Kittens

A Cat has 9 Lives - payatu forensics challenge 2025

chall:

In the protocol hierarchy we can see :

It is best to take a look at what all domains the user went to , we can get that via tshark

tshark -r kittens.pcapng -Y "dns.flags.response == 0" -T fields -e dns.qry.name > queries.txt

also when we take a look at export objects in wireshark we get in http:

queries.txt

looks like this

Awfully lot of sillycat domain aint it?


www.google.com
www.google.com
ogads-pa.clients6.google.com
ogads-pa.clients6.google.com
www.youtube.com
www.youtube.com
play.google.com
play.google.com
fonts.gstatic.com
fonts.gstatic.com
i.ytimg.com
i.ytimg.com
t-ring-s.msedge.net
l-ring.msedge.net
dual-s-ring.msedge.net
accounts.google.com
accounts.google.com
googleads.g.doubleclick.net
googleads.g.doubleclick.net
rr4---sn-q4fl6ns6.googlevideo.com
rr4---sn-q4fl6ns6.googlevideo.com
www.google.com
www.google.com
www.google.co.in
www.google.co.in
ad.doubleclick.net
ad.doubleclick.net
yt3.ggpht.com
yt3.ggpht.com
play.google.com
play.google.com
rr4---sn-ci5gup-2o9s.googlevideo.com
rr4---sn-ci5gup-2o9s.googlevideo.com
static.doubleclick.net
static.doubleclick.net
encrypted-tbn0.gstatic.com
encrypted-tbn0.gstatic.com
lh3.googleusercontent.com
lh3.googleusercontent.com
www.googleadservices.com
www.googleadservices.com
tunnel.googlezip.net
ogads-pa.clients6.google.com
ogads-pa.clients6.google.com
encrypted-tbn0.gstatic.com
encrypted-tbn0.gstatic.com
tunnel.googlezip.net
play.google.com
play.google.com
encrypted-tbn2.gstatic.com
encrypted-tbn2.gstatic.com
encrypted-tbn1.gstatic.com
encrypted-tbn1.gstatic.com
www.youtube.com
www.youtube.com
www.youtube.com
www.youtube.com
i.ytimg.com
i.ytimg.com
googleads.g.doubleclick.net
googleads.g.doubleclick.net
static.doubleclick.net
static.doubleclick.net
jnn-pa.googleapis.com
jnn-pa.googleapis.com
tunnel.googlezip.net
lh3.googleusercontent.com
lh3.googleusercontent.com
waa-pa.clients6.google.com
waa-pa.clients6.google.com
encrypted-vtbn0.gstatic.com
encrypted-vtbn0.gstatic.com
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
en.wikipedia.org
en.wikipedia.org
upload.wikimedia.org
upload.wikimedia.org
meta.wikimedia.org
meta.wikimedia.org
content-autofill.googleapis.com
content-autofill.googleapis.com
tunnel.googlezip.net
tunnel.googlezip.net
tunnel.googlezip.net
www.reddit.com
www.reddit.com
array815.prod.do.dsp.mp.microsoft.com
array818.prod.do.dsp.mp.microsoft.com
array815.prod.do.dsp.mp.microsoft.com
www.redditstatic.com
www.redditstatic.com
auth.wikimedia.org
auth.wikimedia.org
login.wikimedia.org
login.wikimedia.org
w3-reporting.reddit.com
w3-reporting.reddit.com
o418887.ingest.sentry.io
o418887.ingest.sentry.io
error-tracking.reddit.com
error-tracking.reddit.com
styles.redditmedia.com
styles.redditmedia.com
preview.redd.it
preview.redd.it
external-preview.redd.it
external-preview.redd.it
emoji.redditmedia.com
emoji.redditmedia.com
i.redd.it
i.redd.it
b.thumbs.redditmedia.com
b.thumbs.redditmedia.com
id.rlcdn.com
id.rlcdn.com
www.google.com
www.google.com
accounts.google.com
accounts.google.com
ad-delivery.net
ad-delivery.net
alb.reddit.com
alb.reddit.com
content-autofill.googleapis.com
content-autofill.googleapis.com
www.gstatic.com
www.gstatic.com
www.google.com
www.google.com
fonts.gstatic.com
fonts.gstatic.com
w3-reporting-nel.reddit.com
w3-reporting-nel.reddit.com
v.redd.it
v.redd.it
chatgpt.com
chatgpt.com
cdn.oaistatic.com
cdn.oaistatic.com
ab.chatgpt.com
ab.chatgpt.com
content-autofill.googleapis.com
content-autofill.googleapis.com
chrome.google.com
chrome.google.com
api.msn.com
DESKTOP-MSCVCHF.local
DESKTOP-MSCVCHF.local
DESKTOP-MSCVCHF
DESKTOP-MSCVCHF
tunnel.googlezip.net
assets.msn.com
www.pinterest.com
www.pinterest.com
s.pinimg.com
s.pinimg.com
google-ohttp-relay-safebrowsing.fastly-edge.com
google-ohttp-relay-safebrowsing.fastly-edge.com
wpad.localdomain
v10.events.data.microsoft.com
www.pinterest.com
www.pinterest.com
