Statement:

ESD Secure Message boasts an encrypted online messaging system with an asymmetric encryption mechanism that is reputed to be tamper-proof.

The company has hired you to carry out a pentest on a well-defined perimeter over a very short period of time. As a result of this pentest, you were able to recover two items:

an interception of exchanges from one of the unsecured servers A raw export of one of the encrypted messages from the messaging application’s database.

Your mission: Complete the investigation of the recovered elements and find a way to decrypt the message from the ESD Secure Message application.

Author : shadowmedicis (ESDAcademy - ENI Nantes - HESD03)


The challenge provides a network capture in pcap format and an encrypted message.txt.enc file.

Looking at the contents of the PCAP, I see communication on port 25 (SMTP) : wildcard

In the network capture, I can see all traffic exchanged :

220 miniRelay Server v0.9.77d ready
EHLO DESKTOP-JB5J4SR
250-net
250-AUTH LOGIN
250 HELP
MAIL FROM:<tom.rip@esd-secure-message.fr>
250 tom.rip@esd-secure-message.fr Address Okay
RCPT TO:<john.legeyo@esd-secure-message.fr>
250 john.legeyo@esd-secure-message.fr Address Okay
DATA
354 Start mail input; end with <CRLF>.<CRLF>
MIME-Version: 1.0
From: tom.rip@esd-secure-message.fr
To: john.legeyo@esd-secure-message.fr
Reply-To: tom.rip@esd-secure-message.fr
Date: 20 Jun 2021 17:22:20 +0200
Subject: tom.rip@esd-secure-message.fr
Content-Type: multipart/mixed; boundary=--boundary_0_bb6793a1-acac-452c-b09f-79c3a99b40c8


----boundary_0_bb6793a1-acac-452c-b09f-79c3a99b40c8
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

