Tags: forensics network 

Rating: 5.0

# Moneylovers
### Challenge Text

> Author: Artur Khanov ([@awengar](https://t.me/awengar))
> We captured a transmission between a client and his bank. Help us hack it
> [**moneylovers.tar.gz**](https://cybrics.net/files/moneylovers.tar.gz)

### Challenge Work

Looking at the packet capture we see a ton of TLSv1.2 connections, as if somebody were connecting to the same place over and over. Looking closely we see it is reaching out to a public IP address: ``


Looking at the source code of this page we notice this odd bit:

```javascript
$(document).ready(function() {
    // click handler on the keypad; the selector was not in the extracted snippet
    $("#keypad").click(function(e) {
        var mx = e.offsetX;
        var my = e.offsetY;
        $.ajax({
            type: "POST",
            url : "/key",
            data: JSON.stringify({x : mx, y: my}),
            contentType: "application/json",
            complete: function (a){
                if (a.responseJSON.status == "OK"){
                    // ... (body not in the extracted snippet)
                }
                if (a.responseJSON.status == "FLAG"){
                    $.ajax({
                        type: "GET",
                        url : "/getflag",
                        complete: function (a){
                            if (a.responseJSON.status == "OK"){
                                // ... (body not in the extracted snippet)
                            }
                        }
                    });
                }
            }
        });
    });
});
```

It seems that every time a button on the keypad is pressed, a POST request carrying the click's x/y offset is made to the server's `/key` endpoint, and once the server answers with status `FLAG` the page fetches `/getflag`. Extrapolating from this, our packet capture is presumably an encrypted exchange of the key being entered in exactly this manner.

After trying all sorts of things, from Postman to `dirsearch`, I finally decided to try a different protocol: ``:

Index of (directory listing)

| Name | Size | Last Modified |
|------|------|---------------|
| log.txt | 289 KB | 7/13/20 9:25:00 AM PDT |

Looking at log.txt, it appears to be a Master-Secret log in the NSS key log format (lines of the form `CLIENT_RANDOM <client random> <master secret>`), something that Wireshark explicitly accepts: it matches each line to a captured session by the random in the ClientHello and derives the session keys from the master secret, so the traffic can be decrypted without the server's private key, even for (EC)DHE sessions. We loaded it via `Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename`, and now we could see the HTTP POST requests in plain text.
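Before handing a found key log to Wireshark it is worth checking that it is well-formed and that it actually covers the sessions in the capture. The following is an added example, not code from the writeup: it parses the NSS key log format (the `CLIENT_RANDOM` lines a TLS 1.2 log like log.txt consists of, plus the TLS 1.3 traffic-secret labels) and reports which ClientHello randoms from a capture have a matching entry. The sample log and the list of client randoms are constructed for the example; the real log.txt was 289 KB of such lines.

```python
import re

# label -> (length of the first hex field in bytes, length of the secret in bytes;
# None = hash length, i.e. 32 or 48 bytes for the TLS 1.3 labels)
LABELS = {
    "RSA": (8, 48),                      # legacy: first 8 bytes of encrypted premaster, premaster
    "CLIENT_RANDOM": (32, 48),           # TLS 1.0-1.2: ClientHello random, master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": (32, None),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, None),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, None),
    "CLIENT_TRAFFIC_SECRET_0": (32, None),
    "SERVER_TRAFFIC_SECRET_0": (32, None),
    "EARLY_EXPORTER_SECRET": (32, None),
    "EXPORTER_SECRET": (32, None),
}
LINE_RE = re.compile(r"^([A-Z_0-9]+)\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s*$")

# Constructed sample log (hex values are made up, not from the challenge file)
CR1, CR2, CR3 = "11" * 32, "22" * 32, "33" * 32
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file (constructed sample)",
    f"CLIENT_RANDOM {CR1} {'aa' * 48}",
    f"CLIENT_RANDOM {CR2} {'bb' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR3} {'cc' * 32}",
    "",
])


def parse_keylog(text):
    """Parse an NSS key log into {label: {first_field_hex: secret_bytes}}.

    Blank lines and '#' comments are skipped; a malformed line, unknown label or
    wrong field length raises ValueError with the line number, which is what you
    want to know before Wireshark silently ignores the entry.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key log line: {raw!r}")
        label, first, secret = m.groups()
        if label not in LABELS:
            raise ValueError(f"line {lineno}: unknown label {label}")
        want_first, want_secret = LABELS[label]
        secret_ok = (len(secret) in (64, 96)) if want_secret is None else (len(secret) == 2 * want_secret)
        if len(first) != 2 * want_first or not secret_ok:
            raise ValueError(f"line {lineno}: bad field length for {label}")
        entries.setdefault(label, {})[first.lower()] = bytes.fromhex(secret)
    return entries


def session_coverage(entries, client_randoms):
    """Split captured ClientHello randoms (hex) into (decryptable, missing).

    A session is decryptable if its client random appears under CLIENT_RANDOM
    or under any of the TLS 1.3 traffic-secret labels; RSA lines are keyed by
    ciphertext, not by random, so they are not considered here.
    """
    known = set()
    for label, table in entries.items():
        if label != "RSA":
            known.update(table)
    decryptable = [cr.lower() for cr in client_randoms if cr.lower() in known]
    missing = [cr.lower() for cr in client_randoms if cr.lower() not in known]
    return decryptable, missing


if __name__ == "__main__":
    log = parse_keylog(SAMPLE_KEYLOG)
    # constructed list of randoms "seen in the capture"; "ff"*32 has no entry
    ok, gaps = session_coverage(log, [CR1, CR3, "ff" * 32])
    print(f"{sum(len(t) for t in log.values())} entries, "
          f"{len(ok)} sessions decryptable, {len(gaps)} without a key")
```

The same log can be fed to tshark non-interactively with `-o tls.keylog_file:log.txt`, which is convenient once the capture is large; either way, only sessions whose ClientHello is in the capture can be matched, so a key log does nothing for connections that were already established when the capture started.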

I exported the POST packets to JSON via Wireshark, and then extracted the click data:

```python
import json

# Wireshark "Export Packet Dissections > As JSON" output of the decrypted POST /key requests
with open("clicks.json", "r") as f:
    json_file = json.load(f)

clicks = []
for a in json_file:
    # http.file_data holds the request body, i.e. the {"x": ..., "y": ...} JSON the keypad page sent
    click_info = a["_source"]["layers"]["http"]["http.file_data"]
    clicks.append(json.loads(click_info))

print(clicks)
```

My teammate Unblvr then took this info and replayed the clicks against the server to get the flag:

```python
from requests import session

# click coordinates recovered from the decrypted capture, in capture order
# (the actual list is elided in the writeup)
inputs = [
]

s = session()
# load the keypad page first to pick up the session cookie (URL elided in the writeup)
s.get("", verify=False)
URL = ""  # the /key endpoint
for inp in inputs:
    r = s.post(URL, json=inp, verify=False)

# the flag is handed out by /getflag once the server has seen the right sequence
print(s.get("", verify=False).text)
```
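The two scripts above do the extraction and the replay blindly: the export is processed in file order and every POST is sent without looking at the reply. The following added example (not the writeup's code) does both steps the way the keypad JavaScript on the page expects: it pulls the `/key` bodies out of a Wireshark JSON export ordered by frame number, skipping GETs and frames without a parsable JSON body, and replays them while checking the server's `status`, fetching `/getflag` as soon as the server answers `FLAG`. The transport is injected so the logic runs offline; `SAMPLE_EXPORT`, `FakeBank` and its flag are constructed stand-ins for this example, and `requests_transport` is the real transport for use against the bank.

```python
import json

# Constructed stand-in for a Wireshark "Export Packet Dissections > As JSON" file,
# filtered to the decrypted HTTP traffic; real exports carry many more fields.
# Frame 9 is the page load and frame 12 is stored out of order on purpose.
SAMPLE_EXPORT = [
    {"_source": {"layers": {"frame": {"frame.number": "12"},
                            "http": {"http.request.method": "POST", "http.request.uri": "/key",
                                     "http.file_data": '{"x": 101, "y": 36}'}}}},
    {"_source": {"layers": {"frame": {"frame.number": "9"},
                            "http": {"http.request.method": "GET", "http.request.uri": "/"}}}},
    {"_source": {"layers": {"frame": {"frame.number": "10"},
                            "http": {"http.request.method": "POST", "http.request.uri": "/key",
                                     "http.file_data": '{"x": 40, "y": 35}'}}}},
]


def extract_clicks(export):
    """Return the keypad clicks from a Wireshark JSON export, ordered by frame number.

    Only POST /key frames whose body parses as JSON with "x" and "y" are kept.
    """
    clicks = []
    for pkt in export:
        layers = pkt["_source"]["layers"]
        http = layers.get("http", {})
        if http.get("http.request.method") != "POST" or http.get("http.request.uri") != "/key":
            continue
        body = http.get("http.file_data")
        if body is None:
            continue
        try:
            data = json.loads(body)
        except ValueError:
            continue
        if not isinstance(data, dict) or not all(k in data for k in ("x", "y")):
            continue
        clicks.append((int(layers["frame"]["frame.number"]), {"x": data["x"], "y": data["y"]}))
    clicks.sort(key=lambda item: item[0])
    return [click for _, click in clicks]


def replay(clicks, post, get):
    """Replay clicks in capture order; post(path, body) and get(path) return the server's JSON.

    Mirrors the page's JavaScript: keep sending while the server answers OK, and
    when it answers FLAG fetch /getflag and return that response. Returns None if
    the whole sequence is sent without the flag being unlocked.
    """
    for n, click in enumerate(clicks, 1):
        status = post("/key", click).get("status")
        if status == "FLAG":
            return get("/getflag")
        if status != "OK":
            raise RuntimeError(f"click {n} {click}: unexpected status {status!r}")
    return None


def requests_transport(base_url, verify=False):
    """Real transport built on requests (the library the writeup used); base_url is an assumption."""
    import requests
    s = requests.session()
    s.get(base_url, verify=verify)  # pick up the session cookie first, as the original script did
    return (lambda path, body: s.post(base_url + path, json=body, verify=verify).json(),
            lambda path: s.get(base_url + path, verify=verify).json())


class FakeBank:
    """Constructed stand-in for the bank's /key and /getflag handlers, so the replay runs offline."""

    def __init__(self, pin_clicks, flag="cybrics{constructed_example_flag}"):
        self.pin, self.flag, self.seen, self.unlocked = list(pin_clicks), flag, [], False

    def post(self, path, body):
        self.seen.append(body)
        if path == "/key" and self.seen == self.pin:
            self.unlocked = True
            return {"status": "FLAG"}
        return {"status": "OK"}

    def get(self, path):
        if path == "/getflag" and self.unlocked:
            return {"status": "OK", "flag": self.flag}
        return {"status": "ERR"}


if __name__ == "__main__":
    clicks = extract_clicks(SAMPLE_EXPORT)
    bank = FakeBank(clicks)
    print(replay(clicks, bank.post, bank.get))
```

Against the real server, `post, get = requests_transport("https://<bank>")` gives the two callables; `verify=False` is there only because the challenge host used an untrusted certificate.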


> cybrics{B4NK_S4V35_U_M0N3Y}

Original writeup (https://github.com/turnipsoup/ctfwriteups/tree/master/cybric2020/moneylovers).