OWASP#810 nexus credentials

maven/settings/settings.xml

@@ -0,0 +1,51 @@
+<settings>
+    <mirrors>
+        <mirror>
+            <id>nexus</id>
+            <mirrorOf>*</mirrorOf>
+            <url>http://localhost:8081/nexus/content/groups/public</url>
+        </mirror>
+    </mirrors>
+    <activeProfiles>
+        <activeProfile>nexus</activeProfile>
+    </activeProfiles>
+    <profiles>
+        <profile>
+            <id>nexus</id>
+            <repositories>
+                <repository>
+                    <id>central</id>
+                    <url>http://central</url>
+                    <releases>
+                        <enabled>true</enabled>
+                    </releases>
+                    <snapshots>
+                        <enabled>true</enabled>
+                    </snapshots>
+                </repository>
+            </repositories>
+            <pluginRepositories>
+                <pluginRepository>
+                    <id>central</id>
+                    <url>http://central</url>
+                    <releases>
+                        <enabled>true</enabled>
+                    </releases>
+                    <snapshots>
+                        <enabled>true</enabled>
+                    </snapshots>
+                </pluginRepository>
+            </pluginRepositories>
+        </profile>
+    </profiles>
+    <pluginGroups>
+        <pluginGroup>org.owsap.plugins</pluginGroup>
+    </pluginGroups>
+    <servers>
+        <server>
+            <id>nexus</id>
+            <username>admin</username>
+            <password>admin123</password>
+        </server>
+    </servers>
+</settings>

pom.xml

@@ -248,6 +248,12 @@
       <artifactId>spotbugs-annotations</artifactId>
       <version>4.7.3</version>
     </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
+            <version>2.7</version>
+            <!-- Replace with the latest version available -->
+        </dependency>
     <!--        <dependency>-->
     <!--            <groupId>com.h2database</groupId>-->
     <!--            <artifactId>h2</artifactId>-->

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge42.java

@@ -0,0 +1,88 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import java.io.StringReader;
+import java.nio.charset.Charset;
+import java.util.List;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.configuration2.XMLConfiguration;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
+import org.owasp.wrongsecrets.challenges.Difficulty;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.annotation.Order;
+import org.springframework.core.io.Resource;
+import org.springframework.stereotype.Component;
+
+/**
+ * This is a challenge based on leaking secrets due to keeping the encryption key and secret
+ * together
+ */
+@Slf4j
+@Component
+@Order(42)
+public class Challenge42 extends Challenge {
+
+  private final Resource resource;
+
+  public Challenge42(
+      ScoreCard scoreCard, @Value("classpath:maven/settings/settings.xml") Resource resource) {
+    super(scoreCard);
+    this.resource = resource;
+  }
+
+  @Override
+  public boolean canRunInCTFMode() {
+    return true;
+  }
+
+  @Override
+  public Spoiler spoiler() {
+    return new Spoiler(getSolution());
+  }
+
+  @Override
+  public boolean answerCorrect(String answer) {
+    return getSolution().equals(answer);
+  }
+
+  /** {@inheritDoc} */
+  @Override
+  public int difficulty() {
+    return Difficulty.EASY;
+  }
+
+  /** {@inheritDoc} Cryptography based. */
+  @Override
+  public String getTech() {
+    return ChallengeTechnology.Tech.CRYPTOGRAPHY.id;
+  }
+
+  @Override
+  public boolean isLimitedWhenOnlineHosted() {
+    return false;
+  }
+
+  @Override
+  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+    return List.of(RuntimeEnvironment.Environment.DOCKER);
+  }
+
+  private String getSolution() {
+    try {
+      String config = resource.getContentAsString(Charset.defaultCharset());
+      StringReader stringReader = new StringReader(config);
+
+      XMLConfiguration xmlConfiguration = new XMLConfiguration();
+      xmlConfiguration.read(stringReader);
+
+      // Retrieve the Nexus password
+      return xmlConfiguration.getString("nexus.password");
+    } catch (Exception e) {
+      log.warn("there was an exception with decrypting content in challenge42", e);
+      return "error_decryption";
+    }
+  }
+}

src/main/resources/explanations/challenge42.adoc

@@ -0,0 +1,3 @@
+=== Nexus credential read
+
+Storing nexus deployment credentials in your github project hardcoded is generally considered a bad practice because it undermines the security provided by encryption.

src/main/resources/explanations/challenge42_hint.adoc

@@ -0,0 +1,10 @@
+This challenge can be solved by decrypting the base64 encoded secret in `secrchallenge.json`. You can do this either by:
+
+1. Using an online aes decryption tool like https://www.devglan.com/online-tools/aes-encryption-decryption[https://www.devglan.com/online-tools/aes-encryption-decryption]
+- Copy the value of `secret` from `secrchallenge.json` and paste it into the textbox of the decryptor.
+- Ensure the input format is `Base64` and the cipher mode is `ECB`.
+- Use the value of `key` from `secrchallenge.json` as decryption key and click on `Decrypt` to get the secret.
+
+2. Using the terminal
+- Launch the terminal while you are in the `maven` directory.
+- Copy the value of `password` from `settings.xml`.

src/main/resources/explanations/challenge42_reason.adoc

@@ -0,0 +1,7 @@
+*Why you should not have nexus deployment credentials in your github project hardcoded*
+
+Storing nexus deployment credentials in your github project hardcoded is generally considered a bad practice because it undermines the security provided by encryption.
+
+In such scenarios, an attacker has the key the moment the file is in his possession.
+
+It is always recommended to store your credentials securely.

src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge42Test.java

@@ -0,0 +1,41 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import static org.mockito.Mockito.when;
+
+import java.io.IOException;
+import java.nio.charset.Charset;
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.springframework.core.io.Resource;
+
+@ExtendWith(MockitoExtension.class)
+class Challenge42Test {
+  @Mock private ScoreCard scoreCard;
+
+  @Mock private Resource resource;
+
+  @BeforeEach
+  void setUp() throws IOException {
+    when(resource.getContentAsString(Charset.defaultCharset()))
+        .thenReturn(
+            "<root><nexus><username>test_user</username><password>test_password</password></nexus></root>");
+  }
+
+  @Test
+  void spoilerShouldGiveAnswer() {
+    var challenge = new Challenge42(scoreCard, resource);
+    Assertions.assertThat(challenge.spoiler().solution()).isNotEmpty();
+    Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
+  }
+
+  @Test
+  void incorrectAnswerShouldNotSolveChallenge() {
+    var challenge = new Challenge42(scoreCard, resource);
+    Assertions.assertThat(challenge.answerCorrect("wrong answer")).isFalse();
+  }
+}