Labyrenth 2017 Threat 01
For the first challenge of the threat track we are given a file called challenge.pcap. Opening the pcap in Wireshark reveals a bunch of DNS requests.
[Screenshot: challenge.pcap opened in Wireshark]
Looking at the raw requests, one immediately notices a bunch of additional bytes.
[Screenshot: unusual bytes in a DNS request]
This gives the following sequence:
UEsDBBQAAAAIAOCIr0qMVwGeKQAAACoAAAAIABwAZmlsZS5kYXRVVAkAA3QYGlmBGBpZdXgLAAEE6AMAAAToAwAAC3D0q3bMyQnIz8wrSS0q9sxz8QsOzsgvzUkBCzklJmeXJxalFNdyAQBQSwECHgMUAAAACADgiK9KjFcBnikAAAAqAAAACAAYAAAAAAAB7AAAAtIEAAAAAZmlsZS5kYXRVVAUAA3QYGll1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBOAAAAawAAAAAA
With the given range of characters I guessed it to be a base64-encoded string, so I used some Python code to base64-decode the string and write the result to a file. To avoid decoding errors I just skipped the last byte.
import base64

# base64 string reassembled from the extra bytes in the DNS requests
target = "UEsDBBQAAAAIAOCIr0qMVwGeKQAAACoAAAAIABwAZmlsZS5kYXRVVAkAA3QYGlmBGBpZdXgLAAEE6AMAAAToAwAAC3D0q3bMyQnIz8wrSS0q9sxz8QsOzsgvzUkBCzklJmeXJxalFNdyAQBQSwECHgMUAAAACADgiK9KjFcBnikAAAAqAAAACAAYAAAAAAAB7AAAAtIEAAAAAZmlsZS5kYXRVVAUAA3QYGll1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBOAAAAawAAAAAA"

# drop the dangling last character so the length is a multiple of four,
# otherwise b64decode raises a padding error
with open('b64.bin', 'wb') as out_file:
    out_file.write(base64.b64decode(target[:-1]))
Opening the output in HxD reveals the byte sequence "50 4B 03 04" ("PK" followed by 03 04), the signature of a ZIP local file header, which indicates a zip file.
[Screenshot: base64-decoded file with the zip file header]
So I tried 7-Zip "Extract Here", which gave me some warnings but also extracted a file called file.dat.
Opening that file in Notepad++ revealed the first flag:
PAN{AllPointersInDNSShouldPointBackwards}
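The carving the post does by hand, as an added example that is not part of the original writeup: a small Python parser that walks the question section of a raw DNS query and reports whatever bytes are left over after it, flags compression pointers that point forward (RFC 1035 only allows a pointer to a prior occurrence of a name, which is what the flag alludes to), and reassembles the carved fragments into base64, trimming a dangling partial group the way the post skips its last byte before decoding and checking for the ZIP signature. The DNS messages here are constructed samples, not packets from challenge.pcap.

```python
import base64
import struct
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header, the "50 4B 03 04" seen in HxD

def read_name(msg, off):
    """Parse a DNS name at off -> (name, offset after it, forward pointer seen?)."""
    labels, end, jumped, forward = [], off, False, False
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if jumped else off + 2
            if ptr >= off:  # RFC 1035: a pointer must reference a prior occurrence
                forward = True
                break
            off, jumped = ptr, True
        elif ln == 0:  # root label ends the name
            end = end if jumped else off + 1
            break
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii", "replace"))
            off += 1 + ln
    return ".".join(labels), end, forward

def inspect_query(msg):
    """Walk header and question section; return names, leftover bytes, pointer flag."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, names, forward = 12, [], False
    for _ in range(qd):
        name, off, fwd = read_name(msg, off)
        names.append(name)
        forward = forward or fwd
        off += 4  # skip QTYPE and QCLASS
    # a plain query carries no other sections, so anything after this is not DNS
    trailing = msg[off:] if an == ns == ar == 0 else b""
    return {"names": names, "trailing": trailing, "forward_pointer": forward}

def carve_base64(fragments):
    """Join fragments, drop a dangling partial base64 quantum, decode, check magic."""
    blob = b"".join(fragments)
    data = base64.b64decode(blob[:len(blob) - len(blob) % 4])
    return data, data.startswith(ZIP_MAGIC)

def build_query(qname, trailing=b""):
    """Construct a minimal A query for qname with extra bytes appended after it."""
    wire = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + wire + b"\x00\x01\x00\x01" + trailing
# Constructed samples (not packets from challenge.pcap); the third uses a pointer to 0x20
SAMPLE_QUERIES = [build_query("example.com", b"UEsD"), build_query("example.com", b"BBQAX")]
SAMPLE_FORWARD = SAMPLE_QUERIES[0][:12] + b"\xC0\x20\x00\x01\x00\x01"
```

Running `carve_base64` over the trailing bytes of the two sample queries yields the six-byte ZIP header prefix, and `inspect_query(SAMPLE_FORWARD)` flags the forward pointer.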