This article offers a writeup for the DUCTF’s DFIR challenge, “ogres are like onions”.
DFIR
ogres are like onions
Description:
if you see this you have to post in #memes thems the rules
docker run -tp 8000:8000 downunderctf/onions
What we know
- docker internals [1][2]
- Docker images can accidentally contain sensitive information when misconfigured [3].
- sidenote: how to properly handle secret files [4]
- Hashes for each layer are missing (this can be done through the --squash argument, though it is currently an experimental feature):

```
❯ docker history downunderctf/onions
IMAGE          CREATED        CREATED BY                                       SIZE      COMMENT
e4ad5b4d9379   4 days ago     CMD ["/usr/local/bin/python" "-m" "http.serv…    0B        buildkit.dockerfile.v0
<missing>      4 days ago     EXPOSE map[8000/tcp:{}]                          0B        buildkit.dockerfile.v0
<missing>      4 days ago     RUN /bin/sh -c rm memes/flag.jpg # buildkit      0B        buildkit.dockerfile.v0
<missing>      4 days ago     COPY . /app # buildkit                           527kB     buildkit.dockerfile.v0
<missing>      10 days ago    WORKDIR /app                                     0B        buildkit.dockerfile.v0
<missing>      2 weeks ago    /bin/sh -c #(nop)  CMD ["python3"]               0B
<missing>      2 weeks ago    /bin/sh -c set -eux; wget -O get-pip.py "$…      10.9MB
<missing>      2 weeks ago    /bin/sh -c #(nop)  ENV PYTHON_GET_PIP_SHA256…    0B
<missing>      2 weeks ago    /bin/sh -c #(nop)  ENV PYTHON_GET_PIP_URL=ht…    0B
<missing>      2 weeks ago    /bin/sh -c #(nop)  ENV PYTHON_SETUPTOOLS_VER…    0B
<missing>      2 weeks ago    /bin/sh -c #(nop)  ENV PYTHON_PIP_VERSION=22…    0B
<missing>      2 weeks ago    /bin/sh -c set -eux; for src in idle3 pydoc…     32B
<missing>      2 weeks ago    /bin/sh -c set -eux; apk add --no-cache --…      30.5MB
<missing>      2 weeks ago    /bin/sh -c #(nop)  ENV PYTHON_VERSION=3.10.7     0B
<missing>      6 weeks ago    /bin/sh -c #(nop)  ENV GPG_KEY=A035C8C19219B…    0B
<missing>      6 weeks ago    /bin/sh -c set -eux; apk add --no-cache c…       1.82MB
<missing>      6 weeks ago    /bin/sh -c #(nop)  ENV LANG=C.UTF-8              0B
<missing>      6 weeks ago    /bin/sh -c #(nop)  ENV PATH=/usr/local/bin:/…    0B
<missing>      6 weeks ago    /bin/sh -c #(nop)  CMD ["/bin/sh"]               0B
<missing>      6 weeks ago    /bin/sh -c #(nop) ADD file:2a949686d9886ac7c…    5.54MB
```
To get the flag (the history shows memes/flag.jpg being COPYed into /app and then removed by a later RUN layer; since image layers are additive, the earlier layer's tar still contains the file):
- save the docker image to a tar file
docker save downunderctf/onions:latest > onions.tar
- (recursively) untar the saved image file
binwalk -e --depth=3 onions.tar
- locate the flag
❯ find . -name "flag*"
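As an added example (not part of the writeup), a small Python auditor for exactly this pattern: it walks the layers of a `docker save` tarball in manifest order and reports any file that one layer writes and a later layer deletes through an OverlayFS whiteout entry (`.wh.<name>`), which is what a `RUN rm` step leaves behind. The image tarball is constructed in memory to mirror the challenge image; it assumes uncompressed layer tars as `docker save` writes them and ignores opaque-directory whiteouts.

```python
import io
import json
import tarfile

WHITEOUT = ".wh."  # OverlayFS marker: ".wh.flag.jpg" means "flag.jpg was deleted in this layer"


def _tar_bytes(entries):
    """Build an in-memory tar archive from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_ghost_files(image_tar):
    """Return (path, layer_that_wrote_it, layer_that_deleted_it) for every file a
    later layer whites out while an earlier layer still carries its full contents."""
    added = {}    # path -> index of the layer that last wrote it
    ghosts = []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for idx, layer_name in enumerate(manifest[0]["Layers"]):  # lowest layer first
            with tarfile.open(fileobj=img.extractfile(layer_name)) as layer:
                for member in layer.getmembers():
                    parent, _, base = member.name.rpartition("/")
                    if base.startswith(WHITEOUT):
                        victim = base[len(WHITEOUT):]
                        victim = f"{parent}/{victim}" if parent else victim
                        if victim in added:
                            ghosts.append((victim, added[victim], idx))
                    elif member.isfile():
                        added[member.name] = idx
    return ghosts


def build_sample_image():
    """Constructed stand-in for `docker save` output mirroring the challenge image:
    layer 0 is `COPY . /app` (with memes/flag.jpg), layer 1 is `RUN rm memes/flag.jpg`."""
    layer0 = _tar_bytes({"app/memes/flag.jpg": b"constructed fake flag bytes",
                         "app/server.py": b"# constructed placeholder\n"})
    layer1 = _tar_bytes({"app/memes/.wh.flag.jpg": b""})
    manifest = json.dumps([{"Config": "config.json", "RepoTags": ["example/onions:latest"],
                            "Layers": ["l0/layer.tar", "l1/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest,
                       "l0/layer.tar": layer0, "l1/layer.tar": layer1})


if __name__ == "__main__":
    for path, added_in, removed_in in find_ghost_files(build_sample_image()):
        print(f"{path}: written in layer {added_in}, deleted in layer {removed_in}; still recoverable")
```

Run against a real `onions.tar` by passing the file's bytes to find_ghost_files; any hit is a file that `docker history` shows as removed but that still ships in the image.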
References
1. Not so deep dive into Docker storage drivers, https://jpetazzo.github.io/assets/2015-03-03-not-so-deep-dive-into-docker-storage-drivers.html
2. About storage drivers, https://docs.docker.com/storage/storagedriver/
3. 📦 Security Camp B6 / 🔨 1. Container / 1.5. Container Image, https://mrtc0.notion.site/1-Container-4eaa4c087ad24b6b94d5edeea5b425db#c37a50d0ee7c4be192907d87d2555ef4
4. New Docker Build secret information, https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information