We are given a PCAP file that we can view in Wireshark, this contains a lot of packets, but none of these seem to contain much actual information. Giving it a closer look, it appears to be exfiltrating each bit of a character of various fields at a time.

It will sleep for three seconds if the bit is a 1, or return immediately if it is a 0. After some trial and error, we can select only the relevent packets by using the packet filter mysql.packet_length == 1, we can then save these and export these into a PCAP of their own.

We can then use a script to determine if the time between each request and response pair is either immediate or not. Python time!

from scapy.all import *

pcap = rdpcap(<file>)
m = ""

for i in range(0, len(p), 2):
    if p[i+1].time - p[i].time < 1:
        m += "0"
            m  += "1"

We can then print m, which is the series of bits making up the exfiltrated information

>>> m

We can then convert this to ASCII using CyberChef with this recipe, which gives us the flag: HTB{b1t_sh1ft1ng_3xf1l_1s_c00l}