During a recent engagement, I was doing some post exploitation work on a container once I had gotten root (looking for reused ssh keys and the like for lateral movement). After some time, I happened upon this file:
/root/.docker/config.json and was rewarded with base64 encoded credentials.
Upon further investigation, it turns out this was the result of using
docker login to access a local docker registry, and failing to use
docker logout as part of the provisioning process that was in place.
The resolution is pretty simple: if you use
docker login, don't forget to use
docker logout once you're done. Alternatively, the page for docker login recommends using a credentials store like keychain for OS X, which seems like a reasonable alternative to me.