Can't See You

• Category: Misc.
• 200 Points
• Solved by the JCTF Team

Solution

Let's run the attached docker.

``````    |\\      //(
| \\    //  '
'  \\  //  /
\  )\((  /
)`    `/
/   __  \
/   (_O)  \
/           \________
_.(_)           )      /
(__,        /      /
\         /      /
\_______/      (
\    /         \
\  /           \
\/             \
/               )
/               /
/ _     o__     /
( (_)   //\,\   (
\    ``~---~`   )
\      \             /
\      \           /
\      \         /
\____/ \_______/
------------------------------------------------
"...she found herself falling down a very deep well.
Either the well was very deep, or she fell very slowly,
for she had plenty of time as she went down to look about her and to wonder what was going to happen next.
First, she tried to look down and make out what she was coming to, but it was too dark to see anything."
/home #``````

Not too much to see here. The docker is running locally so this can't be an escape challenge. Let's inspect the docker container itself:

``````\$ docker history --no-trunc g3rzi/rabbit_hole
IMAGE                                                                     CREATED        CREATED BY                                                                                                       SIZE      COMMENT
sha256:6c206a5f4eb94555206db9eb5cea0883fcaea96d4a10aee4ea9d05220737d119   3 months ago   /bin/sh -c #(nop) WORKDIR /home                                                                                  0B
<missing>                                                                 3 months ago   /bin/sh -c #(nop)  ENTRYPOINT ["/bin/sh" "-c" "clear; cat /home/message; sh;"]                       0B
<missing>                                                                 3 months ago   /bin/sh -c rm /tmp/Wonderland                       0B
<missing>                                                                 3 months ago   /bin/sh -c #(nop) COPY file:562947c0a4dbfc439d967ce78b6a06318e475dff95157295a63e5cd1d357f299 in /home/message    932B
<missing>                                                                 3 months ago   /bin/sh -c #(nop) COPY dir:ce226651d1a2141a3df6d4bbb9135fb5de96b4f36ca8bd170d16f016f2ea00e2 in /                 11.7MB
<missing>                                                                 4 months ago   /bin/sh -c #(nop)  CMD ["/bin/sh"]                       0B
<missing>                                                                 4 months ago   /bin/sh -c #(nop) ADD file:2a949686d9886ac7c10582a6c29116fd29d3077d02755e87e111870d63607725 in /                 5.54MB``````

We can see that one of the layers removed a file! What are you, `/tmp/Wonderland`?

To find it, we export the docker image to a `tar` file with `docker save --output rabbit_hole.tar g3rzi/rabbit_hole`. Then we untar it:

``````┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you]
└─\$ tar -xvf rabbit_hole.tar
60ba9005d6f27b9225eae9f87baebfced06103206174e465a956c01137381f96/
60ba9005d6f27b9225eae9f87baebfced06103206174e465a956c01137381f96/VERSION
60ba9005d6f27b9225eae9f87baebfced06103206174e465a956c01137381f96/json
60ba9005d6f27b9225eae9f87baebfced06103206174e465a956c01137381f96/layer.tar
6c206a5f4eb94555206db9eb5cea0883fcaea96d4a10aee4ea9d05220737d119.json
ac98da2332a56465c337fe58aca626d67aa296273a22c6d8d88a12fd449ccd77/
ac98da2332a56465c337fe58aca626d67aa296273a22c6d8d88a12fd449ccd77/VERSION
ac98da2332a56465c337fe58aca626d67aa296273a22c6d8d88a12fd449ccd77/json
ac98da2332a56465c337fe58aca626d67aa296273a22c6d8d88a12fd449ccd77/layer.tar
manifest.json
repositories``````

One of the layers will contain the file:

``````┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you]
└─\$ find . -name "layer.tar" -exec bash -c "echo {} && tar -tvf {} | grep Wonderland" \;
./60ba9005d6f27b9225eae9f87baebfced06103206174e465a956c01137381f96/layer.tar
-rw-rw-r-- 0/0         6163456 2022-09-14 15:02 tmp/Wonderland
./ac98da2332a56465c337fe58aca626d67aa296273a22c6d8d88a12fd449ccd77/layer.tar
-rw------- 0/0               0 2022-09-14 15:02 tmp/.wh.Wonderland

Let's extract it:

``````┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you]
└─\$ tar -xvf ./60ba9005d6f27b9225eae9f87baebfced06103206174e465a956c01137381f96/layer.tar tmp/Wonderland
tmp/Wonderland

┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you]
└─\$ file tmp/Wonderland
tmp/Wonderland: POSIX tar archive``````

It's another `tar` file. In we go.

