-
-
Notifications
You must be signed in to change notification settings - Fork 7
Expand file tree
/
Copy pathgenerate_ctf_secrets.sh
More file actions
executable file
·342 lines (299 loc) · 12.4 KB
/
Copy pathgenerate_ctf_secrets.sh
File metadata and controls
executable file
·342 lines (299 loc) · 12.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
#!/bin/bash
# Script to generate CTF versions of the binaries with randomized secrets
# Format: "this is the secret in <language> : <random string>"
set -e
# Function to generate a random string of specified length
generate_random_string() {
local length=${1:-16}
# Try multiple methods for cross-platform compatibility
if command -v openssl >/dev/null 2>&1; then
openssl rand -hex $((length/2)) 2>/dev/null
elif [ -f /dev/urandom ]; then
head /dev/urandom | tr -dc A-Za-z0-9 | head -c $length
elif command -v python3 >/dev/null 2>&1; then
python3 -c "import secrets; print(''.join(secrets.choice('0123456789abcdef') for _ in range($length)))"
elif command -v python >/dev/null 2>&1; then
python -c "import random; import string; print(''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range($length)))"
else
# Fallback: use current timestamp and process ID
echo "$RANDOM$RANDOM$RANDOM$RANDOM" | head -c $length
fi
}
# Function to perform cross-platform sed replacement
sed_replace() {
local file="$1"
local pattern="$2"
local replacement="$3"
# Escape special characters for sed
local escaped_replacement=$(printf '%s\n' "$replacement" | sed 's/[[\.*^$()+?{|]/\\&/g')
# Use different sed syntax for macOS vs Linux
if [[ "$OSTYPE" == "darwin"* ]]; then
# macOS requires backup extension
sed -i '.bak' "s/$pattern/$escaped_replacement/g" "$file"
rm -f "${file}.bak"
else
# Linux/GNU sed
sed -i "s/$pattern/$escaped_replacement/g" "$file"
fi
}
# Function to backup original files
backup_original() {
local file=$1
if [ ! -f "${file}.original" ]; then
cp "$file" "${file}.original"
fi
}
# Function to restore original files
restore_original() {
local file=$1
if [ -f "${file}.original" ]; then
cp "${file}.original" "$file"
fi
}
# Generate random secret for each language with the specified format
C_SECRET="this is the secret in C : $(generate_random_string 16)"
CPLUS_SECRET="this is the secret in C++ : $(generate_random_string 16)"
GO_SECRET="this is the secret in Golang : $(generate_random_string 16)"
RUST_SECRET="this is the secret in Rust : $(generate_random_string 16)"
DOTNET_SECRET="this is the secret in dotnet : $(generate_random_string 16)"
SWIFT_SECRET="this is the secret in Swift : $(generate_random_string 16)"
JAVA_SECRET="this is the secret in Java : $(generate_random_string 16)"
echo "Generated CTF secrets:"
echo "C: $C_SECRET"
echo "C++: $CPLUS_SECRET"
echo "Go: $GO_SECRET"
echo "Rust: $RUST_SECRET"
echo ".NET: $DOTNET_SECRET"
echo "Swift: $SWIFT_SECRET"
echo "Java: $JAVA_SECRET"
# Function to update C source files
update_c_secrets() {
echo "Updating C secrets..."
# Update main.c
if [ -f "c/main.c" ]; then
backup_original "c/main.c"
sed_replace "c/main.c" "This is a hardcoded secret in C" "$C_SECRET"
# Update the character array in main.c
# Convert the secret to character array format
local char_array=""
for (( i=0; i<${#C_SECRET}; i++ )); do
char="$(printf '%s' "${C_SECRET:$i:1}")"
if [ "$i" -eq 0 ]; then
char_array="'$char'"
else
char_array="$char_array, '$char'"
fi
done
# Update the character array size and content with more robust pattern matching
if [[ "$OSTYPE" == "darwin"* ]]; then
# macOS sed
sed -i '.bak' "s/static char harder\[[0-9]*\] = {[^}]*};/static char harder[${#C_SECRET}] = {$char_array};/" "c/main.c"
rm -f "c/main.c.bak"
else
# Linux sed
sed -i "s/static char harder\[[0-9]*\] = {[^}]*};/static char harder[${#C_SECRET}] = {$char_array};/" "c/main.c"
fi
else
echo "Warning: c/main.c not found, skipping"
fi
# Update advanced/advanced.c if it exists
if [ -f "c/advanced/advanced.c" ]; then
backup_original "c/advanced/advanced.c"
sed_replace "c/advanced/advanced.c" "This is a hardcoded secret in C" "$C_SECRET"
fi
# Update challenge52/main.c if it exists
if [ -f "c/challenge52/main.c" ]; then
backup_original "c/challenge52/main.c"
sed_replace "c/challenge52/main.c" "This is a hardcoded secret in C" "$C_SECRET"
fi
}
# Function to update C++ source files
update_cplus_secrets() {
echo "Updating C++ secrets..."
