By Yaakov Cohen
We connected to the server, and after poking around a bit we saw that they left
docker.sock opened. Let's see what info we can get.
curl --unix-socket /var/run/docker.sock http/containers/json?all=1 gaves us a list of 4 containers. Only the first one was relevant:
Since the system was read-only we ran the next step from our command line:
The long number is the Id of the container we are trying to extract,
flag in reverse.
After the file finished downloading we extracted it and found a bash script named
/home/flag_is_here we found