``````┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you/tmp]
└─\$ tar -xvf Wonderland
047229ac3650fb687d05206f9c8b505b5d5214382e16ee09830ee1ccbca7c7fe/
047229ac3650fb687d05206f9c8b505b5d5214382e16ee09830ee1ccbca7c7fe/VERSION
047229ac3650fb687d05206f9c8b505b5d5214382e16ee09830ee1ccbca7c7fe/json
047229ac3650fb687d05206f9c8b505b5d5214382e16ee09830ee1ccbca7c7fe/layer.tar
...
fae8145d76a4d64fa960075ac73fabfa2b36676a2c140fc1a380e6012cb68b1c/
fae8145d76a4d64fa960075ac73fabfa2b36676a2c140fc1a380e6012cb68b1c/VERSION
fae8145d76a4d64fa960075ac73fabfa2b36676a2c140fc1a380e6012cb68b1c/json
fae8145d76a4d64fa960075ac73fabfa2b36676a2c140fc1a380e6012cb68b1c/layer.tar
fe588e64e86c132eb6b7064f08a860cb0ec02de1d0d196c6da09ff68f535ccf3/
fe588e64e86c132eb6b7064f08a860cb0ec02de1d0d196c6da09ff68f535ccf3/VERSION
fe588e64e86c132eb6b7064f08a860cb0ec02de1d0d196c6da09ff68f535ccf3/json
fe588e64e86c132eb6b7064f08a860cb0ec02de1d0d196c6da09ff68f535ccf3/layer.tar
manifest.json
repositories``````

More layers. Most of them just have a file called `door`:

``````┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you/tmp]
└─\$ find . -name "*.tar" -exec bash -c "echo {} && tar -tvf {}" \; | tail
./efd3bc07eee5db05b82a77d899f59a27ab648f1e9a534a58e8fc9c9a35733e3f/layer.tar
-rw-r--r-- 0/0               2 2022-09-14 15:00 door
./effe4bc861a420e0ac1a85d415606ca4cacbcb66c7ffcd2d3e2db55167aab69f/layer.tar
-rw-r--r-- 0/0               2 2022-09-14 14:59 door
./f15b16837781b337f7f99b5b549515afeb9fdef405f11a115299611d1720365d/layer.tar
-rw-r--r-- 0/0               2 2022-09-14 14:59 door
./fae8145d76a4d64fa960075ac73fabfa2b36676a2c140fc1a380e6012cb68b1c/layer.tar
-rw-r--r-- 0/0               2 2022-09-14 14:59 door
./fe588e64e86c132eb6b7064f08a860cb0ec02de1d0d196c6da09ff68f535ccf3/layer.tar
-rw-r--r-- 0/0               2 2022-09-14 15:00 door``````

Let's take a look at a few:

``````┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you/tmp]
└─\$ tar -xvf ./fe588e64e86c132eb6b7064f08a860cb0ec02de1d0d196c6da09ff68f535ccf3/layer.tar
door

┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you/tmp]
└─\$ cat door
z

┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you/tmp]
└─\$ tar -xvf ./fae8145d76a4d64fa960075ac73fabfa2b36676a2c140fc1a380e6012cb68b1c/layer.tar
door

┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you/tmp]
└─\$ cat door
5``````

Random characters. So let's extract them all and try to piece together a message. We'll follow the order from `manifest.json`.

``````import json
import tarfile
from pathlib import Path

BASE_PATH = Path("tmp")
DOOR_FILE = "door"

output = b""

with open(BASE_PATH / "manifest.json") as manifest_file:

for layer in manifest["Layers"]:
with tarfile.open(BASE_PATH / layer) as tar:
if DOOR_FILE in tar.getnames():
door = tar.extractfile(DOOR_FILE)

print(output)``````

Output:

``````┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you]
└─\$ python3 solve.py
b'SU5URU5Ue2FfbDE3N2wzX2cwbGQzbl9rM3lfZjByX2FfbDE3N2wzX2QwMHJ9'``````

That looks like base64. We add `print(base64.b64decode(output).decode())` to the script in order to get the flag:

``````┌──([email protected])-[/media/sf_CTFs/intent/Cant_see_you]
└─\$ python3 solve.py
b'SU5URU5Ue2FfbDE3N2wzX2cwbGQzbl9rM3lfZjByX2FfbDE3N2wzX2QwMHJ9'
INTENT{a_l177l3_g0ld3n_k3y_f0r_a_l177l3_d00r}``````