[Plaid 2014] forensic : curlcore
Zero Day, 2016. 8. 27. 16:15
First, open curlcore.sh and we can see the code ...
It captures the packets with dumpcap into a file named "capture". So let's look at the capture file in Wireshark.
But the download was over HTTPS, which means the traffic is encrypted with SSL. So we need to decrypt those packets.
We can find the encryption algorithm and the Session ID in the packets.
Wireshark supports decryption if the private key and the Session ID exist.
We already found the Session ID. Then, where is the private key (SSL master key)?
Google says "curl depends on OpenSSL for supporting the TLS protocol." So let's find where OpenSSL stores the private key in memory.
I found the structure in ssl.h. The SSL master_key (private key) is stored near the session_id we found.
Then all we have to do is search near the session ID and we'll get the private key.
In tmp/corefile, we can find that structure's data.
As shown in the following picture:
From that info, we make the SSL master key file that Wireshark requires.
Apply that key and we can see the plain text!
The flag is congratz_you_beat_openssl_as_a_whitebox