BashCraft

Level

medium

Type

Forensics

Sometimes files appear identical, yet they hold subtle differences beneath the surface. Sometimes what we observe seems one thing, but in reality, it tells a different story. It’s a simple question, but uncovering the answer takes running multiple commands. So, as always — what’s the flag?

Unzip home.zip and Navigate to Desktop folder, Changes directory to Desktop.

unzip home.zip

ls home 
KaliSim

cd home/KaliSim/

ls     
Desktop    Downloads  Pictures  Templates
Documents  Music      Public    Videos

cd Desktop

List all files, including hidden ones, Lists all files and directories with details. a shows hidden files, l gives long listing.

ls -al

drwxrwxr-x 10 semopurple semopurple  4096 May 15 20:55 .
drwxrwxr-x  3 semopurple semopurple  4096 May 15 21:19 ..
drwxrwxr-x  4 semopurple semopurple  4096 May 15 20:25 Desktop
drwxrwxr-x  5 semopurple semopurple  4096 May 15 20:03 Documents
drwxrwxr-x  5 semopurple semopurple  4096 May 15 20:03 Downloads
drwxrwxr-x  4 semopurple semopurple  4096 May 15 20:03 Music
drwxrwxr-x  5 semopurple semopurple  4096 May 15 20:03 Pictures
drwxrwxr-x  3 semopurple semopurple  4096 May 15 20:03 Public
drwxrwxr-x  3 semopurple semopurple  4096 May 15 20:03 Templates
drwxrwxr-x  4 semopurple semopurple  4096 May 15 20:03 Videos
-rw-rw-r--  1 semopurple semopurple 41885 May 15 21:10 .zsh_history

View contents of the hidden file, Displays the contents of .hidd3n.txt, which contains a clue about a saved hash.

cat .hidd3n.txt

SectionOne: You find the initial section to begin the search? As you can see, I have many files, but one of them is very important. I forgot its name and all details. I only remember that I once saved its hash value somewhere on my device, but I forgot where. Please help me retrieve the content of that file.

Move back one directory, Navigates up one level from the current directory.

cd ../

List sizes of all files and directories recursively, Recursively lists all files and folders with their sizes.

ls -alR

...
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 4M8GBIyU.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 4mEzc8Tc.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 53IjVsFm.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 5eEaLYrd.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 6357P0uJ.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 6I1EgxJJ.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 7UuVQtxU.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 8PvBGxdl.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 AIgzhrDX.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 bbbJtW0x.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 biUDBAtj.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 BOFyO4XF.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 CCYVYRHv.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 Cllr3Dz9.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 Ctefnj6M.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 dZLjxEBu.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 eF2F6RWU.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 EMT1wm2A.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 eXKHnaXJ.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 fIOFvAOV.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 FrSpnZ5R.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 Gbs1wOHR.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 gpMUTSCW.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 gzQd3nNr.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 H51p0pvG.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 ha1TcvaK.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 hewLuMeg.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 I0MKaHql.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 IGclUD08.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 KI2XAb0e.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 L5zvQz3R.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 LPWUiy0V.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 MkORj1oT.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 mTxuRDzc.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 nNrW8Ihe.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 oFBOkOn1.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 pR7Oe9lu.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 Q6xQKUKE.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 qE3SICqy.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 Rg5dHWKk.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 tBlOhV6N.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 U12jIeZI.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 UvTi3Yz0.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 V1l1V3p7.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 VNrNBGfh.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 vsj24KZB.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 wjMVaC4h.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 WP8Oy3Wa.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 WpCVTagg.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 wx1KY1ZS.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 X3ply31h.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 x7R88IFV.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 xwjGghY9.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 YjcoT5rM.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 YYOB54iU.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 yYqVDWZV.txt
-rw-rw-r-- 1 semopurple semopurple  100 May 15 20:03 ZaVZWXzu.txt

Find files greater than 100 bytes, Finds all files (type f) larger than 100 bytes (+100c) in current and subdirectories.

find . -type f -size +100c

./KaliSim/Desktop/.hidd3n.txt
./KaliSim/Downloads/pxpJNzpW/Ebb4Wmu8.txt
./KaliSim/.zsh_history

Read the content of the identified .txt file, Displays the content, which appears to be a SHA-256 hash.

cat Downloads/pxpJNzpW/Ebb4Wmu8.txt

...
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}
zzlTEcOTXZuvIWUmuuBLNW4NwBrJLWCaw3sYNDeBOq07T9hEpaYNeb0DLrTG1wFJlXDsF21QtX{29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db}

(Hash string noted) 29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db is likely a SHA-256 hash, 64 hex characters (32 bytes).
Search for a file matching the SHA-256 hash, Computes sha256sum of all files and searches for a match with grep.

find . -type f -exec sha256sum {} + | grep 29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db

29a93a0b0684d3eeeb85942d29f0fa6ec84456b689329391fbe66c7774f726db  ./Music/zGFJYNpB/2jpKQMfq.txt

View the contents of the matching file, Displays encoded content that looks like Base64.

