From b5b9cf7a1f61d004d7d53584d029c19302c63ba0 Mon Sep 17 00:00:00 2001 From: Aria Date: Sun, 1 Oct 2023 17:23:09 +0100 Subject: initial commit --- punkctf/docker_03.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 punkctf/docker_03.md (limited to 'punkctf/docker_03.md') diff --git a/punkctf/docker_03.md b/punkctf/docker_03.md new file mode 100644 index 0000000..9e7ea7a --- /dev/null +++ b/punkctf/docker_03.md @@ -0,0 +1,12 @@ + +Similar to the last one, we only have a hash of the flag in `/root/flag`. +If we look at the build steps with `docker image history --no-trunc challenge`, it is now copying the file, hashing it then removing it. + +Docker images consist of many layers in a specific order, where each layer modifies the filesystem in some way. Each build instruction maps to at most one layer. When we add the flag file, a new layer is created with it in it, and even if we remove the flag later, that layer is still part of our image. + +To get to it, we save the image as a tar (`docker save challenge > challenge.tar`), then extract it. + +Each layer has a folder with a long hash, and a `layer.tar` inside that. +To quickly search through them all, I used this command:`find -iname '*.tar' -exec sh -c 'echo {}; tar -tf {} | grep FLAG' \;` - this prints out the layer hash, followed by all files inside it containing `FLAG`. + +We see only one layer has the `FLAG` file, and once we extract it we can read `opt/flag` to get `punk_{53GAEP9LAWODTO0T}`. -- cgit v1.2.3
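Review bot: The `find` one-liner in the "To quickly search through them all" paragraph splices `{}` directly into the `sh -c` string, so a layer path containing spaces or shell metacharacters would be parsed as shell code, and omitting the starting path relies on GNU find. Pass the path as a positional argument instead, for example `find . -iname '*.tar' -exec sh -c 'echo "$1"; tar -tf "$1" | grep FLAG' _ {} \;`. The same paragraph describes the output as files "containing `FLAG`", but `tar -tf` lists member names, so the match is on paths whose names contain `FLAG`, not on file contents. The case-sensitive `grep FLAG` also would not match the `opt/flag` path quoted in the final paragraph, so either that path or the pattern (`grep -i`) needs correcting. A space is missing after "command:".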