Rogue | HTB Forensics (Easy)

11 November 2025 | 2 min read | justruss.tech

Rogue is an Easy-rated HackTheBox forensics challenge. One packet capture file, three flags hidden across three distinct credential theft and data exfiltration techniques. The Easy rating reflects that each individual technique is well-documented, but encountering DNS tunnelling for the first time makes Flag 3 far from obvious.

Initial pcap triage

capinfos rogue.pcap
# Number of packets: 8472
# Duration: 312 seconds

tshark -r rogue.pcap -q -z io,phs
# Shows: ftp, ftp-data, http, dns

Flag 1: FTP credentials

tshark -r rogue.pcap \
  -Y "ftp.request.command == USER || ftp.request.command == PASS" \
  -T fields -e frame.number -e ftp.request.command -e ftp.request.arg

# Output:
# 23    USER    ftpuser
# 25    PASS    s3cur3_ftp_p4ssw0rd

Following the full FTP TCP stream shows a RETR command downloading credentials.txt, which contains Flag 1.

Flag 2: HTTP POST form data

tshark -r rogue.pcap -Y "http.request.method == POST" \
  -T fields -e frame.number -e http.request.uri -e http.file_data

# Output:
# 1204  /login  username=admin&password=HTB%7Bhttp_f0rm_p0st%7D&submit=Login

URL decoding the password parameter gives Flag 2. Credentials sent over plain HTTP with no TLS are fully visible to any network observer.

Flag 3: DNS tunnelling

DNS tunnelling encodes data in DNS query names. The receiving server decodes the subdomain labels and reassembles the data. It is used for both C2 and data exfiltration because outbound DNS is almost never blocked.

tshark -r rogue.pcap -Y "dns.qry.type == 1" \
  -T fields -e dns.qry.name | awk 'length($0) > 30' | head -10
# awk program is single-quoted so the shell does not expand $0

# Returns long subdomains before .tunnel.justruss.htb

The subdomains are hex-encoded data. Extract, sort by frame time, and reassemble:

tshark -r rogue.pcap \
  -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name contains tunnel.justruss.htb" \
  -T fields -e dns.qry.name -e frame.time_relative \
  | sort -k2 -n \
  | awk '{print $1}' \
  | sed 's/\.tunnel\.justruss\.htb$//' \
  | tr -d "\n" \
  | xxd -r -p
# dns.flags.response == 0 keeps only the queries, so a name is not read twice when
# the response carries it back; single quotes stop the shell expanding $1, and the
# escaped dots make sed match the literal suffix rather than any character
# HTB{dns_tunn3l_d4t4_3xf1l}
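The same reassembly done in Python, alongside the detection heuristics the write-up mentions (long hex-like labels, many queries to one parent domain). This is an added example, not part of the original write-up; the tshark field output it parses is constructed sample data carrying the same flag.

```python
import re
from collections import Counter

# Domain used by the tunnel in this challenge (from the write-up).
TUNNEL_SUFFIX = ".tunnel.justruss.htb"
HEX_LABEL = re.compile(r"^[0-9a-f]+$")

# Constructed sample of `tshark -T fields -e dns.qry.name -e frame.time_relative`
# output (tab separated): deliberately out of order, with one benign query mixed in.
SAMPLE = (
    "5f337866316c7d.tunnel.justruss.htb\t14.902\n"
    "4854427b646e735f.tunnel.justruss.htb\t12.001\n"
    "www.example.com\t12.050\n"
    "74756e6e336c5f64347434.tunnel.justruss.htb\t13.250\n"
)

def parse_fields(text):
    """Turn tshark field output into (query_name, time_relative) pairs."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, t = line.split("\t")
        rows.append((name.lower().rstrip("."), float(t)))
    return rows

def reassemble(rows, suffix=TUNNEL_SUFFIX):
    """Order tunnel queries by capture time, strip the suffix, hex-decode the labels.
    Dots are removed so payloads split over several labels still decode."""
    chunks = sorted((t, name) for name, t in rows if name.endswith(suffix))
    hex_data = "".join(name[: -len(suffix)].replace(".", "") for _, name in chunks)
    return bytes.fromhex(hex_data)

def suspicious_queries(rows, min_len=30):
    """Heuristics from the detection section: names longer than min_len whose
    first label is pure hex, plus a query count per parent domain."""
    long_hex = []
    per_domain = Counter()
    for name, _ in rows:
        first, _, parent = name.partition(".")
        per_domain[parent] += 1
        if len(name) > min_len and HEX_LABEL.match(first):
            long_hex.append(name)
    return long_hex, per_domain

if __name__ == "__main__":
    rows = parse_fields(SAMPLE)
    print(reassemble(rows).decode())  # HTB{dns_tunn3l_d4t4_3xf1l}
    print(suspicious_queries(rows))
```

Point `parse_fields` at the real tshark output to run the same logic over the capture; the per-domain counter is the "high query rate to a single domain" signal when fed a whole dns.log.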

Detection perspective

All three techniques are detectable with the right logging. FTP authentication to non-approved servers should alert from firewall or proxy logs. HTTP POST to authentication endpoints without TLS should be caught by policies enforcing HTTPS. DNS tunnelling is detectable via query length thresholds in Zeek dns.log, high query rates to a single domain, and queries containing hex-like subdomains.