Writeup by totoiste for Layer Cake 2/3

intro forensics docker

June 30, 2024

To solve this one, you need to install docker on your side.

Then, to inspect the files in the image (Linux commands):

$ docker save anssi/fcsc2024-forensics-layer-cake-2 > layercake2.tar
$ mkdir layercake2
$ tar xvf layercake2.tar -C layercake2

You should have these:

$ ls -la layercake2
drwxr-xr-x  5 totoiste totoiste 4096 Jun 30 19:39 .
drwx------ 10 totoiste totoiste 4096 Jun 30 19:40 ..
-rw-r--r--  1 totoiste totoiste 1471 Mar 25 10:05 03014d9fc4801b1810b112fd53e05e35ea127e55c82d1304b5622cfe257c0ad8.json
drwxr-xr-x  2 totoiste totoiste 4096 Mar 25 10:05 84735535b8f006a23870482d13039fa74fc009506abd064f7d3e207b334265ad
drwxr-xr-x  2 totoiste totoiste 4096 Mar 25 10:05 ab84cac537173dda17abe9ec841571b290e31f60b81f5622558b9dc85f9a1ae9
drwxr-xr-x  2 totoiste totoiste 4096 Mar 25 10:05 e6d55b6d9408ba898bc99e370536259f5baa6cfbc0963313689eca342c17ed31
-rw-r--r--  1 totoiste totoiste  387 Jan  1  1970 manifest.json
-rw-r--r--  1 totoiste totoiste  120 Jan  1  1970 repositories

In the image layer details we can see that there is a file named secret.

In each directory there is a tar file named layer.tar, so before searching for the secret file we have to untar these.

$ find layercake2 -name "*.tar" -exec tar -xvf {} -C layercake2 \;
$ find layercake2 -name "secret" -ls
  4602582      4 -r--------   1 totoiste totoiste       71 Mar 25 10:05 ./tmp/secret
$ cat layercake2/tmp/secret
[REDACTED]
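
The same search can be done without unpacking anything to disk. The following is an added example, not part of the original writeup: it reads manifest.json from the docker save archive, walks the layers in manifest order and reports every entry named secret, plus any .wh.secret whiteout marker (the entry a layer uses to record a deletion), which goes slightly beyond the steps above. The sample image, its layer names and the flag-like string are constructed for the demonstration.

```python
import io
import json
import tarfile


def find_in_layers(image_tar: bytes, name: str):
    """Return (layer_path, member_path, content) for every layer entry whose
    basename is `name` or its whiteout marker `.wh.<name>`, in manifest order.
    content is None for whiteout markers."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_path).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer:
                    base = member.name.rsplit("/", 1)[-1]
                    if base == name and member.isfile():
                        hits.append((layer_path, member.name,
                                     layer.extractfile(member).read()))
                    elif base == ".wh." + name:
                        hits.append((layer_path, member.name, None))
    return hits


def _tar_bytes(files: dict) -> bytes:
    """Build a tar archive in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image: layer aaa adds tmp/secret, layer bbb deletes it."""
    manifest = [{"Config": "cfg.json", "RepoTags": ["example/constructed:latest"],
                 "Layers": ["aaa/layer.tar", "bbb/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "aaa/layer.tar": _tar_bytes({"tmp/secret": b"CONSTRUCTED{not-the-real-flag}\n"}),
        "bbb/layer.tar": _tar_bytes({"tmp/.wh.secret": b""}),
    })


if __name__ == "__main__":
    for layer, path, content in find_in_layers(build_sample_image(), "secret"):
        print(layer, path, "whiteout (deleted here)" if content is None else content)
```

On a real image, pass the bytes of layercake2.tar instead of the constructed sample; nothing from the archive is written to the filesystem.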