Flash CTF – Name Game

Overview

A single packet capture: capture.pcap. A suspicious workstation was generating unusual DNS traffic, and we need to figure out what was exfiltrated.

Reconnaissance

Open capture.pcap in Wireshark. At first glance it looks like a normal pcap of random DNS queries for Google, GitHub, Discord, etc. But scrolling through the DNS queries, one domain stands out immediately:

4d657461.totallynotac2.meatctf.com
4354467b.totallynotac2.meatctf.com
646e735f.totallynotac2.meatctf.com
...

The base domain totallynotac2.meatctf.com is obviously suspicious. The subdomain prefixes — 4d6574614354467b646e735f — all look like hex strings.

What is this?

This is DNS exfiltration: a classic data exfiltration technique where an attacker encodes stolen data into DNS subdomain queries. Because outbound DNS is almost always permitted and rarely inspected (firewalls let it through and IDS rules seldom flag it), it is a stealthy channel for smuggling data out of a network.

The attacker’s tool on the compromised machine:

  1. Hex-encoded the stolen data
  2. Split it into 8-character chunks
  3. Sent one DNS query per chunk, using each chunk as a subdomain prefix
  4. Their C2 server logged the incoming queries and reassembled the data

Recovering the data

We can recover the hex payload and decode it with a bash one-liner built around tshark. The display filter keeps only query packets (dns.flags.response == 0) so that any responses echoing the same name do not duplicate chunks in the output:

tshark -r capture.pcap \
  -Y 'dns.qry.name contains "totallynotac2" && dns.flags.response == 0' \
  -T fields -e dns.qry.name \
  | sed 's/\.totallynotac2.*//' \
  | tr -d '\n' \
  | xxd -r -p
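The same reassembly as a standalone script, with a simple detection heuristic for the pattern described above (many distinct hex-only leftmost labels under one parent domain). This is an added example, not part of the original writeup; it assumes the input is the list of query names (responses already excluded), and the sample list below is constructed from the three labels quoted above plus benign names.

```python
import binascii
import re
from collections import defaultdict

# Constructed sample of dns.qry.name values as tshark prints them, one per query
# packet, in capture order. The three hex labels are the ones quoted in the
# writeup; the other names stand in for the benign background traffic.
SAMPLE_QUERY_NAMES = [
    "www.google.com",
    "4d657461.totallynotac2.meatctf.com",
    "api.github.com",
    "4354467b.totallynotac2.meatctf.com",
    "discord.com",
    "646e735f.totallynotac2.meatctf.com",
]

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")

def exfil_chunks(names, base_domain):
    """Leftmost label of every query under base_domain, in capture order.
    Capture order is the only sequencing this channel has, so a dropped or
    reordered packet shifts everything that follows it."""
    suffix = "." + base_domain
    return [n[: -len(suffix)].split(".")[0] for n in names if n.endswith(suffix)]

def reassemble(names, base_domain):
    """Concatenate the hex chunks and decode them to bytes (the job of the
    tr + xxd -r -p steps in the pipeline), refusing labels that are not hex."""
    chunks = exfil_chunks(names, base_domain)
    bad = [c for c in chunks if not HEX_LABEL.match(c)]
    if bad:
        raise ValueError("non-hex labels under %s: %r" % (base_domain, bad))
    return binascii.unhexlify("".join(chunks))

def hex_label_domains(names, min_distinct=3, min_len=6):
    """Detection heuristic: parent domains that receive at least min_distinct
    distinct queries whose leftmost label is pure hex of min_len or more chars.
    Returns {parent_domain: number_of_distinct_hex_labels}."""
    labels = defaultdict(set)
    for name in names:
        first, _, parent = name.partition(".")
        if parent and len(first) >= min_len and HEX_LABEL.match(first):
            labels[parent].add(first.lower())
    return {p: len(s) for p, s in labels.items() if len(s) >= min_distinct}

if __name__ == "__main__":
    print(hex_label_domains(SAMPLE_QUERY_NAMES))
    print(reassemble(SAMPLE_QUERY_NAMES, "totallynotac2.meatctf.com"))
```

On the sample the detector flags totallynotac2.meatctf.com with three distinct hex labels, and reassembly yields the first twelve bytes of the flag.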

Flag

MetaCTF{dns_15_alw4ys_th3_culpr1t}