**The challenge** :
![alt text](https://0xbluesky.io/CTF/WRITEUP/sharkyctf/RattataTACACS-1.jpg "Challenge")
Using WireShark we can open and explore the file “Chall.pcapng”.
The packets are the result of a TFTP communication using TACACS+ authentication protocol.
This type of protocol is cyphering all messages using a generated shared key.
![alt text](https://0xbluesky.io/CTF/WRITEUP/sharkyctf/RattataTACACS-2.jpg "Challenge")
So to be able to read those messages we need to find a way to recover the shared key.
And the good news is that WireShard is able to do this on is own!
**1- Recover the shared key :**
One of the solutions to achieve this goal, is to extract the router(or switch) configuration within Wireshark :
File > Objects Explorer > TFTP
Alternate method :
Create a filter «udp.stream eq 5», then right click on one of packets and : Follow > UDP stream.
![alt text](https://0xbluesky.io/CTF/WRITEUP/sharkyctf/RattataTACACS-3.jpg "Challenge")
We now have access to the shared key that was generated to communicate with the TACAS server :
tacacs-server host 192.168.1.100 key 7 0325612F2835701E1D5D3F2033
Knowing this, we can easily decipher that key, witch is a type 7 CISCO key, to get the original password on this web site :
![alt text](./sharkyctf/RattataTACACS-4.jpg "Challenge")
**2- Decipher messages using that key :**
Go to the following menus : Edit > Preferences > Protocols > TACAS+.
![alt text](https://0xbluesky.io/CTF/WRITEUP/sharkyctf/RattataTACACS-5.jpg "Challenge")
Fill in the field «TACAS+ Encryption Key» with the deciphered key and then click “OK” button.
Filter all the packets by selecting "tacplus" filter, and extract all messages in relation with TACAS+ protocol.
![alt text](https://0xbluesky.io/CTF/WRITEUP/sharkyctf/RattataTACACS-6.jpg "Challenge")
And we now have access to the flag, in plain text mode :