Tags: midi audacity tls pcap misc wireshark http2
MIDI2 was a rather difficult Misc challenge, and the one worth the most points in its category.
A .pcap.gz file was given.
Unpacking it with
gives the .pcap file.
Opening it with Wireshark quickly reveals some interesting packets:
Here we can see a request for "/keyfile" and the response to it. Looking at the response:
we can see a string containing the keyword "CLIENT_RANDOM". This is a hint that we can decrypt the TLS 1.2 traffic at the beginning of the pcap.
Looking at the Wireshark documentation, we see that the string we extracted is a key-log line carrying the CLIENT_RANDOM together with the hex-encoded cleartext master secret:
"CLIENT_RANDOM xxxx yyyy"
where xxxx is the client_random from the ClientHello (hex-encoded)
and yyyy is the cleartext master secret (hex-encoded).
(This format allows non-RSA SSL connections to be decrypted, i.e. ECDHE-RSA.)
This is enough information to decrypt the traffic: save the line we found to a file and point Wireshark at that file from its TLS protocol settings.
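To make the key-log step concrete, here is an added example (not part of the original writeup) that parses a CLIENT_RANDOM line the way Wireshark expects it and then runs the TLS 1.2 key expansion (RFC 5246 PRF with SHA-256) that turns the master secret into the record-layer keys. The key-log line and the server random in it are constructed sample values, not the secrets from the challenge pcap; in a real capture the server random comes from the ServerHello.

```python
# Added example (not from the writeup): parse a CLIENT_RANDOM key-log line the
# way Wireshark does, then run the TLS 1.2 key expansion (RFC 5246, PRF with
# SHA-256) that turns the master secret into the record-layer keys.
import hashlib
import hmac
import re

# One key-log line = "CLIENT_RANDOM <32-byte hex client_random> <48-byte hex master_secret>"
KEYLOG_RE = re.compile(r"^CLIENT_RANDOM\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]{96})$")

# Constructed sample values; NOT the secrets from the challenge pcap.
SAMPLE_KEYLOG = "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48
SAMPLE_SERVER_RANDOM = b"\x33" * 32  # would be taken from the ServerHello in the pcap


def parse_keylog_line(line: str):
    """Return (client_random, master_secret) as bytes, or None if the line is malformed."""
    m = KEYLOG_RE.match(line.strip())
    if not m:
        return None
    return bytes.fromhex(m.group(1)), bytes.fromhex(m.group(2))


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256(secret, seed) from RFC 5246 section 5, expanded to `length` bytes."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for TLS 1.2 SHA-256 suites."""
    return p_sha256(secret, label + seed, length)


def tls12_key_block(master_secret: bytes, server_random: bytes, client_random: bytes,
                    mac_len: int, key_len: int, iv_len: int) -> dict:
    """Split the "key expansion" output into the six record-layer secrets (RFC 5246 6.3).
    Note the seed order: server_random comes before client_random here."""
    need = 2 * (mac_len + key_len + iv_len)
    kb = tls12_prf(master_secret, b"key expansion", server_random + client_random, need)
    parts, off = {}, 0
    for name, n in (("client_mac", mac_len), ("server_mac", mac_len),
                    ("client_key", key_len), ("server_key", key_len),
                    ("client_iv", iv_len), ("server_iv", iv_len)):
        parts[name] = kb[off:off + n]
        off += n
    return parts


if __name__ == "__main__":
    client_random, master_secret = parse_keylog_line(SAMPLE_KEYLOG)
    # AES-128-GCM suites: no MAC key, 16-byte key, 4-byte implicit nonce part
    for name, value in tls12_key_block(master_secret, SAMPLE_SERVER_RANDOM,
                                       client_random, 0, 16, 4).items():
        print(f"{name:11s} {value.hex()}")
```

The point of the regex is that a key-log file is only useful to Wireshark when each line matches this exact shape; a missing space or a truncated hex string silently yields no decryption. The master secret alone is also not enough: Wireshark still reads the server random from the handshake in the capture, which is why the decryption only works when the ClientHello and ServerHello are present in the pcap.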
This reveals some HTTP2 packets:
The DATA frame looks interesting, so we extract its payload to a file and check its type with the "file" command:
midifile.midi: Standard MIDI data (format 1) using 1 track at 1/220
Now we know why this challenge is called MIDI2. So now we have a MIDI file. Opening it in Audacity reveals an interesting pattern:
After some investigation it turns out that the notes at the top are irrelevant and the ones at the bottom resemble binary numbers:
and if we look up the ASCII table we can translate those numbers into letters; doing this for the whole file gives the flag:
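As an added example (not the challenge's own tooling), the following script shows how the manual Audacity step can be automated: it parses the note-on events out of a Standard MIDI file, throws away the top notes, maps the bottom notes to bits and packs them into ASCII. The writeup does not say which pitch stands for which bit or how the bits are grouped, so the convention used here (two low pitches for 0 and 1, eight bits per character, most significant bit first, everything from middle C upward ignored) is an assumption for illustration; the MIDI bytes are constructed by the script itself from a sample string rather than taken from the challenge file.

```python
# Added example (not the challenge's own tooling): build a small format-1 MIDI
# file whose low notes spell out a message in binary, then parse it back.  The
# bit/pitch convention is an ASSUMPTION; the writeup only says the bottom notes
# resemble binary numbers that map to ASCII.
import struct

ZERO_PITCH = 36   # assumed: this low note is a 0 bit
ONE_PITCH = 38    # assumed: this low note is a 1 bit
HIGH_CUTOFF = 60  # assumed: notes from middle C upward are the irrelevant top notes


def _vlq(n: int) -> bytes:
    """Encode n as a MIDI variable-length quantity (7 bits per byte, MSB first)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.insert(0, (n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out)


def build_sample_midi(message: str) -> bytes:
    """Constructed sample: track 0 holds decoy high notes, track 1 holds one low
    note per bit of each ASCII character, 8 bits per character, MSB first."""
    decoy, bits = b"", b""
    for ch in message.encode("ascii"):
        for i in range(7, -1, -1):
            pitch = ONE_PITCH if (ch >> i) & 1 else ZERO_PITCH
            bits += _vlq(0) + bytes([0x90, pitch, 100]) + _vlq(120) + bytes([0x80, pitch, 0])
            decoy += _vlq(0) + bytes([0x90, 72, 100]) + _vlq(120) + bytes([0x80, 72, 0])
    end = _vlq(0) + b"\xFF\x2F\x00"                    # end-of-track meta event
    out = b"MThd" + struct.pack(">IHHH", 6, 1, 2, 220)  # format 1, 2 tracks, 220 ticks/beat
    for body in (decoy + end, bits + end):
        out += b"MTrk" + struct.pack(">I", len(body)) + body
    return out


def _read_vlq(data: bytes, pos: int):
    """Decode a variable-length quantity at pos; return (value, next_pos)."""
    n = 0
    while True:
        b = data[pos]
        pos += 1
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            return n, pos


def note_on_events(midi: bytes) -> list:
    """Return (absolute_tick, track, pitch) for every note-on with velocity > 0,
    sorted by time so notes from all tracks interleave as they would sound."""
    if midi[:4] != b"MThd":
        raise ValueError("not a Standard MIDI file")
    hdr_len, _fmt, ntracks, _division = struct.unpack(">IHHH", midi[4:14])
    pos, events = 8 + hdr_len, []
    for track in range(ntracks):
        if midi[pos:pos + 4] != b"MTrk":
            raise ValueError("expected MTrk chunk")
        length = struct.unpack(">I", midi[pos + 4:pos + 8])[0]
        p, end, tick, status = pos + 8, pos + 8 + length, 0, None
        while p < end:
            delta, p = _read_vlq(midi, p)
            tick += delta
            b = midi[p]
            if b == 0xFF:                         # meta event: FF type len data
                ln, p = _read_vlq(midi, p + 2)
                p += ln
                continue
            if b in (0xF0, 0xF7):                 # sysex: F0/F7 len data
                ln, p = _read_vlq(midi, p + 1)
                p += ln
                continue
            if b & 0x80:                          # new status byte, else running status
                status, p = b, p + 1
            if status is None:
                raise ValueError("data byte before any status byte")
            kind = status & 0xF0
            nparams = 1 if kind in (0xC0, 0xD0) else 2
            params = midi[p:p + nparams]
            p += nparams
            if kind == 0x90 and params[1] > 0:    # note-on with velocity 0 is a note-off
                events.append((tick, track, params[0]))
        pos = end
    events.sort(key=lambda e: (e[0], e[1]))
    return events


def decode_message(midi: bytes) -> str:
    """Map low notes to bits under the assumed convention and pack 8 bits per char."""
    bits = ""
    for _tick, _track, pitch in note_on_events(midi):
        if pitch >= HIGH_CUTOFF:
            continue                              # ignore the top (decoy) notes
        if pitch == ONE_PITCH:
            bits += "1"
        elif pitch == ZERO_PITCH:
            bits += "0"
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - len(bits) % 8, 8))


if __name__ == "__main__":
    print(decode_message(build_sample_midi("flag{constructed}")))
```

The parser handles running status (a data byte following an earlier status byte) and skips meta and sysex events, because real MIDI exporters emit both and a decoder that assumes every event starts with a status byte will desynchronise. Sorting note-ons by absolute tick across tracks matters too: the message only reads correctly in the order the notes sound, which is not necessarily the order the tracks are stored in the file.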