# DragoNflieS
**Event:** Nullcon Goa HackIM 2026 CTF
**Category:** Misc
**Points:** 257
**Service:** `52.59.124.14:5053`
## Overview
The DNS server uses EDNS Client Subnet (ECS) to return different TXT answers for `flag.ctf.nullcon.net` depending on the client subnet. Sending a query whose ECS option claims the right internal address makes the server return the real flag.
## Approach
1. Query without ECS: returns `NOPE`.
2. Add ECS and test private ranges to confirm split-horizon behavior.
3. The winning subnet is `10.13.37.1/32`, which returns the real flag.
## Winning Query
```bash
dig @52.59.124.14 -p 5053 flag.ctf.nullcon.net TXT +subnet=10.13.37.1/32
```
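The weakness behind this query, as an added Python sketch that is not the challenge server's code: it decodes the ECS option data that `+subnet` places in the query (RFC 7871 layout) and compares a view selector that trusts any client's ECS with one that honours ECS only from allow-listed resolvers. The function names, the `TRUSTED_RESOLVERS` list and the client addresses are assumptions made for illustration.

```python
import ipaddress
import struct

INTERNAL_VIEW = ipaddress.ip_network("10.13.37.1/32")        # subnet from the writeup
TRUSTED_RESOLVERS = [ipaddress.ip_network("192.0.2.53/32")]  # constructed value

def build_ecs(subnet):
    """Encode ECS option data: family, source prefix, scope prefix, address."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8  # address is truncated to the prefix
    return struct.pack("!HBB", family, net.prefixlen, 0) + net.network_address.packed[:nbytes]

def parse_ecs(data):
    """Decode ECS option data into a network; reject malformed input."""
    if len(data) < 4:
        raise ValueError("ECS option too short")
    family, source_len, _scope = struct.unpack("!HBB", data[:4])
    if family not in (1, 2):
        raise ValueError("unknown address family")
    cls, size = (ipaddress.IPv4Network, 4) if family == 1 else (ipaddress.IPv6Network, 16)
    addr = data[4:]
    if source_len > size * 8 or len(addr) != (source_len + 7) // 8:
        raise ValueError("address length does not match source prefix")
    return cls((addr + bytes(size - len(addr)), source_len), strict=False)

def _view_for(net):
    same_family = net.version == INTERNAL_VIEW.version
    return "internal" if same_family and net.subnet_of(INTERNAL_VIEW) else "public"

def view_trusting_ecs(src_ip, ecs):
    """Model of the observed behaviour: whatever ECS the client sends picks the view."""
    return _view_for(ecs if ecs is not None else ipaddress.ip_network(src_ip))

def view_hardened(src_ip, ecs):
    """Use ECS only when the packet comes from an allow-listed resolver."""
    src = ipaddress.ip_address(src_ip)
    if ecs is not None and any(src in r for r in TRUSTED_RESOLVERS):
        return _view_for(ecs)
    return _view_for(ipaddress.ip_network(src_ip))

if __name__ == "__main__":
    ecs = parse_ecs(build_ecs("10.13.37.1/32"))
    for src in ("203.0.113.7", "192.0.2.53"):  # constructed client addresses
        print(src, view_trusting_ecs(src, ecs), view_hardened(src, ecs))
```

The hardened selector falls back to the transport source address for every client that is not a known resolver, so a client-supplied subnet alone cannot reach the internal answer.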
## Flag
`ENO{Whirr_do_not_send_private_data_for_wrong_IP_Whirr}`