Not My Modulus (net)

PUBLISHED ON 04/04/2020 — EDITED ON 05/04/2020 — 247CTF, INFOSEC

Intro

This is my write-up of a Networking challenge Not My Modulus on the CTF site 247CTF.com

Instructions

We are trying to decrypt a packet capture taken on our internal network. We know you can decrypt the data using the correct private key, but we simply have too many. Can you identify the correct key?

Howto

https://security.stackexchange.com/questions/123851/how-can-i-extract-the-certificate-from-this-pcap-file

Open encrypted.pcap with Wireshark.

Select the number 6 where Info states “server Hello, Certificate, Server Hello Done”

Open

Transport Layer Security
 |
  -> TLSv1.2 Record Layer: Handshake Protocol: Certificate
   |
    -> Handshake Protocol: Certificate
     |
     -> Certificates (869 bytes)
      |
      -> Certificate: 3082035e30820246a0030201020209009924aa2296d5c26e... (id-at-commonName=127.0.0.1,id-at-organizationalUnitName=net100,id-at-organizationName=247CTF,id-at-countryName=US)

Right click on it, select Export Packet Bytes and export as cert-exported-from-wireshark.der.

#!/bin/bash

PUB_KEY_MODULUS=$(openssl x509 -inform der -in cert-exported-from-wireshark.der -noout -modulus | openssl md5 )

echo $PUB_KEY_MODULUS

for filename in keys/*; do
    PRIVATE_KEY_MODULUS=$(openssl rsa -noout -modulus -in $filename | openssl md5)
    if [ "$PUB_KEY_MODULUS" = "$PRIVATE_KEY_MODULUS" ]; then
        echo
        echo $filename
        tshark -r encrypted.pcap -o "tls.keys_list: 172.17.0.2,8443,http,$filename" -z "follow,ssl,ascii,0"
    fi
done

See Also