这题要是对docker的镜像分层原理有所了解会舒服得多,不会的可以先看看
https://www.cnblogs.com/woshimrf/p/docker-container-lawyer.html
按题目所要求的,拉下来后进去看看(这里发现有80端口开着,映射后没找到东西)
docker pull impakho/trihistory:latest
docker run impakho/trihistory:latest
docker exec -it (容器ID) /bin/bash
用命令 find / -name *flag* 寻找可用信息
在/var/www/html/ 下有flag.html然而提示flag被删了
使用命令 docker history impakho/trihistory:latest 可以查看镜像历史:
第三行是十分可疑的地方,结合那个flag.html我们可以知道应该需要在该层的上一层寻找删除的文件(原理见开头)
命令 docker inspect (容器ID) 显示镜像详情,这里面有我们需要的的上一层文件地址:
[
{
"Id": "sha256:f8f0608cd1a4334c15aa7f37598f5aa1ba7aca9556897a1d119a2e8432424238",
"RepoTags": [
"impakho/trihistory:latest"
],
"RepoDigests": [
"impakho/trihistory@sha256:17297590f715c03d277b0587bedfd471b1cef1270903751c978e72dd0de570f5"
],
"Parent": "",
"Comment": "",
"Created": "2020-05-20T10:57:23.1669636Z",
"Container": "1d4ee6c290809d39f5c3b9796d35db94a128ed59cb146fc07ff8bbad529ba4a8",
"ContainerConfig": {
"Hostname": "1d4ee6c29080",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"80/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh",
"-c",
"#(nop) ",
"ENTRYPOINT [\"/start.sh\"]"
],
"ArgsEscaped": true,
"Image": "sha256:eea8459418cdd2ad3e0ce40ac4b828a62eedc4d654bc7af9ff8cf528b8ebec09",
"Volumes": null,
"WorkingDir": "/",
"Entrypoint": [
"/start.sh"
],
"OnBuild": null,
"Labels": {}
},
"DockerVersion": "18.06.1-ce",
"Author": "",
"Config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"80/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": null,
"ArgsEscaped": true,
"Image": "sha256:eea8459418cdd2ad3e0ce40ac4b828a62eedc4d654bc7af9ff8cf528b8ebec09",
"Volumes": null,
"WorkingDir": "/",
"Entrypoint": [
"/start.sh"
],
"OnBuild": null,
"Labels": null
},
"Architecture": "amd64",
"Os": "linux",
"Size": 158201380,
"VirtualSize": 158201380,
"GraphDriver": {
"Data": {
"LowerDir": "/var/lib/docker/overlay2/0f56c1e70b7abdff23d4af0086b6785f36452e353b1f72241350a8a16a7f631a/diff:/var/lib/docker/overlay2/74937ae7d64f4e71ca1d21207cdb0351c9061e52c24b96d7ef1bb5390e922a8b/diff:/var/lib/docker/overlay2/5b2382d04d3cecdf024c55226ec76ac09528afd876704bd2060902de8c930d4a/diff:/var/lib/docker/overlay2/18e504d7953b6a3e83097c7371463d55c6f84a2cf9631ebca680f015a994fa30/diff:/var/lib/docker/overlay2/78d32b8efe559ada64ddaf40c295f7f628d6f66bc2bc608fd1659a544993a36d/diff:/var/lib/docker/overlay2/5b2e0f0718d91f8cfe7c836aeac0d62bf9ca3dd51a9565b3edfa5011f570b973/diff:/var/lib/docker/overlay2/4e9e5307c9c16d506a6f453c6cca6bb95bf6478f867edcad4758ef75996e3bb2/diff:/var/lib/docker/overlay2/11a484c8c600f7f4e7da7c10c746af366949fd54dbead18c714f690a3b988542/diff:/var/lib/docker/overlay2/8687aace973f08a9ca2756aaba3b4e41f982cf52b33cbf12d552c62f63953707/diff",
