File decoding, vulnerability scanning and password cracking. We solve network problems with KnightCTF 2024

File decoding, vulnerability scanning and password cracking. We solve network problems with KnightCTF 2024

Hello, Habre!

In the previous article

I was talking about the KnightCTF 2024 tournament organized by a team from Bangladesh. But not all tasks were included there. Below I will talk about four more from the networking category. Read on to learn how to get secret information in bash-history and find the admin password in the dump. It will be useful for both experienced and beginners

information security



: the material does not teach hacking and does not encourage illegal actions. Everything described below only shows what security gaps are found in real web applications. And warns what to pay attention to during software development.

Use the navigation to go to the task of interest:

→ Task: Hidden File
→ Assignment: Confidential
→ Task: Super Admin
→ Quest: Famous Tool 2

Task: Hidden File


What flag does the hidden file have?


.pcap file


In the past part

I talked about the Port task, in which you need to find the port number in the reverse shell of the server – 6200/tcp. From the exploit code, you can understand that telnet was used for the connection, so all commands were intercepted in the open. From there I get bash_history.

Contents of bash-history.

There is a string in the conclusion 37n3vq6rp6k05ov33o5fy5b33sj3rq2sy4p56735853h9. This is not the classic Hex format, but Twin-Hex. It converts the original text two characters at a time.

Next, I decode the string using the Python module for Twin-Hex:

$ python -d "37n3vq6rp6k05ov33o5fy5b33sj3rq2sy4p56735853h9"

Done – I get the flag!

Assignment: Confidential


There is something confidential here. Can you find it? Please use the appendix for the first task.

Flag Format: KCTF{fl4G}


Let’s go back to bash-history from the previous task. On line 162, I see the archive downloaded. Let’s find out what is in it.

Traffic content.

In Wireshark, you can get the files that were transmitted when the traffic dump was recorded. I choose FileExport objectsHTTPI add to the filter:

HTTP list.

I unpack the archive. Inside – a .docx file with a picture. It features the Knight CTF 2024 mascot::

Image in archive.

The .docx format is also an archive, you need to open it. It contains three folders with files and an XML document.

Using a normal text search, I search in the name KCTF. The flag is in maybeconfidential/maybeconfidential/word/document.xml. The task is solved!

Task: Super Admin


What is the web app admin password? Download the SQL dump to solve the problem. It may be needed to solve other tasks.

Flag Format: KCTF{password}


SQL dump.


An interesting task! Once only a dump was given, I decided to start with it. And I did not miss: inside there was an interesting part with information about users

The contents of the SQL dump.

I take the hash of the root user 5f27f7648285dec7954f5ee1ad696841 and decode its hash sum in the md5 decoder. I get the password – letmeinroot.

Decoded password from hash sum.

I substitute the password in the line to form the flag – KCTF {letmeinroot}. Done!

Task: Famous Tool 2


What tool did the attacker use to discover the job edit page vulnerability? Please use the attachment from the first task.

Flag Format: KCTF{toolname/version}


I continue to work with the well-known .pcap file. In the exploit code from the Port task, I apply the http contains “sql” filter. I see several requests with IP addresses, protocols and other parameters.

Filter in the exploit.

Looks like the scan needs to be checked. I open package 49187 in Wireshark:

Package contents.

I find User-Agent and see the value sqlmap/1.7.10#stable. We conclude that the attacker used the sqlmap version 1.7.10 tool for the attack. Done – we are forming a flag.

Interesting materials from CTF

If you want to get acquainted with other tasks of CTF tournaments, I recommend reading previous articles on this topic.

Related posts