After this patch it successfully decrypted the TLS session and I got the flag.
Wireshark did not recognise the SSL stream for me by default, so I had to use the Decode As… > SSL option to make this work.
While NGG patched Wireshark, I used Bouncy Castle to generate the master secret from the pre-master secret, as Wireshark could decode the packet by using the master secret (but NOT with the pre-master secret).
But I had to use the new PRF function which is used by TLS v1.2, the SHA256 one. I first tried to use the legacy (MD5+SHA1) one which did not work of course.
The decrypted stream was gzipped too, so I had to decompress it manually.
Here is my Python code to calculate the pre-master secret from the private key primes (provided by NGG):
And this is my C# code to calculate the master secret from the premaster secret:
Setting this file in File > Preferences > Protocols > SSL as the (Pre)-Master-Secret log filename I could follow the SSL with the unpatched Wireshark too:
After decompressing the HTTP response body I got the file’s content:
A website showed the world map, clicking on your country (depending on your IP) gave you a part of the flag:
Clicking on another country said you cannot do that:
Usually on every ASIS CTF we have to use this trick, so if you don’t know it yet, then don’t forget it for next year. :)