Flare-On8-03_antioch

发布于 2022-04-08  103 次阅读


https://agate-colony-3f5.notion.site/03_antioch-413db35c387c4b17b9dd8564ddebc65e

信息以及文件提取

拿到后zip包中包含一个tar存档antioch.tar。 存档内部是以下文件结构:

manifest.json

repositories

a JSON file named with a hexadecimal ID.

还有31个额外的文件夹,以十六进制 ID 命名并包含 json、layer.tar 和 VERSION 文件.

查看以十六进制ID命名的文件夹中的json文件

我们确定了这个antioch.tar为导出的 Docker镜像

尝试加载这个镜像

sudo docker load -i antioch.tar

一个 Docker 镜像由一系列layer组成,每个layer都会对镜像进行更改。 大多数layer将文件添加到虚拟文件系统,但layer也可以删除文件或调整从映像生成的容器的启动配置。也就是每一个层是上一层的增量或者是一些改变

使用history命令可以查看image的layers

可以看见这个image只有两个layer

第一层将文件“AntiochOS”添加到虚拟文件系统的根目录,第二层将容器配置为在启动时运行该文件。

我们先运行一下这个image看这个可执行文件的输出,获取到一些信息

接下来我们提取这个AntiochOS文件

syj@ubuntu:~$ sudo docker container cp antioch_test:/AntiochOS /home/syj/Re
syj@ubuntu:~$ cd /home/syj/Re
syj@ubuntu:~/Re$ ls | grep AntiochOS
AntiochOS
syj@ubuntu:~/Re$ file AntiochOS
AntiochOS: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), 
statically linked, stripped

AntiochOS文件分析

1.字符串混淆:

有两种字符串混淆的方式

第一种是将字符串拆分为单个字节,经过一个函数赋值到堆栈中

.text:0000000000401340 ; void __fastcall str_quit(_BYTE *)
.text:0000000000401340 str_quit proc near
.text:0000000000401340 ; __unwind {
.text:0000000000401340 mov     byte ptr [rdi], 71h ; 'q'
.text:0000000000401343 mov     byte ptr [rdi+1], 75h ; 'u'
.text:0000000000401347 mov     byte ptr [rdi+2], 69h ; 'i'
.text:000000000040134B mov     byte ptr [rdi+3], 74h ; 't'
.text:000000000040134F mov     byte ptr [rdi+4], 0Ah
.text:0000000000401353 mov     byte ptr [rdi+5], 0
.text:0000000000401357 retn
.text:0000000000401357 str_quit endp
.text:0000000000401357
.text:0000000000401360 ; void __fastcall str_help(_BYTE *)
.text:0000000000401360 str_help proc near
.text:0000000000401360 ; __unwind {
.text:0000000000401360 mov     byte ptr [rdi], 68h ; 'h'
.text:0000000000401363 mov     byte ptr [rdi+1], 65h ; 'e'
.text:0000000000401367 mov     byte ptr [rdi+2], 6Ch ; 'l'
.text:000000000040136B mov     byte ptr [rdi+3], 70h ; 'p'
.text:000000000040136F mov     byte ptr [rdi+4], 0Ah
.text:0000000000401373 mov     byte ptr [rdi+5], 0
.text:0000000000401377 retn
.text:0000000000401377 str_help endp

第二种是approach_message_builder函数里面的

char *__fastcall approach_message_builder()
{
  char v0; // dl
  char *i; // rax

  v0 = byte_404020;
  if ( !byte_404020 )
  {
    for ( i = &byte_404020; ; v0 = *i )
    {
      *i++ = v0 ^ 0x9D;
      if ( i == &byte_404020 + 38 )
        break;
    }
  }
  return &unk_404021;
}

将字符串加密后存放到连续的内存中

运行时解密

可以知道就是异或

使用lazyida的get xor data即可快速得到对应真实字符串

2.支持命令

quit

help

consult

approach

3.approach命令对应的ask_questions函数分析

首先输出Approach the Gorge of Eternal Peril!\n字符串

然后输出What is your name?

之后调用sys_read从标准输入读取我们的输入(name)

然后传入flag_check函数,参数1是我们的输入字符串指针,参数2是长度

__int64 __fastcall flag_check(char *inp, int len)
{
  char *v2; // rsi
  unsigned int data; // eax
  char v4; // dl

  if ( len <= 0 )
    return 0LL;
  v2 = &inp[len - 1 + 1];
  data = -1;
  do
  {
    v4 = *inp++;
    data = CRC32_table_402260[(data ^ v4)] ^ (data >> 8);
  }
  while ( v2 != inp );
  return ~data;
}

CRC32我们的name之后和内存中的间隔12字节数据的前4字节进行比较

只要能找到一个值与CRC32(name)之后就值就不再执行while循环

下方输出What is your quest?

然后调用read读取我们的quest,读取了后面并没有用它做什么,这个quest没什么用

之后会输出What is your favorite color?

然后我们输入color之后又会将其进行CRC32

然后与内存中的间隔12字节数据的4-8字节进行比较

相同后会输出'Right. Off you go. #'

