The hxp CTF 2017 irrgarten challenge:
Running the dig command (with added +short to reduce output) provided the following output:
    $ dig -t txt -p53535 @22.214.171.124 950ae439-d534-4b0c-8722-9ddcb97a50f6.maze.ctf.link +short
    "try" "down.<domain>"
Playing around with it we figured out you can prepend “up”, “down”, “left” and “right” to the records to navigate a maze:
    $ dig -t txt -p53535 @126.96.36.199 down.950ae439-d534-4b0c-8722-9ddcb97a50f6.maze.ctf.link +short
    569b8ba8-ac9a-4d60-a816-10d13b3d7021.maze.ctf.link.
    $ dig -t txt -p53535 @188.8.131.52 down.569b8ba8-ac9a-4d60-a816-10d13b3d7021.maze.ctf.link +short
    b55b6358-6f9a-4a2c-b68a-211f56c88df9.maze.ctf.link.
    $ dig -t txt -p53535 @184.108.40.206 left.b55b6358-6f9a-4a2c-b68a-211f56c88df9.maze.ctf.link +short
    $
An empty reply probably means that there is a wall in the way; otherwise you get the DNS record of the next tile.
To solve it and figure out how big the maze is, this very inefficient Python script was created:
    #!/usr/bin/env python3
    import subprocess

    todo = ['950ae439-d534-4b0c-8722-9ddcb97a50f6.maze.ctf.link.']
    done = []
    directions = ['up', 'down', 'left', 'right']


    def dig(server, name):
        # Pass an argument list instead of shell=True: tile names come from
        # the server's replies and must never be interpreted by a shell.
        return subprocess.check_output(
            ['/usr/bin/dig', '+short', '-t', 'ANY', '-p53535', server, name],
            text=True).strip()


    while todo:
        # Iterate over a snapshot, because todo is modified inside the loop.
        for tile in list(todo):
            # Query the bare tile name as well, in case it holds the flag.
            check = dig('@220.127.116.11', tile)
            print(check)
            for direction in directions:
                fqdn = direction + '.' + tile
                output = dig('@18.104.22.168', fqdn)
                # An empty reply means a wall; anything else is the next tile.
                if output:
                    if output not in done:
                        todo.append(output)
                        print(output)
            todo.remove(tile)
            done.append(tile)
This basically loops over all known tiles and checks whether there is an accessible tile next to each one in all 4 directions. If there is, it adds it to the todo list and moves on. All newly found tiles get written to stdout. The base FQDN without the direction prepended is also queried, since this is where we suspected the flag would be found.
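A breadth-first version of the same crawl, as an added example that is not part of the original write-up: a set of visited tiles means every tile is expanded once, so the walk costs exactly five queries per tile. The resolver is injected; `make_resolver`, the `maze.example` zone, the tile names and the 3x3 grid are constructed stand-ins for the CTF server so that the block runs offline.

```python
from collections import deque

DIRECTIONS = {"up": (-1, 0), "down": (1, 0), "left": (0, -1), "right": (0, 1)}
GRID = ["S.#",   # constructed 3x3 maze: '#' wall, 'F' tile holding the flag text
        "#.#",
        "..F"]

def make_resolver(grid, zone="maze.example"):
    """Constructed stand-in for the DNS server; returns (resolve, query_log)."""
    def name(r, c):
        return f"t{r}-{c}.{zone}"
    cells = {name(r, c): (r, c) for r, row in enumerate(grid)
             for c, ch in enumerate(row) if ch != "#"}
    log = []

    def resolve(qname):
        log.append(qname)
        head, _, rest = qname.partition(".")
        if head in DIRECTIONS and rest in cells:
            (r, c), (dr, dc) = cells[rest], DIRECTIONS[head]
            target = name(r + dr, c + dc)
            return [target] if target in cells else []   # [] means wall
        if qname in cells and grid[cells[qname][0]][cells[qname][1]] == "F":
            return ["constructed-flag"]
        return []
    return resolve, log

def crawl(start, resolve):
    """Breadth-first walk of the maze; each tile is expanded exactly once."""
    seen, queue, notes = {start}, deque([start]), {}
    while queue:
        tile = queue.popleft()
        txt = resolve(tile)            # bare tile name: may carry extra text
        if txt:
            notes[tile] = txt
        for direction in DIRECTIONS:
            for nxt in resolve(f"{direction}.{tile}"):
                nxt = nxt.rstrip(".")  # dig prints names with a trailing dot
                if nxt not in seen:    # O(1) set lookup instead of list scans
                    seen.add(nxt)
                    queue.append(nxt)
    return seen, notes

if __name__ == "__main__":
    resolve, log = make_resolver(GRID)
    seen, notes = crawl("t0-0.maze.example", resolve)
    print(len(seen), "tiles,", len(log), "queries,", notes)
```

Against a live server, `resolve` would wrap a `dig +short` call made with an argument list rather than a shell string, because the names it is handed come from server replies.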
While this was running we were trying to implement a more efficient solution but it captured the flag after around 28’000 tiles:
the same here haha
“While this was running we were trying to implement a more efficient solution but it captured the flag”