Introduction to Docker for CTFs
Вставка
- Опубліковано 5 жов 2024
- I'm using docker more often for CTFs, but it's also useful to host challenges. More CTFs share Dockerfiles to run it locally, so I figured it's time to give an introduction to docker. If you have some other tips or tricks about your workflow, please share it below!
Example challenge and CTF container: github.com/Liv...
DigitalOcean*: m.do.co/c/826f...
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
=[ 📄 P.S. ]=
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
Who felt triggered by me using python2?
Me
For me python2 is way better than python3 and IDK why xD
for these purposes python 3 would be better :)
Me, 2 minutes too late, but eh
I was just scrolling down to comment on this blasphemy!
OK, if you starting with docker, you probably want to know that:
8:55
When you start container you can ofc give it a name with `--name some_name` (if you do not give any name it will assign some radom one, in this case it was `cool_yonath`)
later if you want to exec something it there, instead of using id, you can use that name.
Also if you are using if, you don't need to use full id (in fact that id that is displayed when you use `docker ps` is also first 12 characters of id) you need to use enough characters to have single matching result (it might be even only 1 character)
ps: if you using distro with selinux enabled, mount your volumes with `:z` at the end, eg: `-v $PWD:/pwd:z`
ps2: if you run container with `--link container_name:hostname` you are getting connectivity to mentioned container (`ping hostname`)
you can use first 3 characters of image id to reference the container, which is shorter than typing the name, in most cases
@@martingregorik2046 you might even use the first 2 characters if they are unique. But if you recreate the container it has another id, so it is better to give the containers a name.
PS: You can use TAB-completition on the container names, so no need for long typing and you have meaningful names.
liveoverflow : docker tutorial
everyone: where r u these days ?
You could use a bridge network for inter-container communication. With it you don't need to expose any port to the local network and can use the name of the container as IP address
You can also use docker-compose to create more complex setups, with multiple networks
P2P but you are in container.
Skynet: nice
I made a docker-like program (called doqueru-kun) and a tutorial that made me understand how docker works. Waiting for your next video to link it in my project!
I saw that blog! Very cool project!
Thank you! That means a lot for me coming from you!
@@LiveOverflow can you give me the link for the Blog which your referring here, I'm
interested read it as well.
>beginning of video: Docker. Docker container. Docker.
>Middle of video: docker docks docking docks docker dock
>end of video: dakka dakka durka durka docka docka dock
i think im going insane XD
Please explain Ctrl-C and Ctrl-V.
Lmao what
@@selimeneskaraduman6935 i think point was that explanation of docker and everything is so great that it would also great to explain such plain simple thing as copypaste
@@ShivamJha00 3:40
Ctrl+C will create a parallel universe
Docker is just amazing, Kubernetees is the next step
What about Consul?
Mattia Righetti
I thought we should use both since ya know they serve different purposes
Put whatever
kubernetes vs docker :
ua-cam.com/video/2vMEQ5zs1ko/v-deo.html
@@SuperSand2000 what fuck is consul? marca de geladeira? kkkkk
nc host.docker.internal 1024 (instead of finding the IP address of host), or just use the host network when creating the container
When using VSCode there is that awesome plugin that runs your current workspace on docker, so the set up is much easier and the development is much cleaner.
cool, I should check that out. whats the name?
@@LiveOverflow it's called "Remote Container"
Useful information as always. Thanks LiveOverflow
holy crap. nice animation.. very descriptive.. do this more often..
Looking forward to the next video.
(Also Holy shit, I have the green icon now)
Yeah, the time flies
I realized that too some days ago
So, basically Docker is like a solution to "works on my machine ¯\_(ツ)_/¯" syndrome. 😛
Great way of explaining things, kudos to you!!
Dockers are truly a gift for CTFs. I love them so much. And the best thing is that Docker Engine was written in Go!
Hey, a video around pwntools would be awesome!
Loved it, this was awesome and now I know what to use!
Thx
*he bacc*
Keep doing what you are doing! Greets from Germany :-)
aus Deutschland nach Deutschland? 😉
@@olpqay does it mean From Germany to Germany or something? I can totally use google translate, but Im making a guess
chickenicecream1942 exactly 😉
these videos are amazing, keep up the great work.
Love docker, especially when I'm working on a M1 Mac book and need to install tools developed for linux...
