Again, we pull the Docker image and run it, then check its history.
$ sudo docker history anssi/fcsc2024-forensics-layer-cake-2
[sudo] password for kali:
IMAGE CREATED CREATED BY SIZE COMMENT
03014d9fc480 12 months ago CMD ["/bin/sh"] 0B buildkit.dockerfile.v0
<missing> 12 months ago USER guest 0B buildkit.dockerfile.v0
<missing> 12 months ago RUN /bin/sh -c rm /tmp/secret # buildkit 0B buildkit.dockerfile.v0
<missing> 12 months ago COPY secret /tmp # buildkit 71B buildkit.dockerfile.v0
<missing> 14 months ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B
<missing> 14 months ago /bin/sh -c #(nop) ADD file:37a76ec18f9887751… 7.38MB
We can see that a file named secret was copied into /tmp and then deleted.
Because the image is built from layers, deleting the file in a later layer does not remove it from the layer that added it, so we can extract the layers and look for it.
# find image ID
$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
anssi/fcsc2024-forensics-layer-cake-2 latest 03014d9fc480 12 months ago 7.38MB
# save the image to a tar archive
$ sudo docker save -o layercake2.tar 03014d9fc480
# extract the archive to the current directory
$ sudo tar xvf layercake2.tar
blobs/
blobs/sha256/
blobs/sha256/03014d9fc4801b1810b112fd53e05e35ea127e55c82d1304b5622cfe257c0ad8
blobs/sha256/50a0303499bb5e208319a16317bde238b259b74945b7f5ec214743404c6c8323
blobs/sha256/66a34fd7d1ee6e3435fd8975d276cea87c0a525ff13a88a4b19e5fc406e1d4e5
blobs/sha256/6a14d402103eb7eb354cf8f4ee043886f74a44b8cc912239e68561140a1d27cb
blobs/sha256/aa6a5e1de1984008d10132de21845c0fa3c4e07be027ce81fa90e0763dae188c
blobs/sha256/d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820
blobs/sha256/eebed19322aaa0082058596cc4cff6c33253f1ce4327e9ae4399edb2f657242e
blobs/sha256/fe62c480fd0c4bba858571806e7474fa5aa061ce78292de1988db0cd54d494b6
index.json
manifest.json
oci-layout
Then we create 8 layer directories and, using the hashes, extract each blob into its own directory. I quickly did all 8, and the 7th gave me the correct layer.
$ mkdir layer1
$ tar xvf <first_layer_hash> -C layer1
$ sudo tar xvf blobs/sha256/eebed19322aaa0082058596cc4cff6c33253f1ce4327e9ae4399edb2f657242e -C layer1
$ cd layer1
$ ls
tmp
$ cd tmp
$ ls
secret
$ sudo cat secret
FCSC{b38095916b2b578109cbf35b8be713b04a64b2b2df6d7325934be63b7566be3b}
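Instead of unpacking all 8 blobs by hand, the layer order can be read from manifest.json and the deleted file found by its whiteout marker (a later layer records the deletion of tmp/secret as an entry named tmp/.wh.secret). The script below is an added example, not part of the original write-up; the function names and the sample image are constructed for illustration, and it assumes the manifest.json layout with a "Layers" list that docker save writes.

```python
import io
import json
import posixpath
import tarfile


def deleted_files(image):
    """Map path -> (layer blob, bytes) for files that a later layer whited out."""
    seen, recovered = {}, {}
    with tarfile.open(fileobj=image) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for blob in manifest[0]["Layers"]:  # listed base layer first
            raw = io.BytesIO(outer.extractfile(blob).read())
            with tarfile.open(fileobj=raw, mode="r:*") as layer:
                for member in layer:
                    folder, name = posixpath.split(posixpath.normpath(member.name))
                    if name.startswith(".wh."):
                        # whiteout marker: this layer deletes folder/<name without .wh.>
                        victim = posixpath.join(folder, name[4:])
                        if victim in seen:
                            recovered[victim] = seen[victim]
                    elif member.isfile():
                        content = layer.extractfile(member).read()
                        seen[posixpath.join(folder, name)] = (blob, content)
    return recovered


def _tar(files):
    # Helper (hypothetical): build an in-memory tar from {name: bytes}.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed three-layer image: one layer adds tmp/secret, the next deletes it."""
    layers = {
        "blobs/sha256/layer-a": _tar({"bin/sh": b"#!stub"}),
        "blobs/sha256/layer-b": _tar({"tmp/secret": b"CONSTRUCTED{not-a-real-flag}"}),
        "blobs/sha256/layer-c": _tar({"tmp/.wh.secret": b""}),
    }
    manifest = json.dumps([{"Layers": list(layers)}]).encode()
    return io.BytesIO(_tar({"manifest.json": manifest, **layers}))


if __name__ == "__main__":
    for path, (blob, data) in deleted_files(build_sample_image()).items():
        print(f"{path} (from {blob}): {data!r}")
```

To run it on the real archive, pass `open("layercake2.tar", "rb")` to `deleted_files`; nothing is written to disk, so layer contents are only read, never extracted.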