wpad.local
wpad.local
wpad
wpad
wpad.local
wpad.local
i.pinimg.com
i.pinimg.com
v1.pinimg.com
v1.pinimg.com
c.aps.amazon-adsystem.com
c.aps.amazon-adsystem.com
wpad
wpad
wpad.local
wpad.local
wpad.local
wpad.local
www.recaptcha.net
www.recaptcha.net
accounts.google.com
accounts.google.com
wpad.localdomain
www.recaptcha.net
www.recaptcha.net
wpad.local
wpad
wpad
wpad.local
wpad.local
wpad.local
accounts.google.com
accounts.google.com
wpad
wpad
wpad.local
wpad.local
wpad.local
wpad.local
www.facebook.com
www.facebook.com
www.facebook.com
www.facebook.com
wpad.localdomain
wpad.local
wpad
wpad
wpad.local
play.google.com
play.google.com
wpad
wpad
wpad.local
wpad.local
tunnel.googlezip.net
c.pki.goog
3b46004bad61920021636f6d6d616e6420284445534b544f502d4d534356.4348462900.sillycats
506c014bad61929131.sillycats
3216014bad61929131.sillycats
51a8014bad61929131.sillycats
30a2014bad61929131.sillycats
12a7014bad61929131.sillycats
304f014bad61929131.sillycats
399f014bad61929131.sillycats
5f2a014bad61929131.sillycats
76e1014bad61929131.sillycats
00e9014bad61929131.sillycats
6417014bad61929131.sillycats
31cb014bad61929131.sillycats
googleads.g.doubleclick.net
googleads.g.doubleclick.net
2f50014bad61929131.sillycats
416c0066d300500001636d642e65786520284445534b544f502d4d534356.4348462900.sillycats
0891014bad6192913f000000068001000166d3.sillycats
0bb60166d30050e7a74d6963726f736f66742057696e646f7773205b5665.7273696f6e2031302e302e31393034352e353936355d0d0a286329204d69.63726f736f667420436f72706f726174696f6e2e20416c6c207269676874.732072657365727665642e0d0a0d0a433a5c55736572.sillycats
1ac1014bad619c913f.sillycats
12580166d300b7e7a7735c62616e6469743e.sillycats
32c30166d300c0e7a7.sillycats
0ad1014bad619c913f.sillycats
16fb0166d300c0e7a7.sillycats
1ae3014bad619c913f.sillycats
19930166d300c0e7a7.sillycats
01c0014bad619c913f.sillycats
64fb0166d300c0e7a7.sillycats
2cf3014bad619c913f.sillycats
37ec0166d300c0e7a7.sillycats
071c0166d300c0e7ae77686f616d690a6465736b746f702d6d7363766368.665c62616e6469740d0a0d0a433a5c55736572735c62616e6469743e.sillycats
74560166d300f1e7ae.sillycats
22ce014bad619c913f.sillycats
02010166d300f1e7ae.sillycats
play.google.com
play.google.com
4e33014bad619c913f.sillycats
50d40166d300f1e7ae.sillycats
2c4d014bad619c913f.sillycats
0ff50166d300f1e7ae.sillycats
36de0166d300f1e7b973797374656d696e666f0a.sillycats
463f0166d300fce7b9.sillycats
1861014bad619c913f.sillycats
2dc80166d300fce7b9.sillycats
2fa2014bad619c913f.sillycats
57690166d300fce7b90d0a486f7374204e616d653a202020202020202020.20202020202020204445534b544f502d4d5343564348460d0a4f53204e61.6d653a202020202020202020202020202020202020204d6963726f736f66.742057696e646f777320313020486f6d650d0a4f5320.sillycats
56cb0166d30163e7b956657273696f6e3a20202020202020202020202020.20202031302e302e3139303435204e2f41204275696c642031393034350d.0a4f53204d616e7566616374757265723a20202020202020202020204d69.63726f736f667420436f72706f726174696f6e0d0a4f.sillycats
7c840166d301cae7b95320436f6e66696775726174696f6e3a2020202020.20202020205374616e64616c6f6e6520576f726b73746174696f6e0d0a4f.53204275696c6420547970653a202020202020202020202020204d756c74.6970726f636573736f7220467265650d0a5265676973.sillycats
460a0166d30231e7b97465726564204f776e65723a202020202020202020.2062616e6469740d0a52656769737465726564204f7267616e697a617469.6f6e3a2020200d0a50726f647563742049443a2020202020202020202020.202020202030303332362d31303030302d3030303030.sillycats
547e0166d30298e7b92d41413532300d0a4f726967696e616c20496e7374.616c6c20446174653a2020202020362f32342f323032352c20373a31313a.353320414d0d0a53797374656d20426f6f742054696d653a202020202020.20202020362f32352f323032352c20333a35303a3237.sillycats
2e170166d302ffe7b920414d0d0a53797374656d204d616e756661637475.7265723a20202020202020564d776172652c20496e632e0d0a5379737465.6d204d6f64656c3a2020202020202020202020202020564d776172653230.2c310d0a53797374656d20547970653a202020202020.sillycats
10a8014bad619c913f.sillycats
