DNS Exfiltration

I love forensics. I love the idea of how forensics works and how we can see what happened after an attack went down. Stopping an attacker isn't all that interesting, but seeing what they did after they got in, that's cool. root-me has an awesome collection of forensic challenges that really test a wide variety of tasks: memory analysis on mem dumps, Word macro extraction, Android apps, AD, etc. etc. etc. But a few days ago they posted a DNS Exfiltration challenge, which is hands down my favorite new challenge.

I had heard about data exfil this way from the sec community and through work, but didn't really have an idea how it worked or why it worked. This challenge gives you a pcap and says good luck. So, a ton of reading over the last few days and a bit of experimentation, and I can gladly say that I was able to knock it out and solve this one. Really excited about the theory behind it and kinda want to dive in and write my own version.
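For readers who, like the author before this challenge, have heard of DNS exfiltration but not seen the mechanics, here is a small added example (written for this page; it is not the challenge's traffic, the author's write-up, or anything from root-me). It shows the core trick: the sender chops the file into chunks, encodes each chunk into DNS labels under a zone the attacker controls, and every "lookup" carries a piece of the data; the receiver, or an analyst with the pcap, reassembles it from the query names. The zone name `exfil.example`, the `<seq>.<base32 labels>.<zone>` layout, the chunk size and the sample "capture" are all assumptions of this example.

```python
"""Added example: how DNS exfiltration packs data into query names and how the
receiving end (or an analyst with a pcap) puts it back together. The zone,
layout and sample capture are assumed; none of it is the root-me challenge."""
import base64
import random
import re
from collections import Counter

EXFIL_DOMAIN = "exfil.example"   # assumed attacker-controlled zone (hypothetical)
CHUNK_SIZE = 30                  # 30 bytes -> 48 base32 chars, no '=' padding
MAX_LABEL = 63                   # RFC 1035 label length limit
MAX_NAME = 253                   # practical limit for a full domain name


def encode_chunks(data: bytes) -> list[str]:
    """Sender side: split data into numbered chunks, base32-encode each chunk
    (DNS names are case-insensitive, so base64 would be mangled by resolvers)
    and build one query name per chunk: <seq>.<b32 labels>.<zone>."""
    names = []
    for seq, off in enumerate(range(0, len(data), CHUNK_SIZE)):
        b32 = base64.b32encode(data[off:off + CHUNK_SIZE]).decode().rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([str(seq), *labels, EXFIL_DOMAIN])
        if len(name) > MAX_NAME:
            raise ValueError("query name too long")
        names.append(name)
    return names


_QUERY_RE = re.compile(r"^(\d+)\.(.+)\." + re.escape(EXFIL_DOMAIN) + r"\.?$")


def decode_queries(qnames: list[str]) -> tuple[bytes, list[int]]:
    """Receiver/analyst side: pick the exfil names out of a list of observed
    queries (any order, retries and duplicates allowed, unrelated traffic
    ignored), re-order by sequence number and reassemble the data.
    Returns (data, missing_sequence_numbers) so gaps in a capture are visible."""
    chunks: dict[int, bytes] = {}
    for q in qnames:
        m = _QUERY_RE.match(q.lower())
        if not m:
            continue                                   # not our zone: skip
        seq, payload = int(m.group(1)), m.group(2).replace(".", "").upper()
        payload += "=" * (-len(payload) % 8)           # restore stripped padding
        chunks[seq] = base64.b32decode(payload)
    if not chunks:
        return b"", []
    missing = [i for i in range(max(chunks) + 1) if i not in chunks]
    return b"".join(chunks[i] for i in sorted(chunks)), missing


def unique_subdomains_per_zone(qnames: list[str], depth: int = 2) -> Counter:
    """Cheap detection heuristic: count distinct names under each zone (last
    `depth` labels). Legitimate zones repeat a handful of names; a tunnel
    produces a flood of never-repeating ones."""
    seen: dict[str, set[str]] = {}
    for q in qnames:
        labels = q.lower().rstrip(".").split(".")
        zone = ".".join(labels[-depth:])
        seen.setdefault(zone, set()).add(q.lower())
    return Counter({zone: len(names) for zone, names in seen.items()})


# Constructed sample "capture": the exfil queries interleaved with ordinary
# lookups, shuffled, with one retried query, as they might appear in a pcap.
SAMPLE_SECRET = b"constructed sample payload: user=alice;token=0123456789abcdef\n"
_noise = ["www.example.com", "mail.example.com", "www.example.com"]
CAPTURED_QUERIES = encode_chunks(SAMPLE_SECRET) + _noise
CAPTURED_QUERIES.append(CAPTURED_QUERIES[0])          # a retried query
random.Random(7).shuffle(CAPTURED_QUERIES)

if __name__ == "__main__":
    data, missing = decode_queries(CAPTURED_QUERIES)
    print(data.decode(), "missing chunks:", missing)
    print(unique_subdomains_per_zone(CAPTURED_QUERIES))
```

Two details matter in practice and are why the decoder is written the way it is: resolvers retry and cache, so the same name shows up more than once and out of order (hence the sequence-number prefix and dictionary reassembly), and a capture can simply be missing queries, which the `missing` list makes explicit instead of silently producing a corrupted file. The per-zone counter is the simplest "something is off here" check an analyst can run over a pcap's query names before reading any of them.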

Props to the root-me team and to @__SamBeckS__ for this challenge.

(I did a write-up for it and submitted it to root-me, but you have to beat the challenge to see how I did it.)