Man In The Middle

Posted byStasyHsiehPosted in2. Technology & Science

This is a record of myself doing assignment Man In the Middle at Cybersecurity Program in Georgia Tech.

The following task 2.4 is the most difficult for me.

Flag 2 Instructions

Your second task will require you to recover a payload from the conversation. There are multiple ways to do this. You can use Wireshark, pyShark or any other library available.

Steps to Crack Assignment 2.4

1. Filter the Network Traffic in Wireshark

  • Filter for ZIP Files: Use the following Wireshark display filter to locate ZIP file transfers in the provided .pcap file (mitm_2025.pcap): http.request.uri contains ".zip"
  • Identify Relevant ZIP File: Locate mitm_private.zip in the filtered network traffic. This ZIP file contains the private key required for decryption.

2. Extract the Key from mitm_private.zip

  • Download and Extract:
    • Retrieve the ZIP file from the identified HTTP request or TCP stream.
    • Extract its contents to retrieve mitm_private.key.

3. Decrypt file_1600

  • Obtain and Prepare file_1600:
    • Use Wireshark or other tools to locate and download the file_1600 transfer via DCC or similar protocols.
  • Decrypt Using the Key: Use gpg to decrypt file_1600 with mitm_private.key: gpg --decrypt --default-key mitm_private.key file_1600 > decrypted_file

4. Execute the Decrypted Script

  • Inspect and Run the Python Script:
    • The decrypted file should contain a Python script.
    • Run the script and follow its prompts: python decrypted_file.py
  • Input Your GTID:
    • Enter your GTID when prompted.
    • The script will output the required hash.

Key Details:

  • Filter ZIP files in Wireshark: "http.request.uri contains '.zip'".
  • ZIP file name: mitm_private.zip.
  • Purpose of the ZIP file: Extract mitm_private.key.
  • Final Task: Use the private key to decrypt file_1600, run the script, and generate the required hash by inputting your GTID.

Flag 3

The Attorney General lets you know that they think there is a web server in here that is phishy and is spitting out long numbers and letters. The Necrocryptors hacking group is known to play tricks with these values. The Attorney General needs the following information to track the folks operating the website:

Task 3.1

  • The site domain name (Record just the site’s domain name and the top-level-domain (TLD) name, with the period. E.G: something.hostname.tld)

Task 3.2

  • What is the public IP address?

Task 3.3

  • The primary nameserver for this domain (You may need to look outside the pcap for this information. Think about tools that will give you the nameserver data for a specific domain)

Task 3.4

  • The hash provided by entering your Georgia Tech ID in the field (i.e. 9021042) (NOTE: The website is real and safe to access)

Published by StasyHsieh

A physicist by training, I’ve traversed seven countries, shaping my path through Cybersecurity, AI, and Astrophysics, while nurturing a deep passion for art, writing, and societal change. I advocate for inclusivity in STEM and explore the intersections of equality, economics, and the evolving digital world. My work—whether in technology or the arts—seeks to provoke thought and inspire change. Let’s connect and explore the dance between innovation and humanity.

Leave a comment