Trivia 400 walkthrough

I am embarrassed we did not solve this one; one of our guys checked SSL blacklists and it wasn't there. But you can't blame him too much, since the existing guides for how to check keys are very SSH-centric.

Step 1) Extract the certificate from Wireshark (see picture)

Step 2) Extract the RSA public key and exponent

openssl x509 -in CERTexport -inform DER -text -noout

Interestingly, the exponent is 35; this is more typical of ssh-keygen. This is probably a helping hand from ddtek. It's possibly why it did not show up in the SSL blacklist our guy looked at.

Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
    00:cf:a2:db:24:a3:ec:ea:35:73:af:ce:d6:f3:0c:
    c7:39:2c:3e:62:62:eb:d7:d0:2b:e0:68:9b:9d:84:
    a0:ce:2e:08:60:ea:d4:a5:74:bd:5f:68:65:ab:5c:
    9e:a1:b2:d8:8b:12:0a:54:76:23:fe:1f:4e:2a:70:
    f4:2b:1c:d3:4d:a7:de:a7:cc:cf:74:35:e6:70:85:
    21:7f:7d:af:94:39:2e:57:3d:22:c0:96:54:40:b8:
    72:30:7c:b6:52:6d:03:48:0a:58:35:70:97:8e:3a:
    68:01:3e:d9:59:5a:a0:95:82:14:68:fb:d8:65:6d:
    23:52:af:21:2d:30:9b:42:9e:0c:02:87:3a:fc:31:
    29:d0:c4:a4:01:52:0f:6b:1d:2a:66:16:a8:14:d4:
    5b:e3:a1:a7:ed:59:9f:2d:48:7e:40:08:f7:2b:28:
    f6:c7:52:2c:a2:14:a8:80:bb:45:09:b8:67:2d:eb:
    8f:26:6a:67:1c:4f:78:b8:de:08:7a:86:b5:4e:05:
    11:1b:2f:d5:e9:bb:dc:7e:03:ae:42:90:81:52:36:
    db:1d:f5:8d:1b:a5:b6:3d:07:bd:5e:7d:26:04:ea:
    bd:19:4d:74:da:2b:6f:37:49:f5:dd:66:4e:71:55:
    66:37:21:1a:87:7f:fa:57:45:74:20:13:10:1d:ef:
    37:55
Exponent: 35 (0x23)

Step 3) Generate an SSH public key and replace its modulus with the one from the extracted RSA pubkey

There may be a better way of doing this; this is the convoluted method I used.

ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/adc/.ssh/id_rsa): JUNK
spacelab:trivia400 adc$ cat JUNK.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsIdKSb/ibXzxUJGvRmuPnV3x0LOQg2pVrGEdM/VCrvm5B8kbAKi4Fw6V3Z/zCNf+/6xviMGLp4CqtOwq1qHVk85eYvmYOP5eFz5qNlJ7RJOdEYqbYOnswUo6qeODYU5IyT2dJv3KIU+wFipNu8hvTqLEfm+XVvpByhL3rLnTfcKHoq9yO7T2FKcwOtzjtliiO4gU0j6/cH8JWlKL25e0vbuEghDlk0P6pEWuRd397SOqkoEfi5mLDsKQ3W7TtqzsqWMeHAQ/hsmBW8VuBsnJA12JjVpeEIPWTBup3F74I/QrB4OgZdoG/fLcCxigUsWRSGhkw2VaI0k4kJZrQbiwEw== adc@spacelab.local
spacelab:trivia400 adc$ python
Python 2.6.2 (r262:71600, Apr 16 2009, 09:17:39)
[GCC 4.0.1 (Apple Computer, Inc. build 5250)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> basefile=base64.b64decode("AAAAB3NzaC1yc2EAAAABIwAAAQEAsIdKSb/ibXzxUJGvRmuPnV3x0LOQg2pVrGEdM/VCrvm5B8kbAKi4Fw6V3Z/zCNf+/6xviMGLp4CqtOwq1qHVk85eYvmYOP5eFz5qNlJ7RJOdEYqbYOnswUo6qeODYU5IyT2dJv3KIU+wFipNu8hvTqLEfm+XVvpByhL3rLnTfcKHoq9yO7T2FKcwOtzjtliiO4gU0j6/cH8JWlKL25e0vbuEghDlk0P6pEWuRd397SOqkoEfi5mLDsKQ3W7TtqzsqWMeHAQ/hsmBW8VuBsnJA12JjVpeEIPWTBup3F74I/QrB4OgZdoG/fLcCxigUsWRSGhkw2VaI0k4kJZrQbiwEw==")
>>> #find the dummy RSA modulus, this will be replaced with the one from the CERT file

