Name Game

Analyzed DNS traffic in a PCAP file to decode hexadecimal strings embedded in subdomains.

DNS, PCAP, Forensics, MetaCTF, Easy

Overview

We are provided with a capture.pcap file containing DNS queries flagged as unusual activity. The challenge title "Name Game" suggests that domain names themselves encode the hidden message.

Analysis

Upon inspecting the DNS traffic, a suspicious domain stands out:

Under this domain, 9 DNS records were observed. Each subdomain is a hexadecimal string that decodes to a portion of the flag.

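| Packet # | Timestamp  | Hex Payload | Decoded ASCII |
|----------|------------|-------------|---------------|
| 721      | 240.000000 | 4d657461    | Meta          |
| 724      | 241.029482 | 4354467b    | CTF{          |
| 733      | 242.047030 | 646e735f    | dns_          |
| 736      | 243.002208 | 31355f61    | 15_a          |
| 737      | 243.966458 | 6c773479    | lw4y          |
| 740      | 244.922549 | 735f7468    | s_th          |
| 743      | 245.938842 | 335f6375    | 3_cu          |
| 748      | 246.934191 | 6c707231    | lpr1          |
| 751      | 247.894408 | 747d        | t}            |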

Reconstruction

Stitching all decoded text chunks together in packet order reveals the hidden message:

Meta + CTF{ + dns_ + 15_a + lw4y + s_th + 3_cu + lpr1 + t}
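The reconstruction can be scripted. The following is an added example, not part of the original write-up: it filters query names to one base domain, keeps only single hex labels, orders them by frame number, and joins the decoded bytes. The domain `suspicious.example` is a placeholder (the real name is not preserved on this page), and the rows are constructed from the hex labels in the table above plus a few constructed noise entries.

```python
import re

# Placeholder: the write-up does not preserve the real domain name.
BASE_DOMAIN = "suspicious.example"

# Constructed sample rows (frame number, query name) using the hex labels from
# the table above. Real rows could be exported with, for example:
#   tshark -r capture.pcap -Y "dns.flags.response == 0" \
#          -T fields -e frame.number -e dns.qry.name
# Includes an unrelated lookup, a duplicate (retry) and out-of-order rows.
SAMPLE_QUERIES = [
    (733, "646e735f.suspicious.example"),
    (721, "4d657461.suspicious.example"),
    (722, "www.example.org"),
    (724, "4354467b.suspicious.example"),
    (725, "4354467b.suspicious.example"),   # constructed retry of frame 724
    (736, "31355f61.suspicious.example"),
    (737, "6C773479.Suspicious.Example."),  # DNS names are case-insensitive
    (740, "735f7468.suspicious.example"),
    (743, "335f6375.suspicious.example"),
    (748, "6c707231.suspicious.example"),
    (751, "747d.suspicious.example"),
]

HEX_LABEL = re.compile(r"(?:[0-9a-f]{2})+")  # whole bytes only

def extract_chunks(queries, base_domain):
    """Return [(frame, decoded_bytes)] for hex labels directly under base_domain."""
    suffix = "." + base_domain.lower().rstrip(".")
    chunks, previous = [], None
    for frame, qname in sorted(queries):      # packet order, as in the write-up
        name = qname.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                          # unrelated domain
        label = name[: -len(suffix)]
        if not HEX_LABEL.fullmatch(label):
            continue                          # not a single even-length hex label
        if label == previous:
            continue                          # assumption: back-to-back repeat is a retry
        previous = label
        chunks.append((frame, bytes.fromhex(label)))
    return chunks

def reassemble(queries, base_domain=BASE_DOMAIN):
    data = b"".join(chunk for _, chunk in extract_chunks(queries, base_domain))
    return data.decode("ascii", errors="replace")

if __name__ == "__main__":
    print(reassemble(SAMPLE_QUERIES))
```

The same hex-label filter works as a triage check on resolver logs: a run of queries under one parent domain whose leftmost labels are all even-length hex is worth a closer look.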

Flag

Decoded from DNS queries
MetaCTF{dns_15_alw4ys_th3_culpr1t}