By Yaakov Cohen


We connected to the server, and after poking around a bit we saw that they left docker.sock open. Let's see what info we can get.

Running curl --unix-socket /var/run/docker.sock http/containers/json?all=1 gave us a list of 4 containers. Only the first one was relevant:


Since the system was read-only we ran the next step from our command line:


The long number is the Id of the container we are trying to extract; galf is flag in reverse.

After the file finished downloading we extracted it and found a bash script named


In /home/flag_is_here we found flag.txt: BSidesTLV{i_am_r34dy_t0_esc4p3_th3_d0ck3r!}
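
For the defensive side of the exposed docker.sock described above, this added example (not part of the original write-up) audits a container listing in the shape returned by /containers/json and reports every container that has the Docker socket bind-mounted. The sample data, the container names and the function name find_socket_mounts are constructed for illustration.

```python
import json

# Constructed sample in the shape of a /containers/json response, trimmed to
# the fields used below. It is not output from the challenge server.
SAMPLE = json.loads("""
[
  {"Id": "aaaa1111aaaa1111", "Names": ["/web"],
   "Mounts": [{"Type": "bind", "Source": "/srv/site",
               "Destination": "/usr/share/nginx/html", "RW": false}]},
  {"Id": "bbbb2222bbbb2222", "Names": ["/ci-runner"],
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": true}]},
  {"Id": "cccc3333cccc3333", "Names": ["/monitor"],
   "Mounts": [{"Type": "bind", "Source": "/run/docker.sock",
               "Destination": "/host/docker.sock", "RW": false}]},
  {"Id": "dddd4444dddd4444", "Names": ["/db"], "Mounts": []}
]
""")

# Usual host locations of the Docker daemon socket
# (/var/run is commonly a symlink to /run).
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def find_socket_mounts(containers):
    """Return one finding per container mount whose source is the Docker socket."""
    findings = []
    for c in containers:
        for m in c.get("Mounts") or []:
            if m.get("Source") in SOCKET_PATHS:
                findings.append({
                    "name": (c.get("Names") or ["?"])[0].lstrip("/"),
                    "id": c.get("Id", "")[:12],
                    "destination": m.get("Destination"),
                    # Reported, not used to filter: a read-only bind mount
                    # does not stop a process from connecting to the socket.
                    "rw": bool(m.get("RW")),
                })
    return findings


if __name__ == "__main__":
    for f in find_socket_mounts(SAMPLE):
        print(f"{f['name']} ({f['id']}): docker.sock at {f['destination']}, rw={f['rw']}")
```

On a real host the same function can be fed the parsed JSON from the container listing instead of the constructed SAMPLE.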