cat Music/zGFJYNpB/2jpKQMfq.txt

WVVDVEZ7TDBuR19UM3h0X0wwMDAwbkdfTDBuR19UM3h0X0wwbkdfIFNlY3Rpb25Ud286IFNvbWV0aW1lcywgc2l6ZSBtYXR0ZXJz

Decode the Base64 string, Decodes Base64 content to reveal the first part of the flag.

echo "WVVDVEZ7TDBuR19UM3h0X0wwMDAwbkdfTDBuR19UM3h0X0wwbkdfIFNlY3Rpb25Ud286IFNvbWV0aW1lcywgc2l6ZSBtYXR0ZXJz" | base64 -d

YUCTF{L0nG_T3xt_L0000nG_L0nG_T3xt_L0nG_ SectionTwo: Sometimes, size matters

Check terminal command history, Opens .zsh_history in Sublime Text to review previous commands.

subl .zsh_history

ls
cd ../
cd Videos
mkdir TestFolder
cd ../../
touch TestFile.txt
pwd
rm -rf OldFolder
cp TestFile.txt BackupFile.txt
mv BackupFile.txt Archive/
cat TestFile.txt
echo "Hello World" > Greetings.txt
head -n 5 TestFile.txt
tail -n 10 Logs.log
mkdir Projects
cd Projects
touch README.md
nano README.md
chmod 755 Scripts
./Scripts/run.sh
find . -name "*.log"
grep "error" system.log
tar -czvf archive.tar.gz Documents/
unzip files.zip -d extracted/
df -h
free -m
ps aux | grep ssh
kill -9 1234
history | tail -20
du -sh *
ln -s /usr/bin/python3 python
curl http://example.com
wget https://example.com/file.zip
chmod +x script.sh
./script.sh
date
uptime
whoami
env
export PATH=$PATH:/opt/custom/bin
mount /dev/sdb1 /mnt/usb
umount /mnt/usb
systemctl status apache2
journalctl -xe



















...

As see we have lot's of commands but if we go down so much we can see we have more content, so we will combine then in one section:

...

-[------->+<]>.
-[->++++<]>.+[-
---->+<]>.----.
--.+.++++++++++
++.[---->+<]>++
+.[->+++<]>++.+
++.--[--->+<]>-
.-[--->++<]>--.
-------.--[--->
+<]>---.-------
-------.-[--->+
<]>-.---[->++++
<]>.-----.[--->
+<]>-----.+[---

...

-->+<]>+.+.++++
+.-----------.-
-----.++.--[---
>+<]>-.---[->++
++<]>-.----.--.
--------.[--->+
<]>---.--------
---.++++.------
--.[--->+<]>---
-.-[++>---<]>+.
------------.--

...

-[->++++<]>-.--
--.[--->+<]>---
--.-[--->++<]>-
-.---.+++++++++
++++.----------
---.-[---->+<]>.
--[->+++++<]>.+[
---->+<]>+++.[->
+++<]>+.-[->+++<
]>.+[->+++<]>++.
+++++++++.------
----.[----->+++<
]>--.[-->+<]>+++

...

.++++[->++<]>.--
[-->+++<]>.-----
.[-->+<]>+..++++
[->++<]>.-------
--------.++[->++
+<]>.>-[--->+<]>
-.>-[----->+<]>.
+[--->++<]>.----
.+[->+++<]>.++++
++++++.+++++++++
+.++[->+++<]>.++
[->+++<]>.[->+++
<]>-.+.-----..[-
->+<]>+.++++[->+
+<]>.[--->+<]>++
+.

echo "-[------->+<]>.-[->++++<]>.+[----->+<]>.----.--.+.++++++++++++.[---->+<]>+++.[->+++<]>++.+++.--[--->+<]>-.-[--->++<]>--.-------.--[--->+<]>---.--------------.-[--->+<]>-.---[->++++<]>.-----.[--->+<]>-----.+[----->+<]>+.+.+++++.-----------.------.++.--[--->+<]>-.---[->++++<]>-.----.--.--------.[--->+<]>---.-----------.++++.--------.[--->+<]>----.-[++>---<]>+.------------.---[->++++<]>-.----.[--->+<]>-----.-[--->++<]>--.---.+++++++++
++++.-------------.-[---->+<]>.--[->+++++<]>.+[---->+<]>+++.[->+++<]>+.-[->+++<]>.+[->+++<]>++.+++++++++.----------.[----->+++<]>--.[-->+<]>+++.++++[->++<]>.--[-->+++<]>.-----.[-->+<]>+..++++[->++<]>.---------------.++[->+++<]>.>-[--->+<]>-.>-[----->+<]>.+[--->++<]>.----.+[->+++<]>.++++++++++.++++++++++.++[->+++<]>.++[->+++<]>.[->+++<]>-.+.-----..[-->+<]>+.++++[->++<]>.[--->+<]>+++."

We have brainfuck code so we will decode it by going to:
dCode_fr Brainfuck
This is the result of the decode:

I might be hard to notice sometimes, so here a end: Hid33n_#T3xt_is_#hidd3n}

We can now combine the flag and get it
Flag: YUCTF{L0nG_T3xt_L0000nG_L0nG_T3xt_L0nG_Hid33n_#T3xt_is_#hidd3n}