Challenge 12 ☆☆☆

Welcome to challenge Challenge 12. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Docker COPY and WORKDIR

Sometimes large parts of the local filesystem are copied over to the container so that they are available in the container for the convenience of the author.

In this challenge, we did some COPY’ing as well and hid a key there. Note that the key changes on every generation of the docker container, so you’d better extract and use it quickly :).

Try deepfenceio/secretscanning, docker history of the image, or just docker exec against a running container.

Answer to solution :

You can solve this challenge by the following steps:

  1. Exec into the container and go over the files:

    • First check the actual Dockerfile and see what COPY operations happen. Note that you can get this data using docker history (see challenge 3&4 as well) when you have no Dockerfile but only an image.

    • Start the container locally with docker run jeroenwillemsen/wrongsecrets:<TAGNAME-HERE>

    • Find the container id by doing docker ps in a next terminal

    • Do docker exec -it <container id> "/bin/sh"

    • In the container, go to target directory of the COPY operation and look for the secret.

  2. Use Deepfence secret scanner

    • Download the target version of the wrongsecrets container: docker pull jeroenwillemsen/wrongsecrets:<VERSION YOU ARE PLAYING-HERE>

    • Run docker run -it --rm --name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker deepfenceio/secretscanning -image-name jeroenwillemsen/wrongsecrets:<VERSION YOU ARE PLAYING-HERE>

Why using containers to put secrets in is a bad idea

As you can tell by now, you can easily detect any secret that stored within a container. Whether it is an ENV, a file, or another property: if a system can read it, so can a human.

Given it is a best practice to let a container be immutable and versioned, you will often end up with the secret within a container forever, unless you remove it again from the registry.

Note: when you reduce the amount of executables in a container (so no shell is possible), don’t forget about Openssl client and simple binaries like ls and cat that might have to be removed as well. This helps to prevent an attacker going through the contents of your container.