Who Are The Living Ghosts?

A living ghost is a 'disgusting' but perhaps accurate term applied to a person who has come to the UK to claim asylum and been unsuccessful http://www.church-poverty.org.uk/campaigns/li..

Once this happens, and if his/her appeal fails then there is an expectation that the individual will return voluntarily to his/her country of origin, and if this does not happen he or she will lose all access to public support i.e. no rights to accommodation, no rights to seek employment, no rights to claim government benefits, no rights to social care and the most basic rights to medical care.

In this situation, a person becomes virtually invisible hence the term 'Living Ghost'. Nobody really sees the living ghost except when crime is committed or when the housing shortage hits an all time high. This is the time when the living ghost is most noticed.

I have always found this to be particularly odd as the living ghost has no entitlement to housing and if he/she has no access to employment or benefits how is he/she meant to survive?

I have to say however, that the people I know in this situation have never been involved with the criminal justice system, in fact they are terrified of the police. In their countries, if you get arrested, you are usually out cold by the time you reach the patrol car or dead.

Now you might wonder how the hell a person in this situation actually manages to survive? How do they eat? Where do they sleep? Do they sleep? What happens if they become ill? and please don't forget that many people seeking asylum in the UK have often fled their own countries in fear for their lives, they may have been detained & tortured, raped or lost family members as a result of war, the list is endless.

It shouldn't be so difficult to survive though should it? I mean, they take our jobs (err sorry! no permission to work!) our houses (oops! no permission to access housing) Oh yes!! lets not forget our women because we really have no independent thought processes do we?

Taking into account the atrocities that some of these people have endured in their lives, is it not suprising that people do not return 'voluntarily'?

Now in many cases, the Home Office http://www.ukba.homeoffice.gov.uk/ do not deport people back home, why? because their countries are known to be unsafe, it's just their accounts of what happened that weren't believed.
So when this happens they are left destitute and are living on our streets, in our democratic country in the 21st century how disgusting is that?

Welcome To The United Kingdom!



Where's my vote?

Where's my vote?
People just want the right to choose their own government

Man holds a picture of his murdered friend

Man holds a picture of his murdered friend
Killed for speaking out against the corrupt Ahmadinejad regime
STOP EXECUTIONS IN IRAN!

According to the United Nations Convention Against Torture 1984, Article I, the term "torture" means any act by which severe pain or suffering, whether physical or mental, is intentionally inflicted on a person for such purposes as obtaining from him or a third person information or a confession, punishing him for an act he or a third person has committed or is suspected of having committed, or intimidating or coercing him or a third person, or for any reason based on discrimination of any kind, when such pain or suffering is inflicted by or at the instigation of or with the consent or acquiescence of a public official or other person acting in an official capacity. It does not include pain or suffering arising only from, inherent in or incidental to lawful sanctions.Iran is not signatory of Convention Against Torture but it doesn't give Iranian government any right to torture Iranians.

Surely Things Aren't Really That Bad Are They? Come on, What's for Tea?

Now before you sit down and eat, I'd like you to try a little exercise, anyone can join in and it will only take about 10 minutes maximum. It doesn't matter who you are, whether you are a council worker, a politician, the Prime Minister, homeless, destitute it really does not matter.
Just close your eyes for a moment and imagine this.......

You live in a beautiful country, lets say Iran to keep it simple. Things are hard but your country is amazing, beautiful buildings, warmth, the smell of home cooking and incense wafting by as you relax after a day's hard work. You have always struggled, never really fitted in because your father is Iranian and your Mother Kurdish but nevertheless that's part of life and there are mixed race people everywhere.
Suddenly you are jolted from your relaxation by banging on your door so you rush to see what the problem is.
It must have only taken a few seconds to reach the door but when you get there you see your elderly father being taken by military police handcuffed with a gun to his head.
You stare in horror and then being the eldest son you need to make sure your mum & sister are ok.
In your mum's room you see her crying on the bed and just as you are walking over to her your sister screams so you rush to her room but one soldier is still there so you can't do a thing except witness her rape and torture that seems to last a lifetime. Your mum knows whats happened and she is praying that she will die. Imagine that!
Imagine this is the 5th, 6th 7th or 8th time this has happened?
Your father, well you never saw him again after the first time, your sister could face execution for having sex before marriage and now who will marry her anyway?
Your Mother well she still wants to die but can't quite get there & you! are meant to protect them but you know the interrogators will be back for you because your're half Kurdish and you support independence for Kurdish people and they really don't like that.
Imagine that!! so you flee to protect your own life and also you feel that it may be easier on your family if you aren't there.
You don't know where you will end up when you smuggle yourself onto lorries, boats e.t.c or even if you will get to the other end alive but you do it....you are amazing imagine that!

This exercise wasn't made up, it was based upon real life history. A close friend of mine who I will call S experienced this and more on a regular basis. S is a man who was detained, raped and tortured systematically by the Iranian regime. Other examples include.......

Thousands face mass eviction from homes and market stalls in Zimbabwe
Up to 200 people from an informal settlement in the Harare suburb of Gunhill in Zimbabwe face being forcibly evicted without being given adequate notice or any consultation or due process. Thousands of vendors across Harare also face forcible removal from their market stalls. The majority of those to be affected are poor women whose principal source of livelihood is selling fruits, vegetables and other wares at market stalls like Mbare Musika and Mupedzanhamo in Harare.The Deputy Mayor of the Harare City Council stated in July 2009 that the city authorities are considering evicting people from "illegal settlements and market places to restore order." He claimed that the targeted people pose a health hazard and violate the city's by-laws.
www.hrw.org/ (Human Rights Watch 2009)


Iranian girl prisoners systematically raped before execution
The Iranian practice of raping girl prisoners before execution has been reported previously, but perhaps never with such clear documentation. "Progressives" who support this regime should keep it in mind. It is unlikely that there will be any investigation by the UN or a human rights group.

Ami Isseroff

'I wed Iranian girls before execution'
Jul. 19, 2009SABINA AMIDI, Special to The Jerusalem Post , THE JERUSALEM POST
In a shocking and unprecedented interview, directly exposing the inhumanity of Supreme Leader Ali Khamenei's religious regime in Iran, a serving member of the paramilitary Basiji militia has told this reporter of his role in suppressing opposition street protests in recent weeks.
He has also detailed aspects of his earlier service in the force, including his enforced participation in the rape of young Iranian girls prior to their execution.
He said he had been a highly regarded member of the force, and had so "impressed my superiors" that, at 18, "I was given the 'honor' to temporarily marry young girls before they were sentenced to death."
In the Islamic Republic it is illegal to execute a young woman, regardless of her crime, if she is a virgin, he explained. Therefore a "wedding" ceremony is conducted the night before the execution: The young girl is forced to have sexual intercourse with a prison guard - essentially raped by her "husband."
"I regret that, even though the marriages were legal," he said.
Why the regret, if the marriages were "legal?"
"Because," he went on, "I could tell that the girls were more afraid of their 'wedding' night than of the execution that awaited them in the morning. And they would always fight back, so we would have to put sleeping pills in their food. By morning the girls would have an empty expression; it seemed like they were ready or wanted to die.
"I remember hearing them cry and scream after [the rape] was over," he said. "I will never forget how this one girl clawed at her own face and neck with her finger nails afterwards. She had deep scratches all over her."

Still hungry?

Oh Mr. Brown! (Gordon) you are an exception enjoy your tea!

(THIS IS THE UNITED KINGDOM)

The United Kingdom is a Country of Democracy, Equality and Values the Protection of Human Rights.

So you have arrived in the United Kingdom tired, hungry, traumatised and dehydrated but nevertheless grateful to be in a country where you know you will not be executed..(there's a good start).

Despite your frail state however you manage with the help of an interpreter to complete a lengthy document stating your claim for asylum and why you were forced to flee your beautiful country with the wonderful history and the smell of home cooking e.t.c. for a country you know absolutely nothing about....You are amazing!

Asylum is given under the 1951 United Nations Convention Relating to the Status of Refugees http://www.asylumrights.org.uk/convention.htm.

