Root Me: SSL — HTTP exchange

Category: Network

The challenge involves analyzing .pcap file having multiple protocols.

In this particular challenge we need to analyze HTTPs protocol and find the missing flag.

Prerequisites:

  • Knowledge of a network capture analyzing tool.
  • Knowledge of the HTTPS protocols.

You can find the challenge at below link :

https://www.root-me.org/en/Challenges/Network/SSL-HTTP-exchange

Statement

This challenge comes from the 19th DEFCON CTF’s qualification

CLUE : “google is your friend : inurl:server.pem…”

First lets download the ch5.pcap file from the challenge and open it in Wireshark

In the .pcap file we can see TCP and TLSv1 protocol and by going with the challenge statement, I think we need to decrypt TLSv1 traffic.

The first question that we need to ask: what is needed to decrypt the TLSv1 traffic?

Ans: We need private key to decrypt TLSv1 traffic.

Next Question: Where are we going to find the key?

Answer: Lets take a look at the problem statement . In the clue it states : google is your friend.


So lets start by searching for defcon 19 private key in google and go through the results and you will come across below url

After opening the url we can see it consists of 3 parts :

  1. BEGIN Certificate/END CERTIFICATE
  2. BEGIN RSA PRIVATE KEY / END RSA PRIVATE KEY
  3. BEGIN CERTIFICATE REQUEST/ END CERTIFICATE REQUEST

Next lets, save the RSA key in a text file and save it as rsakey.pem


Now that we have the RSA key, next step is to import it in wireshark

For this navigate to Edit > Preferences >protocol>ssl > rsa key list

and add rsakey.pem

Once RSA key is imported, right click on TLSv1 stream and click on follow tls stream

After this we can see the message in clear text

Got It!!

Leave a Comment

Your email address will not be published. Required fields are marked *