Maojui

Codegate 2018 - Miro (Crypto, 404)

2018-02-04

This challenge gives us a packet capture, “miro.pcap”, and a Python file, “client.py”.

Reading through the code, you will find that client.py is a simple puzzle game played against a server.

Your goal is to get out of the maze and get the flag.

However, the code raises an Exception for some moves because their commands are missing.

```python
...
if user_input == "u":
    raise Exception
elif user_input == "d":
    tls_client.send("6423e47152f145ee5bd1c014fc916e1746d66e8f5796606fd85b9b22ad333101\n")
elif user_input == "r":
    tls_client.send("34660cfdd38bb91960d799d90e89abe49c1978bad73c16c6ce239bc6e3714796\n")
elif user_input == "l":
    raise Exception
else:
    print "Invalid input!"
    exit()
...
```

Next, we look at the packet capture.

It turns out to be SSL traffic.

First, get the certificate …

```sh
tshark -V -r miro.pcap -T jsonraw 'ssl.handshake.certificates' | grep 'ssl.handshake.certificate_raw' | uniq
```

```python
from libnum import n2s

# Raw DER bytes of the certificate, taken from the tshark output
certificate = n2s(0x308202eb30820253a003020102020900fbe0b7a606242e81300d06092a864886f70d01010b050030818d310b3009060355040613024b523110300e06035504080c074461656a656f6e3110300e06035504070c074461656a656f6e310e300c060355040a0c054270736563310e300c060355040b0c0542707365633111300f06035504030c08636f6465676174653127302506092a864886f70d0109011618636f646567617465323031384062707365632e636f2e6b72301e170d3138303132393036353534315a170d3238303133303036353534315a30818d310b3009060355040613024b523110300e06035504080c074461656a656f6e3110300e06035504070c074461656a656f6e310e300c060355040a0c054270736563310e300c060355040b0c0542707365633111300f06035504030c08636f6465676174653127302506092a864886f70d0109011618636f646567617465323031384062707365632e636f2e6b7230819f300d06092a864886f70d010101050003818d0030818902818101c20bdc017e3caa3c579b40d439e2ecd70f12c4d7f2764784c95a3fddba00981ba9ce5b227ade47b0a7a0a8acaba4541ab95c52f6b6de3df9ec090c6c356445b21be437abe10214d0b4a398a96743bbf70c864687fb2ec929f01d6edab2d987fe09799ad2204a2704f33061dbf9c2e03b332f0ba1a446644c864a06cd586d480b0203010001a350304e301d0603551d0e04160414e8f676ea725a71e65047d68f0b44a49c24fbc823301f0603551d23041830168014e8f676ea725a71e65047d68f0b44a49c24fbc823300c0603551d13040530030101ff300d06092a864886f70d01010b0500038182000007329a4379ece6c24e52df8ab92ec578cbc11bfffd446c8ffa9636a59eb90527d365393e111b19b9748cadaba984af5bf1256962c01f70b33e938963a0bb81bb83462822ae8ebcd3361b7fd1650cdd2005d03e4784dc2c629757fcf36a0c5769f92d31f9d68d97eccfb878c95adfc12b472f27fb94c4ac930ac066479b6ead6a)
with open('cert.der', 'wb') as der:
    der.write(certificate)
```

Extract the public key from the DER certificate in PEM form

```sh
openssl x509 -inform der -pubkey -noout -in cert.der > public_key.pem
```

Load the PEM

```python
from Crypto.PublicKey import RSA

# Read the PEM-encoded public key extracted from the certificate
with open('public_key.pem', 'rb') as f:
    pem = f.read()

pub = RSA.importKey(pem)
n, e = pub.n, pub.e
```

Factorize n (with yafu, Fermat’s factorization, or whatever …)

```python
from libnum import invmod

# RSA, n and e come from the previous snippet
p = 17777324810733646969488445787976391269105128850805128551409042425916175469483806303918279424710789334026260880628723893508382860291986009694703181381742497
q = 17777324810733646969488445787976391269105128850805128551409042425916175469168770593916088768472336728042727873643069063316671869732507795155086000807594027

# Rebuild the private key: d = e^-1 mod (p - 1)(q - 1)
priv = RSA.construct((n, e, invmod(e, (p - 1) * (q - 1))))
with open('private_key', 'wb') as f:
    f.write(priv.exportKey('PEM'))
```
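
Why Fermat's method is enough here: the p and q shown above agree in their first 74 digits. The following is an added example (Python 3, not part of the original write-up) of a bounded Fermat search that flags such a modulus, the kind of sanity check one can run on generated keys; `N` is rebuilt from the published factors so it runs offline, and `fermat_factor` and `max_steps` are names chosen here.

```python
from math import isqrt

# Factors published in the write-up. N is rebuilt from them so the example
# runs offline (the write-up reads n from the certificate instead).
P = 17777324810733646969488445787976391269105128850805128551409042425916175469483806303918279424710789334026260880628723893508382860291986009694703181381742497
Q = 17777324810733646969488445787976391269105128850805128551409042425916175469168770593916088768472336728042727873643069063316671869732507795155086000807594027
N = P * Q


def fermat_factor(n, max_steps=2_000_000):
    """Search for n = a^2 - b^2 = (a + b)(a - b), starting at a = ceil(sqrt(n)).

    Returns (p, q) with p >= q if a factorization is found within max_steps,
    otherwise None. The step count grows with (p - q)^2 / sqrt(n), so a hit
    within a small bound means the primes were generated too close together.
    """
    if n % 2 == 0:
        return (n // 2, 2)
    a = isqrt(n)
    if a * a < n:
        a += 1
    b2 = a * a - n
    for _ in range(max_steps):
        # Cheap filter before the big-integer root: squares are 0, 1, 4 or 9 mod 16
        if b2 & 15 in (0, 1, 4, 9):
            b = isqrt(b2)
            if b * b == b2:
                return (a + b, a - b)
        # (a + 1)^2 - n = (a^2 - n) + 2a + 1
        b2 += 2 * a + 1
        a += 1
    return None


if __name__ == "__main__":
    found = fermat_factor(N)
    print("weak modulus (close primes)" if found else "no close factors within bound")
```

A modulus whose primes differ in their top bits does not fall to this search; with a small `max_steps` the function simply returns `None`.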

After getting the private key, decrypt the capture:

  1. Right click the session …

  2. Add the key by clicking the “Key File” field

  3. Right click the session again, choosing Follow > SSL stream

  4. We get the command!!!

Recover the code

```python
...
if user_input == "u":
    tls_client.send("9de133535f4a9fe7de66372047d49865d7cdea654909f63a193842f36038d362\n")
elif user_input == "d":
    tls_client.send("6423e47152f145ee5bd1c014fc916e1746d66e8f5796606fd85b9b22ad333101\n")
elif user_input == "r":
    tls_client.send("34660cfdd38bb91960d799d90e89abe49c1978bad73c16c6ce239bc6e3714796\n")
elif user_input == "l":
    tls_client.send("27692894751dba96ab78121842b9c74b6191fd8c838669a395f65f3db45c03e2\n")
else:
    print "Invalid input!"
    exit()
...
```

Finish the game and get the flag!!!!

Flag:{C4n_y0u_d3crypt_th3_P4ck3t??}