To be recognised as a refugee, you must have left your country and be unable to go back because you have a well-founded fear of persecution because of your:
.race;
.religion;
.nationality;
.political opinion; or
.membership of a particular social group.

In 2007, 19 out of every 100 people who applied for asylum were recognised as refugees and given asylum.

Eventually you are offered accommodation with the support of NASS National Asylum Support Service (NASS) just until a decision is made about whether you will be granted leave to remain in the United Kingdom. You are also provided with vouchers so that you can eat.
www.asylumsupport.info/nass.htm

Things seem to be a little easier now and you can relax and recover from your ordeal in the knowledge that you will be safe but you can't look for a job to support yourself or access a house independently not yet! not until you become a British Citizen so you'll just have to hope for the best for now and wait until you get your UK leave to remain.

This means that it will be almost impossible to learn English Language at the moment because you don't really have the chance to mix in with British people as most of them congregate in places like 'Workplaces' or 'Housing Communities' all the places you can't go.

I guess you could go to social places like clubs or pubs but you don't have any money to do that and they don't accept vouchers sorry! but I guess you have freedom of choice don't you?




Beyond What is Visible

You were once a stranger to me but now I know you,
Not all of you, that could never be
Always a part of you that no one will ever see, not even me.

Once a stranger with beautiful brown eyes, the most beautiful eyes I have ever seen,
Eyes that felt nothing, no emotion nothing in between, this life and beyond.

We were once strangers but then we touched,
Not in the way some might think, not too much.
The touch we shared was deep and true,
Not physical but you did touch me and I did touch you.

You were once a stranger to me but now I know you,
Not all of you, that could never be.
Sometimes there's a moment when your eyes melt me,
So warm and compassionate, oh such a change in time, or is it?
Maybe I was blind.

We dont have words but thats fine,
I don't speak your language and you don't speak mine
But when you touched me I understood what you needed to say, it just needed time.




The Decision.........Dont worry!! Help is at hand. This is the United Kingdom.

So today is the day! the letter has arrived and with anticipation you open it.
You don't understand.............
You told the truth, explained why you had to flee your country, about the rape the torture why have they refused your application?
Why?
Quickly you must try and lodge an appeal against this decision.
The Home Office have stated that certain things are untrue or overstated but you know you told the truth.

You admit and acknowledge that when you lodged your claim, you were traumatised, tired, hungry and dehydrated and had travelled for thousands of miles in appalling conditions but you told the truth.
So you lodge your appeal and this fails too so what now?

Another letter arrives... you breath a sigh of relief as this could be to say that they made a mistake, they were wrong but no, its from NASS to say that in 28 days you must leave your home and return voluntarily to your country as you are now not permitted to remain in the UK. In 28 days time your vouchers will cease also.

So far you have managed alone with your memories of what happened to you and your family, tormented and unable to sleep you have paced the floor, even turned to alcohol which in your country is prohibited but you coped now its different. Who can you turn to? where can you get help when you don't even speak English?
Maybe the nurse in the hospital will understand as you wake up with both your wrists bandaged.

Relax! This is the United Kingdom there is always a way forward.

In the UK there is something called Section 4 support

Section 4 support

Applying for support

This page explains how you may qualify for short-term support if your application for asylum was unsuccessful, you are unable to return to the country you came from and would otherwise be homeless or without the money to buy food (we call this 'destitute').
If your asylum application has been rejected, you must return to your country of origin as soon as possible. However, you may be able to receive short-term support while you are waiting to return to your country. This is known as section 4 support because it is given under the terms of section 4 of the Immigration and Asylum Act 1999.
There are strict requirements you must meet in order to qualify for section 4 support. You must be destitute and satisfy one of the following requirements:
you are taking all reasonable steps to leave the United Kingdom or placing yourself in a position where you can do so;
you are unable to leave the United Kingdom because of a physical barrier to travel or for some other medical reason;
you are unable to leave the United Kingdom because the UK Border Agency believes there is no safe route available;
you have either applied for a judicial review of your asylum application in Scotland or applied for a judicial review of your asylum application in England, Wales or Northern Ireland and been given permission to proceed with it; or
accommodation is necessary to prevent a breach of your rights, within the meaning of the Human Rights Act 1998.

http://www.ukba.homeoffice.gov.uk/asylum/support/apply/section4/

So What is Section 4 all about?

Now Section 4 of The Asylum and Immigration Act 1999 is a magical piece of legislation put in place by the Home Office to help you so please trust them and do not listen to anyone who tells you otherwise.

Yes thats right! The Home Office were the people who looked at your asylum claim and refused it.

Lets take a closer look at Section 4 and what you must do to get it....

1- You must be willing to leave the UK and you must be putting yourself in a position to do so.

Oh but wait! you came to the UK fleeing for your life so this wont work.

2-You cannot leave the UK because you are unable to travel due to physical barriers.

Hmmm at the moment you are not registered as having these kinds of problems and even if you had, who would be aware of it? You have no access to anything and in any case you can't speak English.

3- you are unable to leave the United Kingdom because the UK Border Agency believes there is no safe route available;

Well your asylum claim was refused so the Home Office obviously believe it is safe.

4-
you have either applied for a judicial review of your asylum application in Scotland or applied for a judicial review of your asylum application in England, Wales or Northern Ireland and been given permission to proceed

Your asylum claim and appeal was refused (Not doing too well here)

5-
accommodation is necessary to prevent a breach of your rights, within the meaning of the Human Rights Act 1998.

Damn!! They just took your accommodation.

On a positive note, your local authority (The city where you live) know about this so they should help shouldn't they?
Let's hear what they have to say,and what they are planning to do about it..............

Home
About MCC Manchester
MCC Manchester News
News, events and activities in the life of the Metropolitan Community Church, Manchester (UK).
May 30, 2009
Support for refused asylum seekersPosted by Steve Gray under Social action Tags: , , , , Leave a Comment

Refused asylum seekers left destitute in the UK
Background information

No doubt you will have heard or read reports about how the UK is meant to be a “soft touch” for asylum seekers. Yet, in reality, the level of support provided to asylum seekers is far lower than that of income support and is usually withdrawn altogether if a claim is refused.

Many refused asylum seekers are, in fact, unable to return to their home countries due to the risks they would face because of, for example, armed conflicts, generalised violence and repressive regimes. As a result, many refused asylum seekers from countries where such problems are rife (including Zimbabwe, Iran, Iraq, Sudan, Afghanistan, Somalia, the Democratic Republic of Congo and Eritrea) are being forced into destitution, as they are not permitted to work here.

To make matters worse, it appears as though this could be part of a deliberate strategy on the part of the UK Government. Certainly, this is the view of the Joint Committee on Human Rights, which recently reviewed the treatment of asylum seekers in the UK and reached the following conclusion:

“We have been persuaded by the evidence that the Government has indeed been practising a deliberate policy of destitution of this highly vulnerable group.

We believe that the deliberate use of inhumane treatment is unacceptable. We have seen instances in all cases where the Government’s treatment of asylum seekers and refused asylum seekers falls below the requirements of the common law of humanity and of international human rights law”.
In light of this, we are calling on you to support the Still Human Still Here Campaign, which is fully endorsed by Amnesty International and many other reputable organisations (http://stillhumanstillhere.wordpress.com/).

The Still Human Still Here Campaign is dedicated to highlighting the plight of tens of thousands of refused asylum seekers who are destitute in the UK.

Supporters of the campaign believe that the denial of any means of subsistence to refused asylum seekers as a matter of government policy is both inhumane and ineffective.
Its supporters are calling on the Government to:
End the threat and use of destitution as a tool of Government policy against refused asylum seekers

Continue financial support and accommodation to refused asylum seekers as provided during the asylum process and grant permission to work until such a time as they have left the UK or have been granted leave to remain

Continue to provide full access to health care and education throughout the same period

What can I do?

We are asking you to write to your local MP in order to highlight the issue and ask for his or her support. Please feel free to use the model letter below (preferably adapting it, where possible) for this purpose. If you don’t know who your

MP is, you can find out at http://www.theyworkforyou.com/.

