The challenge involves analyzing .pcap file having multiple protocols.
In this particular challenge we need to analyze HTTPs protocol and find the missing flag.
- Knowledge of a network capture analyzing tool.
- Knowledge of the HTTPS protocols.
You can find the challenge at below link :
This challenge comes from the 19th DEFCON CTF’s qualification
CLUE : “google is your friend : inurl:server.pem…”
First lets download the ch5.pcap file from the challenge and open it in Wireshark
In the .pcap file we can see TCP and TLSv1 protocol and by going with the challenge statement, I think we need to decrypt TLSv1 traffic.
The first question that we need to ask: what is needed to decrypt the TLSv1 traffic?
Ans: We need private key to decrypt TLSv1 traffic.
Next Question: Where are we going to find the key?
Answer: Lets take a look at the problem statement . In the clue it states : google is your friend.
So lets start by searching for defcon 19 private key in google and go through the results and you will come across below url
After opening the url we can see it consists of 3 parts :
- BEGIN Certificate/END CERTIFICATE
- BEGIN RSA PRIVATE KEY / END RSA PRIVATE KEY
- BEGIN CERTIFICATE REQUEST/ END CERTIFICATE REQUEST
Next lets, save the RSA key in a text file and save it as rsakey.pem
Now that we have the RSA key, next step is to import it in wireshark
For this navigate to Edit > Preferences >protocol>ssl > rsa key list
and add rsakey.pem
Once RSA key is imported, right click on TLSv1 stream and click on follow tls stream
After this we can see the message in clear text