[Forensics] Marshal in the Middle

k4r4koyun · April 26, 2018, 2:19pm

@genxweb said:
Will this challenge end in a standard flag? I believe I know what is ex filled wondering if we need to crack any of the data. Trying not to give away any spoilers. I have a stream the stream shows some commands gathering some sensitive data and sending it off. i dont have a forensics background, just taking a shot from the knowledge i have and some classes I have taken.

I’ve got the trail of our guy but it looks like I can get the first and the second part of something but not the third part and I’m sure that the third part has the juice.

genxweb · April 26, 2018, 6:32pm

Yeah Iam stuck there on the in the middle part. found the sensitive data and where it came from then looked there and think i have the packet but for some reason that packet does not seem to decode.

SamuraiZombie · April 27, 2018, 5:38am

By any chance is the legible? like in the format of HTB{Blah}? I found where it looks to be posting the contents of a well known file from /etc/* and the break down of the cert. Any particular area that should be looked at more?

k4r4koyun · April 27, 2018, 10:17am

BTW which version of Wireshark did you guys use? I have 2.4.5 on my box and I believe there might be a bug with the challenge on that version

k4r4koyun · April 27, 2018, 2:08pm

@k4r4koyun said:
BTW which version of Wireshark did you guys use? I have 2.4.5 on my box and I believe there might be a bug with the challenge on that version

The challenge is bugged. Do not try to do this one with up-to-date Wireshark installed in Kali Linux. I have downloaded Wireshark 2.1.1 from their site on my Windows computer and the flag is there.

rotarydrone · April 28, 2018, 12:57am

Hi @k4r4koyun , I tested on Version 2.4.5 (Git v2.4.5 packaged as 2.4.5-1) on Kali 64 bit, and everything worked properly. Perhaps something was misconfigured?

k4r4koyun · April 28, 2018, 8:11am

@rotarydrone said:
Hi @k4r4koyun , I tested on Version 2.4.5 (Git v2.4.5 packaged as 2.4.5-1) on Kali 64 bit, and everything worked properly. Perhaps something was misconfigured?

Don’t think so, I didn’t change settings of my wireshark but decryption on my Kali was problematic. Can’t really say much from here without spoiling

H3XTEC · May 6, 2018, 4:50pm

i have a question about this challange. can anyone pm me ?

andremilke · May 7, 2018, 4:52pm

I got some information about the pastebin, the traffic. But the flag is not there. I think the flag is in another flow of information, I got the content but I can’t put this in a plain text. Could someone let me a hint?

andremilke · May 7, 2018, 6:00pm

I got it.

osku · May 9, 2018, 8:02am

Stuck too, found out the session invoking the exfil, also the likely related POSTs, but can’t figure out how to make use of the private key? Anyone mind nudging me towards how to try better?

osku · May 9, 2018, 12:33pm

Nevermind… and facepalm… it was obvious when I just looked at it.

parzival604 · May 12, 2018, 5:01am

That was like a WTF ahaahahha moment when I got it.

FTNTT · May 16, 2018, 10:30am

i found the Api_post_code in the wireshark,but how to find the flag?

LeDeceiver · May 19, 2018, 3:25pm

Found plaintext data of user’s actions but cannot seem to find the flag …

vinodyadav · May 22, 2018, 5:08pm

i got the api request to the pastebin with confidential information, but while putting those as flag not working anymore, can some one please help here

vinodyadav · May 22, 2018, 6:03pm

Finally!!! got it. It was an awesome challenge guys

charybdis · May 22, 2018, 6:17pm

I loved this challenge!

LeDeceiver · May 24, 2018, 10:59am

Took me too long but I finally got it. The tools I need are right in front of me… =)

michaellamb1 · May 24, 2018, 12:01pm

I have the evidence of an the exfil and the person deleting their tracks… can’t find the flag though! Can someone give me a clue from here.