Then, all you need to do is send your letter (addressed to your own MP) to:
House of CommonsLondonSW1 0AA
If you receive a reply from your MP, please send a copy to The Human Rights Action Centre, 17-25 New Inn Yard, London, EC2A 3EA

Well, they have been persuaded so theres a good thing, but it looks like they are going to do absolutely nothing!



Please Don't Be The Next Living Ghost

The inspiration for this blog has been given to me by some truly amazing people who I have been fortunate to meet along life's journey. Unfortunately, although it would be an honour to use their full titles I am only able to identify them by initials.
Some of the mentioned people have fled their countries in fear of their lives, and some sadly did not make it.

I would like to take this opportunity to thank these people from the bottom of my heart for allowing me to be a part of their journey and for being courageous enough to come forward with their stories.

I hope that after visiting my blog you will share some of your own experiences and be proactive in writing letters and doing whatever it takes to make changes to the current asylum laws.

This can be done, it just takes time and determination and most of all a willingness to stand in unity.

S.M -A courageous and amazing man of Kurdish-Iranian origin. Having experienced torture & detention for political reasons he fled to the UK in fear for his life. This man has diagnosed Post Traumatic Stress Disorder and needs close monitoring due to five previous and serious suicide attempts. Initial asylum claim failed and now in the process of appeal. If returned to Iran he faces definite execution.
This man lives in Manchester England.

S.G.T- A courageous and amazing man of Kurdish Iranian origin, having fled his country for political reasons he still awaiting the outcome of his asylum claim to remain in the UK. A member of the PKK (Kurdish Independence Party) he will definitely face execution by hanging if returned.
This man lives in Manchester England.

S.H - A courageous and amazing Iranian man who fled Iran following his relationship with a girl of Jewish origin. The Basij police cut her throat in front of him and beat him so badly that he sustained a 7" scar on his head from a machete type blade (His father was one of Basij). In the UK he became a 'living ghost' and eventually returned to Iran as he could take no more pain and hopelessness from his destitute situation. He was subsequently executed by hanging, accused of espionage.

A.A -An amazing and couragious man who fled his home country of Iran because of political reasons. He is currently destitute on the streets of Manchester UK having failed his asylum application and appeal. He is now a living ghost.

F.A -Also a courageous and amazing man from Iran who was picked up and detained following a protest in the UK against the Ahmadinejad regime in his home country in which his family are stuck. This man faces deportation back to Iran where he is likely to be executed as an opposer of the Ahmadinejad government.
This man lives in Manchester England

A.R.Z -A courageous and amazing man from Afghanistan currently in the UK.
This man has his leave to remain in the United Kingdom but is so mentally affected by the atrocities and torture he endured in his country, he is unable to ever feel safe. He is dependent upon opium and living in Manchester England

M.M- A courageous and amazing young man of Iranian origin. Having fled his country because of sexuality reasons he came to the UK.
Homosexuality in Iran is punishable by the death penalty and his partner was hung at the age of just 23yrs.
This man failed in his application for asylum and in his appeal against the decision. He is now a living ghost in Manchester England.

M. An amazing and courageous young man from Eritrea who fled to the UK in fear for his life after all his family, mother, father, 2 brothers and his baby sister were slaughtered in front of his eyes by militia.
He escaped by hiding in a cupboard. He is awaiting the outcome of his appeal for asylum in the UK. He currently resides in accommodation provided by NASS due to his young age.

A.S An amazing and courageous man from Iran who has been deeply affected by the aftermath of the Iran Iraq war in which he served as a soldier. This man has serious mental health problems and the need for counselling but cannot access it having no access to support after his asylum claim and appeal were refused in the UK. Recently he stitched his own mouth and went on hunger strike just so someone would listen. He lives in Manchester.

MB, An amazing and Courageous Angolan man who was detained in Yarl's Wood with his 13-year-old son, was found hanged in a stairwell on the morning of his 35th birthday.
M's last words to his son were 'be brave, work hard, do well at school'

EN, An amazing and Courageous 26-year-old Zimbabwean man who was found drowned after his asylum claim and appeal to remain in the UK had failed.

HN-An amazing and Courageous man from Iran who was found with a gunshot wound two weeks after his asylum claim was refused.
H, was homosexual and fled Iran in March 2000 after being imprisoned for three months for his sexuality and sought sanctuary in the UK. He feared being executed if he was returned to Iran - where homosexuality is a 'crime' punishable by death.


Please Check out the following links and make a difference: Additionally, please contact me at:
morgana.1@hotmail.co.uk


http://stllhumanstillhere.wordpress.com/
http://www.church-poverty.org.uk/campaigns/li..
http://www.irr.org.uk/2005/september/ha000021.html
http://www.redcross.org.uk/.
http://www.torturecare.org.uk./
http://www.refugee-action.org.uk/manchester.
http://www.sareli.org.uk./
http://www.samaritans.org./
http://www.woodstreetmission.org.uk./

http://www.qva.org.uk/

http://www.immigrationboards.com


Saturday, 27 May 2023

CTF: FluxFingers4Future - Evil Corp Solution

For this years hack.lu CTF I felt like creating a challenge. Since I work a lot with TLS it was only natural for me to create a TLS challenge. I was informed that TLS challenges are quite uncommon but nevertheless I thought it would be nice to spice the competition up with something "unusual". The challenge mostly requires you to know a lot of details on how the TLS record layer and the key derivation works. The challenge was only solved by one team (0ops from China) during the CTF. Good job!



So let me introduce the challenge first.

The Challenge


You were called by the incident response team of Evil-Corp, the urgently need your help. Somebody broke into the main server of the company, bricked the device and stole all the files! Nothing is left! This should have been impossible. The hacker used some secret backdoor to bypass authentication. Without the knowledge of the secret backdoor other servers are at risk as well! The incident response team has a full packet capture of the incident and performed an emergency cold boot attack on the server to retrieve the contents of the memory (its a really important server, Evil Corp is always ready for such kinds of incidents). However they were unable to retrieve much information from the RAM, what's left is only some parts of the "key_block" of the TLS server. Can you help Evil-Corp to analyze the exploit the attacker used?

(Flag is inside of the attackers' secret message).


TT = Could not recover

 key_block:
6B 4F 93 6A TT TT TT TT  TT TT 00 D9 F2 9B 4C B0
2D 88 36 CF B0 CB F1 A6  7B 53 B2 00 B6 D9 DC EF
66 E6 2C 33 5D 89 6A 92  ED D9 7C 07 49 57 AD E1
TT TT TT TT TT TT TT TT  56 C6 D8 3A TT TT TT TT
TT TT TT TT TT TT TT TT  94 TT 0C EB 50 8D 81 C4
E4 40 B6 26 DF E3 40 9A  6C F3 95 84 E6 C5 86 40
49 FD 4E F2 A0 A3 01 06

If you are not interested in the solution and want to try the challenge on your own first, do not read past this point. Spoilers ahead.


The Solution

So lets analyze first what we got. We have something called a "key_block" but we do not have all parts of it. Some of the bytes have been destroyed and are unknown to us. Additionally, we have a PCAP file with some weird messages in them. Lets look at the general structure of the message exchange first.



So looking at the IP address and TCP ports we see that the attacker/client was 127.0.0.1:36674 and was talking with the Server 127.0.0.1:4433. When looking at the individual messages we can see that the message exchange looked something like this:

ENC HS MESSAGE .... ENC HS MESSAGE ->
<- SERVER HELLO, CERTIFICATE, SERVER HELLO DONE
ENC HS MESSAGE .... ENC HS MESSAGE CCS ENC HS MESSAGE, ENC HS MESSAGE ->
<-CCS, ENC HS MESSAGE
ENC HEARTBEAT ->
<- ENC HEARTBEAT
-> ENC APPLICATION DATA
<- INTERNAL ERROR ... INTERNAL ERROR

So this message exchange appears weird. Usually the client is supposed to send a ClientHello in the beginning of the connection, and not encrypted handshake messages. The same is true for the second flight of the client. Usually it transmits its ClientKeyExchange message here, then a ChangeCipherSpec message and finally its Finished message. If we click at the first flight of the client, we can also see some ASCII text fragments in its messages.