spacelab:trivia400 adc$ openssl rsa -in JUNK -pubout | openssl rsa -pubin -text -noout
writing RSA key
Modulus (2048 bit):
    00:b0:87:4a:49:bf:e2:6d:7c:f1:50:91:af:46:6b:
    8f:9d:5d:f1:d0:b3:90:83:6a:55:ac:61:1d:33:f5:
    42:ae:f9:b9:07:c9:1b:00:a8:b8:17:0e:95:dd:9f:
    f3:08:d7:fe:ff:ac:6f:88:c1:8b:a7:80:aa:b4:ec:
    2a:d6:a1:d5:93:ce:5e:62:f9:98:38:fe:5e:17:3e:
    6a:36:52:7b:44:93:9d:11:8a:9b:60:e9:ec:c1:4a:
    3a:a9:e3:83:61:4e:48:c9:3d:9d:26:fd:ca:21:4f:
    b0:16:2a:4d:bb:c8:6f:4e:a2:c4:7e:6f:97:56:fa:
    41:ca:12:f7:ac:b9:d3:7d:c2:87:a2:af:72:3b:b4:
    f6:14:a7:30:3a:dc:e3:b6:58:a2:3b:88:14:d2:3e:
    bf:70:7f:09:5a:52:8b:db:97:b4:bd:bb:84:82:10:
    e5:93:43:fa:a4:45:ae:45:dd:fd:ed:23:aa:92:81:
    1f:8b:99:8b:0e:c2:90:dd:6e:d3:b6:ac:ec:a9:63:
    1e:1c:04:3f:86:c9:81:5b:c5:6e:06:c9:c9:03:5d:
    89:8d:5a:5e:10:83:d6:4c:1b:a9:dc:5e:f8:23:f4:
    2b:07:83:a0:65:da:06:fd:f2:dc:0b:18:a0:52:c5:
    91:48:68:64:c3:65:5a:23:49:38:90:96:6b:41:b8:
    b0:13
Exponent: 35 (0x23)

>>> basefile.find("\x00\xb0\x87\x4a")
20
#replace it with the modulus from the cert

