Challenge 3

Welcome to Challenge 3.

Docker ENV based password

Did you know that you can use the ENV as well in Docker containers to set the password? What a great idea to share it with everyone!

You can easily spot the secret by looking at how the layers were constructed or detecting it with a tool like Dockle.

💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

You can solve this challenge by the following alternative solutions:

  1. Use docker history:

    • Download the container (docker pull jeroenwillemsen/wrongsecrets:<TAGNAME-HERE>, where the tag can be latest-no-vault or the specific version you are using now).

    • Run docker history --no-trunc jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> with which you can find the arguments used for the container with the given tag.

    • Now try finding DOCKER_ENV_PASSWORD.

  2. Visit the Docker-repository online:

    • Go to the WrongSecrets docker repo

    • Take a look at the tag relevant for you. There you can find all the commands used to compose the container. What is the value of DOCKER_ENV_PASSWORD?

  3. Use Dockle:

    • Install Dockle as described on its GitHub page.

    • Run dockle jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> and use its output for your secrets hunt.

  4. Exec into the container and dump the ENV-vars:

    • Start the container locally with docker run jeroenwillemsen/wrongsecrets:<TAGNAME-HERE>

    • Find the container id by running docker ps in a second terminal.

    • Run docker exec -it <container id> sh

    • In the container, run env.

  5. Use docker inspect to find the ENV-vars:

    • Download the container,

    • Run docker inspect jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> and look for the Config section and, inside it, the Env section. What is the value of DOCKER_ENV_PASSWORD? If you have jq installed, docker inspect jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> | jq '.[] | .Config.Env[]' gets you there much quicker.
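Steps 1 and 5 above both come down to reading image metadata and looking for environment variables with secret-looking names. The following script is an added example (not part of WrongSecrets or of Dockle) that automates that check over the two sources the steps use: the JSON printed by docker inspect and the CreatedBy lines printed by docker history --no-trunc. The image metadata and history lines embedded below are constructed placeholders with the same shape as the real commands' output; the name pattern and the placeholder values are assumptions, not the challenge's actual secret.

```python
import json
import re

# Constructed sample in the shape of `docker inspect <image>`, trimmed to the
# fields this check reads. Values are placeholders, not the real image's data.
SAMPLE_INSPECT = json.dumps([{
    "Id": "sha256:PLACEHOLDER",
    "Config": {
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
            "JAVA_HOME=/opt/java/openjdk",
            "DOCKER_ENV_PASSWORD=placeholder-secret-value",
        ]
    }
}])

# Constructed sample in the shape of
# `docker history --no-trunc --format '{{.CreatedBy}}' <image>`,
# one layer per line, newest layer first.
SAMPLE_HISTORY = """\
/bin/sh -c #(nop)  ENTRYPOINT ["java" "-jar" "app.jar"]
/bin/sh -c #(nop)  ENV DOCKER_ENV_PASSWORD=placeholder-secret-value
/bin/sh -c #(nop)  ENV JAVA_HOME=/opt/java/openjdk
/bin/sh -c #(nop)  ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
"""

# Variable names that usually carry credentials. This list is an assumption;
# extend it for the naming conventions used in your own images.
SENSITIVE_NAME = re.compile(
    r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I
)

# An ENV instruction as it appears in a layer's CreatedBy string. \bENV with a
# following space does not match the ENV inside names such as DOCKER_ENV_PASSWORD.
HISTORY_ENV = re.compile(r"\bENV\s+([A-Za-z_][A-Za-z0-9_]*)=(\S*)")


def env_findings(inspect_json: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from Config.Env whose name looks sensitive.

    `docker inspect` prints a JSON array, one object per image given.
    """
    findings = []
    for image in json.loads(inspect_json):
        for entry in image.get("Config", {}).get("Env", []):
            name, _, value = entry.partition("=")
            if SENSITIVE_NAME.search(name):
                findings.append((name, value))
    return findings


def history_findings(history_text: str) -> list[tuple[str, str]]:
    """Return (name, value) for ENV layers whose variable name looks sensitive.

    Reads the CreatedBy column of `docker history`; without --no-trunc Docker
    shortens long commands and the value may be cut off.
    """
    findings = []
    for line in history_text.splitlines():
        match = HISTORY_ENV.search(line)
        if match and SENSITIVE_NAME.search(match.group(1)):
            findings.append((match.group(1), match.group(2)))
    return findings


if __name__ == "__main__":
    for name, value in env_findings(SAMPLE_INSPECT):
        print(f"[inspect] {name} is set in the image config (value: {value})")
    for name, value in history_findings(SAMPLE_HISTORY):
        print(f"[history] {name} is baked into a layer (value: {value})")
```

To run it against a real image, replace the two constants with the captured output of docker inspect and docker history --no-trunc --format '{{.CreatedBy}}' for that image. Note that the history check finds the variable even if a later layer overwrote or unset it, which is the point of the section below: whatever was ever put into a layer stays readable in the registry.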

Why using containers to put secrets in is a bad idea

As you can tell by now, you can easily detect any secret that is stored within a container. Whether it is an ENV, a file, or another property: if a system can read it, so can a human.

Given it is a best practice to let a container be immutable and versioned, you will often end up with the secret within a container forever, unless you remove it again from the registry.

Interesting ENV vars for you to have a look at can be found in this list.