并输出这一组的最后8-12字节的decimal值

我们可以得知,内存中12字节是这样排列的

CRC32(name)   4byte
CRC32(color)  4byte
number        4byte

对于name,我们在子目录的json文件中可以看见author

然后将其crc32之后在内存中可以找到

import zlib
print(hex(zlib.crc32(b'Dragon of Angnor\n')))      # 0xab1321cc

说明这些名字就是正确的

names = {"09e6fff53d6496d170aaa9bc88bd39e17c8e5c13ee9066935b089ab0312635ef":"Dragon of Angnor",
"1c5d28d6564aed0316526e8bb2d79a436b45530d2493967c8083fea2b2e518ce":"Roger the Shrubber",
"25e171d6ac47c26159b26cd192a90d5d37e733eb16e68d3579df364908db30f2":"Dinky",
"2b363180ec5d5862b2a348db3069b51d79d4e7a277d5cf5e4afe2a54fc04730e":"Dennis the Peasant",
"303dfd1f7447a80322cc8a8677941da7116fbf0cea56e7d36a4f563c6f22e867":"Sir Ector",
"49fb821d2bf6d6841ac7cf5005a6f18c4c76f417ac8a53d9e6b48154b5aa1e76":"A Famous Historian",
"4c33f90f25ea2ab1352efb77794ecc424883181cf8e6644946255738ac9f5dbd":"Tim the Enchanter",
"58da659c7d1c5a0c3447cb97cd6ffb12027c734bfba32de8b9b362475fe92fae":"Sir Gawain",
"6b4e128697aa0459a6caba2088f6f77efaaf29d407ec6b58939c9bc7814688ad":"Trojan Rabbit",
"754ee87063ee108c1f939cd3a28980a03b700f3c3967df8058831edad2743fd7":"Sir Robin",
"76531a907cdecf03c8ac404d91cbcabd438a226161e621fab103a920600372a8":"Green Knight",
"7d643931f34d73776e9169551798e1c4ca3b4c37b730143e88171292dbe99264":"Sir Bedevere",
"81f28623cca429f9914e21790722d0351737f8ad3e823619a4f7019be72e2195":"Squire Concorde",
"8e11477e79016a17e5cde00abc06523856a7db9104c0234803d30a81c50d2b71":"Sir Not-Appearing-in-this-Film",
"9a31bad171ad7e8009fba41193d339271fc51f992b8d574c501cae1bfa6c3fe2":"Legendary Black Beast of Argh",
"a2de31788db95838a986271665b958ac888d78559aa07e55d2a98fc3baecf6e6":"Sir Gallahad",
"a435765bcd8745561460979b270878a3e7c729fae46d9e878f4c2d42e5096a44":"Lady of the Lake",
"b5f502d32c018d6b2ee6a61f30306f9b46dad823ba503eea5b403951209fd59b":"Zoot",
"b75ea3e81881c5d36261f64d467c7eb87cd694c85dd15df946601330f36763a4":"Miss Islington",
"bfefc1bdf8b980a525f58da1550b56daa67bae66b56e49b993fff139faa1472c":"Chicken of Bristol",
"cd27ad9a438a7eef05f5b5d99e2454225693e63aba29ce8553800fed23575040":"Rabbit of Caerbannog",
"cfd7ddb31ce44bb24b373645876ac7ea372da1f3f31758f2321cc8f5b29884fb":"Black Knight",
"e1a9333f9eccfeae42acec6ac459b9025fe6097c065ffeefe5210867e1e2317d":"Prince Herbert",
"e5254dec4c7d10c15e16b41994ca3cf0c5e2b2a56c9d4dc2ef053eeff24333ff":"Brother Maynard",
"e6c2557dc0ff4173baee856cbc5641d5b19706ddb4368556fcdb046f36efd2e2":"King Arthur",
"ea12384be264c32ec1db0986247a8d4b2231bf017742313c01b05a7e431d9c26":"Sir Bors",
"f2ebdc667cbafc2725421d3c02babc957da2370fbd019a9e1993d8b0409f86dd":"Squire Patsy",
"f9621328166de01de73b4044edb9030b3ad3d5dbc61c0b79e26f177e9123d184":"Bridge Keeper",
"fadf53f0ae11908b89dffc3123e662d31176b0bb047182bfec51845d1e81beb9":"Inspector End Of Film",
"fd8bf3c084c5dd42159f9654475f5861add943905d0ad1d3672f39e014757470":"Sir Lancelot"}

总共30个名字,对应了内存中的30组数据

那么现在还有color不知道

get_color.py

import zlib
mem_cmpdata = [0xB59395A9, 0x1BB5AB29, 0x0000000E, 0x5EFDD04B, 0x3F8468C8, 0x00000012, 0xECED85D0, 0x82D23D48, 0x00000002, 0xD8549214, 0x00472EE5, 0x0000001D, 0x2C2F024D, 0xC9A060AA, 0x0000000C, 0x018A5232, 0x0024D235, 0x0000000D, 0x72B88A33, 0x81576613, 0x00000014, 0x674404E2, 0x5169E129, 0x0000000B, 0x307A73B5, 0xE560E13E, 0x0000001C, 0x13468704, 0x2358E4A9, 0x00000015, 0x94F6471B, 0xD6341A53, 0x00000005, 0xEDA1CF75, 0xBAFA91E5, 0x00000018, 0xBBAC124D, 0xA697641D, 0x00000019, 0xF707E4C3, 0xEF185643, 0x00000007, 0xD702596F, 0x79C28915, 0x0000000A, 0x86A10848, 0x59108FDC, 0x00000001, 0xD640531C, 0xEF3DE1E8, 0x00000013, 0x7B665DB3, 0xA3A903B0, 0x00000003, 0xAB1321CC, 0xEEEDEAD7, 0x00000004, 0x4F6066D8, 0x9C8A3D07, 0x00000011, 0x256047CA, 0x4085BE9E, 0x00000009, 0x3FC91ED3, 0x379549C9, 0x00000008, 0xA424AFE4, 0xEF871347, 0x0000001B, 0x550901DA, 0x01FCEC6B, 0x00000010, 0x10A29E2D, 0xE76056AA, 0x00000016, 0x56CBC85F, 0x356F1A68, 0x0000000F, 0x80DFE3A6, 0x9D0AB536, 0x0000001E, 0xE657D4E1, 0xB4E9FD30, 0x00000017, 0x2BA1E1D4, 0xBE66D918, 0x0000001A, 0x7D33089B, 0x67C1F585, 0x00000006]
with open(r'/usr/share/dict/words', 'r') as fp:
  colors = fp.read().split('\n')
colors = [color.capitalize().encode() for color in colors]
crc32_to_color = {zlib.crc32(color + b'\n'):color for color in colors}
for i in range(1, len(mem_cmpdata), 3):
    print(crc32_to_color[mem_cmpdata[i]])

