Skip to content

Latest commit

 

History

History
87 lines (58 loc) · 2.4 KB

09.md

File metadata and controls

87 lines (58 loc) · 2.4 KB

9. Data exfiltration techniques and their detection

In this goal our task is to detect and analyze exfiltration in pcap files.

9.a

Upon visually inspecting the pcap we see that there are some long DNS TXT record queries. We filtered those out using 'dns.txt' filter. Then we went to the flag server mentioned in task description on 192.168.1.167:8991.

The server prompted as with several questions:

What was the domain used for exfiltration? (input the last part of the subdomain and the TLD, e.g. google.com)

The answer to this can be found by simply viewing the TXT queries. The domain ends with securitytesting.online and that is the answer.

<Legolas> Which type of DNS record was used?

As mentioned before the queries were of TXT type.

<Legolas> How many queries were used for the exfiltration in total?

The number of filtered out txt queries from INIT to last packet is 61.

After that we received our flag:

<Legolas> Your friends are with you: BSY-FLAG-A09A-{...}

9.b

In this task we see pcap of dns data exfiltration again. This time we know which tool was used DNSExfiltrator and we have the information that password 'pass' was used.

We again filtered the packets using dns.txt and copied out both packets that were used for exfiltration:

init.ORSXG5BOOR4HI7BR.base64.securitytesting.online: type TXT, class IN

and

Name: 0.EIu3wCinsPK_RDCVv5d-28e2TU-Ec1BHT83QblPN3mOo-L1-dXVkSPod7iTczcQ.tlULhh7p_QqO-k4FtUQ56nkbgIOkTNePAkkDmEWAggVL7hEcLJpKORiesVBGsol.AEJgjlMn2JczQo6KGqUAJ4GtnaXI3YZW7uEel8fq0kjjJvQfVhtbHHKyx9bEhJO.zxhc39atS4.securitytesting.online

We cloned the repository with DNSExfiltrator and modified the code a bit to decode our string with fix password without the need to run the whole process. After extracting the result zip file we get folder with one single file: test.txt with following content:

lalalala
passwords: jkgjhqgfwgefjh

We then proceed to the flag server again, this time running on 192.168.1.167:8992 First question:

<Gimli> What is the name of the exfiltrated file?

we already know the answer, the extracted file is test.txt

<Gimli> What is the password inside the file?

Answer is in the file: jkgjhqgfwgefjh

Answering these two questions was enough to get the flag:

<Gimli> Never thought I'd die fighting side by side with an Elf: BSY-FLAG-A09B-{...}