Secrets from DockerHub

Some time ago, a friend built a Docker image for me with AWS credentials inside. He simply pushed it to dockerhub.com and asked me to try it. He did not realise that he had just published secrets in a public repository.

DockerHub API

You may find public repositories by calling the endpoint:

https://hub.docker.com/v2/search/repositories/?query=aa&page=1&page_size=100

Note the query=aa parameter: you may iterate over all two-letter combinations, "ab", "ac" ... "zz", to enumerate repositories.

You can read information about concrete user accounts:

https://hub.docker.com/v2/repositories/balenalib?page_size=100

From this response, you may decide which repositories have the biggest potential to contain secrets. For me, those are quiet and fresh repositories, most likely uploaded by mistake:

  • star_count = 0

  • pull_count < 100

  • is_automated = false

  • is_official = false

Extracting content

You may download the image:

docker pull $IMAGE_NAME

And later you may export its content to a TAR file by calling:

docker save -o output.tar $IMAGE_NAME

Then untar the file, find an application inside it (for example, a JAR), unzip it and search for secrets (for example, in properties files).
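The same save, untar and search step is what a pre-push check against your own image should do, so that a mistake like the one in the introduction is caught before the push. The following is an added example and not code from the original post: it walks every layer of a `docker save` archive and reports files matching credential-shaped patterns; the pattern set and the constructed sample archive (with a made-up key) are assumptions of this example.

```python
import io
import re
import tarfile

PATTERNS = {  # credential shapes; assumption: extend with your own providers' formats
    "aws_access_key_id": re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "private_key_block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
MAX_FILE_BYTES = 10 * 1024 * 1024  # skip very large binaries; tune as needed

def scan_bytes(data):
    return [name for name, rx in PATTERNS.items() if rx.search(data)]

def scan_layer(layer_bytes, layer_name):
    """Scan regular files in one layer tar; raises tarfile.ReadError if not a tar."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        return [(layer_name, m.name, p) for m in layer
                if m.isfile() and m.size <= MAX_FILE_BYTES
                for p in scan_bytes(layer.extractfile(m).read())]

def scan_saved_image(source):
    """Scan a `docker save` archive (path or raw bytes); layers are scanned file by file, other members (manifest, image config with ENV values) directly."""
    fileobj = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else None
    findings = []
    with tarfile.open(name=None if fileobj else source, fileobj=fileobj, mode="r:*") as outer:
        for m in outer:
            if m.isfile():
                data = outer.extractfile(m).read()
                try:
                    findings += scan_layer(data, m.name)
                except tarfile.ReadError:  # not a nested tar: JSON metadata etc.
                    findings += [(m.name, m.name, p) for p in scan_bytes(data)]
    return findings

def _add(tar, name, payload):
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tar.addfile(info, io.BytesIO(payload))

def build_sample_archive():
    """Constructed stand-in for `docker save` output; AKIAEXAMPLEFAKEKEY01 is a made-up key."""
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as t:
        _add(t, "app/config.properties", b"aws.accessKeyId=AKIAEXAMPLEFAKEKEY01\n")
        _add(t, "app/README", b"nothing secret here\n")
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w") as t:
        _add(t, "manifest.json", b'[{"Config":"cfg.json","Layers":["l1/layer.tar"]}]')
        _add(t, "l1/layer.tar", layer.getvalue())
    return outer.getvalue()
```

Run `scan_saved_image("output.tar")` on the archive produced by the command above; a non-empty result means the image should not be pushed.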

Limitations

Of course, DockerHub.com has some limitations. A free account can pull only 200 images per 6 hours, that is, 800 per day.

If you pay $9 per month, you may pull 5,000 images per day.

Warning: I would expect dockerhub.com to store the IP addresses of clients, so it can be a starting point for law enforcement.

Secrets

What can be found in Docker images on DockerHub? I can imagine some examples:

  • AWS root keys

  • deepl.com secret keys

  • OpenAI secret keys

  • database credentials

Monetization

My biggest problem is how to monetize such secrets. As I have proven, mining Monero cryptocurrency on AWS is a joke (around 1% return on the money invested). You may say it is not your money, but to earn $1k, you need to burn around $100k of AWS resources. For me, the profit is too small.

Ideas

Do you have a good idea of how to monetize secrets found in Docker images on DockerHub.com? Let me know!

Contact

Let me know in the comments what you think about this topic!

You can also write a direct message to me: black.hat.developer.online@gmail.com