我们排列出来

[b'Bridge Keeper', b'Indigo', 14],
[b'Sir Lancelot', b'Blue', 18],
[b'Sir Bors', b'Coral', 2],
[b'Black Knight', b'Black', 29],
[b'Chicken of Bristol', b'Mint', 12],
[b'Roger the Shrubber', b'Tomato', 13],
[b'Rabbit of Caerbannog', b'Salmon', 20],
[b'Trojan Rabbit', b'Beige', 11],
[b'Dinky', b'Turquoise', 28],
[b'Sir Not-Appearing-in-this-Film', b'Transparent', 21],
[b'Brother Maynard', b'Crimson', 5],
[b'Inspector End Of Film', b'Gray', 24],
[b'Sir Ector', b'Bisque', 25],
[b'Sir Robin', b'Red', 7],
[b'Green Knight', b'Green', 10],
[b'Miss Islington', b'Brown', 1],
[b'Lady of the Lake', b'Gold', 19],
[b'Tim the Enchanter', b'Orange', 3],
[b'Dragon of Angnor', b'Khaki', 4],
[b'A Famous Historian', b'Pink', 17],
[b'Squire Concorde', b'Periwinkle', 9],
[b'Zoot', b'Tan', 8],
[b'Dennis the Peasant', b'Orchid', 27],
[b'Legendary Black Beast of Argh', b'Silver', 16],
[b'Prince Herbert', b'Wheat', 22],
[b'Sir Gawain', b'Azure', 15],
[b'Sir Gallahad', b'Yellow', 30],
[b'King Arthur', b'Purple', 23],
[b'Squire Patsy', b'Chartreuse', 26],
[b'Sir Bedevere', b'Teal', 6],

尝试一组

4.consult函数分析

先输出字符串Consult the Book of Armaments!\n

然后循环读取a.data-z.data的文件,每个文件0x1000字节

读取到了就将a.data ^ b.data ^ c.data ^ ....

以此类推

最后的结果会选取其中的单个元素作为字符表的下标从而取出字符赋值回buf

最后将buf输出

子文件夹中的layer.tar中就是.data文件

但是每个子文件夹中都有

我们先尝试将其中一个解压后和AntiochOS放到同目录下并执行consult命令的结果

可以看见输出了一些字符,但是并没有规律

Docker Layers恢复并重新载入执行consult

根据mem_cmpdata每个元素的最后那个number,我们能知道图层文件夹的顺序

在继续分析之前理解docker-image-layer:https://stackoverflow.com/questions/31222377/what-are-docker-image-layers/51660942#51660942

Docker image layers(tar 文件中的 31 个子目录)是 Docker 用来缓存中间阶段的中间镜像,以便在进行小的更改时可以更快地重建镜像,就像是git的commit。

这些层存储由Dockerfile中的指令生成的文件系统差异,并且每当有添加或更改时,整个文件都在每一层中。

我们创建一个Dockerfile并构建一个docker执行命令后查看layers

Dockerfile

FROM alpine
RUN echo 123456 > a.txt
RUN echo 789abc > b.txt
CMD ["sh"]

RUN是在build时执行,CMD是在docker run时运行

sudo docker build -t test .
syj@ubuntu:~/Re/docker$ sudo docker images
REPOSITORY                          TAG       IMAGE ID       CREATED         SIZE
test                                latest    d5c905e3d500   2 minutes ago   5.57MB
sudo docker save d5c905e3d500 -o ourpack.tar

分析ourpack.tar

查看manifest.json和.json

manifest.json

[{"Config":"d5c905e3d500e84f06c7c7a8bb80acf76a65b422db0e7225519b2dd4436788e6.json",
"RepoTags":null,
"Layers":
["e747bc64905b0eb97ce32a3cb5e2e18c9d7046cb602aa66c4216350aee7fa7b8/layer.tar",
"95121bcb3c02859ecd8df1ec3ec815415c044c74c4b44dca1bb002e320798454/layer.tar",
"b3860a9a7ab5c5ffbded325621a5682e9b8d81011471500a4ae959a301c56e90/layer.tar"]
}]

d5c905e3d500e84f06c7c7a8bb80acf76a65b422db0e7225519b2dd4436788e6.json

{"architecture":"amd64","config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["sh"],"Image":"sha256:cba29b7dd9b850ea1b444fe0e901f3bbfa658b78b320d6f96c0cf4985617ecc3","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"99209384b56a40770d5ce950162a43c76430f543e17bad7a4a6dc70545e14a90","container_config":{"Hostname":"99209384b56a","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ","CMD ["sh"]"],"Image":"sha256:cba29b7dd9b850ea1b444fe0e901f3bbfa658b78b320d6f96c0cf4985617ecc3","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":{}},"created":"2022-04-03T08:01:56.473843177Z","docker_version":"20.10.7","history":[{"created":"2022-03-29T00:19:36.282057688Z","created_by":"/bin/sh -c #(nop) ADD file:3b5a33c96fd3c10d0c438d907ce172903f7b2bde0f4e5107831e135ddf111b19 in / "},{"created":"2022-03-29T00:19:36.3910427Z","created_by":"/bin/sh -c #(nop) CMD ["/bin/sh"]","empty_layer":true},{"created":"2022-04-03T08:01:56.01153152Z","created_by":"/bin/sh -c echo 123456 \u003e a.txt"},{"created":"2022-04-03T08:01:56.387249232Z","created_by":"/bin/sh -c echo 789abc \u003e b.txt"},{"created":"2022-04-03T08:01:56.473843177Z","created_by":"/bin/sh -c #(nop) CMD ["sh"]","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:a1c01e366b99afb656cec4b16561b6ab299fa471011b4414826407af3a5884f8","sha256:8b2bfce8c78b7c6f817c885d187e82fe0fa2d2ddc1b9bbfe2fb2fe793a7939f8","sha256:066048dbcd3c38b6d341c9e11cb79623f19c5fdb2aef67f1f0a4eb22c20b5ac8"]}}

