[Forensics] Marshal in the Middle

Finally!!! Got it. It was an awesome challenge, guys.

I loved this challenge!

Took me too long, but I finally got it. The tools I need are right in front of me… =)

I have the evidence of the exfil and the person deleting their tracks… can’t find the flag though! Can someone give me a clue from here?

bump

I am unable to understand some of the data… like there seem to be some strings which don’t make sense… can I PM somebody??? This is my first challenge.

Can someone PM me? I believe I have the solution in a specific file, but like some others have mentioned, it could be a Wireshark issue. I will provide what I see on the screen and I guess you can give me a thumbs up/down to confirm?

I am having trouble with decoding. I read on here it’s obvious when you see it, so I’m thinking my data is not showing everything. I have found the exfiltrated data but cannot find the flag. PM with ideas!

Hm, found the packet trail where they cleaned up their tracks. Used the cert file to decrypt the other stream, so I was able to see what they transmitted in clear text. But not sure where the flag is supposed to be.

Ahh, I just had to keep swimming downstream. That was an enduring challenge :3

Guys… I need help identifying the flag… What is it like?? Is it in a document?? Is it in a cryptographic form?? All I can see is encrypted data from the SSL tree and I am stuck… I cannot even decode it…

Use Wireshark, follow the stream.

My biggest challenge seems to be getting Wireshark to accept the files and actually decrypt SSL traffic. I’ve modified one file to make it valid for the task and used the log, but either way, Wireshark only shows me encrypted data.

I’m new to forensics, but I want to have a go at it. Can somebody tell me the procedure to get the flag?
Just hints.

Is there anybody who can help me on this?
I found the file, but I’m not sure that one is the correct one. PM me, I really need help on this!!

Look at the logs. Find something of interest. View the relevant packets in Wireshark.

Finally found some interesting data, which was shredded by the user. Please, somebody let me know what the flag will look like.

I need help here to find the flag.

I had the same issue with using a newer version of Wireshark (2.6.1). Wasn’t able to find the flag after analysing for ages. Decided to try on the version that comes with SIFT (2.2.6) and found the flag in a few minutes. Must be an issue with how the packets get decrypted…?

It is possible to do in newer versions of Wireshark. Just need one extra step.