python z/play/hextoxx.py
\x00\xcf\xa2\xdb\x24\xa3\xec\xea\x35\x73\xaf\xce\xd6\xf3\x0c\xc7\x39\x2c\x3e\x62\x62\xeb\xd7\xd0\x2b\xe0\x68\x9b\x9d\x84\xa0\xce\x2e\x08\x60\xea\xd4\xa5\x74\xbd\x5f\x68\x65\xab\x5c\x9e\xa1\xb2\xd8\x8b\x12\x0a\x54\x76\x23\xfe\x1f\x4e\x2a\x70\xf4\x2b\x1c\xd3\x4d\xa7\xde\xa7\xcc\xcf\x74\x35\xe6\x70\x85\x21\x7f\x7d\xaf\x94\x39\x2e\x57\x3d\x22\xc0\x96\x54\x40\xb8\x72\x30\x7c\xb6\x52\x6d\x03\x48\x0a\x58\x35\x70\x97\x8e\x3a\x68\x01\x3e\xd9\x59\x5a\xa0\x95\x82\x14\x68\xfb\xd8\x65\x6d\x23\x52\xaf\x21\x2d\x30\x9b\x42\x9e\x0c\x02\x87\x3a\xfc\x31\x29\xd0\xc4\xa4\x01\x52\x0f\x6b\x1d\x2a\x66\x16\xa8\x14\xd4\x5b\xe3\xa1\xa7\xed\x59\x9f\x2d\x48\x7e\x40\x08\xf7\x2b\x28\xf6\xc7\x52\x2c\xa2\x14\xa8\x80\xbb\x45\x09\xb8\x67\x2d\xeb\x8f\x26\x6a\x67\x1c\x4f\x78\xb8\xde\x08\x7a\x86\xb5\x4e\x05\x11\x1b\x2f\xd5\xe9\xbb\xdc\x7e\x03\xae\x42\x90\x81\x52\x36\xdb\x1d\xf5\x8d\x1b\xa5\xb6\x3d\x07\xbd\x5e\x7d\x26\x04\xea\xbd\x19\x4d\x74\xda\x2b\x6f\x37\x49\xf5\xdd\x66\x4e\x71\x55\x66\x37\x21\x1a\x87\x7f\xfa\x57\x45\x74\x20\x13\x10\x1d\xef\x37\x55
>>> certmod="\x00\xcf\xa2\xdb\x24\xa3\xec\xea\x35\x73\xaf\xce\xd6\xf3\x0c\xc7\x39\x2c\x3e\x62\x62\xeb\xd7\xd0\x2b\xe0\x68\x9b\x9d\x84\xa0\xce\x2e\x08\x60\xea\xd4\xa5\x74\xbd\x5f\x68\x65\xab\x5c\x9e\xa1\xb2\xd8\x8b\x12\x0a\x54\x76\x23\xfe\x1f\x4e\x2a\x70\xf4\x2b\x1c\xd3\x4d\xa7\xde\xa7\xcc\xcf\x74\x35\xe6\x70\x85\x21\x7f\x7d\xaf\x94\x39\x2e\x57\x3d\x22\xc0\x96\x54\x40\xb8\x72\x30\x7c\xb6\x52\x6d\x03\x48\x0a\x58\x35\x70\x97\x8e\x3a\x68\x01\x3e\xd9\x59\x5a\xa0\x95\x82\x14\x68\xfb\xd8\x65\x6d\x23\x52\xaf\x21\x2d\x30\x9b\x42\x9e\x0c\x02\x87\x3a\xfc\x31\x29\xd0\xc4\xa4\x01\x52\x0f\x6b\x1d\x2a\x66\x16\xa8\x14\xd4\x5b\xe3\xa1\xa7\xed\x59\x9f\x2d\x48\x7e\x40\x08\xf7\x2b\x28\xf6\xc7\x52\x2c\xa2\x14\xa8\x80\xbb\x45\x09\xb8\x67\x2d\xeb\x8f\x26\x6a\x67\x1c\x4f\x78\xb8\xde\x08\x7a\x86\xb5\x4e\x05\x11\x1b\x2f\xd5\xe9\xbb\xdc\x7e\x03\xae\x42\x90\x81\x52\x36\xdb\x1d\xf5\x8d\x1b\xa5\xb6\x3d\x07\xbd\x5e\x7d\x26\x04\xea\xbd\x19\x4d\x74\xda\x2b\x6f\x37\x49\xf5\xdd\x66\x4e\x71\x55\x66\x37\x21\x1a\x87\x7f\xfa\x57\x45\x74\x20\x13\x10\x1d\xef\x37\x55"
>>> base64.b64encode(basefile[:20] + certmod)
'AAAAB3NzaC1yc2EAAAABIwAAAQEAz6LbJKPs6jVzr87W8wzHOSw+YmLr19Ar4GibnYSgzi4IYOrUpXS9X2hlq1yeobLYixIKVHYj/h9OKnD0KxzTTafep8zPdDXmcIUhf32vlDkuVz0iwJZUQLhyMHy2Um0DSApYNXCXjjpoAT7ZWVqglYIUaPvYZW0jUq8hLTCbQp4MAoc6/DEp0MSkAVIPax0qZhaoFNRb46Gn7VmfLUh+QAj3Kyj2x1IsohSogLtFCbhnLeuPJmpnHE94uN4Ieoa1TgURGy/V6bvcfgOuQpCBUjbbHfWNG6W2PQe9Xn0mBOq9GU102itvN0n13WZOcVVmNyEah3/6V0V0IBMQHe83VQ=='
>>>
>>>

spacelab:trivia400 adc$ cat blah.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAz6LbJKPs6jVzr87W8wzHOSw+YmLr19Ar4GibnYSgzi4IYOrUpXS9X2hlq1yeobLYixIKVHYj/h9OKnD0KxzTTafep8zPdDXmcIUhf32vlDkuVz0iwJZUQLhyMHy2Um0DSApYNXCXjjpoAT7ZWVqglYIUaPvYZW0jUq8hLTCbQp4MAoc6/DEp0MSkAVIPax0qZhaoFNRb46Gn7VmfLUh+QAj3Kyj2x1IsohSogLtFCbhnLeuPJmpnHE94uN4Ieoa1TgURGy/V6bvcfgOuQpCBUjbbHfWNG6W2PQe9Xn0mBOq9GU102itvN0n13WZOcVVmNyEah3/6V0V0IBMQHe83VQ== haha

Step 4) thanks bruce :)

