Can someone please provide me a hint for the decoding of the package? Not the short string, but the long one. I think I know which script is being used, but I’ve no idea how to set it all up or use it, since I’m new to all this stuff. At this point I’ll even learn more from someone just spoiling me than just looking at the package all day and not knowing what to do.
The SANS paper was interesting and helpful, but it didn’t provide the answers I’m looking for…
I read the SANS paper, tried to find the precedence of the script that generates the requests but still I’m missing how to decode it if anyone can PM me or give a hint…
I’m blocked on this one. I’ve been trying several tools, but I didn’t find any that makes sense for the FQDN in the pcap. Can anybody give me a pointer?
I found a walkthrough that provided the flag. I don’t know if you can call it a walkthrough, because the script it had didn’t work for me personally, but I’d like to be able to understand why what I tried didn’t work, and what I was missing. I would appreciate a PM to help me understand why my script wouldn’t run; I’m not that good with python scripts.
As some have said, finding the tool which generated (or receives) these packets is the key to this. If you don’t locate the right tool, you’ll never crack this without a truckload of jammy luck.
After hours of beating my head against a wall, I eventually realised that the combination of “init.” and txt records helped me find what I was looking for.
If you don’t feel like scripting, it is also possible to completely avoid it. It is possible to get the result by playing with the capture file, if you tweak it a little bit.
I found the tool that I think this was sent with, but it requires a password to be set? Do we need to attack this password, or is it included in the other packets, or am I barking up the wrong tree?
General tip:
How could I write a base64 in a domain? Mmh, maybe I could modify something.
Here are some big tips (read only if you are in difficulty):
Study how infections via DNS work.
Basically you have to modify the second string (the first is useful only to let you think about the future) to force it to be a base64, because you can’t set a fully qualified base64 as a domain, since some characters are forbidden.
Once it’s a base64, use it as input to an encryption algorithm and decrypt that using a key that you must find by yourself.
The output will be something nice, but it isn’t the flag.
This challenge needs some knowledge of other challenges like crypto or stego.
Imho it’s very hard
@Heichou said:
…
Once it’s a base64, use it as input to an encryption algorithm and decrypt that using a key that you must find by yourself.
The output will be something nice, but it isn’t the flag.
This was a pain to code for binary instead of strings. @Heichou, thanks for the tip. I hit a wall and you bring me light.
What a great challenge! I ironically found the tool required after solving it. Initially gave up trying to find the tool and ended up watching a few DNS exfiltration videos on youtube which showed a few of the common encoding techniques used. I then used CyberChef with two recipes, tweaking a few of the characters to comply with base64 first, then piped that into the second one, which gave something obvious (and magical). Happy to give some nudges.
Understanding what the allowed characters are in both base64 and a domain name will help.
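The two hints above (Heichou’s "force the string to be a base64" and the post about tweaking characters in CyberChef) both come down to one step: DNS labels cannot carry `+`, `/` or `=`, so tools that tunnel data through query names substitute a DNS-safe alphabet and drop the padding, and an analyst has to reverse that before decoding. The script below is an added example, not code from the thread or from any particular exfiltration tool: it reassembles data labels from a list of query names, maps the DNS-safe alphabet back to standard base64, restores padding and decodes. The query names, the `<sequence>.<chunk>.<base domain>` layout and the base domain `c2.example.invalid` are constructed assumptions for the demonstration, not the challenge’s traffic; the `-`/`_` substitution is the common URL-safe variant, and a real capture may use a different alphabet or a different label layout, which is exactly what you would confirm from the tool’s documentation before adapting this.

```python
import base64

# Assumed base domain for the constructed sample (not from the challenge pcap).
BASE_DOMAIN = "c2.example.invalid"

# Constructed sample query names, as you might export them from a capture.
# Assumed layout: <sequence>.<data chunk>.<base domain>. Unrelated names are mixed in
# and one chunk is listed out of order on purpose.
SAMPLE_QUERIES = [
    "www.example.com",                  # unrelated traffic, must be ignored
    "1.j4-Pz8_Pg.c2.example.invalid",   # second chunk, seen first
    "0.b2shP.c2.example.invalid",       # first chunk
]


def extract_chunks(queries, base_domain=BASE_DOMAIN):
    """Return the data chunks for one base domain, ordered by sequence label."""
    suffix = "." + base_domain.lower()
    chunks = {}
    for name in queries:
        # DNS names are case-insensitive in matching, but the data labels keep
        # their case, so only lower-case the suffix comparison.
        if not name.lower().endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        if len(labels) < 2 or not labels[0].isdigit():
            continue
        seq = int(labels[0])
        # A chunk may be split over several labels to respect the 63-byte limit.
        chunks[seq] = "".join(labels[1:])
    return [chunks[k] for k in sorted(chunks)]


def dns_safe_to_base64(text):
    """Map the DNS-safe alphabet back to standard base64 and restore padding."""
    fixed = text.replace("-", "+").replace("_", "/")
    fixed += "=" * (-len(fixed) % 4)   # base64 length must be a multiple of 4
    return fixed


def decode_queries(queries, base_domain=BASE_DOMAIN):
    """Reassemble and decode the tunnelled bytes; validate=True rejects stray characters."""
    joined = "".join(extract_chunks(queries, base_domain))
    return base64.b64decode(dns_safe_to_base64(joined), validate=True)


if __name__ == "__main__":
    # The decoded bytes are the input to the next stage (decryption with the key
    # the thread says you must find yourself); they are not the flag.
    print(decode_queries(SAMPLE_QUERIES))
```

On the challenge data the decoded output is still ciphertext, so treat this as the first of two stages. The `validate=True` flag is deliberate: if it raises, some character in the reassembled string was not mapped, which usually means the tool uses a different substitution than `-`/`_` and the mapping table needs adjusting rather than the data.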
If you don’t feel like scripting, it is also possible to completely avoid it. It is possible to get the result by playing with the capture file, if you tweak it a little bit.
I second this - there is an easier way to accomplish this, no script needed.