Hack The Box Marshal In The Middle Writeup

Published:
September 14, 2024

This is a writeup for the retired Hack The Box Marshal In The Middle challenge.

These are the challenge instructions:

The security team was alerted to suspicious network activity from a production web server. Can you determine if any data was stolen and what it was?

ZIP archive

First, we check if we have the correct archive:

sha256sum "challenges/marshal_in_the_middle/Marshal in the Middle.zip"

Comparing the checksum to the one given by Hack The Box, it seems like we have the correct archive:

cdf53bab266ab4b8a28b943516bc064e9f966dae0a33503648694e15cb50ae2b  challenges/marshal_in_the_middle/Marshal in the Middle.zip

We proceed by unpacking the archive:

unzip -P hackthebox \
  "challenges/marshal_in_the_middle/Marshal in the Middle.zip" \
  -d challenges/marshal_in_the_middle/ar/

We immediately see that this archive contains a packet capture, alongside Zeek (bro) logs and a TLS key log named secrets.log:

Archive:  challenges/marshal_in_the_middle/Marshal in the Middle.zip
  inflating: challenges/marshal_in_the_middle/ar/bro/conn.log
[...]
  inflating: challenges/marshal_in_the_middle/ar/secrets.log

Deciphering the TLS conversations

We open chalcap.pcapng in Wireshark:

There are 13641 packets contained in packet dump chalcap.pcapng.

We try to decipher the individual TLS connections using bundle.pem. We also need to tell Wireshark where the key log secrets.log is; both settings live in the TLS protocol preferences. Here’s some more information on deciphering TLS in Wireshark.

Screenshot of bundle.pem and secrets.log added to Wireshark
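To make explicit what Wireshark actually needs from secrets.log, here is an added example (my code, not part of the challenge files or the original writeup) that parses a key log in the NSS Key Log Format, validates each entry and reports which sessions carry enough material to decrypt application data: a TLS 1.2 session needs a CLIENT_RANDOM line, a TLS 1.3 session needs both CLIENT_TRAFFIC_SECRET_0 and SERVER_TRAFFIC_SECRET_0, and handshake secrets alone only decode the handshake. The log lines in it are constructed; the challenge's real secrets.log is not reproduced.

```python
"""Summarise a TLS key log in the NSS Key Log Format (the format of secrets.log)
and report which sessions Wireshark can fully decrypt.
Added example; the sample log below is constructed, not the challenge file."""
import re
from collections import defaultdict

# Labels from the NSS Key Log Format. RSA is the legacy form keyed by the first
# 8 bytes of the encrypted pre-master secret; all others are keyed by the
# 32-byte ClientHello random.
TLS12_LABELS = {"RSA", "CLIENT_RANDOM"}
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_OTHER_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET",
}
KNOWN_LABELS = TLS12_LABELS | TLS13_APP_LABELS | TLS13_OTHER_LABELS
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Return ({session_id: set(labels)}, [(lineno, reason)]) so malformed
    lines are reported instead of silently dropped."""
    sessions = defaultdict(set)
    bad = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KNOWN_LABELS:
            bad.append((lineno, "unknown label or wrong field count"))
            continue
        label, session_id, secret = parts
        id_len = 16 if label == "RSA" else 64
        if len(session_id) != id_len or not HEX.match(session_id):
            bad.append((lineno, f"session id is not {id_len // 2} bytes of hex"))
            continue
        # master secrets are 48 bytes; TLS 1.3 secrets are 32 (SHA-256) or 48 (SHA-384)
        if len(secret) not in (64, 96) or not HEX.match(secret):
            bad.append((lineno, "secret is not 32 or 48 bytes of hex"))
            continue
        sessions[session_id.lower()].add(label)
    return dict(sessions), bad


def classify(sessions):
    """Map each session to (tls_version, application_data_decryptable)."""
    verdicts = {}
    for session_id, labels in sessions.items():
        if labels & TLS12_LABELS:
            verdicts[session_id] = ("tls<=1.2", True)
        elif TLS13_APP_LABELS <= labels:
            verdicts[session_id] = ("tls1.3", True)
        else:
            # only handshake/early/exporter secrets: Wireshark can decode the
            # handshake, but not the HTTP requests and responses
            verdicts[session_id] = ("tls1.3", False)
    return verdicts


def summarize(text):
    """Counts an analyst wants before opening Wireshark."""
    sessions, bad = parse_keylog(text)
    verdicts = classify(sessions)
    return {
        "decryptable": sum(1 for _, ok in verdicts.values() if ok),
        "handshake_only": sum(1 for _, ok in verdicts.values() if not ok),
        "malformed": len(bad),
    }


# Constructed sample: a TLS 1.2 session, a complete TLS 1.3 session, a TLS 1.3
# session with only a handshake secret, a truncated random and an unknown label.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not the challenge's secrets.log",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "01" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "02" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "03" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "04" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "dd" * 32 + " " + "05" * 32,
    "CLIENT_RANDOM " + "ee" * 31 + " " + "ff" * 48,
    "BOGUS_LABEL " + "aa" * 32 + " " + "bb" * 48,
])

if __name__ == "__main__":
    sessions, bad = parse_keylog(SAMPLE_KEYLOG)
    for sid, (version, ok) in classify(sessions).items():
        print(f"{sid[:16]}... {version} {'decryptable' if ok else 'handshake only'}")
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```

Running it against a real key log (read the file and pass its contents to summarize) tells you up front whether a session that stays opaque in Wireshark is missing its traffic secrets or whether the log itself is damaged.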

Analyze individual conversations

Now that all TLS conversations are deciphered, we can proceed in two different ways:

Stripping protocol headers

In order to strip away all L1-L6 information, we can use the “Export PDUs to File…” dialog and filter by HTTP, HTTP 2, and HTTP 3:

Exporting packet contents

In a new Wireshark window, we see all HTTP conversations stripped of their lower-layer protocol data:

All L7 HTTP/2/3 conversations exported

Filtering by http.file_data contains "HTB" shows the packet carrying the flag; inspecting its contents manually reveals the flag itself.

Exporting HTTP objects

We can also export all HTTP bodies directly using the “Export Objects” dialog in Wireshark instead:

Exporting objects instead of PDUs

We click “Save All” and store the HTTP objects in a new folder.

Grepping for the flag

Now that we have dumped all HTTP objects in a new folder, we search for the flag by grepping for HTB:

grep -e "HTB" -r challenges/marshal_in_the_middle/http_objects/

Immediately, we find the flag:

challenges/marshal_in_the_middle/http_objects/api_post(4).php:HTB{...}

The above file contains a long array of American Express credit card numbers being uploaded. Better call the bank!
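To answer the challenge question (was data stolen, and what?) over the exported objects in a repeatable way, here is an added example (my code, not from the writeup) that walks a folder like http_objects/, pulls out HTB{...} flags and reports numbers that look like American Express cards and pass the Luhn check. The sample objects it writes are constructed: the flag is a placeholder, and the card numbers are the publicly known payment-gateway test numbers plus one digit-flipped variant that the Luhn filter should reject.

```python
"""Scan a folder of exported HTTP objects for the flag and for anything that
looks like an uploaded card number.  Added example, not part of the writeup;
the sample objects are constructed and written to a temporary directory."""
import os
import re
import tempfile

FLAG_RE = re.compile(r"HTB\{[^}]*\}")
# American Express PANs: 15 digits starting with 34 or 37; allow the usual
# 4-6-5 grouping with spaces or dashes so formatted dumps are caught too.
AMEX_RE = re.compile(r"\b3[47]\d{2}[ -]?\d{6}[ -]?\d{5}\b")


def luhn_valid(number):
    """Luhn mod-10 check on a digit string (separators are dropped first)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Amex-looking numbers that also pass Luhn, deduplicated, in order."""
    seen = []
    for m in AMEX_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(pan) and pan not in seen:
            seen.append(pan)
    return seen


def scan_objects(folder):
    """Walk the folder (as produced by Wireshark's Export Objects > Save All)
    and report, per file, any flag and any validated card numbers."""
    report = {}
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                data = fh.read()
            flags = FLAG_RE.findall(data)
            pans = find_card_numbers(data)
            if flags or pans:
                report[name] = {"flags": flags, "cards": pans}
    return report


# Constructed sample objects. The card numbers are the publicly known Amex test
# numbers from payment-gateway documentation, not real accounts; the third one
# has its last digit changed so it fails the Luhn check.
SAMPLE_OBJECTS = {
    "index.html": "<html><body>nothing to see here</body></html>",
    "api_post(4).php": (
        "HTB{constructed_placeholder_flag}\n"
        '["378282246310005", "3714 496353 98431", "378282246310006"]\n'
    ),
    "style.css": "body { color: #373737; }",
}


def write_sample(folder):
    """Write the constructed objects into folder to stand in for http_objects/."""
    for name, body in SAMPLE_OBJECTS.items():
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample folder, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        return scan_objects(tmp)


if __name__ == "__main__":
    for name, hit in demo().items():
        print(name, hit)
```

Point scan_objects at the real export folder instead of demo() and the report names every object that carried the flag or validated card numbers, which is the evidence the incident report needs.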

1 4m h4ckerm4n

AAAAAAAAND, that’s exactly why we need forward secrecy: it helps prevent exposure of confidential communications over HTTPS in case key material is leaked.

I would be thrilled to hear from you! Please share your thoughts and ideas with me via email.
