English [EKOParty Part 2 – 2015] [Misc50 – Olive] Write Up


Recover the flag from this session

Attachment: misc50.zip


The challenge is giving us only a pcap file. As it’s the first Misc challenge, it seemed to be quite easy. The first thing to do with a pcap is to check used protocols :

Protocol hierarchy
Yep. Used protocols

Hmmm Netbios, HTTP(S), DNS, and VNC, quite classical. Usually, flags could be found on HTTP (by giving us next steps for example), but nothing here. The only weird thing was a css.php file, but it wasn’t useful for the challenge. DNS, Netbios, and HTTPS weren’t useful neither.

So, we took what was remaining: VNC. After some search, we found the chaosreader tool, which can extract the VNC packets, create a python script that can replay the VNC session. But… It failed 🙁

We searched some others toosl, to crack the VNC pass, but hey, it’s a 50 points challenge. It should be easier than that!

After looking directly the pcap, we saw something…

Client Key event???

Wait, what? “Client Key event”? Like “Hey, I’m the client, i’m sending you THIS key”?

Let’s filter on this message type ans see what we could have, with this filter :

(vnc.client_message_type == 4) && (vnc.key_down == 1)

To check if we are good, we just have to look at the packets details :

Gimme a “A”!

After checking every packet, we can extract this text :

can you see me//<bkspace><bkspace><shift L (multiple time)>_<bkspace>
<enter(multiple time)>


Flag was EKO{NOT_anym0re_VNC_hax}


The lsd

Leave a Reply

Your email address will not be published. Required fields are marked *