if [ -f "cplus/main.cpp" ]; then
backup_original "cplus/main.cpp"
sed_replace "cplus/main.cpp" "Another secret in C++" "$CPLUS_SECRET"
# Update the character array in C++
local char_array=""
for (( i=0; i<${#CPLUS_SECRET}; i++ )); do
char="$(printf '%s' "${CPLUS_SECRET:$i:1}")"
if [ "$i" -eq 0 ]; then
char_array="'$char'"
else
char_array="$char_array, '$char'"
fi
done
# Update the character array size and content with more robust pattern matching
if [[ "$OSTYPE" == "darwin"* ]]; then
# macOS sed
sed -i '.bak' "s/static char harder\[[0-9]*\] = {[^}]*};/static char harder[${#CPLUS_SECRET}] = {$char_array};/" "cplus/main.cpp"
rm -f "cplus/main.cpp.bak"
else
# Linux sed
sed -i "s/static char harder\[[0-9]*\] = {[^}]*};/static char harder[${#CPLUS_SECRET}] = {$char_array};/" "cplus/main.cpp"
fi
else
echo "Warning: cplus/main.cpp not found, skipping"
fi
}
# Function to update Go source files
update_go_secrets() {
echo "Updating Go secrets..."
if [ -f "golang/cmd/root.go" ]; then
backup_original "golang/cmd/root.go"
sed_replace "golang/cmd/root.go" "This is the secret in Golang today" "$GO_SECRET"
else
echo "Warning: golang/cmd/root.go not found, skipping"
fi
}
# Function to update Rust source files
update_rust_secrets() {
echo "Updating Rust secrets..."
if [ -f "rust/src/main.rs" ]; then
backup_original "rust/src/main.rs"
sed_replace "rust/src/main.rs" "This is a not very random string posing as a secret in Rust" "$RUST_SECRET"
# Update the character array in Rust
local char_array=""
for (( i=0; i<${#RUST_SECRET}; i++ )); do
char="$(printf '%s' "${RUST_SECRET:$i:1}")"
if [ "$i" -eq 0 ]; then
char_array="'$char'"
else
char_array="$char_array, '$char'"
fi
done
# Update the vec! content with more robust pattern matching
if [[ "$OSTYPE" == "darwin"* ]]; then
# macOS sed
sed -i '.bak' "s/vec!\[[^]]*\]/vec![$char_array]/" "rust/src/main.rs"
rm -f "rust/src/main.rs.bak"
else
# Linux sed
sed -i "s/vec!\[[^]]*\]/vec![$char_array]/" "rust/src/main.rs"
fi
else
echo "Warning: rust/src/main.rs not found, skipping"
fi
}
# Function to update .NET source files
update_dotnet_secrets() {
echo "Updating .NET secrets..."
if [ -f "dotnet/dotnetproject/Program.cs" ]; then
backup_original "dotnet/dotnetproject/Program.cs"
sed_replace "dotnet/dotnetproject/Program.cs" "This is a dotnet secret, huray\\." "$DOTNET_SECRET"
else
echo "Warning: dotnet/dotnetproject/Program.cs not found, skipping"
fi
}
# Function to update Swift source files
update_swift_secrets() {
echo "Updating Swift secrets..."
if [ -f "swift/Sources/main.swift" ]; then
backup_original "swift/Sources/main.swift"
# Create character array format for Swift
local char_array=""
for (( i=0; i<${#SWIFT_SECRET}; i++ )); do
char="$(printf '%s' "${SWIFT_SECRET:$i:1}")"
if [ "$i" -eq 0 ]; then
char_array="\"$char\""
else
char_array="$char_array, \"$char\""
fi
done
# Update the character array in Swift with more robust pattern matching
if [[ "$OSTYPE" == "darwin"* ]]; then
# macOS sed
sed -i '.bak' "s/let CharArr: \[Character\] = \[[^]]*\]/let CharArr: [Character] = [$char_array]/" "swift/Sources/main.swift"
rm -f "swift/Sources/main.swift.bak"
else
# Linux sed
sed -i "s/let CharArr: \[Character\] = \[[^]]*\]/let CharArr: [Character] = [$char_array]/" "swift/Sources/main.swift"
fi
else
echo "Warning: swift/Sources/main.swift not found, skipping"
fi
}
# Function to update Java source files
update_java_secrets() {
echo "Updating Java secrets..."