01430166d30366e7b92020202020202020207836342d6261736564205043.0d0a50726f636573736f722873293a202020202020202020202020202031.2050726f636573736f7228732920496e7374616c6c65642e0d0a20202020.20202020202020202020202020202020202020202020.sillycats
1c8b0166d303cde7b9205b30315d3a20496e74656c36342046616d696c79.2036204d6f64656c20313730205374657070696e6720342047656e75696e.65496e74656c207e33303732204d687a0d0a42494f532056657273696f6e.3a2020202020202020202020202020564d776172652c.sillycats
61da0166d30434e7b920496e632e20564d573230312e3030562e32343030.363538362e4236342e323430363034323135342c20362f342f323032340d.0a57696e646f7773204469726563746f72793a202020202020202020433a.5c57696e646f77730d0a53797374656d204469726563.sillycats
39d40166d3049be7b9746f72793a20202020202020202020433a5c57696e.646f77735c73797374656d33320d0a426f6f74204465766963653a202020.2020202020202020202020205c4465766963655c486172646469736b566f.6c756d65310d0a53797374656d204c6f63616c653a20.sillycats
62f80166d30502e7b9202020202020202020202020656e2d75733b456e67.6c6973682028556e6974656420537461746573290d0a496e707574204c6f.63616c653a2020202020202020202020202020656e2d75733b456e676c69.73682028556e6974656420537461746573290d0a5469.sillycats
564f0166d30569e7b96d65205a6f6e653a20202020202020202020202020.20202020285554432d30383a30302920506163696669632054696d652028.555320262043616e616461290d0a546f74616c20506879736963616c204d.656d6f72793a2020202020342c303935204d420d0a41.sillycats
452c0166d305d0e7b97661696c61626c6520506879736963616c204d656d.6f72793a20363434204d420d0a5669727475616c204d656d6f72793a204d.61782053697a653a2020352c353033204d420d0a5669727475616c204d65.6d6f72793a20417661696c61626c653a20312c303734.sillycats
5fb60166d30637e7b9204d420d0a5669727475616c204d656d6f72793a20.496e205573653a20202020342c343239204d420d0a506167652046696c65.204c6f636174696f6e2873293a2020202020433a5c7061676566696c652e.7379730d0a446f6d61696e3a20202020202020202020.sillycats
2a700166d3069ee7b920202020202020202020574f524b47524f55500d0a.4c6f676f6e205365727665723a20202020202020202020202020205c5c44.45534b544f502d4d5343564348460d0a486f746669782873293a20202020.202020202020202020202020203620486f7466697828.sillycats
2c410166d30705e7b9732920496e7374616c6c65642e0d0a202020202020.2020202020202020202020202020202020202020205b30315d3a204b4235.3033313938380d0a20202020202020202020202020202020202020202020.20202020205b30325d3a204b42353031353638340d0a.sillycats
7567014bad619c913f.sillycats
20340166d3076ce7b9202020202020202020202020202020202020202020.2020202020205b30335d3a204b42353036303533330d0a20202020202020.20202020202020202020202020202020202020205b30345d3a204b423530.31343033320d0a202020202020202020202020202020.sillycats
35e50166d307d3e7b92020202020202020202020205b30355d3a204b4235.3033323930370d0a20202020202020202020202020202020202020202020.20202020205b30365d3a204b42353035393530340d0a4e6574776f726b20.436172642873293a202020202020202020202031204e.sillycats
57e10166d3083ae7b9494328732920496e7374616c6c65642e0d0a202020.2020202020202020202020202020202020202020202020205b30315d3a20.496e74656c2852292038323537344c2047696761626974204e6574776f72.6b20436f6e6e656374696f6e0d0a2020202020202020.sillycats
39200166d308a1e7b9202020202020202020202020202020202020202020.20202020436f6e6e656374696f6e204e616d653a2045746865726e657430.0d0a20202020202020202020202020202020202020202020202020202020.20202020204448435020456e61626c65643a20202020.sillycats
1ada0166d30908e7b95965730d0a20202020202020202020202020202020.202020202020202020202020202020202044484350205365727665723a20.202020203139322e3136382e31392e3235340d0a20202020202020202020.20202020202020202020202020202020202020202020.sillycats
1e260166d3096fe7b92049502061646472657373286573290d0a20202020.20202020202020202020202020202020202020202020202020202020205b.30315d3a203139322e3136382e31392e3133330d0a202020202020202020.20202020202020202020202020202020202020202020.sillycats
