DEFCON CTF 2009 Trivial 400
Doh, an oldie but goodie. Find password please.
http://shallweplayaga.me/trivial/105f86deaafc709c9746a33634f1dbda
First, check what kind of file this is.
$ file 105f86deaafc709c9746a33634f1dbda
105f86deaafc709c9746a33634f1dbda: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
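It is a packet capture file taken with tcpdump.
Opening it in Wireshark (http://www.wireshark.org/) shows packets from an HTTPS (SSL) session.
Naturally, the HTTP traffic is encrypted and cannot be inspected.
Extract the public key from the capture file.
Save the public key as cert.bin.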
$ hexdump -C cert.bin
...
$ openssl x509 -in cert.bin -inform DER -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            cf:50:e7:6f:f2:43:07:7b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Diutinus Defense Technologies Corp., OU=IT Security, CN=ddtek/emailAddress=talk@ddtek.biz
        Validity
            Not Before: Jun 5 19:59:54 2009 GMT
            Not After : Jun 5 19:59:54 2010 GMT
        Subject: C=AU, ST=Some-State, O=Diutinus Defense Technologies Corp., OU=IT Security, CN=ddtek/emailAddress=talk@ddtek.biz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    ...
                Exponent: 35 (0x23)
    Signature Algorithm: sha1WithRSAEncryption
        ...
The output shows "Exponent: 35 (0x23)". Normally a value such as 65537 is used. Vulnerable?
A tool that obtains the private key from a public key → http://github.com/brl/exegesis
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa): A
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in A.
Your public key has been saved in A.pub.
The key fingerprint is:
69:a5:cb:53:3d:a8:66:ba:06:d3:98:b7:b0:4b:ef:78 ubuntu@ubuntu-vm
Generate an arbitrary RSA key pair.
The public key looks like this:
$ cat A.pub
ssh-rsa ... ubuntu@ubuntu-vm
Decode it from Base64.
$ base64 -d > B
...
(Ctrl+D)
$ hexdump -C B
...
Replace everything from byte 20 onward (the RSA public key area) with the RSA public key contained in cert.bin.
$ hexdump -C C
...
$ echo 'ssh-rsa '`base64 -w 0 C`' ubuntu@ubuntu-vm' > D.pub
$ cat D.pub
ssh-rsa ... ubuntu@ubuntu-vm
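The hex-editor step above works because an OpenSSH RSA public key blob is three length-prefixed fields: the string "ssh-rsa", the exponent e, and the modulus n. The Python below is an added example, not part of the original write-up. It builds and parses that blob and computes the MD5 fingerprint in the colon-separated form that `ssh-keygen -l` printed at the time, which is the value to compare when checking a certificate's key against a fingerprint list. The function names are hypothetical and the sample modulus is constructed, not the challenge key.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def mpint(value: int) -> bytes:
    """SSH wire 'mpint' for a positive integer. A 0x00 byte is prepended when
    the top bit is set, so a 2048-bit modulus occupies 257 bytes."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def rsa_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)

def parse_rsa_blob(blob: bytes) -> tuple[int, int]:
    """Split a blob into its length-prefixed fields and return (e, n)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the raw blob (legacy ssh-keygen -l format)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def public_key_line(e: int, n: int, comment: str) -> str:
    return f"ssh-rsa {base64.b64encode(rsa_blob(e, n)).decode()} {comment}"

# Constructed sample: a 2048-bit value with the top bit set, NOT the challenge key.
SAMPLE_N = (0xCFA2DB << 2024) | 0x55
SAMPLE_E = 0x23  # exponent value reported by openssl for the certificate

if __name__ == "__main__":
    print(public_key_line(SAMPLE_E, SAMPLE_N, "constructed@example"))
    print(md5_fingerprint(rsa_blob(SAMPLE_E, SAMPLE_N)))
```

With e = 0x23 and any 2048-bit modulus whose top bit is set, the first 20 bytes of the blob are fixed, which is why only the bytes from offset 20 onward had to be replaced.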
Leave the rest to exegesis (see the README for usage).
$ ssh-keygen -l -f D.pub
2048 88:81:8d:ca:32:09:4e:87:2d:88:59:31:0b:45:74:b1 D.pub
$ tar zxvf brl-exegesis-3b554ac.tar.gz
$ cd brl-exegesis-3b554ac
$ make
$ ls
COPYING   README            debian    exegesis.c  exegesis.o  sshtool.c  xcrypt
Makefile  README.Packaging  exegesis  exegesis.h  keysets     sshtool.h  xssh
$ cd ..
$ grep 88:81:8d:ca brl-exegesis-3b554ac/keysets/*
brl-exegesis-3b554ac/keysets/rsa_2048_32_le.out: 88:81:8d:ca:32:09:4e:87:2d:88:59:31:0b:45:74:b1 18342 rsa 2048 32 0
$ brl-exegesis-3b554ac/exegesis -t rsa -b 2048 -p 18342
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
$ brl-exegesis-3b554ac/exegesis -t rsa -b 2048 -p 18342 > pri.key
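Now that we have the private key, load it into Wireshark to recover the HTTP traffic.
In the menu, go to Edit -> Preferences -> Protocols -> SSL -> RSA key list and set it as follows:
ssl.keys_list: 192.168.1.43,443,http,C:\Temp\pri.key
"C:\Temp\pri.key" is the path to pri.key.
The HTTPS traffic is now decrypted.
Looking inside, the password is sent to the server in a POST request.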
The data "password=0987POIU%3Blkj" is being POSTed.
Therefore "0987POIU%3Blkj" is the answer.
Does it come down to whether or not you know the tool exegesis?
Is that what made this a trivia-like (Trivial) problem?