[Forensics] Marshal in the Middle

I’m struggling with this one too. Pretty sure I found the exfiltrated data but not able to locate the flag. Can someone help me out? PM to avoid spoilers.

Will this challenge end in a standard flag? I believe I know what is ex filled wondering if we need to crack any of the data. Trying not to give away any spoilers. I have a stream the stream shows some commands gathering some sensitive data and sending it off. i dont have a forensics background, just taking a shot from the knowledge i have and some classes I have taken.

@genxweb you have a lead, just follow it. You have everything you need already.

I think I also solved it. I could decrypt the messages from the attacker and read the sensible data, but I cannot find the correct flag. Can someone help me to find the exact flag.

@genxweb said:
Will this challenge end in a standard flag? I believe I know what is ex filled wondering if we need to crack any of the data. Trying not to give away any spoilers. I have a stream the stream shows some commands gathering some sensitive data and sending it off. i dont have a forensics background, just taking a shot from the knowledge i have and some classes I have taken.

I’ve got the trail of our guy but it looks like I can get the first and the second part of something but not the third part and I’m sure that the third part has the juice.

Yeah Iam stuck there on the in the middle part. found the sensitive data and where it came from then looked there and think i have the packet but for some reason that packet does not seem to decode.

By any chance is the legible? like in the format of HTB{Blah}? I found where it looks to be posting the contents of a well known file from /etc/* and the break down of the cert. Any particular area that should be looked at more?

BTW which version of Wireshark did you guys use? I have 2.4.5 on my box and I believe there might be a bug with the challenge on that version

@k4r4koyun said:
BTW which version of Wireshark did you guys use? I have 2.4.5 on my box and I believe there might be a bug with the challenge on that version

The challenge is bugged. Do not try to do this one with up-to-date Wireshark installed in Kali Linux. I have downloaded Wireshark 2.1.1 from their site on my Windows computer and the flag is there.

Hi @k4r4koyun , I tested on Version 2.4.5 (Git v2.4.5 packaged as 2.4.5-1) on Kali 64 bit, and everything worked properly. Perhaps something was misconfigured?

@rotarydrone said:
Hi @k4r4koyun , I tested on Version 2.4.5 (Git v2.4.5 packaged as 2.4.5-1) on Kali 64 bit, and everything worked properly. Perhaps something was misconfigured?

Don’t think so, I didn’t change settings of my wireshark but decryption on my Kali was problematic. Can’t really say much from here without spoiling

i have a question about this challange. can anyone pm me ?

I got some information about the pastebin, the traffic. But the flag is not there. I think the flag is in another flow of information, I got the content but I can’t put this in a plain text. Could someone let me a hint?

I got it.

Stuck too, found out the session invoking the exfil, also the likely related POSTs, but can’t figure out how to make use of the private key? Anyone mind nudging me towards how to try better?

Nevermind… and facepalm… it was obvious when I just looked at it.

That was like a WTF ahaahahha moment when I got it. :slight_smile:

i found the Api_post_code in the wireshark,but how to find the flag?

Found plaintext data of user’s actions but cannot seem to find the flag …

i got the api request to the pastebin with confidential information, but while putting those as flag not working anymore, can some one please help here