Category: Forensics Points: 150 Description:

A deadly virus is killing bees in Busybee’s village Busybox, India. Unfortuantely, you have to go to the village to fight the infection. Get the flag virus out of the infected files.
Village address:
Created by: Ashish Chaudhary


Let’s unpack our infected.tar and take a look around

drwxr-xr-x  3 dade dade 4096 Jun  4 12:50 2b0fbc0e1ac044737fd881cff8164bb5a2c7bfbf90c40c87de3c3435f2c6a94e
drwxr-xr-x  4 dade dade 4096 Jun  4 12:53 983179bdb58ea980ec1fe7c45f63571d49b140bdd629f234be9c00a6edd8a4a7
drwxr-xr-x 10 dade dade 4096 Jun  4 12:51 d51a083a3b01fe8c58086903595b91fc975de59a9e9ececec755df384a181026
-rw-r--r--  1 dade dade 1344 Jun  3 09:13 eaa21323de5e2cce7078df3af4dd292181114dfc94be761b948657efbe3af26b.json
-rw-r--r--  1 dade dade  373 Dec 31  1969 manifest.json
-rw-r--r--  1 dade dade  106 Dec 31  1969 repositories

The json files don’t really have much interesting in them, looks primarily like data from building the problem. Lets dig in to 2b0fbc0e…

[email protected]:~$ ls -la infected/2b0fbc0e1ac044737fd881cff8164bb5a2c7bfbf90c40c87de3c3435f2c6a94e
-rw-r--r-- 1 dade dade  464 Jun  3 09:13 json
-rw-r--r-- 1 dade dade 1024 Jun  3 09:13 layer.tar
-rw-r--r-- 1 dade dade    3 Jun  3 09:13 VERSION

file layer.tar says “data” and tar xvf layer.tar is unable to get anything. xxd layer.tar shows us that the data is all 0s. Nothing of interest in json or VERSION

Let’s move on to 983179bd…

-rw-r--r-- 1 dade dade     907 Jun  3 09:13 json
-rw-r--r-- 1 dade dade 1035776 Jun  3 09:13 layer.tar
-rw-r--r-- 1 dade dade       3 Jun  3 09:13 VERSION

json and VERSION are probably still not particularly helpful for us, but lets unpack this layer.tar

[email protected]:~/infected/983179bdb58ea980ec1fe7c45f63571d49b140bdd629f234be9c00a6edd8a4a7$ tar xvf layer.tar 

.ash_history looks like a shell history file, let’s see if anything interesting is in there.

[email protected]:~/infected/983179bdb58ea980ec1fe7c45f63571d49b140bdd629f234be9c00a6edd8a4a7$ cat root/.ash_history
not so easy bru - the infections is intense


Hmm. This tarball also had two binaries in it. Let’s see if there is a reason those binaries specifically were included by checking them out with strings. Given the premise of the challenge, that the flag had “infected” files by a “virus”, binaries are a common target to hide in.

[email protected]:~/infected/983179bdb58ea980ec1fe7c45f63571d49b140bdd629f234be9c00a6edd8a4a7$ strings bin/sha1sum 

Well that was easy, the virus flag was in the infected binaries. Just sha256 that string and submit.


This challenge is hosted permanently at Backdoor, so go find the flag yourself!