Welcome back pro
if u want your last container to execute an arbitrary command, you can prefix the command with docker exec -it $(docker ps -lq)
maybe someone reads this and finds it useful (in an automated setup ofcourse)
I was wondering what docker was!
That's cool
This intro to docker has made the most sense out of every other explanation I have been given, but I still don't get what the difference between this and a VM is.
The main difference is that with a VM a separate kernel is used for the guest. With containers, the host and guest share a kernel.
A VM contains a whole OS (yes, including a kernel), and is a resource hog. A container holds just the files necessary to operate it (like database binaries, for instance ), uses the host kernel, and is much, much lighter and faster.
Minor correction: Docker on Windows can run without Linux, but usually doesn't
Awesome Work Man! Good content
Ehh Welcome Back!
MIssed you, dude!
If you want to run something on the host machine ip from a container you don't need to look for the ip you can just use host.docker.internal :)
I'm used to use Netcup for servers because a) it's a german service so the data is stored in germany and b) from what I had seen it seemed far less expansive even considering the free bonus I get as a student or by such promotions.
Miss your videos
finally a new video
Have you heared about hetzner.de? It is basically like digital ocean but cheaper. They have server farms in Germany and Finland.
My go-to VPS host is scaleway, very similar to digitalocean in usage (also pretty flexible) but much cheaper. And they have some pretty nice AMD epyc machines.
@@juliavanderkris5156 Hetzner also has a huge selection of dedicated server models btw. (Also Epyc)
`docker-compose` is its own package and ‘docker compose` is just docker with the compose plugin, which comes by default. You shouldn’t need the docker-compose package if all you’re doing is basic compose launching.
L33t is back :)
Hey, ist da ein weg um mit dir zu kommunizieren?
habe heute möglicherweise einen iteresanten bug gefunden in einem Parkautomaten.
Muss aber mal wieder zurück und austesten ob das wirklich so jedesmal funktioniert.
Wenn ja, dann gibt es einen weg um ohne zu bezahlen aus dem parkhaus raus zufahren;)
Didn't undertsnad half of the video. But the video is still good, ty
Could you please tell in future video the differences between Packer, Vagrant and Docker? Awesome video! :P
No clue what packer is. But vagrant simply manages virtual machines. What docker really is I will explain next video
Packer is a tool from HashiCorp that builds machine images. So unlike Docker, it's not container technology. Vagrant is basically (really oversimplified here) a CLI tool for managing VMs.
Packer allows you to "pack" all your programs and whatever you might need, bundles that up and spits out an AMI or VMDK/VMX or OVF file.
Basically a dockerfile for VMs.
@@LiveOverflow I never got around to finding out why docker stopped using LXC/LXD/LXCFS...
I have a container setup with the Kali Linux Desktop Environment running and I use Reminna to access it; But it slows my machine done as much as a VM does.
Great video, for me Docker already starts to feel a old tech , because I am already working with Docker for 2 years but it is so rare to see videos for new guys talking about docker. But side note, in the first time you talk about the docker build command was to create a container that it is incorrect, but I think that was just a little mistake
💥💥💥
Please don't run your docker commands as root. That can break some docker images. It is way better to add your user to the docker group, which will give you (for docker) pretty much the same abilities. There is also a really nice utility called ctop(github/bcicen/ctop) which is pretty much htop for docker. Also, look into docker registries (for example hosted on GitLab) to save your Docker images so you don't have to recompile them every time. Also using networks or the deprecated link flag can save you the trouble of exposing hosts to the outside world, and can make it a lot more comprehensible to see which container is connecting to which.
Mh why? I have never had any issues. Ran it as root all the time when using some server.
Also access to docker gives you basically root permissions. So I find it a bit weird to not explicitly use sudo and add the group.
@@LiveOverflow I had problems with mounted files, and yes its fixable with chown and chmod, but I think its an unnecessary risk right? If the container does get exploited?
Docker containers are run by a separate process and have their own users inside. The user id may collide, and it can cause trouble, but it can access only the directories you have mounted to it - which is the main issue.
Look at docker docs, they even say that giving your user docker privileges, is the same as actually giving your user root priveleges - so it is much less safe, than simply running your docker commands with sudo infront.
Not (necessarily) true: "Docker on Windows runs a hidden Linux VM"
The Windows kernel actually supports something quite similar to the Linux namespaces thingy, called "Containers". When using Docker in Container mode on Windows, no VM is necessary or used. In fact this feature even enables Windows to be able to run both Linux Containers AND Windows containers (yes, you can download and run a Windows 10 container) side-by-side simultaneously.
