Challenge 4

Welcome to challenge 4. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Docker arg based password

The developer got smarter: now the password is no longer defined by Spring, but by means of a docker container build argument.

You can easily spot it by looking at how the layers got constructed.

Answer to solution:

You can solve this challenge by the following steps:

  1. Use docker history:

    • Download the container.

    • Run docker history --no-trunc jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> with which you can find the arguments used for the container with the given tag.

    • Now try finding the ARG_BASED_PASSWORD.

  2. Visit the Docker-repository online:

    • Go to the WrongSecrets docker repo

    • Take a look at the tag relevant for you. There you can find all the commands used to compose the container. What is the value of ARG_BASED_PASSWORD?

  3. Use Dockle:

    • Install Dockle as described at its GitHub page

    • Run dockle jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> and use its output for your secrets hunt.

  4. Exec into the container and dump the ENV-vars:

    • Start the container locally with docker run jeroenwillemsen/wrongsecrets:<TAGNAME-HERE>

    • Find the container id by doing docker ps in another terminal

    • Do docker exec -it <container id> "/bin/sh"

    • In the container do env.

  5. Use docker inspect to find the ENV-vars:

    • Download the container.

    • Run docker inspect jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> and try to find the Config section and then the Env section. What is the value of ARG_BASED_PASSWORD? Did you know that with jq you can run `docker inspect jeroenwillemsen/wrongsecrets:<TAGNAME-HERE> | jq '.[] | .Config.Env[]'` instead to find it much quicker?

Why using containers to put secrets in is a bad idea

As you can tell by now, you can easily detect any secret that is stored within a container. Whether it is an ENV, a file, or another property: if a system can read it, so can a human.

Given it is a best practice to let a container be immutable and versioned, you will often end up with the secret within a container forever, unless you remove it again from the registry.
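
A check that follows from the point above, as an added example that is not part of the original challenge text or the WrongSecrets project: a shell gate that scans the output of the docker history and docker inspect commands from steps 1 and 5 for secret-looking ARG/ENV names before an image is pushed. The keyword list, the function names and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not WrongSecrets project code): list secret-looking variable
# names found in image build metadata. Feed it lines on stdin, for instance:
#   docker history --no-trunc --format '{{.CreatedBy}}' IMAGE
#   docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' IMAGE

# Prints each suspicious NAME once; values are withheld so the report does
# not leak them again. The keyword list is an assumption; tune it per project.
find_secret_names() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq < 2) continue                       # not a NAME=value token
        name = substr($i, 1, eq - 1)
        if (name !~ /^[A-Za-z_][A-Za-z0-9_]*$/) continue
        if (tolower(name) ~ /(password|passwd|secret|token|api_?key)/ && !(name in seen)) {
          seen[name] = 1
          print name
        }
      }
    }'
}

# Pipeline gate: returns 1 (and reports on stderr) when anything is flagged.
gate_image_metadata() {
  names=$(find_secret_names)
  [ -z "$names" ] && return 0
  printf 'secret-looking build metadata: %s\n' $names >&2
  return 1
}

# Constructed sample shaped like CreatedBy lines; names and values are made up
# except ARG_BASED_PASSWORD, which is the variable this challenge asks about.
sample_history() {
  cat <<'EOF'
ENTRYPOINT ["java" "-jar" "/application.jar"]
ENV ARG_BASED_PASSWORD=constructed-placeholder-value
ARG build_password=constructed-placeholder-value
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
/bin/sh -c #(nop)  CMD ["/bin/sh"]
EOF
}

sample_history | find_secret_names
```

A name-based match only catches variables that are labelled as secrets; a credential stored under an innocuous name still ends up in the layers and needs a value-based scanner to find.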