Category: Forensics
Flag: SCSC26{d0ck3r_1n_d0ck3r_1nc3pt10n_h1dd3n_l4y3rs}
Description: Dinda di manakah kau berada Rindu aku ingin jumpa Meski lewat nada
The artifact was a tarball named dindaaaaaaaaa.tar.gz. file identified it as gzip data, and stat gave the size and timestamp. No flag yet.
file '/home/rei/Downloads/SCSC2026Final/dindaaaaaaaaa.tar.gz' && stat -c '%s %F %y' '/home/rei/Downloads/SCSC2026Final/dindaaaaaaaaa.tar.gz'/home/rei/Downloads/SCSC2026Final/dindaaaaaaaaa.tar.gz: gzip compressed data, last modified: Sat May 16 05:29:06 2026, from Unix, original size modulo 2^32 383511552 gzip compressed data, unknown method, has CRC, has comment, encrypted, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 383511552
135761281 regular file 2026-05-16 13:03:38.263471903 +0700A quick strings sweep produced noisy brace-shaped matches but no valid scsc26{...} flag. The archive listing showed a root filesystem with Docker paths such as /var/lib/docker/..., Alpine files, and Docker binaries. That made the challenge a Docker filesystem artifact, not a normal file-carving task.
tar -tf '/home/rei/Downloads/SCSC2026Final/dindaaaaaaaaa.tar.gz'Docker-in-Docker style filesystem with `/var/lib/docker/...`, Alpine rootfs paths, Docker binaries.Extraction hit one device-node permission error, but regular files still came out. That was enough.
tar -xzf '/home/rei/Downloads/SCSC2026Final/dindaaaaaaaaa.tar.gz' -C '/home/rei/Downloads/SCSC2026Final/CTFChan_Forensics_SCSC2026Final_ngeDinDaaaaaaaaa'tar: Ignoring unknown extended header keyword 'LIBARCHIVE.xattr.com.apple.macl'
tar: ./var/lib/docker/volumes/backingFsBlockDev: Cannot mknod: Operation not permitted
tar: Ignoring unknown extended header keyword 'LIBARCHIVE.xattr.security.capability'
tar: Ignoring unknown extended header keyword 'LIBARCHIVE.xattr.security.capability'
tar: Exiting with failure status due to previous errorsThe Docker data directory contained containers, image, containerd, and one container ID. The relevant container was e2c72a527d6dbefb3862f29d9b95a69bcca13ee5b077a7b46b4510707194e030.
ls -la '/home/rei/Downloads/SCSC2026Final/CTFChan_Forensics_SCSC2026Final_ngeDinDaaaaaaaaa/var/lib/docker'buildkit/
containerd/
containers/
image/
network/
plugins/
rootfs/
runtimes/
swarm/
tmp/
volumes/
engine-id 36Bls -la '/home/rei/Downloads/SCSC2026Final/CTFChan_Forensics_SCSC2026Final_ngeDinDaaaaaaaaa/var/lib/docker/containers'e2c72a527d6dbefb3862f29d9b95a69bcca13ee5b077a7b46b4510707194e030/The container config preserved the command that created the hidden payload. It wrote a base64 string into /opt/payload/.dindaaaaaaaaa.txt, then slept.
grep -a -i 'dindaaaaaaaaa\|/opt/payload\|base64' '/home/rei/Downloads/SCSC2026Final/CTFChan_Forensics_SCSC2026Final_ngeDinDaaaaaaaaa/var/lib/docker/containers/e2c72a527d6dbefb3862f29d9b95a69bcca13ee5b077a7b46b4510707194e030/config.v2.json'"Path":"sh","Args":["-c","mkdir -p /opt/payload \u0026\u0026 echo \"e2QwY2szcl8xbl9kMGNrM3JfMW5jM3B0MTBuX2gxZGQzbl9sNHkzcnN9\" | base64 -d \u003e /opt/payload/.dindaaaaaaaaa.txt \u0026\u0026 sleep 9999999"]Decoding the base64 string gave the flag body.
import base64
s = 'e2QwY2szcl8xbl9kMGNrM3JfMW5jM3B0MTBuX2gxZGQzbl9sNHkzcnN9'
print(base64.b64decode(s).decode()){d0ck3r_1n_d0ck3r_1nc3pt10n_h1dd3n_l4y3rs}The same payload existed in the overlayfs snapshot, confirming the command had run inside the container.
for p in '/home/rei/Downloads/SCSC2026Final/CTFChan_Forensics_SCSC2026Final_ngeDinDaaaaaaaaa/var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs/opt/payload/.dindaaaaaaaaa.txt' '/home/rei/Downloads/SCSC2026Final/CTFChan_Forensics_SCSC2026Final_ngeDinDaaaaaaaaa/var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/opt/payload/.dindaaaaaaaaa.txt'; do if [ -f "$p" ]; then printf '%s\n' "$p"; strings "$p"; fi; done/home/rei/Downloads/SCSC2026Final/CTFChan_Forensics_SCSC2026Final_ngeDinDaaaaaaaaa/var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs/opt/payload/.dindaaaaaaaaa.txt
{d0ck3r_1n_d0ck3r_1nc3pt10n_h1dd3n_l4y3rs}With the given prefix, the flag was SCSC26{d0ck3r_1n_d0ck3r_1nc3pt10n_h1dd3n_l4y3rs}.