BsidesSF’17 CTF DNScap Write-Up

This was one of the more exciting challenges I solved recently. I’d recommend it to anyone interested in learning network forensics and the Python scapy module. So enough talk, let us get on with the challenge.

Challenge Description:

“Found this packet capture. Pretty sure there’s a flag in here. Can you find it!?”

Challenge File: dnscap.pcap

The description doesn’t give any clue as to what the challenge is, so let us start analyzing. Opening the pcap, we find a lot of DNS traffic. The query name in each packet is clearly hex-encoded text. Let us carve out the hex from every query name and see if we can make anything out of it.

from scapy.all import *

r = rdpcap("dnscap.pcap")

for pkt in r:
	if not pkt.haslayer(DNSQR):
		continue
	# qname is bytes under Python 3 (e.g. b"41424344."): drop the dots, then hex-decode
	qname = pkt[DNSQR].qname.decode()
	print(bytes.fromhex(qname.replace(".", "")))

This gave some interesting output. Let us see.

[Screenshots of the decoded query names]

So, this traffic was generated using dnscat2. To read more about “dnscat2”, click on this link.

In the output, I also found IEND, so a PNG file was transmitted. Let us try to extract it, starting with finding where the PNG header begins.

Going through the dump, I found that the image bytes start after skipping the first 9 bytes of each payload. The extraction is also tricky because there are a lot of re-transmits in between, so we need to check for those as well. Let us write a script for that now.

from scapy.all import *

r = rdpcap("dnscap.pcap")

prev = b""
new = b""

for i, pkt in enumerate(r):
	# only the client queries (no answer section) carry the upload
	if pkt.haslayer(DNSQR) and not pkt.haslayer(DNSRR):
		qname = pkt[DNSQR].qname.decode()
		# drop the dots, hex-decode, then skip the 9-byte dnscat2 header
		b = bytes.fromhex(qname.replace(".", ""))[9:]

		# a re-transmit repeats the previous payload, so skip it
		if b == prev:
			continue
		prev = b

		# packets 7..364 of the capture carry the image (found by going through the dump)
		if 6 < i < 365:
			new = new + b

# the PNG is binary, so write it in "wb" mode
with open("flag.png", "wb") as f:
	f.write(new)

So let us run this and see how it goes.

[Screenshot of the extracted image]

There are some junk bytes at the beginning, so let us remove those. And Woah! we get the flag! (I know there are junk bytes at the end too, because I carved out the entire packets, but it doesn’t matter because a PNG ends after IEND…lol)
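The two scripts above carve the hex from the query names, skip the 9-byte header, drop re-transmits by comparing each payload with the previous one, and then rely on a hand-picked packet range plus manual trimming of the junk around the image. The following is an added example, not code from the write-up, that does the same job in a more general way and runs without scapy. It assumes the dnscat2 MSG header layout of packet id (2 bytes), type (1), session id (2), seq (2) and ack (2), which is where the 9 skipped bytes come from, uses the seq field to drop re-transmits and to reorder packets, and trims the junk at both ends by locating the PNG signature and the IEND chunk instead of a packet range. The query names, the 1x1 PNG and the surrounding junk are constructed sample data, and the function names are my own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
HEADER_LEN = 9  # bytes skipped per query in the write-up; assumed dnscat2 MSG header (layout below)


def decode_qname(qname, domain=None):
    """Turn one query name into the raw bytes it carries.

    qname may be str or bytes (scapy's pkt[DNSQR].qname is bytes). The trailing
    root dot, the label dots and an optional appended domain are removed before
    hex-decoding. Returns None for names that are not hex (ordinary DNS traffic).
    """
    if isinstance(qname, bytes):
        qname = qname.decode("ascii", errors="replace")
    name = qname.rstrip(".")
    if domain and name.endswith("." + domain):
        name = name[: -len(domain) - 1]
    try:
        return bytes.fromhex(name.replace(".", ""))
    except ValueError:
        return None


def payloads(qnames, domain=None):
    """Yield (seq, data) per query. Assumed header layout (big-endian):
    packet_id(2) type(1) session_id(2) seq(2) ack(2), then the data."""
    for q in qnames:
        raw = decode_qname(q, domain)
        if raw is None or len(raw) <= HEADER_LEN:
            continue
        seq = struct.unpack(">H", raw[5:7])[0]
        yield seq, raw[HEADER_LEN:]


def reassemble(qnames, domain=None):
    """Join payloads in seq order. A re-transmit repeats its seq, so only the
    first copy of each seq is kept. (16-bit seq wrap-around is not handled.)"""
    first = {}
    for seq, data in payloads(qnames, domain):
        first.setdefault(seq, data)
    return b"".join(first[s] for s in sorted(first))


def carve_png(blob):
    """Cut the PNG out of a byte stream: from the 8-byte signature to the end of
    the IEND chunk (4-byte length, 4-byte type, no data, 4-byte CRC). None if absent."""
    start = blob.find(PNG_SIG)
    if start < 0:
        return None
    iend = blob.find(b"IEND", start)
    if iend < 0:
        return None
    return blob[start:iend + 4 + 4]


# --- constructed sample data (not from the challenge pcap) -------------------

def _chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def tiny_png():
    """A valid 1x1 8-bit grayscale PNG, built here so the example is self-contained."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def sample_queries():
    """Constructed query names: junk + PNG + junk cut into 10-byte MSG payloads,
    hex-encoded into labels of at most 63 chars, with one re-transmit and one
    out-of-order pair, the way a real capture would look."""
    stream = b"junk-before-" + tiny_png() + b"-junk-after"
    names, seq = [], 0
    for i in range(0, len(stream), 10):
        data = stream[i:i + 10]
        hdr = struct.pack(">HBHHH", 0x1000 + i, 0x01, 0xBEEF, seq, 0)  # 0x01 = MSG
        hexed = (hdr + data).hex()
        names.append(".".join(hexed[j:j + 63] for j in range(0, len(hexed), 63)) + ".")
        seq += len(data)
    names.insert(3, names[2])                 # re-transmitted query
    names[5], names[6] = names[6], names[5]   # out-of-order pair
    return names


if __name__ == "__main__":
    # With scapy the list would come from the capture, e.g.
    # qnames = [p[DNSQR].qname for p in rdpcap("dnscap.pcap")
    #           if p.haslayer(DNSQR) and not p.haslayer(DNSRR)]
    png = carve_png(reassemble(sample_queries()))
    print("carved %d bytes, intact=%s" % (len(png), png == tiny_png()))
```

Feeding the real capture is a matter of replacing sample_queries() with the scapy list in the comment (and passing domain=... if the tunnel appended a domain to each name); the carved bytes can then be written to a file in "wb" mode as the write-up does.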


The flag is: b91011fc

That was a good challenge man! Good for everyone who wants to learn about DNS and scapy.

Please share and like it if it has helped you.
