Tags: xfrm wireshark 

Rating: 1.0

Challenge: MISC/IoT/Networks 100 pts

Approach/Solution:

First, going through the conversation, we realise that someone tried to log in, failed 2 times, but succeeded the third time. The login credentials are username "reds" and password "ynwa". If we carefully examine the output of the other commands executed by the user, we will see the ip xfrm state command.

ip xfrm is the Linux tool for managing the kernel's IPsec (xfrm) state, i.e. the policies and keys used to encrypt the payloads of packets for different protocols; more can be found here. The output of the command is here.

From the output we know all the parameters that were used to encrypt the packets: the ESP protocol, AES in CBC mode with its key, and SHA1 authentication with its key. After searching the internet for how to decrypt the payloads of packets protected with ESP and AES, I realised this can be done. Thankfully we don't need to write our own tool to decrypt the payloads, as Wireshark has the facility built in. This post really helped to decrypt the payloads.
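Wireshark needs those same parameters entered as ESP security associations, one per direction. The following added example (not part of the original writeup) parses `ip xfrm state` output into rows for Wireshark's ESP SA table; the addresses, SPIs and keys in the sample are constructed placeholders, not the challenge's values, and the eight-column esp_sa layout and the algorithm labels are assumed from current Wireshark builds, so check them against your version's ESP preferences.

```python
import re

# Constructed sample of `ip xfrm state` output (assumption: made-up keys and
# addresses, not the challenge's values), one SA per direction.
SAMPLE_XFRM_STATE = """\
src 192.168.1.10 dst 192.168.1.20
\tproto esp spi 0x0000c0de reqid 1 mode transport
\tauth-trunc hmac(sha1) 0x0001020304050607080910111213141516171819 96
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
src 192.168.1.20 dst 192.168.1.10
\tproto esp spi 0x0000beef reqid 1 mode transport
\tauth-trunc hmac(sha1) 0x1918171615141312111009080706050403020100 96
\tenc cbc(aes) 0x0f0e0d0c0b0a09080706050403020100
"""

# Kernel algorithm names -> labels used in Wireshark's ESP preferences (assumed).
ENC_ALGS = {"cbc(aes)": "AES-CBC [RFC3602]"}
AUTH_ALGS = {("hmac(sha1)", 96): "HMAC-SHA-1-96 [RFC2404]",
             ("hmac(sha256)", 128): "HMAC-SHA-256-128 [RFC4868]"}


def parse_xfrm_state(text):
    """Return one dict per SA: src, dst, spi, enc, enc_key, auth, auth_key."""
    sas, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "src":                      # "src A dst B" starts a new SA
            cur = {"src": parts[1], "dst": parts[3]}
            sas.append(cur)
        elif parts[0] == "proto":                  # "proto esp spi 0x... reqid ..."
            cur["spi"] = parts[parts.index("spi") + 1]
        elif parts[0] == "auth-trunc":             # "auth-trunc hmac(sha1) 0xKEY 96"
            cur["auth"] = AUTH_ALGS[(parts[1], int(parts[3]))]
            cur["auth_key"] = parts[2]
        elif parts[0] == "enc":                    # "enc cbc(aes) 0xKEY"
            cur["enc"], cur["enc_key"] = ENC_ALGS[parts[1]], parts[2]
    return sas


def to_esp_sa_lines(sas):
    """One quoted, comma-separated esp_sa row per SA (Protocol, Src, Dst, SPI,
    Encryption, Encryption Key, Authentication, Authentication Key)."""
    order = ("src", "dst", "spi", "enc", "enc_key", "auth", "auth_key")
    return [",".join('"%s"' % v for v in ("IPv4", *(sa[k] for k in order)))
            for sa in sas]


if __name__ == "__main__":
    print("\n".join(to_esp_sa_lines(parse_xfrm_state(SAMPLE_XFRM_STATE))))
```

Paste the rows into the ESP SA table (Preferences > Protocols > ESP) and enable "Attempt to detect/decode encrypted ESP payloads"; both directions are needed, or only half of the HTTP exchange will decrypt.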

After that, go through the conversation decrypted this way and you will find some HTML code requesting flag.png. So we know flag.png was transferred over the network, but encrypted. Now we can directly export the image from Wireshark.