SGkgSm9obiwNCg0KSSBzZW5kIHlvdSB0aGUgbmV3IGNlcnRpZmljYXRlIGZvciByZW5ldyB0
aGUgY2VydGlmaWNhdGUgb2YgaHR0dHBzLy9hY2NvdW50LmVzZC1zZWN1cmUtbWVzc2FnZS5m
ci4NCllvdSBrbm93IHRoZSBwYXNzcGhyYXNlLCBpdOKAmXMgdGhlIHNhbWUgcGFzc3dvcmQg
b2YgdGhlIGxhdGVzdCBjZXJ0aWZpY2F0ZS4NCkl04oCZcyBsZWdhY3kg8J+YiSAuLg0KDQpU
ZWxsIG1lIHdoZW4geW91IGZpbmlzaCB0byBpbnN0YWxsIHRoaXMgY2VydGlmaWNhdGUuDQoN
CkJlc3QgcmVnYXJkcywNCg0KVG9tIFJJUA0KRVNEIFNlY3VyZSBNZXNzYWdlDQorMzMoMCk2
IDQ0IDYzIDcxIDEx
----boundary_0_bb6793a1-acac-452c-b09f-79c3a99b40c8
Content-Type: application/octet-stream; name="certificate willcard esd-secure-message.fr.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAAaF1FIkQbPIJQoAADQNAAALAAAAcHJpdmF0ZS5rZXl1l7cS4zoSRXNV6R8m
55sSvXkZvfeeGZ1IiZ6i//rlbr4IkCAA0H379O2//10ML8rGH8el/1iOHNAe/0fl4/+dPB/W
POR/vXMs//2D/sMbrBNbHs89Hxyv/pX79/DvH5p3/8IY/pdl2H8gnOVYiIRIlkEpjkYomIcF
iAMFDOEEiMSej+cD6xr+sGMipWS4dkj3ys5kvzSOmuphIzisaS5PzCoTH3Rb4nIInL9FaOZW
VRe9Inj33SvMwcnJzb1p6hpBf38ukTREU4fNwjJLefEHuUx99TaIzFyPlRllw9YVa4Ld06XW
gH8+qMPArWBnI0JZTRIS01gvCk2ywpSjfC4Qj3cruuJZbiFYytc7RLycfrlVtk6cxeS+8Xxc
y+rDY8sRk/tVJc/2F0SDYb/dwrk9RDsysDi7PrZ1cSkiOqpm4CuS+FENgmox8GPwfEiJvr5E
okSctF7VHj0B4PuSZ3xnqBwtiNV5xXI1eoPNMdReJ95HoV9UsKnyO1qiuWKejz4NpDewwX0x
L95xnuKRcJczOhXpOlc7xBpkuFoLEV8s6DxoyXk2z98cTwWOnpgoKzwfTD/to8g6HtKNBiNH
asgUjHRGEnZYkd5vEsPmTf/ZFKl4g7yGhnakXWSNt3U+UkayPx9ZBQWloEpreRFX+DvmOGw+
iV9LTRofOvNmW3LeR17gmHjdh6wOPY1Yl2ttanYQ2218PpxPl73WPkuk083kQmKnb1wN/kKU
BzANhkny40u3hTIFTJMG89cqs2qNrVymsHS8gd7zUb4uaRZgW9ya3qSH1Sb9W9GbWFQai4Gq
stkSLIh9JETOaTYvCmeXCDpCVZlflC7A4PORY1zST2Vv41MgXylMT2CFOdlGUwMV1wwCv11o
XKuVzvSGJaiuQqT4yrYLQIyi077sHclX+HFe04+vIXeqgV1attEhsB2oIGPDMLOOW+pkIBis
d8zj+m/5Fc2lTa8tQUH8CpvnY7dktYuPzpG5xI0wTpmxY48NHtdJUPupFGSuJlEHpPML7fUt
jA26Wzkmvtq3T1dvwH0+jhe8MIgOQod+wd7JFlUjn13uFG8+Dbb0msXZLqKqGfgfaQoJ8qY3
xKJHvMV2hd/Ju7KUOdpw4Nd7FJgyTPdyog5SI7j+DfibK0NE6vfCIUSRJ+CcQoermn9ZaxVB
GgEW9fGS54MloN63Ds7MNWln1MPygtMX7grvQQjXmZkY0JYMwyYHOECrJvNTb6QcjppKhv52
v/L5EPW6KGv0rX5prievBVqdKD2WSB42qKLeSYWQPDuPfmIwif5BLyhtVz2rP66ajD+sPe/K
8tlzPD90hXwCtSFxuzI1RReNaW0vE47xLsQJ7CVeveljldRpNs5Zan3iRsC02hf/PB8/mp94
ytxaSD9fYeLpmc7Aa5rK2XbsJw6z1sewne4oETnNp11kaTn+NNSRMWm29oXzfHhyrdypRJFT
Hj8fkerGVyOFZ/RmyXLi6wu+rtqTDMW2Sv5klMYAsYWjU7LCVCkBqOL5OIeNmyIy/NXk+cHD