Furthermore we can assume that the message sent after the ChangeCipherSpec from the server is actually a TLS Finished message.

Since we cannot read a lot from the messages the client is sending (in Wireshark at least), we can look at the messages the server is sending to get a better hold of what is going on. In the ServerHello message the server selects the parameters for the connection. This reveals that this is indeed a TLS 1.1 connection with TLS_RSA_WITH_AES_256_CBC_SHA , no compression and the Heartbeat Extension negotiated. We can also see that the ServerRandom is: 1023047c60b420bb3321d9d47acb933dbe70399bf6c92da33af01d4fb770e98c (note that it is always 32 bytes long, the UNIX time is part of the ServerRandom).

Looking at the certificate the server sent we can see that the server used a self-signed certificate for Evil.corp.com with an 800-bit RSA modulus:

00ad87f086a4e1acd255d1d77324a05ea7d250f285f3a6de35b9f07c5d083add5166677425b8335328255e7b562f944d55c56ff084f4316fdc9e3f5b009fefd65015a5ca228c94e3fd35c6aba83ea4e20800a34548aa36a5d40e3c7496c65bdbc864e8f161

and the public exponent 65537.


If you pay very close attention to the handshake you can see another weird thing. The size of the exchanged HeartbeatMessages is highly uneven. The client/attacker sent 3500 bytes, the server is supposed to decrypt these messages, and reflect the contents of them. However, the Server sent ~64000 bytes instead. The heartbeat extension became surprisingly well known in 2014, due to the Heartbleed bug in OpenSSL. The bug causes a buffer over-read on the server, causing it to reflect parts of its memory content in return to malicious heartbeat requests. This is a good indicator that this bug might play a role in this challenge.

But what is this key_block thing we got from the incident response team? TLS 1.1 CBC uses 4 symmetric keys in total. Both parties derive these keys from the "master secret" as the key_block. This key_block is then chunked into the individual keys. You can imagine the key_block as some PRF output and both parties knowing which parts of the output to use for which individual key. In TLS 1.1 CBC the key_block is chunked as follows: The first N bytes are the client_write_MAC key, the next N bytes are the server_write_MAC key, the next P bytes are the client_write key and the last P bytes are the server_write key. N is the length of the HMAC key (which is at the time of writing for all cipher suites the length of the HMAC) and P is the length of the key for the block cipher.

In the present handshake AES-256 was negotiated as the block cipher and SHA (SHA-1) was negotiated for the HMAC. This means that N is 20 (SHA-1 is 20 bytes) and P is 32 (AES-256 requires 32 bytes of key material).

Looking at the given key_block we can chunk it into the individual keys:
client_write_MAC = 6B4F936ATTTTTTTTTTTT00D9F29B4CB02D8836CF
server_write_MAC = B0CBF1A67B53B200B6D9DCEF66E62C335D896A92
client_write = EDD97C074957ADE1TTTTTTTTTTTTTTTT56C6D83ATTTTTTTTTTTTTTTTTTTTTTTT
server_write = 94TT0CEB508D81C4E440B626DFE3409A6CF39584E6C5864049FD4EF2A0A30106

Since not all parts of the key_block are present, we can see that we actually have 14/20 bytes of the client_write_MAC key, the whole server_write_MAC key, 12/32 bytes of the client_write key and 31/32 bytes of the server_write key.

The client_write_MAC key is used in the HMAC computations from the client to the server (the server uses the same key to verify the HMAC),
The server_write_MAC key is used in the HMAC computations from the server to the client (the client uses the same key to verify the HMAC),
The client_write key is used to encrypt messages from the client to the server, while the server_write key is used to encrypt messages from the server to the client.

So looking at the keys we could compute HMAC's from the client if we could guess the remaining 6 bytes. We could compute HMAC's from the server directly, we have not enough key material to decrypt the client messages, but we could decrypt server messages if we brute-forced one byte of the server_write key. But how would you brute force this byte? When do we know when we got the correct key? Lets look at how the TLS record layer works to find out :)

The Record Layer

TLS consists out of multiple protocols (Handshake, Alert, CCS, Application (and Heartbeat)). If one of those protocols wants to send any data, it has to pass this data to the record layer. The record layer will chunk this data, compress it if necessary, encrypt it and attach a "record header" to it.


This means, that if we want to decrypt a message we know that if we used the correct key the message should always have a correct padding. If we are unsure we could even check the HMAC with the server_write_MAC key.

In TLS 1.0 - TLS 1.2 the padding looks like this:

1 byte padding  : 00
2 bytes padding: 01 01
3 bytes padding: 02 02 02
4 bytes padding: 03 03 03 03
...

So if we guessed the correct key we know that the plaintext has to have valid padding.
An ideal candidate for our brute force attack is the server Finished message. So lets use that to check our key guesses.
The ciphertext looks like this:
0325f41d3ebaf8986da712c82bcd4d55c3bb45c1bc2eacd79e2ea13041fc66990e217bdfe4f6c25023381bab9ddc8749535973bd4cacc7a4140a14d78cc9bddd


The first 16 bytes of the ciphertext are the IV:
IV: 0325f41d3ebaf8986da712c82bcd4d55
Therefore the actual ciphertext is:
Ciphertext: c3bb45c1bc2eacd79e2ea13041fc66990e217bdfe4f6c25023381bab9ddc8749535973bd4cacc7a4140a14d78cc9bddd

The 256 key candidates are quick to check, and it is revealed that 0xDC was the missing byte.
(The plaintext of the Finished is 1400000C455379AAA141E1B9410B413320C435DEC948BFA451C64E4F30FE5F6928B816CA0B0B0B0B0B0B0B0B0B0B0B0B)

Now that we have the full server_write key we can use it to decrypt the heartbeat records.

This is done in the same way as with the Finished. Looking at the decrypted heartbeat messages we can see a lot of structured data, which is an indicator that we are actually dealing
with the Heartbleed bug. If we convert the content of the heartbeat messages to ASCII we can actually see that the private key of the server is PEM encoded in the first heartbeat message.

Note: This is different to a real heartbeat exploit. Here you don't usually get the private key nicely encoded but have to extract it using the coppersmith's attack or similar things. I did not want to make this challenge even harder so I was so nice to write it to the memory for you :)


The private key within the Heartbeat messages looks like this:
-----BEGIN RSA PRIVATE KEY-----
MIIB3gIBAAJlAK2H8Iak4azSVdHXcySgXqfSUPKF86beNbnwfF0IOt1RZmd0Jbgz
UyglXntWL5RNVcVv8IT0MW/cnj9bAJ/v1lAVpcoijJTj/TXGq6g+pOIIAKNFSKo2
pdQOPHSWxlvbyGTo8WECAwEAAQJkJj95P2QmLb5qlgbj5SXH1zufBeWKb7Q4qVQd
RTAkMVXYuWK7UZ9Wa9nYulyjvg9RoWOO+SaDNqhiTWKosQ+ZrvG3A1TDMcVZSkPx
bXCuhhRpp4j0T9levQi0s8tR1YuFzVFi8QIzANNLrgK2YOJiDlyu78t/eVbBey4m
uh2xaxvEd8xGX4bIBlTuWlKIqwPNxE8fygmv4uHFAjMA0j7Uk1ThY+UCYdeCm4/P
eVqkPYu7jNTHG2TGr/B6hstxyFpXBlq6MJQ/qPdRXLkLFu0CMwCf/OLCTQPpBiQn
y5HoPRpMNW4m0M4F46vdN5MaCoMUU+pvbpbXfYI3/BrTapeZZCNfnQIzAJ7XzW9K
j8cTPIuDcS/qpQvAiZneOmKaV5vAtcQzYb75cgu3BUzNuyH8v2P/Br+RJmm5AjMA
jp9N+xdEm4dW51lyUp6boVU6fxZimfYRfYANU2bVFmbsSAU9jzjWb0BuXexKKcX7
XGo=
-----END RSA PRIVATE KEY-----

We should store it in a file and decode it with OpenSSL to get the actual key material.

