Want to run this Docker container locally?
docker run -d --cap-add=NET_ADMIN -p 5354:53/udp -p 9025:80 --name Flag-red46 --restart always joshbeck2024/ctf-dns-firewall-bypass-flag-red46
IP Address: 172.25.200.200
Web Server: Port 9025 (It will seem broken!)
Here’s the scenario:
- Your internal team has identified the node responsible for resolving DNS requests within the organization at the IP Address above.
- Hosts on the internal subnet, which you don’t have access to, utilize this machine as their DNS server. It is responsible for resolving domain names outside of the organization, like Google.com. It is configured to use an external resolver on port 5354.
- The firewall rules are very strict, and this machine only allows outbound connections on port 5354.
- It has a web server listening on port 9025.
The flag is on the web server in index.html
(1000 pts)
This is a firewall bypass. Here’s what we know:
- The target only allows data out on port 5353.
- Therefore, we need to specify a source port of 5353 for all requests. That way when the server responds, it will respond using port 5353 which is allowed out.
# Bind the client side to the port the scenario says is allowed out, so the server's reply carries that destination port; \r\n is the HTTP line ending (the doubled backslashes were an escaping artifact), and Connection: close lets ncat exit once the page is returned.
printf 'GET /index.html HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: nc/0.0.1\r\nAccept: */*\r\nConnection: close\r\n\r\n' | ncat --source-port 5354 172.25.200.200 9025
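To show why the trick works and what closes it, here is an added example (not the writeup's command nor the rules baked into the challenge image): the port-only egress policy that lets a chosen source port walk a reply out, next to a stateful rule set for the same DNS forwarder. The resolver address, the LAN range and the exact rule shapes are assumptions; setting IPT="echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the writeup's or the challenge image's own rules.
# Assumptions: RESOLVER and LAN are placeholder values; DNS_PORT 5354 is the
# one outbound port the scenario names. Set IPT="echo iptables" to print the
# rules instead of applying them.
IPT="${IPT:-iptables}"
RESOLVER="${RESOLVER:-203.0.113.53}"      # placeholder upstream resolver (TEST-NET-3)
LAN="${LAN:-10.0.0.0/24}"                 # placeholder internal subnet
DNS_PORT="${DNS_PORT:-5354}"

# Weak policy, the shape that makes the source-port trick work: egress is
# judged on the destination port alone, so the web server's TCP reply to a
# client that bound its own source port to 5354 looks like DNS traffic as
# far as this firewall can tell.
weak_rules() {
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -p udp --dport "$DNS_PORT" -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport "$DNS_PORT" -j ACCEPT
}

# Hardened policy: both directions default to DROP, reply packets are
# admitted by conntrack state rather than by port number, and the only NEW
# flows are the two the forwarder needs. No SYN ever reaches port 80, so
# there is no reply for a chosen source port to carry out.
hardened_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -p udp -s "$LAN" --dport 53 \
         -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p udp -d "$RESOLVER" --dport "$DNS_PORT" \
         -m conntrack --ctstate NEW -j ACCEPT
}

# Usage (rules.sh is whatever name you save this under):
#   IPT="echo iptables" sh rules.sh weak      # print the weak set
#   sh rules.sh hardened                      # apply the stateful set
case "${1:-}" in
    weak)     weak_rules ;;
    hardened) hardened_rules ;;
esac
```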