Answers
Category: Misc
100 points
Lookup this
answers.ritsec.club:53/udp
~knif3
Solution
At the given address there’s a DNS server (I had doubts about it at the beginning). I tried querying it first.
dig @answers.ritsec.club answers.ritsec.club +all
; <<>> DiG 9.16.12-Debian <<>> @answers.ritsec.club answers.ritsec.club +all
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33818
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;answers.ritsec.club. IN A
;; ANSWER SECTION:
answers.ritsec.club. 1440 IN CNAME ymbcoqrjbxfhrvcg.answers.ritsec.club.
answers.ritsec.club. 1440 IN CNAME zsrccffjkqjhmlur.answers.ritsec.club.
answers.ritsec.club. 1440 IN CNAME nlhmvfueacoehdwo.answers.ritsec.club.
;; Query time: 147 msec
;; SERVER: 34.69.61.54#53(34.69.61.54)
;; WHEN: sob kwi 10 14:37:26 CEST 2021
;; MSG SIZE rcvd: 130
Ok, so we’ve got 3 more random CNAME records in the answer. I didn’t want to spend hours manually digging through the records, so I wrote a small loop to automate it.
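#!/bin/bash
# Start from the apex name; each pass replaces the list with the CNAME targets just returned.
records="answers.ritsec.club"
while [ -n "${records}" ]; do
    echo "${records}"
    # ${records} is unquoted on purpose: it holds several names, one dig query each.
    # +short is given before the names so that it applies to every query.
    records=$(dig @answers.ritsec.club +short ${records} | tr "\n" " ")
done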
This gave me a lot of CNAME records, among which I found something like random_txt_record_ryupmw.answers.ritsec.club.
Ok, the hint is in the name. Let’s query for the TXT record.
dig @answers.ritsec.club random_txt_record_ryupmw.answers.ritsec.club +all TXT
; <<>> DiG 9.16.12-Debian <<>> @answers.ritsec.club random_txt_record_ryupmw.answers.ritsec.club +all TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42854
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;random_txt_record_ryupmw.answers.ritsec.club. IN TXT
;; ANSWER SECTION:
random_txt_record_ryupmw.answers.ritsec.club. 1440 IN TXT "RS{should_have_used_pihol3}"
;; Query time: 152 msec
;; SERVER: 34.69.61.54#53(34.69.61.54)
;; WHEN: sob kwi 10 13:53:53 CEST 2021
;; MSG SIZE rcvd: 102
Bingo! A few more remarks:
- querying the ANY record type was disabled on the server side (that’s why I didn’t use it),
- after a while the DNS records were re-randomized, so probably at this moment (if the chall is still available) you won’t be able to query for random_txt_record_ryupmw.answers.ritsec.club to get the flag - kudos to the organizers for that ;-)
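The CNAME walk from the solution, as an added example that is not part of the original write-up: it queries each name once and keeps a list of names already seen, so repeated or circular targets cannot keep the loop running, and it prints only the names whose first label is not 16 lowercase letters like the random ones in the dig output. The function names, `resolve_sample` and the `answers.example` zone are constructed for the example; whether the live zone contained cycles is not stated in the write-up.

```shell
#!/bin/sh

# Live resolver: same server and +short output as the write-up, one name per call.
resolve_dig() {
    dig @answers.ritsec.club +short "$1"
}

# Constructed zone for offline runs; it contains a cycle between the two random labels.
resolve_sample() {
    case "$1" in
        answers.example)
            echo "qwertyuiopasdfgh.answers.example."
            echo "zxcvbnmlkjhgfdsa.answers.example." ;;
        qwertyuiopasdfgh.answers.example)
            echo "zxcvbnmlkjhgfdsa.answers.example."
            echo "random_txt_record_sample.answers.example." ;;
        zxcvbnmlkjhgfdsa.answers.example)
            echo "qwertyuiopasdfgh.answers.example." ;;
    esac
}

# walk START: breadth-first over CNAME targets; prints each distinct name once.
walk() {
    queue="${1%.}"
    seen=" $queue "
    while [ -n "$queue" ]; do
        next=""
        for name in $queue; do
            echo "$name"
            for target in $("${RESOLVER:-resolve_dig}" "$name"); do
                target="${target%.}"              # dig +short prints a trailing dot
                case "$seen" in
                    *" $target "*) ;;             # already queued or visited
                    *) seen="$seen$target "; next="$next $target" ;;
                esac
            done
        done
        queue="$next"
    done
}

# interesting START: walked names whose first label is not 16 lowercase letters.
interesting() {
    walk "$1" | grep -Ev '^[a-z]{16}\.' | grep -Fvx "${1%.}"
}

# Offline demo on the constructed zone; drop the RESOLVER= prefix to use dig.
RESOLVER=resolve_sample interesting answers.example
```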
Flag
RS{should_have_used_pihol3}