
[Challenge 6] shipit

Justin Chadwell edited this page Oct 23, 2020 · 3 revisions

For this challenge we're given an "image" file.

The final stage! If we can pull this off, we'll take the core servers!

Have a look at this intercepted email for yourself:

I've just finished creating this image - can you deploy it for me please, I
can't seem to login anymore!

It definitely doesn't seem to be a normal "image" at all, I can't seem to open it in anything!

Like always, when given an unusual file, it's worth checking what it is:

$ file shipit.tar
shipit.tar: POSIX tar archive

So it's not a picture at all, it's a tar archive. Let's extract it:

$ tar xvf shipit.tar
04e0841e32e7344934521b7eac3db7b242150e260685c99885dc752db154191c.json
498243f11311cd8e047ad97cca743b67918b3b209798bc762c395b0f704afdf4/
498243f11311cd8e047ad97cca743b67918b3b209798bc762c395b0f704afdf4/VERSION
498243f11311cd8e047ad97cca743b67918b3b209798bc762c395b0f704afdf4/json
498243f11311cd8e047ad97cca743b67918b3b209798bc762c395b0f704afdf4/layer.tar
a9b8d26ff098b58b5d3ab7448d7d8738cab93752c703ca666081666986933a02/
a9b8d26ff098b58b5d3ab7448d7d8738cab93752c703ca666081666986933a02/VERSION
a9b8d26ff098b58b5d3ab7448d7d8738cab93752c703ca666081666986933a02/json
a9b8d26ff098b58b5d3ab7448d7d8738cab93752c703ca666081666986933a02/layer.tar
manifest.json
repositories

We get a manifest.json, a repositories file, a long-hash .json file, and two directories that each hold a VERSION file, a json file and a nested archive called layer.tar.

The long-hash .json file is the most informative, so look at that first:

$ cat 04e0841e32e7344934521b7eac3db7b242150e260685c99885dc752db154191c.json
{"architecture":"amd64","config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh"],"ArgsEscaped":true,"Image":"sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container_config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) COPY file:6a63a284972a43f9e23b223311221bd85e645a2f57819d41892c65e2ec2d932d in /bin/sh "],"ArgsEscaped":true,"Image":"sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"created":"2020-10-22T22:23:10.000111516Z","docker_version":"19.03.13-ce","history":[{"created":"2020-10-22T02:19:24.33416307Z","created_by":"/bin/sh -c #(nop) ADD file:f17f65714f703db9012f00e5ec98d0b2541ff6147c2633f7ab9ba659d0c507f4 in / "},{"created":"2020-10-22T02:19:24.499382102Z","created_by":"/bin/sh -c #(nop)  CMD [\"/bin/sh\"]","empty_layer":true},{"created":"2020-10-22T22:23:10.000111516Z","created_by":"/bin/sh -c #(nop) COPY file:6a63a284972a43f9e23b223311221bd85e645a2f57819d41892c65e2ec2d932d in /bin/sh "}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:ace0eda3e3be35a979cec764a3321b4c7d0b9e4bb3094d20d3ff6782961a8d54","sha256:669f190994ce3eb663d515dce649c107fd6fa8acf7dc1d92c95845654c5899cf"]}}

If we beautify it, we can clearly see a key "docker_version", and the "history" list reads like a Dockerfile: an ADD of a root filesystem, a CMD ["/bin/sh"], and finally a COPY of a file into /bin/sh. Searching for "docker tar" reveals that this is the layout `docker save` produces when it packages an image into a tarball (manifest.json, one config JSON per image, one layer.tar per layer), and that the inverse is `docker load`. That last COPY step is worth keeping in mind: something has been written over the shell.

We load the image:

$ cat shipit.tar | docker load
ace0eda3e3be: Loading layer  5.843MB/5.843MB
669f190994ce: Loading layer  23.55kB/23.55kB
Loaded image: shipit:latest
$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
shipit              latest              04e0841e32e7        17 hours ago        5.59MB

We can then run it. (Running an image from an unknown sender executes whatever it contains on our machine, so this is only acceptable in a disposable environment; the static inspection below would also have found the answer without running anything.)

$ docker run -ti shipit /bin/sh
---------------------------------------
***  ENHANCED PROTECTION ENABLED  *** 
PASSWORD AUTHENTICATION REQUIRED    
---------------------------------------
password: 

/bin/sh has been replaced by another program, exactly as the COPY step in the image history suggested. We don't need Docker to look at what it was replaced with: the layer directory a9b8… is the one that only contains that final change, so we unpack its layer.tar directly:

$ cd a9b8d26ff098b58b5d3ab7448d7d8738cab93752c703ca666081666986933a02
$ tar xf layer.tar
$ tree
.
├── bin
│   └── busybox
├── json
├── layer.tar
└── VERSION

The layer holds a single file, bin/busybox. That matches the COPY into /bin/sh: on Alpine /bin/sh is a symlink to /bin/busybox, so the copied binary landed on the symlink's target. Rather than guessing the password, we can run strings on the binary to see whether the flag is embedded in plaintext:

$ strings bin/busybox | grep HTM
HTM{7174niC_f4ilur3}GCC: (Alpine 9.3.0) 9.3.0

And it is! The flag is "HTM{7174niC_f4ilur3}".
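Everything done above after `file` (read the image config, find which layer overwrote a file shipped by an earlier layer, and `strings | grep HTM` the result) can be done without `docker load` or `docker run` at all, which is how you would triage an image you did not trust. The script below is an added example, not code from the original writeup: it parses a `docker save` tarball with Python's standard library only. The sample image it builds, the layer names (layer-a, layer-b), the config name cfg.json and the flag HTM{c0nstruct3d_3xampl3} are constructed for this example and are not the challenge's real digests or flag.

```python
"""Offline triage of a `docker save` tarball (added example, standard library only).
A saved image is a plain tar holding manifest.json, one config JSON per image and a
layer.tar per layer, so the writeup's docker load / run / tar xf / strings steps can
all be replayed without the Docker daemon and without executing the untrusted image.
"""
import io
import json
import re
import tarfile

# Flag format used by the challenge; the length bound keeps matches sane.
FLAG_RE = re.compile(rb"HTM\{[^}\n]{1,64}\}")


def _read_member(tf: tarfile.TarFile, name: str) -> bytes:
    """Read one regular file out of an open tar archive."""
    fobj = tf.extractfile(tf.getmember(name))
    if fobj is None:
        raise ValueError(f"{name} is not a regular file")
    return fobj.read()


def walk_layers(image: bytes):
    """Yield (layer_name, path, content) for every regular file in every layer,
    in manifest order (base layer first, last-applied layer last)."""
    with tarfile.open(fileobj=io.BytesIO(image)) as tf:
        manifest = json.loads(_read_member(tf, "manifest.json"))
        for entry in manifest:
            for layer_name in entry["Layers"]:
                layer = io.BytesIO(_read_member(tf, layer_name))
                with tarfile.open(fileobj=layer) as lt:
                    for m in lt.getmembers():
                        if m.isfile():
                            path = m.name[2:] if m.name.startswith("./") else m.name
                            yield layer_name, path, lt.extractfile(m).read()


def build_history(image: bytes) -> list:
    """Return the config's `created_by` lines: the Dockerfile-equivalent steps, oldest first."""
    with tarfile.open(fileobj=io.BytesIO(image)) as tf:
        manifest = json.loads(_read_member(tf, "manifest.json"))
        config = json.loads(_read_member(tf, manifest[0]["Config"]))
    return [h["created_by"] for h in config.get("history", [])]


def overwritten_files(image: bytes) -> dict:
    """Map path -> layer that last replaced it, for files a later layer wrote over
    an earlier layer's copy (the trick played on /bin/sh in this challenge)."""
    seen, clobbered = {}, {}
    for layer_name, path, _ in walk_layers(image):
        if path in seen and seen[path] != layer_name:
            clobbered[path] = layer_name
        seen[path] = layer_name
    return clobbered


def find_flags(image: bytes) -> list:
    """Equivalent of `strings layer/* | grep HTM` across every file in every layer."""
    hits = []
    for layer_name, path, content in walk_layers(image):
        for m in FLAG_RE.finditer(content):
            hits.append((layer_name, path, m.group(0).decode()))
    return hits


def build_sample_image() -> bytes:
    """Constructed two-layer image in the same shape as the challenge tar. Layer names,
    cfg.json and the flag string are made up for this example, not real digests."""
    def layer_tar(files: dict) -> bytes:
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as t:
            for path, content in files.items():
                info = tarfile.TarInfo(path)
                info.size = len(content)
                t.addfile(info, io.BytesIO(content))
        return buf.getvalue()

    base = layer_tar({
        "bin/busybox": b"\x7fELF" + b"\x00" * 8 + b"BusyBox v1.31.1 multi-call binary\x00",
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    })
    trojan = layer_tar({
        "bin/busybox": b"\x7fELF" + b"\x00" * 8
        + b"PASSWORD AUTHENTICATION REQUIRED\x00HTM{c0nstruct3d_3xampl3}GCC: (Alpine 9.3.0) 9.3.0\x00",
    })
    config = {"architecture": "amd64", "os": "linux", "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:base in / "},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]", "empty_layer": True},
        {"created_by": "/bin/sh -c #(nop) COPY file:trojan in /bin/sh "},
    ]}
    manifest = [{"Config": "cfg.json", "RepoTags": ["shipit:latest"],
                 "Layers": ["layer-a/layer.tar", "layer-b/layer.tar"]}]
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w") as t:
        for name, content in (("manifest.json", json.dumps(manifest).encode()),
                              ("cfg.json", json.dumps(config).encode()),
                              ("layer-a/layer.tar", base),
                              ("layer-b/layer.tar", trojan)):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            t.addfile(info, io.BytesIO(content))
    return outer.getvalue()


if __name__ == "__main__":
    img = build_sample_image()
    for step in build_history(img):
        print("history:", step)
    for path, layer in overwritten_files(img).items():
        print(f"overwritten: {path} (last written by {layer})")
    for layer, path, flag in find_flags(img):
        print(f"flag: {flag} in {layer}:{path}")
```

To use it on the real challenge file, replace `build_sample_image()` with `open("shipit.tar", "rb").read()`. The `overwritten_files` check is the generally useful part: any file that a later layer silently replaces from an earlier layer (a shell, a library, a CA bundle) is exactly where a backdoored image hides its payload, and the check reads the tarball without ever letting it run.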
