[Forensics] Marshal in the Middle

Comments

  • Hi! Anyone I can PM regarding this challenge? The API of the "website" keeps on returning an error message. I've double checked the parameters and they seem to be the correct ones. Is there anything I'm missing?

  • Hope this is ok, just a great read on the Wireshark tool here, oh the witty ways to use it: https://sharkfesteurope.wireshark.org/assets/presentations17eu/15.pdf

  • I'm beginning to lose hope on this one, is the flag in the HTB{} format?

  • @AgentTiro said:
    It is possible to do in newer versions of wireshark. Just need one extra step

    What extra step? I sort of gave up on this before the summer but now I've come back and still can't get past the first hurdle. Wireshark doesn't seem to like my attempts to decrypt the data (and I've followed the advice @ https://wiki.wireshark.org/SSL#Preference_Settings).

  • I still haven't managed to get anywhere with this.

    Is there anyone out there who has solved it and doesn't mind giving me a tip or two about why I don't seem to be able to get Wireshark to decrypt the vital SSL traffic?

    I can see the cleartext suspicious traffic on the next stream, and then a huge amount of traffic which looks like normal web browsing. But nothing I do seems to be able to assign the private key to the traffic I want it to decrypt.

    Any and all help really, really welcomed! :smile:

  • @TazWake said:
    I still haven't managed to get anywhere with this.

    Is there anyone out there who has solved it and doesn't mind giving me a tip or two about why I don't seem to be able to get Wireshark to decrypt the vital SSL traffic?

    I can see the cleartext suspicious traffic on the next stream, and then a huge amount of traffic which looks like normal web browsing. But nothing I do seems to be able to assign the private key to the traffic I want it to decrypt.

    Any and all help really, really welcomed! :smile:

    Having this exact same problem. Using older versions of Wireshark hasn't helped. Extracting the private key from the PEM file to its own, separate file (as suggested by various Wireshark articles) hasn't helped. I see the two binary streams as well as the cleartext exfiltration session, but I can't do a f***ing thing with any of it. Incredibly frustrating.

    opt1kz

  • @opt1kz said:
    Having this exact same problem. Using older versions of Wireshark hasn't helped. Extracting the private key from the PEM file to its own, separate file (as suggested by various Wireshark articles) hasn't helped. I see the two binary streams as well as the cleartext exfiltration session, but I can't do a f***ing thing with any of it. Incredibly frustrating.

    I've even tried with other tools such as network miner but got nowhere :(

  • I cannot seem to figure out how to import the private key properly. Have tried extracting private key from .pem. Don't know if I am doing it wrong. Have also tried the secrets.log file as master secret log. Still unable to see anything but tcp stream 2 in plain text. Would love some input.

  • @bluebaytuna said:
    Hi! Anyone I can PM regarding this challenge? The API of the "website" keeps on returning an error message. I've double checked the parameters and they seem to be the correct ones. Is there anything I'm missing?

    I think I am at the same point. Have you any news about this?

  • edited November 2018

    Took me quite a while, first time I've done anything like this. Really fun challenge. The hard part is just learning how to use wireshark imo, it's such a complex tool with so many capabilities that it can be difficult to figure out how to use them and what they do.

    If you're at the spot that I was stuck on for a while, and most other people seem to be stuck on, where you think you've found out what was stolen, but only have 4 lines or so, you're on the right track. Refer to the link in @TazWake's previous post and research how to perform this action in wireshark. There's some pretty good tutorials out there.

    --Skunkfoot

  • edited November 2018

    I am looking at those Bro log files but I can't find anything that would stand out... I am obviously not supposed to go through all the 13000 lines manually. HTB is killing me :D Any hints? I know pretty well how to search stuff in Wireshark but I'm kind of lost. Hard to search if no ideas what to look for. Any hints?

    Arrexel

  • Don't think I used the bro files for anything. IIRC, everything you need should be in the root directory

    --Skunkfoot

  • edited November 2018

    Got it! Man.... Once I got over the decryption hurdle it was like 2 minutes.... That's me.. I get stuck on some trivial technicality. But hey, I learned something new. I never had to decrypt stuff in Wireshark before.

    Arrexel

  • @iVirus said:
    The impact of the work done by Diffie-Hellman is absolutely Not Ephemeral ;)

    To those still stuck, review this ^ hint.
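The hint above is about the key exchange: Wireshark's RSA keys list only works for sessions that negotiated an RSA key exchange, while (EC)DHE and TLS 1.3 sessions can only be decrypted with a (Pre)-Master-Secret log file. The script below is an added example, not from this thread or the challenge; it parses a TLS ServerHello record, reads the negotiated cipher suite and reports which decryption material applies. The cipher-suite tables cover only common suites, and the sample record is constructed inline.

```python
import struct

# IANA cipher suite values, grouped by key exchange (a subset; unknown suites are reported as such).
RSA_KX = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
          0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256", 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
          0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384"}
EPHEMERAL_KX = {0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x1301: "TLS_AES_128_GCM_SHA256 (TLS 1.3)"}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version, server random and cipher suite."""
    if len(record) < 5 or record[0] != 0x16:          # content type 0x16 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # handshake type 0x02 = ServerHello
        raise ValueError("record does not carry a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[0:2])[0]
    server_random = hs[2:34]                          # 32-byte server random
    sid_len = hs[34]                                  # session id is variable length, skip it
    pos = 35 + sid_len
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"version": version, "server_random": server_random, "cipher_suite": suite}

def decryption_material(suite: int) -> str:
    """Say which Wireshark TLS preference can decrypt a session using this suite."""
    if suite in RSA_KX:
        return "RSA key exchange (%s): the server's private key in the RSA keys list works" % RSA_KX[suite]
    if suite in EPHEMERAL_KX:
        return "ephemeral key exchange (%s): only a (Pre)-Master-Secret log file works" % EPHEMERAL_KX[suite]
    return "unknown cipher suite 0x%04x" % suite

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample: a TLS 1.2 ServerHello record selecting the given suite, no extensions."""
    hs = (b"\x03\x03" + bytes(range(32)) + bytes([len(session_id)]) + session_id
          + struct.pack("!H", suite) + b"\x00")        # trailing byte: null compression
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    for s in (0x002F, 0xC02F):
        info = parse_server_hello(build_server_hello(s, session_id=b"\xaa" * 8))
        print("0x%04x -> %s" % (info["cipher_suite"], decryption_material(info["cipher_suite"])))
```

On a real capture, feed the function the reassembled TLS record of the server's first handshake message; if the answer is "ephemeral", no private key will ever decrypt that stream.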

  • @TazWake said:
    I still haven't managed to get anywhere with this.

    Is there anyone out there who has solved it and doesn't mind giving me a tip or two about why I don't seem to be able to get Wireshark to decrypt the vital SSL traffic?

    I can see the cleartext suspicious traffic on the next stream, and then a huge amount of traffic which looks like normal web browsing. But nothing I do seems to be able to assign the private key to the traffic I want it to decrypt.

    Any and all help really, really welcomed! :smile:

    Same here, any hint would be much appreciated

  • For me, the best tip I can give is don't try to read the streams - nothing I did made that work. However, there are other things you can do in Wireshark to get it to dump data to a folder, which you can then analyse.

  • make sure you have an up-to-date wireshark

  • I've found the sensitive data from the stream. What's the next step?

  • Can anyone PM me about this challenge? I don't want to spoil!! and want to ask some things!

  • I'm stuck on it, got the DNS tunnel thing - But how to extract with what tools, not sure what the next step is here.

    Anyone?

  • Hi all, I've got something but I don't want to spoil, anyone can PM me? Thx!

    Arrexel

  • Just spent a lot of time on this one just to figure out Wireshark 2.4.6 and 3.0.0 on OS X neither would decrypt correctly. 2.6.7 worked fine with exact same settings as other 2 versions so I don't think it was misconfiguration. 2.6.6 in Kali worked fine too, didn't try any other versions. Once decrypt worked, the flag was obvious in expected format.

  • Ya, I had figured it was an issue. I almost wondered why it was not working, and I kind of figured the bundle needed to be modified to get the decryption working. Once I noticed I wasn't getting decryption I just put it aside. I am glad you cleared up which version worked; I will do a reinstall of that version later.

  • Finally found it! FYI it works with Wireshark 3.0.0 on Win10

    Arrexel

  • I suggest this video to understand how to decrypt SSL

    If you appreciate my help, please give me +1 respect :)
    https://www.hackthebox.eu/home/users/profile/113070.

  • Finally I got it :smiley: and this worked with the last version of Wireshark on Win10, also in Kali Linux. Check out very well the advanced preferences on Wireshark, if you need any help PM.. Cheers.

    M1ndcr4ck

  • Got it. If you need help PM.
    Cheers from Portugal :+1:

  • edited April 3

    I found something similar to the flag and I cannot respond. Help.

  • Bad API request, invalid api_option
    why is so!! I am getting a problem!! Anyone here to give me a small nudge!!
