Recovery — Securinets CTF 2025

Scenario

A victim machine has been compromised with ransomware. The attack used DNS as a covert channel to deliver the malicious payload. Your task is to analyze network traffic and filesystem artifacts to reconstruct the attack.

Artifacts Provided:


🔍 Network Traffic Analysis

Wireshark Examination

Filtering for DNS traffic revealed queries to a suspicious domain: meow.
The labels appeared to contain Base32-encoded data with index numbers, suggesting chunked data transmission.

[Figure: Wireshark protocol hierarchy]
[Figure: DNS queries to the meow domain]

Note: This is a classic DNS data exfiltration/infiltration technique, where file data is tunneled through the subdomain labels of DNS queries.


🛠️ Malware Reconstruction

Desktop Discovery

Examining the home directory revealed the following:
[Figure: Victim desktop files]

Recovering Source from GitHub

Examining the commit history for the suspicious repo:
[Figure: GitHub commit history]

Extracting Payload from PCAP

We wrote a Python script using Scapy to:

  1. Parse the DNS labels from the "meow" domain.
  2. Reassemble the Base32 chunks based on their index.
  3. XOR-decrypt the reassembled bytes using a single-byte key found in the packet headers.

Result: Reconstructed an executable named reconstructed.exe.
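The three steps above, as an added example that is not the writeup's own Scapy script. It assumes a query-name layout of `<chunk-index>.<base32 chunk>.meow` (the page does not give the exact format), takes the single-byte XOR key as a parameter rather than reading it from packet headers, and works on constructed query names instead of a PCAP; it also handles out-of-order delivery, unrelated queries, and missing chunks.

```python
import base64

DOMAIN = "meow"  # suspicious domain seen in the capture

def encode_chunks(data: bytes, key: int, chunk_len: int = 20) -> list:
    """Constructed sample only: emit query names the way the assumed channel would."""
    xored = bytes(b ^ key for b in data)
    names = []
    for i in range(0, len(xored), chunk_len):
        chunk = base64.b32encode(xored[i:i + chunk_len]).decode().rstrip("=")
        names.append(f"{i // chunk_len}.{chunk}.{DOMAIN}")
    return names

def parse_query(qname: str):
    """Return (index, base32_chunk) for a name under DOMAIN, None for anything else."""
    labels = qname.rstrip(".").split(".")  # Scapy qnames carry a trailing dot
    if len(labels) < 3 or labels[-1] != DOMAIN or not labels[0].isdigit():
        return None
    return int(labels[0]), "".join(labels[1:-1])  # a chunk may span several labels

def reassemble(qnames, key: int) -> bytes:
    """Order chunks by index, Base32-decode them, then XOR with the single-byte key."""
    chunks = {}
    for q in qnames:
        parsed = parse_query(q)
        if parsed is not None:
            chunks[parsed[0]] = parsed[1]  # retransmits of the same index overwrite
    if not chunks:
        raise ValueError("no chunks found under the domain")
    missing = [i for i in range(max(chunks) + 1) if i not in chunks]
    if missing:
        raise ValueError(f"missing chunk indices: {missing}")
    raw = b""
    for i in sorted(chunks):
        b32 = chunks[i] + "=" * (-len(chunks[i]) % 8)  # restore stripped padding
        raw += base64.b32decode(b32, casefold=True)    # tolerate 0x20 case changes
    return bytes(b ^ key for b in raw)

if __name__ == "__main__":
    sample = encode_chunks(b"MZ\x90\x00 constructed payload", 0x5A)
    noisy = list(reversed(sample)) + ["www.example.com."]  # out of order plus noise
    print(reassemble(noisy, 0x5A))
```

With a real capture, feed `reassemble` the `qname` of every DNS query (`pkt[DNSQR].qname.decode()` in Scapy) and write the returned bytes to a file.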

Unpacking

The binary was packed with UPX. After unpacking, we performed static analysis with IDA Pro.


🔬 Reverse Engineering

Encryption Algorithm

The malware uses a custom Linear Congruential Generator (LCG) for keystream generation.

Key Components:


🔓 Flag Extraction

We implemented the decryption algorithm in Python, supplying the full path of the encrypted file (C:\Users\gumba\Desktop\sillyflag.png), from which the correct LCG seed is generated.

[Figure: Decrypted flag image]

Flag: Securinets{DNS_3xf1l_w1th_cust0m_LCG_encrypt10n}


📊 Investigation Summary