Rogue is an Easy-rated HackTheBox Forensics challenge. You receive a single packet capture file. Three flags are hidden in three separate credential-theft and data-exfiltration scenarios, each at a different protocol layer. The Easy rating reflects that the techniques are well-documented — but encountering DNS tunnelling for the first time makes Flag 3 anything but easy.
Initial pcap triage
# Capinfos gives a summary without opening the full file
capinfos rogue.pcap
# File name:           rogue.pcap
# File type:           Wireshark/tcpdump/... - pcap
# File encapsulation:  Ethernet
# Packet size limit:   65535 bytes
# Number of packets:   8472
# File size:           2456 kB
# Data size:           2432 kB
# Duration:            312.543 secs
# Start time:          2023-06-10 14:22:10
# End time:            2023-06-10 14:27:22

# Protocol breakdown (protocol hierarchy statistics)
tshark -r rogue.pcap -q -z io,phs
# eth
#   ip
#     tcp
#       ftp         <-- cleartext credentials
#       ftp-data    <-- file transfer
#       http        <-- cleartext form submission
#     udp
#       dns         <-- tunnelling
Flag 1 — FTP credentials
FTP sends credentials in plaintext in the USER and PASS commands. Extract them directly:
# Quote the string literals inside the display filter; newer tshark releases
# reject unquoted values that look like field names
tshark -r rogue.pcap -Y 'ftp.request.command == "USER" || ftp.request.command == "PASS"' \
  -T fields -e frame.number -e ftp.request.command -e ftp.request.arg
# Output:
# 23  USER  ftpuser
# 25  PASS  s3cur3_ftp_p4ssw0rd

# Follow the full FTP session to see what was transferred:
tshark -r rogue.pcap -Y "ftp or ftp-data" -T fields \
  -e frame.time -e ftp.request.command -e ftp.request.arg -e ftp.response.code \
  | head -30
# Shows: LIST, RETR credentials.txt, QUIT
The downloaded file credentials.txt contained Flag 1: HTB{ftp_cr3d5_1n_pl41nt3xt}
Flag 2 — HTTP form POST
# Find all HTTP POST requests and dump their bodies
tshark -r rogue.pcap -Y 'http.request.method == "POST"' \
  -T fields -e frame.number -e http.request.uri -e http.file_data
# Output:
# 1204  /login  username=admin&password=HTB%7Bhttp_f0rm_p0st_l0g1n%7D&submit=Login
URL-decode the password field: HTB{http_f0rm_p0st_l0g1n} — that is Flag 2. The credentials were transmitted in the HTTP POST body without TLS, fully visible to any network observer.
Flag 3 — DNS tunnelling
DNS tunnelling encodes data in DNS query names. The receiving server decodes the subdomain labels and reassembles the data stream. It is commonly used for both C2 and data exfiltration because DNS traffic is rarely blocked outbound.
# Find DNS A queries with unusually long names. Use single quotes around the
# awk program: inside double quotes the shell expands $0 before awk sees it.
# dns.flags.response == 0 keeps only the queries, so responses (which carry
# the same dns.qry.name) do not show up as duplicates.
tshark -r rogue.pcap -Y 'dns.qry.type == 1 && dns.flags.response == 0' \
  -T fields -e dns.qry.name \
  | awk 'length($0) > 30' | head -20
# Output:
# 5a6d566b4c6d703062484d.tunnel.justruss.htb
# 7550356c5a585139644739.tunnel.justruss.htb
# 774b564852684c6d5a3159.tunnel.justruss.htb
# 57585a7a6332387a.tunnel.justruss.htb
The subdomains before .tunnel.justruss.htb are hex-encoded data. Extract them, put them back in capture order, strip the tunnel domain and decode the concatenated hex:
tshark -r rogue.pcap \
  -Y 'dns.qry.type == 1 && dns.flags.response == 0 && dns.qry.name contains "tunnel.justruss.htb"' \
  -T fields -e dns.qry.name -e frame.time_relative \
  | sort -k2 -n \
  | awk '{print $1}' \
  | sed 's/\.tunnel\.justruss\.htb$//' \
  | tr -d '\n' \
  | xxd -r -p
# Output: HTB{dns_tunn3l_d4t4_3xf1l}
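The shell pipeline above works for a clean capture, but it silently concatenates whatever it is given. The script below is an added example (not part of the original writeup) that does the same reassembly in Python over the `-T fields` output of the tshark command: it orders the queries by capture time, drops unrelated names and retransmitted duplicates, accepts payloads that span several labels, and refuses to decode an odd number of hex digits rather than producing garbage. The tunnel domain is the one from the challenge; the sample lines it builds are constructed for the example.

```python
"""Reassemble a hex-encoded DNS tunnel payload from tshark field output."""
import string
import sys

# Tunnel domain from the writeup; the sample lines below are constructed.
TUNNEL_DOMAIN = "tunnel.justruss.htb"
SAMPLE_PAYLOAD = b"constructed-sample-payload"


def parse_tshark_fields(text):
    """Parse '<dns.qry.name>\\t<frame.time_relative>' lines into (time, name)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, t = line.split("\t")[:2]
        rows.append((float(t), name.strip().rstrip(".")))
    return rows


def extract_hex(name, domain=TUNNEL_DOMAIN):
    """Return the hex string carried below the tunnel domain, or None when the
    name is not under that domain or its labels are not all hex digits."""
    suffix = "." + domain
    if not name.endswith(suffix):
        return None
    data = "".join(name[: -len(suffix)].split("."))  # payload may span labels
    if not data or any(c not in string.hexdigits for c in data):
        return None
    return data.lower()


def reassemble(rows, domain=TUNNEL_DOMAIN):
    """Order queries by capture time, drop unrelated names and retransmitted
    duplicates (same name seen twice in a row), then decode the joined hex."""
    parts, last = [], None
    for _, name in sorted(rows, key=lambda r: r[0]):
        data = extract_hex(name, domain)
        if data is None or name == last:
            continue
        parts.append(data)
        last = name
    joined = "".join(parts)
    if len(joined) % 2:
        raise ValueError("odd number of hex digits: a chunk is probably missing")
    return bytes.fromhex(joined)


def build_sample_lines(payload=SAMPLE_PAYLOAD, chunk=10):
    """Constructed tshark-style output: hex chunks of the payload as subdomains,
    emitted out of order, with one retransmitted chunk and an unrelated query."""
    hexdata = payload.hex()
    chunks = [hexdata[i:i + chunk] for i in range(0, len(hexdata), chunk)]
    rows = [(0.5 * i, f"{c}.{TUNNEL_DOMAIN}") for i, c in enumerate(chunks)]
    rows.append((0.51, rows[1][1]))          # retransmission of chunk 1
    rows.append((0.2, "www.example.com"))    # unrelated lookup in the capture
    rows.reverse()
    return "".join(f"{name}\t{t}\n" for t, name in rows)


if __name__ == "__main__":
    # Pipe the tshark output in, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else build_sample_lines()
    decoded = reassemble(parse_tshark_fields(text))
    sys.stdout.write(decoded.decode("utf-8", "replace") + "\n")
```

Run it as `tshark ... -T fields -e dns.qry.name -e frame.time_relative | python3 reassemble.py`; the duplicate check only catches back-to-back repeats, which is deliberate, since a tunnel that legitimately sends the same chunk twice far apart must not lose data.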
Detection perspective
From a defender standpoint, all three techniques are straightforward to detect with the right logging:
- FTP authentication events in firewall/proxy logs; any FTP session to a non-approved server is suspicious
- HTTP POST to login endpoints without TLS — enforce HTTPS, log all plain HTTP outbound
- DNS: query length threshold alerts (names over 50 characters), high query rate to a single domain, queries containing hex-like subdomains
# Zeek dns.log query for tunnelling indicators. The awk program goes in single
# quotes: in double quotes the shell would expand $1 and $2 before awk runs.
zeek-cut ts query answers < dns.log \
  | awk -F'\t' 'length($2) > 50 {print $1, length($2), $2}' \
  | sort -k2 -rn | head -20