>> openssl rsa -in key.pem -text -noout
RSA Private-Key: (800 bit, 2 primes)
modulus:
    00:ad:87:f0:86:a4:e1:ac:d2:55:d1:d7:73:24:a0:
    5e:a7:d2:50:f2:85:f3:a6:de:35:b9:f0:7c:5d:08:
    3a:dd:51:66:67:74:25:b8:33:53:28:25:5e:7b:56:
    2f:94:4d:55:c5:6f:f0:84:f4:31:6f:dc:9e:3f:5b:
    00:9f:ef:d6:50:15:a5:ca:22:8c:94:e3:fd:35:c6:
    ab:a8:3e:a4:e2:08:00:a3:45:48:aa:36:a5:d4:0e:
    3c:74:96:c6:5b:db:c8:64:e8:f1:61
publicExponent: 65537 (0x10001)
privateExponent:
    26:3f:79:3f:64:26:2d:be:6a:96:06:e3:e5:25:c7:
    d7:3b:9f:05:e5:8a:6f:b4:38:a9:54:1d:45:30:24:
    31:55:d8:b9:62:bb:51:9f:56:6b:d9:d8:ba:5c:a3:
    be:0f:51:a1:63:8e:f9:26:83:36:a8:62:4d:62:a8:
    b1:0f:99:ae:f1:b7:03:54:c3:31:c5:59:4a:43:f1:
    6d:70:ae:86:14:69:a7:88:f4:4f:d9:5e:bd:08:b4:
    b3:cb:51:d5:8b:85:cd:51:62:f1
prime1:
    00:d3:4b:ae:02:b6:60:e2:62:0e:5c:ae:ef:cb:7f:
    79:56:c1:7b:2e:26:ba:1d:b1:6b:1b:c4:77:cc:46:
    5f:86:c8:06:54:ee:5a:52:88:ab:03:cd:c4:4f:1f:
    ca:09:af:e2:e1:c5
prime2:
    00:d2:3e:d4:93:54:e1:63:e5:02:61:d7:82:9b:8f:
    cf:79:5a:a4:3d:8b:bb:8c:d4:c7:1b:64:c6:af:f0:
    7a:86:cb:71:c8:5a:57:06:5a:ba:30:94:3f:a8:f7:
    51:5c:b9:0b:16:ed
exponent1:
    00:9f:fc:e2:c2:4d:03:e9:06:24:27:cb:91:e8:3d:
    1a:4c:35:6e:26:d0:ce:05:e3:ab:dd:37:93:1a:0a:
    83:14:53:ea:6f:6e:96:d7:7d:82:37:fc:1a:d3:6a:
    97:99:64:23:5f:9d
exponent2:
    00:9e:d7:cd:6f:4a:8f:c7:13:3c:8b:83:71:2f:ea:
    a5:0b:c0:89:99:de:3a:62:9a:57:9b:c0:b5:c4:33:
    61:be:f9:72:0b:b7:05:4c:cd:bb:21:fc:bf:63:ff:
    06:bf:91:26:69:b9
coefficient:
    00:8e:9f:4d:fb:17:44:9b:87:56:e7:59:72:52:9e:
    9b:a1:55:3a:7f:16:62:99:f6:11:7d:80:0d:53:66:
    d5:16:66:ec:48:05:3d:8f:38:d6:6f:40:6e:5d:ec:
    4a:29:c5:fb:5c:6a

So now we got the private key. But what do we do with it? Since this is an RSA handshake we should be able to decrypt the whole session (RSA is not perfect forward secure). Loading it into Wireshark does not work, as Wireshark is unable to read the messages sent by the client. What is going on there?

De-fragmentation


So if you do not yet have a good idea of what the record layer is for, you can imagine it like envelops. If someone wants to send some bytes, you have to put them in an envelop and transmit them. Usually implementations use one big envelop for every message, however you can also send a single message in multiple envelops.

The attacker did exactly that. He fragmented its messages into multiple records. This is not very common for handshake messages but fine according to the specification and accepted by almost all implementations. However, Wireshark is unable to decode these kinds of messages and therefore unable to use our private key to decrypt the connection. So we have to do this step manually.

So each record has the following fields:
Type | Version | Length | Data
If we want to reconstruct the ClientHello message we have to get all the data fields of the records of the first flight and decode them.
This is simply done by clicking on each record in Wireshark and concatenating the data fields. This step is at least on my Wireshark version (3.0.5) not very easy as the copying is actually buggy, and Wireshark is not copying the correct bytes.

 As you can see in the image, the record is supposed to have a length of 8 bytes, but Wireshark is only copying 4 bytes. I am not sure if this bug is actually only in my version or affects all Wireshark versions. Instead of copying the records individually I therefore copied the whole TCP payload and chunked it manually into the individual records.

16030200080100009e03020000
160302000800000000004e6f62
16030200086f64796b6e6f7773
1603020008696d616361740000
16030200080000000000002053
1603020008746f70206c6f6f6b
1603020008696e67206e6f7468
1603020008696e6720746f2066
1603020008696e646865726500
16030200080200350100005300
16030200080f00010113370015
16030200084576696c436f7270
1603020008206b696c6c732070
1603020008656f706c65000d00
16030200082c002a0102020203
16030200080204020502060201
16030200080102010301040105
16030200080106010103020303
160302000803040305030603ed
1603020008edeeeeefefff0100
16030200020100

If we structure this data it looks like this:
Type  Version Length  Payload
16    0302    0008    0100009e03020000
16    0302    0008    00000000004e6f62
16    0302    0008    6f64796b6e6f7773
16    0302    0008    696d616361740000
16    0302    0008    0000000000002053
16    0302    0008    746f70206c6f6f6b
16    0302    0008    696e67206e6f7468
16    0302    0008    696e6720746f2066
16    0302    0008    696e646865726500
16    0302    0008    0200350100005300
16    0302    0008    0f00010113370015
16    0302    0008    4576696c436f7270
16    0302    0008    206b696c6c732070
16    0302    0008    656f706c65000d00
16    0302    0008    2c002a0102020203
16    0302    0008    0204020502060201
16    0302    0008    0102010301040105
16    0302    0008    0106010103020303
16    0302    0008    03040305030603ed
16    0302    0008    edeeeeefefff0100
16    0302    0002    0100

The actual message is the concatenation of the record payloads:

0100009e0302000000000000004e6f626f64796b6e6f7773696d6163617400000000000000002053746f70206c6f6f6b696e67206e6f7468696e6720746f2066696e64686572650002003501000053000f000101133700154576696c436f7270206b696c6c732070656f706c65000d002c002a010202020302040205020602010102010301040105010601010302030303040305030603ededeeeeefefff01000100

So what is left is to parse this message. There is an easy way on how to do this an a labor intensive manual way. Lets do the manual process first :) .
We know from the record header that his message is in fact a handshake message (0x16).
According to the specification handshake messages look like this:
    
      struct {
          HandshakeType msg_type;    /* handshake type */
          uint24 length;             /* bytes in message */
          select (HandshakeType) {
              case hello_request:       HelloRequest;
              case client_hello:        ClientHello;
              case server_hello:        ServerHello;
              case certificate:         Certificate;
              case server_key_exchange: ServerKeyExchange;
              case certificate_request: CertificateRequest;
              case server_hello_done:   ServerHelloDone;
              case certificate_verify:  CertificateVerify;
              case client_key_exchange: ClientKeyExchange;
              case finished:            Finished;
          } body;
      } Handshake;
    
This is RFC speak for: Each handshake message starts with a type field which says which handshake message this is, followed by a 3 byte length field which determines the length of rest of the handshake message.
So in our case the msg_type is 0x01 , followed by a 3 Byte length field (0x00009e, 158[base10]). 0x01 means ClientHello (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-7). This means we have to parse the bytes after the length field as a ClientHello.
    
