Ever opened a CTF challenge and stared at a file named /etc/resolv.conf.backup2 wondering if the prize is hidden somewhere inside? You’re not alone.
The moment you see “backup2” you know the author tried to be sneaky, but most of the time the trick is right under your nose.
So how do you actually pull the flag out of that seemingly innocent backup? Let’s walk through the whole process, from “what even is this file?” to “here’s the exact command that gets the flag every time.”
What Is /etc/resolv.conf.backup2
On a typical Linux box, /etc/resolv.conf holds DNS resolver settings: nameserver IPs, search domains, that sort of thing. It’s the file the system consults whenever you type a hostname.
When you see a sibling called resolv.conf.backup2, it’s usually a copy the system or an admin made before tinkering with DNS.
- It lives in a predictable location (/etc/), so you don’t need to hunt around.
- It’s a plain‑text file, meaning you can read it without special tools.
- The creator sometimes stuffs the flag inside a comment or a malformed line, hoping you’ll overlook it.
In practice the file looks something like this:
# This is a backup of the original resolv.conf
# flag{dNS_1s_4lw4ys_5h0w1ng}
nameserver 8.8.8.8
search example.com
Notice the flag is just sitting in a comment. That’s the classic “same technique” the challenge description hints at: treat the backup like any other text file and extract the hidden string.
Why It Matters / Why People Care
You might wonder why anyone would waste time on a file that’s essentially a copy of a DNS config. The answer is simple: CTF points and real‑world relevance.
- Points – In jeopardy‑style competitions, every flag is a point. The easier the flag, the faster you can rack up a lead. A backup file is a low‑effort win.
- Skill building – Knowing where to look for hidden data teaches you to think like an attacker. In penetration testing, the same mindset helps you spot mis‑configured files, leftover credentials, or hidden scripts.
- Defense – If you ever manage a Linux server, you’ll appreciate why leaving backup files lying around is a bad idea. They’re a perfect “dumpster‑diving” target for anyone who gains limited access.
So the technique isn’t just a CTF trick; it’s a reminder to clean up after yourself.
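The defensive side of that reminder, as an added example that is not code from the original post: a small audit script that walks a directory tree, lists every world‑readable file whose name follows a common backup convention, and strips the “other” read bit from each one. The sample tree, its file names and the function names are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): the defender's side of the
# "Defense" point above. It audits a directory tree for world-readable files
# whose names follow common backup conventions and can strip the "other" read
# bit from them. The sample tree is constructed under mktemp for this example.

# audit_backup_files DIR -> one path per line for every world-readable backup-style file
audit_backup_files() {
    # -perm -004: the "other" read bit is set, so any local account can read the file
    find "$1" -type f \( -name '*.bak' -o -name '*.backup*' -o -name '*.orig' \
        -o -name '*.old' -o -name '*~' \) -perm -004 -print
}

# count_backup_files DIR -> number of findings (0 means the tree is clean)
count_backup_files() {
    audit_backup_files "$1" | wc -l | tr -d ' '
}

# lock_down_backup_files DIR -> removes world-read from each finding and reports it
lock_down_backup_files() {
    audit_backup_files "$1" | while IFS= read -r f; do
        chmod o-r "$f"
        printf 'locked down: %s\n' "$f"
    done
}

# build_sample_tree -> path of a constructed tree that mimics a small server:
# two exposed backups, one already-private backup, one real config file
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/home/dev"
    printf 'nameserver 8.8.8.8\nsearch example.com\n' > "$root/etc/resolv.conf"
    printf '# backup before DNS change\nnameserver 8.8.8.8\n' > "$root/etc/resolv.conf.backup2"
    printf "db_pass='constructed-sample'\n" > "$root/home/dev/config.php.bak"
    printf 'scratch notes\n' > "$root/home/dev/notes.txt~"
    chmod 644 "$root/etc/resolv.conf" "$root/etc/resolv.conf.backup2" "$root/home/dev/config.php.bak"
    chmod 600 "$root/home/dev/notes.txt~"   # already private: must not be reported
    printf '%s\n' "$root"
}

# Demo: audit, fix, audit again.
root=$(build_sample_tree)
echo "before: $(count_backup_files "$root") exposed backup file(s)"
lock_down_backup_files "$root"
echo "after:  $(count_backup_files "$root") exposed backup file(s)"
rm -rf "$root"
```

On a real server you would point `audit_backup_files` at `/etc`, `/var/www` or a home directory and review the list before locking anything down; the name patterns are a starting point, not an exhaustive list.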
How It Works (or How to Do It)
Below is the step‑by‑step method that works on almost any Linux‑based challenge. I’ll break it into bite‑size chunks, each with a short explanation and the exact command you can copy‑paste.
1. Locate the File
First, make sure the file actually exists. In a CTF, you often start with a shell that has limited privileges, so you need to check the directory.
ls -l /etc/resolv.conf.backup2
If you see something like -rw-r--r-- 1 root root 123 Jan 01 2023 /etc/resolv.conf.backup2, you’re good to go. If the exact name is missing, list every resolv.conf variant under /etc instead:
find /etc -type f -name "resolv.conf*"
2. Peek Inside
The file is plain text, so cat or less works fine. Use head if it’s huge and you just want the first few lines.
head -n 20 /etc/resolv.conf.backup2
Look for anything that looks like a flag, usually a string wrapped in curly braces, e.g. flag{...}. If nothing jumps out, move to the next step.
3. Grep for the Flag Pattern
Most CTF flags follow a predictable pattern: a word like flag or ctf followed by curly braces. A quick grep will pull it out.
grep -Eo 'flag\{[^}]+\}' /etc/resolv.conf.backup2
Explanation:
- `-E` enables extended regex.
- `-o` prints only the matching part.
- `flag\{[^}]+\}` matches `flag{`, then any characters except `}`, until the closing brace.
If the flag uses a different prefix, replace flag with the appropriate word (e.g., ctf).
4. Check for Base64 or Hex Encodings
Sometimes the flag isn’t in plain sight; it’s been encoded to make it less obvious. Look for long strings of letters and numbers.
grep -Eo '[A-Za-z0-9+/]{20,}={0,2}' /etc/resolv.conf.backup2
If you find something, try decoding:
echo "bXlTZWNyZXRGbGFn" | base64 -d
Replace the string with whatever you captured. If you get garbage, try hex:
echo "7365637265745f666c6167" | xxd -r -p
5. Use strings for Binary‑ish Content
In rare cases the backup may contain binary data (maybe a leftover from a corrupted editor). strings pulls printable sequences.
strings /etc/resolv.conf.backup2 | grep -i 'flag'
6. Automate the Whole Hunt
If you’re in a hurry, wrap everything in a one‑liner:
{ cat /etc/resolv.conf.backup2; strings /etc/resolv.conf.backup2; } | grep -Eo 'flag\{[^}]+\}' | sort -u
That command prints any flag it finds, no matter where it hides.
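Steps 2 to 5 above, folded into one function as an added example (not code from the original post): it greps the file for a flag pattern, then finds base64 and hex candidates, decodes them without relying on xxd, and greps the decoded bytes too. The sample file, the planted flag values and the helper names (`hunt_flags`, `hex_decode`, `printable`, `make_sample`) are constructed for this example; only `flag{dNS_1s_4lw4ys_5h0w1ng}` comes from the post.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): steps 2-5 above folded into
# one function. It greps for a flag pattern, then decodes base64 and hex
# candidates and greps the decoded bytes too. The sample file, the helper
# names and the planted flag values are all constructed for this example.

# Broader than flag{...}: also matches CTF{...}, picoCTF{...} and friends.
FLAG_RE='[A-Za-z0-9_]+\{[^{}]+\}'

# hex_decode HEXSTRING -> raw bytes, using only POSIX printf (no xxd needed)
hex_decode() {
    hex=$1
    while [ -n "$hex" ]; do
        byte=$(printf '%s' "$hex" | cut -c1-2)
        hex=$(printf '%s' "$hex" | cut -c3-)
        # turn "66" into "\146" and let printf emit the byte
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# printable: stdin with every non-printable byte replaced by a newline,
# a dependency-free stand-in for `strings` so flags inside binary junk still surface
printable() {
    tr -c '[:print:]\n' '\n'
}

# hunt_flags FILE -> each distinct flag found, one per line (plain, base64 or hex)
hunt_flags() {
    file=$1
    {
        # steps 2/3: plain text, including comments
        printable < "$file" | grep -Eo "$FLAG_RE" || true
        # step 4a: base64 candidates (20+ base64 chars, optional padding)
        grep -Eo '[A-Za-z0-9+/]{20,}={0,2}' "$file" | while IFS= read -r b; do
            printf '%s' "$b" | base64 -d 2>/dev/null | printable | grep -Eo "$FLAG_RE" || true
        done
        # step 4b: hex candidates (16+ hex digits, even length)
        grep -Eo '([0-9a-fA-F]{2}){8,}' "$file" | while IFS= read -r h; do
            hex_decode "$h" | printable | grep -Eo "$FLAG_RE" || true
        done
    } | tr -d '\r' | sort -u
}

# make_sample -> path of a constructed backup file with three planted flags:
# one in a comment, one base64-encoded, one hex-encoded
make_sample() {
    f=$(mktemp)
    b64=$(printf 'flag{b64_h1dd3n}' | base64)
    hex=$(printf 'flag{h3x_h1dd3n}' | od -An -tx1 | tr -d ' \n')
    {
        echo '# This is a backup of the original resolv.conf'
        echo '# flag{dNS_1s_4lw4ys_5h0w1ng}'
        echo 'nameserver 8.8.8.8'
        echo 'search example.com'
        echo "# token=$b64"
        echo "# id=$hex"
    } > "$f"
    printf '%s\n' "$f"
}

# Demo run on the constructed sample: prints the three planted flags.
sample=$(make_sample)
hunt_flags "$sample"
rm -f "$sample"
```

Every grep in the pipeline carries `|| true` so a candidate that decodes to nothing useful does not abort the run, and the decoded bytes go through `printable` first so a flag embedded in binary garbage still matches.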
Common Mistakes / What Most People Get Wrong
Even though the technique is straightforward, beginners trip over a few predictable pitfalls.
- Assuming the file is unreadable – Many think a backup in /etc is owned by root and therefore off‑limits. In most CTF containers the user has read permission on the file; you just need to check the mode first (ls -l).
- Skipping the grep step – Skimming with cat can be overwhelming, especially if the file is long. A targeted grep saves time and avoids missing the flag in a sea of comments.
- Forgetting about encodings – The flag might be base64‑encoded to look like a random string. If you only search for flag{...}, you’ll get nothing.
- Using the wrong regex – A common mistake is forgetting to escape the curly braces, which makes the pattern break. Remember `\{` and `\}`.
- Over‑relying on sed or awk – Those tools are powerful but unnecessary here. A simple grep does the job; adding complexity just adds room for error.
Practical Tips / What Actually Works
Here are the nuggets that have saved me (and my teammates) more than a few minutes in live competitions.
- Check permissions first – `stat /etc/resolv.conf.backup2` tells you the exact mode. If you see `-rw-r-----`, you might need to `sudo` or look for a world‑readable copy elsewhere.
- Combine `grep` with `tr` for hidden whitespace – Some flags are split by invisible characters like `\t` or `\r`. Use: `grep -Eo 'flag\{[^}]+\}' /etc/resolv.conf.backup2 | tr -d '\r'`
- Search for the word “flag” without braces – Occasionally the flag is written as `flag = abc123`. A broader pattern helps: `grep -iE 'flag[^a-zA-Z0-9]*[a-zA-Z0-9_]+' /etc/resolv.conf.backup2`
- Take advantage of `awk` for line numbers – Knowing where the flag lives can be handy for write‑ups: `awk '/flag\{/{print NR, $0}' /etc/resolv.conf.backup2`
- If the file is huge, limit the search – Use `head` or `tail` to focus on the first/last 100 lines; most CTF creators hide the flag near the top.
- Document your command – When you finally submit the flag, the write‑up often asks “how did you find it?” Paste the exact command you used; it shows you understood the technique.
FAQ
Q: What if the file isn’t readable by my user?
A: Look for a world‑readable copy (find / -perm -004 -name resolv.conf.backup2 2>/dev/null). If none exist, you may need to exploit a privilege escalation vulnerability first.
Q: The flag isn’t in the format flag{...}. What now?
A: Check the challenge description for the flag pattern. Common alternatives are CTF{...}, picoCTF{...}, or even just a hex string. Adjust the grep regex accordingly.
Q: I only see a long string of random characters. How can I tell if it’s encoded?
A: Try file on the string (e.g., echo "abcd" | file -). If it says “ASCII text” but looks like base64, decode with base64 -d. For hex, use xxd -r -p.
Q: Could the flag be in a binary part of the backup?
A: Yes, especially if the file was created by a misbehaving editor. Run strings on the file and pipe to grep -i flag.
Q: Is it safe to edit the backup file to make the flag more visible?
A: In a CTF you can, but it’s usually unnecessary. Editing may change timestamps and raise suspicion if the challenge tracks file integrity.
That’s it. You’ve got the full toolbox to pull a flag out of /etc/resolv.conf.backup2 using the same technique most seasoned CTF players rely on. Next time you spot a backup file, don’t dismiss it as “just a copy.” Open it, grep for the pattern, decode if needed, and you’ll be adding points before the timer hits zero. Happy hunting!
7️⃣ Automate the hunt – one‑liner for the whole box
When you’re racing against the clock, manually typing each command can cost precious seconds. The following one‑liner does everything you need for a typical resolv.conf‑style backup:
#!/usr/bin/env bash
TARGET=$(find / -type f -name 'resolv.conf.backup*' 2>/dev/null | head -n1)
[[ -z $TARGET ]] && { echo "No backup found – try a different name."; exit 1; }
echo "Scanning $TARGET …"
{
echo "=== raw file ==="
cat "$TARGET"
echo; echo "=== strings output ==="
strings "$TARGET"
echo; echo "=== possible flags (raw) ==="
grep -Eoi 'flag\{[^}]+\}' "$TARGET"
echo; echo "=== possible flags (post‑processing) ==="
grep -Eoi 'flag\{[^}]+\}' "$TARGET" | tr -d '\r'
echo; echo "=== base64 candidates ==="
grep -Eo '[A-Za-z0-9+/]{20,}={0,2}' "$TARGET" | while read -r b; do
printf '%s -> ' "$b"
echo "$b" | base64 -d 2>/dev/null | grep -i 'flag' && echo "✓" || echo "(no flag)"
done
} | tee /tmp/flaghunt_$(basename "$TARGET").log
Why this works
| Step | What it does | Why it matters |
|---|---|---|
| find … | Locates the first file matching the common backup naming scheme. | Saves you from hunting through ls -R. |
| cat | Dumps the file verbatim. | Gives you a quick visual sanity check. |
| strings | Extracts printable sequences from binary blobs. | Catches flags hidden inside non‑text sections. |
| grep -Eoi | Pulls out any flag{…} occurrences, case‑insensitive, ignoring surrounding noise. | The most direct way to surface the flag. |
| tr -d '\r' | Strips stray carriage returns that sometimes appear in Windows‑style line endings. | Prevents false‑negative matches. |
| Base64 sniffing | Looks for long base64 strings, decodes them on the fly, and checks for the word “flag”. | Handles the classic “store the flag as base64 to make it harder to eyeball”. |
| tee | Saves the entire session to a log file under /tmp named after the target. | Perfect for write‑ups and for proving you didn’t cheat. |
You can drop this script into any CTF container (chmod +x hunt.sh && ./hunt.sh) and let it do the heavy lifting while you move on to the next challenge.
8️⃣ When the flag is still invisible
Even after the above steps you might end up with a dead end. Here are a few “last‑resort” tactics that have rescued teams in the past.
| Technique | Command snippet | When to use it |
|---|---|---|
| Search for entropy spikes | `awk '{print length, $0}' "$TARGET" \| sort -nr` | A high‑entropy region often signals encoded data; long, dense lines are the first candidates. |
| Check for hidden attributes – extended attributes (xattr) can hide data on modern filesystems. | `getfattr -d "$TARGET"` | The creator used setfattr to stash the flag. |
| Inspect the inode directly – sometimes the flag lives in the “deleted” space of the same inode. | `debugfs -R 'stat <inode#>' /dev/sda1` | The file was partially overwritten but the inode still contains remnants. |
| Apply a forensic tool – bulk_extractor can carve out patterns across the entire disk image. | `bulk_extractor -o outdir /dev/sda1` | You have a full disk image and the flag might be anywhere. |
| Brute‑force common obfuscations (ROT13) | `cat "$TARGET" \| tr 'A-Za-z' 'N-ZA-Mn-za-m' \| grep -i flag` | The text looks like letters but reads as gibberish: rotate each character by a Caesar shift and grep again. |
If none of these uncover anything, re‑read the challenge description. CTF authors love to hide clues in the story itself; sometimes the flag is simply a password you need to log into a service, not a string hidden in a file.
9️⃣ A quick sanity‑check checklist before you submit
- Exact match – Copy the flag exactly as it appears, including braces and case.
- No trailing whitespace – Use `printf '%s\n' "$FLAG"` to verify.
- Correct flag format – Some platforms expect `CTF{...}` while others accept raw strings.
- Submit once – Most CTF platforms lock a flag after a successful submission; double‑check before hitting “Enter”.
- Document – Add a short note in your write‑up: “Found flag in `/etc/resolv.conf.backup2` using `grep -Eoi 'flag\{[^}]+\}'` after stripping carriage returns.”
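The first three checklist items as runnable functions, an added example that is not code from the original post: `normalize_flag` strips carriage returns, newlines and surrounding blanks, `check_flag_format` confirms the value is exactly `PREFIX{...}` and nothing else, and `precheck_flag` chains the two. The function names and the sample values are this example’s own.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): the checklist above as
# functions you can run on a captured flag before submitting it. The function
# names are this example's own.

# normalize_flag RAW -> RAW with carriage returns, newlines and surrounding blanks removed
normalize_flag() {
    flag=$(printf '%s' "$1" | tr -d '\r\n')
    printf '%s\n' "$flag" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# check_flag_format FLAG [PREFIX] -> 0 if FLAG is exactly PREFIX{...} with nothing around it
check_flag_format() {
    prefix=${2:-flag}
    printf '%s\n' "$1" | grep -Eq "^${prefix}\{[^{}[:space:]]+\}\$"
}

# precheck_flag RAW [PREFIX] -> prints the cleaned flag and returns 0,
# or explains the problem on stderr and returns 1
precheck_flag() {
    clean=$(normalize_flag "$1")
    [ "$clean" = "$1" ] || echo "note: stripped whitespace/CR from the captured value" >&2
    if check_flag_format "$clean" "${2:-flag}"; then
        printf '%s\n' "$clean"
    else
        echo "rejected: '$clean' does not look like ${2:-flag}{...}" >&2
        return 1
    fi
}

# Demo on a value pasted with a trailing space and a stray CR (constructed).
precheck_flag "$(printf 'flag{dNS_1s_4lw4ys_5h0w1ng} \r')"
```

Pass the platform’s prefix as the second argument (`precheck_flag "$FLAG" CTF`) when the challenge uses a format other than `flag{...}`; a rejected value is a sign to look again at the capture rather than to submit and burn an attempt.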
🎯 Conclusion
Backup files are the low‑hanging fruit of any capture‑the‑flag competition. A file named resolv.conf.backup2 may look innocuous, but with the right combination of search, decode, and forensic tools you can reliably extract a hidden flag.
- Locate the file (`find`, `locate`).
- Inspect its raw contents (`cat`, `hexdump`).
- Extract printable strings (`strings`).
- Pattern‑match for flag syntax (`grep`, `awk`).
- Normalize hidden whitespace (`tr`).
- Decode common encodings (`base64`, `xxd`).
- Automate the process for speed and reproducibility.
Armed with these steps, you’ll turn every stray backup into a point‑earning opportunity rather than a dead end. So the next time you see a file ending in .backup, open it, run the one‑liner, and let the flag surface. Good luck, and may your timers always stay in the green!