Ever opened a CTF challenge and stared at a file named /etc/resolv.conf.backup2, wondering if the prize is hidden somewhere inside? You’re not alone. The moment you see “backup2” you know the author tried to be sneaky, but most of the time the trick is right under your nose.
So how do you actually pull the flag out of that seemingly innocent backup? Let’s walk through the whole process, from “what even is this file?” to “here’s the exact command that gets the flag every time.”
What Is /etc/resolv.conf.backup2
On a typical Linux box, /etc/resolv.conf holds DNS resolver settings—nameserver IPs, search domains, that sort of thing. It’s the file the system consults whenever you type a hostname.
If you see a sibling called resolv.conf.backup2, it’s usually a copy the system or an admin made before tinkering with DNS.
- It lives in a predictable location (/etc/), so you don’t need to hunt around.
- It’s a plain‑text file, meaning you can read it without special tools.
- The creator sometimes stuffs the flag inside a comment or a malformed line, hoping you’ll overlook it.
In practice the file looks something like this:
```
# This is a backup of the original resolv.conf
# flag{dNS_1s_4lw4ys_5h0w1ng}
nameserver 8.8.8.8
search example.com
```
Notice the flag is just sitting in a comment. That’s the classic “same technique” the challenge description hints at: treat the backup like any other text file and extract the hidden string.
Why It Matters / Why People Care
You might wonder why anyone would waste time on a file that’s essentially a copy of a DNS config. The answer is simple: CTF points and real‑world relevance.
- Points – In jeopardy‑style competitions, every flag is a point. The easier the flag, the faster you can rack up a lead. A backup file is a low‑effort win.
- Skill building – Knowing where to look for hidden data teaches you to think like an attacker. In penetration testing, the same mindset helps you spot mis‑configured files, leftover credentials, or hidden scripts.
- Defense – If you ever manage a Linux server, you’ll appreciate why leaving backup files lying around is a bad idea. They’re a perfect “dumpster‑diving” target for anyone who gains limited access.
So the technique isn’t just a CTF trick; it’s a reminder to clean up after yourself.
How It Works (or How to Do It)
Below is the step‑by‑step method that works on almost any Linux‑based challenge. I’ll break it into bite‑size chunks, each with a short explanation and the exact command you can copy‑paste.
1. Locate the File
First, make sure the file actually exists. In a CTF, you often start with a shell that has limited privileges, so you need to check the directory.
```bash
ls -l /etc/resolv.conf.backup2
```
If you see something like `-rw-r--r-- 1 root root 123 Jan 01 2023 /etc/resolv.conf.backup2`, you’re good to go. If the file isn’t at that exact path, list every resolv.conf variant under /etc:
```bash
find /etc -type f -name "resolv.conf*"
```
2. Peek Inside
The file is plain text, so cat or less works fine. Use head if it’s huge and you just want the first few lines.
```bash
head -n 20 /etc/resolv.conf.backup2
```
Look for anything that looks like a flag—usually a string wrapped in curly braces, e.g., flag{...}. If nothing jumps out, move to the next step.
3. Grep for the Flag Pattern
Most CTF flags follow a predictable pattern: a word like flag or ctf followed by curly braces. A quick grep will pull it out.
```bash
grep -Eo 'flag\{[^}]+\}' /etc/resolv.conf.backup2
```
Explanation:
- `-E` enables extended regex.
- `-o` prints only the matching part.
- `flag\{[^}]+\}` matches `flag{`, then any characters except `}`, up to the closing brace.
If the flag uses a different prefix, replace flag with the appropriate word (e.g., ctf).
4. Check for Base64 or Hex Encodings
Sometimes the flag isn’t in plain sight; it’s been encoded to make it less obvious. Look for long strings of letters and numbers.
```bash
# ={0,2} instead of a bare = so that unpadded base64 blobs are not missed
grep -Eo '[A-Za-z0-9+/]{20,}={0,2}' /etc/resolv.conf.backup2
```
If you find something, try decoding:
```bash
echo "bXlTZWNyZXRGbGFn" | base64 -d
```
Replace the string with whatever you captured. If you get garbage, try hex:
```bash
echo "7365637265745f666c6167" | xxd -r -p
```
5. Use strings for Binary‑ish Content
In rare cases the backup may contain binary data (maybe a leftover from a corrupted editor). strings pulls printable sequences.
```bash
strings /etc/resolv.conf.backup2 | grep -i 'flag'
```
6. Automate the Whole Hunt
If you’re in a hurry, wrap everything in a one‑liner:
```bash
{ cat /etc/resolv.conf.backup2; grep -Eo 'flag\{[^}]+\}' /etc/resolv.conf.backup2; strings /etc/resolv.conf.backup2 | grep -i 'flag'; } | grep -Eo 'flag\{[^}]+\}'
```
That command prints any flag it finds, no matter where it hides.
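The checks from steps 2 to 4 collapsed into one reusable shell function, added here as an illustration rather than taken from the post. It first builds a constructed sample backup (every flag value is made up), then recovers flags that are plain, split by a stray carriage return, or base64‑encoded; it assumes `mktemp` and `base64` are available.

```shell
#!/usr/bin/env bash
# Added example (not the post's script): one function that applies the
# plain-text, carriage-return and base64 checks from steps 2-4 to a file.
# The sample backup it scans is constructed here; every flag value is made up.

# make_sample: write a fake resolv.conf backup to a temp file and print its path.
make_sample() {
    local f
    f=$(mktemp)
    printf '# This is a backup of the original resolv.conf\n' > "$f"
    printf '# flag{pl41n_c0mm3nt}\n' >> "$f"                          # plain comment
    printf '# note: flag{cr_\rl1ne}\n' >> "$f"                        # split by a stray \r
    printf '# %s\n' "$(printf 'flag{b64_h1dd3n}' | base64)" >> "$f"  # base64 blob
    printf 'nameserver 8.8.8.8\nsearch example.com\n' >> "$f"
    printf '%s\n' "$f"
}

# hunt_flags FILE: print every flag{...} recoverable from FILE, one per line,
# deduplicated. Returns 1 if the file cannot be read (check the mode first).
hunt_flags() {
    local file=$1
    [ -r "$file" ] || { echo "not readable: $file" >&2; return 1; }
    {
        # steps 2/3: strip Windows line endings, then pattern-match the raw text
        tr -d '\r' < "$file" | grep -Eo 'flag\{[^}]+\}' || true
        # step 4: decode long base64 runs, keep only decodes that contain a flag;
        # ={0,2} also accepts unpadded blobs that a bare '=' pattern would miss
        grep -Eo '[A-Za-z0-9+/]{20,}={0,2}' "$file" | while read -r blob; do
            printf '%s' "$blob" | base64 -d 2>/dev/null | tr -d '\r' \
                | grep -Eo 'flag\{[^}]+\}' || true
        done
    } | sort -u
}

# stand-alone demo: build the sample, scan it, clean up
sample=$(make_sample)
hunt_flags "$sample"
rm -f "$sample"
```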
Common Mistakes / What Most People Get Wrong
Even though the technique is straightforward, beginners trip over a few predictable pitfalls.
- Assuming the file is unreadable – Many think a backup in /etc is owned by root and therefore off‑limits. In most CTF containers the user has read permission on the file; you just need to check the mode first (`ls -l`).
- Skipping the grep step – Skimming with `cat` can be overwhelming, especially if the file is long. A targeted grep saves time and avoids missing the flag in a sea of comments.
- Forgetting about encodings – The flag might be base64‑encoded to look like a random string. If you only search for `flag{...}`, you’ll get nothing.
- Using the wrong regex – A common mistake is forgetting to escape the curly braces, which makes the pattern break. Remember `\{` and `\}`.
- Over‑relying on sed or awk – Those tools are powerful but unnecessary here. A simple `grep` does the job; adding complexity just adds room for error.
Practical Tips / What Actually Works
Here are the nuggets that have saved me (and my teammates) more than a few minutes in live competitions.
- Check permissions first – `stat /etc/resolv.conf.backup2` tells you the exact mode. If you see `-rw-r-----`, you might need `sudo` or look for a world‑readable copy elsewhere.
- Combine grep with tr for hidden whitespace – Some flags are split by invisible characters like `\t` or `\r`. Use: `grep -Eo 'flag\{[^}]+\}' /etc/resolv.conf.backup2 | tr -d '\r'`
- Search for the word “flag” without braces – Occasionally the flag is written as `flag = abc123`. A broader pattern helps: `grep -iE 'flag[^a-zA-Z0-9]*[a-zA-Z0-9_]+' /etc/resolv.conf.backup2`
- Use awk for line numbers – Knowing where the flag lives can be handy for write‑ups: `awk '/flag\{/{print NR, $0}' /etc/resolv.conf.backup2`
- If the file is huge, limit the search – Use `head` or `tail` to focus on the first/last 100 lines; most CTF creators hide the flag near the top.
- Document your command – When you finally submit the flag, the write‑up often asks “how did you find it?” Paste the exact command you used; it shows you understood the technique.
FAQ
Q: What if the file isn’t readable by my user?
A: Look for a world‑readable copy (find / -perm -004 -name resolv.conf.backup2 2>/dev/null). If none exist, you may need to exploit a privilege escalation vulnerability first.
Q: The flag isn’t in the format flag{...}. What now?
A: Check the challenge description for the flag pattern. Common alternatives are CTF{...}, picoCTF{...}, or even just a hex string. Adjust the grep regex accordingly.
Q: I only see a long string of random characters. How can I tell if it’s encoded?
A: Try file on the string (e.g., echo "abcd" | file -). If it says “ASCII text” but looks like base64, decode with base64 -d. For hex, use xxd -r -p.
Q: Could the flag be in a binary part of the backup?
A: Yes, especially if the file was created by a misbehaving editor. Run strings on the file and pipe to grep -i flag.
Q: Is it safe to edit the backup file to make the flag more visible?
A: In a CTF you can, but it’s usually unnecessary. Editing may change timestamps and raise suspicion if the challenge tracks file integrity.
That’s it. Now you’ve got the full toolbox to pull a flag out of /etc/resolv.conf.backup2 using the same technique most seasoned CTF players rely on. Next time you spot a backup file, don’t dismiss it as “just a copy.” Open it, grep for the pattern, decode if needed, and you’ll be adding points before the timer hits zero. Happy hunting!
7️⃣ Automate the hunt – one‑liner for the whole box
When you’re racing against the clock, manually typing each command can cost precious seconds. The following one‑liner does everything you need for a typical resolv.conf‑style backup:
```bash
#!/usr/bin/env bash
# Find the first resolv.conf backup on the box and run every check against it.
TARGET=$(find / -type f -name 'resolv.conf.backup*' 2>/dev/null | head -n1)
[[ -z $TARGET ]] && { echo "No backup found – try a different name."; exit 1; }
echo "Scanning $TARGET …"
{
  echo "=== raw file ==="
  cat "$TARGET"
  echo; echo "=== strings output ==="
  strings "$TARGET"
  echo; echo "=== possible flags (raw) ==="
  grep -Eoi 'flag\{[^}]+\}' "$TARGET"
  echo; echo "=== possible flags (post‑processing) ==="
  # drop stray carriage returns so Windows line endings can't hide a match
  grep -Eoi 'flag\{[^}]+\}' "$TARGET" | tr -d '\r'
  echo; echo "=== base64 candidates ==="
  # ={0,2} tolerates unpadded blobs; each candidate is decoded and checked for "flag"
  grep -Eo '[A-Za-z0-9+/]{20,}={0,2}' "$TARGET" | while read -r b; do
    echo -n "$b -> "
    echo "$b" | base64 -d 2>/dev/null | grep -i 'flag' && echo "✓" || echo "(no flag)"
  done
# the log carries the target name plus a timestamp, so repeated runs never overwrite each other
} | tee "/tmp/flaghunt_$(basename "$TARGET")_$(date +%Y%m%d-%H%M%S).log"
```
Why this works
| Step | What it does | Why it matters |
|---|---|---|
| `find …` | Locates the first file matching the common backup naming scheme. | Saves you from hunting through `ls -R`. |
| `cat` | Dumps the file verbatim. | Gives you a quick visual sanity check. |
| `strings` | Extracts printable sequences from binary blobs. | Catches flags hidden inside non‑text sections. |
| `grep -Eoi` | Pulls out any flag{…} occurrences, case‑insensitive, ignoring surrounding noise. | The most direct way to surface the flag. |
| `tr -d '\r'` | Strips stray carriage returns that sometimes appear in Windows‑style line endings. | Prevents false‑negative matches. |
| Base64 sniffing | Looks for long base64 strings, decodes them on‑the‑fly, and checks for the word “flag”. | Handles the classic “store the flag as base64 to make it harder to eyeball”. |
| `tee` | Saves the entire session to a timestamped log file. | Perfect for write‑ups and for proving you didn’t cheat. |
You can drop this script into any CTF container (chmod +x hunt.sh && ./hunt.sh) and let it do the heavy lifting while you move on to the next challenge.
8️⃣ When the flag is still invisible
Even after the above steps you might end up with a dead end. Here are a few “last‑resort” tactics that have rescued teams in the past.
| Technique | Command snippet | When to use it |
|---|---|---|
| Search for entropy spikes – a high‑entropy region often signals encoded data. | `awk '{print length, $0}' "$TARGET" \| sort -nr` | |
| Check for hidden attributes – extended attributes (xattr) can hide data on modern filesystems. | `getfattr -d "$TARGET"` | The creator used `setfattr` to stash the flag. |
| Inspect the inode directly – sometimes the flag lives in the “deleted” space of the same inode. | `debugfs -R 'stat <inode#>' /dev/sda1` | The file was partially overwritten but the inode still contains remnants. |
| Use a forensic tool – `bulk_extractor` can carve out patterns across the entire disk image. | `bulk_extractor -o outdir /dev/sda1` | You have a full disk image and the flag might be anywhere. |
| Brute‑force common obfuscations – rotate each character by a Caesar shift and grep again. | `cat "$TARGET" \| tr 'A-Za-z' 'N-ZA-Mn-za-m'` | |
If none of these uncover anything, re‑read the challenge description. CTF authors love to hide clues in the story itself—sometimes the flag is simply a password you need to log into a service, not a string hidden in a file.
9️⃣ A quick sanity‑check checklist before you submit
- Exact match – Copy the flag exactly as it appears, including braces and case.
- No trailing whitespace – Use `printf '%s\n' "$FLAG"` to verify.
- Correct flag format – Some platforms expect `CTF{...}` while others accept raw strings.
- Submit once – Most CTF platforms lock a flag after a successful submission; double‑check before hitting “Enter”.
- Document – Add a short note in your write‑up: “Found flag in /etc/resolv.conf.backup2 using `grep -Eoi 'flag\{[^}]+\}'` after stripping carriage returns.”
🎯 Conclusion
Backup files are the low‑hanging fruit of any capture‑the‑flag competition. A file named resolv.conf.backup2 may look innocuous, but with the right combination of search, decode, and forensic tools you can reliably extract a hidden flag.
- Locate the file (`find`, `locate`).
- Inspect its raw contents (`cat`, `hexdump`).
- Extract printable strings (`strings`).
- Pattern‑match for flag syntax (`grep`, `awk`).
- Normalize hidden whitespace (`tr`).
- Decode common encodings (`base64`, `xxd`).
- Automate the process for speed and reproducibility.
Armed with these steps, you’ll turn every stray backup into a point‑earning opportunity rather than a dead end. So the next time you see a file ending in .backup, open it, run the one‑liner, and let the flag surface. Good luck, and may your timers always stay in the green!