> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credentials/container/trick-0159.md).

# Credential Harvesting from Docker Inspect

***

Sensitive configuration details, particularly environment variables containing credentials, are often stored within Docker containers. These variables are typically passed to a container when it is initially run using the `-e` or `--env` flag, allowing configuration without building secrets directly into the image. For instance, when setting up a MySQL database container, mandatory and optional environment variables are used:

```bash
docker run --name mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw -p 3306:3306 -d mysql:latest
```

In this example, the `-e MYSQL_ROOT_PASSWORD=my-secret-pw` part sets the root password. Other variables like `MYSQL_DATABASE`, `MYSQL_USER`, and `MYSQL_PASSWORD` are also commonly set this way.

If access to `docker inspect` is available, either directly or through a wrapper script (like `system-checkup.py` in this case), these sensitive environment variables can often be extracted. The `docker inspect` command returns low-level information about Docker objects, including containers. To retrieve environment variables specifically, one can specify a format string to target relevant sections of the container's configuration, such as `.Config.Env`, which holds environment variables.

For example, using a wrapper script providing access to `docker inspect` on a container named `mysql_db`:

```bash
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' mysql_db | jq
```

This command targets the configuration (`.Config`) of the `mysql_db` container, formats it as JSON, and pipes it to `jq` to reveal environment variables such as `MYSQL_ROOT_PASSWORD` or `MYSQL_PASSWORD` if present within the container's environment configuration.

Alternatively, the `docker inspect` command can be used directly with a format string targeting the environment variables:

```bash
docker inspect --format '{{ .Config.Env }}' <container_id_or_name>
```

This command will output a list of environment variables in a simple list format. To get each variable on a new line, a different format string can be used:

```bash
docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' <container_id_or_name>
```

Piping the JSON output from `docker inspect` to `jq` is a common method to parse the data and extract specific fields, like the environment variables found under `.Config.Env`.

```bash
docker inspect <container_id_or_name> | jq '.[0].Config.Env'
```

Another way to view the environment variables is to execute the `env` or `printenv` command directly inside the running container using `docker exec`:

```bash
docker exec <container_id_or_name> env
```

or

```bash
docker exec <container_id_or_name> printenv
```

This provides the environment variables as seen by the processes running inside the container. These methods highlight that anyone with sufficient privileges to run `docker inspect` or `docker exec` on a host can potentially retrieve sensitive information passed to containers via environment variables.
