Vulnerability
During a recent engagement, I was doing some post-exploitation work on a container once I had gotten root (looking for reused SSH keys and the like for lateral movement). After some time, I happened upon this file: /root/.docker/config.json and was rewarded with base64-encoded credentials.
Cause
Upon further investigation, it turns out this was the result of using docker login to access a local docker registry, and failing to use docker logout as part of the provisioning process that was in place.
Fix
The resolution is pretty simple: if you use docker login, don't forget to use docker logout once you're done. Alternatively, the page for docker login recommends using a credentials store like keychain for OS X, which seems like a reasonable alternative to me.
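As an added example (not part of the original post), here is a Python check that a provisioning pipeline could run against config.json to flag registries whose credentials were left in the file. The function name, registry host and sample file contents are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample: the shape docker login leaves behind when no credentials
# store is configured. "YWxpY2U6aHVudGVyMg==" is base64("alice:hunter2").
SAMPLE_PLAINTEXT = json.dumps({
    "auths": {"registry.internal.example:5000": {"auth": "YWxpY2U6aHVudGVyMg=="}}
})
# Constructed sample: same registry, secrets delegated to a credentials store.
SAMPLE_WITH_STORE = json.dumps({
    "auths": {"registry.internal.example:5000": {}},
    "credsStore": "osxkeychain",
})


def audit_docker_config(text):
    """Report registries whose credentials sit in the config file itself.

    Secrets are never returned: only the registry, the field that held the
    secret, and the username when the auth value decodes as user:password.
    """
    cfg = json.loads(text)
    findings = []
    for registry, entry in (cfg.get("auths") or {}).items():
        for field in ("auth", "identitytoken"):
            value = entry.get(field)
            if not value:
                continue  # empty entry: logged out, or secret held by a store
            user = None
            if field == "auth":
                try:
                    decoded = base64.b64decode(value, validate=True).decode("utf-8")
                    user = decoded.split(":", 1)[0]
                except (binascii.Error, UnicodeDecodeError):
                    user = None  # not valid base64 text; still report the field
            findings.append({"registry": registry, "field": field, "user": user})
    return {"creds_store": cfg.get("credsStore"), "inline_credentials": findings}


if __name__ == "__main__":
    for name, sample in (("plaintext", SAMPLE_PLAINTEXT), ("store", SAMPLE_WITH_STORE)):
        print(name, audit_docker_config(sample))
```

Run as the last provisioning step, a non-empty inline_credentials list means docker logout was skipped or no credentials store is in use.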
Resources
https://docs.docker.com/engine/reference/commandline/login/#extended-description