Tags: midi audacity tls pcap misc wireshark http2 

Rating: 4.0

MIDI2 was a rather difficult Misc challange, as it was the one with the most points of its category.

A .pcap.gz file was given.
Unpacking it with
###### Command:
gunzip midi.pcap.gz
gives the .pcap file.

Opening it with wireshark quickly reveals some interesting packets:


here we can see a request for the "/keyfile" and the response to it. Looking at the response:


we can see s string containing the keyword "CLIENT_RANDOM". This is a hint for us to decrypt the TLS1.2 traffic at the beginning of the pcap.
Looking at the Wireshark documentation we see that we have extracted the CLIENT_RANDOM and the hex-encoded clear text master secret:

###### Documentation:
"CLIENT_RANDOM xxxx yyyy"
Where xxxx is the client_random from the ClientHello (hex-encoded)
Where yyyy is the cleartext master secret (hex-encoded)
(This format allows non-RSA SSL connections to be decrypted, i.e. ECDHE-RSA.)

This is enough information to decrypt the traffic. This is done by going into the Wireshark TLS settings, creating a file with the string we found and linking it there.
This reveals some HTTP2 packets:


The DATA[1] packet looks interesting so we extract its data into a file and look at it with the "file" command tool to reveal its filetype:
###### Command:
file http2_data

###### Output:
midifile.midi: Standard MIDI data (format 1) using 1 track at 1/220

Now we know why this challange is called MIDI2. So now we got a MIDI file. Looking at it with Audacity reveals an interesting pattern:


After some investigation it turns out the notes on the top are irrelevant and the ones at the bottom resemble binary numbers:


and if we look up the ASCII table we can translate those numbers into letters and if we do this for the whole file we get the flag:

###### Flag: