Forensics
Hard
300 points

Exfiltrated

Recuite 2025 - HCMUS
October 6, 2025
DNS Exfiltration
SAM
NTLM
Password Cracking

Exfiltrated - Writeup

Challenge Information

  • Category: Forensics
  • File: capture.pcap
  • Hint: Flag is the Administrator login password, wrapped in BPCTF{}

Analysis

DNS Exfiltration Pattern

All traffic consists of DNS queries to the suspicious domain rnicrosofft.xyz (a typosquatted name).

Pattern:

  • Queries to *.N.updates.rnicrosofft.xyz (N = sequence number)
  • Each leading subdomain label carries a base64-encoded chunk of the payload
  • The first chunk begins with H4sIAAAAAAAAA → this is the base64 encoding of a gzip header (magic bytes 1f 8b 08), so the reassembled data is gzip-compressed

Example:

H4sIAAAAAAAAA+w8CXiURZbVgUCCHEECBAT5EZRACHQuEhiFXJ.0.updates.rnicrosofft.xyz
ySEBMDEUXSJJ2kSae77e4AAZQojGR00Kxnxs36RfFz4/WZGY9h.1.updates.rnicrosofft.xyz

Data Extraction

import subprocess, re, base64, gzip

# Extract DNS traffic (tcpdump prints one query per line)
result = subprocess.run(['tcpdump', '-r', 'capture.pcap', '-n', 'port 53'],
                        capture_output=True, text=True, check=True)

# Parse by sequence number. tcpdump query lines look like:
#   "<txid>+ TXT? <base64 chunk>.<N>.updates.rnicrosofft.xyz."
dns_data = {}
pattern = r'\d+\+ TXT\? ([A-Za-z0-9+/=]+)\.(\d+)\.updates\.rnicrosofft\.xyz'

for line in result.stdout.split('\n'):
    match = re.search(pattern, line)
    if match:
        # keyed by N; a retransmitted query simply overwrites the same chunk
        dns_data[int(match.group(2))] = match.group(1)

# Assemble in sequence order and decompress
combined = ''.join(dns_data[i] for i in sorted(dns_data))
decoded = base64.b64decode(combined)
decompressed = gzip.decompress(decoded)

print(len(dns_data), 'chunks,', len(combined), 'bytes base64,',
      len(decompressed), 'bytes decompressed')
with open('exfiltrated_data.bin', 'wb') as f:
    f.write(decompressed)

Preliminary Results:

  • 55,116 DNS chunks
  • 2,755,796 bytes base64
  • 11,079,680 bytes decompressed

Exfiltrated Files

file exfiltrated_data.bin
# POSIX tar archive

tar -xvf exfiltrated_data.bin
# Extraction result: SAM, SYSTEM

Windows registry hives:

  • SAM: Security Account Manager (contains password hashes)
  • SYSTEM: Contains boot key used to decrypt SAM

Extract Password Hash

Use pypykatz (or a similar tool) on the SAM and SYSTEM hives; the SYSTEM hive supplies the boot key needed to decrypt the hashes in SAM:

pypykatz registry --sam SAM SYSTEM

Example Output:

Boot Key: 9a2ff52cd74d450e0c309f9ba1875d63
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e05a7fb0593bee4aab25939341c46065:::

Administrator NTLM hash: e05a7fb0593bee4aab25939341c46065

Crack Password

The NTLM hash cracks to: blackpinker597

Verification:

from passlib.hash import nthash
nthash.hash("blackpinker597")
# Result: 'e05a7fb0593bee4aab25939341c46065'  ✓

Flag

BPCTF{blackpinker597}

Key Takeaways

Attack Pattern

  • DNS is usually allowed outbound even where other egress is filtered, so it can be used to bypass network security controls.
  • Data is chunked, base64-encoded, and embedded in subdomains.
  • Sequence numbers are used to reassemble in correct order.
  • Compression (gzip) is used to reduce transmission size.

Detection

  1. High volume of unusual DNS queries (here, TXT queries) to one domain.
  2. Suspicious/typosquatting domains (e.g. rnicrosofft.xyz).
  3. Long subdomains containing base64 strings.
  4. Sequential patterns in subdomain names.
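As an added detection example (not part of the original writeup), the following Python applies heuristics 3 and 4 to a constructed DNS query log: it groups queries by client and registrable domain, counts long base64-only leading labels, and checks whether the numeric second label forms a contiguous sequence. The log lines, the 30-character label length and the 3-chunk alert threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample query log (not the challenge capture): "<ts> <client> <qtype> <qname>"
SAMPLE_LOG = """\
1696579200 10.0.0.5 TXT H4sIAAAAAAAAA+w8CXiURZbVgUCCHEECBAT5EZRACHQuEhiFXJ.0.updates.rnicrosofft.xyz
1696579200 10.0.0.5 TXT ySEBMDEUXSJJ2kSae77e4AAZQojGR00Kxnxs36RfFz4/WZGY9h.1.updates.rnicrosofft.xyz
1696579201 10.0.0.5 TXT Qm9yaW5nIGxhYmVsIHRoYXQgaXMgbG9uZyBhbmQgYmFzZTY0.2.updates.rnicrosofft.xyz
1696579201 10.0.0.7 A www.microsoft.com
1696579202 10.0.0.9 TXT _dmarc.example.com
"""

# A label this long made only of base64 characters is a data carrier, not a hostname.
B64_LABEL = re.compile(r'^[A-Za-z0-9+/=]{30,}$')
MIN_CHUNKS = 3  # assumed threshold: fewer chunked queries than this is not alerted on

def parse_line(line):
    _ts, client, qtype, qname = line.split()
    labels = qname.rstrip('.').split('.')
    return client, qtype, labels

def detect_exfil(log_text, min_chunks=MIN_CHUNKS):
    """Group queries by (client, registrable domain) and flag sequenced base64 labels."""
    groups = defaultdict(lambda: {'queries': 0, 'chunks': 0, 'seq': set(), 'qtypes': set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, labels = parse_line(line)
        key = (client, '.'.join(labels[-2:]))  # assumes a two-label registrable domain
        g = groups[key]
        g['queries'] += 1
        g['qtypes'].add(qtype)
        # Shape seen in the writeup: <base64 chunk>.<sequence number>.<rest of domain>
        if len(labels) >= 3 and B64_LABEL.match(labels[0]) and labels[1].isdigit():
            g['chunks'] += 1
            g['seq'].add(int(labels[1]))
    findings = []
    for (client, domain), g in groups.items():
        if g['chunks'] < min_chunks:
            continue
        seq = sorted(g['seq'])
        contiguous = seq == list(range(seq[0], seq[0] + len(seq)))  # no gaps in N
        findings.append({'client': client, 'domain': domain, 'queries': g['queries'],
                         'chunks': g['chunks'], 'first_seq': seq[0], 'last_seq': seq[-1],
                         'contiguous': contiguous, 'qtypes': sorted(g['qtypes'])})
    return findings

if __name__ == '__main__':
    print(detect_exfil(SAMPLE_LOG))
```

On the constructed log only the (10.0.0.5, rnicrosofft.xyz) pair is reported; the Microsoft and DMARC lookups have short, non-base64 labels and produce nothing.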

Mitigation

  • Monitor DNS anomalies (volume / pattern).
  • Limit DNS query length and frequency.
  • Block/blacklist suspicious domains.
  • Deploy DNS filtering and DNS logging solutions.
  • Protect registry hives (SAM/SYSTEM) and restrict physical/privileged access.
  • Use strong, unique passwords and secure password management policies.

Tools Used

  • tcpdump — packet analysis
  • pypykatz — credential extraction from SAM/SYSTEM
  • passlib (or hashcat/john) — verify / crack NTLM
  • gzip, tar — handle compression and archives