Skip to content

SECURE_CONNECTION//PRESS[CTRL+J]FOR ROOT ACCESS

BACK TO INTEL
MiscEasy

Creepnet Pcap

CTF writeup for Creepnet from deadface

//Creepnet

>TL;DR

DEADFACE exfiltrated a message using DNS query labels (DNS tunneling). I extracted three base64-encoded DNS labels from creep-log.pcap, decoded them, and assembled the final flag:

deadface{Its_Imp0rtant-T0.c@tch-Everyd3t@il}

The detailed steps, commands and code used are below so you (or a CI) can reproduce the result exactly.

>Artifacts

  • Provided archive: CreepNet.zip
  • Extracted file: creep-log.pcap

>Tools used

  • tshark (Wireshark CLI)
  • unzip
  • Python 3 (base64 decoding)

>Investigation steps

1) Extract the PCAP (if needed)

If you received CreepNet.zip locally, extract it:

bash
unzip -l CreepNet.zip      # list contents
unzip -o CreepNet.zip -d . # extract to current folder

You should see creep-log.pcap inside the archive.

2) Look for DNS queries in the pcap

I used tshark to inspect DNS query names. First, list DNS query names only:

bash
# Show DNS query names found in the pcap
tshark -r creep-log.pcap -Y "dns.flags.response==0" -T fields -e dns.qry.name

This displays a lot of normal-looking queries (e.g., search.yahoo.com, www.google.com) but also several suspicious-looking, non-resolving labels (long base64 segments). To get frame numbers so we can order & reference them:

bash
# Show frame number and query name for DNS queries
tshark -r creep-log.pcap -Y "dns.flags.response==0 && dns.qry.name" \
  -T fields -e frame.number -e dns.qry.name

From the output we extracted three suspicious labels (examples from my run):

  • frame 274: ZGVhZGZhY2V7SXRzX0lt.com
  • frame 348: aC1FdmVyeWQzdEBpbH0K.com
  • frames 729/730: cDBydGFudC1UMC5jQHRj.com

Note: The .com is the DNS suffix; the interesting part is the left-most label (the base64 chunk).

3) Extract the base64 labels

From the queries above, take the left-most label (everything before the first .). Those are:

  • ZGVhZGZhY2V7SXRzX0lt
  • aC1FdmVyeWQzdEBpbH0K
  • cDBydGFudC1UMC5jQHRj

We can decode each with Python's base64 module. Example commands used:

bash
python3 - <<'PY'
import base64
labels = [
    'ZGVhZGZhY2V7SXRzX0lt',
    'aC1FdmVyeWQzdEBpbH0K',
    'cDBydGFudC1UMC5jQHRj'
]
for s in labels:
    decoded = base64.b64decode(s)
    print(s, '->', decoded)
PY

Sample decoded bytes (raw):

  • ZGVhZGZhY2V7SXRzX0lt -> b'deadface{Its_Im'
  • aC1FdmVyeWQzdEBpbH0K -> b'h-Everyd3t@il}\n'
  • cDBydGFudC1UMC5jQHRj -> b'p0rtant-T0.c@tc'

4) Assemble the fragments (correct order)

We need to order the fragments so they form a readable string. By inspection, the fragments that produce a coherent string are ordered as:

  1. ZGVhZGZhY2V7SXRzX0lt -> deadface{Its_Im
  2. cDBydGFudC1UMC5jQHRj -> p0rtant-T0.c@tc
  3. aC1FdmVyeWQzdEBpbH0K -> h-Everyd3t@il}\n

Concatenating and stripping trailing newline yields:

python
import base64
parts = ['ZGVhZGZhY2V7SXRzX0lt', 'cDBydGFudC1UMC5jQHRj', 'aC1FdmVyeWQzdEBpbH0K']
message = ''.join(base64.b64decode(p).decode('utf-8', 'ignore') for p in parts).strip()
print(message)

This prints:

deadface{Its_Imp0rtant-T0.c@tch-Everyd3t@il}

So the recovered flag is:

deadface{Its_Imp0rtant-T0.c@tch-Everyd3t@il}

5) Short explanation: how the exfiltration works

DEADFACE used DNS query labels to hide the message. The attacker encoded message fragments in base64 and used them as left-most labels in DNS queries. DNS is a common covert channel because DNS queries are often allowed through firewalls and can carry arbitrary label data. When collected from DNS logs or a packet capture, the base64 labels can be decoded and concatenated to recover the original message.

6) Reproducible checklist (commands)

  1. Extract pcap:
bash
unzip -o CreepNet.zip -d .
  1. List suspicious DNS labels:
bash
# show query names
tshark -r creep-log.pcap -Y "dns.flags.response==0" -T fields -e dns.qry.name

# show frame number + query name
tshark -r creep-log.pcap -Y "dns.flags.response==0 && dns.qry.name" -T fields -e frame.number -e dns.qry.name
  1. Base64 decode (example, script form):
bash
python3 - <<'PY'
import base64
parts = ['ZGVhZGZhY2V7SXRzX0lt', 'cDBydGFudC1UMC5jQHRj', 'aC1FdmVyeWQzdEBpbH0K']
print(''.join(base64.b64decode(p).decode('utf-8','ignore') for p in parts).strip())
PY

>Mitigations / Detection tips

  • Monitor DNS queries for non-meaningful labels (long labels, base64-like characters, high frequency of NXDOMAIN).
  • Enforce DNS proxying or inspection (DNS-over-HTTPS/DoT complicates inspection, but blocking unknown resolvers helps).
  • Rate-limit or alert on unusual query name entropy.

>Final result (flag)

deadface{Its_Imp0rtant-T0.c@tch-Everyd3t@il}