Hacking Series Part 16
Category: Forensics
We are given a Wireshark packet capture file called “capture.pcap” and an RSA key called “picopico.key”. When you open capture.pcap in Wireshark you see a TLS stream that is likely to hold the flag somewhere in it.
When you follow the TLS stream, you can tell that it’s obviously encrypted since that is the job of the protocol. You can still make out a few headers, but none of these contain relevant information to find the flag. Using the given key file, we can decrypt the TLS stream by setting an RSA key in Wireshark’s TLS preferences.
To find the preferences for the TLS protocol, go to Edit > Preferences > Protocols > TLS > RSA keys list. Then add a key to the list and press OK for all preferences windows.
Now, if you go back and try to follow the TLS stream again, you will see the decrypted stream.
In the Pico-Flag header, the flag is found.
picoCTF{nongshim.shrimp.crackers}
