encrypted traffic
The idea of this challenge is to decrypt HTTPS traffic using a TLS (pre)-master secret log file and extract a password-protected zip file that contains a base64-encoded flag.
First, open the pcapng file in Wireshark and analyze the traffic. Start by looking at which protocols are present in the capture (Statistics -> Protocol Hierarchy).
Given the challenge name, encrypted traffic, the protocol to focus on is TLS, which is what encrypts the HTTP traffic: before decryption Wireshark shows only TLS records and no HTTP at all.
The task attachment includes sslkey.log, a key log file in the SSLKEYLOGFILE format (one line per session holding the ClientHello random and the session secret). Wireshark can use it as a (pre)-master secret log file to decrypt the HTTPS traffic: go to Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename, browse to sslkey.log and click OK. Only sessions whose client random appears in the log get decrypted; any other TLS session in the capture stays opaque.
Now look at the protocol hierarchy again (Statistics -> Protocol Hierarchy): a new protocol, HTTP, appears under TLS, which is the result of the decryption of the HTTPS traffic.
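Before relying on the preference above, it helps to know what the key log actually contains and whether it matches the capture, because a log with the wrong format or with randoms from a different client decrypts nothing and Wireshark gives no error. The script below is an added example for this write-up, not a file from the challenge: it parses an SSLKEYLOGFILE-style log, flags malformed lines, and checks which captured ClientHello randoms (Wireshark shows them in the ClientHello as tls.handshake.random) have a matching secret. The log contents and the two client randoms are constructed sample data.

```python
"""Sanity-check an SSLKEYLOGFILE-style key log before pointing Wireshark at it.

Added example for this write-up, not part of the challenge files. The key log
contents and the client randoms below are constructed sample data."""
import re
from collections import defaultdict

# Labels the Wireshark TLS dissector understands (TLS 1.2 and TLS 1.3 lines).
KNOWN_LABELS = {
    "CLIENT_RANDOM",                    # TLS 1.2: 32-byte client random, 48-byte master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",      # TLS 1.3 labels: client random, then the derived secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

# Every line is "<LABEL> <client_random hex> <secret hex>"; '#' starts a comment.
LINE_RE = re.compile(r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]+) (?P<secret>[0-9a-fA-F]+)$")

# Constructed sample log: one TLS 1.2 entry, one TLS 1.3 entry, one truncated
# entry and one junk line.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "dd" * 32,
    "CLIENT_RANDOM deadbeef cafe",
    "this is not a keylog line",
])

# Constructed ClientHello randoms as Wireshark would show them for the capture
# (field tls.handshake.random): one is in the log, the other is not.
CAPTURED_RANDOMS = ["aa" * 32, "ee" * 32]


def parse_keylog(text):
    """Return (entries, problems): entries[label][client_random] = secret (hex, lowercase)."""
    entries = defaultdict(dict)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not of the form 'LABEL <hex> <hex>'")
            continue
        label = m.group("label")
        rnd = m.group("random").lower()
        secret = m.group("secret").lower()
        if label not in KNOWN_LABELS:
            problems.append(f"line {lineno}: unknown label {label}")
        if len(rnd) != 64:
            problems.append(f"line {lineno}: client random is {len(rnd) // 2} bytes, expected 32")
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            problems.append(f"line {lineno}: master secret is {len(secret) // 2} bytes, expected 48")
        entries[label][rnd] = secret
    return dict(entries), problems


def sessions_decryptable(entries, captured_randoms):
    """Map each captured client random to whether the key log holds a secret for it."""
    known = {rnd for per_label in entries.values() for rnd in per_label}
    return {r.lower(): r.lower() in known for r in captured_randoms}


if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE_KEYLOG)
    for p in problems:
        print("warning:", p)
    for rnd, ok in sessions_decryptable(entries, CAPTURED_RANDOMS).items():
        print(rnd[:16] + "...", "decryptable" if ok else "NO SECRET IN LOG")
```

A session whose random is reported as "NO SECRET IN LOG" will still show up as plain TLS application data after the preference is set, so this check tells you up front whether the log covers the traffic you care about. The same preference can be given on the command line with `tshark -o tls.keylog_file:sslkey.log -r capture.pcapng` for scripted analysis.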
In Wireshark, filter by http and look at the decrypted requests and responses. Then export the HTTP objects so their contents can be searched for leaked information: go to File -> Export Objects -> HTTP, save all the files and examine them.
First check each file's type (for example with the file command), because the exported objects are named after their URL path and usually carry no extension: the file named show is a PNG image, but an image viewer won't open it until the .png extension is added to the filename.
Going through all the files, one of them turns out to be a zip archive; rename it to add the .zip extension.
Unzipping the file asks for a password. At first I tried to crack it using john, and then I tried to find the password in the HTTP traffic, but the password was right in front of my eyes: CODEBY{w3ll_d0n3!}
A file called flag is extracted; checking its type shows that it is an executable.
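The type checks done by hand above (spotting the PNG, the zip and the ELF among extension-less exported objects, and noticing that the zip is password-protected) can be scripted for a whole export directory. The following is an added example, not the author's script or anything shipped with the challenge: it sniffs each object's magic bytes the way the file command does, proposes a filename with the right extension, and for zip archives walks the local file headers to report which entries have the encryption bit set. The sample objects are constructed in memory; on a real export you would read the saved files into the same dictionary.

```python
"""Identify exported HTTP objects by magic bytes and spot password-protected zips.

Added example for this write-up, not the author's script. The sample objects
are constructed in memory; the real files come from File -> Export Objects -> HTTP."""
import io
import struct
import zipfile

# (magic prefix, extension) in the order they should be tested.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
]

# Zip local file header after the 4-byte "PK\x03\x04" signature:
# version, flags, method, mod time, mod date, crc32, csize, usize, name len, extra len
LOCAL_HDR = struct.Struct("<HHHHHIIIHH")
LOCAL_HDR_LEN = 4 + LOCAL_HDR.size  # 30 bytes


def sniff_type(data):
    """Return an extension based on the leading bytes, like a minimal `file` command."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    head = data[:512]
    if head and all(b in b"\t\n\r" or 32 <= b < 127 for b in head):
        return "txt"
    return "bin"


def zip_entries(data):
    """Walk the local file headers and return (name, encrypted) for each entry.

    Bit 0 of the general-purpose flags marks a ZipCrypto- or AES-encrypted entry,
    which is why unzip prompts for a password."""
    entries = []
    off = 0
    while data[off:off + 4] == b"PK\x03\x04":
        (_ver, flags, _method, _t, _d, _crc, csize, _usize, nlen, xlen) = LOCAL_HDR.unpack_from(data, off + 4)
        name = data[off + LOCAL_HDR_LEN:off + LOCAL_HDR_LEN + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x0001)))
        # Entries written with a data descriptor (flag bit 3) carry csize 0 here;
        # for those the central directory would have to be consulted instead.
        off += LOCAL_HDR_LEN + nlen + xlen + csize
    return entries


def suggest_names(files):
    """Map each exported object name to a name with the sniffed extension appended."""
    renamed = {}
    for name, data in files.items():
        ext = sniff_type(data)
        renamed[name] = name if name.lower().endswith("." + ext) else f"{name}.{ext}"
    return renamed


def build_samples():
    """Constructed stand-ins for exported objects (no real challenge data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"hello")
    # Hand-built local header with the encryption flag set (zipfile cannot write one).
    encrypted = (b"PK\x03\x04"
                 + LOCAL_HDR.pack(20, 0x0001, 0, 0, 0, 0, 4, 4, 4, 0)
                 + b"flag" + b"XXXX")
    return {
        "show": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "flag": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "secret": encrypted,
        "plain": buf.getvalue(),
        "index": b"<html><body>hi</body></html>",
    }


if __name__ == "__main__":
    samples = build_samples()
    for old, new in suggest_names(samples).items():
        print(f"{old} -> {new}")
        if new.endswith(".zip"):
            for entry, enc in zip_entries(samples[old]):
                print(f"    {entry}: {'password-protected' if enc else 'not encrypted'}")
```

Knowing that an entry is flagged as encrypted before running unzip saves a round of guessing, and the entry names are readable even when the contents are not, which is often enough to decide whether an archive is worth a password search at all.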