      {
          ProtocolVersion client_version;
          Random random;
          SessionID session_id;
          CipherSuite cipher_suites<2..2^16-2>;
          CompressionMethod compression_methods<1..2^8-1>;
          select (extensions_present) {
              case false:
                  struct {};
              case true:
                  Extension extensions<0..2^16-1>;
          };
      } ClientHello;

This means: The next 2 bytes are the ProtocolVersion, the next 32 bytes are the ClientRandom, the next byte is the SessionID Length, the next SessionID Length many bytes are the SessionID, the next 2 bytes are the CipherSuite Length bytes, followed by CipherSuite Length many CipherSuites, followed by a 1 byte Compression Length field, followed by Compression Length many CompressionBytes followed by a 2 byte Extension Length field followed by extension length many ExtensionBytes. So lets try to parse this:

 Handshakye Type   : 01
Handshake Length  : 00009e
ProtocolVersion   : 0302
ClientRandom      : 000000000000004e6f626f64796b6e6f7773696d616361740000000000000000
SessionID Length  : 20
SessionID         : 53746f70206c6f6f6b696e67206e6f7468696e6720746f2066696e6468657265
CipherSuite Length: 0002
CipherSuites      : 0035
Compression Length: 01
CompressionBytes  : 00
Extension Length  : 0053
ExtensionBytes:   : 000f000101133700154576696c436f7270206b696c6c732070656f706c65000d002c002a010202020302040205020602010102010301040105010601010302030303040305030603ededeeeeefefff01000100

This is manual parsing is the slow method of dealing with this. Instead of looking at the specification to parse this message we could also compare the message structure to another ClientHello. This eases this process a lot. What we could also do is record the transmission of this message as a de-fragmented message to something and let Wireshark decode it for us. To send the de-fragmented message we need to create a new record header ourselves. The record should look like this:

Type   : 16
Version: 0302
Length : 00A2
Payload: 0100009e0302000000000000004e6f626f64796b6e6f7773696d6163617400000000000000002053746f70206c6f6f6b696e67206e6f7468696e6720746f2066696e64686572650002003501000053000f000101133700154576696c436f7270206b696c6c732070656f706c65000d002c002a010202020302040205020602010102010301040105010601010302030303040305030603ededeeeeefefff01000100

To send this record we can simply use netcat:


 echo '16030200A20100009e0302000000000000004e6f626f64796b6e6f7773696d6163617400000000000000002053746f70206c6f6f6b696e67206e6f7468696e6720746f2066696e64686572650002003501000053000f000101133700154576696c436f7270206b696c6c732070656f706c65000d002c002a010202020302040205020602010102010301040105010601010302030303040305030603ededeeeeefefff01000100' | xxd -r -p | nc localhost 4433


Now we can use Wireshark to parse this message. As we can see now, the weired ASCII fragments we could see in the previous version are actually the ClientRandom, the SessionID, and a custom extension from the attacker. Now that we have de-fragmented the message, we know the ClientRandom: 000000000000004e6f626f64796b6e6f7773696d616361740000000000000000


De-fragmenting the ClientKeyExchange message


Now that we have de-fragmented the first flight from the attacker, we can de-fragment the second flight from the client. We can do this in the same fashion as we de-fragmented the ClientHello.

16    0302    0008    1000006600645de1
16    0302    0008    66a6d3669bf21936
16    0302    0008    5ef3d35410c50283
16    0302    0008    c4dd038a1b6fedf5
16    0302    0008    26d5b193453d796f
16    0302    0008    6e63c144bbda6276
16    0302    0008    3740468e21891641
16    0302    0008    0671318e83da3c2a
16    0302    0008    de5f6da6482b09fc
16    0302    0008    a5c823eb4d9933fe
16    0302    0008    ae17d165a6db0e94
16    0302    0008    bb09574fc1f7b8ed
16    0302    0008    cfbcf9e9696b6173
16    0302    0002    f4b6

 14    0302    0001    01

 16    0302    0030    cbe6bf1ae7f2bc40a49709a06c0e3149a65b8cd93c2525b5bfa8f696e29880d3447aef3dc9a996ca2aff8be99b1a4157
16    0302    0030    9bf02969ca42d203e566bcc696de08fa80e0bfdf44b1b315aed17fe867aed6d0d600c73de59c14beb74b0328eacadcf9

Note that his time we have 3 record groups. First there is chain of handshake records, followed by a ChangeCipherSpec record, followed by 2 more handshake records. The TLS specification forbids that records of different types are interleaved. This means that the first few records a probably forming a group of messages. The ChangeCipherSpec record is telling the server that subsequent messages are encrypted. This seems to be true, since the following records do not appear to be plaintext handshake messages.

So lets de-fragment the first group of records by concatenating their payloads:

1000006600645de166a6d3669bf219365ef3d35410c50283c4dd038a1b6fedf526d5b193453d796f6e63c144bbda62763740468e218916410671318e83da3c2ade5f6da6482b09fca5c823eb4d9933feae17d165a6db0e94bb09574fc1f7b8edcfbcf9e9696b6173f4b6

Since this is a handshake message, we know that the first byte should tell us which handshake message this is. 0x10 means this is a ClientKeyExchange message. Since we already know that TLS_RSA_WITH_AES_256_CBC_SHA was negotiated for this connection, we know that this is an RSA ClientKeyExchange message.

These messages are supposed to look like this (I will spare you the lengthy RFC definition):

Type (0x10)
Length (Length of the content) (3 bytes)
EncryptedPMS Length(Length of the encrypted PMS) (2 bytes)
EncrpytedPMS  (EncryptedPMS Length many bytes)
    
For our message this should look like this:

 Type: 10
Length: 000066
Encrypted PMS Length: 0064
Encrypted PMS: 5de166a6d3669bf219365ef3d35410c50283c4dd038a1b6fedf526d5b193453d796f6e63c144bbda62763740468e218916410671318e83da3c2ade5f6da6482b09fca5c823eb4d9933feae17d165a6db0e94bb09574fc1f7b8edcfbcf9e9696b6173f4b6

Now that we got the Encrypted PMS we can decrypt it with the private key. Since the connection negotiated RSA as the key exchange algorithm this is done with:

encPMS^privKey mod modulus = plainPMS

We can solve this equation with the private key from the leaked PEM file.

2445298227328938658090475430796587247849533931395726514458166123599560640691186073871766111778498132903314547451268864032761115999716779282639547079095457185023600638251088359459150271827705392301109265654638212139757207501494756926838535350 ^ 996241568615939319506903357646514527421543094912647981212056826138382708603915022492738949955085789668243947380114192578398909946764789724993340852568712934975428447805093957315585432465710754275221903967417599121549904545874609387437384433 mod 4519950410687629988405948449295924027942240900746985859791939647949545695657651701565014369207785212702506305257912346076285925743737740481250261638791708483082426162177210620191963762755634733255455674225810981506935192783436252402225312097

Solving this equation gives us:

204742908894949049937193473353729060739551644014729690547520028508481967333831905155391804994508783506773012994170720979080285416764402813364718099379387561201299457228993584122400808905739026823578773289385773545222916543755807247900961

in hexadecimal this is:

00020325f41d3ebaf8986da712c82bcd4d554bf0b54023c29b624de9ef9c2f931efc580f9afb081b12e107b1e805f2b4f5f0f1000302476574204861636b6564204e6f6f622c20796f752077696c6c206e65766572206361746368206d65212121212121

The PMS is PKCS#1.5 encoded. This means that it is supposed to start with 0x0002 followed by a padding which contains no 0x00 bytes, followed by a separator 0x00 byte followed by a payload. In TLS, the payload has to be exactly 48 bytes long and has to start with the highest proposed protocol version of the client. We can see that this is indeed the case for our decrypted payload. The whole decrypted payload is the PMS for the connection.

This results in the PMS: 0302476574204861636b6564204e6f6f622c20796f752077696c6c206e65766572206361746368206d65212121212121 (which besides the protocol version is also ASCII :) )

Now that we have the PMS its time to revisit the key scheduling in TLS. We already briefly touched it but here is a overview:

As you can see, we first have to compute the master secret. With the master secret we can reconstruct the key_block. If we have computed the key_block, we can finally get the client_write key and decrypt the message from the attacker.


 master secret = PRF ( PMS, "master secret", ClientRandom | ServerRandom)

 key_block = PRF (master_secret, "key expansion", ServerRandom |  ClientRandom )

Where "master secret" and "key expansion" are literally ASCII Strings.


Note that in the key_block computation ClientRandom and ServerRandom are exchanged.



