This is my write-up of the Networking challenge "Not My Modulus" on the CTF site 247CTF.com. The challenge description reads:
We are trying to decrypt a packet capture taken on our internal network. We know you can decrypt the data using the correct private key, but we simply have too many. Can you identify the correct key?
Open encrypted.pcap with Wireshark.
Select packet number 6, where the Info column states "Server Hello, Certificate, Server Hello Done".
Expand the packet details tree as follows:
Transport Layer Security
  -> TLSv1.2 Record Layer: Handshake Protocol: Certificate
     -> Handshake Protocol: Certificate
        -> Certificates (869 bytes)
           -> Certificate: 3082035e30820246a0030201020209009924aa2296d5c26e... (id-at-commonName=127.0.0.1, id-at-organizationalUnitName=net100, id-at-organizationName=247CTF, id-at-countryName=US)
Right click on the Certificate line, select Export Packet Bytes, and save it as cert-exported-from-wireshark.der.
The script below fingerprints the RSA modulus of the public key in that certificate and compares it with the modulus of every candidate private key in keys/; the key whose modulus matches is the server's private key, and tshark can use it to decrypt the capture.
#!/bin/bash
# MD5 of the modulus of the public key inside the exported certificate.
PUB_KEY_MODULUS=$(openssl x509 -inform der -in cert-exported-from-wireshark.der -noout -modulus | openssl md5)
echo "$PUB_KEY_MODULUS"

# Compare it against the modulus of each candidate private key.
for filename in keys/*; do
    PRIVATE_KEY_MODULUS=$(openssl rsa -noout -modulus -in "$filename" | openssl md5)
    if [ "$PUB_KEY_MODULUS" = "$PRIVATE_KEY_MODULUS" ]; then
        echo
        echo "$filename"
        # Decrypt the capture with the matching key and follow the first TLS stream.
        tshark -r encrypted.pcap -o "tls.keys_list: 172.17.0.2,8443,http,$filename" -z "follow,ssl,ascii,0"
    fi
done
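The same matching logic, written in Go as an added example that is not part of the original write-up: it generates its own candidate RSA keys and a self-signed DER certificate (standing in for keys/ and the certificate exported from Wireshark, so nothing from the challenge is needed), parses the certificate, and returns the index of the private key whose modulus and public exponent equal those in the certificate's public key. The names makeKeys, selfSignedDER and findMatchingKey are the example's own; the key size and subject fields are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeKeys generates n RSA private keys; they stand in for the files in keys/.
func makeKeys(n int) []*rsa.PrivateKey {
	keys := make([]*rsa.PrivateKey, 0, n)
	for i := 0; i < n; i++ {
		k, err := rsa.GenerateKey(rand.Reader, 2048) // constructed test keys
		if err != nil {
			panic(err)
		}
		keys = append(keys, k)
	}
	return keys
}

// selfSignedDER builds a DER-encoded self-signed certificate for key, standing in
// for cert-exported-from-wireshark.der. Subject fields are constructed values.
func selfSignedDER(key *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:   "127.0.0.1",
			Organization: []string{"247CTF"},
		},
		NotBefore: time.Now(),
		NotAfter:  time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// findMatchingKey parses the DER certificate and returns the index of the private
// key whose modulus N and exponent E equal the certificate's public key, or -1 if
// none matches. A non-RSA certificate key is reported as an error rather than
// silently compared.
func findMatchingKey(certDER []byte, keys []*rsa.PrivateKey) (int, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return -1, fmt.Errorf("parse certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return -1, fmt.Errorf("certificate key is %T, not RSA", cert.PublicKey)
	}
	for i, k := range keys {
		// Same modulus and exponent means the same key pair.
		if k.N.Cmp(pub.N) == 0 && k.E == pub.E {
			return i, nil
		}
	}
	return -1, nil
}

func main() {
	keys := makeKeys(3)
	der, err := selfSignedDER(keys[1]) // the "server" certificate belongs to key 1
	if err != nil {
		panic(err)
	}
	idx, err := findMatchingKey(der, keys)
	if err != nil {
		panic(err)
	}
	fmt.Printf("matching key index: %d\n", idx)
}
```

Comparing N and E directly is equivalent to the MD5-of-modulus comparison in the shell script; the hash there is only a convenience for comparing long hex strings in a shell variable.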