Rating: 5.0
Caleb was designing a problem for MetaCTF where the flag would be in the telnet plaintext. Unfortunately, he accidentally stopped the packet capture right before the flag was supposed to be revealed. Can you still find the flag? Note: You'll need to decrypt in CyberChef rather than using a command line utility.
Upon opening the provided PCAP file, using context clues from the title, we right clicked on the first TCP packet and went Follow > TCP Stream as shown below.
After doing so, we find the encrypted PGP message below:
Now that we have the encrypted PGP message, we need to find a key to decrypt this.
Heading back into Wireshark, I incremented the TCP stream to 1 to see what other information I could find.
After right-clicking on the first packet and following this new TCP stream, I found the private PGP key!
Unfortunately, this private PGP key can't be used on its own. It is password protected so we still needed to locate some sort of password.
Heading back into Wireshark, I incremented the TCP stream one more time to 2, right-clicked on the first packet, and followed a new TCP stream again. This time, I found a telnet session, though it is hard to read as is.
In order to make above more readable, at the bottom of the window, I switched from the Entire Conversation to 10.0.2.6:23 -> 10.0.2.9:59704 (1213 bytes) to read the blue text alone.
When examined closer, we can see the command that was used to create the private PGP key.
In the command, we see the passphrase farnha. This is all the information we need to crack the PGP message!
In order to crack the PGP message, we booted up CyberChef. We dragged the PGP Decrypt module into the Recipe section and filled in the private PGP key and private password. We put the PGP message in the Input section in the top right.
Unfortunately, the flag isn't quite usable as of yet. To fix this, we dragged in the Magic module to the bottom of the recipe.
THE FLAG IS SHOWN IN THE BELOW IMAGE, PROCEED IF YOU WISH
<details> <summary> Flag Spoilers</summary> MetaCTF{cleartext_private_pgp_keys} </details>
We learned that following TCP streams is a great way to find information. To search through all TCP streams in a PCAP file, it is helpful to increment the stream at the top of the Wireshark window so we don't have to go searching through the PCAP for all of the TCP streams. We also learned that CyberChef is incredibly powerful for decryption.