08420166d309d6e7b920205b30325d3a20666538303a3a613335303a3635.33343a376164333a623238370d0a48797065722d5620526571756972656d.656e74733a202020202020412068797065727669736f7220686173206265.656e2064657465637465642e20466561747572657320.sillycats
3f650166d30a3de7b9726571756972656420666f722048797065722d5620.77696c6c206e6f7420626520646973706c617965642e0d0a0d0a433a5c55.736572735c62616e6469743e.sillycats
15850166d30a7ce7b9.sillycats
686f014bad619c913f.sillycats
6fd70166d30a7ce7b9.sillycats
3b39014bad619c913f.sillycats
66500166d30a7ce7b9.sillycats
6a87014bad619c913f.sillycats
057e0166d30a7ce7bd6469720a20566f6c756d6520696e20647269766520.4320686173206e6f206c6162656c2e0d0a20566f6c756d65205365726961.6c204e756d62657220697320443437412d393136450d0a0d0a2044697265.63746f7279206f6620433a5c55736572735c62616e64.sillycats
174c0166d30ae3e7bd69740d0a0d0a30362f32352f32303235202030343a.333520414d202020203c4449523e202020202020202020202e0d0a30362f.32352f32303235202030343a333520414d202020203c4449523e20202020.2020202020202e2e0d0a30362f32342f323032352020.sillycats
4ebe0166d30b4ae7bd30383a303720414d202020203c4449523e20202020.2020202020202e7673636f64650d0a30362f32342f32303235202030373a.323320414d202020203c4449523e202020202020202020203344204f626a.656374730d0a30362f32342f32303235202030373a32.sillycats
3d1b0166d30bb1e7bd3320414d202020203c4449523e2020202020202020.2020436f6e74616374730d0a30362f32342f32303235202030383a323520.414d202020203c4449523e202020202020202020204465736b746f700d0a.30362f32352f32303235202030343a333420414d2020.sillycats
44ca0166d30c18e7bd20203c4449523e20202020202020202020446f6375.6d656e74730d0a30362f32352f32303235202030333a353120414d202020.203c4449523e20202020202020202020446f776e6c6f6164730d0a30362f.32342f32303235202030373a323320414d202020203c.sillycats
3dff0166d30c7fe7bd4449523e202020202020202020204661766f726974.65730d0a30362f32352f32303235202030343a333520414d202020202020.20202020203134322c3333362066756e6e796361742e6578650d0a30362f.32342f32303235202030373a323320414d202020203c.sillycats
34290166d30ce6e7bd4449523e202020202020202020204c696e6b730d0a.30362f32342f32303235202030373a323320414d202020203c4449523e20.2020202020202020204d757369630d0a30362f32342f3230323520203037.3a323620414d202020203c4449523e20202020202020.sillycats
58590166d30d4de7bd2020204f6e6544726976650d0a30362f32342f3230.3235202030383a313620414d202020203c4449523e202020202020202020.2050696374757265730d0a30362f32342f32303235202030373a32332041.4d202020203c4449523e202020202020202020205361.sillycats
79940166d30db4e7bd7665642047616d65730d0a30362f32342f32303235.202030373a323420414d202020203c4449523e2020202020202020202053.656172636865730d0a30362f32342f32303235202030383a313720414d20.2020203c4449523e2020202020202020202056696465.sillycats
31960166d30e1be7bd6f730d0a2020202020202020202020202020203120.46696c6528732920202020202020203134322c3333362062797465730d0a.2020202020202020202020202020313620446972287329202033352c3536.362c3531302c30383020627974657320667265650d0a.sillycats
616a014bad619c913f.sillycats
36d00166d30e82e7bd0d0a433a5c55736572735c62616e6469743e.sillycats
62c30166d30e94e7bd.sillycats
70bf014bad619c913f.sillycats
3dc90166d30e94e7bd.sillycats
1a87014bad619c913f.sillycats
385a0166d30e94e7bd.sillycats
w3-reporting-nel.reddit.com
w3-reporting-nel.reddit.com
6343014bad619c913f.sillycats
25270166d30e94e7bd.sillycats
505b014bad619c913f.sillycats
60c30166d30e94e7bd.sillycats
4b0a0166d30e94e7c3636420433a0a433a5c55736572735c62616e646974.0d0a0d0a433a5c55736572735c62616e6469743e.sillycats
4d690166d30ebde7c3.sillycats
0d9e014bad619c913f.sillycats
615b0166d30ebde7c3.sillycats
7554014bad619c913f.sillycats
65270166d30ebde7c3.sillycats
43ec014bad619c913f.sillycats
563d0166d30ebde7c3.sillycats
2836014bad619c913f.sillycats
57940166d30ebde7c3.sillycats
074f014bad619c913f.sillycats
7d520166d30ebde7c3.sillycats
08520166d30ebde7ca636420433a5c0a0d0a433a5c3e.sillycats
61b00166d30ecae7ca.sillycats
6296014bad619c913f.sillycats
20980166d30ecae7ca.sillycats
72da014bad619c913f.sillycats
64ac0166d30ecae7ca.sillycats
