Challenge 65 ☆☆

Welcome to Challenge 65.

Hiding in binaries part 6: the plain Java CLI

Plain strings inside a Java CLI are easy to recover once the JAR is downloaded. Can you find the secret hidden in our plain Java CLI?

To solve it:

  1. Download and inspect wrongsecrets-java.jar.

  2. Decompile the JAR or inspect the main class with a Java decompiler such as CFR, JADX, or IntelliJ IDEA, or disassemble it with javap.

  3. Look for the class that returns the secret and identify the plain string embedded in the CLI.

  4. Once you recover the exact secret value, you can submit it in the box below or validate it with java -jar wrongsecrets-java.jar <your recovered secret>.

💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

This challenge uses a plain Java CLI JAR.

You can solve it as follows:

  1. Find the compiled class that holds the secret:

    • Download wrongsecrets-java.jar.

    • Run jar tf wrongsecrets-java.jar and locate io/github/owasp/wrongsecrets/WrongSecretsPlain.class.

    • Open that class in CFR, JADX, IntelliJ IDEA, or another decompiler.

  2. Inspect how the secret is stored:

    • Run javap -c -p -classpath wrongsecrets-java.jar io.github.owasp.wrongsecrets.WrongSecretsPlain.

    • Find the getSecret() method and look at the ldc instruction it uses.

    • Notice that the secret is stored as a plain string constant instead of being obfuscated.

  3. Recover the value and submit it:

    • Copy the string returned by getSecret() from the decompiler or bytecode output.

    • If you want another quick check, tools like strings wrongsecrets-java.jar can also help expose readable constants; because JAR entries are usually deflate-compressed, you will see more by running strings on the extracted WrongSecretsPlain.class than on the archive itself.

    • Submit the recovered string as the answer.
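The walkthrough above points at the ldc instruction in getSecret(); the operand of that instruction is an index into the class file's constant pool, and a plain literal is stored there as a CONSTANT_String entry pointing at a CONSTANT_Utf8 entry. The following Python scanner is an added example, not code from the WrongSecrets project or this challenge: it parses that constant pool directly, walks every class in a JAR, and flags literals that look like credentials, which is the kind of pre-release check that catches a hard-coded secret before the artifact ships. The class bytes, the JAR and the secret value it scans are all constructed inside the script (the entry name matches the challenge's class path only so the output reads like the real case); the _SECRET_HINT pattern and the character-class heuristic are assumptions to tune for your own code base.

```python
import io
import re
import struct
import zipfile

# Byte widths of the fixed-size constant pool entries (JVMS 4.4); Utf8 (tag 1) is variable-length.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
_UTF8, _STRING, _LONG, _DOUBLE = 1, 8, 5, 6
# Assumed heuristic: names that usually accompany a credential. Tune for your code base.
_SECRET_HINT = re.compile(r"(?i)secret|passw|token|api[_-]?key|bearer")


def parse_constant_pool(data: bytes) -> dict:
    """Map pool index -> (tag, payload). Utf8 payloads are decoded text, String payloads are the
    index of their Utf8 entry, the rest keep raw bytes. Long/Double take two slots per the spec."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == _UTF8:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            # Java stores "modified UTF-8"; plain decoding is fine for the ASCII literals seen in practice.
            pool[idx] = (tag, data[pos:pos + length].decode("utf-8", errors="replace"))
            pos += length
        elif tag in _FIXED_SIZE:
            size = _FIXED_SIZE[tag]
            payload = struct.unpack_from(">H", data, pos)[0] if tag == _STRING else data[pos:pos + size]
            pool[idx] = (tag, payload)
            pos += size
        else:
            raise ValueError(f"unknown constant pool tag {tag} at index {idx}")
        idx += 2 if tag in (_LONG, _DOUBLE) else 1
    return pool


def string_constants(data: bytes) -> list:
    """Every CONSTANT_String literal in the class, in pool order; an `ldc` of a string literal
    (what getSecret() executes in the walkthrough) resolves to exactly these entries."""
    pool = parse_constant_pool(data)
    found = []
    for idx in sorted(pool):
        tag, ref = pool[idx]
        if tag == _STRING and pool.get(ref, (None,))[0] == _UTF8:
            found.append(pool[ref][1])
    return found


def scan_jar(jar_bytes: bytes) -> dict:
    """Inflate each .class entry of a JAR in memory and collect its string literals. zipfile
    decompresses the entries, which is why this sees literals that `strings` on the archive misses."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                report[name] = string_constants(zf.read(name))
    return report


def suspicious_constants(literals, min_len: int = 12) -> list:
    """Pre-release filter: literals whose text hints at a credential, or long literals mixing
    three or more character classes (the shape of most generated keys)."""
    hits = []
    for text in literals:
        classes = sum(bool(re.search(p, text)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if _SECRET_HINT.search(text) or (len(text) >= min_len and classes >= 3):
            hits.append(text)
    return hits


def build_sample_class(class_name: str, secret: str) -> bytes:
    """Constructed stand-in for a compiled class (not loadable by a JVM): a valid header and a
    constant pool shaped like what javac emits for `return "<secret>";`, plus a two-slot Long."""
    name, literal = class_name.encode(), secret.encode()
    pool = (b"\x01" + struct.pack(">H", len(name)) + name          # #1 Utf8   class name
            + b"\x07" + struct.pack(">H", 1)                        # #2 Class  -> #1
            + b"\x01" + struct.pack(">H", len(literal)) + literal   # #3 Utf8   the literal
            + b"\x08" + struct.pack(">H", 3)                        # #4 String -> #3
            + b"\x05" + struct.pack(">Q", 42)                       # #5-#6 Long (two slots)
            + b"\x01" + struct.pack(">H", 9) + b"getSecret")        # #7 Utf8   method name
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 61, 8)             # magic, minor, major, count
    # access_flags, this_class=#2, super_class, then empty interface/field/method/attribute tables
    tail = struct.pack(">HHHHHHH", 0x0021, 2, 0, 0, 0, 0, 0)
    return header + pool + tail


def build_sample_jar(secret: str) -> bytes:
    """Constructed JAR: a manifest plus one class, deflate-compressed like a real build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("io/github/owasp/wrongsecrets/WrongSecretsPlain.class",
                    build_sample_class("io/github/owasp/wrongsecrets/WrongSecretsPlain", secret))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder value; the challenge's real secret is not reproduced here.
    jar = build_sample_jar("CONSTRUCTED-Sample-Secret-123")
    for entry, literals in scan_jar(jar).items():
        for hit in suspicious_constants(literals):
            print(f"{entry}: suspicious string literal {hit!r}")
```

Running the script reports the constructed literal under the WrongSecretsPlain.class entry, which is the same information `javap -v` prints in its constant pool listing; the scanner just automates it across every class in a build so it can gate a release. The filter is deliberately crude: treat its hits as a review queue, because anything it lists is a literal that any decompiler or javap will show to whoever downloads the JAR.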

Why runnable JARs and Android APKs should not be used to hide secrets

Runnable JARs are not a safe place to hide secrets. Just like Android APKs, they are archives that ship bytecode and resources directly to the attacker, which makes embedded strings, constants, and helper methods straightforward to inspect with common reverse-engineering tools.

If a client-side Java artifact needs a secret to work, assume that secret can be extracted once the file is downloaded. Keep real secrets on a trusted backend and only release them after proper authentication and authorization.

If you want more Java and Android reverse-engineering practice, explore the OWASP MASTG Hacking Playground.