This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.


DNS Exfil - Complete Solution Walkthrough

Step 1: Initial Reconnaissance

  1. Download and open dns_exfil.pcap in Wireshark or your preferred network analysis tool.
  2. Apply a filter to view only DNS traffic: dns
  3. Observe the DNS queries and look for unusual patterns, such as long or random-looking subdomains.

Step 2: Installing tshark (if needed)

  1. If you don't have tshark installed, you can install it as follows:
    # On Ubuntu/Debian:
    sudo apt-get install tshark

    # On macOS (with Homebrew):
    brew install wireshark

    # On CentOS/RHEL:
    sudo yum install wireshark
  2. Alternatively, you can use Wireshark's GUI to export the DNS query names, or use other command-line tools like tcpdump.

Step 3: Extracting DNS Query Names

  1. Use tshark to extract all DNS query names:
    tshark -r dns_exfil.pcap -T fields -e dns.qry.name -Y 'dns'
  2. Review the output and identify queries that do not correspond to normal domains (e.g., www.google.com) but instead look like random strings followed by .attacker.com.

Step 4: Identifying the Exfiltration Pattern

  1. Notice that the suspicious DNS queries have a structure like YTdiM2M5ZDEtZTVmMi00YThiLTljNmQtM2U3ZjhhMmI1Yzlk.attacker.com.
  2. The subdomain part appears to be base64-encoded data.
  3. Collect all such subdomains (if there are multiple, concatenate them in order).

Step 5: Reconstructing and Decoding the Flag

  1. Extract the base64-encoded parts from the DNS queries. For example:
    YTdiM2M5ZDEtZTVmMi00YThiLTljNmQtM2U3ZjhhMmI1Yzlk
  2. If the flag is split across multiple queries, concatenate all the base64 parts in the correct order.
  3. Decode the base64 string using a tool like CyberChef or the command line:
    echo 'YTdiM2M5ZDEtZTVmMi00YThiLTljNmQtM2U3ZjhhMmI1Yzlk' | base64 -d
  4. The decoded output is the flag in UUID format:
    a7b3c9d1-e5f2-4a8b-9c6d-3e7f8a2b5c9d

Step 6: Alternative Extraction Method (One-Liner)

  1. You can automate the extraction and decoding with a single command (the grep is anchored on the exfiltration domain so that unrelated names are not picked up):
    tshark -r dns_exfil.pcap -T fields -e dns.qry.name -Y 'dns' | grep '\.attacker\.com$' | cut -d'.' -f1 | tr -d '\n' | base64 -d
  2. This will output the flag directly if the queries are in order.
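The pipeline from Steps 3 to 6, written out in Python as an added example (not part of the original walkthrough). It works on the text that `tshark -T fields -e dns.qry.name` prints, so it runs offline against a constructed sample in which the flag is split across two queries, as Step 5 says may happen. The sample query names, the handling of repeated queries (DNS retransmissions) and the padding repair are assumptions for illustration; the exfiltration domain and the flag value are the ones the walkthrough gives.

```python
import base64
import binascii

# Constructed sample of `tshark -T fields -e dns.qry.name` output: benign
# lookups mixed with exfiltration queries under the lab's attacker domain.
# The base64 flag is deliberately split over two queries in capture order.
SAMPLE_QUERY_NAMES = """www.google.com
YTdiM2M5ZDEtZTVmMi00YThi.attacker.com
cdn.example.net
YTdiM2M5ZDEtZTVmMi00YThi.attacker.com
LTljNmQtM2U3ZjhhMmI1Yzlk.attacker.com
www.google.com
"""

EXFIL_DOMAIN = "attacker.com"


def extract_chunks(query_names, exfil_domain=EXFIL_DOMAIN):
    """Return the first label of every query under exfil_domain, in capture order.

    A query identical to the immediately preceding one is treated as a DNS
    retransmission and skipped (assumption: a tunnel would not send the same
    chunk twice in a row, but a resolver that times out will repeat a query).
    """
    chunks = []
    previous = None
    for line in query_names.splitlines():
        name = line.strip().rstrip(".").lower()
        if not name or not name.endswith("." + exfil_domain):
            continue
        if name == previous:
            continue
        previous = name
        # The leftmost label carries the payload; everything after it is the tunnel domain.
        chunks.append(line.strip().split(".")[0])
    return chunks


def decode_payload(chunks):
    """Concatenate the chunks and base64-decode them as UTF-8 text.

    Senders often strip '=' padding because it is awkward in DNS labels, so the
    padding is restored before decoding; anything that is still not valid base64
    raises ValueError instead of returning garbage.
    """
    data = "".join(chunks)
    data += "=" * (-len(data) % 4)
    try:
        return base64.b64decode(data, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"payload is not valid base64 text: {exc}") from exc


def recover_flag(query_names=SAMPLE_QUERY_NAMES):
    """End-to-end: tshark output text in, decoded flag out."""
    return decode_payload(extract_chunks(query_names))


if __name__ == "__main__":
    print(recover_flag())
```

To use it on the real capture, pipe the tshark output into the script or pass the captured text to `recover_flag`; the result for the lab sample is the UUID flag from Step 5.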

Step 7: Flag Verification

  1. Check that the output matches the UUID format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  2. For this challenge, the flag is:
    a7b3c9d1-e5f2-4a8b-9c6d-3e7f8a2b5c9d
  3. Submit the flag to complete the challenge.

Technical Details and Security Implications

  • DNS Tunneling: Attackers use DNS queries to bypass firewalls and exfiltrate data. The data is often encoded (e.g., base64) and split across multiple queries.
  • Detection: Unusually long or random-looking DNS queries, especially to suspicious domains, are a red flag for exfiltration.
  • Prevention: Monitor DNS traffic for anomalies, restrict outbound DNS, and use DNS security solutions.
  • Real-World Impact: DNS exfiltration is used in advanced persistent threats (APTs) and malware campaigns.
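The detection bullet above describes the heuristics a defender would apply to DNS logs: unusually long labels and random-looking (high-entropy) labels. The following is an added example, not code from the walkthrough, that scores query names with those two signals over a constructed sample. The thresholds (30 characters, 3.5 bits per character) and the sample names are assumptions chosen for illustration; in practice they are tuned against a baseline of the monitored network's own DNS traffic.

```python
import math
from collections import Counter

# Constructed sample of DNS query names as they would appear in a resolver log
# or tshark output: ordinary lookups plus two tunnelling-style queries.
SAMPLE_QUERIES = [
    "www.google.com",
    "mail.example.org",
    "YTdiM2M5ZDEtZTVmMi00YThiLTljNmQtM2U3ZjhhMmI1Yzlk.attacker.com",
    "cdn.images.example.net",
    "MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6.attacker.com",
]


def shannon_entropy(text):
    """Bits of entropy per character; encoded payload scores far higher than words."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def score_query(name, max_label_len=30, entropy_threshold=3.5):
    """Return the reasons a query name looks like tunnelling (empty list = benign-looking).

    Only the longest label is scored, because a tunnel puts its payload in one
    label and the registered domain behind it looks ordinary. Thresholds are
    illustrative assumptions, not universal constants.
    """
    labels = [label for label in name.rstrip(".").split(".") if label]
    if not labels:
        return []
    longest = max(labels, key=len)
    reasons = []
    if len(longest) > max_label_len:
        reasons.append(f"long label ({len(longest)} chars)")
    entropy = shannon_entropy(longest)
    if entropy > entropy_threshold:
        reasons.append(f"high-entropy label ({entropy:.2f} bits/char)")
    return reasons


def flag_suspicious(queries):
    """Map each suspicious query name to the list of reasons it was flagged."""
    flagged = {}
    for name in queries:
        reasons = score_query(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_suspicious(SAMPLE_QUERIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A single flagged query is only a lead; what turns it into an alert is volume and shape, such as many distinct high-entropy labels under one domain in a short window, which is exactly the pattern the walkthrough's capture shows.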

Tools and Resources Used

  • Wireshark: For packet capture analysis
  • tshark: Command-line packet analysis
  • CyberChef: Online tool for decoding and data extraction
  • grep, cut, tr, base64: Command-line utilities for text processing and decoding

Challenge Summary and Methodology

  1. Reconnaissance: Analyze DNS traffic for suspicious patterns
  2. Extraction: Identify and extract encoded data from DNS queries
  3. Decoding: Reconstruct and decode the exfiltrated data
  4. Verification: Confirm the flag format and submit