Fetch The Flag 2023 Finders Keepers

Published: November 4, 2025, updated: November 4, 2025

This is a writeup for the Fetch The Flag 2023 Finders Keepers challenge.

Challenge notes

Patch found a flag! He stored it in his home directory… should be able to keep it?

Solution

This challenge reminded me a lot of the OverTheWire Bandit wargame.

After gaining a foothold on a Linux machine, one of the first things you typically do is look for misconfigured services, applications, and exposed secrets.

On this machine, /usr/bin/find has the set-group-ID (SGID) bit set. See the s in the group part of Access: (2755/-rwxr-sr-x) here:

user@finders-keepers-7688f55750bdad7c-57f4c85fbf-7m6c6:~$ stat /usr/bin/find
  File: /usr/bin/find
  Size: 282088          Blocks: 552        IO Block: 4096   regular file
Device: ffh/255d        Inode: 653095      Links: 1
Access: (2755/-rwxr-sr-x) ...
                    ^
                    set group id bit

... Uid: (    0/    root)   Gid: ( 1001/   patch)
                            ^
                            Set to this group id
Access: 2022-03-23 13:52:12.000000000 +0000
Modify: 2022-03-23 13:52:12.000000000 +0000
Change: 2023-10-27 13:54:12.022668824 +0000
 Birth: 2023-10-27 13:54:12.017668516 +0000

This means that /usr/bin/find runs with the effective group ID of patch, no matter which user starts it. It just so happens that the user patch stores a secret file in their home directory, and the patch group can access this file as well.

I use the /usr/bin/find command together with cat and search for files that belong to patch. Here’s the flag, among other things that find prints:

    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
flag{e4bd38e78379a5a0b29f047b91598add}
[...]
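
For spotting this kind of misconfiguration on your own hosts, here is an added audit example (not part of the original writeup or the challenge). It lists setuid/setgid files and flags those that hand out a regular account's uid or gid, as the SGID find above does with gid 1001. The function names, the ID_MIN threshold of 1000 and the sample rows are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): audit setuid/setgid files.
# Assumptions: GNU find (-perm /6000, -printf) and awk are installed; IDs at or
# above ID_MIN belong to regular accounts (common /etc/login.defs default).
ID_MIN="${ID_MIN:-1000}"

# list_special ROOT...: print "mode uid gid path" for each regular file with
# the setuid (4000) or setgid (2000) bit under the given directories.
list_special() {
    find "$@" -xdev -type f -perm /6000 -printf '%m %U %G %p\n' 2>/dev/null
}

# flag_special: classify list_special rows read from stdin.
#   ALERT  = the bit grants a regular account's uid/gid (as with find above)
#   REVIEW = the bit grants a system uid/gid; compare against your baseline
flag_special() {
    awk -v id_min="$ID_MIN" '
    {
        mode = $1; uid = $2 + 0; gid = $3 + 0
        path = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path)  # keep spaces in path
        # A fourth, leading octal digit carries setuid=4, setgid=2, sticky=1
        special = (length(mode) == 4) ? substr(mode, 1, 1) + 0 : 0
        suid = (special >= 4); sgid = (special % 4 >= 2)
        if (!suid && !sgid) next
        bits = suid ? (sgid ? "SUID+SGID" : "SUID") : "SGID"
        verdict = "REVIEW"
        if ((sgid && gid >= id_min + 0) || (suid && uid >= id_min + 0)) {
            verdict = "ALERT"
        }
        printf "%s %s mode=%s uid=%d gid=%d %s\n", verdict, bits, mode, uid, gid, path
    }'
}

# Constructed sample rows; the first mirrors the stat output shown above.
sample_rows() {
    printf '%s\n' \
        '2755 0 1001 /usr/bin/find' \
        '4755 0 0 /usr/bin/passwd' \
        '2755 0 42 /usr/bin/chage'
}

# Typical use on a host: list_special /usr /bin /sbin /opt | flag_special
```

Removing the bit with chmod g-s on a flagged file, or tightening the permissions of the files its group can read, closes the path this challenge relies on.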
