Wireshark is not able to decrypt the content of HTTPS on its own. The idea here is that HTTPS traffic travelling over the Internet is confidential: a random router or person who happens to capture your packets cannot decrypt the HTTPS without the decryption key. This is because HTTPS encrypts point to point between the two applications. Power up Wireshark or tcpdump and listen to the network traffic; in this explanation I use Wireshark, simply for the user interface.

From the given PCAP file you must have noticed traffic from the OCSP, HTTP, FTP, SMTP and TLS protocols. TLS carries the actual flag, FTP carries the private key needed to decrypt the TLS traffic, and SMTP carries the clue that will help us filter the traffic of interest, i.e. the right TLS packets.

The first task is to retrieve the private key file from the FTP traffic. Follow the TCP stream and you can see the transferred private key. Save it as a text file (private_key.txt).

We have the private key, and all we have to do is use it to decrypt the TLS packets. Use the filter "ssl" to see the encrypted traffic. We have 4+ HTTP servers involved, and the important task is to find the right one that has the flag. But how? The answer is in the hint transmitted in the email (SMTP traffic). Use the filter "smtp" and read the contents of the email. You can see the sender informing about moving the code from Swiss Secure Cloud to. The two addresses found in the email point to 52.214.142.175:443. So this might be the right IP address we are looking for. To confirm, see if there is any traffic to or from 52.214.142.175 in the PCAP file.

Let's use all the information we gathered from the SMTP protocol (IP: 52.214.142.175, port: 443) and from FTP (the private key) to decrypt the SSL traffic. Go to the 'Wireshark' drop-down menu and select the 'Preferences' option. Once selected, click on 'Protocols.' (The same dialog holds the decryption settings for other protocols too: under 'IEEE 802.11' you can click 'Enable decryption' and then 'Edit' next to 'Decryption keys' to add Wi-Fi passwords and PSKs.) In the RSA keys list add all the information we got. The protocol should be http, since port 443 on 52.214.142.175 is the HTTPS default; this tells Wireshark which dissector to apply to the decrypted payload.

I was searching for the flag inside the transferred files (File -> Export -> HTTP objects) but it was not there; after a while I found it in the HTTP header.
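The private-key retrieval step above is done by hand in Wireshark (Follow TCP Stream, copy, save). The following is an added example, not code from the original post, that does the same thing over a saved stream dump: it finds PEM private-key blocks, normalises the CRLF line endings an FTP ASCII-mode transfer leaves behind, rejects blocks whose body is not valid base64 (a truncated or misaligned stream), and writes the first good one to private_key.txt. The stream bytes are constructed for the example; the base64 body is filler, not a real key.

```python
"""Extract PEM private keys from a reassembled TCP stream dump.

Added example for this walkthrough, not code from the original post.
SAMPLE_STREAM is constructed: its base64 body is filler, not a real key.
"""
import base64
import re

# Matches any "-----BEGIN ... PRIVATE KEY-----" block and its matching END line.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def extract_private_keys(stream: bytes) -> list:
    """Return (label, pem_text) for every well-formed private key in the stream."""
    keys = []
    for match in PEM_RE.finditer(stream):
        label = match.group(1).decode("ascii")
        # FTP ASCII mode (and Windows clients) send CRLF; PEM tools want LF.
        body = match.group(2).replace(b"\r\n", b"\n")
        try:
            # validate=True makes non-base64 bytes raise instead of being skipped.
            base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            continue  # truncated transfer or binary garbage: not a usable key
        pem = b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
            label.encode("ascii"), body, label.encode("ascii"))
        keys.append((label, pem.decode("ascii")))
    return keys


def save_first_key(stream: bytes, path: str = "private_key.txt"):
    """Write the first usable key to `path` (as the walkthrough does) and return the path."""
    keys = extract_private_keys(stream)
    if not keys:
        return None
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keys[0][1])
    return path


# Constructed sample: what "Follow TCP Stream" on the FTP data connection might
# show. The first block is well-formed filler; the second is deliberately broken.
_FILLER = base64.b64encode(b"constructed filler bytes, this is not a real key" * 2)
SAMPLE_STREAM = (
    b"-----BEGIN RSA PRIVATE KEY-----\r\n"
    + _FILLER[:64] + b"\r\n" + _FILLER[64:] + b"\r\n"
    + b"-----END RSA PRIVATE KEY-----\r\n"
    b"-----BEGIN EC PRIVATE KEY-----\r\n"
    b"!!! not base64: transfer cut short !!!\r\n"
    b"-----END EC PRIVATE KEY-----\r\n"
)

if __name__ == "__main__":
    for label, pem in extract_private_keys(SAMPLE_STREAM):
        print(label)
        print(pem)
    print("saved to", save_first_key(SAMPLE_STREAM))
```

Only the RSA block survives: the EC block is dropped because its body fails base64 validation, which is the same symptom you would see if the FTP data stream in the PCAP were incomplete.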
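The RSA keys list method works only because the server in this capture negotiated a cipher suite with static RSA key exchange: the client encrypts the pre-master secret with the server's RSA public key, so the private key from FTP recovers it. With a forward-secret suite (DHE, ECDHE, or any TLS 1.3 suite) the private key alone decrypts nothing, and you would need the session secrets (an SSLKEYLOGFILE) instead. The added example below, not code from the original post, parses a TLS ServerHello record to read the negotiated cipher suite, says whether the RSA key can decrypt the session, and builds the tshark preference string equivalent to the GUI keys list entry (`tls.keys_list`, named `ssl.keys_list` in Wireshark before 3.0). The ServerHello bytes are constructed, not taken from the CTF PCAP.

```python
"""Can the server's RSA private key decrypt this TLS session?

Added example for this walkthrough, not code from the original post.
The ServerHello records are built by build_server_hello(), not captured.
"""
import struct

# Static RSA key exchange: the server's private key decrypts the pre-master secret.
RSA_KX_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
# Forward-secret suites: keys come from an ephemeral (EC)DH exchange, so the
# long-term private key is useless for decryption; only session secrets help.
FORWARD_SECRET_SUITES = {
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",        # TLS 1.3: always forward secret
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


def parse_server_hello(record: bytes) -> dict:
    """Return the version and cipher suite from a TLS record holding a ServerHello."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    handshake = record[5:5 + rec_len]
    if handshake[0] != 2:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    version = struct.unpack("!H", body[:2])[0]   # TLS 1.3 still says 0x0303 here
    pos = 2 + 32                                  # skip the 32-byte server random
    pos += 1 + body[pos]                          # skip session id (length-prefixed)
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": cipher_suite}


def rsa_key_can_decrypt(cipher_suite: int) -> bool:
    """True only for static RSA key exchange suites (the RSA keys list case)."""
    return cipher_suite in RSA_KX_SUITES


def suite_name(cipher_suite: int) -> str:
    return RSA_KX_SUITES.get(cipher_suite) or FORWARD_SECRET_SUITES.get(
        cipher_suite, "unknown 0x%04x" % cipher_suite)


def tshark_keys_list(ip: str, port: int, protocol: str, keyfile: str) -> str:
    """Command-line form of the GUI RSA keys list entry: -o <this string>."""
    return "tls.keys_list:%s,%d,%s,%s" % (ip, port, protocol, keyfile)


def build_server_hello(version: int, cipher_suite: int) -> bytes:
    """Construct a minimal ServerHello record for the example (no extensions)."""
    body = (struct.pack("!H", version) + b"\x11" * 32      # constructed random
            + b"\x00"                                       # empty session id
            + struct.pack("!H", cipher_suite) + b"\x00")    # null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for suite in (0x009C, 0xC02F, 0x1301):
        info = parse_server_hello(build_server_hello(0x0303, suite))
        verdict = "RSA key decrypts" if rsa_key_can_decrypt(info["cipher_suite"]) \
            else "needs session secrets (SSLKEYLOGFILE)"
        print("%-40s %s" % (suite_name(info["cipher_suite"]), verdict))
    print(tshark_keys_list("52.214.142.175", 443, "http", "private_key.txt"))
```

If the ServerHello in your own capture reports an ECDHE or TLS 1.3 suite, adding the key to the RSA keys list will silently do nothing; that check is worth a few seconds before hunting for a configuration mistake.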