SCSC2026 Quals - Dongker - Forensics Writeup

Category: Forensics
File: dongker_container.tar
Flag: scsc26{l3arn_3z_f0r3ns1c_d0n9k3r}

Description

We are given a Docker/OCI container export (.tar). The goal is to recover the flag from the container filesystem.

Analysis

A container export is basically a tar archive containing the root filesystem (rootfs) plus some metadata. The quickest approach is to extract it and look for anything suspicious in common places such as:

  • /root/.ash_history / /root/.bash_history (command history)
  • /tmp, /var/tmp (temporary files)
  • /home/* (user files)
  • /etc (sometimes flags are hidden in configs)

Solution

Extract the archive:

mkdir -p dongker_rootfs
tar -xf dongker_container.tar -C dongker_rootfs

Check root’s shell history. This container uses ash (common on Alpine), so the history file is:

cat dongker_rootfs/root/.ash_history

Inside the history we can see the author literally built the flag by appending characters into a temp file:

echo "s" > /tmp/rahasia.txt
echo "c" >> /tmp/rahasia.txt
echo "s" >> /tmp/rahasia.txt
echo "c" >> /tmp/rahasia.txt
echo "2" >> /tmp/rahasia.txt
echo "6" >> /tmp/rahasia.txt
echo "{" >> /tmp/rahasia.txt
echo "l3arn_3z_f0r3ns1c_d0n9k3r" >> /tmp/rahasia.txt
echo "}" >> /tmp/rahasia.txt

So we can just read the file directly from the extracted filesystem:

cat dongker_rootfs/tmp/rahasia.txt

Output:

scsc26{l3arn_3z_f0r3ns1c_d0n9k3r}
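
The history-to-file link used above, generalized as an added example (not part of the original writeup): it reads the export in place with Python's tarfile, pulls the `>` / `>>` targets out of root and user shell histories, and reports each target's content, or None when the file is no longer in the archive. The function names and the sample archive are constructed for illustration.

```python
import io
import re
import shlex
import tarfile

HISTORY_RE = re.compile(r"^(root|home/[^/]+)/\.(ash|bash)_history$")

def redirect_targets(history):
    """Absolute paths written with > or >> in shell history text."""
    targets = []
    for line in history.splitlines():
        lex = shlex.shlex(line, posix=True, punctuation_chars=True)
        lex.whitespace_split = True
        try:
            tokens = list(lex)
        except ValueError:  # unbalanced quote in a history line
            continue
        for op, path in zip(tokens, tokens[1:]):
            if op in (">", ">>") and path.startswith("/") and path not in targets:
                targets.append(path)
    return [p for p in targets if not p.startswith("/dev/")]

def triage_export(fileobj):
    """Map each file the history wrote to its bytes in the tar (None if absent)."""
    report = {}
    with tarfile.open(fileobj=fileobj) as tar:  # read in place, nothing written to disk
        members = {re.sub(r"^(\./|/)+", "", m.name): m
                   for m in tar.getmembers() if m.isfile()}
        for name, member in members.items():
            if HISTORY_RE.match(name):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                for path in redirect_targets(text):
                    hit = members.get(path.lstrip("/"))
                    report[path] = tar.extractfile(hit).read() if hit else None
    return report

def build_sample():
    """Constructed sample export (not the challenge file)."""
    files = {
        "root/.ash_history": b'echo "alpha" > /tmp/note.txt\necho "beta" >> /tmp/note.txt\n'
                             b"echo gone > /tmp/deleted.txt\nls /x 2>/dev/null\n",
        "tmp/note.txt": b"alpha\nbeta\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())
```

For a real export, pass `open("dongker_container.tar", "rb")` to `triage_export`; a None value means the history names a file that has to be rebuilt from the history itself.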
https://blog.rei.my.id/posts/29/scsc2026-quals-dongker-forensics-writeup/
Author
Reidho Satria
Published at
2026-02-17
License
CC BY-NC-SA 4.0