**The challenge** :
![alt text](https://0xbluesky.io/CTF/WRITEUP/sharkyctf/RattataTACACS-1.jpg "Challenge")

Using WireShark we can open and explore the file “Chall.pcapng”.
The packets are the result of a TFTP communication using TACACS+ authentication protocol.
This type of protocol is cyphering all messages using a generated shared key.

![alt text](https://0xbluesky.io/CTF/WRITEUP/sharkyctf/RattataTACACS-2.jpg "Challenge")

So to be able to read those messages we need to find a way to recover the shared key.
And the good news is that WireShard is able to do this on is own!

**1- Recover the shared key :**

One of the solutions to achieve this goal, is to extract the router(or switch) configuration within Wireshark :
File > Objects Explorer > TFTP

Alternate method :
Create a filter «udp.stream eq 5», then right click on one of packets and : Follow > UDP stream.

![alt text](https://0xbluesky.io/CTF/WRITEUP/sharkyctf/RattataTACACS-3.jpg "Challenge")

We now have access to the shared key that was generated to communicate with the TACAS server :

tacacs-server host key 7 0325612F2835701E1D5D3F2033

Knowing this, we can easily decipher that key, witch is a type 7 CISCO key, to get the original password on this web site :

![alt text](./sharkyctf/RattataTACACS-4.jpg "Challenge")

**2- Decipher messages using that key :**

Go to the following menus : Edit > Preferences > Protocols > TACAS+.

![alt text](https://0xbluesky.io/CTF/WRITEUP/sharkyctf/RattataTACACS-5.jpg "Challenge")

Fill in the field «TACAS+ Encryption Key» with the deciphered key and then click “OK” button.
Filter all the packets by selecting "tacplus" filter, and extract all messages in relation with TACAS+ protocol.

![alt text](https://0xbluesky.io/CTF/WRITEUP/sharkyctf/RattataTACACS-6.jpg "Challenge")

And we now have access to the flag, in plain text mode :

Original writeup (https://www.0xbluesky.io/CTF/WRITEUP/Sharkyctf2020.html#RATTATATACACS).