Merge pull request #2075 from OWASP/challenge53

commjoen · web-flow · commit d1e175498c4b · 2025-06-30T06:21:27.000+02:00
Enable challenge 53 for CTF, add the gdb to desktop container
diff --git a/Dockerfile_webdesktop b/Dockerfile_webdesktop
@@ -9,7 +9,7 @@ RUN \
 
 RUN \
   echo "**** install packages ****" && \
-  apk add --no-cache shadow keepassxc radare2 aws-cli geany git build-base icu-libs icu-data-full&& \
+  apk add --no-cache shadow keepassxc radare2 aws-cli geany git gdb build-base icu-libs icu-data-full&& \
   echo "**** adding abc user to root for Docker ****" && \
   usermod -aG root abc && \
   touch /var/run/docker.sock && \
diff --git a/Dockerfile_webdesktopk8s b/Dockerfile_webdesktopk8s
@@ -9,7 +9,7 @@ RUN \
 
 RUN \
   echo "**** install packages ****" && \
-  apk add --no-cache shadow keepassxc radare2 aws-cli geany git build-base icu-libs icu-data-full && \
+  apk add --no-cache shadow keepassxc radare2 aws-cli geany git gdb build-base icu-libs icu-data-full && \
   echo "**** adding abc user to root for Docker ****" && \
   usermod -aG root abc && \
   touch /var/run/docker.sock && \
diff --git a/src/main/resources/explanations/challenge53.adoc b/src/main/resources/explanations/challenge53.adoc
@@ -2,6 +2,6 @@
 
 Modern cloud environments often rely on debugging tools to troubleshoot issues in running applications. However, when debugging capabilities are left open in production, they can expose sensitive information.
 
-A Kubernetes deployment has been misconfigured, allowing developers to attach a debugging container to a running application. Inside this pod, a binary holds a secret in memory. Normally, this secret would be protected, but due to the debugging access, it becomes retrievable.
+A Kubernetes deployment has been misconfigured [challenge53](https://github.com/OWASP/wrongsecrets/blob/master/k8s/challenge53/secret-challenge53.yml), allowing developers to attach a debugging container to a running application. Inside this pod, a binary holds a secret in memory. Normally, this secret would be protected, but due to the debugging access, it becomes retrievable.
 
 Can you uncover the secret?
diff --git a/src/main/resources/wrong-secrets-configuration.yaml b/src/main/resources/wrong-secrets-configuration.yaml
@@ -839,7 +839,7 @@ configurations:
       difficulty: *hard
       category: *secrets
       ctf:
-        enabled: false
+        enabled: true
 
     - name: Challenge 54
       short-name: "challenge-54"
