
US Cyber Games 2024 - Certified

Updated: Jun 11

Follow along with my YouTube video writeup below

Visual Workflow Summary


This Forensics challenge consisted of a plain text RSA private key passed over HTTP, which we extract in order to decrypt TLS encrypted application data. Once the analyst has retrieved the key, it may need to be formatted before saving it as a .key file and importing it into Wireshark's RSA keys list, while filling out the proper IP address, port and protocol the key is to be used on.

Technical Workflow Summary
  1. Analyze the PCAP file
  2. Identify the plain text RSA key and the TLS encrypted data streams
  3. Extract and format the RSA key
  4. Import the RSA key into Wireshark
  5. Decrypt the traffic and retrieve the flag

Analyze PCAP file

Reviewing the PCAP file immediately reveals a plain text RSA key and a corresponding certificate.

Following this we see a TLS handshake, which involves a certificate transfer and a key exchange as part of the process. While this handshake is secure in itself, we have the server's plain text RSA key, which undermines the entire encryption process.

The HTTP requests are encrypted with TLSv1.2 as per above and the data cannot be read.

Extract and format RSA Key

In this stage we copy our RSA key from the PCAP in Wireshark, which by default shows the packet bytes as hexadecimal. While the certificate is directly below the key, it is not needed for this challenge, but you can extract and analyze the certificate as well.

CyberChef allows us to decode the hexadecimal data back into the PEM text and finally save the output to our local device.

Import the RSA key into Wireshark

Importing the RSA key into Wireshark is a straightforward process. First, we define the IP address, port and protocol we are looking to decrypt with our RSA key, and then we import our key. If we do not define the IP and port, the application will be unable to decrypt the information. If we are dealing with a larger PCAP file, it could be the case that multiple RSA keys are used across different streams.

Edit --> Preferences --> Protocols --> TLS

You can see below that we have defined the IP address on which we observed encrypted application data, the port and the protocol. Finally we call our RSA key a .key file rather than a .pem file, out of habit.
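As an added example that is not part of the original writeup, the script below does the CyberChef decode and the key formatting from the previous section in Python, and builds the RSA keys list row for the preferences dialog above. The sample hex, the address 10.0.0.5 and the file name server.key are constructed placeholders, and the tshark preference name tls.keys_list is assumed to match the current Wireshark release.

```python
import re
from pathlib import Path

PEM_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
PEM_END = "-----END RSA PRIVATE KEY-----"

# Constructed sample (not a real key and not the challenge's data): a placeholder
# PEM body inside an HTTP response, hex-encoded the way Wireshark copies bytes.
SAMPLE_ON_THE_WIRE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "MIIBOgIBAAJBAKEXAMPLEPLACEHOLDERBODYNOTAREALKEY0123456789ABCDEFGHIJ\r\n"
    "KLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/AAAAAAA==\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
)
SAMPLE_HEX = ":".join(f"{b:02x}" for b in SAMPLE_ON_THE_WIRE.encode())


def decode_hex_stream(hex_text: str) -> str:
    """Turn a hex copy (bare, or ':'/space separated) back into the transferred text."""
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", hex_text)).decode("ascii")


def normalize_pem(text: str) -> str:
    """Cut the key out of the surrounding HTTP bytes and reflow it into the
    64-character LF-terminated lines that OpenSSL-based readers (Wireshark included) expect."""
    start, end = text.find(PEM_BEGIN), text.find(PEM_END)
    if start < 0 or end < start:
        raise ValueError("no complete RSA PRIVATE KEY block found")
    b64 = re.sub(r"\s+", "", text[start + len(PEM_BEGIN):end])
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", b64):
        raise ValueError("PEM body contains non-base64 characters")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def tls_keys_list_entry(ip: str, port: int, protocol: str, key_path: str) -> str:
    """One row of the Wireshark TLS 'RSA keys list' preference (Edit > Preferences >
    Protocols > TLS), also usable on the command line as tshark -o tls.keys_list:<row>.
    An RSA key only decrypts sessions that negotiated RSA key exchange; (EC)DHE suites
    need the session secrets instead, so check the cipher suite in the ServerHello first."""
    return f"{ip},{port},{protocol},{key_path}"


if __name__ == "__main__":
    out = Path("server.key")
    out.write_text(normalize_pem(decode_hex_stream(SAMPLE_HEX)))
    print(tls_keys_list_entry("10.0.0.5", 443, "http", str(out)))
```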

Decrypt the Data & Retrieve the Flag

What is interesting here is that the TLS data that was previously shown as application data is now dissected as HTTP traffic.

This is because the data was decrypted and expressed as HTTP traffic allowing us to obtain the flag.

The End
