Day 18
Last updated
Although Docker and containerisation have changed the modern software landscape, I don't have a ton of experience working with them. So let's dive in and hopefully learn something new.
Grinch Enterprises has been gloating about their attack on an underground forum. We know they were specifically targeting organizations in a campaign they've themed "Advent of Cyber" (AOC) - what a frustrating coincidence. Tracing the user back over time - we also encountered a reference to using AWS Elastic Container Registry (ECR) to store container images they use as infrastructure in their attacks. Let's see if we can find out more about the attack tooling Grinch Enterprises is using.
First let's pull down the Docker image:
And then run it:
We get a shell inside the running container. We're logged in as "newuser" and the working directory is basically empty.
From here, if we run printenv, we see the Grinch defined an environment variable called "api_key":
Now let's save our image as a .tar:
Once we extract this:
We get a bunch of files and directories. If we do cat manifest.json, we can see some metadata about the image. For example, the Config file:
If we cat this file out we can see the image's build history: the list of Dockerfile instructions that were run to build the image, layer by layer. Here's an interesting one:
We definitely want to look at anything being brought into the root directory. Let's check inside the various layers:
We can check folders this way that we couldn't read as newuser inside the container. We'll keep repeating the above process in each layer directory until we reach one that contains the root folder. Inside is another folder, envconsul. This is the one we're looking for. There's a file inside called config.hcl. Let's cat it out and see.
Inside, there's an important line:
This is the token to access the Grinch's Vault server, a secrets storage utility (envconsul is the HashiCorp helper that pulls secrets out of Vault into a process's environment, which is why its config carries a Vault token). And that finishes off today's challenge. A shorty but a goody.
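The manual walk above (manifest.json, then the config's history, then each layer's tar looking for files under /root) is easy to script so an image can be audited for baked-in secrets without ever running it. This is an added example, not code from the room or from this write-up; it builds a constructed in-memory stand-in for a docker save tarball with placeholder values instead of the real Grinch image, and inspect_image_tar does the same walk on a real tarball's bytes:

```python
import io
import json
import tarfile


def _tar_bytes(files):
    """Build an in-memory tar archive from {name: bytes} (helper for the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for a `docker save` tarball; all values are placeholders."""
    layer = _tar_bytes({"root/envconsul/config.hcl": b'vault {\n  token = "PLACEHOLDER_VAULT_TOKEN"\n}\n'})
    config = {
        "config": {"Env": ["PATH=/usr/bin", "api_key=PLACEHOLDER_API_KEY"]},
        "history": [
            {"created_by": "/bin/sh -c #(nop) ENV api_key=PLACEHOLDER_API_KEY", "empty_layer": True},
            {"created_by": "/bin/sh -c #(nop) COPY dir:deadbeef in /root/envconsul"},
        ],
    }
    manifest = [{"Config": "cfg.json", "Layers": ["l1/layer.tar"]}]
    return _tar_bytes({"manifest.json": json.dumps(manifest).encode(),
                       "cfg.json": json.dumps(config).encode(), "l1/layer.tar": layer})


def inspect_image_tar(tar_bytes, watch_prefix="root/"):
    """Read manifest.json, the image config and every layer of a `docker save` tar.
    Returns (Env list, build-step list, [(layer, path, text)] for files under watch_prefix)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as img:
        manifest = json.loads(img.extractfile("manifest.json").read())[0]
        config = json.loads(img.extractfile(manifest["Config"]).read())
        env = config.get("config", {}).get("Env", [])  # what printenv showed inside the container
        steps = [h.get("created_by", "") for h in config.get("history", [])]  # Dockerfile steps
        for layer_name in manifest["Layers"]:  # base layer first; each entry is itself a tar
            with tarfile.open(fileobj=io.BytesIO(img.extractfile(layer_name).read())) as layer:
                for m in layer.getmembers():
                    if m.isfile() and m.name.startswith(watch_prefix):  # e.g. /root, unreadable as newuser
                        text = layer.extractfile(m).read().decode("utf-8", "replace")
                        findings.append((layer_name, m.name, text))
    return env, steps, findings
```

On a real image, pass the bytes of the file written by docker save; anything under /root (or whatever prefix you watch) shows up even though the container's unprivileged user cannot read it.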