这里有三个layers,第一个layers.tar中的内容

另外两个分别是a.txt和b.txt

对比题目的manifest.json和.json这两个文件

但是题目总共有31个子文件夹,除开这里已经有的一个Layers和sha256

就是30个,对应那30组

sha256其实就是子文件夹中layers.tar的sha256

测试:

fp = open(r'D:\CTF\Flare-On8_Challenges\03_antioch\ourtestdocker\95121bcb3c02859ecd8df1ec3ec815415c044c74c4b44dca1bb002e320798454\layer.tar', 'rb')
data = fp.read()
import hashlib
print(hashlib.sha256(data).hexdigest().lower())

我们按照顺序从1-30先排序

names = {"09e6fff53d6496d170aaa9bc88bd39e17c8e5c13ee9066935b089ab0312635ef":b"Dragon of Angnor",
"1c5d28d6564aed0316526e8bb2d79a436b45530d2493967c8083fea2b2e518ce":b"Roger the Shrubber",
"25e171d6ac47c26159b26cd192a90d5d37e733eb16e68d3579df364908db30f2":b"Dinky",
"2b363180ec5d5862b2a348db3069b51d79d4e7a277d5cf5e4afe2a54fc04730e":b"Dennis the Peasant",
"303dfd1f7447a80322cc8a8677941da7116fbf0cea56e7d36a4f563c6f22e867":b"Sir Ector",
"49fb821d2bf6d6841ac7cf5005a6f18c4c76f417ac8a53d9e6b48154b5aa1e76":b"A Famous Historian",
"4c33f90f25ea2ab1352efb77794ecc424883181cf8e6644946255738ac9f5dbd":b"Tim the Enchanter",
"58da659c7d1c5a0c3447cb97cd6ffb12027c734bfba32de8b9b362475fe92fae":b"Sir Gawain",
"6b4e128697aa0459a6caba2088f6f77efaaf29d407ec6b58939c9bc7814688ad":b"Trojan Rabbit",
"754ee87063ee108c1f939cd3a28980a03b700f3c3967df8058831edad2743fd7":b"Sir Robin",
"76531a907cdecf03c8ac404d91cbcabd438a226161e621fab103a920600372a8":b"Green Knight",
"7d643931f34d73776e9169551798e1c4ca3b4c37b730143e88171292dbe99264":b"Sir Bedevere",
"81f28623cca429f9914e21790722d0351737f8ad3e823619a4f7019be72e2195":b"Squire Concorde",
"8e11477e79016a17e5cde00abc06523856a7db9104c0234803d30a81c50d2b71":b"Sir Not-Appearing-in-this-Film",
"9a31bad171ad7e8009fba41193d339271fc51f992b8d574c501cae1bfa6c3fe2":b"Legendary Black Beast of Argh",
"a2de31788db95838a986271665b958ac888d78559aa07e55d2a98fc3baecf6e6":b"Sir Gallahad",
"a435765bcd8745561460979b270878a3e7c729fae46d9e878f4c2d42e5096a44":b"Lady of the Lake",
"b5f502d32c018d6b2ee6a61f30306f9b46dad823ba503eea5b403951209fd59b":b"Zoot",
"b75ea3e81881c5d36261f64d467c7eb87cd694c85dd15df946601330f36763a4":b"Miss Islington",
"bfefc1bdf8b980a525f58da1550b56daa67bae66b56e49b993fff139faa1472c":b"Chicken of Bristol",
"cd27ad9a438a7eef05f5b5d99e2454225693e63aba29ce8553800fed23575040":b"Rabbit of Caerbannog",
"cfd7ddb31ce44bb24b373645876ac7ea372da1f3f31758f2321cc8f5b29884fb":b"Black Knight",
"e1a9333f9eccfeae42acec6ac459b9025fe6097c065ffeefe5210867e1e2317d":b"Prince Herbert",
"e5254dec4c7d10c15e16b41994ca3cf0c5e2b2a56c9d4dc2ef053eeff24333ff":b"Brother Maynard",
"e6c2557dc0ff4173baee856cbc5641d5b19706ddb4368556fcdb046f36efd2e2":b"King Arthur",
"ea12384be264c32ec1db0986247a8d4b2231bf017742313c01b05a7e431d9c26":b"Sir Bors",
"f2ebdc667cbafc2725421d3c02babc957da2370fbd019a9e1993d8b0409f86dd":b"Squire Patsy",
"f9621328166de01de73b4044edb9030b3ad3d5dbc61c0b79e26f177e9123d184":b"Bridge Keeper",
"fadf53f0ae11908b89dffc3123e662d31176b0bb047182bfec51845d1e81beb9":b"Inspector End Of Film",
"fd8bf3c084c5dd42159f9654475f5861add943905d0ad1d3672f39e014757470":b"Sir Lancelot"}
data = [[b'Bridge Keeper', b'Indigo', 14],
[b'Sir Lancelot', b'Blue', 18],
[b'Sir Bors', b'Coral', 2],
[b'Black Knight', b'Black', 29],
[b'Chicken of Bristol', b'Mint', 12],
[b'Roger the Shrubber', b'Tomato', 13],
[b'Rabbit of Caerbannog', b'Salmon', 20],
[b'Trojan Rabbit', b'Beige', 11],
[b'Dinky', b'Turquoise', 28],
[b'Sir Not-Appearing-in-this-Film', b'Transparent', 21],
[b'Brother Maynard', b'Crimson', 5],
[b'Inspector End Of Film', b'Gray', 24],
[b'Sir Ector', b'Bisque', 25],
[b'Sir Robin', b'Red', 7],
[b'Green Knight', b'Green', 10],
[b'Miss Islington', b'Brown', 1],
[b'Lady of the Lake', b'Gold', 19],
[b'Tim the Enchanter', b'Orange', 3],
[b'Dragon of Angnor', b'Khaki', 4],
[b'A Famous Historian', b'Pink', 17],
[b'Squire Concorde', b'Periwinkle', 9],
[b'Zoot', b'Tan', 8],
[b'Dennis the Peasant', b'Orchid', 27],
[b'Legendary Black Beast of Argh', b'Silver', 16],
[b'Prince Herbert', b'Wheat', 22],
[b'Sir Gawain', b'Azure', 15],
[b'Sir Gallahad', b'Yellow', 30],
[b'King Arthur', b'Purple', 23],
[b'Squire Patsy', b'Chartreuse', 26],
[b'Sir Bedevere', b'Teal', 6]]

