Description
Recover the flag from this session
Attachment: misc50.zip
Resolution
The challenge gives us only a pcap file. As it’s the first Misc challenge, it seemed to be quite easy. The first thing to do with a pcap is to check which protocols are used:
![Protocol hierarchy](https://0x90r00t.com/wp-content/uploads/2015/10/Capture-du-2015-10-23-230855-300x227.png)
Hmmm, Netbios, HTTP(S), DNS, and VNC, quite classical. Usually, flags can be found in HTTP (by giving us the next steps, for example), but there was nothing here. The only weird thing was a css.php file, but it wasn’t useful for the challenge. DNS, Netbios, and HTTPS weren’t useful either.
So, we took what remained: VNC. After some searching, we found the chaosreader tool, which can extract the VNC packets and create a Python script that can replay the VNC session. But… it failed 🙁
We searched for some other tools to crack the VNC password, but hey, it’s a 50-point challenge. It should be easier than that!
After looking directly at the pcap, we saw something…
![client_key](https://0x90r00t.com/wp-content/uploads/2015/10/client_key.png)
Wait, what? “Client Key event”? Like “Hey, I’m the client, I’m sending you THIS key”?
Let’s filter on this message type and see what we get, with this filter:
(vnc.client_message_type == 4) && (vnc.key_down == 1)
To check that we are on the right track, we just have to look at the packet details:
![packet_details](https://0x90r00t.com/wp-content/uploads/2015/10/packet_details.png)
After checking every packet, we can extract this text:
notepad<enter> can you see me//<bkspace><bkspace><shift L (multiple times)>_<bkspace> <enter(multiple times)> EKO{NOT_anym0re_VNC_hax}
YES! WE CAN SEE YOU!
The flag was EKO{NOT_anym0re_VNC_hax}
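The manual packet-by-packet reading above can be scripted. The following is an added example, not part of the original write-up: it walks the client-to-server RFB messages, keeps the KeyEvent messages (type 4) with the down flag set, and turns their keysyms back into text. It assumes the client side of the TCP stream has already been reassembled and starts after the handshake; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Fixed sizes of RFB client-to-server messages (RFC 6143, section 7.5);
# types 2 and 6 carry a length field and are sized below.
FIXED = {0: 20, 3: 10, 4: 8, 5: 6}
# X11 keysyms for the non-printing keys that show up in the extracted text.
SPECIAL = {0xFF08: "<bkspace>", 0xFF09: "<tab>", 0xFF0D: "<enter>",
           0xFFE1: "<shift L>", 0xFFE2: "<shift R>"}

def key_events(stream):
    """Yield (down, keysym) for each KeyEvent in a post-handshake client stream."""
    i = 0
    while i < len(stream):
        mtype = stream[i]
        if mtype == 2:      # SetEncodings: 4-byte header + 4 bytes per encoding
            size = 4 + 4 * struct.unpack_from(">H", stream, i + 2)[0]
        elif mtype == 6:    # ClientCutText: 8-byte header + text
            size = 8 + struct.unpack_from(">I", stream, i + 4)[0]
        elif mtype in FIXED:
            size = FIXED[mtype]
        else:
            raise ValueError(f"unknown client message type {mtype} at offset {i}")
        if mtype == 4:      # KeyEvent: down-flag, 2 padding bytes, 32-bit keysym
            down, keysym = struct.unpack_from(">B2xI", stream, i + 1)
            yield bool(down), keysym
        i += size

def typed_text(stream):
    """Render key-down events only, like the vnc.key_down == 1 filter."""
    out = []
    for down, keysym in key_events(stream):
        if down and 0x20 <= keysym <= 0xFF:   # Latin-1 keysym == character code
            out.append(chr(keysym))
        elif down:
            out.append(SPECIAL.get(keysym, f"<0x{keysym:04x}>"))
    return "".join(out)

def key_msg(down, keysym):  # helper that builds one KeyEvent for the sample
    return struct.pack(">BB2xI", 4, down, keysym)

# Constructed sample stream (not taken from the challenge pcap).
SAMPLE = (struct.pack(">BxH2i", 2, 2, 0, 1)             # SetEncodings
          + struct.pack(">BB4H", 3, 1, 0, 0, 640, 480)  # FramebufferUpdateRequest
          + key_msg(1, 0xFFE1) + key_msg(1, ord("H")) + key_msg(0, ord("H"))
          + key_msg(0, 0xFFE1) + struct.pack(">BB2H", 5, 0, 10, 10)  # PointerEvent
          + key_msg(1, ord("i")) + key_msg(0, ord("i")) + key_msg(1, 0xFF0D))

if __name__ == "__main__":
    print(typed_text(SAMPLE))
```

Key releases and pointer events are skipped, which is why the Shift press appears once in the output even though the key is later released.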
Enjoy
The lsd