# Update the plain Java source (simple string replacement)
local plain_file="java/plain/src/main/java/io/github/owasp/wrongsecrets/WrongSecretsPlain.java"
if [ -f "$plain_file" ]; then
backup_original "$plain_file"
sed_replace "$plain_file" "This is the secret in Java" "$JAVA_SECRET"
else
echo "Warning: $plain_file not found, skipping"
fi
# Update the obfuscated Java source: re-encode the new secret with the XOR key and
# replace the ENCODED_SECRET byte array.
local obf_file="java/obfuscated/src/main/java/io/github/owasp/wrongsecrets/WrongSecretsObfuscated.java"
if [ -f "$obf_file" ]; then
backup_original "$obf_file"
# Compute the XOR-encoded byte array for the new secret using Python3.
# Key matches the XOR_KEY_CHARS constant: "WrongSecrets!@#$"
local new_encoded
new_encoded=$(python3 -c "
secret = '''$JAVA_SECRET'''
key = [0x57, 0x72, 0x6f, 0x6e, 0x67, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x21, 0x40, 0x23, 0x24]
encoded = [(b ^ key[i % len(key)]) for i, b in enumerate(secret.encode('utf-8'))]
print(', '.join('(byte)0x{:02x}'.format(b) for b in encoded))
")
# Replace the entire ENCODED_SECRET block (spans multiple lines) using Python3
# to avoid sed multiline complexity.
python3 - "$obf_file" "$new_encoded" <<'PYEOF'
import sys, re
filepath = sys.argv[1]
new_bytes = sys.argv[2]
with open(filepath, 'r') as f:
content = f.read()
# Replace the ENCODED_SECRET byte array (potentially spanning multiple lines)
pattern = r'(private static final byte\[\] ENCODED_SECRET = \{)[^}]*(};)'
replacement = r'\g<1>\n ' + new_bytes + r'\n \g<2>'
new_content = re.sub(pattern, replacement, content, flags=re.DOTALL)
with open(filepath, 'w') as f:
f.write(new_content)
PYEOF
else
echo "Warning: $obf_file not found, skipping"
fi
}
# Function to restore all original files
restore_all() {
echo "Restoring original files..."
[ -f "c/main.c.original" ] && restore_original "c/main.c"
[ -f "c/advanced/advanced.c.original" ] && restore_original "c/advanced/advanced.c"
[ -f "c/challenge52/main.c.original" ] && restore_original "c/challenge52/main.c"
[ -f "cplus/main.cpp.original" ] && restore_original "cplus/main.cpp"
[ -f "golang/cmd/root.go.original" ] && restore_original "golang/cmd/root.go"
[ -f "rust/src/main.rs.original" ] && restore_original "rust/src/main.rs"
[ -f "dotnet/dotnetproject/Program.cs.original" ] && restore_original "dotnet/dotnetproject/Program.cs"
[ -f "swift/Sources/main.swift.original" ] && restore_original "swift/Sources/main.swift"
[ -f "java/plain/src/main/java/io/github/owasp/wrongsecrets/WrongSecretsPlain.java.original" ] && \
restore_original "java/plain/src/main/java/io/github/owasp/wrongsecrets/WrongSecretsPlain.java"
[ -f "java/obfuscated/src/main/java/io/github/owasp/wrongsecrets/WrongSecretsObfuscated.java.original" ] && \
restore_original "java/obfuscated/src/main/java/io/github/owasp/wrongsecrets/WrongSecretsObfuscated.java"
}
# Main script logic
case "${1:-generate}" in
"generate")
echo "Generating CTF versions with randomized secrets..."
update_c_secrets
update_cplus_secrets
update_go_secrets
update_rust_secrets
update_dotnet_secrets
update_swift_secrets
update_java_secrets
echo "CTF secrets generated successfully!"
;;
"restore")
restore_all
echo "Original files restored!"
;;
*)
echo "Usage: $0 [generate|restore]"
echo " generate - Generate CTF versions with random secrets (default)"
echo " restore - Restore original source files"
exit 1
;;
esac