KnightCTF 2026 - Forensics: Database Credentials Theft#

Challenge Information#

• Category: Forensics
• File: pcap3.pcapng

Challenge Description#

The attacker’s ultimate goal was to access our database. During the post-exploitation phase, they managed to extract database credentials from the compromised system. Find the database username and password that were exposed.

Flag Format: KCTF{username_password}

Solution#

1
strings pcap3.pcapng | grep -iE 'DB_NAME|DB_USER|DB_PASSWORD|DB_HOST'

1
// Default template values
2
define( 'DB_NAME', 'database_name_here' );
3
define( 'DB_USER', 'username_here' );
4
define( 'DB_PASSWORD', 'password_here' );
5
define( 'DB_HOST', 'localhost' );
6

7
// Actual credentials exposed
8
define( 'DB_NAME', 'wordpress_db' );
9
define( 'DB_USER', 'wpuser' );
10
define( 'DB_PASSWORD', 'wp@user123' );
11
define( 'DB_HOST', 'localhost' );

Flag#

1
KCTF{wpuser_wp@user123}

Attack Chain Summary#

1. Reconnaissance - Attacker scanned WordPress for vulnerable plugins
2. Exploitation - Used Social Warfare 3.5.2 RCE (CVE-2019-9978)
3. Post-Exploitation - Read wp-config.php to extract DB credentials
4. Goal Achieved - Database credentials stolen

Tools Used#

• strings
• grep

Author: MR. Umair
Date: January 20, 2026
Competition: KnightCTF 2026