Keep Tryin

Would be glad if someone could help with this.

I read the SANS paper and tried to find the precedence of the script that generates the requests, but I’m still missing how to decode it. If anyone can PM me or give a hint…

Very interesting challenge, love it! Thank you @cmaddy

I’m blocked on this one. I’ve been trying several tools, but I didn’t find any that makes sense for the FQDN in the pcap. Can anybody give me a pointer?

I found a walkthrough that provided the flag. I don’t know if you can call it a walkthrough, because the script it had didn’t work for me personally, but I’d like to be able to understand why what I tried didn’t work and what I was missing. I would appreciate a PM to help me understand why my script wouldn’t run; I’m not that good with Python scripts.

I am stuck… I can’t find out how to decode the packet…

Well, that was tougher than I expected.

As some have said, finding the tool which generated (or receives) these packets is the key to this. If you don’t locate the right tool, you’ll never crack this without a truckload of jammy luck.

After hours of beating my head against a wall, I eventually realised that the combination of “init.” and TXT records helped me find what I was looking for.

Finally! Had to give it an honest, harder try and tweak a lot of my script. That was quite a challenge.

If you don’t feel like scripting, it is also possible to completely avoid it. It is possible to get the result by playing with the capture file, if you tweak it a little bit.

I found the tool that I think this was sent with, but it requires a password to be set? Do we need to attack this password, or is it included in the other packets, or am I barking up the wrong tree?

Any tips on how to decode the 2nd query?

General tip:
How could I write a base64 in a domain? Mmh, maybe I could modify something.

Here are some big tips (read only if you are in difficulty):
Study how infections via DNS work.
Basically you have to modify the second string (the first is only useful to make you think about the future) to force it to be base64, because you can’t set a fully qualified base64 string as a domain: some characters are forbidden.
Once it’s base64, use it as input to an encryption algorithm and decrypt it using a key that you must find by yourself.
The output will be something nice, but it isn’t the flag.

This challenge needs some knowledge from other challenges like crypto or stego.
Imho it’s very hard.

@Heichou said:

Once it’s base64, use it as input to an encryption algorithm and decrypt it using a key that you must find by yourself.
The output will be something nice, but it isn’t the flag.

This was a pain to code for binary instead of strings.
@Heichou, thanks for the tip. I hit a wall and you brought me light.

@KameB0Y said:

@Heichou said:

Once it’s base64, use it as input to an encryption algorithm and decrypt it using a key that you must find by yourself.
The output will be something nice, but it isn’t the flag.

This was a pain to code for binary instead of strings.
@Heichou, thanks for the tip. I hit a wall and you brought me light.

Glad to help

Solved! This was an amazing challenge, I’ve learned a lot.
The second part required a little effort to arrange “something”, but it was worth it.

If you need some help just PM me :wink:

What a great challenge! I ironically found the tool required after solving it. Initially gave up trying to find the tool and ended up watching a few DNS exfiltration videos on youtube which showed a few of the common encoding techniques used. I then used CyberChef with two recipes, tweaking a few of the characters to comply with base64 first, then piped that into the second one, which gave something obvious (and magical). Happy to give some nudges.

  • Understanding what the allowed characters are in both base64 and a domain name will help.
  • As will the 2nd encoding used.
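A worked example of the base64-in-a-domain-name trick that @Heichou and the post above describe, written for this thread and not taken from the challenge or from any of the tools mentioned. Everything in it is constructed: the zone name `example.com`, the payload, the label length, a leading `init` bookkeeping label, and the assumption that the sender used the URL-safe base64 alphabet (`-` and `_` in place of `+` and `/`, with `=` padding dropped) and then split the blob into labels with dots. The decoder undoes exactly those steps and checks that what is left is valid standard base64 before decoding; the encoder shows how such a name is built so the two can be checked against each other.

```python
import base64
import re

# Constructed sample, not data from the challenge's pcap.
ZONE = "example.com"
SAMPLE_PLAINTEXT = b"\xfb\xff\xbf" + b"hello, dns world!"   # leading bytes force '+' and '/' in base64
SAMPLE_QUERY = "-_-_aGVs.bG8sIGRu.cyB3b3Js.ZCE.example.com"
SAMPLE_QUERY_WITH_INIT = "init." + SAMPLE_QUERY              # assumed bookkeeping label

# Standard base64: alphabet A-Z a-z 0-9 + /, up to two '=' of padding, length a multiple of 4.
# '+', '/' and '=' are not legal in a hostname, which is why exfil tools swap or drop them.
STANDARD_B64 = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def is_standard_base64(s: str) -> bool:
    """True if s could be passed to base64.b64decode(validate=True) unchanged."""
    return len(s) % 4 == 0 and STANDARD_B64.fullmatch(s) is not None


def guess_encoding(label_blob: str) -> str:
    """Heuristic on the joined labels: which textual encoding does the alphabet suggest?"""
    if re.fullmatch(r"[0-9a-fA-F]+", label_blob):
        return "hex"
    if re.fullmatch(r"[A-Z2-7]+", label_blob) or re.fullmatch(r"[a-z2-7]+", label_blob):
        return "base32"
    if "-" in label_blob or "_" in label_blob:
        return "base64url"
    return "base64"


def bytes_to_dns_name(data: bytes, zone: str, label_len: int = 63) -> str:
    """Sender side (assumed layout): urlsafe base64, no padding, split into <=63-byte labels."""
    if not 1 <= label_len <= 63:
        raise ValueError("a DNS label is 1..63 bytes")
    blob = base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")
    labels = [blob[i:i + label_len] for i in range(0, len(blob), label_len)]
    return ".".join(labels + [zone.strip(".")])


def dns_name_to_bytes(fqdn: str, zone: str, skip_labels: int = 0) -> bytes:
    """Receiver side: strip the zone, drop bookkeeping labels, rebuild standard base64, decode."""
    name = fqdn.rstrip(".")
    suffix = "." + zone.strip(".")
    if not name.endswith(suffix):
        raise ValueError(f"{fqdn!r} is not under zone {zone!r}")
    labels = name[: -len(suffix)].split(".")[skip_labels:]
    blob = "".join(labels)                                   # remove the dots the sender inserted
    blob = blob.replace("-", "+").replace("_", "/")          # undo the URL-safe alphabet
    if len(blob) % 4 == 1:
        raise ValueError("length mod 4 == 1 can never be base64; wrong labels or wrong encoding")
    blob += "=" * (-len(blob) % 4)                           # restore the padding that was dropped
    if not is_standard_base64(blob):
        raise ValueError(f"still not standard base64 after normalising: {blob!r}")
    return base64.b64decode(blob, validate=True)


if __name__ == "__main__":
    print(guess_encoding(SAMPLE_QUERY.removesuffix("." + ZONE).replace(".", "")))
    print(dns_name_to_bytes(SAMPLE_QUERY, ZONE))
    print(dns_name_to_bytes(SAMPLE_QUERY_WITH_INIT, ZONE, skip_labels=1))
    print(bytes_to_dns_name(SAMPLE_PLAINTEXT, ZONE, label_len=8) == SAMPLE_QUERY)
```

The bytes that come out are the base64 layer only; as the thread says, a real capture will still be encrypted or otherwise transformed after this step, and whether the first label really is bookkeeping, which alphabet was used, and how many labels to skip are things you read off the tool once you have identified it, not things this example can know.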

@GillesEstJaune said:

If you don’t feel like scripting, it is also possible to completely avoid it. It is possible to get the result by playing with the capture file, if you tweak it a little bit.

I second this - there is an easier way to accomplish this, no script needed.

Fun challenge :slight_smile:

Any chance of a hint on the decoding section please?

Fun challenge, quite tricky to start but google and the hints here help a lot.

My hint: Take your time to understand what is valid base64 and what isn’t.