Skip to content

Hacky Holidays CTF 2021: Injection Traffic

TL;DR

  • The PCAP contains captured TDS (SQL Server) traffic from a blind SQL injection attack.
  • Each injected query tests a single character of the flag using SUBSTRING and ASCII comparisons.
  • A response length of 200 bytes indicates a true condition.
  • Parsing query parameters reveals both the flag index and tested character value.
  • Reassembling all successful conditions reconstructs the full flag.

Video Walkthrough

Hacky Holidays Space Race CTF 2021 Injection Traffic forensics video walkthrough showing blind SQL injection reconstruction from PCAP analysis

Challenge Description

Help us run forensics on this database exploit…

Solution

from pyshark import *
import re

capture = FileCapture('traffic.pcap')

# Fake flag will be updated as pcap processed
flag = list("CTF{deadbeefdeadc0dedeadbeefdeadc0de}")

for i, packet in enumerate(capture):
    try:
        # Grab SQL queries
        sql_query = packet.tds.query
        if 'SUBSTRING' in sql_query:
            # If the response length is 200 then condition is true
            if capture[i + 1].length == '200':
                # Extract the char position and decimal value
                extracted = re.match(r'.*,(\d+),\d+\)\)\>(\d+)', sql_query, re.M | re.I)
                char_index = extracted.group(1)
                char_value = extracted.group(2)
                # Update the flag
                flag[int(char_index) - 1] = chr(int(char_value) + 1)
    except AttributeError as e:
        pass

# Profit?
print(''.join(flag))