Let's Defend - Docker Forensics

Description

Just Dive Into the DOCKER to REVEAL the layers

Tools

1- Docker
2- Dive

Writeup

Q1

How many layers are in this docker container that you pull into your device?

For this question, all you need to do after pulling the image into your local Docker is use the Dive tool to list all the layers:

dive mmox/what-is-0xl4ugh

By just counting them, we get the answer:

23

Q2

What is the web server that the image used?

While checking the files in the layers, you will find a folder in /etc named apache2.

apache2

Q3

What is the complete GitHub URL that a Docker container uses to fetch a website?

There are 2 ways to get the answer. The first and easiest is to get the command from Docker Hub itself.

Alternatively, Dive also shows the layers: go to the layer that has the git clone command and you will get the answer.

https://github.com/0xMM0X/BIG-GHAZY.git

Q4

What is the database username and password?

You will see in the layers that the init.sh script gets saved in the root directory. All you need to do is access the Docker image and open this file.

You will find the username and password in clear text:

Ghazy:0xL4ugh_F0R_EV3R!!

Q5

What is the ID of the layer that copies the db file?

All we need to do is check the layer that has the copy init.db command; you will find the ID in the layer details.

6d020808f2c3259c35ebe745cce9d3ded01b0bada9fa85c7ec62e2f8a0b7ce0a

Q6

What is the secret that gets removed?

This is the hardest question: you need to get the layer from before the secret gets deleted.

I will explain the easy way. If you have another, please share it with me on any of my social media.

I downloaded the full image by using this command:

docker save -o m.tar mmox/what-is-0xl4ugh:latest

Then untar the image; you will find something like this:

Each folder has the layer ID as its name, so you need to know the right one. That is easy: check the layers in Dive to get the ID of the layer that copies SUPER_SECRET.txt.

We will check the f5d4aa0fde54751d8b910b4935c89e0b5f2124e72aed396afbc275b93f3ff55f folder; it has the secret file.

Can You Introduce Me As Joker?
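
The manual search in Q6 can be automated. The following is an added example, not part of the original writeup: it walks a `docker save` archive layer by layer and recovers any file that a later layer deletes with a `.wh.` whiteout entry. The function names and the two-layer sample archive are constructed for illustration and are not the challenge image.

```python
import io, json, tarfile

def find_removed_files(image_fileobj):
    """Return [(path, added_in, removed_in, content)] for files a later layer deleted."""
    found, seen = [], {}                      # seen: path -> (layer, bytes)
    with tarfile.open(fileobj=image_fileobj) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer in manifest[0]["Layers"]:   # listed base layer first
            # Whole layer is read into memory: fine for small images
            blob = io.BytesIO(img.extractfile(layer).read())
            with tarfile.open(fileobj=blob) as lt:
                for m in lt:
                    name = m.name.removeprefix("./")
                    parent, _, base = name.rpartition("/")
                    if base == ".wh..wh..opq":
                        continue              # opaque-directory marker, not handled here
                    if base.startswith(".wh."):
                        # Whiteout entry: this layer deletes parent/<name after .wh.>
                        victim = (parent + "/" if parent else "") + base[4:]
                        hits = [p for p in seen if p == victim or p.startswith(victim + "/")]
                        for p in hits:
                            src, data = seen.pop(p)
                            found.append((p, src, layer, data))
                    elif m.isfile():
                        seen[name] = (layer, lt.extractfile(m).read())
    return found

def _tar(files):
    """Build an in-memory tar from {name: bytes}; used only for the sample below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_image():
    """Constructed archive in `docker save` layout: layer aaa adds a file, bbb removes it."""
    l1 = _tar({"root/SUPER_SECRET.txt": b"constructed-secret\n", "etc/motd": b"hi\n"})
    l2 = _tar({"root/.wh.SUPER_SECRET.txt": b""})
    manifest = json.dumps([{"Layers": ["aaa/layer.tar", "bbb/layer.tar"]}]).encode()
    return io.BytesIO(_tar({"manifest.json": manifest,
                            "aaa/layer.tar": l1, "bbb/layer.tar": l2}))

if __name__ == "__main__":
    for path, added, removed, data in find_removed_files(sample_image()):
        print(f"{path}: added in {added}, removed in {removed}: {data!r}")
```

To run it against a real archive, pass an open binary file, for example `find_removed_files(open("m.tar", "rb"))`.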