After a long time away from CTFs I'm playing again, and here's my solution for Forensics 100.
As I no longer have access to the challenges, I'll explain the question as well as I can.
Question :
A pcap is given, with the hint that the attackers used an old technique to communicate from the victim machine to their server.
Link to file : Forensics100
Solution :
Looking at the pcap in our tool of the trade, Wireshark, we see that it is nothing but DNS queries and responses.
The only thing that changes from packet to packet is the DNS query name, e.g. ASfsbGivEQsT2aQPHzaB.gzpgs.trendmicro.co.jp
5GBJZEAWX7WJASGCg5Br.gzpgs.trendmicro.co.jp
9TvJjPCj9kRW9fk5XU2b.gzpgs.trendmicro.co.jp
etc.,
so I used tshark to extract all 255 query names, strip the zone from each and dump the labels into for100.txt as below:
# keep only the queries (not the responses), drop the tunnel's zone from each name and join the labels into one stream
# (tr -d deletes a *set* of characters, so the suffix has to be removed with sed rather than with tr -d "gzpgs.trendmicro.co.jp")
tshark -r output.pcap -T fields -e ip.src -e dns.qry.name -Y "dns.flags.response eq 0" | awk '{print $2}' | sed 's/\.gzpgs\.trendmicro\.co\.jp$//' | tr -d '\n' > for100.txt
Now the interesting part: if we list the distinct characters in the file with awk, sort and uniq, we find 58 of them, not the 64 you would expect if this were base64.
I used the command below to find the distinct characters:
awk 'BEGIN{FS=""} {for(i=1;i<=NF;i++) print $(i) ; } ;' for100.txt | sort | uniq | tr -d '\n'
output : 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz
Now all that is left is to find a base58 decoder. Googling turned up a website:
base58-decode
Decoding the stream, we find the flag at the end of the output: "TMCTF{DNSTunnelExfil}"
w00t w00t!!
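As an added example that is not part of the original write-up, the same analysis in Python on constructed data: build a DNS-tunnel capture from a sample payload, strip the zone and join the labels (the tshark pipeline), count the distinct symbols (the awk | sort | uniq step), pick the smallest standard alphabet that fits, and base58-decode the stream. The zone name, the 20-character label size and the flag come from the post; the sample payload bytes, the function names and the alphabet classifier are my own assumptions, not anything from the challenge.

```python
# Added example (not from the original write-up): the DNS-tunnel analysis
# the post describes, run on constructed data so it works offline.
# Bitcoin-style base58 alphabet: exactly the 58 symbols awk | sort | uniq found.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
KNOWN_ALPHABETS = {
    "hex": set("0123456789abcdefABCDEF"),
    "base32": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567="),
    "base58": set(B58_ALPHABET),
    "base64": set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="),
}
ZONE = "gzpgs.trendmicro.co.jp"   # the tunnel's zone, as in the post
LABEL_LEN = 20                     # length of each query label in the post

# Constructed sample payload (assumption): the flag followed by some binary
# "document" so that the stream is long enough to resemble the 255 queries.
SAMPLE_PAYLOAD = b"TMCTF{DNSTunnelExfil}\n" + bytes(range(256)) * 4


def b58encode(data: bytes) -> str:
    """Encode bytes as base58; leading zero bytes become leading '1' symbols."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58_ALPHABET[r] + digits
    pad = len(data) - len(data.lstrip(b"\0"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; str.index raises ValueError on a foreign symbol."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + body


def build_capture(payload: bytes, zone: str = ZONE, label_len: int = LABEL_LEN) -> list[str]:
    """Constructed capture: the encoded payload cut into fixed-size query names."""
    stream = b58encode(payload)
    return [f"{stream[i:i + label_len]}.{zone}" for i in range(0, len(stream), label_len)]


def extract_stream(query_names: list[str], zone: str = ZONE) -> str:
    """What the tshark | sed | tr pipeline does: strip the zone, join the labels in order."""
    suffix = "." + zone
    return "".join(q[:-len(suffix)] for q in query_names if q.endswith(suffix))


def guess_encoding(symbols: set[str]) -> str:
    """Smallest standard alphabet containing every observed symbol ('unknown' if none)."""
    for name in ("hex", "base32", "base58", "base64"):
        if symbols <= KNOWN_ALPHABETS[name]:
            return name
    return "unknown"


def analyse(query_names: list[str], zone: str = ZONE) -> dict:
    """Run the whole procedure: extract, fingerprint the alphabet, decode if it fits base58."""
    stream = extract_stream(query_names, zone)
    symbols = set(stream)
    fits_b58 = symbols <= KNOWN_ALPHABETS["base58"]
    return {
        "queries": len(query_names),
        "stream_len": len(stream),
        "symbols": len(symbols),          # 58 for a stream as long as the post's
        "guess": guess_encoding(symbols),
        "decoded": b58decode(stream) if fits_b58 else None,
    }


if __name__ == "__main__":
    result = analyse(build_capture(SAMPLE_PAYLOAD))
    print(f"{result['queries']} queries, {result['stream_len']} symbols, "
          f"{result['symbols']} distinct -> {result['guess']}")
    print(result["decoded"][:32])
```

The classifier works by inclusion rather than by counting: a base58 stream is also a subset of the base64 alphabet, so the telling sign is what is absent (no 0, O, I, l, +, / or =), which is exactly what the 58-versus-64 count in the post reveals.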