Incident (Forensic, Hard, 500 pts)

Author: Egor Zaytsev (@groke)

Our users have recently complained that the passwords stored in our service keep leaking 😱

We identified an infected node, and it looks like it was an APT that installed a software implant right inside our service.

Can you investigate what has happened and find out what data the attackers have stolen?

ssh incident@35.228.133.151
Password: 6fS0jH9T

We understand that you can't dump memory or attach with the debugger since it's Docker, but we're sure you'll figure it out!

Hint at 20:00 — We know that our service is vulnerable, and the backdoor was installed via exploitation of this vuln. If you want to dump the backdoor, you should exploit this vuln too.