def getKey(value):
    if value not in names.values():
        return None
    result = ''
    for key in names:
        if names[key] == value:
            result = key
    return result

# print(getKey(data[0][0]))
for i in range(1, 33, 1):
    for j in range(len(data)):
        if data[j][2] == i:
            print("Number:"+str(i) + "  FolderName:" + getKey(data[j][0]) + "  Name:" + data[j][0].decode('utf-8') + "  " + "Color:" + data[j][1].decode('utf-8'))
Number:1  FolderName:b75ea3e81881c5d36261f64d467c7eb87cd694c85dd15df946601330f36763a4  Name:Miss Islington  Color:Brown
Number:2  FolderName:ea12384be264c32ec1db0986247a8d4b2231bf017742313c01b05a7e431d9c26  Name:Sir Bors  Color:Coral
Number:3  FolderName:4c33f90f25ea2ab1352efb77794ecc424883181cf8e6644946255738ac9f5dbd  Name:Tim the Enchanter  Color:Orange
Number:4  FolderName:09e6fff53d6496d170aaa9bc88bd39e17c8e5c13ee9066935b089ab0312635ef  Name:Dragon of Angnor  Color:Khaki
Number:5  FolderName:e5254dec4c7d10c15e16b41994ca3cf0c5e2b2a56c9d4dc2ef053eeff24333ff  Name:Brother Maynard  Color:Crimson
Number:6  FolderName:7d643931f34d73776e9169551798e1c4ca3b4c37b730143e88171292dbe99264  Name:Sir Bedevere  Color:Teal
Number:7  FolderName:754ee87063ee108c1f939cd3a28980a03b700f3c3967df8058831edad2743fd7  Name:Sir Robin  Color:Red
Number:8  FolderName:b5f502d32c018d6b2ee6a61f30306f9b46dad823ba503eea5b403951209fd59b  Name:Zoot  Color:Tan
Number:9  FolderName:81f28623cca429f9914e21790722d0351737f8ad3e823619a4f7019be72e2195  Name:Squire Concorde  Color:Periwinkle
Number:10  FolderName:76531a907cdecf03c8ac404d91cbcabd438a226161e621fab103a920600372a8  Name:Green Knight  Color:Green
Number:11  FolderName:6b4e128697aa0459a6caba2088f6f77efaaf29d407ec6b58939c9bc7814688ad  Name:Trojan Rabbit  Color:Beige
Number:12  FolderName:bfefc1bdf8b980a525f58da1550b56daa67bae66b56e49b993fff139faa1472c  Name:Chicken of Bristol  Color:Mint
Number:13  FolderName:1c5d28d6564aed0316526e8bb2d79a436b45530d2493967c8083fea2b2e518ce  Name:Roger the Shrubber  Color:Tomato
Number:14  FolderName:f9621328166de01de73b4044edb9030b3ad3d5dbc61c0b79e26f177e9123d184  Name:Bridge Keeper  Color:Indigo
Number:15  FolderName:58da659c7d1c5a0c3447cb97cd6ffb12027c734bfba32de8b9b362475fe92fae  Name:Sir Gawain  Color:Azure
Number:16  FolderName:9a31bad171ad7e8009fba41193d339271fc51f992b8d574c501cae1bfa6c3fe2  Name:Legendary Black Beast of Argh  Color:Silver
Number:17  FolderName:49fb821d2bf6d6841ac7cf5005a6f18c4c76f417ac8a53d9e6b48154b5aa1e76  Name:A Famous Historian  Color:Pink
Number:18  FolderName:fd8bf3c084c5dd42159f9654475f5861add943905d0ad1d3672f39e014757470  Name:Sir Lancelot  Color:Blue
Number:19  FolderName:a435765bcd8745561460979b270878a3e7c729fae46d9e878f4c2d42e5096a44  Name:Lady of the Lake  Color:Gold
Number:20  FolderName:cd27ad9a438a7eef05f5b5d99e2454225693e63aba29ce8553800fed23575040  Name:Rabbit of Caerbannog  Color:Salmon
Number:21  FolderName:8e11477e79016a17e5cde00abc06523856a7db9104c0234803d30a81c50d2b71  Name:Sir Not-Appearing-in-this-Film  Color:Transparent
Number:22  FolderName:e1a9333f9eccfeae42acec6ac459b9025fe6097c065ffeefe5210867e1e2317d  Name:Prince Herbert  Color:Wheat
Number:23  FolderName:e6c2557dc0ff4173baee856cbc5641d5b19706ddb4368556fcdb046f36efd2e2  Name:King Arthur  Color:Purple
Number:24  FolderName:fadf53f0ae11908b89dffc3123e662d31176b0bb047182bfec51845d1e81beb9  Name:Inspector End Of Film  Color:Gray
Number:25  FolderName:303dfd1f7447a80322cc8a8677941da7116fbf0cea56e7d36a4f563c6f22e867  Name:Sir Ector  Color:Bisque
Number:26  FolderName:f2ebdc667cbafc2725421d3c02babc957da2370fbd019a9e1993d8b0409f86dd  Name:Squire Patsy  Color:Chartreuse
Number:27  FolderName:2b363180ec5d5862b2a348db3069b51d79d4e7a277d5cf5e4afe2a54fc04730e  Name:Dennis the Peasant  Color:Orchid
Number:28  FolderName:25e171d6ac47c26159b26cd192a90d5d37e733eb16e68d3579df364908db30f2  Name:Dinky  Color:Turquoise
Number:29  FolderName:cfd7ddb31ce44bb24b373645876ac7ea372da1f3f31758f2321cc8f5b29884fb  Name:Black Knight  Color:Black
Number:30  FolderName:a2de31788db95838a986271665b958ac888d78559aa07e55d2a98fc3baecf6e6  Name:Sir Gallahad  Color:Yellow