To do this computation we can either implement the PRF ourselfs, or easier, steal it from somewhere. The PRF in TLS 1.1 is the same as in TLS 1.0. Good places to steal from are for example openssl (C/C++), the scapy project (python), the TLS-Attacker project (java) or your favourite TLS library. The master secret is exactly 48 bytes long. The length of the key_block varies depending on the selected cipher suite and protocol version. In our case we need 2 * 20 bytes (for the 2 HMAC keys) + 2 * 32 bytes (for the 2 AES keys) = 104 bytes.

I will use the TLS-Attacker framework for this computation. The code will look like this:


This results in the following master secret: 292EABADCF7EFFC495825AED17EE7EA575E02DF0BAB7213EC1B246BE23B2E0912DA2B99C752A1F8BD3D833E8331D649F  And the following key_block:
6B4F936ADE9B4010393B00D9F29B4CB02D8836CFB0CBF1A67B53B200B6D9DCEF66E62C335D896A92EDD97C074957ADE136D6BAE74AE8193D56C6D83ACDE6A3B365679C5604312A1994DC0CEB508D81C4E440B626DFE3409A6CF39584E6C5864049FD4EF2A0A30106

Now we can chunk our resulting key_block into its individual parts. This is done analogously to the beginning of the challenge.

client_write_mac key = 6B4F936ADE9B4010393B00D9F29B4CB02D8836CF
server_write_mac key = B0CBF1A67B53B200B6D9DCEF66E62C335D896A92
client_write key = EDD97C074957ADE136D6BAE74AE8193D56C6D83ACDE6A3B365679C5604312A19
server_write key = 94DC0CEB508D81C4E440B626DFE3409A6CF39584E6C5864049FD4EF2A0A30106

Now that we have the full client_write key we can use that key to decrypt the application data messages. But these messages are also fragmented. But since the messages are now encrypted, we cannot simply concatenate the payloads of the records, but we have to decrypt them individually and only concatenate the resulting plaintext.

Analogue to the decryption of the heartbeat message, the first 16 bytes of each encrypted record payload are used as an IV

IV, Ciphertext Plaintext
6297cb6d9afba63ec4c0dd7ac0184570    a9c605307eb5f8ccbe8bbc210ff1ff14943873906fad3eca017f49af8feaec87      557365723A20726FB181CF546350A88ACBE8D0248D6FF07675D1514E03030303
063c60d43e08c4315f261f8a4f06169a    cdb5818d80075143afe83c79b570ab0b349b2e8748f8b767c54c0133331fb886    6F743B0A50617373D6F734D45FB99850CCAF32DF113914FC412C523603030303
cd839b95954fcadf1e60ee983cbe5c21    ac6f6e1fe34ae4b1214cded895db4746b8e38d7960d7d45cb001aab8e18c7fc7    3A20726F6F743B0A937048A265327642BD5626E00E4BC79618F9A95C03030303
8092d75f72b16cb23a856b00c4c39898    8df099441e10dca5e850398e616e4597170796b7202e2a8726862cd760ebacdf    6563686F20224F7769EACFBEEB5EE5D1F0B72306F8C78AD86CB4835003030303
8e9f83b015fce7f9c925b8b64abee426    224a5fbd2d9b8fc6ded34222a943ec0e8e973bcf125b81f918e391a22b4b0e65    6E6564206279204061736E93BFDC5103C8C2FE8C543A72B924212E8403030303
0e24ba11e41bfcf66452dc80221288ce    a66fb3aed9bdc7e08a31a0e7f14e11ce0983ec3d20dd47c179425243b14b08c9    6963306E7A31223B84A3CAFA7980B461DE0A6410D6251551AE401DD903030303
0465fdb05b121cdc08fa01cdacb2c8f4    eff59402f4dbf35a85cc91a6d1264a895cd1b3d2014c91fbba03ec4c85d058c9     0A7375646F20726DB97422D8B30C54CC672FFEC3E9D771D4743D96B903030303
e2ddbbb83fe8318c41c26d57a5813fab    89549a874ff74d83e182de34ecf55fff1a57008afd3a29ef0d839b991143cd2a      202F202D72663B0A996F3F1789CB9B671223E73C66A0BA578D0C0F3203030303
524f5210190f73c984bd6a59b9cf424c    b7f30fafe5ea3ac51b6757c51911e86b0aa1a6bbf4861c961f8463154acea315    0A666C61677B436868BF764B01D2CDCB2C06EA0DFC5443DABB6EC9AE03030303
32765985e2e594cddca3d0f45bd21f49    a5edfe89fdb3782e2af978585c0e27ba3ef90eb658304716237297f97e4e72bc    696D696368616E67FBF32127FA3AF2F97770DE5B9C6D376A254EF51E03030303
e0ae69b1fa54785dc971221fd92215fb    14e918a9e6e37139153be8cb9c16d2a787385746f9a80d0596580ba22eaf254e    61467233346B7D8BE8B903A167C44945E7676BF99D888A4B86FA8E0404040404

The plaintext then has to be de-padded and de-MACed.

Data HMAC Pad:
557365723A20726F    B181CF546350A88ACBE8D0248D6FF07675D1514E    03030303
6F743B0A50617373    D6F734D45FB99850CCAF32DF113914FC412C5236    03030303
3A20726F6F743B0A    937048A265327642BD5626E00E4BC79618F9A95C    03030303
6563686F20224F77    69EACFBEEB5EE5D1F0B72306F8C78AD86CB48350    03030303
6E65642062792040    61736E93BFDC5103C8C2FE8C543A72B924212E84    03030303
6963306E7A31223B    84A3CAFA7980B461DE0A6410D6251551AE401DD9    03030303
0A7375646F20726D    B97422D8B30C54CC672FFEC3E9D771D4743D96B9    03030303
202F202D72663B0A    996F3F1789CB9B671223E73C66A0BA578D0C0F32    03030303
0A666C61677B4368    68BF764B01D2CDCB2C06EA0DFC5443DABB6EC9AE    03030303
696D696368616E67    FBF32127FA3AF2F97770DE5B9C6D376A254EF51E    03030303
61467233346B7D      8BE8B903A167C44945E7676BF99D888A4B86FA8E    0404040404

This then results in the following data:

Data:
557365723A20726F6F743B0A506173733A20726F6F743B0A6563686F20224F776E656420627920406963306E7A31223B0A7375646F20726D202F202D72663B0A0A666C61677B4368696D696368616E6761467233346B7D8B

Which is ASCII for:

 User: root;
Pass: root;
echo "Owned by @ic0nz1";
sudo rm / -rf;

 flag{ChimichangaFr34k}


Honestly this was quite a journey. But this presented solution is the tedious manual way. There is also a shortcut with which you can skip most of the manual cryptographic operations.

The Shortcut

After you de-fragmented the messages you can patch the PCAP file and then use Wireshark to decrypt the whole session. This way you can get the flag without performing any cryptographic operation after you got the private key. Alternatively you can replay the communication and record it with Wireshark. I will show you the replay of the messages. To recap the de-fragmented messages looks like this:

ClientHello
0100009e0302000000000000004e6f626f64796b6e6f7773696d6163617400000000000000002053746f70206c6f6f6b696e67206e6f7468696e6720746f2066696e64686572650002003501000053000f000101133700154576696c436f7270206b696c6c732070656f706c65000d002c002a010202020302040205020602010102010301040105010601010302030303040305030603ededeeeeefefff01000100

ClientKeyExchange:
1000006600645de166a6d3669bf219365ef3d35410c50283c4dd038a1b6fedf526d5b193453d796f6e63c144bbda62763740468e218916410671318e83da3c2ade5f6da6482b09fca5c823eb4d9933feae17d165a6db0e94bb09574fc1f7b8edcfbcf9e9696b6173f4b6

We should now add new (not fragmented) record header to the previously fragmented message. The messages sent from the server can stay as they are. The ApplicationData from the client can also stay the same. The messages should now look like this

ClientHello
16030200A20100009e0302000000000000004e6f626f64796b6e6f7773696d6163617400000000000000002053746f70206c6f6f6b696e67206e6f7468696e6720746f2066696e64686572650002003501000053000f000101133700154576696c436f7270206b696c6c732070656f706c65000d002c002a010202020302040205020602010102010301040105010601010302030303040305030603ededeeeeefefff01000100