35f10166d30ecae7ce6469720a20566f6c756d6520696e20647269766520.4320686173206e6f206c6162656c2e0d0a20566f6c756d65205365726961.6c204e756d62657220697320443437412d393136450d0a0d0a2044697265.63746f7279206f6620433a5c0d0a0d0a30362f32352f.sillycats
6bb20166d30f31e7ce32303235202030323a343720414d20202020202020.202020202020202020323520666c61672e7478740d0a30362f32352f3230.3235202030323a313320414d202020203c4449523e202020202020202020.20696e65747075620d0a31322f30372f323031392020.sillycats
07c60166d30f98e7ce30323a313420414d202020203c4449523e20202020.202020202020506572664c6f67730d0a30362f32352f3230323520203032.3a313920414d202020203c4449523e2020202020202020202050726f6772.616d2046696c65730d0a30362f32342f323032352020.sillycats
219d0166d30fffe7ce30383a303020414d202020203c4449523e20202020.20202020202050726f6772616d2046696c65732028783836290d0a30362f.32342f32303235202030373a323820414d202020203c4449523e20202020.20202020202055736572730d0a30362f32352f323032.sillycats
7bd1014bad619c913f.sillycats
78b00166d31066e7ce35202030323a313420414d202020203c4449523e20.20202020202020202057696e646f77730d0a202020202020202020202020.202020312046696c65287329202020202020202020202020203235206279.7465730d0a2020202020202020202020202020203620.sillycats
60540166d310cde7ce446972287329202033352c3536352c3333302c3433.3220627974657320667265650d0a0d0a433a5c3e.sillycats
4a650166d310f6e7ce.sillycats
0ffe014bad619c913f.sillycats
20200166d310f6e7ce.sillycats
2dc0014bad619c913f.sillycats
13dd0166d310f6e7ce.sillycats
54f9014bad619c913f.sillycats
58540166d310f6e7ce.sillycats
3c45014bad619c913f.sillycats
35460166d310f6e7ce.sillycats
5393014bad619c913f.sillycats
2ff50166d310f6e7ce.sillycats
1653014bad619c913f.sillycats
00f10166d310f6e7ce.sillycats
30ce014bad619c913f.sillycats
2fc70166d310f6e7ce.sillycats
4411014bad619c913f.sillycats
022d0166d310f6e7ce.sillycats
15f3014bad619c913f.sillycats
2fbe0166d310f6e7ce.sillycats
63150166d310f6e7de696361636c7320666c61672e7478740a666c61672e.747874204255494c54494e5c41646d696e6973747261746f72733a284929.2846290a2020202020202020204e5420415554484f524954595c53595354.454d3a2849292846290a202020202020202020425549.sillycats
4c710166d3115de7de4c54494e5c55736572733a284929285258290a2020.202020202020204e5420415554484f524954595c41757468656e74696361.7465642055736572733a284929284d290a2020202020202020204d616e64.61746f7279204c6162656c5c48696768204d616e6461.sillycats
66f30166d311c4e7de746f7279204c6576656c3a284929284e57290a0a53.75636365737366756c6c792070726f63657373656420312066696c65733b.204661696c65642070726f63657373696e6720302066696c65730d0a0d0a.433a5c3e.sillycats
6b420166d31219e7de.sillycats
www.google.com
www.google.com
1261014bad619c913f.sillycats
67ca0166d31219e7de.sillycats
6303014bad619c913f.sillycats
60be0166d31219e7de.sillycats
6ea1014bad619c913f.sillycats
06860166d31219e7de.sillycats
0b72014bad619c913f.sillycats
486e0166d31219e7de.sillycats
1aa30166d31219e7ec7479706520666c61672e7478740a5041594154557b.53305f5468335f6334375f357033346b537d0d0a433a5c3e.sillycats
70210166d31246e7ec.sillycats
6ccd014bad619c913f.sillycats
www.youtube.com
www.youtube.com
2e690166d31246e7ec.sillycats
1017014bad619c913f.sillycats
4d6f0166d31246e7ec.sillycats
2635014bad619c913f.sillycats
7bec0166d31246e7ec.sillycats
3487014bad619c913f.sillycats
420a0166d31246e7ec.sillycats
4afe014bad619c913f.sillycats
7be80166d31246e7ec.sillycats
6e98014bad619c913f.sillycats
7efe0166d31246e7ec.sillycats
7a8c014bad619c913f.sillycats
26cf0166d31246e7ec.sillycats
3782014bad619c913f.sillycats
3ab20166d31246e7ec.sillycats
4a6a014bad619c913f.sillycats
419a0166d31246e7ec.sillycats
64cd014bad619c913f.sillycats
3a190166d31246e7ec.sillycats
5eac014bad619c913f.sillycats
1c1e0166d31246e7ec.sillycats
264d014bad619c913f.sillycats
571a0166d31246e7ec.sillycats
4c86014bad619c913f.sillycats
7a8f0166d31246e7ec.sillycats
745f014bad619c913f.sillycats
303c0166d31246e7ec.sillycats
232b014bad619c913f.sillycats
76550166d31246e7ec.sillycats
6a64014bad619c913f.sillycats
