First, we pull the image:
remnux@remnux:~$ docker pull anssi/fcsc2024-forensics-layer-cake-2
Following the hints given in the challenge statement, a bit of research leads us to this article:
Finding API secrets in hidden layers within Docker containers - Dana Epp’s Blog
The article mentions a tool that seems to fit our need perfectly:
https://github.com/wagoodman/dive
$ dive anssi/fcsc2024-forensics-layer-cake-2
Based on the article mentioned above, we can rely on the information in its “Accessing Files in Hidden Layers” section:
remnux@remnux:~$ sudo ls /var/lib/docker/overlay2
01a61afe91f7a0be0cd7897c127813949c86d3f733175bf85c3f57f041001008 829f21d4d630e5b100c8c6e63bf1809b5fb650f538a2d769e002dfe6a371a162
13ecccaee8ce914c1d5cb0e8eedf86bda70aac9833d5a6076518aa47b2606b0f cf23b47b021ca96827d97b14fa1778a6245a44bff9630f030b8d2936fef7974e
18bd7414c7c0c0802714a6b487dc5a7231a0c252d6ee1dc14b03c82ab0130b0a dc5a719d3e41884f9956d3941202d043a522d9b326b43aaf153e0807785592e8
1ef638fef64900112b0ff0d1343cd3948794c3097d89a11d924ea6355fccdc47 dc5a719d3e41884f9956d3941202d043a522d9b326b43aaf153e0807785592e8-init
1ef638fef64900112b0ff0d1343cd3948794c3097d89a11d924ea6355fccdc47-init f957b2d0ac009873e6f0dc084cd2d8d9d61e9c82c3d6908bba7070ba488c5304
41055c50e7ae35bfea46f40df7b3212122cce64560a60f1f5015508759ee982a l
41055c50e7ae35bfea46f40df7b3212122cce64560a60f1f5015508759ee982a-init
remnux@remnux:~$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
anssi/fcsc2024-forensics-layer-cake-2 latest 03014d9fc480 13 days ago 7.38MB
anssi/fcsc2024-welcome-docker latest 695786bdcdab 13 days ago 5.29MB
anssi/fcsc2024-forensics-layer-cake-1 latest 0faa62781dd1 2 months ago 7.38MB
remnux@remnux:~$ docker image inspect anssi/fcsc2024-forensics-layer-cake-2 | jq '.[].GraphDriver.Data.UpperDir + ":" + .[].GraphDriver.Data.LowerDir | split(":") | reverse'
[
"/var/lib/docker/overlay2/01a61afe91f7a0be0cd7897c127813949c86d3f733175bf85c3f57f041001008/diff",
"/var/lib/docker/overlay2/13ecccaee8ce914c1d5cb0e8eedf86bda70aac9833d5a6076518aa47b2606b0f/diff",
"/var/lib/docker/overlay2/829f21d4d630e5b100c8c6e63bf1809b5fb650f538a2d769e002dfe6a371a162/diff"
]
remnux@remnux:~$ sudo ls /var/lib/docker/overlay2/13ecccaee8ce914c1d5cb0e8eedf86bda70aac9833d5a6076518aa47b2606b0f/diff
tmp
remnux@remnux:~$ sudo ls /var/lib/docker/overlay2/13ecccaee8ce914c1d5cb0e8eedf86bda70aac9833d5a6076518aa47b2606b0f/diff/tmp
secret
remnux@remnux:~$ sudo ls /var/lib/docker/overlay2/13ecccaee8ce914c1d5cb0e8eedf86bda70aac9833d5a6076518aa47b2606b0f/diff/tmp/secret
/var/lib/docker/overlay2/13ecccaee8ce914c1d5cb0e8eedf86bda70aac9833d5a6076518aa47b2606b0f/diff/tmp/secret
remnux@remnux:~$ sudo ls -la /var/lib/docker/overlay2/13ecccaee8ce914c1d5cb0e8eedf86bda70aac9833d5a6076518aa47b2606b0f/diff/tmp
total 12
drwxrwxrwt 2 root root 4096 Mar 25 05:05 .
drwxr-xr-x 3 root root 4096 Apr 7 05:46 ..
-r-------- 1 405 root 71 Mar 25 05:05 secret
remnux@remnux:~$ sudo cat /var/lib/docker/overlay2/13ecccaee8ce914c1d5cb0e8eedf86bda70aac9833d5a6076518aa47b2606b0f/diff/tmp/secret
FCSC{b38095916b2b578109cbf35b8be713b04a64b2b2df6d7325934be63b7566be3b}
We got it! ;)
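An added example (not from the original write-up): the manual walk above as a Python script that orders the overlay2 diff directories the same way as the jq expression and records which layer wrote each file, which is a useful check before publishing an image. It goes slightly beyond the page by also flagging overlayfs whiteouts (character devices with device number 0/0), meaning files that a later layer deleted; the function names are hypothetical and the overlay2 storage driver is assumed.

```python
import json
import os
import stat
import sys

def layer_diff_dirs(inspect_json):
    """Return the image's overlay2 diff directories, base layer first.

    Same ordering as the jq expression above:
    UpperDir + ":" + LowerDir, split on ":", reversed.
    """
    data = json.loads(inspect_json)[0]["GraphDriver"]["Data"]
    lower = data.get("LowerDir")  # absent when the image has a single layer
    parts = [data["UpperDir"]] + (lower.split(":") if lower else [])
    return list(reversed(parts))

def scan_layers(dirs):
    """Walk each diff directory (base first) and return (added, hidden).

    added:  {relative path: index of the last layer that wrote it}
    hidden: {relative path: index of the layer that wrote it}, for files
            that a later layer removed with a whiteout entry.
    Only file whiteouts are handled; directory whiteouts are not expanded.
    """
    added, hidden = {}, {}
    for idx, root in enumerate(dirs):
        for cur, _subdirs, names in os.walk(root):
            for name in names:
                full = os.path.join(cur, name)
                rel = os.path.relpath(full, root)
                st = os.lstat(full)
                if stat.S_ISCHR(st.st_mode) and st.st_rdev == 0:
                    # overlayfs whiteout: this layer deleted the path
                    if rel in added:
                        hidden[rel] = added.pop(rel)
                else:
                    added[rel] = idx
    return added, hidden

if __name__ == "__main__":
    # usage: docker image inspect IMAGE | sudo python3 scan_layers.py
    added, hidden = scan_layers(layer_diff_dirs(sys.stdin.read()))
    for rel, idx in sorted(added.items()):
        print(f"layer {idx}: {rel}")
    for rel, idx in sorted(hidden.items()):
        print(f"layer {idx}: {rel} (deleted by a later layer)")
```

Root is needed to read /var/lib/docker/overlay2, as in the session above; layer 0 is the base layer.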