Nous récupérons l’image :
docker pull anssi/fcsc2024-forensics-layer-cake-1
La commande docker history permet de récupérer les commandes utilisées pour bâtir une image :
docker history anssi/fcsc2024-forensics-layer-cake-1:latest
IMAGE CREATED CREATED BY SIZE COMMENT
0faa62781dd1 12 months ago CMD ["/bin/sh"] 0B buildkit.dockerfile.v0
<missing> 12 months ago USER guest 0B buildkit.dockerfile.v0
<missing> 12 months ago ARG FIRST_FLAG=FCSC{xxxxxxxx… 0B buildkit.dockerfile.v0
<missing> 12 months ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B
<missing> 12 months ago /bin/sh -c #(nop) ADD file:37a76ec18f9887751… 7.38MB
Le script suivant permet d’obtenir le flag :
docker pull anssi/fcsc2024-forensics-layer-cake-1
docker history --no-trunc anssi/fcsc2024-forensics-layer-cake-1:latest | grep --only-matching 'FCSC{[0-9a-fA-F]*}'
Le résultat est le suivant :
Using default tag: latest
latest: Pulling from anssi/fcsc2024-forensics-layer-cake-1
4abcf2066143: Already exists
Digest: sha256:e076eb7bc9ef18441fef7e73a08a305c5a1b631dd6789d0fc4f75c25d8c225b3
Status: Downloaded newer image for anssi/fcsc2024-forensics-layer-cake-1:latest
docker.io/anssi/fcsc2024-forensics-layer-cake-1:latest
FCSC{xxxxxxxx}