RITSEC CTF 2021: Answers

Answers

Category: Misc

100 points

Lookup this

answers.ritsec.club:53/udp

~knif3

Solution

At the given address there’s a DNS server (I had my doubts about it at the beginning). I tried querying it first.

dig @answers.ritsec.club answers.ritsec.club +all
; <<>> DiG 9.16.12-Debian <<>> @answers.ritsec.club answers.ritsec.club +all
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33818
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;answers.ritsec.club.		IN	A

;; ANSWER SECTION:
answers.ritsec.club.	1440	IN	CNAME	ymbcoqrjbxfhrvcg.answers.ritsec.club.
answers.ritsec.club.	1440	IN	CNAME	zsrccffjkqjhmlur.answers.ritsec.club.
answers.ritsec.club.	1440	IN	CNAME	nlhmvfueacoehdwo.answers.ritsec.club.

;; Query time: 147 msec
;; SERVER: 34.69.61.54#53(34.69.61.54)
;; WHEN: sob kwi 10 14:37:26 CEST 2021
;; MSG SIZE  rcvd: 130

Ok, so we’ve got 3 more random CNAME records in the answer. I didn’t want to spend hours manually digging through the records, so I wrote a small loop to automate it.

#!/bin/bash
# Follow the CNAME chain: each iteration asks the server about every name
# returned by the previous one and prints the names as it goes.
# ${records} is intentionally left unquoted so dig receives one name per argument.
records="answers.ritsec.club"
while [ -n "${records}" ]; do
    echo "${records}"
    records=$(dig @answers.ritsec.club ${records} +short | tr "\n" " ")
done

This gave me a lot of CNAME records, among which I found something like random_txt_record_ryupmw.answers.ritsec.club.
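The loop above keeps asking the server about whatever it returned last, so it only stops when a query comes back empty; if the maze loops back on itself it never terminates, and it does not itself pick out the names worth a TXT query. As an added example (not the write-up's own script), here is the same walk done breadth-first with a visited set and a TXT lookup for any name that hints at one. Resolution goes through a callable, so the walk can be run against a constructed in-memory zone (the names, records and flag value below are made up for the demo) or against a live server via the real `dig` CLI; the server name, zone contents and helper names are all assumptions.

```python
#!/usr/bin/env python3
"""Walk a CNAME maze breadth-first and collect TXT records along the way.

Added example, not part of the original write-up. The resolver is a plain
callable (name, rrtype) -> list of rdata strings, so the walk can be tested
offline against a constructed zone and pointed at a real server with `dig`.
"""
from collections import deque
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]


def dig_resolver(server: str) -> Resolver:
    """Resolver backed by the `dig` CLI (+short output). Only used for live runs."""
    def resolve(name: str, rrtype: str) -> List[str]:
        out = subprocess.run(
            ["dig", f"@{server}", name, rrtype, "+short", "+tries=1"],
            capture_output=True, text=True, check=False,
        ).stdout
        return [line.strip() for line in out.splitlines() if line.strip()]
    return resolve


def zone_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Resolver over an in-memory zone keyed by (owner name, rrtype)."""
    def resolve(name: str, rrtype: str) -> List[str]:
        return list(zone.get((name.rstrip(".").lower(), rrtype), []))
    return resolve


def walk_cnames(start: str, resolve: Resolver,
                max_names: int = 10000) -> Tuple[List[str], Dict[str, List[str]]]:
    """BFS over CNAME targets starting at `start`.

    Returns (names visited in order, {name: TXT rdata}). A visited set makes
    cycles harmless and max_names bounds the walk on a zone that keeps
    handing out fresh random labels.
    """
    start = start.rstrip(".").lower()
    seen = {start}
    order: List[str] = []
    txt_hits: Dict[str, List[str]] = {}
    queue = deque([start])
    while queue and len(order) < max_names:
        name = queue.popleft()
        order.append(name)
        if "txt" in name:  # the maze advertises the record type in the label
            txts = resolve(name, "TXT")
            if txts:
                txt_hits[name] = txts
        for target in resolve(name, "CNAME"):
            target = target.rstrip(".").lower()
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return order, txt_hits


# Constructed demo zone (hypothetical names): a small CNAME maze with one
# cycle back to the apex and a single TXT record at the end of a branch.
DEMO_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("answers.example", "CNAME"): ["aaaa.answers.example.", "bbbb.answers.example."],
    ("aaaa.answers.example", "CNAME"): ["cccc.answers.example."],
    ("bbbb.answers.example", "CNAME"): ["answers.example."],  # cycle
    ("cccc.answers.example", "CNAME"): ["random_txt_record_demo.answers.example."],
    ("random_txt_record_demo.answers.example", "TXT"): ['"RS{constructed_demo_flag}"'],
}


def demo_walk() -> Tuple[List[str], Dict[str, List[str]]]:
    """Run the walk against the constructed zone."""
    return walk_cnames("answers.example", zone_resolver(DEMO_ZONE))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <server> <start-name>
        visited, hits = walk_cnames(sys.argv[2], dig_resolver(sys.argv[1]))
    else:
        visited, hits = demo_walk()
    print(f"visited {len(visited)} names")
    for owner, rdata in hits.items():
        print(owner, rdata)
```

Against the demo zone the walk visits five names once each despite the cycle and reports the one TXT record; on a live zone that re-randomizes its labels, `max_names` is what keeps the script from running indefinitely.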

Ok, the hint is in the name. Let’s query for the TXT record.

dig @answers.ritsec.club random_txt_record_ryupmw.answers.ritsec.club +all TXT
; <<>> DiG 9.16.12-Debian <<>> @answers.ritsec.club random_txt_record_ryupmw.answers.ritsec.club +all TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42854
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;random_txt_record_ryupmw.answers.ritsec.club. IN TXT

;; ANSWER SECTION:
random_txt_record_ryupmw.answers.ritsec.club. 1440 IN TXT "RS{should_have_used_pihol3}"

;; Query time: 152 msec
;; SERVER: 34.69.61.54#53(34.69.61.54)
;; WHEN: sob kwi 10 13:53:53 CEST 2021
;; MSG SIZE  rcvd: 102

Bingo! A few more remarks:

  • querying the ANY record type was disabled on the server side (that’s why I didn’t use it),
  • after a while the DNS records were re-randomized, so at this moment (if the challenge is still available) you probably won’t be able to query random_txt_record_ryupmw.answers.ritsec.club to get the flag - kudos to the organizers for that ;-)

Flag

RS{should_have_used_pihol3}

luc © 2021