Print image history:
$ sudo docker history anssi/fcsc2024-forensics-layer-cake-3
IMAGE CREATED CREATED BY SIZE COMMENT
269cd0c184df N/A 34.2MB
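Inspect the image (the history above shows no build commands, so the image configuration is the next place to look):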
$ sudo docker inspect anssi/fcsc2024-forensics-layer-cake-3
[
{
"Id": "sha256:269cd0c184df7781e86c030d8270e686b3f07ef203f56f209370ac0ad674ef35",
"RepoTags": [
"anssi/fcsc2024-forensics-layer-cake-3:latest"
],
"RepoDigests": [
"anssi/fcsc2024-forensics-layer-cake-3@sha256:f11c3351c870c7839ce1a266c71307ae11de11b9261137e89b32fca07ba457e4"
],
"Parent": "",
"Comment": "",
"Created": "1970-01-01T00:00:01Z",
"DockerVersion": "",
"Author": "",
"Config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [],
"Cmd": [
"/nix/store/m8ww0n3iqndg8zaiwbsnij6rvmpmjbry-hello/bin/hello"
],
"Image": "",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": null
},
"Architecture": "amd64",
"Os": "linux",
"Size": 34210387,
"GraphDriver": {
"Data": {
"MergedDir": "/var/lib/docker/overlay2/222c68c8c18c1de16d1c810d415611cb3c7a604f84680687c1679baa1bb2930f/merged",
"UpperDir": "/var/lib/docker/overlay2/222c68c8c18c1de16d1c810d415611cb3c7a604f84680687c1679baa1bb2930f/diff",
"WorkDir": "/var/lib/docker/overlay2/222c68c8c18c1de16d1c810d415611cb3c7a604f84680687c1679baa1bb2930f/work"
},
"Name": "overlay2"
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:8ea6eb4812d48d7aee7de57a65ba99e4d3c3958fee6eb973419cf7aace4c7fec"
]
},
"Metadata": {
"LastTagTime": "0001-01-01T00:00:00Z"
}
}
]
We try the same method as in Layer Cake 2:
- We create a tar file from the Docker image (`docker save`)
- Extract it, then extract the layer blob it contains
$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
anssi/fcsc2024-forensics-layer-cake-3 latest 269cd0c184df 55 years ago 34.2MB
$ sudo docker save -o layercake3.tar 269cd0c184df
# we can use the manifest.json file to list the layers
# but as there is only one real layer, it is fairly obvious
$ cat manifest.json
[{"Config":"blobs/sha256/269cd0c184df7781e86c030d8270e686b3f07ef203f56f209370ac0ad674ef35","RepoTags":null,"Layers":["blobs/sha256/8ea6eb4812d48d7aee7de57a65ba99e4d3c3958fee6eb973419cf7aace4c7fec"],"LayerSources":{"sha256:8ea6eb4812d48d7aee7de57a65ba99e4d3c3958fee6eb973419cf7aace4c7fec":{"mediaType":"application/vnd.oci.image.layer.v1.tar","size":35153920,"digest":"sha256:8ea6eb4812d48d7aee7de57a65ba99e4d3c3958fee6eb973419cf7aace4c7fec"}}}]
$ mkdir layer_8ea6eb4812d4
$ sudo tar xvf blobs/sha256/8ea6eb4812d48d7aee7de57a65ba99e4d3c3958fee6eb973419cf7aace4c7fec -C layer_8ea6eb4812d4
$ ll
total 28
dr-xr-xr-x 6 root root 4096 Jan 1 1980 1rm6sr6ixxzipv5358x0cmaw8rs84g2j-glibc-2.38-44
dr-xr-xr-x 3 root root 4096 Jan 1 1980 3sxwxqzkkrgpgaibkm27ggb9kjbzdy31-xgcc-13.2.0-libgcc
dr-xr-xr-x 4 root root 4096 Jan 1 1980 5lr5n3qa4day8l1ivbwlcby2nknczqkq-bash-5.2p26
dr-xr-xr-x 3 root root 4096 Jan 1 1980 77yhmwrwism02371kzyda4d127kdwdnf-libunistring-1.1
dr-xr-xr-x 3 root root 4096 Jan 1 1980 m8ww0n3iqndg8zaiwbsnij6rvmpmjbry-hello
dr-xr-xr-x 4 root root 4096 Jan 1 1980 n9sq1bvghs9z0qg6cmwg27y4jmszwgqi-libidn2-2.3.7
dr-xr-xr-x 4 root root 4096 Jan 1 1980 rnxji3jf6fb0nx2v0svdqpj9ml53gyqh-hello-2.12.1
# the m8ww...-hello directory is the path named in "Cmd" in the inspect output, so it contains the executable the container runs
$ cd m8ww0n3iqndg8zaiwbsnij6rvmpmjbry-hello/bin
$ ll
total 4
-r-xr-xr-x 1 root root 219 Jan 1 1980 hello
$ cat hello
#!/nix/store/5lr5n3qa4day8l1ivbwlcby2nknczqkq-bash-5.2p26/bin/bash
exec /nix/store/rnxji3jf6fb0nx2v0svdqpj9ml53gyqh-hello-2.12.1/bin/hello -g "FCSC{c12d9a48f1635354fe9c32b216f144ac66f7b8466a5ac82a35aa385964ccbb61}" -t
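Here is the flag; it is hard-coded as a command-line argument in the wrapper script, so it sits in plain text inside the image layer: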
FCSC{c12d9a48f1635354fe9c32b216f144ac66f7b8466a5ac82a35aa385964ccbb61}