WKElepgrGpbCFI6PZDK0M33Dhoh/kc8tqami52rhFNCSkXXQo+eDTwkh+OIhZTJiufD25Ebf
Ynl9yGEgSqJunR9IsyGeoijUp5j1oyL7wxJflfgGTQ8n9fMRUj7KCcsHWimsXX1jUBhtEE+b
qDxA6EW6cDnOfzPtN62V69Osh9Uo5jYTJbO1eOPEz0dAgcMAJz/Llgjrpo++QRfo+NqNueaT
fJllBYupyNsmuFk/FnTtqHPfTA3nzJTbNstNORyW+zAD18h4t/z5Bs1I/YUsvqZ9mIMjwtHu
xZb9AmgN2KeKISMXAzv896I3NbSP9vkw8VwPmdJ15MbXfgC7rUAEtYD9Rb0iZd88YMIsOFRT
35k/g7W/L2tZm/X9Iey0xkXppj0Mx79a8DKwbd7sPLM8BImIMNdLsrP2OVjQ2HQh8iqldeAZ
w98ZqNckDSKmpSQQAXefD3f3J0/zENRAgP8iWV7Z1/UmruzVNqAhfys3K62J6cQ1HK+gPAg2
mcmtZ9Yd4ao6u/tFiYQzLbaDAn91/wRerOI07ov+Za6J8ihabKg6Y1rbj1nYRchQpyM8pyO2
TNUr/mWf/vkgQ4fxbpkvoOrENtwFclTAEp9jSaZivYk4C29FrmZ1C/uqIAf9COTcpGorTqgK
zG15s3puHBz3ehs0anVCiaqXpmZRGA/f6hQVb3jLbC+OtLqkJ9JE9GybG9jP4Rbkg9JAt6on
HtZFniIT+gWXPS1ZLhVga5sAfsTFHmXUEDGIqg5Ww+uIwPF3pd6SCoug9h0y2VN2s9r08L00
DIhOlDFp59KEVCxzRjwM38ZpnDVhIBOoat1I0nxD+9DMsbv4Ic3pe/4QbXg+hg5oggrQj7pR
TlXR87qEct4sgDxL+VJxHP20XrRdt4zu6wApuZbZqwAkMx/5LH/gHQetSNwix6WZG/TWhPLD
Evak+0Heq1Lwt1JKjXIQsgNQHTZYsfvjTKkGp+irg6vMSsn0fHz33nIalUhG9WB3zrIMozIA
8Cd/bPV3noDNBKjxWySCjNPPN0805Q0eqtqDU2b/EPj2MHPZNG3W4749ZsB7ODgaZBwxcanz
OrwMiHsF1gO6832o8CKRRGSrsmKb6DCnMNj04J6P1BHUGHCRRth4tGo5G98geM6aCl+ZAOG9
UCwvFzWhOsvNIOcc38XFg3Pc/N3vkchYz0f2DehdNJbvkhQZ9b777s8PcG2N7J849952dhoS
DCb99SRIsxBpu4OIE3fmVslvgtC+OZlzpn1ZYBnHHZeuKwSLpipOvw8DCq5doo3XCdAXYT9g
wQqH0B9+wXxqCOnYJWQ47LjjYIQaAUJqKeqoBLkRI+G46Fo7jaEtD3kgNx4IylZ3UxCiCrSJ
tOqWTf3dO2jVxGE+H8vrVk6CWQmZJtXse9FgoWp6ZToNuRqbG8pbdqocADzCfhPY1/aFxVRT
IxJ+i5kffPN8JEq3lpQYge572HdWRkPIc7+SrRegJPRs0R8JNQH+ZunxNSuT6+4HSzUqh285
ezXO7R9csrptjao4eP19x3iFGkIV2TAWbyNoEcRYoTvbBchG5JDPO+9In6ovtFsv41Ur9fa9
symgwgv8Abdt+XSnvKVdO89dFdNgPPjkMtxw6ZEgMrbXOlB8kqVXaZaE3WGaiflztvi31+fV
UTHrxI+bbULFdrbmIE9c07tArI+49NwWIsrjkAzsWd7agMUuowusy55Wbkyp+xe98wXyQ/Qv
PYUFD95OcAQ/3MI6fZxJt3dE8z2HP11U7bcdvV45q+I14S21wAWWbEnz8/EapW4NhjiQZF4y
ICG4wg+a3OUbFD5EY+UeF+6vbsNY/JV7dH6ho522xCDaOKvS87odKaW3d09jdalFe24j0oU5
OK9fdN9MkOjylLmmi73UsJ/f2x5PTUwxgTxCSOJYb2uu3KT93+jDG9z/GYn+A1BLAwQUAAAA
CABIhdRSxcetfyAGAAA2CAAABgAAAGNhLmNydH1Wya6DOhbcR8o/9B61mEJIFr0w82TATAF2
YQiEISSE+eube6/0Vq1mZR2VD1Vll+1//3ycKKvmv3jR8VRJ5YEn/laPB6iq0rrxPGCtAswq
BwrV5xIrxSI5cFpwfwiBeWr6/BtONpK7WUCRpnexWk6pCZBoHA8cAnPmiQYEtQxIX+RKyDuN
