FCSC2024 - Layer Cake

Layer cake write-up | FCSC 2024

A GoodCorp developer wants to publish a new Docker image. He uses an environment variable storing a flag at build time, and assures you that this secret is not visible to the public. The image is anssi/fcsc2024-forensics-layer-cake-1. Retrieve this flag and prove him wrong.

First, we pull the Docker image:

docker pull anssi/fcsc2024-forensics-layer-cake-1

The challenge tells us that the developer uses an environment variable declared during the build. Every Dockerfile instruction, ARG included, is recorded in the image history. In other words, that's a layer!

Let's check the layers:

sudo docker history anssi/fcsc2024-forensics-layer-cake-1

IMAGE          CREATED        CREATED BY                                      SIZE      COMMENT
0faa62781dd1   2 months ago   CMD ["/bin/sh"]                                 0B        buildkit.dockerfile.v0
<missing>      2 months ago   USER guest                                      0B        buildkit.dockerfile.v0
<missing>      2 months ago   ARG FIRST_FLAG=FCSC{a1240d90ebeed7c6c422969e…   0B        buildkit.dockerfile.v0
<missing>      2 months ago   /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B
<missing>      2 months ago   /bin/sh -c #(nop) ADD file:37a76ec18f9887751…   7.37MB

The problem is that the flag is truncated in this output. To see the full value, we can use --no-trunc:

docker history --no-trunc anssi/fcsc2024-forensics-layer-cake-1


IMAGE                                                                     CREATED        CREATED BY                                                                                          SIZE      COMMENT
sha256:0faa62781dd1db0ebb6cd83836bb4ba24f8b58b0cd761ac0cbae426bccc7666f   2 months ago   CMD ["/bin/sh"]                                                                                     0B        buildkit.dockerfile.v0
<missing>                                                                 2 months ago   USER guest                                                                                          0B        buildkit.dockerfile.v0
<missing>                                                                 2 months ago   ARG FIRST_FLAG=FCSC{a1240d90ebeed7c6c422969ee529cc3e1046a3cf337efe51432e49b1a27c6ad2}               0B        buildkit.dockerfile.v0
<missing>                                                                 2 months ago   /bin/sh -c #(nop)  CMD ["/bin/sh"]                                                                  0B
<missing>                                                                 2 months ago   /bin/sh -c #(nop) ADD file:37a76ec18f9887751cd8473744917d08b7431fc4085097bb6a09d81b41775473 in /    7.37MB

And then we get the flag!

FCSC{a1240d90ebeed7c6c422969ee529cc3e1046a3cf337efe51432e49b1a27c6ad2}

A GoodCorp developer wants to publish a new Docker image. At build time he copies a file containing a flag, then deletes it. He assures you that this secret is not visible to the public. The image is anssi/fcsc2024-forensics-layer-cake-2. Retrieve this flag and prove him wrong.

Let's start by pulling the image:

sudo docker pull anssi/fcsc2024-forensics-layer-cake-2

Next, we save the image as a tar archive. To do that, we first have to find the image ID:

sudo docker image ls


REPOSITORY                              TAG       IMAGE ID       CREATED        SIZE
anssi/fcsc2024-forensics-layer-cake-2   latest    03014d9fc480   2 weeks ago    7.37MB

Now let's save the image:

sudo docker save 03014d9fc480 -o layer-cake-2.tar

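A file deleted in a later build step still exists in the earlier layer stored inside the archive, so it's grep time!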

grep -a FCSC layer-cake-2.tar

[...]
FCSC{b38095916b2b578109cbf35b8be713b04a64b2b2df6d7325934be63b7566be3b}

A GoodCorp developer wants to publish a new Docker image. After his mishaps with Dockerfiles, he decides to use Nix to build his image. Using Nix, he passes a flag as an argument to a service. He assures you that this secret is not visible to the public. The image is anssi/fcsc2024-forensics-layer-cake-3. Retrieve this flag and prove him wrong.

For this challenge, I used the same method as the 2/3 challenge.

Let's start by pulling the image:

sudo docker pull anssi/fcsc2024-forensics-layer-cake-3

Next, we save the image as a tar archive. To do that, we first have to find the image ID:

sudo docker image ls

REPOSITORY                              TAG       IMAGE ID       CREATED        SIZE
anssi/fcsc2024-forensics-layer-cake-3   latest    269cd0c184df   54 years ago   34.2MB

Now let's save the image:

sudo docker save 269cd0c184df -o CTF/fcsc/forensic/layer-cake-3.tar

It’s grep time!

grep -a FCSC CTF/fcsc/forensic/layer-cake-3.tar

exec /nix/store/rnxji3jf6fb0nx2v0svdqpj9ml53gyqh-hello-2.12.1/bin/hello -g "FCSC{c12d9a48f1635354fe9c32b216f144ac66f7b8466a5ac82a35aa385964ccbb61}" -t

Here's the flag:

FCSC{c12d9a48f1635354fe9c32b216f144ac66f7b8466a5ac82a35aa385964ccbb61}
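
The three recoveries above all come down to reading a docker save archive, so a publisher can run the same check before pushing. The script below is an added example, not part of the original write-up: it reads manifest.json, searches the build history of the image config, and then searches every file in every layer. The sample archive, its file names and the values FCSC{aa11} and FCSC{bb22} are constructed for the demonstration.

```python
import io, json, re, sys, tarfile

PATTERN = re.compile(rb"FCSC\{[0-9a-f]+\}")  # flag format grepped for on this page

def scan_image(fileobj):
    """Return sorted (location, match) pairs found in a `docker save` archive."""
    hits = set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as img:
        for entry in json.load(img.extractfile("manifest.json")):
            # Image config: the history keeps every build step, ARG values included.
            config = json.load(img.extractfile(entry["Config"]))
            for step in config.get("history", []):
                for m in PATTERN.findall(step.get("created_by", "").encode()):
                    hits.add(("history", m.decode()))
            # Each layer is a nested tar; deleting a file later only adds a
            # ".wh." whiteout entry, the earlier layer still holds the content.
            for name in entry["Layers"]:
                blob = io.BytesIO(img.extractfile(name).read())
                with tarfile.open(fileobj=blob, mode="r:*") as layer:
                    for member in layer:
                        data = layer.extractfile(member).read() if member.isfile() else b""
                        for m in PATTERN.findall(data):
                            hits.add((f"{name}:{member.name}", m.decode()))
    return sorted(hits)

def _tar(files):
    """Pack {name: bytes} into tar bytes (helper for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_image():
    """Constructed archive: one value in an ARG step, one in a file deleted later."""
    config = {"history": [{"created_by": "ARG FIRST_FLAG=FCSC{aa11}"}]}
    manifest = [{"Config": "config.json", "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    return io.BytesIO(_tar({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": json.dumps(config).encode(),
        "l1/layer.tar": _tar({"tmp/secret": b"FCSC{bb22}\n"}),
        "l2/layer.tar": _tar({"tmp/.wh.secret": b""}),
    }))

if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else sample_image()
    print(*scan_image(src), sep="\n")
```

Run with a path to a saved archive as the only argument to scan a real image; with no argument it scans the constructed sample.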