Writeup by iv3l for Layer Cake 2/3

intro forensics docker

April 13, 2025

Again we download the Docker image and run it, then check its history.

$ sudo docker history anssi/fcsc2024-forensics-layer-cake-2
[sudo] password for kali:
IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
03014d9fc480   12 months ago   CMD ["/bin/sh"]                                 0B        buildkit.dockerfile.v0
<missing>      12 months ago   USER guest                                      0B        buildkit.dockerfile.v0
<missing>      12 months ago   RUN /bin/sh -c rm /tmp/secret # buildkit        0B        buildkit.dockerfile.v0
<missing>      12 months ago   COPY secret /tmp # buildkit                     71B       buildkit.dockerfile.v0
<missing>      14 months ago   /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B
<missing>      14 months ago   /bin/sh -c #(nop) ADD file:37a76ec18f9887751…   7.38MB

We can see that a file named secret was copied into /tmp and then deleted in a later step. Because the image is built from layers, the layer created by the COPY step still holds the file, so we can extract the layers and look for it.

# find image ID
$ sudo docker images
REPOSITORY                              TAG       IMAGE ID       CREATED         SIZE
anssi/fcsc2024-forensics-layer-cake-2   latest    03014d9fc480   12 months ago   7.38MB

# save the image to a tar archive
$ sudo docker save -o layercake2.tar 03014d9fc480

# extract the archive into the current directory
$ sudo tar xvf layercake2.tar
blobs/
blobs/sha256/
blobs/sha256/03014d9fc4801b1810b112fd53e05e35ea127e55c82d1304b5622cfe257c0ad8
blobs/sha256/50a0303499bb5e208319a16317bde238b259b74945b7f5ec214743404c6c8323
blobs/sha256/66a34fd7d1ee6e3435fd8975d276cea87c0a525ff13a88a4b19e5fc406e1d4e5
blobs/sha256/6a14d402103eb7eb354cf8f4ee043886f74a44b8cc912239e68561140a1d27cb
blobs/sha256/aa6a5e1de1984008d10132de21845c0fa3c4e07be027ce81fa90e0763dae188c
blobs/sha256/d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820
blobs/sha256/eebed19322aaa0082058596cc4cff6c33253f1ce4327e9ae4399edb2f657242e
blobs/sha256/fe62c480fd0c4bba858571806e7474fa5aa061ce78292de1988db0cd54d494b6
index.json
manifest.json
oci-layout

Then we create 8 layer directories and, using the hashes, extract each layer into one of them. I quickly did all 8, and the 7th gave me the correct layer.

$ mkdir layer1
# general form: tar xvf <layer_hash> -C layer1
$ sudo tar xvf blobs/sha256/eebed19322aaa0082058596cc4cff6c33253f1ce4327e9ae4399edb2f657242e -C layer1
$ cd layer1
$ ls
tmp
$ cd tmp
$ ls
secret
$ sudo cat secret
FCSC{b38095916b2b578109cbf35b8be713b04a64b2b2df6d7325934be63b7566be3b}
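
The manual walk through the blobs can be automated: manifest.json in the saved archive lists the layers in order, and a layer records a deletion as a whiteout entry named .wh.<name>. The Python below is an added example, not part of the original writeup; it also handles opaque directory markers (.wh..wh..opq), which goes beyond the single deleted file seen here. The sample archive, its blob names and the flag-like string are constructed so that it runs offline.

```python
import io
import json
import posixpath
import tarfile

def recover_deleted(image_tar):
    """Map path -> (layer blob, content) for files a later layer removed, from a `docker save` file object."""
    seen, deleted = {}, {}  # seen: path -> (layer blob name, file bytes)
    with tarfile.open(fileobj=image_tar, mode="r:") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:  # listed base layer first
            blob = io.BytesIO(image.extractfile(layer_name).read())
            with tarfile.open(fileobj=blob, mode="r:*") as layer:  # tar or tar.gz
                for member in layer:
                    path = posixpath.normpath(member.name)
                    folder, name = posixpath.split(path)
                    if name == ".wh..wh..opq":  # opaque marker: hides the directory's lower content
                        hidden = folder
                    elif name.startswith(".wh."):  # whiteout: hides one path
                        hidden = posixpath.join(folder, name[4:])
                    else:
                        if member.isfile():
                            seen[path] = (layer_name, layer.extractfile(member).read())
                        continue
                    for p in [p for p in seen if seen[p][0] != layer_name
                              and (p == hidden or p.startswith(hidden + "/"))]:
                        deleted[p] = seen.pop(p)
    return deleted

def _tar(files):
    """Build an in-memory tar from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed stand-in for a `docker save` archive: COPY, then rm."""
    layers = [{"bin/sh": b"stub\n"}, {"tmp/secret": b"CONSTRUCTED{not-a-real-flag}\n"},
              {"tmp/.wh.secret": b""}]
    files = {f"blobs/sha256/constructed-layer-{i}": _tar(l) for i, l in enumerate(layers)}
    files["manifest.json"] = json.dumps([{"Layers": list(files)}]).encode()
    return io.BytesIO(_tar(files))

if __name__ == "__main__":
    print(recover_deleted(build_sample_image()))
```

On a real archive, pass open("layercake2.tar", "rb") to recover_deleted instead of the constructed sample.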