After this patch it successfully decrypted the TLS session and I got the flag.
KT’s notes
Wireshark did not recognised the SSL stream for me by default, so I had to use the Decode As… > SSL option to make this work.
While NGG patched the Wireshark, I used Bouncy Castle to generate the master secret from the pre-master secret as Wireshark could decode the packet by using the master secret (but NOT with the pre master secret).
But I had to use the new PRF function which is used by TLS v1.2, the SHA256 one. I first tried to use the legacy (MD5+SHA1) one which did not work of course.
The decrypted stream was gziped too, so I had to decompress it manually.
Here is my python code to calculate the pre master secret from the private key primes (provided by NGG):
And this is my C# code to calculate the master secret from the premaster secret:
Setting this file in File > Preferences > Protocols > SSL as the (Pre)-Master-Secret log filename I could follow the SSL with the unpatched Wireshark too:
After decompressing the HTTP response body I got the file’s content:
This challenge was a VM implemented where every instruction was an emoji. For the first part of the challenge we had to reverse a flag ch...… Continue reading