Labyrenth 2017 Threat 01

For the first challenge of the threat track we are given a file called challenge.pcap.
Opening the pcap in Wireshark reveals a bunch of DNS requests.
Looking at the raw requests, one immediately notices a bunch of additional bytes appended after the query itself:
|unusual bytes in DNS request|
This gives the following sequence:
UEsDBBQAAAAIAOCIr0qMVwGeKQAAACoAAAAIABwAZmlsZS5kYXRVVAkAA3QYGlmBGBpZdXgLAAEE6AMAAAToAwAAC3D0q3bMyQnIz8wrSS0q9sxz8QsOzsgvzUkBCzklJmeXJxalFNdyAQBQSwECHgMUAAAACADgiK9KjFcBnikAAAAqAAAACAAYAAAAAAAB7AAAAtIEAAAAAZmlsZS5kYXRVVAUAA3QYGll1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBOAAAAawAAAAAA

With the given range of characters I guessed it to be a base64-encoded string, so I used some Python code to base64-decode the string and write the result to a file. To avoid decoding errors I just skipped the last byte.
import base64

target = "UEsDBBQAAAAIAOCIr0qMVwGeKQAAACoAAAAIABwAZmlsZS5kYXRVVAkAA3QYGlmBGBpZdXgLAAEE6AMAAAToAwAAC3D0q3bMyQnIz8wrSS0q9sxz8QsOzsgvzUkBCzklJmeXJxalFNdyAQBQSwECHgMUAAAACADgiK9KjFcBnikAAAAqAAAACAAYAAAAAAAB7AAAAtIEAAAAAZmlsZS5kYXRVVAUAA3QYGll1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBOAAAAawAAAAAA"

# The string's length is not a multiple of four, so the last character is
# dropped before decoding to avoid a padding error.
data = base64.b64decode(target[:-1])
with open('b64.bin', 'wb') as out_file:
    out_file.write(data)
Opening the output in HxD reveals the byte sequence "50 4B 03 04" ("PK\x03\x04", the ZIP local file header signature), which points to a zip file.
|b64 decoded file with zip file header|
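The two manual steps above (spotting bytes past the end of a DNS query and checking the decoded blob for the zip signature) can be automated. The following is an added example, not code from the original write-up: it parses a DNS query far enough to find where the question section ends, treats anything after it as foreign data, reassembles that data across queries, and applies the same "drop the dangling character" fix before decoding. The sample queries, names and payload are constructed here for the demo; the real input would be the messages from the pcap.

```python
import base64
import struct

# Constructed sample builder, not from the challenge pcap: a DNS query
# with extra bytes appended after the question section.
def build_query(txid, name, tail):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1) + tail

def trailing_bytes(msg):
    """Return bytes that follow the last counted section of a DNS query;
    a well-formed query ends right after its question(s)."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x8000 or an or ns or ar:
        # Responses, and queries carrying extra records (e.g. an EDNS OPT
        # record in the additional section), would need RR parsing; skip.
        return b""
    pos = 12
    for _ in range(qd):
        while True:                      # walk the QNAME labels
            length = msg[pos]
            if length == 0:
                pos += 1
                break
            if length & 0xC0:            # compression pointer (2 bytes)
                pos += 2
                break
            pos += 1 + length
        pos += 4                         # QTYPE + QCLASS
    return msg[pos:]

def reassemble(messages):
    """Join the trailing bytes of all queries, base64-decode them (dropping
    a dangling character and repairing padding, as the write-up did by
    hand) and check for the ZIP local file header magic."""
    text = b"".join(trailing_bytes(m) for m in messages).decode("ascii", "ignore")
    if len(text) % 4 == 1:               # a lone char can never form a group
        text = text[:-1]
    text += "=" * (-len(text) % 4)
    data = base64.b64decode(text)
    return data, data.startswith(b"PK\x03\x04")

# Constructed demo traffic: a zip-like blob split across queries, plus a
# stray trailing character like the one the write-up had to skip.
SAMPLE = b"PK\x03\x04\x14\x00constructed zip-like payload"
ENCODED = base64.b64encode(SAMPLE).decode() + "A"
QUERIES = [build_query(i, "c%d.example.com" % i, ENCODED[i * 16:(i + 1) * 16].encode())
           for i in range((len(ENCODED) + 15) // 16)]
```

Calling reassemble(QUERIES) returns the original SAMPLE bytes together with True for the zip check; on real traffic, any non-empty result from trailing_bytes is worth an alert on its own, whatever the payload decodes to.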
So I tried 7-zip "Extract Here", which gave me some warnings but also extracted a file called file.dat.
Opening that file in Notepad++ revealed the first flag: