Data Exfil

We're given a ZIP archive which contains various log files and a packet capture. I only used the PCAP for this challenge, so I cannot tell whether the log files are of any help. First we try the usual steps when dealing with a packet capture: following TCP and HTTP streams and trying to export transmitted objects via File -> Export Objects. However, none of these steps lead to anything useful here.

When we look at the different protocols, we discover that the host uses two different DNS servers: (Google) and While the responses from the first DNS server look legitimate (what could go wrong with Google?), those of the second server carry weird subdomains in the queried names. We filter these responses in Wireshark with ip.src == and sort the result in ascending order by packet number.


Then we copy two or three packets (e.g. 180, 182 and 184) as printable text and feed the subdomains into a hex decoder. Below you can see the three subdomains:


and their decoded counterparts, which contain the flag:
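The decoding step above can be automated instead of copying packets by hand. The script below is an added example, not part of the original writeup: it builds three constructed DNS queries in wire format (a made-up flag split into hex-encoded labels under a made-up zone `exfil.example`), parses the QNAME out of each query, keeps only labels that consist solely of hex digits, and joins the decoded chunks. The transaction id stands in for the packet number as the ordering key; that mapping is an assumption of the example, not something the capture guarantees.

```python
import re
import struct

# Labels made only of hex digit pairs are the signature of the encoding seen in the capture.
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2})+$", re.IGNORECASE)

def build_query(txid: int, qname: str) -> bytes:
    """Constructed helper: minimal DNS query (type A, class IN) in wire format for the sample."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags (RD), 1 question
    body = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    return header + body + b"\x00" + struct.pack(">HH", 1, 1)

def parse_query(packet: bytes):
    """Return (transaction id, qname) of the first question; queries use no name compression."""
    txid = struct.unpack(">H", packet[:2])[0]
    offset, labels = 12, []
    while packet[offset] != 0:  # walk length-prefixed labels until the terminating zero byte
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return txid, ".".join(labels)

def decode_hex_labels(qname: str, zone: str) -> bytes:
    """Strip the attacker-controlled zone, keep the hex-looking labels, decode them in order."""
    sub = qname[: -len(zone) - 1] if qname.endswith("." + zone) else qname
    return b"".join(bytes.fromhex(label) for label in sub.split(".") if HEX_LABEL.match(label))

def reassemble(packets, zone: str) -> bytes:
    """Order queries by transaction id (assumed to follow packet order) and join the chunks."""
    decoded = [parse_query(p) for p in packets]
    return b"".join(decode_hex_labels(qname, zone) for _, qname in sorted(decoded))

# Constructed sample: three queries carrying chunks of a made-up flag, deliberately out of order.
ZONE = "exfil.example"
SAMPLE = [
    build_query(182, b"constr".hex() + "." + ZONE),
    build_query(180, b"flag{".hex() + "." + ZONE),
    build_query(184, b"ucted}".hex() + "." + ZONE),
]

if __name__ == "__main__":
    print(reassemble(SAMPLE, ZONE))
```

On a real capture, the same `parse_query` can be applied to the UDP payloads of every query sent to the suspicious resolver, and `decode_hex_labels` leaves ordinary names such as `www.google.com` untouched because their labels are not hex.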