FCSC2024 - Layer Cake
Layer cake write-up | FCSC 2024
1/3
Un développeur de GoodCorp souhaite publier une nouvelle image Docker. Il utilise une variable d’environnement stockant un flag au moment du build, et vous assure que ce secret n’est pas visible du public. L’image est anssi/fcsc2024-forensics-layer-cake-1.
Récupérez ce flag et prouvez-lui le contraire.
Firstly, we can pull the docker image :
docker pull anssi/fcsc2024-forensics-layer-cake-1The challenge tells us that our friend is using an environment variable declared during the build. In other words, that’s a layer !
Let’s check our layers :
sudo docker history anssi/fcsc2024-forensics-layer-cake-1
IMAGE CREATED CREATED BY SIZE COMMENT
0faa62781dd1 2 months ago CMD ["/bin/sh"] 0B buildkit.dockerfile.v0
<missing> 2 months ago USER guest 0B buildkit.dockerfile.v0
<missing> 2 months ago ARG FIRST_FLAG=FCSC{a1240d90ebeed7c6c422969e… 0B buildkit.dockerfile.v0
<missing> 2 months ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B
<missing> 2 months ago /bin/sh -c #(nop) ADD file:37a76ec18f9887751… 7.37MBThe problem is that we cannot see completly the flag in the layer. In order to see the full output, we can use --no-trunc :
docker history --no-trunc anssi/fcsc2024-forensics-layer-cake-1
IMAGE CREATED CREATED BY SIZE COMMENT
sha256:0faa62781dd1db0ebb6cd83836bb4ba24f8b58b0cd761ac0cbae426bccc7666f 2 months ago CMD ["/bin/sh"] 0B buildkit.dockerfile.v0
<missing> 2 months ago USER guest 0B buildkit.dockerfile.v0
<missing> 2 months ago ARG FIRST_FLAG=FCSC{a1240d90ebeed7c6c422969ee529cc3e1046a3cf337efe51432e49b1a27c6ad2} 0B buildkit.dockerfile.v0
<missing> 2 months ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B
<missing> 2 months ago /bin/sh -c #(nop) ADD file:37a76ec18f9887751cd8473744917d08b7431fc4085097bb6a09d81b41775473 in / 7.37MBAnd then we get the flag !
FCSC{a1240d90ebeed7c6c422969ee529cc3e1046a3cf337efe51432e49b1a27c6ad2}2/3
Un développeur de GoodCorp souhaite publier une nouvelle image Docker. Il copie au moment du build un fichier contenant un flag, puis le supprime. Il vous assure que ce secret n’est pas visible du public. L’image est anssi/fcsc2024-forensics-layer-cake-2.
Récupérez ce flag et prouvez-lui le contraire.
Let’s start by pulling the image
sudo docker pull anssi/fcsc2024-forensics-layer-cake-2Let’s try to save our image as an tar archive. In order to do that, we have to find the image ID :
sudo docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
anssi/fcsc2024-forensics-layer-cake-2 latest 03014d9fc480 2 weeks ago 7.37MBAnd so let’s save the image :
sudo docker save 03014d9fc480 -o layer-cake-2.tarIt’s grep time!
grep -a FCSC layer-cake-2.tar
[...]
FCSC{b38095916b2b578109cbf35b8be713b04a64b2b2df6d7325934be63b7566be3b}3/3
Un développeur de GoodCorp souhaite publier une nouvelle image Docker. Suite à ses mésaventures avec les Dockerfile, il décide d’utiliser Nix pour construire son image. En utilisant Nix, il donne un flag en argument à un service. Il vous assure que ce secret n’est pas visible du public. L’image est anssi/fcsc2024-forensics-layer-cake-3.
Récupérez ce flag et prouvez-lui le contraire.
For this challenge, I used the same method as the 2/3 challenge.
Let’s start by pulling the image
sudo docker pull anssi/fcsc2024-forensics-layer-cake-3Let’s try to save our image as an tar archive. In order to do that, we have to find the image ID :
sudo docker image lsREPOSITORY TAG IMAGE ID CREATED SIZE
anssi/fcsc2024-forensics-layer-cake-3 latest 269cd0c184df 54 years ago 34.2MBAnd so let’s save the image :
sudo docker save 269cd0c184df -o CTF/fcsc/forensic/layer-cake-3.tarIt’s grep time!
grep -a FCSC layer-cake-3.tar
exec /nix/store/rnxji3jf6fb0nx2v0svdqpj9ml53gyqh-hello-2.12.1/bin/hello -g "FCSC{c12d9a48f1635354fe9c32b216f144ac66f7b8466a5ac82a35aa385964ccbb61}" -tHere’s the flag :
FCSC{c12d9a48f1635354fe9c32b216f144ac66f7b8466a5ac82a35aa385964ccbb61}