I Love Bacon!
metactf
Task: analyze a DNS-only PCAP with suspicious request/response pairs that look like encoded C2 traffic. Solution: ignore the noisy base32-like data, isolate the three anomalous responses with TTL 1337 where TXT equals the query label, and base32-decode the recovered fragments into the flag.
Description
PCAP containing suspicious DNS request activity to a C2.
English summary: the challenge provides a packet capture of DNS traffic that appears to carry encoded command-and-control data. The goal is to identify which packets contain the meaningful signal, reconstruct the hidden message, and recover the flag.
Analysis
The first pass over dns_c2.pcap shows a very regular pattern:
- 2000 packets total
- only UDP/DNS traffic
- 1000 DNS A queries from 10.67.0.2 to 10.1.1.53
- 1000 matching responses
- each response carries one TXT answer
- both the queried subdomain labels and the TXT values look like uppercase RFC 4648 base32 strings under *.dawg.cwa.sec
That strongly suggests DNS-based exfiltration or C2. However, decoding everything is a trap: most entries decode to high-entropy junk and do not produce useful plaintext.
The real clue is an anomaly in the DNS responses. Three packets stand out because their response TTL is 1337, while the rest use ordinary-looking values. Those three responses also have an exact equality between the TXT answer and the query label, which does not happen in the surrounding noise.
The key packets are:
- frame 534
- frame 910
- frame 1824
Using TTL as the hunting pivot isolates the signal immediately. Extracting only those three responses yields three base32 fragments, which concatenated in frame order read:
IRQXOZ2DKRDHW4ZRPJ5GY2LOL5ZXKY3DOVWDG3TUL5RTEX3CGRRW63T5
Base32-decoding them gives readable ASCII chunks, and concatenating the chunks reconstructs the full flag:
DawgCTF{s1zzlin_succul3nt_c2_b4con}
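The hunt described above, written out as a stand-alone script. This is an added example, not the writeup author's solution: it parses DNS response messages from raw UDP payloads (no scapy), keeps only TXT answers whose TTL is 1337 and whose text equals the queried first label, and base32-decodes the concatenated fragments. Because the PCAP itself is not on the page, the capture is replaced by a constructed in-memory sample of base32-looking noise plus the three signal responses; the split of the recovered string into three fragments is an assumption (the real per-frame split is not given), as is the `dawg.cwa.sec` suffix being carried directly as the question name.

```python
import base64
import random
import struct

DOMAIN = "dawg.cwa.sec"   # query suffix named in the writeup
MAGIC_TTL = 1337          # anomalous TTL that marks the signal responses
TYPE_TXT = 16

def encode_name(name):
    """Encode a dotted name in DNS wire format (uncompressed)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_txt_response(label, txt, ttl, txid=0x1337):
    """Constructed sample packet: one question for <label>.DOMAIN and one TXT answer."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)          # QR|RD|RA, 1 question, 1 answer
    question = encode_name(f"{label}.{DOMAIN}") + struct.pack(">HH", 1, 1)  # qtype A, as in the capture
    rdata = bytes([len(txt)]) + txt.encode("ascii")                     # TXT rdata: <len><chars>
    # answer name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def read_name(msg, off):
    """Read a DNS name at off, following compression pointers; returns (name, offset after the field)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                         # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg):
    """Parse a single-question DNS response into (qname, [(rtype, ttl, rdata), ...])."""
    _, _, _, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4                                          # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return qname, answers

def txt_value(rdata):
    """Join the <len><chars> strings of a TXT record into one string."""
    out, off = [], 0
    while off < len(rdata):
        n = rdata[off]
        out.append(rdata[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return "".join(out)

def hunt_fragments(payloads):
    """The pivot from the writeup: TXT answers with TTL 1337 whose text equals the queried first label."""
    frags = []
    for msg in payloads:
        qname, answers = parse_response(msg)
        label = qname.split(".")[0]
        for rtype, ttl, rdata in answers:
            if rtype == TYPE_TXT and ttl == MAGIC_TTL and txt_value(rdata) == label:
                frags.append(label)
    return frags

def decode_flag(frags):
    """Concatenate fragments in capture order and base32-decode, restoring any stripped '=' padding."""
    joined = "".join(frags)
    return base64.b32decode(joined + "=" * (-len(joined) % 8)).decode("ascii")

FLAG_B32 = "IRQXOZ2DKRDHW4ZRPJ5GY2LOL5ZXKY3DOVWDG3TUL5RTEX3CGRRW63T5"  # recovered string from the writeup
SIGNAL = [FLAG_B32[:24], FLAG_B32[24:40], FLAG_B32[40:]]              # assumed split; real per-frame split unknown

def sample_capture():
    """Constructed stand-in for dns_c2.pcap: base32-looking noise plus the three TTL-1337 responses."""
    rng = random.Random(7)
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

    def junk(n):
        return "".join(rng.choice(alphabet) for _ in range(n))

    payloads, signal_slots = [], {5: 0, 11: 1, 17: 2}
    for i in range(20):
        # noise: label and TXT are unrelated base32 strings with ordinary TTLs
        payloads.append(build_txt_response(junk(24), junk(24), ttl=rng.choice([60, 300, 3600])))
        if i in signal_slots:
            frag = SIGNAL[signal_slots[i]]
            payloads.append(build_txt_response(frag, frag, ttl=MAGIC_TTL))
    return payloads

if __name__ == "__main__":
    found = hunt_fragments(sample_capture())
    print(found)
    print(decode_flag(found))
```

On a real capture, replace `sample_capture()` with the UDP payloads of the DNS responses read from the PCAP (any PCAP reader will do); the parser handles uncompressed and pointer-compressed names but deliberately ignores qtype, so it works whether the questions are A or TXT lookups.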
Solution
...