# Level 2 - Dee Na Saw as a need

> We have detected and captured a stream of anomalous DNS network traffic sent out from one of the PALINDROME compromised servers. None of the domain names found are active. Either PALINDROME had shut them down or there's more to it than it seems.
>
> This level contains 2 flags and both flags can be found independently from the same pcap file as attached here.
>
> Flag 1 will be in this format, TISC{16 characters}.

We are provided with a PCAP capture containing some suspicious DNS traffic.

![](/files/g7QSIEMvKUPiZKc5g8bs)

The DNS queries follow the format d33d<2 numbers><7 characters>

### Part 1

After some analysis, I found that the 2 numbers ranged from 0 to 64. This would be base-64 encoding. Some scripting would help us to recover the encoded content.

```python
from scapy.all import *
from Crypto.Util.number import *
import base64

result = ''

scapy_cap = rdpcap('traffic.pcap')

b64_string = ''
std_base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

prev = ''
for packet in scapy_cap:
    qname = packet[DNSQR].qname.decode()
    curr = qname[4:][:2]
    b64_string += std_base64chars[int(curr) - 1]

b64_string = b64_string.encode()

missing_padding = len(b64_string) % 4
if missing_padding:
    b64_string += b'='* (4 - missing_padding)

result = base64.b64decode(b64_string)

with open('outfile', 'wb') as f:
    f.write(result)
```

It turns out the output was a Microsoft Word document.

```
$ file outfile
outfile: Microsoft OOXML
```

![](/files/sORjbeRnPBmzgTA7mr7N)

Since these documents are essentially zip files, I unzipped the Word document and did a recursive grep for the flag: `grep -r "TISC" .`

In `theme1.xml` lies the flag.

![](/files/hedup2Ya6SWev5v9giFQ)

### Part 2

The 2nd part (7 characters) comprised of upper case alphabets and numbers. This was base-32 encoding. The flag was hidden in the decoded output.

![](/files/RB73ex5ZWEqMDPIUf0BG)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ctf.zeyu2001.com/2021/the-infosecurity-challenge-tisc-2021/level-2-dee-na-saw-as-a-need.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.