Although I could not take part in the challenges when they ran, I like to work through them afterwards and share the knowledge. This challenge is named “The Great Escape”; let me quote its description:

Note: the complete solution can be found on my ResearchGate profile here.

Hello,

We’ve been suspecting Swiss Secure Cloud of secretly doing some pretty advanced research in artificial intelligence and this has recently been confirmed by the fact that one of their AIs seems to have escaped from their premises and has gone rogue. We have no idea whether this poses a threat or not and we need you to investigate what is going on. Luckily, we have a spy inside SSC and they were able to intercept some communications over the past week when the breach occurred. Maybe you can find some information related to the breach and recover the rogue AI.

Note: All the information you need to solve the 3 parts of this challenge is in the pcap. Once you find the exploit for a given part, you should be able to find the corresponding flag and move on to the next part.

End of quote


We are given a pcap file that has everything we need to conduct our analysis. Let’s open the file in the Wireshark network analysis tool.

Scrolling through the capture, there is TLS traffic, which is encrypted, so I suspected that something was hiding in it. Further along there is FTP traffic, as shown in the picture.

Continuing on, we see an FTP login with the username ‘Bob’ and the password ‘toto123’ (FTP transmits credentials in cleartext, which is why they are readable straight from the capture).

Keep scrolling and you will find the data transferred over FTP, which is a ‘BGP Key’; this key may be the jackpot for decrypting the targeted SSL communications.

Right-click on the packet and select “Follow TCP Stream”.

Open Leafpad and save the key to a .key file.
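The same two steps (reading the cleartext FTP login and carving the transferred key out of the data connection) can be automated instead of clicking through Wireshark. The following Python is an added example, not part of the original writeup: it parses a libpcap file with the standard library only, concatenates the TCP payloads of each connection, pulls the FTP USER/PASS commands and extracts any PEM-formatted key block. The capture it runs on is constructed inline; the addresses, ports, file name and key body are placeholders, since the challenge pcap and its key are not reproduced on this page.

```python
import re
import struct
from collections import defaultdict


def _ethernet_ipv4_tcp(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame carrying `payload`.
    Checksums are left at zero; the parser below does not verify them."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,   # ports, seq, ack
                      5 << 4, 0x18, 65535, 0, 0)          # data offset 5 words, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: an FTP control session plus a data connection that
    transfers a (placeholder) private key. Stands in for the challenge pcap."""
    client, server = "10.0.0.5", "10.0.0.9"              # constructed addresses
    frames = [
        _ethernet_ipv4_tcp(server, client, 21, 40001, b"220 ftp ready\r\n"),
        _ethernet_ipv4_tcp(client, server, 40001, 21, b"USER Bob\r\n"),
        _ethernet_ipv4_tcp(server, client, 21, 40001, b"331 Password required\r\n"),
        _ethernet_ipv4_tcp(client, server, 40001, 21, b"PASS toto123\r\n"),
        _ethernet_ipv4_tcp(server, client, 21, 40001, b"230 Login successful\r\n"),
        _ethernet_ipv4_tcp(client, server, 40001, 21, b"STOR server.key\r\n"),  # constructed name
        # Data connection: the key body is split across two segments on purpose,
        # so the example shows why payloads must be joined per connection.
        _ethernet_ipv4_tcp(client, server, 40002, 20001,
                           b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER"),
        _ethernet_ipv4_tcp(client, server, 40002, 20001,
                           b"KEYMATERIAL\n-----END RSA PRIVATE KEY-----\n"),
    ]
    # libpcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_streams(pcap_bytes):
    """Return {(src, sport, dst, dport): payload} with TCP payloads concatenated
    in capture order (no sequence-number reassembly: enough for a clean capture)."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    streams = defaultdict(bytes)
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                                      # not TCP
        ip_total = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp_off = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + ip_total]
        if payload:
            streams[(src, sport, dst, dport)] += payload
    return dict(streams)


FTP_CRED_RE = re.compile(rb"^(USER|PASS) (.+?)\r?$", re.M)
PEM_RE = re.compile(rb"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----\n?", re.S)


def find_ftp_credentials(streams):
    """Cleartext FTP logins: every USER/PASS sent towards port 21."""
    creds = {}
    for (src, sport, dst, dport), data in streams.items():
        if dport == 21:
            for cmd, arg in FTP_CRED_RE.findall(data):
                creds[cmd.decode()] = arg.decode(errors="replace")
    return creds


def carve_pem_blocks(streams):
    """Any PEM block (private keys included) carried in a TCP connection."""
    found = []
    for data in streams.values():
        found.extend(m.decode() for m in PEM_RE.findall(data))
    return found


if __name__ == "__main__":
    # For a real capture: streams = tcp_streams(open("capture.pcap", "rb").read())
    streams = tcp_streams(build_sample_pcap())
    print(find_ftp_credentials(streams))
    for block in carve_pem_blocks(streams):
        print(block)
```

The carved PEM text is what would be saved to the .key file; the same scan is also a cheap way to audit a capture for credentials and key material travelling in the clear, which is the underlying weakness this challenge relies on.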

Continuing to scroll through the rest of the traffic, you will find SMTP traffic, which means there are email communications that need to be reviewed.

We see an email message sent between two parties, so we follow the packet with “Follow TCP Stream” to see what is going on, and we find the message with hints about transferring code to a third-party provider managed by “Rog”.

This suggests that the IP address used to transmit the files to the offsite location mentioned in the message carries the targeted communications that need to be decrypted.

Let’s add the BGP key we just recovered to Wireshark, with the IP address 52.214.142.175 as the server the encrypted traffic belongs to.

Shortly after, we are presented with the decrypted SSL communications, and after inspecting the decrypted streams one by one we find the flag in a hidden HTTP header.

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