最后我们计算出所有的子文件夹中layers.tar的sha256并恢复hexdecimal.json

import hashlib
for i in range(1, 33, 1):
    for j in range(len(data)):
        if data[j][2] == i:
            path = r'D:\CTF\Flare-On8_Challenges\03_antioch\{}'.format(getKey(data[j][0]))
            path += r'\layer.tar'
            fp = open(path, 'rb')
            print(hashlib.sha256(fp.read()).hexdigest().lower())
56ad9094e91589a0c4468a7e584f98f95eb0cdb95d77c1ed3567dc0f310079fa
20614930b565c3c2526921cf31e702c2da876e6a25761e568c3a6475b1964506
c65f4e1496510df94490300b02159b21f00d742cc8080d53db4f08cd3089ff4d
9ec175233e561a2ad8bceb988d8a186abd7562222b32a8487d3cf457b9970930
c68fa7e94d0a47345da92520fd4e27fde95ca5f231db6f435b8c9cbade1b9efb
f2ebda36a3271ce1edbfda092bc053163b904f7f93c84f907d4791cb0f4b8af9
8cc63febc37c500f301c624c1c82657900b19a6ea20284a2dddebc00acfc4aab
f54e81fa7589480b984daf7b11b57a5fe30c6335da59f0e0f0245e858f70aea7
8a59833db6f59a805955912151a3403e8390b5889608da3073095035afe80221
4dcdbaa3c03c9d6d127109bc686a6ceddec745836e93fb7727bb1789ef51ea6e
86125e99d06c9cbb8f25aaf9e70f9729844dc65f32d0b9efba91e61867488a6a
c28906f9ed037116d6ff53ca7b5d3eb78a4547390e39d8d82e37c26b65d9ce55
c416773ee5440f99882839de8d06eee55cb8536d1bbb75a81288532a5bc8dd70
64f92abbf678e56017f1b670b6fc78cf239a949f703fba98883cf758690cf102
e944a08386b83919946593148a10b6b8275569629641e33c34c030470ffdfc32
9c55cbc3e9f23e18005595de7f3039a0007d13b327048fdf02e6c9dff6bf8de2
61c178892d09a1a7e50123811ceb2a2d860ce901a786aa260ddfa09735e88e91
970169c0464c5aa6c46a82e115a85e7831240c9458f18821f0825c8552052e76
12cb667eaf12d800ed7ff08f79dc80079f6fb4559cb42bc51b8826daaf6b5a59
3748143bbc2992faddca264a8aca13125149922bf24496d6feffc11ee3f2639c
2627f896e6d693720980dd7eec1b4bd3dfa7bc81c16fcd5c5a5f2a07d9044011
021c7ef7074b770c5aff7315e43ac0cc4c310c27fef2bb36f01ec38ad4c1a7b4
2fdfbdaf3fcbdd173c30e17b38d600747f1502b833966b3c9b2732e8f86a89de
ee93546f18b55ff3eb1af34a4e07bdb0a2e80b23d1fa8be14342510de2fbe107
6a176544c667df500bcb8bacb610bc36d3cdf77d34e72824aaa351331ddc5478
14df0f30dcb29e09bfdf2b4d0333e41fb706986b0f9c6f7ffa0024771738fd61
3e89196663df29d2cbf04edd731ab51f7f47aeb285f432e572400bf5cca38dad
51bb2a6f30c9b9223ce724504ac1bed187f4d19891d7a5371c3e2d1d66618d60
937f0b798dcf7876f6553c8c8b06eddef39f0f8595597fd649ab3bcce3a3a64e
308b197bb7085ec2dc8889914b184ffc185469512e36b45e8a61dc59b8b386da

