The Flag That Flashes By

If you have Windows this is easy (I specifically borrowed someone else's Windows machine to test; it is trivial, basically a freebie).

But I don't have one... so I can only look at the binary data like this:

```
hexdump -Cv Untitled01.exe
```

You can find a section like this (the `c6 44 05 90 XX` pattern is `mov byte ptr [rbp+rax-0x70], XX`, so the flag is stored one immediate byte at a time; read the ASCII column):

```
00000a70  48 98 c6 44 05 90 66 8b  45 fc 8d 50 01 89 55 fc  |H..D..f.E..P..U.|
00000a80  48 98 c6 44 05 90 6c 8b  45 fc 8d 50 01 89 55 fc  |H..D..l.E..P..U.|
00000a90  48 98 c6 44 05 90 61 8b  45 fc 8d 50 01 89 55 fc  |H..D..a.E..P..U.|
00000aa0  48 98 c6 44 05 90 67 8b  45 fc 8d 50 01 89 55 fc  |H..D..g.E..P..U.|
00000ab0  48 98 c6 44 05 90 7b 8b  45 fc 8d 50 01 89 55 fc  |H..D..{.E..P..U.|
00000ac0  48 98 c6 44 05 90 41 8b  45 fc 8d 50 01 89 55 fc  |H..D..A.E..P..U.|
00000ad0  48 98 c6 44 05 90 72 8b  45 fc 8d 50 01 89 55 fc  |H..D..r.E..P..U.|
00000ae0  48 98 c6 44 05 90 65 8b  45 fc 8d 50 01 89 55 fc  |H..D..e.E..P..U.|
00000af0  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000b00  48 98 c6 44 05 90 79 8b  45 fc 8d 50 01 89 55 fc  |H..D..y.E..P..U.|
00000b10  48 98 c6 44 05 90 6f 8b  45 fc 8d 50 01 89 55 fc  |H..D..o.E..P..U.|
00000b20  48 98 c6 44 05 90 75 8b  45 fc 8d 50 01 89 55 fc  |H..D..u.E..P..U.|
00000b30  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000b40  48 98 c6 44 05 90 65 8b  45 fc 8d 50 01 89 55 fc  |H..D..e.E..P..U.|
00000b50  48 98 c6 44 05 90 79 8b  45 fc 8d 50 01 89 55 fc  |H..D..y.E..P..U.|
00000b60  48 98 c6 44 05 90 65 8b  45 fc 8d 50 01 89 55 fc  |H..D..e.E..P..U.|
00000b70  48 98 c6 44 05 90 73 8b  45 fc 8d 50 01 89 55 fc  |H..D..s.E..P..U.|
00000b80  48 98 c6 44 05 90 31 8b  45 fc 8d 50 01 89 55 fc  |H..D..1.E..P..U.|
00000b90  48 98 c6 44 05 90 67 8b  45 fc 8d 50 01 89 55 fc  |H..D..g.E..P..U.|
00000ba0  48 98 c6 44 05 90 68 8b  45 fc 8d 50 01 89 55 fc  |H..D..h.E..P..U.|
00000bb0  48 98 c6 44 05 90 74 8b  45 fc 8d 50 01 89 55 fc  |H..D..t.E..P..U.|
00000bc0  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000bd0  48 98 c6 44 05 90 67 8b  45 fc 8d 50 01 89 55 fc  |H..D..g.E..P..U.|
00000be0  48 98 c6 44 05 90 30 8b  45 fc 8d 50 01 89 55 fc  |H..D..0.E..P..U.|
00000bf0  48 98 c6 44 05 90 30 8b  45 fc 8d 50 01 89 55 fc  |H..D..0.E..P..U.|
00000c00  48 98 c6 44 05 90 44 8b  45 fc 8d 50 01 89 55 fc  |H..D..D.E..P..U.|
00000c10  48 98 c6 44 05 90 3f 8b  45 fc 8d 50 01 89 55 fc  |H..D..?.E..P..U.|
00000c20  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000c30  48 98 c6 44 05 90 63 8b  45 fc 8d 50 01 89 55 fc  |H..D..c.E..P..U.|
00000c40  48 98 c6 44 05 90 61 8b  45 fc 8d 50 01 89 55 fc  |H..D..a.E..P..U.|
00000c50  48 98 c6 44 05 90 6e 8b  45 fc 8d 50 01 89 55 fc  |H..D..n.E..P..U.|
00000c60  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000c70  48 98 c6 44 05 90 79 8b  45 fc 8d 50 01 89 55 fc  |H..D..y.E..P..U.|
00000c80  48 98 c6 44 05 90 6f 8b  45 fc 8d 50 01 89 55 fc  |H..D..o.E..P..U.|
00000c90  48 98 c6 44 05 90 75 8b  45 fc 8d 50 01 89 55 fc  |H..D..u.E..P..U.|
00000ca0  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000cb0  48 98 c6 44 05 90 64 8b  45 fc 8d 50 01 89 55 fc  |H..D..d.E..P..U.|
00000cc0  48 98 c6 44 05 90 49 8b  45 fc 8d 50 01 89 55 fc  |H..D..I.E..P..U.|
00000cd0  48 98 c6 44 05 90 73 8b  45 fc 8d 50 01 89 55 fc  |H..D..s.E..P..U.|
00000ce0  48 98 c6 44 05 90 74 8b  45 fc 8d 50 01 89 55 fc  |H..D..t.E..P..U.|
00000cf0  48 98 c6 44 05 90 31 8b  45 fc 8d 50 01 89 55 fc  |H..D..1.E..P..U.|
00000d00  48 98 c6 44 05 90 6e 8b  45 fc 8d 50 01 89 55 fc  |H..D..n.E..P..U.|
00000d10  48 98 c6 44 05 90 67 8b  45 fc 8d 50 01 89 55 fc  |H..D..g.E..P..U.|
00000d20  48 98 c6 44 05 90 75 8b  45 fc 8d 50 01 89 55 fc  |H..D..u.E..P..U.|
00000d30  48 98 c6 44 05 90 69 8b  45 fc 8d 50 01 89 55 fc  |H..D..i.E..P..U.|
00000d40  48 98 c6 44 05 90 73 8b  45 fc 8d 50 01 89 55 fc  |H..D..s.E..P..U.|
00000d50  48 98 c6 44 05 90 68 8b  45 fc 8d 50 01 89 55 fc  |H..D..h.E..P..U.|
00000d60  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000d70  48 98 c6 44 05 90 31 8b  45 fc 8d 50 01 89 55 fc  |H..D..1.E..P..U.|
00000d80  48 98 c6 44 05 90 69 8b  45 fc 8d 50 01 89 55 fc  |H..D..i.E..P..U.|
00000d90  48 98 c6 44 05 90 49 8b  45 fc 8d 50 01 89 55 fc  |H..D..I.E..P..U.|
00000da0  48 98 c6 44 05 90 3f 8b  45 fc 8d 50 01 89 55 fc  |H..D..?.E..P..U.|
00000db0  48 98 c6 44 05 90 7d 8b  45 fc 8d 50 01 89 55 fc  |H..D..}.E..P..U.|
```
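Reading the ASCII column by eye works for this dump, but the same extraction can be scripted. This is an added example, not code from the writeup: it parses `hexdump -C` lines back into bytes and collects the imm8 that follows every `c6 44 05 90` store. The embedded dump is a constructed excerpt (the first nine and last three lines of the one above); pass the complete dump to `recover_string` to get the whole string.

```python
import re

# Constructed excerpt of the writeup's `hexdump -Cv Untitled01.exe` output
# (its first nine and last three lines) so the script runs offline.
SAMPLE_DUMP = """\
00000a70  48 98 c6 44 05 90 66 8b  45 fc 8d 50 01 89 55 fc  |H..D..f.E..P..U.|
00000a80  48 98 c6 44 05 90 6c 8b  45 fc 8d 50 01 89 55 fc  |H..D..l.E..P..U.|
00000a90  48 98 c6 44 05 90 61 8b  45 fc 8d 50 01 89 55 fc  |H..D..a.E..P..U.|
00000aa0  48 98 c6 44 05 90 67 8b  45 fc 8d 50 01 89 55 fc  |H..D..g.E..P..U.|
00000ab0  48 98 c6 44 05 90 7b 8b  45 fc 8d 50 01 89 55 fc  |H..D..{.E..P..U.|
00000ac0  48 98 c6 44 05 90 41 8b  45 fc 8d 50 01 89 55 fc  |H..D..A.E..P..U.|
00000ad0  48 98 c6 44 05 90 72 8b  45 fc 8d 50 01 89 55 fc  |H..D..r.E..P..U.|
00000ae0  48 98 c6 44 05 90 65 8b  45 fc 8d 50 01 89 55 fc  |H..D..e.E..P..U.|
00000af0  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000d90  48 98 c6 44 05 90 49 8b  45 fc 8d 50 01 89 55 fc  |H..D..I.E..P..U.|
00000da0  48 98 c6 44 05 90 3f 8b  45 fc 8d 50 01 89 55 fc  |H..D..?.E..P..U.|
00000db0  48 98 c6 44 05 90 7d 8b  45 fc 8d 50 01 89 55 fc  |H..D..}.E..P..U.|
"""

# One `hexdump -C` line: offset, 1..16 hex bytes, optional |ascii| column.
LINE_RE = re.compile(r"^([0-9a-fA-F]{4,})\s+((?:[0-9a-fA-F]{2}\s+){1,16})(?:\|.*\|)?\s*$")

# c6 44 05 90 XX = mov byte ptr [rbp+rax-0x70], XX: the compiler emits the
# string one immediate byte at a time (buf[i++] = 'X'), so the characters live
# in the code stream rather than in a data section where `strings` would see them.
STORE_OPCODE = bytes.fromhex("c6440590")

def parse_hexdump(text):
    """Rebuild the dumped bytes; returns a list of (offset, bytes) per line."""
    chunks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skips '*' repeat markers and the trailing offset-only line
            chunks.append((int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))))
    return chunks

def extract_immediates(data, opcode=STORE_OPCODE):
    """Collect the imm8 that follows every occurrence of `opcode`."""
    out, i = [], data.find(opcode)
    while i != -1 and i + len(opcode) < len(data):
        out.append(data[i + len(opcode)])
        i = data.find(opcode, i + len(opcode) + 1)
    return bytes(out)

def recover_string(dump_text):
    # Joining the lines first lets a pattern be found even when it straddles a line break.
    data = b"".join(chunk for _, chunk in parse_hexdump(dump_text))
    return extract_immediates(data).decode("latin-1")
```

On the excerpt `recover_string(SAMPLE_DUMP)` yields only the first nine and last three characters; the real dump is longer than the page shows, so check that the recovered text is balanced (`flag{...}`) before trusting it.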

Classmate 233's String Tool (there's a trap here)

This challenge is really about exploiting a flaw:

  1. Python's upper() function has a flaw

https://www.anquanke.com/post/id/196044

U+FB02 (the "ﬂ" ligature) uppercases to FL, i.e. U+0046 U+004C.

This one special character expands into the two letters FL, so submitting "ﬂag" (U+FB02 followed by "ag") passes the input check and is then turned by upper() into the expected standard characters.

Pay special attention here (this is the trap): if you connect with nc, some terminals will silently convert the ligature, so pasting it directly does not work. Use the web terminal provided in the browser instead.
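The root cause is a check performed before case conversion, on a different form of the string than the one that is finally used. The following added example (not the challenge's own source; the filter logic is an assumed reconstruction) shows that pattern next to a hardened version that normalises with NFKC and casefolds before checking, and enumerates every code point whose `upper()` expands to several ASCII letters, since U+FB02 is only one member of that class.

```python
import unicodedata

BLOCKED = "flag"
LIGATURE_INPUT = "\ufb02ag"  # 'ﬂ' (U+FB02) + "ag": the word "flag" is not in it yet

def naive_filter_then_upper(text):
    """Assumed shape of the challenge's tool: blocklist check first, conversion after.
    The check sees one character where upper() will later emit two."""
    if BLOCKED in text.lower():
        raise ValueError("forbidden word")
    return text.upper()

def hardened_upper(text):
    """Normalise (NFKC folds U+FB02 to 'fl') and casefold BEFORE checking,
    and return the uppercase of that same canonical form, so the string that
    was checked is the string that is used."""
    canon = unicodedata.normalize("NFKC", text)
    if BLOCKED in canon.casefold():
        raise ValueError("forbidden word")
    return canon.upper()

def expanding_uppercase(ascii_only=True):
    """Every code point whose .upper() is longer than one character. With
    ascii_only these are the inputs that can smuggle an ASCII keyword past a
    check-then-convert filter (ligatures, sharp s, and a few others)."""
    found = {}
    for cp in range(0x110000):
        ch = chr(cp)
        up = ch.upper()
        if len(up) > 1 and (not ascii_only or up.isascii()):
            found[ch] = up
    return found

def rejected(check, text):
    """True if `check` refuses `text`; lets both filters be compared side by side."""
    try:
        check(text)
    except ValueError:
        return True
    return False
```

`expanding_uppercase()` walks the whole code space (about a second in CPython); the same idea applies to `casefold()` and to NFKC itself, so a server should apply one canonical form and validate that form only.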

Docker

This one tests how Docker works: a Docker image is built up layer by layer, like git commits stacked on top of each other, so a file deleted in a later layer is still present in the lower layer that added it.

You can look at the image's layer history here:

https://hub.docker.com/layers/8b8d3c8324c7/stringtool/latest/images/sha256-aef87a00ad7a4e240e4b475ea265d3818c694034c26ec227d8d4f445f3d93152?context=explore

From the official documentation we can find out how to view each layer's rootfs diff on the overlay2 storage driver:

https://docs.docker.com/storage/storagedriver/overlayfs-driver/

```
docker pull 8b8d3c8324c7/stringtool

docker image inspect 8b8d3c8324c7/stringtool:latest

cat /var/lib/docker/overlay2/781c84bb2cc44b9b4a672de1475f0f50ed11c176a5a224b90b0e19b100d79917/diff/code/flag.txt
```

flag{Docker_Layers!=PS_Layers_hhh}
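The same layer walk without root access to `/var/lib/docker`, as an added example rather than the writeup's method: export the image with `docker save -o image.tar <image>` and scan each layer tar for the file and for the overlay whiteout (`.wh.<name>`) that deletes it. The archive built here is constructed to mimic the `docker save` layout (layer tars plus `manifest.json`), not the real stringtool image.

```python
import io
import json
import os
import tarfile
import tempfile

def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_sample_image(path):
    """Constructed `docker save`-style archive (not the real stringtool image):
    layer0 adds code/flag.txt, layer1 deletes it with an overlay whiteout."""
    layers = [{"code/flag.txt": b"flag{constructed_sample}\n"},
              {"code/.wh.flag.txt": b""}]
    with tarfile.open(path, "w") as img:
        names = []
        for idx, files in enumerate(layers):
            buf = io.BytesIO()
            with tarfile.open(fileobj=buf, mode="w") as layer:
                for name, data in files.items():
                    _add(layer, name, data)
            names.append(f"layer{idx}/layer.tar")
            _add(img, names[-1], buf.getvalue())
        _add(img, "manifest.json", json.dumps([{"Layers": names}]).encode())

def trace_file(image_tar, target):
    """Walk layers bottom-up (manifest order) and report each layer in which
    `target` is present or whited out; returns [(layer, state, content)]."""
    folder, _, base = target.rpartition("/")
    whiteout = f"{folder}/.wh.{base}" if folder else f".wh.{base}"
    events = []
    with tarfile.open(image_tar) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            blob = io.BytesIO(img.extractfile(layer_name).read())
            with tarfile.open(fileobj=blob) as layer:
                names = layer.getnames()
                if target in names:
                    events.append((layer_name, "present", layer.extractfile(target).read()))
                if whiteout in names:  # removed here, but still on disk in the lower layer
                    events.append((layer_name, "deleted", b""))
    return events

def demo():
    path = os.path.join(tempfile.mkdtemp(), "sample-image.tar")
    build_sample_image(path)
    return trace_file(path, "code/flag.txt")
```

Against a real export call `trace_file("image.tar", "code/flag.txt")`; the defensive lesson is the same one the flag states: deleting a secret in a later `RUN rm` does not remove it from the image, so it must never be written into a layer in the first place.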