[Forensics] Marshal in the Middle



  • Nevermind... and facepalm... it was obvious when I just looked at it.


  • That was like a WTF ahaahahha moment when I got it. :)

  • I found the Api_post_code in Wireshark, but how do I find the flag?

  • Found plaintext data of user's actions but cannot seem to find the flag ...

  • I got the API request to the pastebin with confidential information, but putting those in as the flag isn't working anymore. Can someone please help here?

  • Finally!!!!!!!!!!!!!!!!!!! got it. It was an awesome challenge guys

  • I loved this challenge!


  • Took me too long but I finally got it. The tools I need are right in front of me... =)

  • I have the evidence of the exfil and the person deleting their tracks... can't find the flag though! Can someone give me a clue from here?

  • I am unable to understand some of the data... there seem to be some strings which don't make sense... Can I PM somebody??? This is my first challenge.

  • Can someone PM me? I believe I have the solution in a specific file, but like some others have mentioned it could be a Wireshark issue. I will provide what I see on the screen and I guess you can give me a thumbs up/down to confirm?

  • I am having trouble with decoding. I read on here that it's obvious when you see it, so I'm thinking my data is not showing everything. I have found the exfiltrated data but cannot find the flag. PM with ideas!

  • Hm, found the packet trail where they cleaned up their tracks. Used the cert file to decrypt the other stream, so I was able to see what they transmitted in clear text. But not sure where the flag is supposed to be.


  • Ahh, I just had to keep swimming downstream. That was an enduring challenge :3


  • Guys.. I need help identifying the flag.. What is it like?? Is it in a document?? Is it in a cryptographic form?? All I can see is encrypted data in the SSL tree and I am stuck.. I cannot even decode it...

  • Use Wireshark, follow the stream.


  • My biggest challenge seems to be getting Wireshark to accept the files and actually decrypt SSL traffic. I've modified one file to make it valid for the task and used the log, but either way, Wireshark only shows me encrypted data.


    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter, so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • I'm new to forensics but want to hit on it; can somebody tell me the procedure to get the flag?
    Just hints.

  • Is there anybody who can help me on this?
    I found the file, not sure that one is the correct one. PM me, I really need help on this!!

  • Look at the logs. Find something of interest. View the relevant packets in Wireshark.

  • Finally found some interesting data, which was shredded by the user; please, somebody let me know what the flag will look like.

  • I need help here to find the flag.

  • I had the same issue with using a newer version of Wireshark (2.6.1). Wasn't able to find the flag after analysing for ages. Decided to try on the version that comes with SIFT (2.2.6) and found the flag in a few minutes. Must be an issue with how the packets get decrypted....?

  • It is possible to do in newer versions of Wireshark. Just need one extra step.

  • Actually it does work fine and no extra step is required. I realised that one of the files didn't download correctly :/

  • @natekhchan said:
    That was like a WTF ahaahahha moment when I got it. :)

    same feeling here. HAHAHAHA


  • I tried every way I could think of, no luck.
    Is the flag in an encrypted format?

  • I followed the whole stream and spent too much time, still no luck; can somebody ping me to help with finding the flag!!!!

  • edited August 2018

    Can anyone PM me about the flag? I found the "session" where the exfil was done; I know what's been stolen, from what system, by which "tool", and that the user cleaned up his 'mess', but can't see anything that looks like a flag.

    Update: Found it - no help needed