Was looking for that comment
Yes, Docker has two types for Windows. One is newer Docker for Windows which uses this Windows functionality for containers (but AFAIK requires Windows 10 Pro) and the other is Docker Toolbox which uses VirtualBox to run boot2docker Linux VM.
@@filipstamcar6553 yes, although Docker will use Hyper-V instead of VirtualBox by default if it wants to use a VM
Can I use docker for doing CTFs? Many recommend using a VM to participate in CTFs for security purposes. But are docker containers more secure than a VM sandbox?
nice content, @liveoverflow I have been following for a while an I have been wanting to start playing RE/ ctf's and I suck at it, I have been looking for a strong basics where I can start and get a hold of the sub, please refer a source since you are good at it I was hoping you would know a better place to begin for a noon.
Any good ctf list to download
I need many of them
Damn. Awesome. Time to spend the day trawling through docker docs and learning.
This is wouldnt work for anything with a gui right? Like a crackme with a window pop up for a password would just have to run on your main host wouldnt it?
Willy you can. you can run an X server in the Docker container and ssh with X forwarding on your host.
It's possible to forward X applications out of the container into your own X session. This requires that you're on Linux, are using X and not Wayland (maybe there's a way to use XWayland, but I don't know how), and set it up in your Dockerfile.
somatorio.org/en/post/running-gui-apps-with-docker/
thx for the vid
Hi, I have a problem using ctfdocker ---- when using "gdb.attach(io)" with pwntools, how Launch a new terminal in docker container?
I guess using WSL is perfectly fine if not better in this particular use case? A Windows user's point of view
The digital ocean refferral link didnt work for me :((
Don't use `sudo` to run docker commands! add your user to the `docker` group instead, no more nagging for passwords for using docker!
I prefer sudo
it's not secure, read docs
This is more than docker documentation
dumb question, what is CTF??
MilMike - capture the flag, hacking contests where you try to find a special file on the target.
What's CTF?
I searched the web and found this:
CTF (Capture The Flag) is a kind of information security competition that challenges contestants to solve a variety of tasks ranging from a scavenger hunt on wikipedia to basic programming exercises, to hacking your way into a server to steal data.
Is it possible to expose ports for one container to be used by other containers, without exposing it to the host system?
No.
Yes, you have to use a feature called "bridge network". You create a network (with 'docker network create ') and then when you run a container you add the option '-network '.
All the ports will be exposed by default from from inside the network, and you can use the name of the container as IP address alias :)
Very much yes. In fact that’s the point.
Finallyyyyyyyy
how to doing like gdb.attach on docker ?
wow this looks so complicated, Makes me hate hacking 😕
Nice x)
Can you update this man
Gasp running docker as super user
Why are you surprised?
what is ctfs?
Ruchit Micro - Capture The Flag - a contest of breaking into a target and finding special files.
9:58 WHY PYTHON 2??
Docker Docs are actually too much to lean food someone not too familiar with it. It can be frustrating and a waste of time. I’d recommend some videos from UA-cam to help you with it
CT-Who?
Perhaps first?
apt-get install docker.io docker-compose -y
All IT work should be security work.
@@homelessrobot you know what? You're right. Keep IT Interesting.
I think docker is silly. Why would you download and set up a whole thing that's basically a chroot, just to run some tool? If you don't trust that software then yes, fine. But other than sandboxing, I don't think it's useful for tooling. Maybe I'm thinking about this wrong, but why would i have a container for hashcat and another container for jtr and another container for nmap and another for wfuzz, and so forth. It makes no sense and all you accomplish is wasting your hard drive space on redundant data. And don't tell me that's not how it works, because you literally install stuff with `docker pull`, creating one container image for the one tool you pulled.
If you just want a linux environment, feel free to use linux. If you're running on windows you get WSL2. If you are running on mac, get a computer that works and where you don't have to pay for every little thing.
Each app has dependencies that need to be installed. It’s nice to not litter your host system with all these dependencies. Containers are not necessarily used for security. And more about isolation of dependencies and making apps trivial to deploy.
hi first
i know its childish
@@shootingshooter2829 yeah it is
It should work on windows. Well yes but actually no.
Hi
hihi
13th
I have actually seen way better docker videos...kind of disappointed.