Syndicate Infrastructure: DNS Enumeration CTF Writeup

Barely Tame CTF Player. Debugging Addict. Worshipper of Wi-Fi Signals. Human? Depends on the Ping.

Challenge Description

Category: Miscellaneous
Author: qvipin

⚠️ Bruteforcing subdomains is not required and will result in disqualification. Follow the records.

Our monitoring systems have flagged suspicious DNS activity originating from a domain registered by the KRAMPUS SYNDICATE. Initial analysis suggests they're using it to coordinate operations against crucial North Pole systems.

The domain in question: krampus.csd.lol

We need you to perform a full DNS reconnaissance sweep. The Syndicate thinks they're clever, hiding their infrastructure in plain sight but they're wrong.

Map their infrastructure. Find what they're hiding. Report back before they realize we're onto them.

- NPLD Threat Intelligence Division

Note: All the information you need is in the DNS records. Dig deep.


Solution Walkthrough

Initial TXT Record Enumeration

The investigation begins with a TXT lookup on the root domain:

❯ dig TXT krampus.csd.lol @8.8.8.8

; <<>> DiG 9.20.15-2-Debian <<>> krampus.csd.lol TXT @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14981
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;krampus.csd.lol.    IN    TXT

;; ANSWER SECTION:
krampus.csd.lol.    300    IN    TXT    "v=spf1 include:_spf.krampus.csd.lol -all"

;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Thu Dec 04 10:42:19 IST 2025
;; MSG SIZE  rcvd: 97

A simple SPF record—not useful for the flag, but confirms DNS TXT retrieval works.

Attempting an ANY Query

❯ dig ANY krampus.csd.lol @8.8.8.8

; <<>> DiG 9.20.15-2-Debian <<>> krampus.csd.lol ANY @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47645
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;krampus.csd.lol.    IN    ANY

;; ANSWER SECTION:
krampus.csd.lol.    3358    IN    HINFO    "RFC8482" ""

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (TCP)
;; WHEN: Thu Dec 04 10:40:47 IST 2025
;; MSG SIZE  rcvd: 65

Note: Many DNS servers no longer give a full answer to ANY queries, to reduce load and prevent abuse, as per RFC 8482; the HINFO "RFC8482" record above is that minimal response. So we proceed with more targeted queries.

Checking DMARC Policy

DMARC often reveals internal mail routing hints.

❯ dig TXT _dmarc.krampus.csd.lol

; <<>> DiG 9.20.15-2-Debian <<>> TXT _dmarc.krampus.csd.lol
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50361
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_dmarc.krampus.csd.lol.        IN    TXT

;; ANSWER SECTION:
_dmarc.krampus.csd.lol.    300    IN    TXT    "v=DMARC1; p=reject; rua=mailto:dmarc@krampus.csd.lol; ruf=mailto:forensics@ops.krampus.csd.lol; fo=1; adkim=s; aspf=s"

;; Query time: 88 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Dec 04 11:35:52 IST 2025
;; MSG SIZE  rcvd: 181

This record exposes two interesting mailboxes:

  • dmarc@krampus.csd.lol

  • forensics@ops.krampus.csd.lol → reveals subdomain ops.

Enumerating ops Subdomain

❯ dig TXT ops.krampus.csd.lol

; <<>> DiG 9.20.15-2-Debian <<>> TXT ops.krampus.csd.lol
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63404
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ops.krampus.csd.lol.        IN    TXT

;; ANSWER SECTION:
ops.krampus.csd.lol.    300    IN    TXT    "internal-services: _ldap._tcp.krampus.csd.lol _kerberos._tcp.krampus.csd.lol _metrics._tcp.krampus.csd.lol"

;; Query time: 244 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Dec 04 11:37:45 IST 2025
;; MSG SIZE  rcvd: 167

This TXT record openly discloses internal services:

  • _ldap._tcp.krampus.csd.lol

  • _kerberos._tcp.krampus.csd.lol

  • _metrics._tcp.krampus.csd.lol

This is atypical in a real environment but intentional for a CTF.

Querying SRV Records

These SRV lookups reveal new subdomains: dc01 and beacon.

❯ dig -t SRV _ldap._tcp.krampus.csd.lol

; <<>> DiG 9.20.15-2-Debian <<>> -t SRV _ldap._tcp.krampus.csd.lol
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45160
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.krampus.csd.lol.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.krampus.csd.lol. 300    IN    SRV    0 0 389 dc01.krampus.csd.lol.

;; ADDITIONAL SECTION:
dc01.krampus.csd.lol.    300    IN    A    203.0.113.1

;; Query time: 24 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Dec 04 11:40:06 IST 2025
;; MSG SIZE  rcvd: 116

LDAP → dc01.krampus.csd.lol

❯ dig -t SRV _kerberos._tcp.krampus.csd.lol

; <<>> DiG 9.20.15-2-Debian <<>> -t SRV _kerberos._tcp.krampus.csd.lol
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42736
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_kerberos._tcp.krampus.csd.lol.    IN    SRV

;; ANSWER SECTION:
_kerberos._tcp.krampus.csd.lol.    300 IN    SRV    0 0 88 dc01.krampus.csd.lol.

;; ADDITIONAL SECTION:
dc01.krampus.csd.lol.    300    IN    A    203.0.113.1

;; Query time: 12 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Dec 04 11:40:46 IST 2025
;; MSG SIZE  rcvd: 120

Kerberos → also dc01

❯ dig -t SRV _metrics._tcp.krampus.csd.lol

; <<>> DiG 9.20.15-2-Debian <<>> -t SRV _metrics._tcp.krampus.csd.lol
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58240
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_metrics._tcp.krampus.csd.lol.    IN    SRV

;; ANSWER SECTION:
_metrics._tcp.krampus.csd.lol. 300 IN    SRV    0 0 443 beacon.krampus.csd.lol.

;; ADDITIONAL SECTION:
beacon.krampus.csd.lol.    300    IN    A    203.0.113.2

;; Query time: 24 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Dec 04 11:40:54 IST 2025
;; MSG SIZE  rcvd: 123

Metrics → beacon.krampus.csd.lol
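
The pivots followed so far (the DMARC ruf address, the ops TXT record, the SRV targets) can be collected mechanically, which is also how a zone owner can audit what their own published records give away. This is an added example, not part of the original writeup; the answer lines are whitespace-normalised copies of the dig output above, and `parse_answer` and `disclosed_names` are illustrative names.

```python
import re

# Answer-section lines from the dig output above, whitespace-normalised.
ANSWERS = [
    'krampus.csd.lol. 300 IN TXT "v=spf1 include:_spf.krampus.csd.lol -all"',
    '_dmarc.krampus.csd.lol. 300 IN TXT "v=DMARC1; p=reject; '
    'rua=mailto:dmarc@krampus.csd.lol; '
    'ruf=mailto:forensics@ops.krampus.csd.lol; fo=1; adkim=s; aspf=s"',
    'ops.krampus.csd.lol. 300 IN TXT "internal-services: '
    '_ldap._tcp.krampus.csd.lol _kerberos._tcp.krampus.csd.lol '
    '_metrics._tcp.krampus.csd.lol"',
    "_ldap._tcp.krampus.csd.lol. 300 IN SRV 0 0 389 dc01.krampus.csd.lol.",
    "_kerberos._tcp.krampus.csd.lol. 300 IN SRV 0 0 88 dc01.krampus.csd.lol.",
    "_metrics._tcp.krampus.csd.lol. 300 IN SRV 0 0 443 beacon.krampus.csd.lol.",
]


def parse_answer(line):
    """Split one answer line into (owner, rtype, rdata)."""
    owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
    return owner.rstrip(".").lower(), rtype.upper(), rdata


def disclosed_names(lines, zone):
    """Map every in-zone name mentioned in rdata to the records naming it."""
    label = r"[A-Za-z0-9_-]+\."
    name_re = re.compile(
        r"(?<![A-Za-z0-9_.-])((?:" + label + r")+" + re.escape(zone) + r")"
        r"(?!\.?[A-Za-z0-9_-])",
        re.IGNORECASE,
    )
    seen = {}
    for line in lines:
        owner, rtype, rdata = parse_answer(line)
        for match in name_re.finditer(rdata):
            name = match.group(1).lower()
            if name != owner:  # a record pointing at itself is not a new lead
                seen.setdefault(name, []).append(f"{rtype} {owner}")
    return seen


if __name__ == "__main__":
    for name, sources in disclosed_names(ANSWERS, "krampus.csd.lol").items():
        print(f"{name:32} <- {', '.join(sources)}")
```
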

Investigating dc01 and beacon

❯ dig TXT dc01.krampus.csd.lol @8.8.8.8

; <<>> DiG 9.20.15-2-Debian <<>> TXT dc01.krampus.csd.lol @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13088
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dc01.krampus.csd.lol.        IN    TXT

;; AUTHORITY SECTION:
csd.lol.        1800    IN    SOA    harmony.ns.cloudflare.com. dns.cloudflare.com. 2390291443 10000 2400 604800 1800

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Thu Dec 04 11:43:22 IST 2025
;; MSG SIZE  rcvd: 114

Here, dc01 reveals nothing useful.

❯ dig TXT beacon.krampus.csd.lol @8.8.8.8

; <<>> DiG 9.20.15-2-Debian <<>> TXT beacon.krampus.csd.lol @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19771
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;beacon.krampus.csd.lol.        IN    TXT

;; ANSWER SECTION:
beacon.krampus.csd.lol.    300    IN    TXT    "config=ZXhmaWwua3JhbXB1cy5jc2QubG9s=="

;; Query time: 92 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Thu Dec 04 11:44:12 IST 2025
;; MSG SIZE  rcvd: 101

But beacon reveals: config=ZXhmaWwua3JhbXB1cy5jc2QubG9s==
This is Base64; decoding it yields: exfil.krampus.csd.lol

Following the Breadcrumb to exfil

❯ dig TXT exfil.krampus.csd.lol @8.8.8.8

; <<>> DiG 9.20.15-2-Debian <<>> TXT exfil.krampus.csd.lol @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36501
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;exfil.krampus.csd.lol.        IN    TXT

;; ANSWER SECTION:
exfil.krampus.csd.lol.    300    IN    TXT    "status=active; auth=dkim; selector=syndicate"

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Thu Dec 04 11:46:07 IST 2025
;; MSG SIZE  rcvd: 107

Reveals: status=active; auth=dkim; selector=syndicate

This tells us three things:

  1. This node is operational ("status=active") -> so not a decoy

  2. It uses DKIM for authentication -> DKIM records live under _domainkey.

  3. The DKIM selector is syndicate

That means we must query: syndicate._domainkey.exfil.krampus.csd.lol

DKIM Selector Lookup

❯ dig TXT syndicate._domainkey.krampus.csd.lol @8.8.8.8

; <<>> DiG 9.20.15-2-Debian <<>> TXT syndicate._domainkey.krampus.csd.lol @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4908
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;syndicate._domainkey.krampus.csd.lol. IN TXT

;; ANSWER SECTION:
syndicate._domainkey.krampus.csd.lol. 300 IN TXT "v=DKIM1; k=rsa; p=Y3Nke2RuNV9tMTlIVF9CM19LMU5ENF9XME5LeX0="

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Thu Dec 04 12:00:26 IST 2025
;; MSG SIZE  rcvd: 136

The key component: p=Y3Nke2RuNV9tMTlIVF9CM19LMU5ENF9XME5LeX0=
Another Base64 string. Decoding yields the final flag.
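
Both Base64 steps (the beacon config value, whose trailing == is surplus padding that a strict decoder may reject, and the DKIM p= tag) can be checked in code, along with the defender's view that a k=rsa p= value which decodes to readable text instead of DER is not a key at all. This is an added example, not part of the original writeup; the function names and the 16-character threshold are assumptions, and the two TXT strings are copied from the dig output above.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())

# TXT strings copied from the dig output on this page.
BEACON = "config=ZXhmaWwua3JhbXB1cy5jc2QubG9s=="
DKIM = "v=DKIM1; k=rsa; p=Y3Nke2RuNV9tMTlIVF9CM19LMU5ENF9XME5LeX0="


def b64_lenient(token):
    """Decode Base64 regardless of how much '=' padding was published."""
    core = token.rstrip("=")
    if not core or len(core) % 4 == 1:  # empty, or an impossible length
        return None
    try:
        return base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def tags(txt):
    """Parse the 'key=value; key=value' syntax used by these TXT records."""
    pairs = (part.strip().partition("=") for part in txt.split(";"))
    return {key: value for key, sep, value in pairs if sep}


def audit_txt(txt, min_len=16):
    """Return (tag, finding, decoded text or None) for suspicious tag values."""
    found, record = [], tags(txt)
    for key, value in record.items():
        raw = b64_lenient(value) if len(value) >= min_len else None
        if raw and set(raw) <= PRINTABLE:
            found.append((key, "base64 of readable text", raw.decode("ascii")))
    is_rsa = record.get("v") == "DKIM1" and record.get("k", "rsa") == "rsa"
    if is_rsa and record.get("p"):
        # A real RSA p= value is DER, which starts with a SEQUENCE tag (0x30).
        raw = b64_lenient(record["p"])
        if raw is None or raw[0] != 0x30:
            found.append(("p", "not a DER-encoded public key", None))
    return found


if __name__ == "__main__":
    for txt in (BEACON, DKIM):
        for finding in audit_txt(txt):
            print(finding)
```
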


Final Flag

csd{dn5_m19HT_B3_KINDA_W0NKy}

Advent of CTF'25

Part 3 of 15

A structured walkthrough of all the challenges I solved from CyberStudents’ Advent of CTF 2025. This series documents each day’s puzzle with precise methodology, technical breakdowns, and reproducible exploitation steps.
