The attacker appears to have identified a web application running on our server. We need to determine what application was being targeted. Find the version and username associated with the application in the capture.

Flag Format: KCTF{version_username}

Solution#

Step 1: Initial Analysis#

Downloaded pcap2.pcapng and analyzed HTTP traffic using tshark.

Step 2: Identify the Web Application#

Found WordPress installation at /wordpress/ on 192.168.1.102:

1
GET /wordpress/ HTTP/1.1
2
GET /wordpress/wp-login.php HTTP/1.1

Step 3: Extract WordPress Version#

Found version in the RSS/Atom feed generator tag:

1
strings pcap2.pcapng | grep "version=" | head -10

Output:

1
<generator uri="https://wordpress.org/" version="6.9">WordPress</generator>

Version: 6.9

Step 4: Find Username#

Extracted HTTP POST data from login attempts:

1
tshark -r pcap2.pcapng -Y 'http.request.method == POST' -T fields -e http.file_data

Decoded the hex POST data:

1
log=kadmin_user&pwd=f750d046

Also confirmed via wp-json API response:

1
[{"id":1,"name":"kadmin_user","url":"http://192.168.1.102/wordpress",...}]

Username: kadmin_user

Key Observations#

Attacker (192.168.1.104) was performing directory bruteforce on the WordPress installation
Login attempts were captured showing credentials
The WordPress user kadmin_user is the administrator (user id=1)