Advent Of Cyber 3 - Day 18

Posted on Dec 18, 2021
tl;dr: Docker

AWS Elastic Container Registry - ECR Public Gallery, playing around with Docker images.

Grinch Enterprises has a public ECR repository that looks suspicious: Grinch Enterprises

Using Docker on Windows or Linux, pull the image with:

docker pull

docker pull  
latest: Pulling from h0w1j9u3/grinch-aoc  
7b1a6ab2e44d: Pull complete  
7181c3c4941b: Pull complete  
148b30b9ae2d: Pull complete  
6f5a7c388565: Pull complete  
ef099323cb4a: Pull complete  
de5bf7e2abf0: Pull complete  
455d5424d859: Pull complete  
b1ee65a7e02a: Pull complete  
a47021107475: Pull complete  
Digest: sha256:593c79eaaa1a905c533e389b0034022e074969da3936df648172c4efc8d421d8  
Status: Downloaded newer image for

Then run it with: docker run -it

With this command we get a shell inside the container and can interact with it as if we were on the server itself.

There is nothing in the container user's home folder, but there are some interesting environment variables:

$ printenv  

Further analysis of the Docker container

Exit the shell and save the image as a tar file with docker save.

mkdir aoc && cd $_
docker save -o aoc.tar

Unpack the archive to see which files it contains.

tar xf aoc.tar

If jq isn't installed, install it:

sudo apt install -y jq

The manifest.json file includes information that we want to investigate further.

cat manifest.json | jq

jq pretty-prints the JSON so it's easier to read:

    "Config": "f886f00520700e2ddd74a14856fcc07a360c819b4cea8cee8be83d4de01e9787.json",
    "RepoTags": [
    "Layers": [

Go through the layers, which were unpacked into folders each containing a layer.tar. In the folder 249855506821100cff82e4b2ce1f920b51bcff2b3272de2b9636eb4c83572beb

there is a root/envconsul folder that looks interesting. Extract that folder with 7-Zip and look at the envconsul configuration file, config.hcl.

Grepping for a token shows that it was never cleaned out of this particular layer:

└─$ grep token config.hcl                                                                              
  # This is the token to use when communicating with the Vault server.
  # assumption that you provide it with a Vault token; it does not have the
  # incorporated logic to generate tokens via Vault's auth methods.
  token = "7095b3e9300542edadbc2dd558ac11fa"
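As an added example (not part of the original writeup), the same search automated in Python: it builds a constructed docker save-style archive with a placeholder token, then walks every layer listed in manifest.json and greps each file for secret-looking assignments. The layer id, file names and token value are constructed sample data, not the real image.

```python
import io
import json
import re
import tarfile

# Secret-looking assignments such as  token = "..."  in HCL/INI-style files.
SECRET_RE = re.compile(r'^\s*(token|password|secret|api_key)\s*=\s*"([^"]+)"', re.I | re.M)


def _add_bytes(tar, name, data):
    """Add an in-memory file to an open TarFile."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image():
    """Constructed 'docker save' style archive (sample data, not the real image)."""
    layer_dir = "0" * 64  # placeholder layer id, not a real digest
    config_hcl = b'# envconsul config\ntoken = "EXAMPLE-TOKEN-0000"\n'
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        _add_bytes(layer, "root/envconsul/config.hcl", config_hcl)
        _add_bytes(layer, "etc/motd", b"nothing to see here\n")
    manifest = [{"Config": "cfg.json", "RepoTags": ["example/aoc:latest"],
                 "Layers": [layer_dir + "/layer.tar"]}]
    image_buf = io.BytesIO()
    with tarfile.open(fileobj=image_buf, mode="w") as image:
        _add_bytes(image, "manifest.json", json.dumps(manifest).encode())
        _add_bytes(image, layer_dir + "/layer.tar", layer_buf.getvalue())
    return image_buf.getvalue()


def scan_image(image_bytes):
    """Walk every layer named in manifest.json; return (layer, path, key, value) hits."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            for layer_name in entry["Layers"]:
                layer_bytes = image.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    for member in layer.getmembers():
                        if not member.isfile():
                            continue
                        text = layer.extractfile(member).read().decode("utf-8", "replace")
                        for key, value in SECRET_RE.findall(text):
                            findings.append((layer_name, member.name, key.lower(), value))
    return findings
```

Point scan_image at the bytes of a real aoc.tar to check every layer, not just the one whose folder you happened to open.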

Command to list container images stored in the local container registry: docker images

Command to save a Docker image as a tar archive: docker save

Name of the file holding the configuration, repo tags and layer hash values: manifest.json

Token value: 7095b3e9300542edadbc2dd558ac11fa