uggbMLnCDPaWkKtjF/mM4HiiDQHxh5tn2Wul8XjI5GCDDprFIhIChHQBDJJPoALdzDKWgyH3
RAhB9zuLn2fBCUwRumBW/vDC8SBw6cdogy3myS2+mWTa+kNyC7aUkl6xy7RpBXJpJlboAQpW
YDEFtI+z+17bfmq7D17xTxUq/sJvQPtjH3lgZw/R5Uf7z/9UAcSyX0sWIvx/VO4+gHTXyZTJ
y2nSTfQhp/4xLmbjh7EqSlV0c5okrBdBAPpf9+9uR+A5gljsHLjT7wwwz6H+ZJqUQkNKBVUW
ao1xI5uU3v2g/DF+qXNRqM8fJ3n3I7tqQgtI5I4HgHwATiovzOAHoYNuX2vEn3qyyiIr6Y0g
HrfFcruRu1h4aTA4RWjpOkbiW5pG/3k8LNgJLWMQw/i53GbsrAow1siv6pGaXpvPO/MwvNTF
CfdJXejhMQiQpb/hsFni+hrcVDseVpmklxwjKMPPr6Svt8D0r6HBCwzL2EKL6lrmdXnbtWHW
x4lFcd24ScXcNzdx1FOUjoc7S1Z44UVDt5qDRtPMpRlBi8Ozk3aBmNhnSp2nODO65DZPTS6o
gQThQt+6eGyWgWWOB52syoeDqQ1Tqrf2sQqtMFB1Ty5h/Wp5AOdE0hvz+63pmMzVVyltLK3U
zqCrjCcn4+t48BZPu78MY3C49Cxcs/LevR10q9n+1NSScaPL+U1fQnQPzQbgUGQrQ7n6X+95
OlUX6FvHw0PRIuMmXx9O9o2YJju/JPt5ycvCuRm9gYf9yGyWt6njw4V63XlFAZck8zwSywMi
pncVvTTdCwJdKT+VmHCZa4qi1uA0fArjE0Eb61aH0HnZloQIWvFXpb2pG/BZlWaLLh00HA8K
/uwbXEOnq9cUJ30U/N7F5qibOCYgwUC9powqUjpS6GXcPYaeBM82LK2MCerrqLDHw0ZGvmw3
9nAaLy3PaqDnKQmnNfLpe2sDeya7eIJvvmQ5lIh37jKjMAjOJPTXDGQ3zD4ekLeGH3uA+rq8
a/RN8Gflfmin1caF0p78hcXH0MQwSQCRdVNWYAwDa5WhuGqgfauc/LOr98ghwHUknH0PZD/J
UdBJlArk03dMmG2qpRLvAtzwkwEYZN6i3kU0K/OeV4eo9mxyxSx14P+ihT+0B5CCc8DfEyRy
+G+668/xUNZP+ToTHEBfCQCLB4UIfNzMKRoQ0SOkZiyi2/AzlLnhvENr4IyrwUJ+OfemMn/Y
+MeHhZbmj1vPJ/9sDIkrO/NdbMFl08oIx7dgzUc7dZl5+7JZ/TR8lLSqM/dsVznlFnfHg9jX
fno+iX6FqB41vWhooCCc8CFtmpGopB2cmNsatlpT61uunW3tPthe9gxnf33r8+7kl7xKMlVm
5ip1bYtyIHLR5QxihZUY/CVZM1HaEy2QNkcymOepD47miPTptc7H7ddh9yEKSMKwyGvYwFec
iN0btitiTy4xNojH3n0WJnEnS5XVGXdSijhoFJj3kcR7IFUEDufjQb5yOC3uDQvlbdckfYVW
thb5dhHGYNX7e3LXq1f3/tIPRnt225XBhYdykpX3wKKHRu+r+a1sHSBdtbQzFbiLPrWf3N1G
wu61gdnovsT2+yzvHV203v6HWKTgnjwaeeqRlFXqmTgeKODDwiDvvUln9tmT0vFmP7Zv1+WJ
O+0n08cqXQ9b+VReS/fELrW5kZa9KuiVD9b55u3pHjzvUgK8XhbZqC5CXM0bMUNRLW4X12dM
UL/778RemDavp3sJhxif+tIMe7yiyfdPLq7vaeIvDhlFrzxWN6x/37LS1wyImaDVXqdRV3jr
firXq44eg/N+9DV0nlnt9fn7KRP7+aD4L9e7supXDIsYWu5wJt2YM2TFcnDpcbFIJ0FfTBW5
e3W5IVxRjbU+b2XBfmq98tF/joffR4BoCv/jYfBfUEsBAh8AFAAAAAgABoXUUiRBs8glCgAA
NA0AAAsAJAAAAAAAAAAgAAAAAAAAAHByaXZhdGUua2V5CgAgAAAAAAABABgAOciZLeJl1wE5
yJkt4mXXAeCmmg7fZdcBUEsBAh8AFAAAAAgASIXUUsXHrX8gBgAANggAAAYAJAAAAAAAAAAg
AAAATgoAAGNhLmNydAoAIAAAAAAAAQAYACseYHfiZdcBKx5gd+Jl1wFs+F934mXXAVBLBQYA
AAAAAgACALUAAACSEAAAAAA=
----boundary_0_bb6793a1-acac-452c-b09f-79c3a99b40c8--

