Keep Tryin

I’ve decoded enough to know there is a txt file. How do I decode the actual file? I’ve never messed with this type of exfil before and my google searching is instructive, but I am missing something. Anybody have a nudge?

I know it's going to sound simple but I too would like a direction on this.

Still hitting my head on the wall here…

Spoiler Removed - Arrexel

I am also stuck on this challenge. Decoded multiple things, found false positives but the longer assembled part I believe contains the flag I can’t translate to anything that makes sense. If anyone has some hints or a reference to good study material I would greatly appreciate it.

I also need assistance with this one. I prefer the study material, not a hint.

@snowpetrel said:
I am also stuck on this challenge. Decoded multiple things, found false positives but the longer assembled part I believe contains the flag I can’t translate to anything that makes sense. If anyone has some hints or a reference to good study material I would greatly appreciate it.

I’m at exactly the same spot. I could also use some study material.

@snowpetrel said:
I am also stuck on this challenge. Decoded multiple things, found false positives but the longer assembled part I believe contains the flag I can’t translate to anything that makes sense. If anyone has some hints or a reference to good study material I would greatly appreciate it.

I’ve checked about 5 different frameworks that might generate this “weird” traffic but no fingerprint matches the queries in the pcap file. If it is something custom made I don’t have enough clues to solve it.

Hmmmm…

@k4r4koyun said:

@snowpetrel said:
I am also stuck on this challenge. Decoded multiple things, found false positives but the longer assembled part I believe contains the flag I can’t translate to anything that makes sense. If anyone has some hints or a reference to good study material I would greatly appreciate it.

I’ve checked about 5 different frameworks that might generate this “weird” traffic but no fingerprint matches the queries in the pcap file. If it is something custom made I don’t have enough clues to solve it.

Hmmmm…

Shameless bump, now at the last step. Swear on me mum if this is one of those “guess harder” challenges I’m gonna…

Could really use a hint here

I found it! Make sure you know what script the attacker used for this, and modify it. Don't overcomplicate it and try to brute-force stuff like I did.

Circling back after some time off and still hitting a wall. My modification didn't work, so I probably have the wrong script. Can anyone confirm this isn't an obscure script? I'm focused on an old Perl script at the moment.

There is a part that is easy to decode which will indicate whether you got a good script or not. Feel free to send me a PM with the script you use and I will check.

I have found a script that, if you replace a certain symbol with another, I think matches the fingerprint given. The script contains some encryption to produce such a payload; do I need to brute-force the pass with a dictionary? Am I on the right path? Hoping I do not spoil too much…

Hi all,

I need some hints here. :slight_smile: Thanks. Please PM me. Which encoding is this again? I know it’s a replacement cipher, but how do we get there?

Study material: Detecting DNS Tunneling | SANS Institute
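The SANS paper linked above is about spotting DNS tunneling in traffic, so here is a small, added illustration of the kind of heuristics it discusses, written from the defender's side. This is example code, not from the thread, the challenge, or the SANS paper; the log lines are constructed for the demo, the label "exfil-host.test" is a made-up placeholder, and the length, entropy and per-domain thresholds are illustrative assumptions rather than tuned values.

```python
import math
import re
from collections import Counter

# Constructed sample of DNS query log lines (hypothetical, not from any pcap):
# "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A mail.example.com
2024-01-01T10:00:03 10.0.0.7 TXT 6a8f3c2e1b9d4f7a0c5e2d8b1a6f3c9e.exfil-host.test
2024-01-01T10:00:04 10.0.0.7 TXT d3b07384d113edec49eaa6238ad5ff00.exfil-host.test
2024-01-01T10:00:05 10.0.0.7 TXT 9f86d081884c7d659a2feaa0c55ad015.exfil-host.test
2024-01-01T10:00:06 10.0.0.5 A cdn.example.com
"""

# Illustrative thresholds (assumptions, not values from the paper).
LONG_SUBDOMAIN = 30        # characters in the part left of the registered domain
HIGH_ENTROPY = 3.5         # bits per character; max for hex text is 4.0
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}
PER_DOMAIN_THRESHOLD = 3   # flagged queries per registered domain before alerting


def shannon_entropy(s):
    """Bits per character of s; encoded/encrypted labels score close to log2(alphabet)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive registered domain: the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname):
    """Everything left of the registered domain, where tunnelled data would sit."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2])


def score_query(qname, qtype):
    """Return the list of indicators that fire for a single query (empty = benign)."""
    reasons = []
    sub = subdomain_part(qname)
    if len(sub) >= LONG_SUBDOMAIN:
        reasons.append("long-subdomain")
    if shannon_entropy(sub) >= HIGH_ENTROPY:
        reasons.append("high-entropy")
    if qtype in TUNNEL_QTYPES and sub:
        reasons.append("tunnel-friendly-qtype")
    if re.fullmatch(r"[0-9a-f]{16,}", sub.replace(".", "")):
        reasons.append("hex-label")
    return reasons


def parse_line(line):
    ts, client, qtype, qname = line.split(None, 3)
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.strip()}


def analyze(log_text, per_domain_threshold=PER_DOMAIN_THRESHOLD):
    """Flag individual queries and return domains with repeated hits."""
    flagged = []
    per_domain = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = score_query(rec["qname"], rec["qtype"])
        if reasons:
            flagged.append((rec["qname"], reasons))
            per_domain[registered_domain(rec["qname"])] += 1
    suspicious = sorted(d for d, n in per_domain.items() if n >= per_domain_threshold)
    return flagged, suspicious


if __name__ == "__main__":
    hits, domains = analyze(SAMPLE_LOG)
    for qname, why in hits:
        print(f"{qname}: {', '.join(why)}")
    print("domains over threshold:", domains)
```

Each indicator on its own is noisy (CDNs and anti-spam services also emit long, random-looking labels), which is why the aggregation by registered domain matters more than any single query; in practice you would also key on the client and on query volume per time window.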

Thanks charybdis! Always love reading a SANS paper, even if I’m still stuck afterwards :slight_smile: We’ll see.

Can someone please provide me a hint for the decoding of the package? Not the short string, but the long one. I think I know which script is being used, but I’ve no idea how to set it all up or use it, since I’m new to all this stuff. At this point I’ll even learn more from someone just spoiling me than just looking at the package all day and not knowing what to do.

The SANS paper was interesting and helpful, but it didn't provide the answers I'm looking for…

Would be glad if someone could help with this.

I read the SANS paper, tried to find the precedence of the script that generates the requests but still I’m missing how to decode it if anyone can PM me or give a hint…

Very interesting challenge, love it! Thank you @cmaddy