love_bacon

Challenge

Imported from local notes.md.

Solution

Original Notes

love_bacon

Challenge Summary

  • Given: a DNS-only packet capture at starting_files/dns_c2.pcap.
  • Goal: identify the suspicious DNS activity and recover the flag.
  • Constraints: live CTF challenge, so the solution had to come from packet analysis instead of outside hints/writeups.

Initial Recon / Triage

  • Observations:
    • The capture contains exactly 2000 packets, all UDP/DNS.
    • Every request is for a subdomain of dawg.cwa.sec.
    • The leftmost DNS labels use only the Base32 alphabet A-Z2-7.
  • File identification:
    • dns_c2.pcap is a DNS exfiltration/C2 trace.
  • Entry points:
    • Inspect the DNS queries with tshark.
    • Test whether the labels decode as Base32.
    • Search for readable chunks inside individually decodable labels.

Hypotheses & Approach

  • Hypothesis 1: the query labels are carrying exfiltrated data in Base32.
  • Hypothesis 2: not every label is an independent chunk, but some labels are valid standalone Base32 strings and may leak plaintext directly.

Execution Steps (Reproducible)

Stage 1

Commands:

cd /root/dawg2026CTF/love_bacon/starting_files
capinfos dns_c2.pcap | head -n 20

tshark -r dns_c2.pcap -Y dns -T fields \
-e frame.number -e ip.src -e ip.dst -e dns.qry.name -e dns.flags.response | head -n 20

Results:

  • Confirmed the PCAP is entirely DNS traffic.
  • Requests come from 10.67.0.2 to 10.1.1.53.
  • Query labels look like Base32 payload chunks.

Stage 2

Commands:

cd /root/dawg2026CTF/love_bacon/artifacts

python3 scan_individual_labels.py
python3 map_flag_packets.py

Results:

  • Scanning individually decodable Base32 labels surfaced three clear plaintext chunks:
    • Frame 533 decoded to DawgCTF{s1zzlin
    • Frame 909 decoded to _succul3nt
    • Frame 1823 decoded to _c2_b4con}
  • Combining the readable fragments produced the flag:
    • DawgCTF{s1zzlin_succul3nt_c2_b4con}
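
The label scan described in Stage 2, as an added example. It is not the contents of artifacts/scan_individual_labels.py, which these notes do not show. It Base32-decodes the leftmost label of each query name and keeps only labels that decode to printable ASCII. The sample rows are constructed from the fragments and frame numbers listed above plus made-up noise labels; the function names and the 4-character minimum are assumptions.

```python
import base64
import binascii
import string

SUFFIX = ".dawg.cwa.sec"  # parent domain seen in every query in the capture
MIN_LEN = 4               # assumption: ignore very short decodes (likely noise)
PRINTABLE = set(string.printable) - set(string.whitespace)

def decode_label(label):
    """Return decoded bytes if label is standalone Base32 (A-Z2-7), else None."""
    label = label.upper().rstrip("=")
    padded = label + "=" * (-len(label) % 8)  # DNS labels drop '=' padding
    try:
        return base64.b32decode(padded)
    except (binascii.Error, ValueError):
        return None

def readable_chunks(rows):
    """rows: (frame number, query name) pairs, e.g. parsed from tshark fields."""
    hits = []
    for frame, qname in rows:
        qname = qname.rstrip(".").lower()
        if not qname.endswith(SUFFIX):
            continue
        raw = decode_label(qname.split(".", 1)[0])  # leftmost label only
        if not raw:
            continue
        text = raw.decode("ascii", errors="replace")
        if len(text) >= MIN_LEN and all(c in PRINTABLE for c in text):
            hits.append((frame, text))
    return hits

def make_qname(data):
    """Build a constructed query name carrying data as unpadded Base32."""
    return base64.b32encode(data).decode().rstrip("=") + SUFFIX

# Constructed sample: the three fragments and frame numbers reported above,
# mixed with made-up labels that are binary or not valid Base32.
SAMPLE = [
    (12, make_qname(bytes([0x8F, 0x02, 0xC4, 0x91, 0x7A, 0xEE, 0x10, 0x33]))),
    (533, make_qname(b"DawgCTF{s1zzlin")),
    (700, "ABC" + SUFFIX),
    (909, make_qname(b"_succul3nt")),
    (1200, make_qname(bytes(range(200, 215)))),
    (1823, make_qname(b"_c2_b4con}")),
]

if __name__ == "__main__":
    print(readable_chunks(SAMPLE))
```

On a real capture, the rows would come from the tshark field output shown in Stage 1 (frame.number and dns.qry.name).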

Artifacts Produced

  • artifacts/analyze_bacon.py
  • artifacts/inspect_payload.py
  • artifacts/map_flag_packets.py
  • artifacts/scan_individual_labels.py
  • artifacts/search_length_bacon.py
  • artifacts/valid_invalid_bacon.py

Flag

DawgCTF{s1zzlin_succul3nt_c2_b4con}