Add Java CLI reverse-engineering challenges and bundle JAR variants

[Copilot]

This adds WrongSecrets challenges based on the new Java CLIs introduced in OWASP/wrongsecrets-binaries#130. It covers both the plain and obfuscated Java variants and includes the relevant bundled artifacts, including CTF builds.

• New challenges

  • Add Challenge65 for the plain Java CLI JAR
  • Add Challenge66 for the obfuscated Java CLI JAR
  • Register both challenges in wrong-secrets-configuration.yaml with matching explanation, hint, and reason content

• Java JAR execution support

  • Extend BinaryExecutionHelper to execute runnable JARs via java -jar
  • Reuse the existing binary challenge flow so spoil() resolves the embedded secret from the packaged CLI rather than duplicating logic in application code

• Bundled Java artifacts

  • Add the Java CLI variants under src/main/resources/executables/
    • wrongsecrets-java.jar
    • wrongsecrets-java-obfuscated.jar
    • wrongsecrets-java-ctf.jar
    • wrongsecrets-java-obfuscated-ctf.jar
  • Update .gitignore so these tracked JARs can live alongside the existing executable assets

• Challenge docs and tests

  • Add focused AsciiDoc content for both Java challenges
  • Add challenge tests covering the new plain and obfuscated JAR-backed flows

Example of the new execution path:

@Override
public String getAnswer() {
  BinaryExecutionHelper helper = new BinaryExecutionHelper(65, new MuslDetectorImpl());
  return helper.executeJavaJar("", "wrongsecrets-java.jar");
}

[commjoen]

@copilot can you be more explicit in the steps here please? what does the user exactly need to do?

[Copilot]

Updated with explicit step-by-step instructions for decompiling, inspecting bytecode, and running the JAR locally in 928795e.

[github-actions]

🌐 GitHub Pages Preview Ready!

Your static preview is now available at:
🔗 Preview PR #2523

📄 What's included:

• ✅ All CSS, JavaScript, and static assets (embedded inline)
• ✅ Current styling and layout preview
• ✅ Images, icons, and UI components
• ✅ NEW: Generated HTML from Thymeleaf templates
  • 🏠 Home/Welcome Page
  • ℹ️ About Page
  • 📊 Stats & Config Page
  • 🤖 Challenge 57: LLM Security (Latest)
  • 🧩 Challenge Example

For full functionality testing: Use the Docker preview instead.

🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR.

---

_{Static preview with Thymeleaf generation by GitHub Actions}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-6714add

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2523)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-6714add
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-6714add

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge65.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge66.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/binaryexecution/BinaryExecutionHelper.java
- src/main/resources/explanations/challenge65.adoc
- src/main/resources/explanations/challenge65_hint.adoc
- src/main/resources/explanations/challenge65_reason.adoc
- src/main/resources/explanations/challenge66.adoc
- src/main/resources/explanations/challenge66_hint.adoc
- src/main/resources/explanations/challenge66_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2523}

[commjoen]

@copilot can you update the documentaiton as well please?

[github-actions]

🌐 GitHub Pages Preview Ready!

Your static preview is now available at:
🔗 Preview PR #2523

📄 What's included:

• ✅ All CSS, JavaScript, and static assets (embedded inline)
• ✅ Current styling and layout preview
• ✅ Images, icons, and UI components
• ✅ NEW: Generated HTML from Thymeleaf templates
  • 🏠 Home/Welcome Page
  • ℹ️ About Page
  • 📊 Stats & Config Page
  • 🤖 Challenge 57: LLM Security (Latest)
  • 🧩 Challenge Example

For full functionality testing: Use the Docker preview instead.

🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR.

---

_{Static preview with Thymeleaf generation by GitHub Actions}

[Copilot]

@copilot can you update the documentaiton as well please?

Updated the Challenge 66 explanation text as well so the main documentation now walks through downloading the JAR, running spoil, decompiling it, tracing the decoding logic, and submitting the recovered secret in 63dc675.

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-2a33460

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2523)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-2a33460
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-2a33460

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge65.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge66.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/binaryexecution/BinaryExecutionHelper.java
- src/main/resources/explanations/challenge65.adoc
- src/main/resources/explanations/challenge65_hint.adoc
- src/main/resources/explanations/challenge65_reason.adoc
- src/main/resources/explanations/challenge66.adoc
- src/main/resources/explanations/challenge66_hint.adoc
- src/main/resources/explanations/challenge66_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2523}

[commjoen]

@copilot instead of using spoil, how could an attacker find the array and decode it instead? Can you use that as the hints steps?

