Analyzed DNS traffic in a PCAP file to decode hexadecimal strings embedded in subdomains.
We are provided with a capture.pcap file containing DNS queries flagged as unusual activity. The challenge title "Name Game" suggests that domain names themselves encode the hidden message.
Upon inspecting the DNS traffic, a suspicious domain stands out:
totallynotac2.meatctf.com

Under this domain, 9 DNS records were observed. Each subdomain is a hexadecimal string that decodes to a portion of the flag.

| Packet # | Timestamp | Hex Payload | Decoded ASCII |
|---|---|---|---|
| 721 | 240.000000 | 4d657461 | Meta |
| 724 | 241.029482 | 4354467b | CTF{ |
| 733 | 242.047030 | 646e735f | dns_ |
| 736 | 243.002208 | 31355f61 | 15_a |
| 737 | 243.966458 | 6c773479 | lw4y |
| 740 | 244.922549 | 735f7468 | s_th |
| 743 | 245.938842 | 335f6375 | 3_cu |
| 748 | 246.934191 | 6c707231 | lpr1 |
| 751 | 247.894408 | 747d | t} |
Stitching all decoded text chunks together in packet order reveals the hidden message:
Meta + CTF{ + dns_ + 15_a + lw4y + s_th + 3_cu + lpr1 + t}
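The same extraction can be scripted so it also works on captures with many more queries. The following is an added example, not part of the original write-up: it takes the packet numbers, timestamps and hex labels from the table above, assumes each query name has the form `<hex>.totallynotac2.meatctf.com`, and mixes in three constructed benign queries to show the filtering.

```python
import string

BASE_DOMAIN = "totallynotac2.meatctf.com"  # suspicious domain named in the write-up

# (packet number, timestamp, query name), deliberately out of order.
# Hex labels come from the table above; the full query-name layout is an
# assumption and the rows marked "constructed" are illustrative noise.
QUERIES = [
    (748, 246.934191, "6c707231." + BASE_DOMAIN),
    (721, 240.000000, "4d657461." + BASE_DOMAIN),
    (730, 241.500000, "www.example.com"),            # constructed
    (736, 243.002208, "31355f61." + BASE_DOMAIN),
    (724, 241.029482, "4354467b." + BASE_DOMAIN),
    (751, 247.894408, "747d." + BASE_DOMAIN),
    (733, 242.047030, "646e735f." + BASE_DOMAIN),
    (745, 246.100000, "cafe.example.org"),           # constructed: hex, wrong domain
    (737, 243.966458, "6c773479." + BASE_DOMAIN),
    (743, 245.938842, "335f6375." + BASE_DOMAIN),
    (739, 244.500000, "www." + BASE_DOMAIN),         # constructed: not hex
    (740, 244.922549, "735f7468." + BASE_DOMAIN),
]


def decode_label(qname, base=BASE_DOMAIN):
    """Return the decoded bytes if qname is exactly <hex>.<base>, else None."""
    qname = qname.rstrip(".").lower()
    suffix = "." + base
    if not qname.endswith(suffix):
        return None
    label = qname[: -len(suffix)]
    # Reject empty, odd-length, multi-label or non-hex prefixes.
    if not label or len(label) % 2 or any(c not in string.hexdigits for c in label):
        return None
    return bytes.fromhex(label)


def reassemble(queries, base=BASE_DOMAIN):
    """Decode matching queries in packet order and join the chunks."""
    chunks = []
    for _pkt, _ts, qname in sorted(queries):  # tuples sort by packet number first
        data = decode_label(qname, base)
        if data is not None:
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


if __name__ == "__main__":
    print(reassemble(QUERIES))
```

For detection work, the same `decode_label` check (a leftmost label that is entirely even-length hex under a single parent domain) is a reasonable starting heuristic for flagging data encoded in DNS query names.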