Description: I tried to download the flag, but somehow received only 404 errors :( Hint: The last step is to look for flag pattern.

(misc80, solved by 292)



We are provided with a pcapng file, after opening the file in wireshark we can see that it contains some HTTP Requests (without answers) and some DNS lookups.

After looking at it for a while we noticed that the hostnames looked interesting, the first part of the hostname looked like hex-encoded ascii.

I wrote a small python-script that decodes the pcap and the DNS queries:

(I could not get python to read the pcapng so i converted it to pcap using pcapng)

#!/usr/bin/env python

import base64
import re

from scapy.all import *
from scapy.layers.dns import DNSRR, DNS, DNSQR

pcap = './flag.s0i0.pcap'
pkts = rdpcap(pcap)

lst = []

for p in pkts:

    if p.haslayer(DNS):

	if p.qdcount > 0 and isinstance(p.qd, DNSQR):
            q = p.qd.qname
	    m ='([^.]+)', q);
	    h =
	    s =  ''.join([chr(int(''.join(c), 16)) for c in zip(h[0::2],h[1::2])])
	    if s not in lst:

print lst

The script generated the following output:

["In the end, it's all about fla", 'gs.\nWhether you win or lose do', "esn't matter.\n{Ofc, winning is", ' cooler\nDid you find other fla', 'gs?\nNoboby finds other flags!\n', 'Superman is my hero.\n_HERO!!!_', "\nHelp me my friend, I'm lost i", 'n my own mind.\nAlways, always,', ' for ever alone.\nCrying until ', "I'm dying.\nKings never die.\nSo", ' do I.\n}!\n']

Pretty printed:

In the end, it's all about flags.
Whether you win or lose doesn't matter.
{Ofc, winning is cooler
Did you find other flags?
Noboby finds other flags!
Superman is my hero.
Help me my friend, I'm lost in my own mind.
Always, always, for ever alone.
Crying until I'm dying.
Kings never die.
So do I.

We know the flag format and could see that the first letter after \n matches the format

We now have the flag : IW{DNS_HACKS}