a13ffcf46cf41480e7f15c7f3c6b862b799bbe61e7d5909150d8a43bd3b6c039.json文件恢复后

{"architecture":"amd64","config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/AntiochOS"],"Image":"sha256:72081c09b8504bda08787ba6ea0c5059e74464398cb92685b3c86a26230b8a1f","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"5a7d890eaf80df63166dedb6c0f0afaa26894ba10dd647671da887cfe2ce4349","container_config":{"Hostname":"5a7d890eaf80","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ","CMD [\"/AntiochOS\"]"],"Image":"sha256:72081c09b8504bda08787ba6ea0c5059e74464398cb92685b3c86a26230b8a1f","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":{}},"created":"2021-07-23T03:21:55.959771124Z","docker_version":"20.10.2","history":[{"created":"2021-07-23T03:21:55.793483339Z","created_by":"/bin/sh -c #(nop) ADD file:fae1674275a5cc9b0c04ef177df65aebeaf796b0ba7c94ac2bd35120306411d4 in / "},{"created":"2021-07-23T03:21:55.959771124Z","created_by":"/bin/sh -c #(nop)  CMD [\"/AntiochOS\"]","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:d26c760acd6e75540d4ab7a33245a75a5506daa7998819f97918a39632a15497", "sha256:56ad9094e91589a0c4468a7e584f98f95eb0cdb95d77c1ed3567dc0f310079fa","sha256:20614930b565c3c2526921cf31e702c2da876e6a25761e568c3a6475b1964506","sha256:c65f4e1496510df94490300b02159b21f00d742cc8080d53db4f08cd3089ff4d","sha256:9ec175233e561a2ad8bceb988d8a186abd7562222b32a8487d3cf457b9970930","sha256:c68fa7e94d0a47345da92520fd4e27fde95ca5f231db6f435b8c9cbade1b9efb","sha256:f2ebda36a3271ce1edbfda092bc053163b904f7f93c84f907d4791cb0f4b8af9","sha256:8cc63febc37c500f301c624c1c82657900b19a6ea20284a2dddebc00acfc4aab","sha256:f54e81fa7589480b984daf7b11b57a5fe30c6335da59f0e0f0245e858f70aea7","sha256:8a59833db6f59a805955912151a3403e8390b5889608da3073095035afe80221","sha256:4dcdbaa3c03c9d6d127109bc686a6ceddec745836e93fb7727bb1789ef51ea6e","sha256:86125e99d06c9cbb8f25aaf9e70f9729844dc65f32d0b9efba91e61867488a6a","sha256:c28906f9ed037116d6ff53ca7b5d3eb78a4547390e39d8d82e37c26b65d9ce55","sha256:c416773ee5440f99882839de8d06eee55cb8536d1bbb75a81288532a5bc8dd70","sha256:64f92abbf678e56017f1b670b6fc78cf239a949f703fba98883cf758690cf102","sha256:e944a08386b83919946593148a10b6b8275569629641e33c34c030470ffdfc32","sha256:9c55cbc3e9f23e18005595de7f3039a0007d13b327048fdf02e6c9dff6bf8de2","sha256:61c178892d09a1a7e50123811ceb2a2d860ce901a786aa260ddfa09735e88e91","sha256:970169c0464c5aa6c46a82e115a85e7831240c9458f18821f0825c8552052e76","sha256:12cb667eaf12d800ed7ff08f79dc80079f6fb4559cb42bc51b8826daaf6b5a59","sha256:3748143bbc2992faddca264a8aca13125149922bf24496d6feffc11ee3f2639c","sha256:2627f896e6d693720980dd7eec1b4bd3dfa7bc81c16fcd5c5a5f2a07d9044011","sha256:021c7ef7074b770c5aff7315e43ac0cc4c310c27fef2bb36f01ec38ad4c1a7b4","sha256:2fdfbdaf3fcbdd173c30e17b38d600747f1502b833966b3c9b2732e8f86a89de","sha256:ee93546f18b55ff3eb1af34a4e07bdb0a2e80b23d1fa8be14342510de2fbe107","sha256:6a176544c667df500bcb8bacb610bc36d3cdf77d34e72824aaa351331ddc5478","sha256:14df0f30dcb29e09bfdf2b4d0333e41fb706986b0f9c6f7ffa0024771738fd61","sha256:3e89196663df29d2cbf04edd731ab51f7f47aeb285f432e572400bf5cca38dad","sha256:51bb2a6f30c9b9223ce724504ac1bed187f4d19891d7a5371c3e2d1d66618d60","sha256:937f0b798dcf7876f6553c8c8b06eddef39f0f8595597fd649ab3bcce3a3a64e","sha256:308b197bb7085ec2dc8889914b184ffc185469512e36b45e8a61dc59b8b386da"]
}}

manifest.json文件恢复后

[{"Config":"a13ffcf46cf41480e7f15c7f3c6b862b799bbe61e7d5909150d8a43bd3b6c039.json","RepoTags":["antioch:latest"],"Layers":["7016b68f19aed3bb67ac4bf310defd3f7e0f7dd3ce544177c506d795f0b2acf3/layer.tar", "b75ea3e81881c5d36261f64d467c7eb87cd694c85dd15df946601330f36763a4/layer.tar", "ea12384be264c32ec1db0986247a8d4b2231bf017742313c01b05a7e431d9c26/layer.tar", "4c33f90f25ea2ab1352efb77794ecc424883181cf8e6644946255738ac9f5dbd/layer.tar", "09e6fff53d6496d170aaa9bc88bd39e17c8e5c13ee9066935b089ab0312635ef/layer.tar", "e5254dec4c7d10c15e16b41994ca3cf0c5e2b2a56c9d4dc2ef053eeff24333ff/layer.tar", "7d643931f34d73776e9169551798e1c4ca3b4c37b730143e88171292dbe99264/layer.tar", "754ee87063ee108c1f939cd3a28980a03b700f3c3967df8058831edad2743fd7/layer.tar", "b5f502d32c018d6b2ee6a61f30306f9b46dad823ba503eea5b403951209fd59b/layer.tar", "81f28623cca429f9914e21790722d0351737f8ad3e823619a4f7019be72e2195/layer.tar", "76531a907cdecf03c8ac404d91cbcabd438a226161e621fab103a920600372a8/layer.tar", "6b4e128697aa0459a6caba2088f6f77efaaf29d407ec6b58939c9bc7814688ad/layer.tar", "bfefc1bdf8b980a525f58da1550b56daa67bae66b56e49b993fff139faa1472c/layer.tar", "1c5d28d6564aed0316526e8bb2d79a436b45530d2493967c8083fea2b2e518ce/layer.tar", "f9621328166de01de73b4044edb9030b3ad3d5dbc61c0b79e26f177e9123d184/layer.tar", "58da659c7d1c5a0c3447cb97cd6ffb12027c734bfba32de8b9b362475fe92fae/layer.tar", "9a31bad171ad7e8009fba41193d339271fc51f992b8d574c501cae1bfa6c3fe2/layer.tar", "49fb821d2bf6d6841ac7cf5005a6f18c4c76f417ac8a53d9e6b48154b5aa1e76/layer.tar", "fd8bf3c084c5dd42159f9654475f5861add943905d0ad1d3672f39e014757470/layer.tar", "a435765bcd8745561460979b270878a3e7c729fae46d9e878f4c2d42e5096a44/layer.tar", "cd27ad9a438a7eef05f5b5d99e2454225693e63aba29ce8553800fed23575040/layer.tar", "8e11477e79016a17e5cde00abc06523856a7db9104c0234803d30a81c50d2b71/layer.tar", "e1a9333f9eccfeae42acec6ac459b9025fe6097c065ffeefe5210867e1e2317d/layer.tar", "e6c2557dc0ff4173baee856cbc5641d5b19706ddb4368556fcdb046f36efd2e2/layer.tar", "fadf53f0ae11908b89dffc3123e662d31176b0bb047182bfec51845d1e81beb9/layer.tar", "303dfd1f7447a80322cc8a8677941da7116fbf0cea56e7d36a4f563c6f22e867/layer.tar", "f2ebdc667cbafc2725421d3c02babc957da2370fbd019a9e1993d8b0409f86dd/layer.tar", "2b363180ec5d5862b2a348db3069b51d79d4e7a277d5cf5e4afe2a54fc04730e/layer.tar", "25e171d6ac47c26159b26cd192a90d5d37e733eb16e68d3579df364908db30f2/layer.tar", "cfd7ddb31ce44bb24b373645876ac7ea372da1f3f31758f2321cc8f5b29884fb/layer.tar", "a2de31788db95838a986271665b958ac888d78559aa07e55d2a98fc3baecf6e6/layer.tar"]}]

