📋 Mission Brief
An employee’s workstation was flagged by the IDS for unusual network activity. The SOC captured 30 seconds of traffic from the machine. Something valuable was silently exfiltrated over the network — your job is to find what was stolen.
🎯 The Challenge
Download the ZIP, extract it, and open suspicious_traffic.pcap in Wireshark.
What to look for:
- Open Wireshark and load the PCAP file
- Apply the display filter: dns
- Examine each DNS query carefully — look at the “Name” column
- Normal DNS queries go to common domains. What looks unusual?
- Collect all suspicious subdomain labels in order, then decode them
Tools needed: Wireshark (free, all platforms) or tshark on Linux/macOS.
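The procedure above, carried through as an added worked example (this script is not part of the challenge files): it takes DNS query names in capture order, as Wireshark's Name column or `tshark -r suspicious_traffic.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name` would list them, keeps only the names under the attacker's domain, concatenates their subdomain labels, restores the `=` padding that a hostname cannot carry, and Base64-decodes the result. The domain is the one the hint names; the query names and the flag they decode to are constructed for the demo, not taken from the capture.

```python
import base64
import binascii
import sys

# Constructed sample input: DNS query names in capture order, as printed by
#   tshark -r suspicious_traffic.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name
# The attacker domain is the one named in the hint; the payload labels and the
# flag they decode to are invented for this example, not taken from the capture.
EXFIL_DOMAIN = "exfil-c2.xyz"
SAMPLE_QUERIES = [
    "www.example.com",
    "UGxhaW5s.eVNlY3tE.exfil-c2.xyz",   # two payload labels in one query
    "updates.example.org",
    "TlNfdHVu.bmVsX2Rl.exfil-c2.xyz",
    "TlNfdHVu.bmVsX2Rl.exfil-c2.xyz",   # retransmitted query: same chunk, must count once
    "exfil-c2.xyz",                     # apex lookup carries no payload
    "bW99.exfil-c2.xyz",
    "api.example.net",
]


def extract_chunks(query_names, domain):
    """Return the subdomain labels of every query under `domain`, in capture order."""
    suffix = "." + domain.lower()
    chunks = []
    previous = None
    for raw in query_names:
        name = raw.strip().rstrip(".")          # tshark may print a trailing dot
        if not name.lower().endswith(suffix):   # domain match is case-insensitive...
            continue
        if name == previous:                    # ...but a retransmit repeats the exact name
            continue
        previous = name
        subdomain = name[: -len(suffix)]        # keep the payload labels' original case
        chunks.extend(subdomain.split("."))
    return chunks


def decode_base64_labels(chunks):
    """Join the labels and Base64-decode them, restoring the '=' padding a hostname cannot carry."""
    joined = "".join(chunks)
    padded = joined + "=" * (-len(joined) % 4)
    # altchars also accepts the URL-safe alphabet ('-', '_') that tunnels use because '+'
    # and '/' are not valid hostname characters; validate=True turns any other character
    # into an error instead of silently dropping it, which would corrupt the output.
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def recover_flag(query_names, domain=EXFIL_DOMAIN):
    """Full pipeline: filter, order, join, decode; returns the decoded text."""
    data = decode_base64_labels(extract_chunks(query_names, domain))
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Pipe the tshark output in, or run with no input to use the constructed sample.
    names = list(sys.stdin) if not sys.stdin.isatty() else SAMPLE_QUERIES
    try:
        print(recover_flag(names))
    except binascii.Error as exc:
        print(f"decode failed ({exc}): a chunk is missing, or the data is not Base64",
              file=sys.stderr)
        sys.exit(1)
```

Two checks worth doing before trusting the output: the plain `dns` filter also shows the responses, which repeat each queried name, so take the chunks from queries only (`dns.flags.response == 0`) or you will decode every chunk twice; and Base64 is case-sensitive, so copy the labels exactly as sent. A padding error from the decoder means a chunk is missing or out of order, or the tunnel is using Base32 or hex rather than Base64.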
📁 Challenge File
Download the file and analyze it to find the flag.
💡 Hint
DNS tunneling works by encoding data inside DNS query names. Look for queries to an unusual domain like “exfil-c2.xyz”. Collect all the subdomain parts from those queries, join them together, and Base64-decode the result.
🚩 Submit Your Flag
Found the flag? Enter it below. Format: PlainlySec{...}