---
title: Extract stream from dns
tags: CTF
---

### Extract stream from dns

##### Description:

Whispers in conversation can lead you to where the data is hiding. Pay attention to strange numbers and fleeting names. The secret lies in the silence, but not without a trace.

![image](https://hackmd.io/_uploads/SkpaIXofgg.png)

###### Following the TCP and HTTP streams showed nothing of interest, and there are no HTTP objects to export, so I listed the DNS query names instead:

```bash!
tshark -r chaos_ransom.pcap -Y "dns" -T fields -e dns.qry.name
```

##### I noticed something unusual in the domain names

![image](https://hackmd.io/_uploads/H1S8wQiMeg.png)

That led me to the TCP traffic on ports 8080, 8081 and 8082. Each port carries exactly one stream (95 → 8080, 98 → 8081, 102 → 8082), and each stream is a single 139-byte client-to-server payload that is clearly not text (the `sort -u` output is lexicographic, so 102 is listed before 95):

```bash!
┌──(kali㉿kali)-[~/Desktop/chall2 day2]
└─$ tshark -r chaos_ransom.pcap -Y "tcp.port == 8080 || tcp.port == 8081 || tcp.port == 8082" -T fields -e tcp.stream | sort -u
102
95
98

┌──(kali㉿kali)-[~/Desktop/chall2 day2]
└─$ tshark -r chaos_ransom.pcap -qz follow,tcp,ascii,95

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 95
Node 0: 192.168.1.100:12360
Node 1: 192.168.1.101:8080
139
..VQ_UUUUU4S..UUUUUUUUUUUU_UUU<8%:'!4;!z..VQAU\U6UC\.....i.UUUzUUUGU^U<8%:'!4;!z3942{!-!T.RUTU..V]UQ...k......5Z..W.......h.{.....`f.^4 dN%
===================================================================

┌──(kali㉿kali)-[~/Desktop/chall2 day2]
└─$ tshark -r chaos_ransom.pcap -qz follow,tcp,ascii,98

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 98
Node 0: 192.168.1.100:12361
Node 1: 192.168.1.101:8081
139
x.F....m.pd...k../..:..?...O.C.lR.8....R]...i.UUUzUUU..TWJU_UUUUU4S..UUUUUUUUUUUU_UqUUUUUUUEUUUUUUU<8%:'!4;!z_UuUUUUUTUMU.s .H..T.s .H..TM3
===================================================================

┌──(kali㉿kali)-[~/Desktop/chall2 day2]
└─$ tshark -r chaos_ransom.pcap -qz follow,tcp,ascii,102

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 102
Node 0: 192.168.1.100:12362
Node 1: 192.168.1.101:8082
139
.H..TT.RUTU..V]U..PSUUUUWUWU.UUU.UUUUUUUUUUUuUUU}UUU<8%:'!4;!z3942{!-!_UuUUUUUTUMU(i.cu..T(i.cu..T..
===================================================================
```

The repeated `U` (0x55) runs where a file format would normally have zero bytes are the tell-tale sign of a single-byte XOR with key 0x55.

###### Dump the three streams as raw hex

```bash!
┌──(kali㉿kali)-[~/Desktop/chall2 day2]
└─$ tshark -r chaos_ransom.pcap -qz follow,tcp,raw,98 > stream98.hex

┌──(kali㉿kali)-[~/Desktop/chall2 day2]
└─$ tshark -r chaos_ransom.pcap -qz follow,tcp,raw,102 > stream102.hex

┌──(kali㉿kali)-[~/Desktop/chall2 day2]
└─$ tshark -r chaos_ransom.pcap -qz follow,tcp,raw,95 > stream95.hex
```

Note that the `raw` output carries the same banner lines (`Follow:`, `Filter:`, `Node 0/1:`) as the ASCII mode and tab-indents any server-to-client bytes, so only the unindented hex lines are the payload. Concatenated in stream order (95, 98, 102) they give one 3 × 139 = 417-byte blob.

###### Decode the hex in CyberChef: `From Hex`, then `XOR` with key `55`

https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')XOR(%7B'option':'Hex','string':'55'%7D,'Standard',false)&input=MDUxZTU2NTE1ZjU1NTU1NTU1NTUzNDUzOTcwZjU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTVmNTU1NTU1M2MzODI1M2EyNzIxMzQzYjIxN2EwNTFlNTY1MTQxNTU1YzU1MzY1NTQzNWM5NzBmYjdlNDk2NjkxODU1NTU1NTdhNTU1NTU1NDc1NTVlNTUzYzM4MjUzYTI3MjEzNDNiMjE3YTMzMzkzNDMyN2IyMTJkMjE1NGNjNTI1NTU0NTUxNDEwNTY1ZDU1OWYxZGVlNmJmNmUzOWViZDFmOWIzNTVhZGRhNDU3ZTkwY2VlODMyZWM0ZDQ2ODg2N2JmY2IxOGIwZjk3NjA2NmVkNWUzNDBhNjQ0ZTI1NzhkZjQ2Y2RkM2Q5MTI2ZDA2NzA2NDlkMTVmYzZiZmNlMDJmZGQxYzNhZTZhYTNmZWUxY2I5NGYxYTQzZDg2YzUyMDczOGZmZGUwNTFlNTI1ZGI3ZTQ5NjY5MTg1NTU1NTU3YTU1NTU1NTA1MWU1NDU3NGE1NTVmNTU1NTU1NTU1NTM0NTM5NzBmNTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NWY1NTcxNTU1NTU1NTU1NTU1NTU0NTU1NTU1NTU1NTU1NTU1M2MzODI1M2EyNzIxMzQzYjIxN2E1ZjU1NzU1NTU1NTU1NTU1NTQ1NTRkNTUxMTczMGFlODQ4ODY4ZTU0MTE3MzBhZTg0ODg2OGU1NDRkMzM0OGU0NDg4NjhlNTQwNTFlNTQ1NzRhNTU0MTU1NWM1NTM2NTU0MzVjOTcwZmI3ZTQ5NjY5MTg1NTU1NTU3YTU1NTU1NTQ3NTU3YTU1NTU1NTU1NTU1NTU1NzU1NTU1NTU3ZDU1NTU1NTNjMzgyNTNhMjcyMTM0M2IyMTdhMzMzOTM0MzI3YjIxMmQyMTVmNTU3NTU1NTU1NTU1NTU1NDU1NGQ1NTI4NjkwMDYzNzU4NjhlNTQyODY5MDA2Mzc1ODY4ZTU0MTNmZjBkZTI0ODg2OGU1NDU0Y2M1MjU1NTQ1NTE0MTA1NjVkNTUwNTFlNTA1MzU1NTU1NTU1NTc1NTU3NTU5ZTU1NTU1NTk1NTU1NTU1NTU1NQ

A quick sanity check on the key: the blob starts with `05 1e 56 51`, and XOR 0x55 turns that into `50 4b 03 04`, the `PK\x03\x04` local-file-header signature, so the key is right and the payload is a zip. Reading the decoded headers further shows two entries, `important/` and `important/flag.txt`, the latter flagged as encrypted with compression method 99 (WinZip AES) and an AES-256 strength byte in its `0x9901` extra field. That is an archive to crack with a wordlist (e.g. `zip2john` followed by `john`), not one that will open on its own.

###### The decoded output is a password-protected zip; cracking it gives the flag.

### flag{Y0u_Cr4ck3d_An_Encryp7ed_Ext0rt1on_mrL0n9}
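As an added example (not part of the original writeup or the challenge files), the same pipeline in Python: pull the client-to-server hex out of tshark's `follow,tcp,raw` dumps, recover the XOR key from the known `PK\x03\x04` header instead of guessing it, and walk the central directory to report whether each entry is encrypted and how (method 99 plus the `0x9901` extra field means WinZip AES). The layout assumed for tshark's raw dump (banner lines, tab-indented server direction, an optional decimal byte-count line) is an assumption stated in the code, and the three sample streams are constructed in memory from a plain stored zip, because `zipfile` cannot write AES-encrypted archives.

```python
"""Reassemble and de-XOR a zip that was split across several TCP streams.

Added example for this writeup, not code from the challenge. All input is
CONSTRUCTED: a small stored zip is built with zipfile, XORed with 0x55 and cut
into three pieces standing in for the captured payloads. Against the real
capture, run each `tshark -qz follow,tcp,raw,<n>` dump through
payload_from_follow_raw() and hand the results to recover() in stream order.
"""
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
AES_EXTRA_ID = 0x9901        # WinZip AES extra field, paired with method 99
METHOD_AES = 99
HEXCHARS = set("0123456789abcdef")

def payload_from_follow_raw(text, from_server=False):
    """Extract one direction's bytes from a `follow,tcp,raw` dump.
    Assumed tshark layout: banner lines (====, Follow:, Filter:, Node N:)
    contain non-hex characters, server->client lines are tab-indented, and a
    decimal byte-count line may precede a chunk (as `139` does in ascii mode);
    a count line is recognised because the hex line after it is twice as long."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and ln[0].isspace() == from_server]
    hexlines = []
    for i, ln in enumerate(lines):
        if not set(ln.lower()) <= HEXCHARS:
            continue                                    # banner text
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if ln.isdigit() and len(nxt) == 2 * int(ln):
            continue                                    # byte-count line
        hexlines.append(ln)
    return bytes.fromhex("".join(hexlines))

def recover_xor_key(blob, magic=LOCAL_SIG):
    """Single-byte XOR key from known plaintext: a zip starts with PK\\x03\\x04.
    The first byte fixes the key; the other three must agree, otherwise the
    data is not a one-byte XOR of a zip or the streams are out of order."""
    if len(blob) < len(magic):
        return None
    key = blob[0] ^ magic[0]
    return key if all((b ^ key) == m for b, m in zip(blob, magic)) else None

def xor_bytes(blob, key):
    return bytes(b ^ key for b in blob)

def parse_aes_extra(extra):
    """(key_bits, real_method) from a 0x9901 extra field, else None. Body:
    vendor version u16, "AE", strength u8 (1/2/3 = AES-128/192/256), then
    the compression method actually applied before encryption."""
    pos = 0
    while pos + 4 <= len(extra):
        xid, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if xid == AES_EXTRA_ID and len(body) >= 7 and body[2:4] == b"AE":
            return {1: 128, 2: 192, 3: 256}.get(body[4]), struct.unpack_from("<H", body, 5)[0]
        pos += 4 + size
    return None

def list_entries(zip_bytes):
    """Walk the central directory (it carries real sizes even when local
    headers defer them to a data descriptor) and report, per entry, what a
    cracker needs: name, encrypted flag, method and AES strength."""
    eocd = zip_bytes.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: archive incomplete")
    _, _, _, count, _, cd_off, _ = struct.unpack_from("<HHHHIIH", zip_bytes, eocd + 4)
    entries, pos = [], cd_off
    for _ in range(count):
        if not zip_bytes.startswith(CENTRAL_SIG, pos):
            raise ValueError("central directory corrupt: wrong key or stream order")
        (_, _, flags, method, _, _, _, csize, usize, nlen, xlen, clen,
         _, _, _, _) = struct.unpack_from("<HHHHHHIIIHHHHHII", zip_bytes, pos + 4)
        name = zip_bytes[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = zip_bytes[pos + 46 + nlen:pos + 46 + nlen + xlen]
        aes = parse_aes_extra(extra) if method == METHOD_AES else None
        entries.append({"name": name, "encrypted": bool(flags & 1), "method": method,
                        "aes_bits": aes[0] if aes else None,
                        "compressed": csize, "uncompressed": usize})
        pos += 46 + nlen + xlen + clen
    return entries

def recover(streams):
    """Concatenate payloads in stream order, strip the XOR and list entries."""
    blob = b"".join(streams)
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("no PK header under any single-byte key: check stream order")
    zip_bytes = xor_bytes(blob, key)
    return key, zip_bytes, list_entries(zip_bytes)

def read_member(zip_bytes, name):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)

def constructed_follow_dumps(key=0x55, pieces=3):
    """CONSTRUCTED stand-ins for the three `follow,tcp,raw` dumps (with a
    two-byte 'OK' from the server so the indented direction is exercised)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("important/", "")
        zf.writestr("important/flag.txt", "flag{constructed_sample_not_the_real_flag}")
    blob = xor_bytes(buf.getvalue(), key)
    step = -(-len(blob) // pieces)
    chunks = [blob[i:i + step] for i in range(0, len(blob), step)]
    return [f"===\nFollow: tcp,raw\nFilter: tcp.stream eq {95 + n}\n"
            f"Node 0: 192.168.1.100:{12360 + n}\nNode 1: 192.168.1.101:{8080 + n}\n"
            f"{len(c)}\n{c.hex()}\n\t2\n\t4f4b\n" for n, c in enumerate(chunks)]

if __name__ == "__main__":
    key, zip_bytes, entries = recover([payload_from_follow_raw(d) for d in constructed_follow_dumps()])
    print(f"XOR key 0x{key:02x}", *entries, read_member(zip_bytes, "important/flag.txt"), sep="\n")
```

On the real capture the `list_entries` output is the point where you stop and reach for a cracker: an `encrypted: True` entry with `method: 99` and `aes_bits: 256` will never open with a plain `unzip`, and traditional ZipCrypto attacks (known-plaintext) do not apply to WinZip AES, so a wordlist run is the realistic route. If `recover_xor_key` returns `None`, the usual cause is concatenating the streams in the wrong order rather than a wrong key.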