ServerHello / Certificate / ServerHelloDone
160302006A1000006600645de166a6d3669bf219365ef3d35410c50283c4dd038a1b6fedf526d5b193453d796f6e63c144bbda62763740468e218916410671318e83da3c2ade5f6da6482b09fca5c823eb4d9933feae17d165a6db0e94bb09574fc1f7b8edcfbcf9e9696b6173f4b61403020001011603020030cbe6bf1ae7f2bc40a49709a06c0e3149a65b8cd93c2525b5bfa8f696e29880d3447aef3dc9a996ca2aff8be99b1a415716030200309bf02969ca42d203e566bcc696de08fa80e0bfdf44b1b315aed17fe867aed6d0d600c73de59c14beb74b0328eacadcf9

ClientKeyExchange / ChangeCipherSpec / Finished
160302006A1000006600645de166a6d3669bf219365ef3d35410c50283c4dd038a1b6fedf526d5b193453d796f6e63c144bbda62763740468e218916410671318e83da3c2ade5f6da6482b09fca5c823eb4d9933feae17d165a6db0e94bb09574fc1f7b8edcfbcf9e9696b6173f4b61403020001011603020030cbe6bf1ae7f2bc40a49709a06c0e3149a65b8cd93c2525b5bfa8f696e29880d3447aef3dc9a996ca2aff8be99b1a415716030200309bf02969ca42d203e566bcc696de08fa80e0bfdf44b1b315aed17fe867aed6d0d600c73de59c14beb74b0328eacadcf9')

ApplicationData
1703020030063c60d43e08c4315f261f8a4f06169acdb5818d80075143afe83c79b570ab0b349b2e8748f8b767c54c0133331fb8861703020030cd839b95954fcadf1e60ee983cbe5c21ac6f6e1fe34ae4b1214cded895db4746b8e38d7960d7d45cb001aab8e18c7fc717030200308092d75f72b16cb23a856b00c4c398988df099441e10dca5e850398e616e4597170796b7202e2a8726862cd760ebacdf17030200308e9f83b015fce7f9c925b8b64abee426224a5fbd2d9b8fc6ded34222a943ec0e8e973bcf125b81f918e391a22b4b0e6517030200300e24ba11e41bfcf66452dc80221288cea66fb3aed9bdc7e08a31a0e7f14e11ce0983ec3d20dd47c179425243b14b08c917030200300465fdb05b121cdc08fa01cdacb2c8f4eff59402f4dbf35a85cc91a6d1264a895cd1b3d2014c91fbba03ec4c85d058c91703020030e2ddbbb83fe8318c41c26d57a5813fab89549a874ff74d83e182de34ecf55fff1a57008afd3a29ef0d839b991143cd2a1703020030524f5210190f73c984bd6a59b9cf424cb7f30fafe5ea3ac51b6757c51911e86b0aa1a6bbf4861c961f8463154acea315170302003032765985e2e594cddca3d0f45bd21f49a5edfe89fdb3782e2af978585c0e27ba3ef90eb658304716237297f97e4e72bc1703020030e0ae69b1fa54785dc971221fd92215fb14e918a9e6e37139153be8cb9c16d2a787385746f9a80d0596580ba22eaf254e

What we want to do now is create the following conversation:
CH->
<-SH, CERT, SHD
-> CKE, CCS, FIN
-> APP, APP ,APP

This will be enough for Wireshark to decrypt the traffic. However, since we removed some messages (the whole HeartbeatMessages) our HMAC's will be invalid.

We need to record an interleaved transmission of these message with Wireshark. I will use these simple python programs to create the traffic:




If we record these transmissions and tick the flag in Wireshark to ignore invalid HMAC's we can see the plaintext (if we added the private key in Wireshark).

Challenge Creation

I used our TLS-Attacker project to create this challenge. With TLS-Attacker you can send arbitrary TLS messages with arbitrary content in an arbitrary order, save them in XML and replay them. The communication between the peers are therefore only two XML files which are loaded into TLS-Attacker talking to each other. I then copied parts of the key_block from the debug output and the challenge was completed :)

 If you have question in regards to the challenge you can DM me at @ic0nz1
Happy Hacking
More information

  1. Hack Tools Download
  2. Free Pentest Tools For Windows
  3. Hacking Tools Free Download
  4. Beginner Hacker Tools
  5. What Is Hacking Tools
  6. Pentest Tools Github
  7. Wifi Hacker Tools For Windows
  8. Pentest Tools Framework
  9. Hacker Tools For Pc
  10. Underground Hacker Sites
  11. Pentest Recon Tools
  12. Hack Tools Mac
  13. Pentest Tools Free
  14. What Are Hacking Tools
  15. Hack Tools For Windows
  16. Game Hacking
  17. Hack Tools Download
  18. Hacking Tools For Windows Free Download
  19. Pentest Tools Download
  20. Tools For Hacker
  21. How To Make Hacking Tools
  22. Hacking Tools 2019
  23. Pentest Tools
  24. Hack Tools Pc
  25. Top Pentest Tools
  26. Top Pentest Tools
  27. Hack Tools Online
  28. Hacker Tools 2020
  29. Tools Used For Hacking
  30. Physical Pentest Tools
  31. Hack Tools
  32. Hacking Tools For Windows 7
  33. Pentest Tools Tcp Port Scanner
  34. Easy Hack Tools
  35. Nsa Hacker Tools
  36. Hacker Tools Linux
  37. Pentest Tools Nmap
  38. Hack Tool Apk No Root
  39. Hacking Tools Windows
  40. Hacking Tools
  41. Pentest Tools For Android
  42. Hacking Tools And Software
  43. Pentest Tools For Mac
  44. Hack Tools For Pc
  45. Hak5 Tools
  46. Nsa Hack Tools Download
  47. Hacking Tools 2019
  48. Hacking Tools Windows
  49. Hacker Hardware Tools
  50. Hacker Tools Linux
  51. Pentest Tools For Windows
  52. Wifi Hacker Tools For Windows
  53. What Are Hacking Tools
  54. Hacker Tools Linux
  55. Hacker Tools Online
  56. Pentest Tools For Ubuntu
  57. Hack Tools Github
  58. Hack And Tools
  59. New Hack Tools
  60. Tools For Hacker
  61. Hacker Tools For Ios
  62. Pentest Tools Framework
  63. Tools Used For Hacking
  64. Hacking Tools For Pc
  65. Pentest Tools Download
  66. Termux Hacking Tools 2019
  67. Pentest Tools Alternative
  68. Hack Website Online Tool
  69. Hacking Tools Name
  70. Pentest Tools For Mac
  71. Pentest Tools Nmap
  72. Pentest Tools Tcp Port Scanner
  73. Hacker Tools
  74. Pentest Recon Tools
  75. Hacker Techniques Tools And Incident Handling
  76. Hacker Tools For Mac
  77. Hacking Tools Mac
  78. Wifi Hacker Tools For Windows
  79. Hacking Tools For Pc
  80. Game Hacking
  81. Pentest Tools Subdomain
  82. Termux Hacking Tools 2019
  83. Pentest Tools Port Scanner
  84. Easy Hack Tools
  85. Hacker Security Tools
  86. Pentest Tools Bluekeep
  87. Hacking Tools Pc
  88. Hacker Tools 2020
  89. Pentest Tools Website Vulnerability
  90. Pentest Tools Find Subdomains
  91. Hacker Tools 2020
  92. Physical Pentest Tools
  93. Hacking Tools Usb
  94. Hacker Tools Software
  95. Hacker Tools Online
  96. Pentest Tools For Windows
  97. Free Pentest Tools For Windows
  98. Best Hacking Tools 2020
  99. Hacking Tools For Windows 7
  100. Easy Hack Tools
  101. Hacker Tools Github
  102. Hacker Tools Windows
  103. Hack Website Online Tool
  104. Hacking Tools Software
  105. Pentest Tools Bluekeep
  106. Best Hacking Tools 2019
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)