Challenge 17 ☆☆☆

Welcome to challenge 17. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Bash history

This developer has created a container and has had it running for a while. He uses it for a lot of work and is careful to not hardcode any secrets. When he needs to use secrets, he simply writes them in a Bash command when executing; therefore they disappear as soon as he writes them and remain secret. Right?

We all have little secrets hidden in our past, including Bash. Access the container and see if you can find one.

Answer to solution :

Why entering secrets in bash is a bad idea.

The command line can feel temporary and safe, but it is often being logged. This is a standard feature with most shells. Some do have protections in place, and most tools that request a secret will not print it. However, when writing custom commands these protections are not in place and you can easily shoot yourself in the foot.

Leaking secrets is a little hard to do with a Dockerfile when creating a container. However, if you have a container that you are using regularly, you do not delete it and you are typing in secrets in plaintext, then a malicious actor could use your seemingly innocuous docker container to escalate privileges. Potentially leading them to exploit something a lot more important than your PC.