UIUCTF 2015 - Ovaltine (100 points)

NETWORK: Welcome to the 1337 LOASS...Ralphie! ovaltine.7z

This challenge consists of a pcap file of network traffic, most of which is encrypted with TLS 1.2. The hardest part was knowing what to look for. I took the first TCP stream available and followed it, which revealed a link to Ralphie's webmail:

This link now leads to an empty inbox, but during the challenge a single mail to another of those mailboxes was there. Its subject was 1337 and its body was empty. Studying the body of the email gave no information, nor did checking the other mailbox.

Following other TCP streams reveals the presence of more emails in that same mailbox, exchanged with 0rphan4nni3@gmail.com, regarding a Little Orphan Annie Club.

So let's try to retrieve those emails and see what's inside. In Wireshark, I used File > Export Objects > HTTP to export every HTTP object in the capture and started looking through them. The first interesting thing I saw was this image:

This image was taken from this Wikipedia page about the secret decoder rings used for Caesar ciphers in the 30s. That explains the LOASS in the challenge description: Little Orphan Annie Secret Squadron. So there must be a message encoded with that ring, or something similar, in the capture.
Among the exported files are several emails, one of which reads:

Set your ring to shift 8!

I first wanted to decode the message using the ring setup shown on the Wikipedia page, but "setting the ring to shift 8" does not correspond to that ring, so I tried a classic Caesar cipher on the regular alphabet and got the following message:

That doesn't look like a flag, but at least I'm on the right track. Maybe the flag we are looking for is in a different email. Indeed, the last two emails Ralphie received are the following:

I am writing to inform you of our recent data breach. We at Little Orphan Annie are working around the clock to rectify this situation, but our decoder rings have been compromised. We will be using a new secret code that you must figure out!


The secret message this week uses a new type of encoding!

The message is: ZmxhZ3todHRwczovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PXpkQV9fMnRL


So that message must be the flag. I first thought that the string b0lVfQ== was the key to decode the message, and tried different Caesar cipher variations on the ASCII table, but it was actually base64 encoding (as the == at the end of the message indicates). A simple base64 decode gave the following string:
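The two decoding steps used in this writeup, the shift-8 Caesar cipher from the first email and the base64 decode of the last one, as an added Python example (not code from the original writeup). The Caesar ciphertext below is constructed for the example, since the writeup's own decoded message is only shown as an image; the two base64 fragments are the ones quoted above, and the example assumes, as the writeup does, that they are the head and tail of one message. It also includes the structural base64 check (alphabet, padding, length divisible by 4) that distinguishes an encoding from a substitution cipher, which is the distinction that cost time here.

```python
import base64
import binascii
import re

# Added example, not code from the original writeup. The Caesar sample text
# below is constructed; the base64 fragments are the ones quoted in the writeup.


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions (mod 26), keeping case.

    Non-letters (spaces, digits, punctuation) pass through unchanged, which is
    what a physical decoder ring would do as well.
    """
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decode(ciphertext: str, shift: int) -> str:
    """Undo a Caesar encryption made with `shift` ("set your ring to shift 8")."""
    return caesar_shift(ciphertext, -shift)


def caesar_bruteforce(ciphertext: str) -> dict:
    """All 26 candidate plaintexts, useful when the shift is not announced."""
    return {s: caesar_decode(ciphertext, s) for s in range(26)}


# Canonical base64 alphabet followed by at most two '=' padding characters.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(s: str) -> bool:
    """Cheap structural check: alphabet, padding placement and length % 4 == 0."""
    s = s.strip()
    return len(s) % 4 == 0 and bool(_B64_RE.match(s))


def try_base64(s: str):
    """Return the decoded UTF-8 text if `s` is valid base64, else None."""
    s = s.strip()
    if not looks_like_base64(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_message(message: str, ring_shift: int = 8) -> tuple:
    """Try base64 first, otherwise fall back to the announced Caesar shift.

    Returns (method, plaintext) so the caller knows which branch fired.
    """
    decoded = try_base64(message)
    if decoded is not None:
        return ("base64", decoded)
    return ("caesar", caesar_decode(message, ring_shift))


# --- constructed sample data -------------------------------------------------
# Plaintext chosen for this example (not taken from the capture), encrypted
# with the same shift the email announces.
SAMPLE_PLAINTEXT = "Be sure to drink your Ovaltine"
SAMPLE_CIPHERTEXT = "Jm aczm bw lzqvs gwcz Wditbqvm"  # caesar_shift(SAMPLE_PLAINTEXT, 8)

# The two base64 fragments as quoted in the writeup; the second is treated as
# the tail of the same message.
B64_PART_1 = "ZmxhZ3todHRwczovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PXpkQV9fMnRL"
B64_PART_2 = "b0lVfQ=="


if __name__ == "__main__":
    print(decode_message(SAMPLE_CIPHERTEXT))
    for shift, candidate in caesar_bruteforce(SAMPLE_CIPHERTEXT).items():
        print(f"{shift:2d}: {candidate}")
    print(decode_message(B64_PART_1))
    print(decode_message(B64_PART_2))
    print(decode_message(B64_PART_1 + B64_PART_2))
```

The structural check is deliberately strict (`validate=True` rejects anything outside the base64 alphabet), but it is still only a heuristic: a short Caesar ciphertext written without spaces and with a length divisible by 4 would pass it and decode to garbage, so when the base64 branch returns unprintable bytes the Caesar brute force is the next thing to look at.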