  • Daily Challenge
  • Released 07 Jul 2025

DNS Exfil - Complete Solution Walkthrough

Step 1: Initial Reconnaissance

  1. Download and open dns_exfil.pcap in Wireshark or your preferred network analysis tool.
  2. Apply a filter to view only DNS traffic: dns
  3. Observe the DNS queries and look for unusual patterns, such as long or random-looking subdomains.

Step 2: Installing tshark (if needed)

  1. If you don't have tshark installed, you can install it as follows:
    # On Ubuntu/Debian:
    sudo apt-get install tshark

    # On macOS (with Homebrew):
    brew install wireshark

    # On CentOS/RHEL:
    sudo yum install wireshark
  2. Alternatively, you can use Wireshark's GUI to export the DNS query names, or use other command-line tools like tcpdump.

Step 3: Extracting DNS Query Names

  1. Use tshark to extract all DNS query names:
    tshark -r dns_exfil.pcap -T fields -e dns.qry.name -Y 'dns'
  2. Review the output and identify queries that do not correspond to normal domains (e.g., www.google.com), but instead look like random strings followed by attacker.com.

Step 4: Identifying the Exfiltration Pattern

  1. Notice that the suspicious DNS queries have a structure like YTdiM2M5ZDEtZTVmMi00YThiLTljNmQtM2U3ZjhhMmI1Yzlk.attacker.com.
  2. The subdomain part appears to be base64-encoded data.
  3. Collect all such subdomains (if there are multiple, concatenate them in order).

Step 5: Reconstructing and Decoding the Flag

  1. Extract the base64-encoded parts from the DNS queries. For example:
    YTdiM2M5ZDEtZTVmMi00YThiLTljNmQtM2U3ZjhhMmI1Yzlk
  2. If the flag is split across multiple queries, concatenate all the base64 parts in the correct order.
  3. Decode the base64 string using a tool like CyberChef or the command line:
    echo 'YTdiM2M5ZDEtZTVmMi00YThiLTljNmQtM2U3ZjhhMmI1Yzlk' | base64 -d
  4. The decoded output is the flag in UUID format:
    a7b3c9d1-e5f2-4a8b-9c6d-3e7f8a2b5c9d

Step 6: Alternative Extraction Method (One-Liner)

  1. You can automate the extraction and decoding with a single command:
    tshark -r dns_exfil.pcap -T fields -e dns.qry.name -Y 'dns' | grep 'attacker.com' | cut -d'.' -f1 | tr -d '\n' | base64 -d
  2. This will output the flag directly if the queries are in order.

Step 7: Flag Verification

  1. Check that the output matches the UUID format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  2. For this challenge, the flag is:
    a7b3c9d1-e5f2-4a8b-9c6d-3e7f8a2b5c9d
  3. Submit the flag to complete the challenge.
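The extraction, reassembly and verification of Steps 5 to 7 as one script, added here as an example and not part of the lab's own material. It works on the one-query-name-per-line text that tshark prints, flags base64-looking first labels under a chosen domain, concatenates the chunks in capture order, fixes missing base64 padding, and checks the result against the UUID format. The sample query names below are constructed for this example; the chunks carry the walkthrough's flag split across four queries.

```python
"""Detect and reassemble base64 chunks carried in DNS query names."""
import base64
import binascii
import re
import uuid

# Constructed sample input in the shape of
# `tshark -T fields -e dns.qry.name` output: benign lookups mixed with
# four chunks that together carry the base64 of the walkthrough's flag.
SAMPLE_QUERIES = """\
www.google.com
YTdiM2M5ZDEt.attacker.com
mail.example.org
ZTVmMi00YThi.attacker.com
LTljNmQtM2U3.attacker.com
ZjhhMmI1Yzlk.attacker.com
cdn.example.net
"""

# A label made only of base64 alphabet characters and at least 8 long is
# the "random-looking subdomain" heuristic from the walkthrough.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=]{8,}$")


def suspicious_labels(lines, domain):
    """Return first labels of queries under `domain` that look base64-encoded."""
    out = []
    for line in lines:
        name = line.strip().rstrip(".")
        if not name.endswith("." + domain):
            continue
        label = name.split(".")[0]
        if B64_LABEL.match(label):
            out.append(label)
    return out


def decode_chunks(labels):
    """Concatenate chunks in capture order, restore padding, base64-decode."""
    blob = "".join(labels)
    blob += "=" * (-len(blob) % 4)  # senders often strip '=' from labels
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # not valid base64: no reassembled payload


def is_uuid(text):
    """Step 7 check: does the decoded text match the UUID flag format?"""
    try:
        return text is not None and str(uuid.UUID(text)) == text.lower()
    except ValueError:
        return False


def recover_flag(text, domain="attacker.com"):
    """Run the full pipeline over tshark-style output and return the flag."""
    return decode_chunks(suspicious_labels(text.splitlines(), domain))
```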

Technical Details and Security Implications

  • DNS Tunneling: Attackers use DNS queries to bypass firewalls and exfiltrate data. The data is often encoded (e.g., base64) and split across multiple queries.
  • Detection: Unusually long or random-looking DNS queries, especially to suspicious domains, are a red flag for exfiltration.
  • Prevention: Monitor DNS traffic for anomalies, restrict outbound DNS, and use DNS security solutions.
  • Real-World Impact: DNS exfiltration is used in advanced persistent threats (APTs) and malware campaigns.

Tools and Resources Used

  • Wireshark: For packet capture analysis
  • tshark: Command-line packet analysis
  • CyberChef: Online tool for decoding and data extraction
  • grep, cut, tr, base64: Command-line utilities for text processing and decoding

Challenge Summary and Methodology

  1. Reconnaissance: Analyze DNS traffic for suspicious patterns
  2. Extraction: Identify and extract encoded data from DNS queries
  3. Decoding: Reconstruct and decode the exfiltrated data
  4. Verification: Confirm the flag format and submit