159 words
1 minute
SCSC2026 Quals - Dongker - Forensics Writeup
2026-02-17
Writeup
CTF
/
Security
/
Forensics

Category: Forensics

File: dongker_container.tar

Flag: scsc26{l3arn_3z_f0r3ns1c_d0n9k3r}

Description#

We are given a Docker/OCI container export (.tar). The goal is to recover the flag from the container filesystem.

Analysis#

A container export is basically a tar archive containing the root filesystem (rootfs) plus some metadata. The quickest approach is to extract it and look for anything suspicious in common places such as:

  • /root/.ash_history / /root/.bash_history (command history)

  • /tmp, /var/tmp (temporary files)

  • /home/* (user files)

  • /etc (sometimes flags are hidden in configs)

Solution#

Extract the archive:

mkdir -p dongker_rootfs
tar -xf dongker_container.tar -C dongker_rootfs

Check root’s shell history. This container uses ash (common on Alpine), so the history file is:

Terminal window
cat dongker_rootfs/root/.ash_history

Inside the history we can see the author literally built the flag by appending characters into a temp file:

echo "s" > /tmp/rahasia.txt
echo "c" >> /tmp/rahasia.txt
echo "s" >> /tmp/rahasia.txt
echo "c" >> /tmp/rahasia.txt
echo "2" >> /tmp/rahasia.txt
echo "6" >> /tmp/rahasia.txt
echo "{" >> /tmp/rahasia.txt
echo "l3arn_3z_f0r3ns1c_d0n9k3r" >> /tmp/rahasia.txt
echo "}" >> /tmp/rahasia.txt

So we can just read the file directly from the extracted filesystem:

Terminal window
cat dongker_rootfs/tmp/rahasia.txt

Output:

scsc26{l3arn_3z_f0r3ns1c_d0n9k3r}
SCSC2026 Quals - Dongker - Forensics Writeup
https://fuwari.vercel.app/posts/29/scsc2026-quals-dongker-forensics-writeup/
Author
Light
Published at
2026-02-17
License
CC BY-NC-SA 4.0
SCSC2026 Quals - Sigmatour - Forensics Writeup
SCSC2026 Quals - Sharkk - Forensics Writeup
© 2026 Light. All Rights Reserved. / RSS / Sitemap
Powered by Astro & Fuwari