6d950166d31246e7ec.sillycats
36eb014bad619c913f.sillycats
620e0166d31246e7fa7479706520666c61672e7478740a5041594154557b.53305f5468335f6334375f357033346b537d0d0a433a5c3e.sillycats
497e0166d31273e7fa.sillycats
46f4014bad619c913f.sillycats
0a870166d31273e7fa.sillycats
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
7ce2014bad619c913f.sillycats
1f8a0166d31273e7fa.sillycats
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
374c014bad619c913f.sillycats
72d70166d31273e7fa.sillycats
010e0166d31273e80764656c20666c61672e7478740a433a5c666c61672e.7478740d0a4163636573732069732064656e6965642e0d0a0d0a433a5c3e.sillycats
4e5d0166d312a6e807.sillycats
0963014bad619c913f.sillycats
509f0166d312a6e807.sillycats
59ab014bad619c913f.sillycats
6f410166d312a6e807.sillycats
29bc014bad619c913f.sillycats
7cad0166d312a6e807.sillycats
0bbe014bad619c913f.sillycats
4eb20166d312a6e807.sillycats
69c1014bad619c913f.sillycats
42360166d312a6e807.sillycats
1e85014bad619c913f.sillycats
7c540166d312a6e807.sillycats
2034014bad619c913f.sillycats
03720166d312a6e807.sillycats
0eff014bad619c913f.sillycats
2b380166d312a6e807.sillycats
52d7014bad619c913f.sillycats
64760166d312a6e807.sillycats
1abc014bad619c913f.sillycats
5e500166d312a6e807.sillycats
5559014bad619c913f.sillycats
18500166d312a6e807.sillycats
6de60166d312a6e80c657869740a.sillycats
1d2f0266d353747265616d20636c6f73656400.sillycats
0984014bad619c913f.sillycats
2c68014bad619c913f.sillycats
0090014bad619c913f.sillycats
0090014bad619c913f.sillycats
2d04014bad619c913f.sillycats
2d04014bad619c913f.sillycats
2ca4014bad619c913f.sillycats
2ca4014bad619c913f.sillycats
6e16014bad619c913f.sillycats
6e16014bad619c913f.sillycats
2f3d014bad619c913f.sillycats
2f3d014bad619c913f.sillycats
09d8014bad619c913f.sillycats
09d8014bad619c913f.sillycats
i.ytimg.com
i.ytimg.com
5e3a014bad619c913f.sillycats
5e3a014bad619c913f.sillycats
467e014bad619c913f.sillycats
467e014bad619c913f.sillycats
yt3.ggpht.com
yt3.ggpht.com
5ab4014bad619c913f.sillycats
5ab4014bad619c913f.sillycats
googleads.g.doubleclick.net
googleads.g.doubleclick.net
play.google.com
play.google.com
1c07014bad619c913f.sillycats
1c07014bad619c913f.sillycats
4be1014bad619c913f.sillycats
4be1014bad619c913f.sillycats
en.wikipedia.org
en.wikipedia.org
upload.wikimedia.org
upload.wikimedia.org
28b4014bad619c913f.sillycats
28b4014bad619c913f.sillycats
1b02014bad619c913f.sillycats
1b02014bad619c913f.sillycats
rr3---sn-ci5gup-cvhe7.googlevideo.com
rr3---sn-ci5gup-cvhe7.googlevideo.com
65fc014bad619c913f.sillycats
65fc014bad619c913f.sillycats
2e80014bad619c913f.sillycats
2e80014bad619c913f.sillycats
6e0c014bad619c913f.sillycats
6e0c014bad619c913f.sillycats
51cf014bad619c913f.sillycats
51cf014bad619c913f.sillycats
chatgpt.com
chatgpt.com
cdn.oaistatic.com
cdn.oaistatic.com
2630014bad619c913f.sillycats
2630014bad619c913f.sillycats
ab.chatgpt.com
ab.chatgpt.com
www.google.com
www.google.com
04b0014bad619c913f.sillycats
04b0014bad619c913f.sillycats
3cc0014bad619c913f.sillycats
3cc0014bad619c913f.sillycats
27e4014bad619c913f.sillycats
27e4014bad619c913f.sillycats
encrypted-tbn0.gstatic.com
encrypted-tbn0.gstatic.com
x.com
x.com
abs.twimg.com
abs.twimg.com
api.twitter.com
api.twitter.com
video.twimg.com
video.twimg.com
t.co
t.co
pbs.twimg.com
pbs.twimg.com
abs-0.twimg.com
abs-0.twimg.com
api.x.com
api.x.com
accounts.google.com
accounts.google.com
browser-intake-datadoghq.com
browser-intake-datadoghq.com
www.reddit.com
www.reddit.com
www.redditstatic.com
www.redditstatic.com
preview.redd.it
preview.redd.it
analytics.google.com
analytics.google.com
stats.g.doubleclick.net
stats.g.doubleclick.net
www.google.co.in
www.google.co.in
w3-reporting-nel.reddit.com
w3-reporting-nel.reddit.com
www.google.com
www.google.com
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
obiworkstation._dosvc._tcp.local
error-tracking.reddit.com
error-tracking.reddit.com
www.redditstatic.com
www.redditstatic.com
www.reddit.com
www.reddit.com

