It wasn't me
Challenge Description
Love them pcap files yet?
Flag: Raptor{DNS_<3s_U}
Provided: chal3_dns_c2.pcapng
Solution
The filename says it all: dns_c2. DNS command-and-control traffic tunnels data through DNS queries and responses, encoding payloads as subdomains or TXT records so that it blends in with normal traffic.
strings first, same as Networking 1:
strings chal3_dns_c2.pcapng
Scrolling through the output, a PowerShell one-liner surfaces:
$h=('5261'+'7074'+'6f72'+'7b44'+'4e53'+'5f3c'+'3373'+'5f55'+'7d') -join '';
$o=([Text.Encoding]::ASCII).GetString(
(0..(($h.Length/2)-1)|%{[Convert]::ToByte($h.Substring($_*2,2),16)})
);
Write-Output $o
The script concatenates hex string chunks, then converts each pair of hex characters to a byte and decodes the result as ASCII. Breaking out the hex:
5261 7074 6f72 7b44 4e53 5f3c 3373 5f55 7d
Decoding:
Raptor{DNS_<3s_U}
What the PowerShell Does
The script is straightforward hex-to-ASCII decoding, just split across concatenated string chunks to make it slightly less obvious at a glance:
$h assembles the full hex string by joining the chunks
0..(($h.Length/2)-1) generates one index per byte (each byte is a pair of hex characters)
[Convert]::ToByte($h.Substring($_*2,2),16) converts each two-character hex slice to a byte
[Text.Encoding]::ASCII.GetString(...) decodes the byte array to a string
Splitting the payload across concatenated string literals is a common PowerShell obfuscation technique for evading simple string-match detection: a tool looking for Raptor{ as a literal string would not find it in the raw script, and even the full hex form never appears as a single contiguous literal.
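As an added example (not part of the original writeup), the following Python script automates the manual step above from the analyst's side: it pulls every quoted hex chunk out of a script statement, joins them in source order the way the PowerShell + and -join '' do at runtime, and decodes the result, so the string that a literal grep for Raptor{ cannot see in the raw script is surfaced anyway. The sample script is the one-liner recovered above, collapsed onto one line; the function names and the statement-splitting heuristic (split on ';' or newline) are my own assumptions.

```python
from __future__ import annotations

import re
import string

# Constructed sample: the PowerShell one-liner recovered from the pcap above,
# collapsed onto one line the way `strings` output often presents it.
SAMPLE_SCRIPT = (
    "$h=('5261'+'7074'+'6f72'+'7b44'+'4e53'+'5f3c'+'3373'+'5f55'+'7d') -join '';"
    "$o=([Text.Encoding]::ASCII).GetString("
    "(0..(($h.Length/2)-1)|%{[Convert]::ToByte($h.Substring($_*2,2),16)}));"
    "Write-Output $o"
)

# One quoted chunk of hex digits, e.g. '5261' or "7d". Empty quotes ('') do
# not match, so the -join '' argument is ignored.
HEX_CHUNK = re.compile(r"""['"]([0-9a-fA-F]+)['"]""")


def join_hex_chunks(statement: str) -> str:
    """Reassemble the quoted hex chunks of one statement in source order,
    mirroring what the '+' concatenation and -join '' do at runtime."""
    return "".join(HEX_CHUNK.findall(statement))


def decode_hex_payload(hexstr: str) -> bytes | None:
    """Decode an even-length hex string; None when it is empty, odd-length
    or not hex at all."""
    if not hexstr or len(hexstr) % 2:
        return None
    try:
        return bytes.fromhex(hexstr)
    except ValueError:
        return None


def is_printable_ascii(data: bytes) -> bool:
    """True when every byte is printable ASCII (letters, digits, punctuation,
    whitespace), the usual sign that a decoded chunk is text rather than noise."""
    return all(chr(b) in string.printable for b in data)


def recover_strings(script: str) -> list[str]:
    """Split a script into statements (assumption: ';' or newline separated),
    join each statement's hex chunks, and return the ones that decode to
    printable text. These are exactly the strings a literal grep misses."""
    found = []
    for stmt in re.split(r"[;\n]", script):
        data = decode_hex_payload(join_hex_chunks(stmt))
        if data and is_printable_ascii(data):
            found.append(data.decode("ascii"))
    return found


if __name__ == "__main__":
    for s in recover_strings(SAMPLE_SCRIPT):
        print(s)  # prints Raptor{DNS_<3s_U}
```

The printable-ASCII check is what separates real text from the many short hex-looking literals in ordinary scripts; chunks that decode to binary garbage are dropped rather than reported.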
Key Takeaways
DNS C2 is a well-established exfiltration technique because DNS traffic is rarely blocked and often poorly monitored. Payloads get encoded (hex, base64, or custom schemes) and passed through DNS queries, and the receiver decodes them on the other side. In a real incident this pcap would warrant a much closer look at every DNS query, but for the CTF strings was enough to surface the encoded payload directly.
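To make the "closer look at every DNS query" point concrete, here is an added Python example (not from the original writeup and not the challenge's own tooling) that goes one step beyond this pcap: it takes a list of queried names in arrival order, treats leading labels that are even-length hex as encoded chunks, groups them by the remaining zone, and reassembles the carried bytes, which is how a hex-over-subdomain tunnel shows up in a resolver log. The query names, the zone exfil.example.net and the minimum-size threshold are constructed assumptions.

```python
from __future__ import annotations

from collections import defaultdict

HEX_DIGITS = frozenset("0123456789abcdef")

# Constructed resolver log: one queried name per line, in arrival order.
# The exfil.example.net names carry the same 17 bytes as the PowerShell
# payload, split into even-length hex labels (two chunks per query, then the
# remainder). cafe.example.org is an innocent-looking name that happens to
# be valid hex and shows why a minimum-size threshold is needed.
SAMPLE_QUERIES = [
    "www.example.com",
    "52617074.6f727b44.exfil.example.net",
    "4e535f3c.33735f55.exfil.example.net",
    "7d.exfil.example.net",
    "cafe.example.org",
    "mail.example.com",
]


def is_hex_label(label: str) -> bool:
    """Even-length, non-empty, hex digits only: the shape of a byte-encoded label."""
    return len(label) >= 2 and len(label) % 2 == 0 and set(label) <= HEX_DIGITS


def split_name(name: str) -> tuple[list[str], str]:
    """Separate the leading hex-looking labels (the carried data) from the
    rest of the name (the zone the tunnel endpoint is authoritative for)."""
    labels = name.lower().rstrip(".").split(".")
    data = []
    for label in labels:
        if not is_hex_label(label):
            break
        data.append(label)
    return data, ".".join(labels[len(data):])


def reassemble(queries: list[str], min_hex_chars: int = 8) -> dict[str, bytes]:
    """Collect hex labels per zone in arrival order and decode them.
    Zones carrying fewer than min_hex_chars hex characters in total are
    dropped: short, innocent hex-looking words ("cafe", "ad", "c2") would
    otherwise produce false positives."""
    chunks: dict[str, list[str]] = defaultdict(list)
    for name in queries:
        data, zone = split_name(name)
        if data:
            chunks[zone].extend(data)
    payloads = {}
    for zone, labels in chunks.items():
        joined = "".join(labels)
        if len(joined) >= min_hex_chars:
            payloads[zone] = bytes.fromhex(joined)
    return payloads


def summarize(queries: list[str]) -> dict[str, int]:
    """Number of queries per zone that carried at least one hex label; a
    volume signal to read alongside the decoded content."""
    counts: dict[str, int] = defaultdict(int)
    for name in queries:
        data, zone = split_name(name)
        if data:
            counts[zone] += 1
    return dict(counts)


if __name__ == "__main__":
    counts = summarize(SAMPLE_QUERIES)
    for zone, payload in reassemble(SAMPLE_QUERIES).items():
        print(zone, counts[zone], payload)  # exfil.example.net 3 b'Raptor{DNS_<3s_U}'
```

The threshold only partially solves the ambiguity: a zone name that is itself valid hex (the label c2, say) would be swallowed into the data part, and a tunnel using base64 or a custom alphabet would not match at all. In practice the decoded content is one signal among several, with query volume per zone, label length and entropy, and the share of NXDOMAIN or TXT answers making up the rest.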
The three network challenges in this event formed a nice progression: plaintext in strings (Network 1), TLS decryption with a key file (Network 2), and encoded payload in DNS C2 traffic (Network 3). Each one needed a slightly different lens, but strings as a first pass stayed useful all the way through.