Ever opened a CTF challenge and stared at a file named /etc/resolv.conf.backup2 wondering if the prize is hidden somewhere inside?
You’re not alone. The moment you see “backup2” you know the author tried to be sneaky, but most of the time the trick is right under your nose.
So how do you actually pull the flag out of that seemingly innocent backup? Let’s walk through the whole process, from “what even is this file?” to “here’s the exact command that gets the flag every time.”
What Is /etc/resolv.conf.backup2
On a typical Linux box, /etc/resolv.conf holds DNS resolver settings: nameserver IPs, search domains, that sort of thing. It’s the file the resolver library consults whenever the system turns a hostname into an address.
The moment you see a sibling called resolv.conf.backup2, it’s usually a copy the system or an admin made before tinkering with DNS.
- It lives in a predictable location (/etc/), so you don’t need to hunt around.
- It’s a plain‑text file, meaning you can read it without special tools.
- The creator sometimes stuffs the flag inside a comment or a malformed line, hoping you’ll overlook it.
In practice the file looks something like this:
# This is a backup of the original resolv.conf
# flag{dNS_1s_4lw4ys_5h0w1ng}
nameserver 8.8.8.8
search example.com
Notice the flag is just sitting in a comment. That’s the whole technique the challenge description hints at: treat the backup like any other text file and extract the hidden string.
Why It Matters / Why People Care
You might wonder why anyone would waste time on a file that’s essentially a copy of a DNS config. The answer is simple: CTF points and real‑world relevance.
- Points – In jeopardy‑style competitions, every flag is a point. The easier the flag, the faster you can rack up a lead. A backup file is a low‑effort win.
- Skill building – Knowing where to look for hidden data teaches you to think like an attacker. In penetration testing, the same mindset helps you spot mis‑configured files, leftover credentials, or hidden scripts.
- Defense – If you ever manage a Linux server, you’ll appreciate why leaving backup files lying around is a bad idea. They’re a perfect “dumpster‑diving” target for anyone who gains limited access.
So the technique isn’t just a CTF trick; it’s a reminder to clean up after yourself.
How It Works (or How to Do It)
Below is the step‑by‑step method that works on almost any Linux‑based challenge. I’ll break it into bite‑size chunks, each with a short explanation and the exact command you can copy‑paste.
1. Locate the File
First, make sure the file actually exists. In a CTF, you often start with a shell that has limited privileges, so check the directory and the file’s permissions before anything else.
ls -l /etc/resolv.conf.backup2
If you see something like -rw-r--r-- 1 root root 123 Jan 01 2023 /etc/resolv.conf.backup2, the file is world‑readable and you’re good to go. If it isn’t there under that exact name, search for siblings:
find /etc -type f -name "resolv.conf*"
2. Peek Inside
The file is plain text, so cat or less works fine. Use head if it’s huge and you just want the first few lines (head takes a filename directly; there’s no need to pipe cat into it).
head -n 20 /etc/resolv.conf.backup2
Look for anything that looks like a flag, usually a string wrapped in curly braces, e.g. flag{...}. If nothing jumps out, move to the next step.
3. Grep for the Flag Pattern
Most CTF flags follow a predictable pattern: a word like flag or ctf followed by curly braces. A quick grep will pull it out.
grep -Eo 'flag\{[^}]+\}' /etc/resolv.conf.backup2
Explanation:
- -E enables extended regex.
- -o prints only the matching part.
- flag\{[^}]+\} matches flag{, then one or more characters that are not }, then the closing brace.
If the flag uses a different prefix, replace flag with the appropriate word (e.g. ctf). Add -i if you don’t know the case.
4. Check for Base64 or Hex Encodings
Sometimes the flag isn’t in plain sight; it’s been encoded to make it less obvious. Look for long runs of base64 characters. Padding (=) is optional in base64, so don’t require it in the pattern or you’ll miss unpadded strings.
grep -Eo '[A-Za-z0-9+/]{20,}={0,2}' /etc/resolv.conf.backup2
If you find something, try decoding (this sample decodes to mySecretFlag):
echo "bXlTZWNyZXRGbGFn" | base64 -d
Replace the string with whatever you captured. If base64 -d complains about invalid input or you get garbage, try hex (this sample decodes to secret_flag):
echo "7365637265745f666c6167" | xxd -r -p
5. Use strings for Binary‑ish Content
In rare cases the backup may contain binary data (maybe a leftover from a corrupted editor). strings pulls out the printable sequences. This matters because if you grep the raw file and grep decides it is binary, it prints “Binary file matches” instead of the matching text; either go through strings or add -a to grep.
strings /etc/resolv.conf.backup2 | grep -i 'flag'
6. Automate the Whole Hunt
If you’re in a hurry, wrap the text and strings passes in a one‑liner:
{ cat /etc/resolv.conf.backup2; strings /etc/resolv.conf.backup2; } | tr -d '\r' | grep -Eoi 'flag\{[^}]+\}' | sort -u
That prints every flag{...}-shaped string in the file, including ones buried in binary sections. It does not decode base64 or hex, so go back to step 4 if it comes back empty.
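Steps 2 through 5 as one self‑contained script. This is an added example, not code from the original write‑up: it builds its own sample file with constructed content (a comment flag with CRLF line endings, a base64‑encoded flag and a hex‑encoded flag) instead of reading the real /etc/resolv.conf.backup2, and it decodes hex with printf so it does not depend on xxd being installed. The function names make_sample, hunt_flags and hex_decode are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): steps 2-5 as one script.
# It builds its own sample file with constructed content rather than reading
# the real /etc/resolv.conf.backup2, and decodes hex with printf so it does
# not depend on xxd. Function names are my own.

# Constructed sample: a plain flag in a comment (CRLF line endings), a
# base64-encoded flag in another comment, and a hex-encoded flag hiding in
# a search domain.
make_sample() {
  f=$(mktemp)
  b64=$(printf 'flag{b64_1n_c0mm3nt}' | base64)                 # ZmxhZ3tiNjRfMW5fYzBtbTNudH0=
  hex=$(printf 'flag{h3x_h0st}' | od -An -tx1 | tr -d ' \n')    # 666c61677b6833785f6830737d
  printf '# This is a backup of the original resolv.conf\r\n' > "$f"
  printf '# flag{dNS_1s_4lw4ys_5h0w1ng}\r\n' >> "$f"
  printf 'nameserver 8.8.8.8\n' >> "$f"
  printf '# ticket ref %s\n' "$b64" >> "$f"
  printf 'search %s.example.com\n' "$hex" >> "$f"
  printf '%s\n' "$f"
}

# Decode a hex string byte by byte using printf's octal escapes (POSIX), so
# no xxd is needed. Only whole byte pairs are consumed; a trailing odd
# nibble is ignored rather than looping forever.
hex_decode() {
  h=$1
  while [ "${#h}" -ge 2 ]; do
    pair=$(printf '%.2s' "$h")
    printf "\\$(printf '%03o' "$((0x$pair))")"
    h=${h#??}
  done
}

# Print every distinct flag{...} in FILE: plain text and strings output
# (carriage returns stripped), then base64 and hex candidates decoded.
# -a keeps grep from replacing a match with "Binary file matches" when the
# decoded bytes look binary.
hunt_flags() {
  file=$1
  {
    { cat "$file"; strings "$file" 2>/dev/null; } | tr -d '\r' | grep -aEoi 'flag\{[^}]+\}'
    # base64: 20+ alphabet characters, padding optional
    grep -aEo '[A-Za-z0-9+/]{20,}={0,2}' "$file" | while read -r b; do
      printf '%s' "$b" | base64 -d 2>/dev/null | tr -d '\000' | grep -aEoi 'flag\{[^}]+\}'
    done
    # hex: an even-length run of at least 16 hex digits
    grep -aEo '([0-9a-fA-F]{2}){8,}' "$file" | while read -r hx; do
      hex_decode "$hx" | grep -aEoi 'flag\{[^}]+\}'
    done
  } | LC_ALL=C sort -u
}

# Run on the path given as the first argument, or on the constructed sample.
if [ -n "${1:-}" ]; then
  hunt_flags "$1"
else
  sample=$(make_sample)
  hunt_flags "$sample"
  rm -f "$sample"
fi
```

Run it as ./hunt.sh /etc/resolv.conf.backup2 on a real box; with no argument it runs against the constructed sample and prints all three planted flags. The hex candidate also matches the base64 pattern (hex digits are a subset of the base64 alphabet), which is why each decoder filters its output through the flag regex instead of printing everything it decodes.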
Common Mistakes / What Most People Get Wrong
Even though the technique is straightforward, beginners trip over a few predictable pitfalls.
- Assuming the file is unreadable – Many think a backup in /etc is owned by root and therefore off‑limits. In most CTF containers the user has read permission on the file; you just need to check the mode first (ls -l).
- Skipping the grep step – Skimming with cat can be overwhelming, especially if the file is long. A targeted grep saves time and avoids missing the flag in a sea of comments.
- Forgetting about encodings – The flag might be base64‑encoded to look like a random string. If you only search for flag{...}, you’ll get nothing.
- Using the wrong regex – With grep -E an unescaped { starts an interval quantifier, so the pattern breaks. Escape the braces (\{ and \}) to match them literally.
- Over‑relying on sed or awk – Those tools are powerful but unnecessary here. A simple grep does the job; adding complexity just adds room for error.
Practical Tips / What Actually Works
Here are the nuggets that have saved me (and my teammates) more than a few minutes in live competitions.
- Check permissions first – stat /etc/resolv.conf.backup2 tells you the exact mode. If you see -rw-r-----, you might need sudo or a world‑readable copy elsewhere.
- Combine grep with tr for hidden whitespace – Some flags are split by invisible characters like \t or \r. Use: grep -Eo 'flag\{[^}]+\}' /etc/resolv.conf.backup2 | tr -d '\r' (extend the set to '\r\t' if tabs are the problem).
- Search for the word “flag” without braces – Occasionally the flag is written as flag = abc123. A broader pattern helps: grep -iE 'flag[^a-zA-Z0-9]*[a-zA-Z0-9_]+' /etc/resolv.conf.backup2
- Use awk for line numbers – Knowing where the flag lives can be handy for write‑ups: awk '/flag\{/{print NR, $0}' /etc/resolv.conf.backup2 (grep -n does the same job).
- If the file is huge, limit the search – Use head or tail to focus on the first/last 100 lines; authors often park the flag near the top, in the comment header.
- Document your command – When you finally submit the flag, the write‑up often asks “how did you find it?” Paste the exact command you used; it shows you understood the technique.
FAQ
Q: What if the file isn’t readable by my user?
A: Look for a world‑readable copy (find / -perm -004 -name resolv.conf.backup2 2>/dev/null). If none exist, you may need to exploit a privilege escalation vulnerability first.
Q: The flag isn’t in the format flag{...}. What now?
A: Check the challenge description for the flag pattern. Common alternatives are CTF{...}, picoCTF{...}, or even just a hex string. Adjust the grep regex accordingly.
Q: I only see a long string of random characters. How can I tell if it’s encoded?
A: file won’t help much here: for a short printable string it just reports “ASCII text” whether or not the content is base64. Decode it and inspect the result instead, e.g. echo "abcd" | base64 -d | file -. If base64 -d complains about invalid input, or the decoded bytes are gibberish, try hex with xxd -r -p.
Q: Could the flag be in a binary part of the backup?
A: Yes, especially if the file was created by a misbehaving editor. Run strings on the file and pipe to grep -i flag.
Q: Is it safe to edit the backup file to make the flag more visible?
A: In a CTF you can, but it’s unnecessary: reading needs no write access, and none of the commands above modify the file. On a shared or scored box, editing changes timestamps and can break a challenge that checks file integrity.
That’s the core technique for pulling a flag out of /etc/resolv.conf.backup2, and it’s the same one most seasoned CTF players rely on: open it, grep for the pattern, decode if needed, and you’ll be adding points before the timer hits zero. Next time you spot a backup file, don’t dismiss it as “just a copy.” The rest of this page covers automating the hunt and what to do when the flag still won’t show.
7️⃣ Automate the hunt – one script for the whole box
When you’re racing against the clock, manually typing each command can cost precious seconds. The following script does everything you need for a typical resolv.conf‑style backup:
#!/usr/bin/env bash
# Find the first resolv.conf backup on the box and dump every view of it
# that might expose a flag, logging the whole session for the write-up.
TARGET=$(find / -type f -name 'resolv.conf.backup*' 2>/dev/null | head -n1)
[[ -z $TARGET ]] && { echo "No backup found – try a different name."; exit 1; }
echo "Scanning $TARGET …"
{
  echo "=== raw file ==="
  cat "$TARGET"
  echo; echo "=== strings output ==="
  strings "$TARGET"
  echo; echo "=== possible flags (raw) ==="
  grep -aEoi 'flag\{[^}]+\}' "$TARGET"
  echo; echo "=== possible flags (carriage returns stripped) ==="
  grep -aEoi 'flag\{[^}]+\}' "$TARGET" | tr -d '\r'
  echo; echo "=== base64 candidates ==="
  # padding is optional, so accept 0-2 trailing '='; only report candidates
  # whose decoded form mentions a flag, otherwise every long token is noise
  grep -aEo '[A-Za-z0-9+/]{20,}={0,2}' "$TARGET" | while read -r b; do
    decoded=$(printf '%s' "$b" | base64 -d 2>/dev/null | tr -d '\000')
    if printf '%s' "$decoded" | grep -qai 'flag'; then
      printf '%s -> %s\n' "$b" "$decoded"
    fi
  done
} | tee "/tmp/flaghunt_$(basename "$TARGET")_$(date +%Y%m%d%H%M%S).log"
Why this works
| Step | What it does | Why it matters |
|---|---|---|
| find … | Locates the first file matching the common backup naming scheme. | Saves you from hunting through ls -R. |
| cat | Dumps the file verbatim. | The raw view is where a flag in a comment is easiest to spot. |
| strings | Extracts printable sequences from binary blobs. | Catches flags hidden inside non‑text sections. |
| grep -aEoi | Pulls out any flag{…} occurrences, case‑insensitive, ignoring surrounding noise (-a stops grep from hiding matches in “binary” files). | Targets the flag pattern instead of eyeballing every line. |
| tr -d '\r' | Strips stray carriage returns that sometimes appear in Windows‑style line endings. | Prevents false‑negative matches. |
| Base64 sniffing | Looks for long base64 strings, decodes them on the fly, and checks for the word “flag”. | Handles the classic “store the flag as base64 to make it harder to eyeball”. |
| tee | Saves the entire session to a timestamped log file. | Perfect for write‑ups and for proving you didn’t cheat. |
You can drop this script into any CTF container (chmod +x hunt.sh && ./hunt.sh) and let it do the heavy lifting while you move on to the next challenge.
8️⃣ When the flag is still invisible
Even after the above steps you might end up with a dead end. Here are a few “last‑resort” tactics that have rescued teams in the past.
| Technique | Command snippet | When to use it |
|---|---|---|
| Sort lines by length – encoded data tends to produce unusually long, dense lines (a crude stand‑in for an entropy check). | awk '{print length, $0}' "$TARGET" \| sort -nr \| head | The file is long and you don’t know which line carries the payload. |
| Check for hidden attributes – extended attributes (xattr) can hide data on modern filesystems. | getfattr -d "$TARGET" | The creator used setfattr to stash the flag. |
| Inspect the inode directly – remnants of an earlier version can survive on disk. Needs root and the raw block device; get the inode number with stat -c %i. | debugfs -R 'stat <inode#>' /dev/sda1 | The file was partially overwritten but the inode still contains remnants. |
| Use a forensic tool – bulk_extractor can carve out patterns across the entire disk image. | bulk_extractor -o outdir /dev/sda1 | You have a full disk image and the flag might be anywhere. |
| Brute‑force common obfuscations – apply ROT13 (the usual Caesar shift) and grep again; try the other shifts if that fails. | tr 'A-Za-z' 'N-ZA-Mn-za-m' < "$TARGET" \| grep -i flag | The file contains word‑shaped gibberish with the braces and digits intact. |
If none of these uncover anything, re‑read the challenge description. CTF authors love to hide clues in the story itself; sometimes the flag is simply a password you need to log into a service, not a string hidden in a file.
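The ROT13 row above generalised to every Caesar shift, as an added example that is not part of the original write‑up. It runs a constructed ciphertext (a flag the hypothetical author shifted by 7) through all 25 shifts and reports the one that exposes a flag{...}; rot and caesar_hunt are my own function names, and the letter rotation is built with cut so it works in plain sh, not just bash.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): the ROT13 trick from the
# table generalised to every Caesar shift. Sample ciphertext is constructed
# here; function names (rot, caesar_hunt) are my own.
UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ
LOWER=abcdefghijklmnopqrstuvwxyz

# rot N: shift letters on stdin forward by N (1-25), leave digits and
# punctuation alone. Built with cut rather than bash substring expansion so
# it runs under a plain POSIX sh.
rot() {
  n=$1
  ua=$(printf '%s' "$UPPER" | cut -c"$((n + 1))"-)
  ub=$(printf '%s' "$UPPER" | cut -c1-"$n")
  la=$(printf '%s' "$LOWER" | cut -c"$((n + 1))"-)
  lb=$(printf '%s' "$LOWER" | cut -c1-"$n")
  tr "$UPPER$LOWER" "$ua$ub$la$lb"
}

# Try every shift on FILE and print "<shift> <flag>" for each one that
# exposes a flag{...}. Digits and braces survive the shift, so leetspeak
# flags still match once the letters line up.
caesar_hunt() {
  file=$1
  n=1
  while [ "$n" -le 25 ]; do
    rot "$n" < "$file" | grep -aEoi 'flag\{[^}]+\}' | while read -r f; do
      printf '%s %s\n' "$n" "$f"
    done
    n=$((n + 1))
  done
}

# Constructed sample: a flag the author hid with a shift of 7; undoing it
# takes a shift of 19 (26 - 7).
sample=$(mktemp)
printf 'nameserver 8.8.8.8\n# %s\n' "$(printf 'flag{c4es4r_sh1ft}' | rot 7)" > "$sample"
caesar_hunt "$sample"        # 19 flag{c4es4r_sh1ft}
rm -f "$sample"
```

Point caesar_hunt at the real backup instead of the sample when you suspect a shifted flag; the reported shift number tells you which rotation the author used (26 minus it).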
9️⃣ A quick sanity‑check checklist before you submit
- Exact match – Copy the flag exactly as it appears, including braces and case.
- No trailing whitespace – printf '%s' "$FLAG" | od -c shows any stray space, tab or \r that would sink the submission.
- Correct flag format – Some platforms expect CTF{...} while others accept raw strings.
- Submit once – Most CTF platforms lock a flag after a successful submission; double‑check before hitting “Enter”.
- Document – Add a short note in your write‑up: “Found flag in /etc/resolv.conf.backup2 using grep -Eoi 'flag\{[^}]+\}' after stripping carriage returns.”
🎯 Conclusion
Backup files are the low‑hanging fruit of any capture‑the‑flag competition. A file named resolv.conf.backup2 may look innocuous, but with the right combination of search, decode, and forensic tools you can reliably extract a hidden flag.
- Locate the file (find, locate).
- Inspect its raw contents (cat, hexdump).
- Extract printable strings (strings).
- Pattern‑match for flag syntax (grep, awk).
- Normalize hidden whitespace (tr).
- Decode common encodings (base64, xxd).
- Automate the process for speed and reproducibility.
Armed with these steps, you’ll turn every stray backup into a point‑earning opportunity rather than a dead end. So the next time you see a file ending in .backup, open it, run the script, and let the flag surface. Good luck, and may your timers always stay in the green!