Keep Tryin

@snowpetrel said:
I am also stuck on this challenge. Decoded multiple things, found false positives but the longer assembled part I believe contains the flag I can’t translate to anything that makes sense. If anyone has some hints or a reference to good study material I would greatly appreciate it.

I’m at exactly the same spot. I could also use some study material.

@snowpetrel said:
I am also stuck on this challenge. Decoded multiple things, found false positives but the longer assembled part I believe contains the flag I can’t translate to anything that makes sense. If anyone has some hints or a reference to good study material I would greatly appreciate it.

I’ve checked about 5 different frameworks that might generate this “weird” traffic but no fingerprint matches the queries in the pcap file. If it is something custom made I don’t have enough clues to solve it.

Hmmmm…

@k4r4koyun said:

@snowpetrel said:
I am also stuck on this challenge. Decoded multiple things, found false positives but the longer assembled part I believe contains the flag I can’t translate to anything that makes sense. If anyone has some hints or a reference to good study material I would greatly appreciate it.

I’ve checked about 5 different frameworks that might generate this “weird” traffic but no fingerprint matches the queries in the pcap file. If it is something custom made I don’t have enough clues to solve it.

Hmmmm…

Shameless bump, now at the last step. Swear on me mum if this is one of those “guess harder” challenges I’m gonna…

Could really use a hint here

I found it! Make sure you know what script the attacker used for this, and modify it. Don’t overcomplicate it and try to bruteforce stuff like I did.

Circling back after some time off and still hitting a wall. My modification didn’t work, so I probably have the wrong script. Can anyone confirm this isn’t an obscure script? I’m focused on an old perl script at the moment.

There is a part that is easy to decode which will indicate whether you got a good script or not. Feel free to send me a PM with the script you use and I will check.

I have found a script that, if you replace a certain symbol with another, I think matches the fingerprint given. The script contains some encryption to produce such a payload; do I need to bruteforce the pass with a dictionary? Am I on the right path? Hoping I do not spoil too much…

Hi all,

I need some hints here. :slight_smile: Thanks. Please PM me. Which encoding is this again? I know it’s a replacement cipher, but how do we get there?

Study material: Detecting DNS Tunneling | SANS Institute

Thanks charybdis! Always love reading a SANS paper, even if I’m still stuck afterwards :slight_smile: We’ll see.

Can someone please provide me a hint for the decoding of the package? Not the short string, but the long one. I think I know which script is being used, but I’ve no idea how to set it all up or use it, since I’m new to all this stuff. At this point I’ll even learn more from someone just spoiling me than just looking at the package all day and not knowing what to do.

The Sans paper was interesting and helpful, but it didn’t provide the answers I’m looking for…

Would be glad if someone could help with this.

I read the SANS paper, tried to find the precedence of the script that generates the requests but still I’m missing how to decode it if anyone can PM me or give a hint…

Very interesting challenge, love it! Thank you @cmaddy

I’m blocked on this one. I’ve been trying several tools, but I didn’t find any one that makes sense for the FQDN in the pcap. Can anybody give me a pointer?

I found a walkthrough that provided the flag. I don’t know if you can call it a walkthrough, because the script it had didn’t work for me personally, but I’d like to be able to understand why what I tried didn’t work, and what I was missing. I would appreciate a PM to help me understand why my script wouldn’t run; I’m not that good with python scripts.

I am stuck… I can’t find out how to decode the packet…

Well, that was tougher than I expected.

As some have said, finding the tool which generated (or receives) these packets is the key to this. If you don’t locate the right tool, you’ll never crack this without a truckload of jammy luck.

After hours of beating my head against a wall, I eventually realised that the combination of “init.” and TXT records helped me find what I was looking for.
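The clue in the post above (repeated TXT lookups with “init.”-prefixed names) is the kind of pattern a defender would alert on rather than decode. As an added example that is not from this thread or from the challenge itself, here is a small Python heuristic run over constructed DNS query log lines: it flags client/domain pairs that issue several TXT queries whose subdomain labels look like encoded data (high entropy). The log line format, the two-label registered-domain rule and the treatment of a leading "init" label as a marker are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not the challenge pcap): "time client qtype qname".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 TXT init.d4e5f6.tunnel.example
10:00:03 10.0.0.5 TXT 7a3b9c0d1e2f4a5b6c7d8e9f0a1b2c3d.tunnel.example
10:00:04 10.0.0.5 TXT 5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0c.tunnel.example
10:00:05 10.0.0.5 TXT 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.tunnel.example
10:00:06 10.0.0.5 A mail.example.com
10:00:07 10.0.0.5 TXT _dmarc.example.com
"""

def shannon_entropy(text):
    """Bits of entropy per character; random-looking encoded labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Split 'sub.labels.domain.tld' into (subdomain part, registered domain).
    Assumption: the registered domain is the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_suspects(log_text, min_txt=3, entropy_threshold=3.0):
    """Return [(client, domain, stats)] for pairs whose TXT traffic looks like a data
    channel: at least min_txt TXT lookups and a high-entropy subdomain among them."""
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        client, qname = parts[1], parts[3]
        sub, domain = split_name(qname)
        s = stats.setdefault((client, domain), {"txt": 0, "max_entropy": 0.0, "init": False})
        s["txt"] += 1
        s["max_entropy"] = max(s["max_entropy"], shannon_entropy(sub.replace(".", "")))
        # Assumption: a leading "init" label marks a session start, as noted in the thread.
        s["init"] = s["init"] or sub.split(".")[0] == "init"
    return [(c, d, s) for (c, d), s in sorted(stats.items())
            if s["txt"] >= min_txt and s["max_entropy"] >= entropy_threshold]

if __name__ == "__main__":
    for client, domain, s in find_suspects(SAMPLE_LOG):
        print(f"{client} -> {domain}: {s['txt']} TXT queries, "
              f"max entropy {s['max_entropy']:.2f}, init marker={s['init']}")
```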

Finally! Had to give it an honest harder try and tweak a lot of my script. That was quite a challenge.

If you don’t feel like scripting, it is also possible to completely avoid it. It is possible to get the result by playing with the capture file, if you tweak it a little bit.