Silent Channel
Your SOC team has detected unusual DNS traffic originating from a single internal workstation. A raw DNS query log has been captured from the network gateway. Your job: figure out what data is being sent out — and how.
— scenario
Alert triggered at 09:31 UTC by anomaly detection rule DNS-HEX-SUBDOMAIN.
Source: 192.168.1.42 (WKSTN-FINANCE-04)
Duration: ~12 minutes of sustained unusual DNS activity.
The workstation belongs to the finance department and should only be accessing internal ERP systems and standard SaaS tools. No external file transfers were authorised.
Analyze the attached DNS query log. Identify the exfiltration channel, extract the data being sent, and submit the flag.
— challenge file
dns-queries.log (14 KB)
— write-up
Step 1 — spot the anomaly
Filter the log to show only queries from 192.168.1.42. Of those, the vast majority go to *.company.local or known SaaS hosts. Four queries stand out: they all go to subdomains of exfil.badactor.cc, a domain you wouldn't expect to see in any normal business log.
Step 2 — collect the subdomain labels
Each subdomain label follows the pattern <hex-chunk>.<sequence-number>.exfil.badactor.cc. Sort by sequence number and extract the hex chunks in order:
1: 464f494c7b6330
2: 763372745f6368
3: 346e6e336c5f64
4: 6e735f37787d
Step 3 — decode
Concatenate: 464f494c7b6330763372745f6368346e6e336c5f646e735f37787d
Decode as ASCII:
python3 -c "print(bytes.fromhex('464f494c7b6330763372745f6368346e6e336c5f646e735f37787d').decode())"
Result: FOIL{c0v3rt_ch4nn3l_dns_7x}
Why this works as an attack
DNS is almost never blocked outbound and is rarely inspected in depth. By encoding data into subdomain labels (max 63 chars each), an attacker can exfiltrate data as long as they control a domain that resolves DNS queries — the "answers" don't even matter, because the data rides in the queries themselves.
Detection signals: unusual external domains receiving queries from a single internal host, hex-like subdomain labels, sequential numeric labels, high query rate to an otherwise unknown TLD.
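The detection signals above turned into a small triage script, added here as an example that is not part of the challenge or its write-up. It assumes a constructed three-column log format (timestamp, client, query name), since the real dns-queries.log layout is not reproduced on this page, and an assumed allowlist of known-good suffixes; it flags hex-chunk plus sequence-number labels per client and domain, then reassembles each channel in sequence order.

```python
import re
from collections import defaultdict

# Constructed sample log in an assumed "timestamp client qname" layout;
# the chunks are the four from the write-up, deliberately out of order.
SAMPLE_LOG = """\
09:31:02 192.168.1.42 erp.company.local
09:31:05 192.168.1.42 464f494c7b6330.1.exfil.badactor.cc
09:31:07 192.168.1.42 login.microsoftonline.com
09:31:09 192.168.1.42 346e6e336c5f64.3.exfil.badactor.cc
09:31:11 192.168.1.42 763372745f6368.2.exfil.badactor.cc
09:31:13 192.168.1.17 mail.company.local
09:31:15 192.168.1.42 6e735f37787d.4.exfil.badactor.cc
"""

# Label pattern from the write-up: <hex-chunk>.<sequence-number>.<domain>
HEX_SEQ_LABEL = re.compile(r"^([0-9a-fA-F]{2,63})\.(\d+)\.(.+)$")
# Assumed allowlist of suffixes that are normal for this workstation.
ALLOWLIST_SUFFIXES = (".company.local", "microsoftonline.com")


def find_hex_sequence_queries(log_text):
    """Return {(client, domain): [(seq, hex_chunk), ...]} for suspicious queries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the triage
        _ts, client, qname = parts
        if qname.endswith(ALLOWLIST_SUFFIXES):
            continue
        m = HEX_SEQ_LABEL.match(qname)
        if m and len(m.group(1)) % 2 == 0:  # whole bytes only
            hits[(client, m.group(3))].append((int(m.group(2)), m.group(1)))
    return hits


def reassemble(chunks):
    """Order chunks by sequence number, concatenate the hex, decode as ASCII."""
    ordered = [chunk for _, chunk in sorted(chunks)]
    return bytes.fromhex("".join(ordered)).decode("ascii", errors="replace")


def triage(log_text):
    """Map each (client, domain) channel to its reassembled payload."""
    return {key: reassemble(chunks)
            for key, chunks in find_hex_sequence_queries(log_text).items()}


if __name__ == "__main__":
    for (client, domain), payload in triage(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {payload}")
```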