This challenge consists in a pcap file showing net traffic, most of which was encrypted using TLS 1.2. The biggest challenge consisted in knowing what to look for. I looked for the first TCP stream available, and followed it, to find a link to Ralphie's webmail:
This link now leads to an empty inbox, but during the challenge, a single mail to another of those mailboxes was there. Its subject was 1337 and it had an empty body. Studying the body of the email did not give any information, neither did consulting the other mailbox.
Following another TCP streams reveals the presence of other emails in that same mailbox, exchanged with firstname.lastname@example.org, regarding a Little Orphan Annie Club.
So let's try to retrieve those emails and see what's inside. In wireshark, I did File > Export objects > HTTP to export any valid http webpage in the capture, and started looking into that. The first interesting thing I saw was this image:
Which was taken from this wikipedia page, about secret decoder rings used to do Caesar cypher in the 30s.
That explains the LOASS in the presentation of the challenge: Little Orphan Annie Secret Squadron.
So there must be a message encoded using that ring or something similar in the capture.
In the exported files are several emails, one of which is:
Ralphie, Set your ring to shift 8! The message is: ZMUMUJMZ BW LZQVS GWCZ WDITBQVM! Annie
REMEMBER TO DRINK YOUR OVALTINE!
Ralphie, I am writing to inform you of our recent data breach. We at Little Orphan Annie are working around the clock to rectify this situation, but our decoder rings have been compromised. We will be using a new secret code that you must figure out! Annie
Ralphie, The secret message this week uses a new type of encoding! The message is: ZmxhZ3todHRwczovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PXpkQV9fMnRL b0lVfQ== Annie