
In this second part, the flag was stored in a file, the image was built, the file was deleted, and the image was rebuilt without that file.
Let's analyze the layers.
Layers
To begin, we pull the Docker image:
┌──(root㉿Tyrell)-[/home/kali/FCSC/2024/Intro/Layer Cake 2]
└─# docker pull anssi/fcsc2024-forensics-layer-cake-2
Using default tag: latest
latest: Pulling from anssi/fcsc2024-forensics-layer-cake-2
4abcf2066143: Already exists
a0eaf34c8bac: Pull complete
1ba3c4c6a2e3: Pull complete
Digest: sha256:86a863f674adbbae9168d1a5d233478cd9747a587a322b8950fcb39f3992be7a
Status: Downloaded newer image for anssi/fcsc2024-forensics-layer-cake-2:latest
docker.io/anssi/fcsc2024-forensics-layer-cake-2:latest
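Let's dig into the layers. The cache-id file of a layerdb entry gives the name of the matching directory under /var/lib/docker/overlay2, and that directory's diff folder holds the files the layer added:
┌──(root㉿Tyrell)-[/var/lib/docker/image/overlay2/imagedb/content/sha256]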
└─# cat /var/lib/docker/image/overlay2/layerdb/sha256/961f65d6c1d8e7b59b97a46d5ef31497fd2f27fd70a614a3ac1daf7e97cd6a17/cache-id
1c75a438110e9d42a48f9e3186307b4ce90c369848a867562b24979b2a08f988
┌──(root㉿Tyrell)-[/var/lib/docker/image/overlay2/imagedb/content/sha256]
└─# find /var/lib/docker/overlay2/1c75a438110e9d42a48f9e3186307b4ce90c369848a867562b24979b2a08f988/diff
/var/lib/docker/overlay2/1c75a438110e9d42a48f9e3186307b4ce90c369848a867562b24979b2a08f988/diff
/var/lib/docker/overlay2/1c75a438110e9d42a48f9e3186307b4ce90c369848a867562b24979b2a08f988/diff/tmp
/var/lib/docker/overlay2/1c75a438110e9d42a48f9e3186307b4ce90c369848a867562b24979b2a08f988/diff/tmp/secret
One line stands out here:
/var/lib/docker/overlay2/1c75a438110e9d42a48f9e3186307b4ce90c369848a867562b24979b2a08f988/diff/tmp/secret
Let's display its contents:
┌──(root㉿Tyrell)-[/var/lib/docker/image/overlay2/imagedb/content/sha256]
└─# cat /var/lib/docker/overlay2/1c75a438110e9d42a48f9e3186307b4ce90c369848a867562b24979b2a08f988/diff/tmp/secret
FCSC{b38095916b2b578109cbf35b8be713b04a64b2b2df6d7325934be63b7566be3b}
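The same check can be automated when auditing your own images before publishing them. The script below is an added example, not part of the original write-up: it reads an archive produced by `docker save`, walks the layers in manifest order, and reports every file that one layer adds and a later layer hides with a whiteout entry (`.wh.<name>`). The function names and the three-layer sample image are constructed for illustration; it assumes the archive carries a `manifest.json` with a `Layers` list.

```python
import io, json, posixpath, tarfile

WH, OPAQUE = ".wh.", ".wh..wh..opq"   # whiteout markers used inside layer tarballs

def deleted_files(image_tar: bytes):
    """Return (path, added_in_layer, removed_in_layer, content) for every file
    that an earlier layer ships and a later layer hides with a whiteout."""
    findings, seen = [], {}            # seen: path -> (layer index, content)
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for idx, name in enumerate(manifest[0]["Layers"]):
            blob = io.BytesIO(img.extractfile(name).read())
            with tarfile.open(fileobj=blob) as layer:
                members = layer.getmembers()
                for m in members:      # pass 1: whiteouts act on lower layers only
                    d, base = posixpath.split(posixpath.normpath(m.name))
                    if base == OPAQUE:             # whole directory replaced
                        prefix, exact = (d + "/" if d else ""), None
                    elif base.startswith(WH):      # single path removed
                        exact = posixpath.join(d, base[len(WH):])
                        prefix = exact + "/"
                    else:
                        continue
                    for p in [p for p in seen if p == exact or p.startswith(prefix)]:
                        first, content = seen.pop(p)
                        findings.append((p, first, idx, content))
                for m in members:      # pass 2: files this layer adds
                    path = posixpath.normpath(m.name)
                    if m.isfile() and not posixpath.basename(path).startswith(WH):
                        seen[path] = (idx, layer.extractfile(m).read())
    return findings

def _tar(files):
    """Build an in-memory tar from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_image():
    """Constructed three-layer image: layer 1 adds tmp/secret, layer 2 deletes it."""
    layers = {"l0/layer.tar": _tar({"etc/os-release": b"ID=example\n"}),
              "l1/layer.tar": _tar({"tmp/secret": b"PLACEHOLDER_SECRET\n"}),
              "l2/layer.tar": _tar({"tmp/.wh.secret": b""})}
    manifest = json.dumps([{"Layers": list(layers)}]).encode()
    return _tar({"manifest.json": manifest, **layers})
```

On a real image, export it with `docker save <image> -o image.tar` and pass the file's bytes to `deleted_files`; any finding is content that anyone who pulls the image can still read.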

Resources: