Add Java CLI reverse-engineering challenges and bundle JAR variants#2523
Conversation
Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/f2ea090d-47bb-4e0a-ad4c-179c568545a8 Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/f2ea090d-47bb-4e0a-ad4c-179c568545a8 Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/f2ea090d-47bb-4e0a-ad4c-179c568545a8 Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
| You can solve it by: | ||
|
|
||
| 1. Decompiling the classes and following the code that reconstructs the secret. | ||
| 2. Looking for encoded byte arrays, reflection, and helper methods that decode data at runtime. |
There was a problem hiding this comment.
@copilot can you be more explicit in the steps here please? what does the user exactly need to do?
There was a problem hiding this comment.
Updated with explicit step-by-step instructions for decompiling, inspecting bytecode, and running the JAR locally in 928795e.
Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/ffd37450-0343-442a-abee-851241cb0eff Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
|
🌐 GitHub Pages Preview Ready! Your static preview is now available at: 📄 What's included:
For full functionality testing: Use the Docker preview instead. 🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR. Static preview with Thymeleaf generation by GitHub Actions |
|
🔨 Preview Build Complete! Your changes have been built and pushed to GitHub Container Registry. 🐳 Docker Image: 📦 Download & Test Locally:
# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview🚀 Alternative - Pull from Registry: docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-6714add
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-6714addThen visit: http://localhost:8080 📝 Changes in this PR: Visual diff screenshots will be available shortly... Preview built by GitHub Actions |
|
📸 Visual Diff Ready! Screenshots comparing your changes with the main branch are available: 📁 Download Visual Diff Artifacts 🖼️ Included screenshots:
🔍 How to review:
💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily. Visual diff generated by GitHub Actions • PR #2523 |
|
@copilot can you update the documentaiton as well please? |
|
🌐 GitHub Pages Preview Ready! Your static preview is now available at: 📄 What's included:
For full functionality testing: Use the Docker preview instead. 🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR. Static preview with Thymeleaf generation by GitHub Actions |
Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/f5613696-4b1f-4899-844f-53b020e7c5e3 Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
|
🔨 Preview Build Complete! Your changes have been built and pushed to GitHub Container Registry. 🐳 Docker Image: 📦 Download & Test Locally:
# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview🚀 Alternative - Pull from Registry: docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-2a33460
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-2a33460Then visit: http://localhost:8080 📝 Changes in this PR: Visual diff screenshots will be available shortly... Preview built by GitHub Actions |
|
📸 Visual Diff Ready! Screenshots comparing your changes with the main branch are available: 📁 Download Visual Diff Artifacts 🖼️ Included screenshots:
🔍 How to review:
💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily. Visual diff generated by GitHub Actions • PR #2523 |
|
@copilot instead of using spoil, how could an attacker find the array and decode it instead? Can you use that as the hints steps? |
|
🔨 Preview Build Complete! Your changes have been built and pushed to GitHub Container Registry. 🐳 Docker Image: 📦 Download & Test Locally:
# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview🚀 Alternative - Pull from Registry: docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-3a62fd2
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-3a62fd2Then visit: http://localhost:8080 📝 Changes in this PR: Visual diff screenshots will be available shortly... Preview built by GitHub Actions |
|
📸 Visual Diff Ready! Screenshots comparing your changes with the main branch are available: 📁 Download Visual Diff Artifacts 🖼️ Included screenshots:
🔍 How to review:
💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily. Visual diff generated by GitHub Actions • PR #2523 |
|
🌐 GitHub Pages Preview Ready! Your static preview is now available at: 📄 What's included:
For full functionality testing: Use the Docker preview instead. 🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR. Static preview with Thymeleaf generation by GitHub Actions |
|
🔨 Preview Build Complete! Your changes have been built and pushed to GitHub Container Registry. 🐳 Docker Image: 📦 Download & Test Locally:
# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview🚀 Alternative - Pull from Registry: docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-0c8267c
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-0c8267cThen visit: http://localhost:8080 📝 Changes in this PR: Visual diff screenshots will be available shortly... Preview built by GitHub Actions |
|
@copilot can you make sure the new jar files also are laoded into the desktop containers? |
Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/84886970-be86-48ff-984d-b416ea66922f Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
| === Hiding in binaries part 6: the plain Java CLI | ||
|
|
||
| Runnable JARs are not a safe place to hide secrets. Just like Android APKs, they are archives that ship bytecode and resources directly to the attacker, which makes embedded strings, constants, and helper methods straightforward to inspect with common reverse-engineering tools. | ||
|
|
||
| If a client-side Java artifact needs a secret to work, assume that secret can be extracted once the file is downloaded. Keep real secrets on a trusted backend and only release them after proper authentication and authorization. | ||
|
|
||
| If you want more Java and Android reverse-engineering practice, explore the https://github.com/OWASP/MASTG-Hacking-Playground[OWASP MASTG Hacking Playground]. |
There was a problem hiding this comment.
