[EKOParty Part 2 – 2015] [Misc50 – Olive] Write Up

Description

Recover the flag from this session

Attachment: misc50.zip

Resolution

The challenge gives us only a pcap file. As it’s the first Misc challenge, it seemed to be quite easy. The first thing to do with a pcap is to check which protocols are used:

[Screenshot: Protocol hierarchy. Caption: Yep. Used protocols]

Hmmm, NetBIOS, HTTP(S), DNS and VNC, quite classic. Usually flags can be found in HTTP (by giving us the next steps, for example), but there was nothing here. The only weird thing was a css.php file, but it wasn’t useful for the challenge. DNS, NetBIOS and HTTPS weren’t useful either.

So we took what remained: VNC. After some searching, we found the chaosreader tool, which can extract the VNC packets and create a Python script that replays the VNC session. But… it failed 🙁

We searched for some other tools to crack the VNC password, but hey, it’s a 50-point challenge. It should be easier than that!

After looking directly at the pcap, we saw something…

[Screenshot: client_key. Caption: Client Key event???]

Wait, what? “Client Key event”? Like “Hey, I’m the client, I’m sending you THIS key”?

Let’s filter on this message type and see what we get, with this filter:

(vnc.client_message_type == 4) && (vnc.key_down == 1)

To check that we are right, we just have to look at the packet details:

[Screenshot: packet_details. Caption: Gimme a “A”!]

After checking every packet, we can extract this text:

notepad<enter>
can you see me//<bkspace><bkspace><shift L (multiple times)>_<bkspace>
<enter (multiple times)>
EKO{NOT_anym0re_VNC_hax}

YES! WE CAN SEE YOU!

Flag was EKO{NOT_anym0re_VNC_hax}
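
The same extraction done by a script, as an added example that is not part of the original write-up: it walks the client-to-server RFB byte stream (message layouts from RFC 6143), keeps KeyEvent messages with the down-flag set, and renders the keysyms in the notation used above. It assumes the client bytes after the handshake have already been reassembled; the function names and the sample stream are constructed for illustration.

```python
import struct

# Fixed-size RFB client-to-server messages (RFC 6143 section 7.5): type -> total bytes
FIXED = {0: 20, 3: 10, 4: 8, 5: 6}
# X11 keysyms of non-printing keys, rendered in the write-up's notation
SPECIAL = {0xFF08: "<bkspace>", 0xFF09: "<tab>", 0xFF0D: "<enter>",
           0xFFE1: "<shift L>", 0xFFE2: "<shift R>"}

def client_messages(stream):
    """Yield (type, raw message) from client-to-server bytes that follow ClientInit."""
    pos = 0
    while pos < len(stream):
        mtype, rest = stream[pos], len(stream) - pos
        if mtype in FIXED:
            size = FIXED[mtype]
        elif mtype == 2 and rest >= 4:      # SetEncodings: 4-byte header + 4 per encoding
            size = 4 + 4 * struct.unpack_from(">H", stream, pos + 2)[0]
        elif mtype == 6 and rest >= 8:      # ClientCutText: 8-byte header + text
            size = 8 + struct.unpack_from(">I", stream, pos + 4)[0]
        elif mtype in (2, 6):
            return                          # header cut off at the end of the capture
        else:
            raise ValueError("unknown client message type %d at offset %d" % (mtype, pos))
        if size > rest:
            return                          # last message is truncated
        yield mtype, stream[pos:pos + size]
        pos += size

def typed_text(stream):
    """Rebuild the keystrokes: KeyEvent (type 4) messages whose down-flag is set."""
    out = []
    for mtype, msg in client_messages(stream):
        if mtype != 4 or not msg[1]:        # same test as the display filter above
            continue
        keysym = struct.unpack_from(">I", msg, 4)[0]
        printable = chr(keysym) if 0x20 <= keysym <= 0xFF else "<0x%04x>" % keysym
        out.append(SPECIAL.get(keysym, printable))
    return "".join(out)

def key(keysym, down=1):                    # KeyEvent: type, down-flag, 2 pad bytes, keysym
    return struct.pack(">BBHI", 4, down, 0, keysym)

# Constructed sample stream (not taken from the challenge pcap)
SAMPLE = (struct.pack(">BxHii", 2, 2, 0, 1)             # SetEncodings, 2 encodings
          + key(ord("h")) + key(ord("h"), 0)
          + struct.pack(">BBHH", 5, 0, 100, 200)        # PointerEvent
          + key(ord("i")) + key(0xFF0D) + key(0xFF0D, 0)
          + key(0xFFE1) + key(ord("A")) + key(0xFFE1, 0) + key(0xFF08))
print(typed_text(SAMPLE))
```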

Enjoy

The lsd
