Feature(#614): Challenge38 - Git notes challenge

README.md

@@ -428,7 +428,7 @@ Feel free to edit and propose changes via pull requests. Be sure to follow our g
 
 Please note that we officially only support Linux and MacOS for development. If you want to develop using a Windows machine, use WSL2 or a virtual machine running Linux. We did include Windows detection & a bunch of `exe` files for a first experiment, but are looking for active maintainers of them. Want to make sure it runs on Windows? Create PRs ;-).
 
-If, after reading this section, you still have no clue on the application code: Have a look [at some tutorials on Spring boot from Baeldung](https://www.baeldung.com/spring-boot)
+If, after reading this section, you still have no clue on the application code: Have a look [at some tutorials on Spring boot from Baeldung](https://www.baeldung.com/spring-boot).
 
 ### Automatic reload during development
 

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java

@@ -0,0 +1,78 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import java.util.List;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
+import org.owasp.wrongsecrets.challenges.Difficulty;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+/** This is a challenge based on leaking secrets with the misuse of Git notes */
+@Component
+@Order(34)
+public class Challenge34 extends Challenge {
+
+  public Challenge34(ScoreCard scoreCard) {
+    super(scoreCard);
+  }
+
+  @Override
+  public boolean canRunInCTFMode() {
+    return true;
+  }
+
+  @Override
+  public Spoiler spoiler() {
+    return new Spoiler(getSolution());
+  }
+
+  @Override
+  public boolean answerCorrect(String answer) {
+    return getSolution().equals(answer);
+  }
+
+  /** {@inheritDoc} */
+  @Override
+  public int difficulty() {
+    return Difficulty.EASY;
+  }
+
+  /** {@inheritDoc} Git based. */
+  @Override
+  public String getTech() {
+    return ChallengeTechnology.Tech.GIT.id;
+  }
+
+  @Override
+  public boolean isLimitedWhenOnlineHosted() {
+    return false;
+  }
+
+  @Override
+  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+    return List.of(RuntimeEnvironment.Environment.DOCKER);
+  }
+
+  private String getSolution() {
+    return unobfuscate("UOZFGZTLOLLXHTKEGGS");
+  }
+
+  private String unobfuscate(String obfuscatedString) {
+    final String key = "QWERTYUIOPASDFGHJKLZXCVBNM";
+    StringBuilder plainText = new StringBuilder();
+    for (char c : obfuscatedString.toCharArray()) {
+      if (Character.isLetter(c)) {
+        int index = key.indexOf(Character.toUpperCase(c));
+        char replacement = (char) ('A' + index);
+        plainText.append(replacement);
+      } else {
+        plainText.append(c);
+        System.out.println(plainText);
+      }
+    }
+    return plainText.toString();
+  }
+}

src/main/resources/explanations/challenge35.adoc

@@ -0,0 +1,15 @@
+<<<<<<< HEAD
+=== Generating Random Keys
+
+Many security folks teach engineers to use secure key derivation functions like https://en.wikipedia.org/wiki/PBKDF2[PBKDF2] when a key needs to be generated. A developer followed this instruction and tried to create a key in `Challenge34.java`, which should now be far more secure than a hardcoded key.
+Can you spot the mistake? Can you find the value of the generated key?
+=======
+=== Git Notes
+
+Git commits can be a constant pain point.
+It is fine using a short message, unintelligible garble or mashing the keyboard in a git message until you have the unfortunate task of reviewing past commits and trying to figure out what has happened.
+Git notes is here to solve this, it has been around for a while but often gets overlooked.
+Add extra metadata about the commit without affecting the commit message itself.
+
+Like all Git, once information is commited it is very very hard to remove all reference of it. What could possible go wrong?
+>>>>>>> cefa8809 ( Feature(#614): Added test files)

src/main/resources/explanations/challenge35_hint.adoc

@@ -0,0 +1,15 @@
+<<<<<<< HEAD
+This challenge can be solved by replaying the Key derivation function with the given inputs.
+
+1. Run the function online
+- Locate the parameters used for the key derivation function in the `generateKey` function in Challenge33.java
+- Copy the used parameters to an online https://www.dcode.fr/pbkdf2-hash[generator] and execute it
+- The website will return the value of the key.
+=======
+Like other Git challenges this can be solved by manually combing the Git metadata.
+There are also a plethora of tools that will automatically search for secrets leaked in Git repos.
+
+1. Search manually using `git log`. You can then use a tool such as grep to try and find leaked secrets with regex searches.
+
+2. Search a whole Git repo with a secrets scanning tool such as TruffleHog.
+>>>>>>> cefa8809 ( Feature(#614): Added test files)

src/main/resources/explanations/challenge35_reason.adoc

@@ -0,0 +1,14 @@
+<<<<<<< HEAD
+*Why Key Derivation Functions are not safe when using hardcoded values*
+
+Key Derivation Functions (KDFs) are deterministic. This means that they will always give back the same output for a given input. So, if the parameters are hardcoded, anyone with access to the code can run the KDF with the specified parameters and get the key.
+
+KDFs should be used to generate keys based on dynamic input, such as human-supplied passwords. KDFs might be used when secure random sources can be used to generate keys. Again, the KDF's input is not hardcoded/deterministic in both cases.
+=======
+*Why you should be careful with Git notes?*
+
+When developers use Git notes they can also expose secrets if developers inadvertently include sensitive information, such as passwords or API keys, in the notes.
+Unlike regular commits, notes are not easily visible in code reviews, so they can go unnoticed for a long time.
+
+Although manually going through Git notes to look for secrets would be cumbersome, there are many tools attackers could use to search through Git repo's to look for these leaked secrets.
+>>>>>>> cefa8809 ( Feature(#614): Added test files)