@copilot can you move this to the challenge65_reason.adoc file instead? This file should tell the same story as challenge66.adoc (E.g. there is a cli in java, here you can find it, can you find the secret? you can either enter it into the box below or use the cli itself to see if it is correct)
There was a problem hiding this comment.
Moved the APK/JAR warning and MASTG link into challenge65_reason.adoc, rewrote challenge65.adoc to match the Challenge 66 task flow, and switched the JAR link to the direct raw file in 82f3b54. Screenshot: https://github.com/user-attachments/assets/d7a5da14-9ecd-4d99-a8d0-b3f426e562eb
|
📸 Visual Diff Ready! Screenshots comparing your changes with the main branch are available: 📁 Download Visual Diff Artifacts 🖼️ Included screenshots:
🔍 How to review:
💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily. Visual diff generated by GitHub Actions • PR #2523 |
|
🌐 GitHub Pages Preview Ready! Your static preview is now available at: 📄 What's included:
For full functionality testing: Use the Docker preview instead. 🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR. Static preview with Thymeleaf generation by GitHub Actions |
|
🔨 Preview Build Complete! Your changes have been built and pushed to GitHub Container Registry. 🐳 Docker Image: 📦 Download & Test Locally:
# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview🚀 Alternative - Pull from Registry: docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-745e64c
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-745e64cThen visit: http://localhost:8080 📝 Changes in this PR: Visual diff screenshots will be available shortly... Preview built by GitHub Actions |
Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/24a041b5-fd38-429d-a6b5-f8f141ed817d Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/24a041b5-fd38-429d-a6b5-f8f141ed817d Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/24a041b5-fd38-429d-a6b5-f8f141ed817d Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
|
📸 Visual Diff Ready! Screenshots comparing your changes with the main branch are available: 📁 Download Visual Diff Artifacts 🖼️ Included screenshots:
🔍 How to review:
💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily. Visual diff generated by GitHub Actions • PR #2523 |
|
🌐 GitHub Pages Preview Ready! Your static preview is now available at: 📄 What's included:
For full functionality testing: Use the Docker preview instead. 🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR. Static preview with Thymeleaf generation by GitHub Actions |
|
🔨 Preview Build Complete! Your changes have been built and pushed to GitHub Container Registry. 🐳 Docker Image: 📦 Download & Test Locally:
# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview🚀 Alternative - Pull from Registry: docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-cd1a864
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-cd1a864Then visit: http://localhost:8080 📝 Changes in this PR: Visual diff screenshots will be available shortly... Preview built by GitHub Actions |
|
📸 Visual Diff Ready! Screenshots comparing your changes with the main branch are available: 📁 Download Visual Diff Artifacts 🖼️ Included screenshots:
🔍 How to review:
💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily. Visual diff generated by GitHub Actions • PR #2523 |
This adds WrongSecrets challenges based on the new Java CLIs introduced in
OWASP/wrongsecrets-binaries#130. It covers both the plain and obfuscated Java variants and includes the relevant bundled artifacts, including CTF builds.New challenges
Challenge65for the plain Java CLI JARChallenge66for the obfuscated Java CLI JARwrong-secrets-configuration.yamlwith matching explanation, hint, and reason contentJava JAR execution support
BinaryExecutionHelperto execute runnable JARs viajava -jarspoil()resolves the embedded secret from the packaged CLI rather than duplicating logic in application codeBundled Java artifacts
src/main/resources/executables/wrongsecrets-java.jarwrongsecrets-java-obfuscated.jarwrongsecrets-java-ctf.jarwrongsecrets-java-obfuscated-ctf.jar.gitignoreso these tracked JARs can live alongside the existing executable assetsChallenge docs and tests
spoilExample of the new execution path: