## The Flag That Flashes By

If you have Windows this is easy (I borrowed someone else's Windows machine specifically to test it; it is very easy, basically a giveaway). But I don't have one... so I could only look at the binary data like this:

```sh
hexdump -Cv Untitled01.exe
```

You can find a section like this. Each row differs only in its seventh byte, and reading that byte down the ASCII column gives the flag.

```sh
00000a70  48 98 c6 44 05 90 66 8b  45 fc 8d 50 01 89 55 fc  |H..D..f.E..P..U.|
00000a80  48 98 c6 44 05 90 6c 8b  45 fc 8d 50 01 89 55 fc  |H..D..l.E..P..U.|
00000a90  48 98 c6 44 05 90 61 8b  45 fc 8d 50 01 89 55 fc  |H..D..a.E..P..U.|
00000aa0  48 98 c6 44 05 90 67 8b  45 fc 8d 50 01 89 55 fc  |H..D..g.E..P..U.|
00000ab0  48 98 c6 44 05 90 7b 8b  45 fc 8d 50 01 89 55 fc  |H..D..{.E..P..U.|
00000ac0  48 98 c6 44 05 90 41 8b  45 fc 8d 50 01 89 55 fc  |H..D..A.E..P..U.|
00000ad0  48 98 c6 44 05 90 72 8b  45 fc 8d 50 01 89 55 fc  |H..D..r.E..P..U.|
00000ae0  48 98 c6 44 05 90 65 8b  45 fc 8d 50 01 89 55 fc  |H..D..e.E..P..U.|
00000af0  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000b00  48 98 c6 44 05 90 79 8b  45 fc 8d 50 01 89 55 fc  |H..D..y.E..P..U.|
00000b10  48 98 c6 44 05 90 6f 8b  45 fc 8d 50 01 89 55 fc  |H..D..o.E..P..U.|
00000b20  48 98 c6 44 05 90 75 8b  45 fc 8d 50 01 89 55 fc  |H..D..u.E..P..U.|
00000b30  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000b40  48 98 c6 44 05 90 65 8b  45 fc 8d 50 01 89 55 fc  |H..D..e.E..P..U.|
00000b50  48 98 c6 44 05 90 79 8b  45 fc 8d 50 01 89 55 fc  |H..D..y.E..P..U.|
00000b60  48 98 c6 44 05 90 65 8b  45 fc 8d 50 01 89 55 fc  |H..D..e.E..P..U.|
00000b70  48 98 c6 44 05 90 73 8b  45 fc 8d 50 01 89 55 fc  |H..D..s.E..P..U.|
00000b80  48 98 c6 44 05 90 31 8b  45 fc 8d 50 01 89 55 fc  |H..D..1.E..P..U.|
00000b90  48 98 c6 44 05 90 67 8b  45 fc 8d 50 01 89 55 fc  |H..D..g.E..P..U.|
00000ba0  48 98 c6 44 05 90 68 8b  45 fc 8d 50 01 89 55 fc  |H..D..h.E..P..U.|
00000bb0  48 98 c6 44 05 90 74 8b  45 fc 8d 50 01 89 55 fc  |H..D..t.E..P..U.|
00000bc0  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000bd0  48 98 c6 44 05 90 67 8b  45 fc 8d 50 01 89 55 fc  |H..D..g.E..P..U.|
00000be0  48 98 c6 44 05 90 30 8b  45 fc 8d 50 01 89 55 fc  |H..D..0.E..P..U.|
00000bf0  48 98 c6 44 05 90 30 8b  45 fc 8d 50 01 89 55 fc  |H..D..0.E..P..U.|
00000c00  48 98 c6 44 05 90 44 8b  45 fc 8d 50 01 89 55 fc  |H..D..D.E..P..U.|
00000c10  48 98 c6 44 05 90 3f 8b  45 fc 8d 50 01 89 55 fc  |H..D..?.E..P..U.|
00000c20  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000c30  48 98 c6 44 05 90 63 8b  45 fc 8d 50 01 89 55 fc  |H..D..c.E..P..U.|
00000c40  48 98 c6 44 05 90 61 8b  45 fc 8d 50 01 89 55 fc  |H..D..a.E..P..U.|
00000c50  48 98 c6 44 05 90 6e 8b  45 fc 8d 50 01 89 55 fc  |H..D..n.E..P..U.|
00000c60  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000c70  48 98 c6 44 05 90 79 8b  45 fc 8d 50 01 89 55 fc  |H..D..y.E..P..U.|
00000c80  48 98 c6 44 05 90 6f 8b  45 fc 8d 50 01 89 55 fc  |H..D..o.E..P..U.|
00000c90  48 98 c6 44 05 90 75 8b  45 fc 8d 50 01 89 55 fc  |H..D..u.E..P..U.|
00000ca0  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000cb0  48 98 c6 44 05 90 64 8b  45 fc 8d 50 01 89 55 fc  |H..D..d.E..P..U.|
00000cc0  48 98 c6 44 05 90 49 8b  45 fc 8d 50 01 89 55 fc  |H..D..I.E..P..U.|
00000cd0  48 98 c6 44 05 90 73 8b  45 fc 8d 50 01 89 55 fc  |H..D..s.E..P..U.|
00000ce0  48 98 c6 44 05 90 74 8b  45 fc 8d 50 01 89 55 fc  |H..D..t.E..P..U.|
00000cf0  48 98 c6 44 05 90 31 8b  45 fc 8d 50 01 89 55 fc  |H..D..1.E..P..U.|
00000d00  48 98 c6 44 05 90 6e 8b  45 fc 8d 50 01 89 55 fc  |H..D..n.E..P..U.|
00000d10  48 98 c6 44 05 90 67 8b  45 fc 8d 50 01 89 55 fc  |H..D..g.E..P..U.|
00000d20  48 98 c6 44 05 90 75 8b  45 fc 8d 50 01 89 55 fc  |H..D..u.E..P..U.|
00000d30  48 98 c6 44 05 90 69 8b  45 fc 8d 50 01 89 55 fc  |H..D..i.E..P..U.|
00000d40  48 98 c6 44 05 90 73 8b  45 fc 8d 50 01 89 55 fc  |H..D..s.E..P..U.|
00000d50  48 98 c6 44 05 90 68 8b  45 fc 8d 50 01 89 55 fc  |H..D..h.E..P..U.|
00000d60  48 98 c6 44 05 90 5f 8b  45 fc 8d 50 01 89 55 fc  |H..D.._.E..P..U.|
00000d70  48 98 c6 44 05 90 31 8b  45 fc 8d 50 01 89 55 fc  |H..D..1.E..P..U.|
00000d80  48 98 c6 44 05 90 69 8b  45 fc 8d 50 01 89 55 fc  |H..D..i.E..P..U.|
00000d90  48 98 c6 44 05 90 49 8b  45 fc 8d 50 01 89 55 fc  |H..D..I.E..P..U.|
00000da0  48 98 c6 44 05 90 3f 8b  45 fc 8d 50 01 89 55 fc  |H..D..?.E..P..U.|
00000db0  48 98 c6 44 05 90 7d 8b  45 fc 8d 50 01 89 55 fc  |H..D..}.E..P..U.|
```

## Student 233's String Tool

**(there is a pitfall here)**

This challenge is really about exploiting a flaw:

1. Python's `upper()` function has a flaw: https://www.anquanke.com/post/id/196044

`ﬂ` (`U+FB02`) uppercases to `FL` (`U+0046` `U+004C`).

This special character can be used to produce `FL`. So simply sending `ﬂag` gives a string that `upper()` converts into the required characters.

Pay special attention here **(there is a pitfall here)**: if you use nc, some terminals convert the character automatically, so copying and pasting it directly does not work. Use the terminal provided in the browser instead.

## Docker

This one tests how Docker works: a Docker image is stacked up layer by layer, the way git is.

You can look at this container's history here: https://hub.docker.com/layers/8b8d3c8324c7/stringtool/latest/images/sha256-aef87a00ad7a4e240e4b475ea265d3818c694034c26ec227d8d4f445f3d93152?context=explore

The official documentation shows how to view the rootfs diff: https://docs.docker.com/storage/storagedriver/overlayfs-driver/

```sh
docker pull 8b8d3c8324c7/stringtool
docker image inspect 8b8d3c8324c7/stringtool:latest
```

```sh
cat /var/lib/docker/overlay2/781c84bb2cc44b9b4a672de1475f0f50ed11c176a5a224b90b0e19b100d79917/diff/code/flag.txt
```

`flag{Docker_Layers!=PS_Layers_hhh}`
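For the `hexdump -Cv Untitled01.exe` output earlier on this page: the rows are one repeated x86-64 sequence that stores an immediate byte into a stack buffer, so the string can be recovered mechanically instead of being read off the ASCII column. This is an added example, not code from the original writeup; the function names and the sample input are constructed for illustration.

```python
import re

# Each row of the dump is: cdqe (48 98); mov BYTE PTR [rbp+rax-0x70], imm8
# (c6 44 05 90 XX); then the index increment. XX is the character being stored.
STORE = re.compile(rb"\x48\x98\xc6\x44\x05\x90(.)", re.DOTALL)
STRIDE = 16  # distance between consecutive stores in the dump


def parse_hexdump(text):
    """Rebuild raw bytes from `hexdump -Cv` text (offset and ASCII column dropped)."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split("|", 1)[0].split()[1:]  # skip the offset field
        out += bytes(int(f, 16) for f in fields)
    return bytes(out)


def recover_strings(blob, min_len=4):
    """Return the strings spelled by runs of evenly spaced imm8 stores."""
    runs, current, last = [], bytearray(), None
    for m in STORE.finditer(blob):
        if last is not None and m.start() - last != STRIDE:
            runs.append(bytes(current))  # gap: a different string starts here
            current = bytearray()
        current += m.group(1)
        last = m.start()
    runs.append(bytes(current))
    return [r.decode("latin-1") for r in runs if len(r) >= min_len]


def build_sample(secret):
    """Constructed input: the same instruction template, one row per byte."""
    head, tail = bytes.fromhex("4898c6440590"), bytes.fromhex("8b45fc8d50018955fc")
    return b"".join(head + bytes([c]) + tail for c in secret)


if __name__ == "__main__":
    blob = b"\x90" * 5 + build_sample(b"flag{constructed_demo}") + b"\xc3"
    print(recover_strings(blob))
```

To run it on the real file, pass the saved `hexdump -Cv` text through `parse_hexdump` and then `recover_strings`, or read the executable's bytes directly.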
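For the `upper()` behaviour in the string-tool section: the ligature case is one instance of Unicode full case mapping, where a single code point uppercases to several characters, so a check made on the raw input does not hold for the converted string. This is an added example, not the challenge's code; `process` and both filters are hypothetical, and it generalises the page's `U+FB02` case by enumerating every such code point.

```python
LIGATURE_FL = "\ufb02"  # LATIN SMALL LIGATURE FL (U+FB02), the character from the page


def upper_expansions():
    """Map every code point whose str.upper() result is longer than one character."""
    table = {}
    for cp in range(0x110000):
        ch = chr(cp)
        up = ch.upper()
        if len(up) > 1:
            table[ch] = up
    return table


def naive_is_blocked(text, banned="flag"):
    """Hypothetical filter: inspects the raw input, before case conversion."""
    return banned in text.lower()


def hardened_is_blocked(text, banned="flag"):
    """Validate the value that is actually used: the result of upper()."""
    return banned.upper() in text.upper()


def process(text, is_blocked):
    """Hypothetical service: reject blocked input, otherwise return text.upper()."""
    if is_blocked(text):
        return None
    return text.upper()


if __name__ == "__main__":
    payload = LIGATURE_FL + "ag"  # three code points that render like "flag"
    print(process(payload, naive_is_blocked))     # FLAG (the raw-input check missed it)
    print(process(payload, hardened_is_blocked))  # None (rejected)
    print(sorted(upper_expansions().items())[:5])
```

Checking the post-conversion string also covers one-to-one surprises such as dotless `ı` (`U+0131`), which uppercases to a plain `I`.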