[Forensics] Marshal in the Middle

Look at the logs. Find something of interest. View the relevant packets in wireshark.

Finally found some interesting data, which was shredded by the user. Please, somebody let me know what the flag will be.

I need help here to find the flag.

I had the same issue with using a newer version of Wireshark (2.6.1). Wasn't able to find the flag after analysing for ages. Decided to try on the version that comes with SIFT (2.2.6) and found the flag in a few minutes. Must be an issue with how the packets get decrypted…?

It is possible to do in newer versions of Wireshark. Just need one extra step.

Actually it does work fine and no extra step is required. I realised that one of the files didn't download correctly :confused:

@natekhchan said:
That was like a WTF ahaahahha moment when I got it. :slight_smile:

same feeling here. HAHAHAHA

I tried all the ways I could think of, no luck.
Is the flag in an encrypted format?

I followed the whole stream and spent too much time, still no luck. Can somebody ping me to help with finding the flag!!!

Can anyone PM me about the flag? I found the “session” where the exfil has been done. I know what’s been stolen, from what system, by which “tool”, and that the user cleaned up his ‘mess’, but I can’t see anything that looks like a flag.

Update: Found it - no help needed

Hi! Anyone I can PM regarding this challenge? The API of the “website” keeps on returning an error message. I’ve double checked the parameters and they seem to be the correct ones. Is there anything I’m missing?

Hope this is ok, just a great read on the Wireshark tool here, oh the witty ways to use it: https://sharkfesteurope.wireshark.org/assets/presentations17eu/15.pdf

I’m beginning to lose hope on this one. Is the flag in the HTB{} format?

@AgentTiro said:
It is possible to do in newer versions of Wireshark. Just need one extra step.

What extra step? I sort of gave up on this before the summer, but now I’ve come back and still can’t get past the first hurdle. Wireshark doesn’t seem to like my attempts to decrypt the data (and I’ve followed the advice @ https://wiki.wireshark.org/SSL#Preference_Settings).

I still haven’t managed to get anywhere with this.

Is there anyone out there who has solved it and doesn’t mind giving me a tip or two about why I don’t seem to be able to get Wireshark to decrypt the vital SSL traffic?

I can see the cleartext suspicious traffic on the next stream, and then a huge amount of traffic which looks like normal web browsing. But nothing I do seems to be able to assign the private key to the traffic I want it to decrypt.

Any and all help really, really welcomed! :smile:

@TazWake said:
I still haven’t managed to get anywhere with this.

Is there anyone out there who has solved it and doesn’t mind giving me a tip or two about why I don’t seem to be able to get Wireshark to decrypt the vital SSL traffic?

I can see the cleartext suspicious traffic on the next stream, and then a huge amount of traffic which looks like normal web browsing. But nothing I do seems to be able to assign the private key to the traffic I want it to decrypt.

Any and all help really, really welcomed! :smile:

Having this exact same problem. Using older versions of Wireshark hasn’t helped. Extracting the private key from the PEM file to its own, separate file (as suggested by various Wireshark articles) hasn’t helped. I see the two binary streams as well as the cleartext exfiltration session, but I can’t do a f***ing thing with any of it. Incredibly frustrating.

@opt1kz said:
Having this exact same problem. Using older versions of Wireshark hasn’t helped. Extracting the private key from the PEM file to its own, separate file (as suggested by various Wireshark articles) hasn’t helped. I see the two binary streams as well as the cleartext exfiltration session, but I can’t do a f***ing thing with any of it. Incredibly frustrating.

I’ve even tried with other tools such as NetworkMiner but got nowhere :frowning:

I cannot seem to figure out how to import the private key properly. I have tried extracting the private key from the .pem. Don’t know if I am doing it wrong. I have also tried the secrets.log file as the master secret log. Still unable to see anything but TCP stream 2 in plain text. Would love some input.
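A quick sanity check for the "master secret log" route mentioned in the post above, added here as an example and not part of the challenge or of anyone's solution in this thread: it parses an NSS-format key log (the file Wireshark reads via its (Pre)-Master-Secret log preference) and tells you whether it actually contains the client random of a given ClientHello, which is the only way Wireshark can match a log line to a session. The key log text and the ClientHello bytes below are constructed sample data.

```python
"""Does a key log file cover the TLS session in a capture?  Added example,
not the challenge's files; sample inputs are constructed."""
import re

# One NSS key log line: LABEL <64 hex chars client random> <hex secret>.
# Wireshark matches the 32-byte client random against each ClientHello.
KEYLOG_LINE = re.compile(r"^([A-Z_0-9]+)\s+([0-9a-f]{64})\s+([0-9a-f]+)\s*$", re.I)


def parse_keylog(text):
    """Return {client_random_hex: [labels]} for well-formed lines.
    Raises on a malformed line, since Wireshark silently ignores those."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if not m:
            raise ValueError(f"key log line {lineno} is malformed: {raw!r}")
        entries.setdefault(m.group(2).lower(), []).append(m.group(1).upper())
    return entries


def client_random_from_client_hello(record):
    """Extract the 32-byte client random (as hex) from a raw TLS record
    carrying a ClientHello: 5-byte record header, 4-byte handshake header,
    2-byte client version, then the random."""
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short for a ClientHello")
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return record[11:43].hex()


def keylog_covers(keylog_text, client_hello_record):
    """True if the key log has an entry for this session's client random.
    Note: a server private key alone only helps for RSA key exchange;
    (EC)DHE sessions can only be decrypted from a key log like this."""
    return client_random_from_client_hello(client_hello_record) in parse_keylog(keylog_text)


# Constructed sample: TLS 1.0 record, ClientHello for TLS 1.2, random 00..1f,
# empty session id, one cipher suite (0xc02f), null compression.
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d" + b"\x01\x00\x00\x29" + b"\x03\x03"
                       + SAMPLE_RANDOM + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00")
SAMPLE_KEYLOG = "# constructed key log\nCLIENT_RANDOM " + SAMPLE_RANDOM.hex() + " " + "ab" * 48 + "\n"
OTHER_KEYLOG = "CLIENT_RANDOM " + ("ff" * 32) + " " + "cd" * 48 + "\n"
```

If the check returns False for every ClientHello in the capture, the log simply belongs to different sessions and no Wireshark version will decrypt them with it.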

@bluebaytuna said:
Hi! Anyone I can PM regarding this challenge? The API of the “website” keeps on returning an error message. I’ve double checked the parameters and they seem to be the correct ones. Is there anything I’m missing?

I think I am at the same point. Have you any news about this?

Took me quite a while, first time I’ve done anything like this. Really fun challenge. The hard part is just learning how to use Wireshark imo; it’s such a complex tool with so many capabilities that it can be difficult to figure out how to use them and what they do.

If you’re at the spot that I was stuck on for a while, and most other people seem to be stuck on, where you think you’ve found out what was stolen but only have 4 lines or so, you’re on the right track. Refer to the link in @TazWake’s previous post and research how to perform this action in Wireshark. There are some pretty good tutorials out there.