diff --git a/README.md b/README.md index 2410003..fba6936 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,7 @@ | - | - | - | | mcfx [Markdown](players/mcfx/writeup.md) [PDF](players/mcfx/writeup.pdf) | 总排名第一名 | 全部题目 | | [ProfFan](players/ProfFan/writeup.md) | | 证验码 | +| [A-wing](players/a-wing/writeup.md) | 补充一下官方题解 | 一闪而过的 Flag, 233 同学的字符串工具, 233 同学的 Docker | ## 其他资源 diff --git a/players/a-wing/writeup.md b/players/a-wing/writeup.md new file mode 100644 index 0000000..8b1be83 --- /dev/null +++ b/players/a-wing/writeup.md 
@@ -0,0 +1,107 @@ +## 一闪而过的 Flag + +有 windows 的话很好办(我专门借了别人的 Window 机测试,这个很容易,就是白送的) + +可是我没有。。。只能这样看二进制数据 + +```sh +hexdump -Cv Untitled01.exe +``` + +可以找到这样一段 + +```sh +00000a70 48 98 c6 44 05 90 66 8b 45 fc 8d 50 01 89 55 fc |H..D..f.E..P..U.| +00000a80 48 98 c6 44 05 90 6c 8b 45 fc 8d 50 01 89 55 fc |H..D..l.E..P..U.| +00000a90 48 98 c6 44 05 90 61 8b 45 fc 8d 50 01 89 55 fc |H..D..a.E..P..U.| +00000aa0 48 98 c6 44 05 90 67 8b 45 fc 8d 50 01 89 55 fc |H..D..g.E..P..U.| +00000ab0 48 98 c6 44 05 90 7b 8b 45 fc 8d 50 01 89 55 fc |H..D..{.E..P..U.| +00000ac0 48 98 c6 44 05 90 41 8b 45 fc 8d 50 01 89 55 fc |H..D..A.E..P..U.| +00000ad0 48 98 c6 44 05 90 72 8b 45 fc 8d 50 01 89 55 fc |H..D..r.E..P..U.| +00000ae0 48 98 c6 44 05 90 65 8b 45 fc 8d 50 01 89 55 fc |H..D..e.E..P..U.| +00000af0 48 98 c6 44 05 90 5f 8b 45 fc 8d 50 01 89 55 fc |H..D.._.E..P..U.| +00000b00 48 98 c6 44 05 90 79 8b 45 fc 8d 50 01 89 55 fc |H..D..y.E..P..U.| +00000b10 48 98 c6 44 05 90 6f 8b 45 fc 8d 50 01 89 55 fc |H..D..o.E..P..U.| +00000b20 48 98 c6 44 05 90 75 8b 45 fc 8d 50 01 89 55 fc |H..D..u.E..P..U.| +00000b30 48 98 c6 44 05 90 5f 8b 45 fc 8d 50 01 89 55 fc |H..D.._.E..P..U.| +00000b40 48 98 c6 44 05 90 65 8b 45 fc 8d 50 01 89 55 fc |H..D..e.E..P..U.| +00000b50 48 98 c6 44 05 90 79 8b 45 fc 8d 50 01 89 55 fc |H..D..y.E..P..U.| +00000b60 48 98 c6 44 05 90 65 8b 45 fc 8d 50 01 89 55 fc |H..D..e.E..P..U.| +00000b70 48 98 c6 44 05 90 73 8b 45 fc 8d 50 01 89 55 fc |H..D..s.E..P..U.| +00000b80 48 98 c6 44 05 90 31 8b 45 fc 8d 50 01 89 55 fc |H..D..1.E..P..U.| +00000b90 48 98 c6 44 05 90 67 8b 45 fc 8d 50 01 89 55 fc |H..D..g.E..P..U.| +00000ba0 48 98 c6 44 05 90 68 8b 45 fc 8d 50 01 89 55 fc |H..D..h.E..P..U.| +00000bb0 48 98 c6 44 05 90 74 8b 45 fc 8d 50 01 89 55 fc |H..D..t.E..P..U.| +00000bc0 48 98 c6 44 05 90 5f 8b 45 fc 8d 50 01 89 55 fc |H..D.._.E..P..U.| +00000bd0 48 98 c6 44 05 90 67 8b 45 fc 8d 50 01 89 55 fc |H..D..g.E..P..U.| +00000be0 48 98 c6 44 05 90 30 8b 45 fc 8d 50 01 89 55 fc 
|H..D..0.E..P..U.| +00000bf0 48 98 c6 44 05 90 30 8b 45 fc 8d 50 01 89 55 fc |H..D..0.E..P..U.| +00000c00 48 98 c6 44 05 90 44 8b 45 fc 8d 50 01 89 55 fc |H..D..D.E..P..U.| +00000c10 48 98 c6 44 05 90 3f 8b 45 fc 8d 50 01 89 55 fc |H..D..?.E..P..U.| +00000c20 48 98 c6 44 05 90 5f 8b 45 fc 8d 50 01 89 55 fc |H..D.._.E..P..U.| +00000c30 48 98 c6 44 05 90 63 8b 45 fc 8d 50 01 89 55 fc |H..D..c.E..P..U.| +00000c40 48 98 c6 44 05 90 61 8b 45 fc 8d 50 01 89 55 fc |H..D..a.E..P..U.| +00000c50 48 98 c6 44 05 90 6e 8b 45 fc 8d 50 01 89 55 fc |H..D..n.E..P..U.| +00000c60 48 98 c6 44 05 90 5f 8b 45 fc 8d 50 01 89 55 fc |H..D.._.E..P..U.| +00000c70 48 98 c6 44 05 90 79 8b 45 fc 8d 50 01 89 55 fc |H..D..y.E..P..U.| +00000c80 48 98 c6 44 05 90 6f 8b 45 fc 8d 50 01 89 55 fc |H..D..o.E..P..U.| +00000c90 48 98 c6 44 05 90 75 8b 45 fc 8d 50 01 89 55 fc |H..D..u.E..P..U.| +00000ca0 48 98 c6 44 05 90 5f 8b 45 fc 8d 50 01 89 55 fc |H..D.._.E..P..U.| +00000cb0 48 98 c6 44 05 90 64 8b 45 fc 8d 50 01 89 55 fc |H..D..d.E..P..U.| +00000cc0 48 98 c6 44 05 90 49 8b 45 fc 8d 50 01 89 55 fc |H..D..I.E..P..U.| +00000cd0 48 98 c6 44 05 90 73 8b 45 fc 8d 50 01 89 55 fc |H..D..s.E..P..U.| +00000ce0 48 98 c6 44 05 90 74 8b 45 fc 8d 50 01 89 55 fc |H..D..t.E..P..U.| +00000cf0 48 98 c6 44 05 90 31 8b 45 fc 8d 50 01 89 55 fc |H..D..1.E..P..U.| +00000d00 48 98 c6 44 05 90 6e 8b 45 fc 8d 50 01 89 55 fc |H..D..n.E..P..U.| +00000d10 48 98 c6 44 05 90 67 8b 45 fc 8d 50 01 89 55 fc |H..D..g.E..P..U.| +00000d20 48 98 c6 44 05 90 75 8b 45 fc 8d 50 01 89 55 fc |H..D..u.E..P..U.| +00000d30 48 98 c6 44 05 90 69 8b 45 fc 8d 50 01 89 55 fc |H..D..i.E..P..U.| +00000d40 48 98 c6 44 05 90 73 8b 45 fc 8d 50 01 89 55 fc |H..D..s.E..P..U.| +00000d50 48 98 c6 44 05 90 68 8b 45 fc 8d 50 01 89 55 fc |H..D..h.E..P..U.| +00000d60 48 98 c6 44 05 90 5f 8b 45 fc 8d 50 01 89 55 fc |H..D.._.E..P..U.| +00000d70 48 98 c6 44 05 90 31 8b 45 fc 8d 50 01 89 55 fc |H..D..1.E..P..U.| +00000d80 48 98 c6 44 05 90 69 8b 45 fc 8d 50 01 89 55 
fc |H..D..i.E..P..U.| +00000d90 48 98 c6 44 05 90 49 8b 45 fc 8d 50 01 89 55 fc |H..D..I.E..P..U.| +00000da0 48 98 c6 44 05 90 3f 8b 45 fc 8d 50 01 89 55 fc |H..D..?.E..P..U.| +00000db0 48 98 c6 44 05 90 7d 8b 45 fc 8d 50 01 89 55 fc |H..D..}.E..P..U.| +``` + +## 233 同学的字符串工具 **(这里有坑)** + +这道题其实是利用漏洞 + +1. python upper() 函数有漏洞 + +https://www.anquanke.com/post/id/196044 + +`fl` `U+FB02` `大写` `FL` `U+0046` `U+004C` + +利用这个特殊字符可以生成 `FL` 。所以只要使用 `flag` 就可以在 `upper()` 转换成符合标准的字符 + +这个要特别注意 **(这里有坑)** ,如果用 nc 的话有些终端会自动转换。直接复制是不行的。要用那个浏览器提供的终端 + +## Docker + +这个是考 Docker 的原理,docker image 就是 git 的一层一层叠加上去的 + +这里可以看一下这个容器历史记录 + +https://hub.docker.com/layers/8b8d3c8324c7/stringtool/latest/images/sha256-aef87a00ad7a4e240e4b475ea265d3818c694034c26ec227d8d4f445f3d93152?context=explore + + +根据这份官方文档,我们可以找到如何查看 rootfs 的 diff + +https://docs.docker.com/storage/storagedriver/overlayfs-driver/ + +```sh + +docker pull 8b8d3c8324c7/stringtool + +docker image inspect 8b8d3c8324c7/stringtool:latest +``` + + +`cat /var/lib/docker/overlay2/781c84bb2cc44b9b4a672de1475f0f50ed11c176a5a224b90b0e19b100d79917/diff/code/flag.txt` + +`flag{Docker_Layers!=PS_Layers_hhh}` +
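Review bot: In the `README.md` hunk the second column is used as a placing/remark column ("总排名第一名" for mcfx, blank for ProfFan), so "补充一下官方题解" reads as a description of the write-up rather than a result; consider leaving that cell blank or moving the remark next to the problem list, and drop the conversational "一下" in a table cell. The third problem is listed as "233 同学的 Docker" but the write-up's own heading is just `## Docker`; pick one title so the table entry and the section can be matched. Minor: the link path uses `players/a-wing/` while the displayed name is `A-wing`; the other rows (`mcfx`, `ProfFan`) keep the directory name identical to the displayed name.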
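Review bot: In the `writeup.md` hunk the Docker section ends with `cat /var/lib/docker/overlay2/781c84bb2cc4.../diff/code/flag.txt`, but that directory name is the local layer cache id and will differ on every host that pulls the image; the hunk already runs `docker image inspect 8b8d3c8324c7/stringtool:latest`, so one sentence saying that the path comes from the `GraphDriver.Data` (`LowerDir`/`UpperDir`) entries of that output, and that the `/diff` directory holds only the files written by that one layer, would make the step reproducible instead of copy-paste-only. In the string-tool section, "python upper() 函数有漏洞" overstates it: `upper()` mapping `U+FB02` (`ﬂ`) to `FL` is the standard Unicode special-casing behaviour; the weakness is in the tool checking input before case conversion, so phrasing it as a check-before-transform issue would teach the right lesson, and the flattened line `` `fl` `U+FB02` `大写` `FL` `U+0046` `U+004C` `` should become a sentence or a two-column table. In the first section the flag is never written out; the reader has to assemble it from the ASCII column of the dump (`flag{Are_you_...`), so state the recovered string after the dump, and note that each row is the same instruction bytes with only the immediate (`66`, `6c`, `61`, ...) changing, which is why it can be read off directly. Style: the hexdump listing is program output, not shell input, so a plain fence fits better than ```sh, and the last ```sh block has a stray blank line after the opening fence.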