Trick Or Breach

# Extract the DNS query data from the pcap;
# https://unix.stackexchange.com/a/393503/370076
tshark -r ./capture.pcap -T fields -e dns.qry.name -Y 'dns.flags.response == 0' > raw_exfil.txt

# Get only the data from the DNS queries;
# https://www.hackucf.org/hack-all-the-things/hack-all-the-things-exfiltrating-data-via-dns-requests
egrep -o "[0-9a-f]+.pumpkincorp.com" ./raw_exfil.txt | cut -d. -f1 > exfil.txt

# Unhex the exfiltrated data
xxd -r -p < exfil.txt > data

Looking at the data file, I determined that it was an archive that was really an Excel spreadsheet. I opened it in OpenOffice and found the flag:

HTB{M4g1c_c4nn0t_pr3v3nt_d4t4_br34ch}

Tags

  1. hackthebox (Private)
  2. easy (Private)
  3. dns (Private)
  4. exfiltration (Private)
  5. forensics (Private)

Backlinks