strategy:

The sillycats domain (e.g., 3b46004bad61920021636f6d6d616e6420284445534b544f502d4d534356.4348462900.sillycats) stands out as suspicious, with long, hex-encoded subdomains, characteristic of dnscat2 exfiltration.
dnscat2 Query Structure:

dnscat2 encodes data in subdomains as hex strings, often with control bytes (first 9 bytes of decoded data) for session management.
Queries like 3b46004bad61920021636f6d6d616e6420284445534b544f502d4d534356.4348462900.sillycats contain hex-encoded data (e.g., 636f6d6d616e64 decodes to command).

The sequence ends with 1d2f0266d353747265616d20636c6f73656400.sillycats, indicating the stream closure (stream closed).

Key Observations: Several queries explicitly reference flag.txt (e.g., 620e0166d31246e7ec7479706520666c61672e7478740a5041594154557b53305f5468335f6334375f357033346b537d0d0a433a5c3e.sillycats). Decoding 5041594154557b53305f5468335f6334375f357033346b537d (hex) yields `PAYATU{S0_Th3_c47_5p34kS}` , which matches the CTF flag format flag{...}. The queries show commands executed on the victim machine (e.g., whoami, systeminfo, dir, type flag.txt), suggesting the attacker used dnscat2 to run commands and exfiltrate their output, including the flag.

