CTFtime.org / Nullcon Goa HackIM 2025 CTF / ZONEy / Writeup

### Zoney Writeup

This challenge was all about **DNS enumeration** and exploiting **NSEC record leaks** to uncover hidden subdomains.

1. **Initial Discovery:**
Used `dig` to query the nameserver:
```sh
dig @52.59.124.14 -p 5007 www.zoney.eno +cmd
```
This revealed the existence of `challenge.zoney.eno`.

2. **Abusing NSEC Records:**
Since **NSEC (Next Secure) records** can expose the next valid DNS entry, we queried:
```sh
dig @52.59.124.14 -p 5007 challenge.zoney.eno NSEC
```
This leaked another subdomain: **`hereisthe1337flag.zoney.eno`**.

3. **Extracting the Flag:**
The final step was querying the TXT record for the leaked subdomain:
```sh
dig @52.59.124.14 -p 5007 hereisthe1337flag.zoney.eno TXT
```
And we got the flag `ENO{1337_FL4G_NSeC_W4LK3R}`

ZONEy

Comments

Sign in with