"MergedDir": "/var/lib/docker/overlay2/e1295a59839727e2c0f3dde843d298cf53aaf404e08f6f6612f682686ab0484c/merged",
"UpperDir": "/var/lib/docker/overlay2/e1295a59839727e2c0f3dde843d298cf53aaf404e08f6f6612f682686ab0484c/diff",
"WorkDir": "/var/lib/docker/overlay2/e1295a59839727e2c0f3dde843d298cf53aaf404e08f6f6612f682686ab0484c/work"
},
"Name": "overlay2"
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:b7f7d2967507ba709dbd1dd0426a5b0cdbe1ff936c131f8958c8d0f910eea19e",
"sha256:a6ebef4a95c345c844c2bf43ffda8e36dd6e053887dd6e283ad616dcc2376be6",
"sha256:838a37a24627f72df512926fc846dd97c93781cf145690516e23335cc0c27794",
"sha256:28ba7458d04b8551ff45d2e17dc2abb768bf6ed1a46bb262f26a24d21d8d7233",
"sha256:8108c9bd0bf43db0fed516a8f8484c2ecd938ec9bd8ea1334b88b9ef8bdf8053",
"sha256:ca6b45f562603630ba96c849823ac1f1b4be17fe95899ba7ee817f24590e9c19",
"sha256:4c2307ccb6c66b7ee5b0df2b28ace1c53dd52f834adaa30606450393ef28fee6",
"sha256:343896badf0a77e212b0ff3e05c67b6bc6fef467bc83e519fa1b4f8059d1a6bd",
"sha256:f41e1512553f003a733275dcd77494c67c5eda32d9ce5fee8d680c9877b2598c",
"sha256:af63a460580b4b088fb3a4bd2d9a9c7eae28621844a1df10b5c2aa9bfc9db93d"
]
},
"Metadata": {
"LastTagTime": "0001-01-01T00:00:00Z"
}
}
]
我们需要的是这一段
"Data": {
"LowerDir": "/var/lib/docker/overlay2/0f56c1e70b7abdff23d4af0086b6785f36452e353b1f72241350a8a16a7f631a/diff:/var/lib/docker/overlay2/74937ae7d64f4e71ca1d21207cdb0351c9061e52c24b96d7ef1bb5390e922a8b/diff:/var/lib/docker/overlay2/5b2382d04d3cecdf024c55226ec76ac09528afd876704bd2060902de8c930d4a/diff:/var/lib/docker/overlay2/18e504d7953b6a3e83097c7371463d55c6f84a2cf9631ebca680f015a994fa30/diff:/var/lib/docker/overlay2/78d32b8efe559ada64ddaf40c295f7f628d6f66bc2bc608fd1659a544993a36d/diff:/var/lib/docker/overlay2/5b2e0f0718d91f8cfe7c836aeac0d62bf9ca3dd51a9565b3edfa5011f570b973/diff:/var/lib/docker/overlay2/4e9e5307c9c16d506a6f453c6cca6bb95bf6478f867edcad4758ef75996e3bb2/diff:/var/lib/docker/overlay2/11a484c8c600f7f4e7da7c10c746af366949fd54dbead18c714f690a3b988542/diff:/var/lib/docker/overlay2/8687aace973f08a9ca2756aaba3b4e41f982cf52b33cbf12d552c62f63953707/diff",
"MergedDir": "/var/lib/docker/overlay2/e1295a59839727e2c0f3dde843d298cf53aaf404e08f6f6612f682686ab0484c/merged",
"UpperDir": "/var/lib/docker/overlay2/e1295a59839727e2c0f3dde843d298cf53aaf404e08f6f6612f682686ab0484c/diff",
"WorkDir": "/var/lib/docker/overlay2/e1295a59839727e2c0f3dde843d298cf53aaf404e08f6f6612f682686ab0484c/work"
}
去一个个翻目录也行,看别的师傅的WP有更巧妙的方法,也就是使用linux的通配符*:
到目录下有个git文件夹,接下来我们就比较熟悉了,git config 后找到删除的文件checkout即可
可以发现有swp文件.flag.html.swp,vim -r flag.html 恢复后即是flag