.
250 Ok

I’ll start by decoding the first text string in base64 :

echo -n "SGkgSm9obiwNCg0KSSBzZW5kIHlvdSB0aGUgbmV3IGNlcnRpZmljYXRlIGZvciByZW5ldyB0aGUgY2VydGlmaWNhdGUgb2YgaHR0dHBzLy9hY2NvdW50LmVzZC1zZWN1cmUtbWVzc2FnZS5mci4NCllvdSBrbm93IHRoZSBwYXNzcGhyYXNlLCBpdOKAmXMgdGhlIHNhbWUgcGFzc3dvcmQgb2YgdGhlIGxhdGVzdCBjZXJ0aWZpY2F0ZS4NCkl04oCZcyBsZWdhY3kg8J+YiSAuLg0KDQpUZWxsIG1lIHdoZW4geW91IGZpbmlzaCB0byBpbnN0YWxsIHRoaXMgY2VydGlmaWNhdGUuDQoNCkJlc3QgcmVnYXJkcywNCg0KVG9tIFJJUA0KRVNEIFNlY3VyZSBNZXNzYWdlDQorMzMoMCk2IDQ0IDYzIDcxIDEx" | base64 -d

Hi John,

I send you the new certificate for renew the certificate of htttps//account.esd-secure-message.fr.
You know the passphrase, it’s the same password of the latest certificate.
It’s legacy 😉 ..

Tell me when you finish to install this certificate.

Best regards,

Tom RIP
ESD Secure Message
+33(0)6 44 63 71 11

I then decide to decode the base64 encoded string to reconstruct the zip file :

echo -n "UEsDBBQAAAAIAAaF1FIk...BQYAAAAAAgACALUAAACSEAAAAAA=" | base64 -d > certificate.zip

file certificate.zip                                                                       
certificate.zip: Zip archive data, at least v2.0 to extract, compression method=deflate

The zip contains the certificate and the private key, I now need to use the private key to decrypt the message.txt.enc.

I start by checking whether the private key has a blank passphrase with openssl :

openssl rsa -in private.key -out private_out.key                                           
Enter pass phrase for private.key:
Could not read private key from private.key
40273626677F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
40273626677F0000:error:04800065:PEM routines:PEM_do_header:bad decrypt:../crypto/pem/pem_lib.c:467:

The private key has a password, so I decide to carry out a bruteforce dictionary attack with John The Ripper to recover it :

ssh2john.py private.key > hash.txt && john --wordlist=rockyou.txt hash.txt

private.key:antiflag
1 password hash cracked, 0 left

Now that I know the password, I’ve tried many times to decrypt the file with openssl but I had the following error :

openssl rsautl -decrypt -inkey private.key -in message.txt.enc -out message.txt

The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
Enter pass phrase for private.key:
RSA operation error
409710DC9C7F0000:error:0200006C:rsa routines:rsa_ossl_private_decrypt:data greater than mod len:../crypto/rsa/rsa_ossl.c:407:

In the end, I wasn’t able to decrypt the file before the end of the CTF.

I had to use the smime parameter to decrypt the file :

openssl smime -decrypt -inkey private.key -in message.txt.enc -out message.txt

cat message.txt

Hi !

Congratulations you managed to decipher this message.

To validate this challenge, I invite you to enter the following FLAG: 
ESD{doesnt_send_private_keys_over_an_unsecured_channel}

Good luck for the future ;)

Flag: ESD{doesnt_send_private_keys_over_an_unsecured_channel}