打包为.tar并重新docker load

最后重新run一下docker并执行consult得到我们的flag

sudo docker run -it --rm --name antioch_test 4a9eb913c7c5
AntiochOS, version 1.32 (build 1975)
Type help for help
> consult
Consult the Book of Armaments!
...............
...............
...............
...............
...............
...............
...............
...............
...............
....______.....
...|..____|....
...|.|__.......
...|..__|......
...|.|.........
...|_|.........
...............
...............
...._..........
...(_).........
...._..........
...|.|.........
...|.|.........
...|_|.........
...............
...............
...............
...............
...__...__.....
...\.\././.....
....\.V./......
.....\_/.......
...............
...............
...............
...............
.....___.......
..../._.\......
...|..__/......
....\___|......
...............
...............
...............
...............
....______.....
...|______|....
...............
...............
...............
...............
...._____......
...|_..._|.....
.....|.|.......
.....|.|.......
...._|.|_......
...|_____|.....
...............
...............
...............
...............
....___........
.../.__|.......
...\__.\.......
...|___/.......
...............
...............
...............
...............
....______.....
...|______|....
...............
...............
...............
...............
...._____......
...|..__.\.....
...|.|__).|....
...|.._../.....
...|.|.\.\.....
...|_|..\_\....
...............
...............
...._..........
...(_).........
...._..........
...|.|.........
...|.|.........
...|_|.........
...............
...............
...............
...............
.....__._......
..../._`.|.....
...|.(_|.|.....
....\__,.|.....
.....__/.|.....
....|___/......
...._..........
...|.|.........
...|.|__.......
...|.'_.\......
...|.|.|.|.....
...|_|.|_|.....
...............
...............
...._..........
...|.|.........
...|.|_........
...|.__|.......
...|.|_........
....\__|.......
...............
...............
...............
...............
....______.....
...|______|....
...............
...............
...............
...............
.....____......
..../.__.\.....
...|.|..|.|....
...|.|..|.|....
...|.|__|.|....
....\____/.....
...............
...............
...............
...............
...._..._......
...|.|.|.|.....
...|.|_|.|.....
....\__,_|.....
...............
...............
...._..........
...|.|.........
...|.|_........
...|.__|.......
...|.|_........
....\__|.......
...............
...............
...............
......____.....
...../.__.\....
...././._`.|...
...|.|.(_|.|...
....\.\__,_|...
.....\____/....
...............
.....__........
..../._|.......
...|.|_........
...|.._|.......
...|.|.........
...|_|.........
...............
...............
...._..........
...|.|.........
...|.|.........
...|.|.........
...|.|.........
...|_|.........
...............
...............
...............
...............
.....__._......
..../._`.|.....
...|.(_|.|.....
....\__,_|.....
...............
...............
...............
...............
...._.__.......
...|.'__|......
...|.|.........
...|_|.........
...............
...............
...............
...............
.....___.......
..../._.\......
...|..__/......
....\___|......
...............
...............
...............
...............
....______.....
...|______|....
...............
...............
...............
...............
...............
...............
.....___.......
..../._.\......
...|.(_).|.....
....\___/......
...............
...............
...............
...............
...._.__.......
...|.'_.\......
...|.|.|.|.....
...|_|.|_|.....
...............
...............
...............
...............
...............
...............
...._..........
...(_).........
...............
...............
...............
...............
.....___.......
..../.__|......
...|.(__.......
....\___|......
...............
...............
...............
...............
.....___.......
..../._.\......
...|.(_).|.....
....\___/......
...............
...............
...............
...............
...._.__.___...
...|.'_.`._.\..
...|.|.|.|.|.|.
...|_|.|_|.|_|.
...............
...............
...............
...............
...............
...............
...............
...............
...............

flag:Five-Is-Right-Out@flare-on.com


一沙一世界,一花一天堂。君掌盛无边,刹那成永恒。