[github-actions]

🌐 GitHub Pages Preview Ready!

Your static preview is now available at:
🔗 Preview PR #2523

📄 What's included:

• ✅ All CSS, JavaScript, and static assets (embedded inline)
• ✅ Current styling and layout preview
• ✅ Images, icons, and UI components
• ✅ NEW: Generated HTML from Thymeleaf templates
  • 🏠 Home/Welcome Page
  • ℹ️ About Page
  • 📊 Stats & Config Page
  • 🤖 Challenge 57: LLM Security (Latest)
  • 🧩 Challenge Example

For full functionality testing: Use the Docker preview instead.

🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR.

---

_{Static preview with Thymeleaf generation by GitHub Actions}

[Copilot]

@copilot instead of using spoil, how could an attacker find the array and decode it instead? Can you use that as the hints steps?

Updated the Challenge 66 hint steps to focus on locating WrongSecretsObfuscated.class, extracting XOR_KEY_CHARS and ENCODED_SECRET, tracing decodeSecret(), and rebuilding the secret without using spoil in bfb629e.

Screenshot:

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• accounts.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --use-angle=swiftshader-webgl --crashpad-handler-pid=4999 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/org.chromium.Chromium.scoped_dir.9LZ3IT --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,8828843397190078902,7587338667278405990,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,12403235434011049529,14081084788277886150,4 --trace-process-track-uuid=3190708989122997041 (dns block)
  • Triggering command: /usr/bin/chromium chromium --headless --no-sandbox --disable-gpu --window-size=1400,2200 --screenshot=/tmp/wrongsecrets-screens/challenge66-hint.png REDACTED (dns block)
• clients2.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --use-angle=swiftshader-webgl --crashpad-handler-pid=4999 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/org.chromium.Chromium.scoped_dir.9LZ3IT --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,8828843397190078902,7587338667278405990,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,12403235434011049529,14081084788277886150,4 --trace-process-track-uuid=3190708989122997041 (dns block)
  • Triggering command: /usr/bin/chromium chromium --headless --no-sandbox --disable-gpu --window-size=1400,2200 --screenshot=/tmp/wrongsecrets-screens/challenge66-hint.png REDACTED (dns block)
• content-autofill.googleapis.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --use-angle=swiftshader-webgl --crashpad-handler-pid=4999 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/org.chromium.Chromium.scoped_dir.9LZ3IT --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,8828843397190078902,7587338667278405990,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,12403235434011049529,14081084788277886150,4 --trace-process-track-uuid=3190708989122997041 (dns block)
  • Triggering command: /usr/bin/chromium chromium --headless --no-sandbox --disable-gpu --window-size=1400,2200 --screenshot=/tmp/wrongsecrets-screens/challenge66-hint.png REDACTED (dns block)
• redirector.gvt1.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --use-angle=swiftshader-webgl --crashpad-handler-pid=4999 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/org.chromium.Chromium.scoped_dir.9LZ3IT --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,8828843397190078902,7587338667278405990,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,12403235434011049529,14081084788277886150,4 --trace-process-track-uuid=3190708989122997041 (dns block)
  • Triggering command: /usr/bin/chromium chromium --headless --no-sandbox --disable-gpu --window-size=1400,2200 --screenshot=/tmp/wrongsecrets-screens/challenge66-hint.png REDACTED (dns block)
• www.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --use-angle=swiftshader-webgl --crashpad-handler-pid=4999 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/org.chromium.Chromium.scoped_dir.9LZ3IT --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,8828843397190078902,7587338667278405990,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,12403235434011049529,14081084788277886150,4 --trace-process-track-uuid=3190708989122997041 (dns block)
  • Triggering command: /usr/bin/chromium chromium --headless --no-sandbox --disable-gpu --window-size=1400,2200 --screenshot=/tmp/wrongsecrets-screens/challenge66-hint.png REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-6d2b4fa

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2523)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-6d2b4fa
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2523-6d2b4fa

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge65.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge66.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/binaryexecution/BinaryExecutionHelper.java
- src/main/resources/explanations/challenge65.adoc
- src/main/resources/explanations/challenge65_hint.adoc
- src/main/resources/explanations/challenge65_reason.adoc
- src/main/resources/explanations/challenge66.adoc
- src/main/resources/explanations/challenge66_hint.adoc
- src/main/resources/explanations/challenge66_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2523}