Challenge 3

Welcome to Challenge 3. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Docker ENV based password

Did you know that you can use the ENV as well in Docker containers to set the password? What a great idea to share it with everyone!

You can easily spot the secret by looking at how the layers were constructed or detecting it with a tool like Dockle.


You can solve this challenge by the following steps:

  1. Use docker history:

    • Download the container.

    • Run docker history --no-trunc jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> with which you can find the arguments used for the container with the given tag.

    • Now try finding the DOCKER_ENV_PASSWORD.

  2. Visit the Docker-repository online:

    • Go to the WrongSecrets docker repo

    • Take a look at the tag relevant for you. There you can find all the commands used to compose the container. What is the value of DOCKER_ENV_PASSWORD?

  3. Use Dockle:

    • Install Dockle as described on its GitHub page

    • Run dockle jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> and use its output for your secrets hunt.

  4. Exec into the container and dump the ENV-vars:

    • Start the container locally with docker run jeroenwillemsen/wrongsecrets:<TAGNAME-HERE>

    • Find the container id by running docker ps in another terminal

    • Do docker exec -it <container id> "/bin/sh"

    • In the container do env.

  5. Use docker inspect to find the ENV-vars:

    • Download the container.

    • Run docker inspect jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> and try to find the Config section and then the Env section. What is the value of DOCKER_ENV_PASSWORD? Did you know that with jq you could use `docker inspect jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> | jq '.[] | .Config.Env[]'` instead to find it much quicker?

Why putting secrets in containers is a bad idea

As you can tell by now, you can easily detect any secret that is stored within a container. Whether it is an ENV, a file, or another property: if a system can read it, so can a human.

Given it is a best practice to let a container be immutable and versioned, you will often end up with the secret within a container forever, unless you remove it again from the registry.
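The Config.Env lookup from step 5 can also run as a check before an image is pushed, so the secret never reaches the registry. The script below is an added example, not part of the WrongSecrets project; the name pattern, the sample JSON, the placeholder tag and the placeholder password are assumptions made for illustration.

```python
import json
import re

# Name fragments that usually indicate a credential (a heuristic, an assumption).
SECRET_NAME = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)

def mask(value: str) -> str:
    """Keep findings out of CI logs: show only the first character and the length."""
    return f"{value[:1]}{'*' * (len(value) - 1)}" if value else "<empty>"

def find_env_secrets(inspect_json: str):
    """Return (image, variable, masked value) for secret-looking ENV entries.

    Input is the JSON array printed by `docker inspect <image>`.
    """
    findings = []
    for image in json.loads(inspect_json):
        tags = image.get("RepoTags") or [image.get("Id", "<unknown>")]
        # Config.Env is null for images that set no ENV at all.
        for entry in (image.get("Config") or {}).get("Env") or []:
            name, _, value = entry.partition("=")  # values may contain '='
            if SECRET_NAME.search(name):
                findings.append((tags[0], name, mask(value)))
    return findings

# Constructed sample shaped like `docker inspect` output; the tag and the
# password value are placeholders, not the real challenge answer.
SAMPLE = json.dumps([
    {"Id": "sha256:0000", "RepoTags": ["jeroenwillemsen/wrongsecrets:example-tag"],
     "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                        "DOCKER_ENV_PASSWORD=not=the-real-one",
                        "JAVA_HOME=/opt/java"]}},
    {"Id": "sha256:1111", "RepoTags": [], "Config": {"Env": None}},
])

if __name__ == "__main__":
    for image, name, masked in find_env_secrets(SAMPLE):
        print(f"{image}: ENV {name} looks like a secret ({masked})")
```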

Interesting ENV vars for you to have a look at can be found in this list.