DESCRIPTION
A security researcher was inspecting traffic from a compromised network. Reviewing HTTP, HTTPS, IMAP and SSH packets, he was not able to find anything suspicious. But after discussions with other security researchers, he decided to inspect DNS traffic. To his surprise, the DNS requests and responses contained very interesting artifacts from the 2020.cboe DNS zone. Try to find the flag from the DNS server 10.195.165.113.
QUESTION
Can you find the flag on the DNS server?
SOLUTION
First pass: the usual queries against the zone (zone transfer, TXT, A, AAAA and the SPF record):

```bash
dig 2020.cboe @10.195.165.113
dig @10.195.165.113 AXFR 2020.cboe
dig @10.195.165.113 TXT 2020.cboe
dig @10.195.165.113 A 2020.cboe
dig @10.195.165.113 AAAA 2020.cboe
dig @10.195.165.113 TXT _spf.2020.cboe
```
Brute forcing subdomains with /usr/share/dnsenum/dns.txt (the long CNAME targets are cut off at the opening parenthesis in this output):

```shell
_______________________________________________
11.2020.cboe. 604800 IN CNAME (
25.2020.cboe. 604800 IN CNAME (
27.2020.cboe. 604800 IN CNAME (
28.2020.cboe. 604800 IN CNAME (
29.2020.cboe. 604800 IN CNAME (
30.2020.cboe. 604800 IN CNAME (
33.2020.cboe. 604800 IN CNAME (
34.2020.cboe. 604800 IN CNAME (
36.2020.cboe. 604800 IN CNAME (
37.2020.cboe. 604800 IN CNAME (
7.2020.cboe. 604800 IN CNAME (
ftp.2020.cboe. 604800 IN A 10.20.30.10
ns.2020.cboe. 604800 IN A 127.0.0.1
owa.2020.cboe. 604800 IN A 10.30.10.11
pop.2020.cboe. 604800 IN CNAME www.2020.cboe.
www.2020.cboe. 604800 IN A 10.20.10.13
relay.2020.cboe. 604800 IN CNAME www.2020.cboe.
www.2020.cboe. 604800 IN A 10.20.10.13
server.2020.cboe. 604800 IN A 10.10.10.1
smtp.2020.cboe. 604800 IN CNAME www.2020.cboe.
www.2020.cboe. 604800 IN A 10.20.10.13
w.2020.cboe. 604800 IN A 10.20.10.11
webmail.2020.cboe. 604800 IN A 10.30.10.12
ww.2020.cboe. 604800 IN A 10.20.10.12
www.2020.cboe. 604800 IN A 10.20.10.13
wwww.2020.cboe. 604800 IN A 10.20.10.14
```
Querying one of the numbered names directly shows the full CNAME target: five 32-character hex labels under the zone, and the first bytes (1f 8b 08) are the gzip magic:

```shell
$ dig TXT @10.195.165.113 1.2020.cboe
; <<>> DiG 9.16.6-Debian <<>> TXT @10.195.165.113 1.2020.cboe
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9484
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3a777dfa8a444bf2010000005fb520b495c41c72489c51a5 (good)
;; QUESTION SECTION:
;1.2020.cboe. IN TXT
;; ANSWER SECTION:
1.2020.cboe. 604800 IN CNAME 1f8b08000311a95f0003ed97e9371b08.f7c733d38e3eaded747e7ddaa141a794.e9a8aa7d09525555a362ab2a41c65251.4bad11846430ade9a8a50d554b84d652.fb4ed1242a53a176aad624d508498825.2020.cboe.
;; AUTHORITY SECTION:
2020.cboe. 604800 IN SOA ns.2020.cboe. root.2020.cboe. 29 604800 86400 2419200 604800
;; Query time: 0 msec
;; SERVER: 10.195.165.113#53(10.195.165.113)
;; WHEN: Wed Nov 18 15:25:03 EET 2020
;; MSG SIZE rcvd: 300
```
CNAME queries for {1..42}.2020.cboe return stable results (the same target on every query). Let's see what happens if we take all the hex labels, in order, and concatenate them:

```shell
root@cboekali-100:~# for f in {1..42}; do nslookup -type=cname $f.2020.cboe 10.195.165.113 | tail -n 2 | head -n 1 | awk '/canonical/ { print $5 }' | sed -e 's/.2020.cboe.//'; done | tr '.' ' ' > alldns.txt
```
Hex decoded:

14c4d98c-e786-46de-95b9-5635d4f10295

Yes, it was correct.

The full chain: hex-encoded CNAME labels -> gzipped file -> PNG file -> flag.
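As an added example (not part of the original writeup, and not the author's script), the following Python code does what the nslookup loop above does by hand: it strips the zone suffix from each numbered CNAME target, joins the hex labels in numeric order (1, 2, ..., n rather than 1, 10, 11, ...), decodes them and checks the magic bytes of the result before gunzipping. The record layout (32-character hex labels, five per record, numbered names) is taken from the dig output above; the first record is quoted from the page, while the round-trip sample data is constructed here. The `looks_like_carrier` check is a generic triage test for hex-only CNAME targets, which is also the kind of signal a DNS log review would key on; it is an assumption of this example, not something the post described.

```python
import gzip
import random
import re

ZONE = "2020.cboe."    # zone from the writeup; records are N.2020.cboe -> <hex labels>.2020.cboe.
LABEL_LEN = 32         # hex characters per label, as in the observed CNAME targets
LABELS_PER_RECORD = 5  # five labels (80 bytes) per record, as in the observed CNAME targets
GZIP_MAGIC = b"\x1f\x8b\x08"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
HEX_LABEL = re.compile(r"[0-9a-f]+")

# First record exactly as it appears in the dig output on this page.
SAMPLE_RECORD_1 = ("1f8b08000311a95f0003ed97e9371b08.f7c733d38e3eaded747e7ddaa141a794."
                   "e9a8aa7d09525555a362ab2a41c65251.4bad11846430ade9a8a50d554b84d652."
                   "fb4ed1242a53a176aad624d508498825.2020.cboe.")


def hex_labels(target: str, zone: str = ZONE) -> str:
    """Strip the zone suffix from a CNAME target and join its labels into one hex string.
    Raises ValueError for targets outside the zone or with non-hex labels."""
    if not target.endswith("." + zone):
        raise ValueError(f"{target!r} is not under {zone}")
    labels = target[: -(len(zone) + 1)].split(".")
    bad = [lab for lab in labels if not HEX_LABEL.fullmatch(lab)]
    if bad:
        raise ValueError(f"non-hex labels: {bad}")
    return "".join(labels)


def looks_like_carrier(target: str, zone: str = ZONE) -> bool:
    """Triage check (assumption of this example): a CNAME target made only of long hex labels.
    Ordinary targets such as www.2020.cboe. fail it; the numbered records above pass it."""
    if not target.endswith("." + zone):
        return False
    labels = target[: -(len(zone) + 1)].split(".")
    return all(HEX_LABEL.fullmatch(lab) and len(lab) >= 16 for lab in labels)


def reassemble(records: dict, zone: str = ZONE) -> bytes:
    """Order records by their leading numeric label, concatenate the hex and decode it.
    Records whose first label is not a number (www, relay, ...) are ignored."""
    numbered = [name for name in records if name.split(".")[0].isdigit()]
    numbered.sort(key=lambda name: int(name.split(".")[0]))
    return bytes.fromhex("".join(hex_labels(records[name], zone) for name in numbered))


def classify(blob: bytes) -> str:
    """Identify the container by its magic bytes: 'gzip', 'png' or 'unknown'."""
    if blob.startswith(GZIP_MAGIC):
        return "gzip"
    if blob.startswith(PNG_MAGIC):
        return "png"
    return "unknown"


def unpack(blob: bytes) -> bytes:
    """Strip gzip layers until the payload is no longer gzip (the writeup needed exactly one)."""
    while classify(blob) == "gzip":
        blob = gzip.decompress(blob)
    return blob


def encode_records(payload: bytes, zone: str = ZONE) -> dict:
    """Constructed helper used only to build sample data: split a payload into numbered records
    with the same layout as the zone (32-character hex labels, five per record)."""
    hexed = payload.hex()
    per_record = LABEL_LEN * LABELS_PER_RECORD
    records = {}
    for idx, start in enumerate(range(0, len(hexed), per_record), start=1):
        chunk = hexed[start:start + per_record]
        labels = [chunk[j:j + LABEL_LEN] for j in range(0, len(chunk), LABEL_LEN)]
        records[f"{idx}.{zone}"] = ".".join(labels) + "." + zone
    return records


def demo_roundtrip() -> tuple:
    """Constructed round trip: a gzipped blob carrying a PNG signature plus incompressible
    filler, spread over records, mixed with a normal CNAME, then reassembled and unpacked."""
    fake_png = PNG_MAGIC + random.Random(1).randbytes(1024)  # not a real image
    payload = gzip.compress(fake_png)
    records = encode_records(payload)
    records["relay." + ZONE] = "www." + ZONE  # normal record, ignored by reassemble()
    blob = reassemble(records)
    return len(records) - 1, classify(blob), blob == payload, unpack(blob) == fake_png


if __name__ == "__main__":
    print("record 1 from the page decodes to:", classify(bytes.fromhex(hex_labels(SAMPLE_RECORD_1))))
    n, kind, same, png_ok = demo_roundtrip()
    print(f"constructed sample: {n} records -> {kind}, reassembled={same}, png={png_ok}")
```

The numeric sort matters: dnsenum and a plain `sort` list 11.2020.cboe before 2.2020.cboe, and a gzip stream reassembled in that order will not decompress.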