Challenge 12 ☆☆☆

Welcome to challenge 12. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.


Sometimes large parts of the local filesystem are copied over to the container so that they are available in the container for the convenience of the author.

In this challenge, we did some COPY’ing as well and hid a key there. Note that the key changes on every generation of the docker container, so you’d better extract and use it quickly :).

Try deepfenceio/secretscanning, docker history of the image, or just docker exec against a running container.

Answer to solution :

Why using containers to put secrets in is a bad idea

As you can tell by now, you can easily detect any secret that stored within a container. Whether it is an ENV, a file, or another property: if a system can read it, so can a human.

Given it is a best practice to let a container be immutable and versioned, you will often end up with the secret within a container forever, unless you remove it again from the registry.

Note: when you reduce the amount of executables in a container (so no shell is possible), don’t forget about Openssl client and simple binaries like ls and cat that might have to be removed as well. This helps to prevent an attacker going through the contents of your container.