we can decode the qeury with the code:


import binascii

def decode_sillycats_queries(query_file, target_domain):
    """
    Decode hex-encoded subdomains from sillycats DNS queries and extract the flag.
    Args:
        query_file (str): Path to the file containing DNS query names
        target_domain (str): The C2 domain (e.g., 'sillycats')
    Returns:
        str: Decoded data containing the flag or exfiltrated content
    """
    output = ""
    last_query = ""
    
    with open(query_file, 'r') as f:
        queries = f.readlines()
    
    for query in queries:
        query = query.strip()
        if query.endswith(target_domain):
            # Remove the target domain
            subdomain = query.replace("." + target_domain, "")
            # Split subdomains (dnscat2 may use multiple labels)
            subdomains = subdomain.split(".")
            try:
                # Decode hex-encoded subdomains
                decoded = ""
                for sub in subdomains:
                    if sub:  # Skip empty subdomains
                        decoded += binascii.unhexlify(sub).decode('utf-8', errors='ignore')
                # Skip first 9 bytes (dnscat2 control bytes) if applicable
                data = decoded[9:] if len(decoded) > 9 else decoded
                # Avoid duplicates
                if data and data != last_query:
                    output += data
                    last_query = data
            except (binascii.Error, UnicodeDecodeError):
                # Skip malformed or non-hex subdomains
                continue
    
    return output

def extract_flag(data):
    """
    Extract the flag from decoded data.
    """
    import re
    # Search for flag{...} pattern
    flag_pattern = r'flag\{[^{}]*\}'
    match = re.search(flag_pattern, data)
    if match:
        return match.group(0)
    
    # If no flag found, check for PAYATU{...} (as seen in data)
    payatu_pattern = r'PAYATU\{[^{}]*\}'
    match = re.search(payatu_pattern, data)
    if match:
        return match.group(0)
    
    return data  # Return raw data if no flag found

def main():
    import sys
    if len(sys.argv) != 2:
        print("Usage: python dns_sillycats_analyzer.py <query_file>")
        sys.exit(1)
    
    query_file = sys.argv[1]
    target_domain = "sillycats"
    
    # Decode queries
    decoded_data = decode_sillycats_queries(query_file, target_domain)
    
    # Extract flag
    flag = extract_flag(decoded_data)
    
    # Output results
    print("Flag:", flag)
    with open("decoded_output.txt", "w") as f:
        f.write(decoded_data)
    print("Full decoded data saved to decoded_output.txt")

if __name__ == "__main__":
    main()

Extract all sillycats subdomains, decode their hex content, and skip control bytes. Concatenate the decoded data to reconstruct the exfiltrated output. Search for flag{...} in the decoded data, as the flag is likely in the output of type flag.txt.

tshark -r kittens.pcapng -Y "dns.flags.response == 0" -T fields -e dns.qry.name > queries.txt

PAYATU{S0_Th3_c47_5p34kS}

PreviousPayatu Hiring Ctf 2025 NextTravel Agency

Last updated 6 months ago