kashiCTF 2026 - Easy Forensics

A network analysis challenge where data was exfiltrated via DNS queries.

Challenge Description

A network capture was obtained from an internal monitoring system after suspicious activity was detected. The traffic appears mostly benign, but analysts believe data was covertly exfiltrated during normal communication.

Initial Reconnaissance

Check the protocol distribution of capture.pcap with tshark's protocol hierarchy statistics (-q suppresses the per-packet output, -z io,phs prints the hierarchy):

tshark -r capture.pcap -q -z io,phs

The hierarchy shows that 100% of the traffic is DNS. A DNS-only capture flagged for exfiltration is the textbook shape of a DNS tunnel, so the query names are the place to look next.

DNS Query Analysis

Extracting the DNS query names reveals two distinct patterns:

1. Repetitive queries for common domains like kashi.com and amazon.com (likely noise).
2. High-entropy subdomains under .exfil.internal.

Extracting the subdomains. Only requests are kept (dns.flags.response == 0), because each response repeats the query name and would otherwise list every chunk twice; grep -F matches the suffix literally so the dots are not treated as regex wildcards:

tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name | grep -F '.exfil.internal'
# Example output:
# NNQXG2DJINKE.exfil.internal
# M63ENZZV6ZLY.exfil.internal
# MZUWY5DSMF2G.exfil.internal
# S33OL5UXGX3T.exfil.internal
# NZSWC23ZPU.exfil.internal

Data Recovery

The labels (e.g., NNQXG...) use only uppercase letters and the digits 2-7, which is the Base32 alphabet, and their total length is not a multiple of 8: the '=' padding was dropped because it is not a legal hostname character. Concatenating the labels in capture order and restoring the padding recovers the secret payload:

import base64

# Payload labels in capture order, suffix stripped and concatenated
encoded_payload = "NNQXG2DJINKEM63ENZZV6ZLYMZUWY5DSMF2GS33OL5UXGX3TNZSWC23ZPU"

# Base32 needs a multiple of 8 characters; the '=' padding cannot travel in a
# DNS label, so restore it here (58 chars -> 6 '=') instead of hard-coding it
padded = encoded_payload + "=" * (-len(encoded_payload) % 8)

decoded = base64.b32decode(padded).decode()
print(f"Decoded flag: {decoded}")
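The whole pipeline in one place, as an added example that is not part of the original writeup: it parses constructed tshark output (the `-e dns.flags.response -e dns.qry.name` field pair; the noise hostnames www.kashi.com and cdn.amazon.com are made up for contrast, the five exfil labels are the ones quoted above), scores each parent domain by the Shannon entropy of its leftmost label so the exfil domain is singled out without eyeballing the list, and then reassembles and Base32-decodes the chunks with the padding computed rather than hard-coded. The 3.0-bit threshold, the helper names and the acceptance of both 0/1 and False/True for the boolean field are assumptions.

```python
import base64
import math
from collections import defaultdict

# Constructed sample standing in for
#   tshark -r capture.pcap -T fields -e dns.flags.response -e dns.qry.name
# Each request (flag 0) is followed by its response (flag 1), which repeats the
# query name. The exfil labels are the five quoted in the writeup; the noise
# hostnames are made up for contrast.
SAMPLE_TSHARK_OUTPUT = """\
0\twww.kashi.com
1\twww.kashi.com
0\tNNQXG2DJINKE.exfil.internal
1\tNNQXG2DJINKE.exfil.internal
0\tcdn.amazon.com
1\tcdn.amazon.com
0\tM63ENZZV6ZLY.exfil.internal
1\tM63ENZZV6ZLY.exfil.internal
0\tMZUWY5DSMF2G.exfil.internal
1\tMZUWY5DSMF2G.exfil.internal
0\twww.kashi.com
1\twww.kashi.com
0\tS33OL5UXGX3T.exfil.internal
1\tS33OL5UXGX3T.exfil.internal
0\tNZSWC23ZPU.exfil.internal
1\tNZSWC23ZPU.exfil.internal
"""


def parse_queries(tshark_output: str) -> list[str]:
    """Return query names from request packets only, in capture order.

    Responses carry the same dns.qry.name as the request, so keeping them
    would double every chunk. Assumption: tshark prints the boolean as
    0/1 or False/True depending on version, so both spellings are accepted.
    """
    queries = []
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        flag, name = line.split("\t", 1)
        if flag in ("0", "False"):
            queries.append(name.rstrip("."))
    return queries


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    # `or 0.0` normalises the -0.0 a single-character alphabet produces
    return sum(-(c / n) * math.log2(c / n) for c in counts.values()) or 0.0


def rank_parents_by_entropy(queries: list[str]) -> dict[str, float]:
    """Mean entropy of the leftmost label, grouped by the rest of the name.

    Human-chosen hostnames (www, cdn, mail) score low; Base32 or hex chunks
    sit near the maximum for their length, which is log2(len) for all-unique
    characters (about 3.6 bits for a 12-character label).
    """
    per_parent = defaultdict(list)
    for name in queries:
        labels = name.split(".")
        if len(labels) < 3:
            continue  # a bare registered domain carries no payload label
        per_parent[".".join(labels[1:])].append(shannon_entropy(labels[0]))
    return {p: sum(e) / len(e) for p, e in per_parent.items()}


def recover_payload(queries: list[str], parent: str) -> bytes:
    """Concatenate the payload labels under `parent` and Base32-decode them.

    Base32 needs a multiple of 8 characters; the exfil side stripped the
    '=' padding (illegal in a hostname), so it is recomputed here.
    """
    suffix = "." + parent
    encoded = "".join(q[: -len(suffix)] for q in queries if q.endswith(suffix))
    encoded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(encoded)


def solve(tshark_output: str = SAMPLE_TSHARK_OUTPUT, threshold: float = 3.0) -> dict:
    """Flag parent domains whose labels look encoded and decode their payloads."""
    queries = parse_queries(tshark_output)
    scores = rank_parents_by_entropy(queries)
    flagged = [p for p, score in scores.items() if score >= threshold]
    return {
        "scores": scores,
        "flagged": flagged,
        "payloads": {p: recover_payload(queries, p) for p in flagged},
    }


if __name__ == "__main__":
    result = solve()
    for parent, score in result["scores"].items():
        print(f"{parent:20s} mean label entropy {score:.2f} bits")
    for parent, payload in result["payloads"].items():
        print(f"{parent}: {payload.decode(errors='replace')}")
```

Against a real capture, feed it `tshark -r capture.pcap -T fields -e dns.flags.response -e dns.qry.name` instead of the sample. The entropy score is a triage aid, not proof: short human labels such as "support" already reach about 2.5 bits, and a long label's ceiling grows with its length, so the threshold is per capture, and query volume to a single parent domain is the second signal worth checking before decoding.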

Flag

kashiCTF{dns_exfiltration_is_sneaky}