Exfil
We are given a PCAP file that we can view in Wireshark. It contains a lot of packets, but none of them seem to carry much actual information. On closer inspection, the traffic is exfiltrating data one bit at a time, one bit of each character of various fields per query: the server sleeps for three seconds if the bit is a 1, or returns immediately if it is a 0. After some trial and error, we can select only the relevant packets with the display filter mysql.packet_length == 1, then save these and export them into a PCAP of their own.
We can then use a script to determine if the time between each request and response pair is either immediate or not. Python time!
from scapy.all import *

# Load the capture that was already filtered down to the one-byte MySQL packets.
# Packets alternate request, response, so each consecutive pair encodes one bit.
pcap = rdpcap("<file>")  # path to the exported, filtered PCAP
m = ""
for i in range(0, len(pcap), 2):
    # A delayed response (the server slept ~3 s) is a 1; an immediate one is a 0.
    if pcap[i+1].time - pcap[i].time < 1:
        m += "0"
    else:
        m += "1"
We can then print m, which is the series of bits making up the exfiltrated information:
>>> m

We can then convert this bit string to ASCII using CyberChef, which gives us the flag: HTB{b1t_sh1ft1ng_3xf1l_1s_c00l}
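The whole procedure above, as an added example that is not part of the original writeup: the pairing of request/response timestamps into bits, the bit-to-ASCII step that CyberChef did, and a defender-side heuristic that flags the same traffic pattern. It runs offline on a constructed timestamp list (simulate_capture builds the sequence this channel would leave in a capture); the 1-second cut-off and the ~3-second sleep are taken from the writeup, the function names and the detection thresholds are my own. bits_from_pcap shows the same decoding applied to a real capture with scapy, which is imported only when that function is called.

```python
from statistics import median
from typing import List, Tuple

SLEEP_THRESHOLD_S = 1.0  # the writeup's cut-off: a response >= 1 s late is a 1 (the sleep is ~3 s)


def timings_to_bits(timestamps: List[float], threshold: float = SLEEP_THRESHOLD_S) -> str:
    """Turn a flat list of alternating request/response timestamps into a bit string.
    Pair i is (timestamps[2i], timestamps[2i+1]); a delay >= threshold is read as '1'."""
    if len(timestamps) % 2:
        raise ValueError("expected an even number of timestamps (request/response pairs)")
    bits = []
    for i in range(0, len(timestamps), 2):
        delta = timestamps[i + 1] - timestamps[i]
        bits.append("1" if delta >= threshold else "0")
    return "".join(bits)


def bits_to_ascii(bits: str) -> str:
    """Group the bits eight at a time, MSB first, into bytes and decode them as ASCII."""
    if len(bits) % 8:
        raise ValueError(f"bit string of length {len(bits)} is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def decode_capture(timestamps: List[float], threshold: float = SLEEP_THRESHOLD_S) -> str:
    """Full pipeline: timestamps -> bits -> text."""
    return bits_to_ascii(timings_to_bits(timestamps, threshold))


def bits_from_pcap(path: str, threshold: float = SLEEP_THRESHOLD_S) -> str:
    """The same decoding over a real capture with scapy (not used by the offline demo).
    Assumes the file was already filtered to the one-byte MySQL packets, as in the writeup."""
    from scapy.all import rdpcap  # imported lazily so the rest of the file runs without scapy
    pkts = rdpcap(path)
    return timings_to_bits([float(p.time) for p in pkts], threshold)


def simulate_capture(message: str, start: float = 0.0, sleep: float = 3.0,
                     rtt: float = 0.01, gap: float = 0.05) -> List[float]:
    """Constructed sample input: the timestamp sequence this channel would leave in a capture
    of `message` (one request/response pair per bit, MSB first). Only used to drive the demo."""
    ts, t = [], start
    for byte in message.encode("ascii"):
        for shift in range(7, -1, -1):
            ts.append(t)                                            # request
            t += rtt + (sleep if (byte >> shift) & 1 else 0.0)      # response is delayed on a 1
            ts.append(t)                                            # response
            t += gap                                                # pause before the next query
    return ts


def detect_timing_channel(timestamps: List[float], threshold: float = SLEEP_THRESHOLD_S,
                          min_pairs: int = 32, tolerance: float = 0.5) -> Tuple[bool, dict]:
    """Defender-side heuristic over the same pairs: a long run of tiny queries whose latencies
    fall into exactly two tight clusters (near-immediate, or one fixed delay) is what this
    channel looks like. Returns (flagged, stats) so the thresholds can be tuned on real traffic."""
    deltas = [timestamps[i + 1] - timestamps[i] for i in range(0, len(timestamps) - 1, 2)]
    slow = [d for d in deltas if d >= threshold]
    stats = {"pairs": len(deltas), "slow": len(slow)}
    if len(deltas) < min_pairs or not slow or len(slow) == len(deltas):
        return False, stats  # too short, or no second latency cluster at all
    centre = median(slow)
    stats["slow_centre_s"] = round(centre, 3)
    bimodal = all(abs(d - centre) <= tolerance for d in slow)  # every slow answer near one fixed delay
    return bimodal, stats


if __name__ == "__main__":
    capture = simulate_capture("HTB{b1t}")  # constructed, not the challenge's data
    print(timings_to_bits(capture))
    print(decode_capture(capture))
    print(detect_timing_channel(capture))
```

The decoder uses the same 1-second cut-off as the writeup's script; in a real capture the "immediate" responses still carry a round trip, so the threshold should sit well above normal query latency but below the sleep. The detector is deliberately coarse: it only asks whether a large run of single-byte queries has two tight latency clusters, which is cheap to compute from flow timestamps alone.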