ISSessions CTF 2021 DNS Exfiltration
Extracting exfiltrated data from DNS queries in a PCAP capture using tshark and command-line tools.
DNS Exfiltration
The challenge here was that we were given a PCAP with a ton of DNS queries, and somewhere in there is some exfil.
Solution
Keeping with the trend for most of the other challenges I did, I’m going to do this one in ZSH so I can quickly get the data out.
The first thing I noticed when running tshark was the “stealthy” domain used for exfil: “stealthy-exfil.com”. I’ve dealt with how DNS exfiltration works, so I knew to look for a ton of requests to a subdomain of it, potentially the nameserver.
And what do you know, some weird looking requests, both A and TXT requests going to various subdomains.
After some trial and error, I came up with the following one liner:
tshark -r DNSExfil.pcap | grep -oE "(TXT|A).*ns.stealthy" | cut -d' ' -f2 | grep -oE "[A-Z]+.*" | sort -V | uniq | cut -d'.' -f2
Let’s break this down a bit, in terms of the regex outputs.
tshark -r DNSExfil.pcap | grep -oE "(TXT|A).*ns.stealthy"
This gets me all the DNS queries that were either a TXT or an A record lookup under ns.stealthy-exfil.com. The leftmost label, of the form CMD[0-9]+, seems like it’s a sequence number.
Next, I don’t care what type of request it was, so let’s cut out the request type:
cut -d' ' -f2
Now I want to get everything from the CMD ordering variable, to the end of the domain:
grep -oE "[A-Z]+.*"
From here, it seems like we’ve got quite a few duplicates. Let’s sort with “natural” sorting (so 10 doesn’t sort before 2):
sort -V
Now make sure we only have unique lines:
uniq
Since we’ve got clean dot-delimited lines now, let’s split on the dots and only keep the hex string:
cut -d'.' -f2
We know this is hex, so tossing it into a hex-to-ASCII converter gets us what looks to be a directory listing output from some server, with the flag embedded:
Flag = NobodyThoughtToCheckTheDNS
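As an added example (not part of the original writeup), here is the same reassembly done in Python over constructed tshark-style lines. It goes a little beyond the one-liner: it orders chunks numerically rather than lexicographically, drops the duplicate A/TXT pairs, and reports any missing sequence numbers so a partial capture is noticed instead of silently decoded. The sample lines, hex payloads and the CMD<seq>.<hex> label layout are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed lines mimicking tshark's default one-line summary; NOT from the real PCAP.
# Duplicates (A + TXT for the same CMD) and out-of-order numbering are deliberate,
# and CMD4..CMD9 are intentionally absent to exercise the gap check.
SAMPLE_LINES = """\
  1 0.000000 10.0.0.5 -> 10.0.0.53 DNS 92 Standard query 0x1a2b A CMD10.6e6f7465732e7478740a.ns.stealthy-exfil.com
  2 0.001000 10.0.0.5 -> 10.0.0.53 DNS 92 Standard query 0x1a2c TXT CMD1.746f74616c20380a.ns.stealthy-exfil.com
  3 0.002000 10.0.0.5 -> 10.0.0.53 DNS 92 Standard query 0x1a2d A CMD1.746f74616c20380a.ns.stealthy-exfil.com
  4 0.003000 10.0.0.5 -> 10.0.0.53 DNS 92 Standard query 0x1a2e A CMD3.666c61672e7478740a.ns.stealthy-exfil.com
  5 0.004000 10.0.0.5 -> 10.0.0.53 DNS 92 Standard query 0x1a2f TXT CMD2.2d72772d722d2d722d2d203120.ns.stealthy-exfil.com
  6 0.005000 10.0.0.5 -> 10.0.0.53 DNS 92 Standard query 0x1a30 TXT CMD10.6e6f7465732e7478740a.ns.stealthy-exfil.com
  7 0.006000 10.0.0.5 -> 10.0.0.8 DNS 80 Standard query 0x1a31 A www.example.com
"""

# Same shape the writeup's grep pulls out: <type> CMD<seq>.<hex>.ns.stealthy-exfil.com
QUERY_RE = re.compile(r"\b(?:TXT|A) CMD(\d+)\.([0-9a-fA-F]+)\.ns\.stealthy-exfil\.com")

def extract_chunks(lines: str) -> Dict[int, str]:
    """Map each CMD sequence number to its hex chunk, collapsing the duplicate
    A/TXT queries; a sequence number seen with two different payloads is an error."""
    chunks: Dict[int, str] = {}
    for m in QUERY_RE.finditer(lines):
        seq, payload = int(m.group(1)), m.group(2).lower()
        if seq in chunks and chunks[seq] != payload:
            raise ValueError(f"CMD{seq} seen with two different payloads")
        chunks[seq] = payload
    return chunks

def missing_sequences(chunks: Dict[int, str]) -> List[int]:
    """Sequence numbers absent between the lowest and highest seen: a gap means
    the capture (or the filter) lost part of the transfer."""
    if not chunks:
        return []
    return sorted(set(range(min(chunks), max(chunks) + 1)) - set(chunks))

def reassemble(chunks: Dict[int, str]) -> bytes:
    """Join chunks in numeric order (so CMD10 follows CMD2, not CMD1), then hex-decode.
    bytes.fromhex raises ValueError on an odd-length or non-hex chunk."""
    return bytes.fromhex("".join(chunks[seq] for seq in sorted(chunks)))

if __name__ == "__main__":
    found = extract_chunks(SAMPLE_LINES)
    print("missing sequence numbers:", missing_sequences(found))
    print(reassemble(found).decode("ascii", errors="replace"))
```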