knightctf 2026 writeups

Author: spiperac

.direnv/flake-profile

@@ -0,0 +1 @@
+flake-profile-1-link

.direnv/flake-profile-1-link

@@ -0,0 +1 @@
+/nix/store/6jdvv1df7v9vmapy34hqlaryx565mf0h-nix-shell-env

content/posts/2025-11-20-fuzzel-as-a-menu.md

@@ -0,0 +1,8 @@
++++
+title = 'Fuzzel as a menu'
+date = 2025-11-20 02:23:16+01:00
+slug = "fuzzel-as-a-menu"
+[taxonomies]
+  tags = ["misc"]
++++
+

content/posts/KnightCTF 2026 - Network 100 - Database Theft.md

@@ -0,0 +1,113 @@
++++
+date = 2026-01-21
+description ="KnightCTF 2026 - Network 100 - Database Theft"
+title = "KnightCTF 2026 - Network 100 - Database Theft"
+[taxonomies]
+tags = ["ctf", "networking", "wireshark", "tshark"]
++++
+## Task
+
+```
+## Database Credentials Theft
+
+### 100 Points
+
+Author
+
+The attacker's ultimate goal was to access our database. During the post-exploitation phase, they managed to extract database credentials from the compromised system. Find the database username and password that were exposed.
+
+> Use pcap3.pcapng file to solve this challenge.
+
+**Flag Format: KCTF{username_password}**
+
+_**Author: TareqAhamed (0xt4req)**_
+```
+
+## Tshark Dump
+
+This was the easiest one so far.
+Since we know from previous task that reverse shell was running on 9576, lets only dump tcp stream from it, and convert it from hex to bin/ascii.
+That way we can basically see what the attacker was running in reverse shell:
+```bash
+tshark -r pcap3.pcapng -Y "tcp.port==9576" -T fields -e tcp.payload | xxd -r -p
+
+```
+
+Output:
+```bash
+www-data@ubuntu-server-2:/var/www/html/wordpress/wp-admin$ cd ..
+cd ..
+www-data@ubuntu-server-2:/var/www/html/wordpress$ ls
+ls
+index.php
+license.txt
+readme.html
+wp-activate.php
+wp-admin
+wp-blog-header.php
+wp-comments-post.php
+wp-config-sample.php
+wp-config.php
+wp-content
+wp-cron.php
+wp-includes
+wp-links-opml.php
+wp-load.php
+wp-login.php
+wp-mail.php
+wp-settings.php
+wp-signup.php
+wp-trackback.php
+xmlrpc.php
+.............
+www-data@ubuntu-server-2:/var/www/html/wordpress$ cat wp-config.php
+cat wp-config.php
+<?php
+/**
+ * The base configuration for WordPress
+ *
+ * The wp-config.php creation script uses this file during the installation.
+ * You don't have to use the website, you can copy this file to "wp-config.php"
+ * and fill in the values.
+ *
+ * This file contains the following configurations:
+ *
+ * * Database settings
+ * * Secret keys
+ * * Database table prefix
+ * * ABSPATH
+ *
+ * @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/
+ *
+ * @package WordPress
+ */
+
+// ** Database settings - You can get this info from your web host ** //
+/** The name of the database for WordPress */
+define( 'DB_NAME', 'wordpress_db' );
+
+/** Database username */
+define( 'DB_USER', 'wpuser' );
+
+/** Database password */
+define( 'DB_PASSWORD', 'wp@user123' );
+
+/** Database hostname */
+define( 'DB_HOST', 'localhost' );
+
+/** Database charset to use in creating database tables. */
+define( 'DB_CHARSET', 'utf8mb4' );
+
+/** The database collate type. Don't change this if in doubt. */
+define( 'DB_COLLATE', '' );
+
+....................
+```
+
+And, well, yes thats a password and username right there.
+
+## Flag
+
+Flag is: **KCTF{wpuser_wp@user123}**
+
+![](/images/7a483ecec97a116e2f38fc8f665e5570.png)

content/posts/KnightCTF 2026 - Network 100 - Post Exploitation.md

@@ -0,0 +1,60 @@
++++
+date = 2026-01-21
+description ="KnightCTF 2026 - Network 100 - Post Exploitation"
+title = "KnightCTF 2026 - Network 100 - Post Exploitation"
+[taxonomies]
+tags = ["ctf", "networking", "wireshark", "tshark"]
++++
+## Task
+
+```
+## Post-Exploitation
+
+### 100 Points
+
+Author
+
+After exploiting the vulnerability, the attacker established a persistent connection back to their command and control server. Analyze the traffic to identify the HTTP port used for the initial payload delivery and the port used for the reverse shell connection.
+
+Download: [pcap3.pcapng](https://drive.google.com/file/d/1Xr1onCDIvTvMviH1k16mIjH2P2tfQZuq/view?usp=sharing)
+
+**Flag Format: KCTF{httpPort_revshellPort}**
+```
+
+
+https://drive.google.com/file/d/1Xr1onCDIvTvMviH1k16mIjH2P2tfQZuq/view?usp=sharing
+
+
+## WireShark dump
+
+Since it's wordpress in question, i assumed that shell was uploaded from that Social Warfare plugin we already figured out previously, which means by http.
+So i started filtering out by POST,  GET and looking around, and it couldn't be more obvious:
+![](/images/2a7ba68a114d37e816a2f96a8b85285b.png)
+
+This already gives us http port for payload **8786**, which is half the flag. Now we need to find reverse shell port, and to narrow it down we want to:
+
+- look after timestamp of a payload, since revese shell can only be invoked after uploading obviously, in screenshot you can see timestamp: **882**
+   `( frame.time_relative > 882)`
+   
+- `!(tcp.port==80 || tcp.port==8767)` - exclude port 80 and payload port 8786
+ - `ip.src==192.168.1.102`  - Only traffic from the victim.
+- `ip.dst==192.168.1.104` - Only traffic going to the attacker.
+
+We will also filter multiple mentions of the same port number with sort -u :
+
+```bash
+~/Vault/isec/ctf/knight2k26/net100-exploitation  ✓ $ tshark -r pcap3.pcapng -Y "ip.src==192.168.1.102 && ip.dst==192.168.1.104 && tcp && frame.time_relative>882 && !(tcp.port==80 || tcp.port==8767)" -T fields -e tcp.srcport -e tcp.dstport | sort -u
+
+     9576
+
+```
+
+And there it is, reverse shell port **9576**
+
+Note:
+You can filter with `sort | uniq -c` if you want to display number of packets sent and ephemeral port.
+## Flag
+
+Flag is: KCTF{8767_9576}
+
+![](/images/7be91c4aef1cc1f6451c0cd389d0ef49.png)