Gist ajmeese7/dc577fa3539dfec0f5f498c56be73734, last active October 28, 2022 12:51
"Trick or Breach" Hack the Boo 2022 solution
# Extract the DNS query data from the pcap (queries only; responses repeat the question and would duplicate every chunk)
tshark -r ./capture.pcap -T fields -e dns.qry.name -Y 'dns.flags.response == 0' > raw_exfil.txt
# Narrow the information to only the hex-encoded data carried in the leftmost label of each query
grep -E -o "[0-9a-f]+\.pumpkincorp\.com" ./raw_exfil.txt | cut -d. -f1 > exfil.txt
1 0.000000 192.168.1.10 147.182.172.189 DNS 126 504b0304140008080800a52c47550000000000000000000000.pumpkincorp.com
2 0.217130 147.182.172.189 192.168.1.10 DNS 142 504b0304140008080800a52c47550000000000000000000000.pumpkincorp.com
3 1.062969 192.168.1.10 147.182.172.189 DNS 126 0018000000786c2f64726177696e67732f64726177696e6731.pumpkincorp.com
4 1.240617 147.182.172.189 192.168.1.10 DNS 142 0018000000786c2f64726177696e67732f64726177696e6731.pumpkincorp.com
5 2.069426 192.168.1.10 147.182.172.189 DNS 126 2e786d6c9dd05d6ec2300c07f013ec0e55de695a181343145e.pumpkincorp.com
# Unhex the exfiltrated data (xxd -r -p ignores the newlines between chunks)
xxd -r -p < exfil.txt > data
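The three commands above reassemble a file that was smuggled out in 25-byte chunks, one hex-encoded chunk per DNS query. The following Python script is an added example, not part of the gist, that performs the same reassembly on the five packet-list lines reproduced above and then inspects what came out. It assumes 192.168.1.10 is the host sending the queries (taken from the sample lines) and parses only the fixed 30-byte ZIP local file header; the leading bytes 504b0304 are the ZIP signature "PK\x03\x04", and the first archive member name, xl/drawings/drawing1.xml, is the layout of an Office Open XML spreadsheet. Responses are skipped for the same reason the gist filters on dns.flags.response == 0: the server echoes the question back, so counting both directions would double every chunk.

```python
import re
import struct

# The five tshark packet-list lines shown in the gist, embedded here as the sample input.
SAMPLE_PACKETS = """\
1 0.000000 192.168.1.10 147.182.172.189 DNS 126 504b0304140008080800a52c47550000000000000000000000.pumpkincorp.com
2 0.217130 147.182.172.189 192.168.1.10 DNS 142 504b0304140008080800a52c47550000000000000000000000.pumpkincorp.com
3 1.062969 192.168.1.10 147.182.172.189 DNS 126 0018000000786c2f64726177696e67732f64726177696e6731.pumpkincorp.com
4 1.240617 147.182.172.189 192.168.1.10 DNS 142 0018000000786c2f64726177696e67732f64726177696e6731.pumpkincorp.com
5 2.069426 192.168.1.10 147.182.172.189 DNS 126 2e786d6c9dd05d6ec2300c07f013ec0e55de695a181343145e.pumpkincorp.com
"""

EXFIL_DOMAIN = "pumpkincorp.com"
# Same pattern as the gist's grep: a run of hex digits as the leftmost label of the domain.
HEX_LABEL = re.compile(r"^([0-9a-f]+)\." + re.escape(EXFIL_DOMAIN) + r"$")
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def parse_packet_line(line):
    """Split one tshark packet-list line into (frame number, src, dst, query name)."""
    parts = line.split()
    if len(parts) < 7 or parts[4] != "DNS":
        return None
    return int(parts[0]), parts[2], parts[3], parts[6]


def hex_labels_from_queries(text, victim_ip):
    """Collect the hex labels carried by queries sent from victim_ip, in packet order.

    Responses are dropped: they repeat the question section, so keeping them
    would insert every chunk twice (the role of 'dns.flags.response == 0').
    """
    labels = []
    for line in text.splitlines():
        parsed = parse_packet_line(line)
        if parsed is None:
            continue
        _, src, _, qname = parsed
        if src != victim_ip:
            continue
        match = HEX_LABEL.match(qname)
        if match:
            labels.append(match.group(1))
    return labels


def reassemble(labels):
    """Concatenate the hex chunks and decode them, the equivalent of 'xxd -r -p'."""
    return bytes.fromhex("".join(labels))


def zip_first_member_name(data):
    """Return the file name in the first ZIP local file header, or None if absent.

    Header layout (little-endian): signature at 0, name length at 26,
    extra length at 28, name starting at 30.
    """
    if not data.startswith(ZIP_LOCAL_HEADER) or len(data) < 30:
        return None
    name_len, _extra_len = struct.unpack_from("<HH", data, 26)
    if len(data) < 30 + name_len:
        return None
    return data[30:30 + name_len].decode("ascii", errors="replace")


def chunk_sizes(labels):
    """Bytes per query: a constant size across chunks is a typical fingerprint of
    tooling that slices a file into fixed-width DNS labels."""
    return [len(label) // 2 for label in labels]


if __name__ == "__main__":
    chunks = hex_labels_from_queries(SAMPLE_PACKETS, "192.168.1.10")
    blob = reassemble(chunks)
    print(f"{len(chunks)} query chunks, {len(blob)} bytes, sizes {chunk_sizes(chunks)}")
    print("first ZIP member:", zip_first_member_name(blob))
```

On a full capture the same functions apply to the output of the gist's tshark command once it is run with the `-T fields` columns used here; the constant 25-byte chunk size and the hex-only leftmost label are also the features a DNS monitoring rule would key on.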