spacelab:trivia400 adc$ ssh-keygen -l -f blah.pub
2048 88:81:8d:ca:32:09:4e:87:2d:88:59:31:0b:45:74:b1 blah.pub (RSA)
spacelab:play adc$ grep 88:81:8d:ca ../bleidl/exegesis/keysets/rsa*
../bleidl/exegesis/keysets/rsa_2048_32_le.out:88:81:8d:ca:32:09:4e:87:2d:88:59:31:0b:45:74:b1 18342 rsa 2048 32 0
spacelab:exegesis adc$ ./exegesis -t rsa -b 2048 -p 18342
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAz6LbJKPs6jVzr87W8wzHOSw+YmLr19Ar4GibnYSgzi4IYOrU
pXS9X2hlq1yeobLYixIKVHYj/h9OKnD0KxzTTafep8zPdDXmcIUhf32vlDkuVz0i
wJZUQLhyMHy2Um0DSApYNXCXjjpoAT7ZWVqglYIUaPvYZW0jUq8hLTCbQp4MAoc6
/DEp0MSkAVIPax0qZhaoFNRb46Gn7VmfLUh+QAj3Kyj2x1IsohSogLtFCbhnLeuP
JmpnHE94uN4Ieoa1TgURGy/V6bvcfgOuQpCBUjbbHfWNG6W2PQe9Xn0mBOq9GU10
2itvN0n13WZOcVVmNyEah3/6V0V0IBMQHe83VQIBIwKCAQAXutc3YzEE0uimYMgb
xvIya3TYC04nSv2zPye6OwsQP8ZxeexqrkGHPyGP7VP1OQLOELC5MhK99PL9iUB5
9KpvRmKW1ZQNR/0ULHjbXtI801XA08l1GH6oT5gFiph+ctvNuAoUvGkXkaV8fDYY
1yhLmdZyZezYZD6NG1Q/rciZ5fiK/GMEg4IH067v99X5ww+QpnnQzzzUidLFcCEu
WUpQqhb0ejkavRkRI3ZkF1kmiMU5x1nAnH8b7XmzLHlvjkRKQfe2DCLwMylUuEBq
0MKS7GyWrF+JzR4XiyFV4gyWzJkw/ZMh1tcATLOJGrwmn3CGdElCVKmR8XNlhxr4
vfmbAoGBAOyQAGkXiS8+P8iEXQE40fTIykNXS7dkvr9YG5YzVMCEzd+qP+Cm41Vg
kl40mE8Tt2lv6/74z73eVpbUKMTKAo/vbfCvaPwjTW68F6GSSjANGRLlsovuDZJh
glKhF36OaTSD6+uNy7HXj3XnKqnu2GzC+Goa1nzK88TqhUXKLhnnAoGBAOCyZm99
KUjOCKDJPH3o4G1rm7rac1A7LPRVqOakZnN5as6lu6J2eDvri/5gVqnk1EAEbz7Y
QVEJmvkE8B0gZ0/U1ejy3KgQrsQcn9kJo6q/iRIR3r031VyNhAcN67lPA0wotsHk
R+QdG10GkbYwieDbry9oRLHPUP19L55TQtVjAoGBAJt0ko40CbFUytQ5uXXU4b4d
jDrhmCgPAQFlyPxNnhgcwc1+gb+DnLRyqVPZa2cqNrMAZ+IROA8Oc2puKWtgLZHJ
OZ4qIGstJEF0SgsW/Y1Kb5ATSXHlk+PZrWl/zZxO9K17Q0MFaJlwZZafOUsZTGS6
oz5paGCioDDx4ozyk1LZAoGATQn3PCrplU30VGJAoDKWFuMQ0lmGnyo7THUj905P
AwUOrUAjEyFNy2azp6wAdMN7+LEQMs3NQFsQj+RvlPUqvEj44idhmLVDO+yOk45G
vjMKbJhpn/XiwKWMWjCol05KRf9Umj+jnqrkz2/3cao95rG4aAZ989INI7XkcMwW
6hMCgYEAk37dl9nIK+e75DU2QQufWrDDyeNMTwtcYB79qwgqTI1+RzaRjGTh3wOL
82aZX8XG6qbBuvbDRNRW95vRI6uzzTGuzSHuOUyE+W68ZGJsq3lP+V+5fHA068mq
T0XTGVsSyzpoy1QHyVU4s9auVK/2o3hwuTcZ5eko8iIvyqquCQo=
-----END RSA PRIVATE KEY-----

--------

Step 6)
Preferences -> SSL -> RSA key list

ssl.keys_list: 192.168.1.43,443,http,/tmp/fun.key

ip = the server the client is talking to

-----------

GET /temp.html HTTP/1.1
Host: ddtek
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042513 Ubuntu/8.04 (hardy) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Date: Fri, 05 Jun 2009 20:19:49 GMT
Server: Apache/2.2.4 (Ubuntu) mod_ssl/2.2.4 OpenSSL/0.9.8e
Last-Modified: Fri, 05 Jun 2009 20:06:11 GMT
ETag: "25813f-ea-6c7dd2c0"
Accept-Ranges: bytes
Content-Length: 234
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Username:
Password:
POST /next.html HTTP/1.1
Host: ddtek
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042513 Ubuntu/8.04 (hardy) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ddtek/temp.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

user=ddtek&password=0987POIU%3Blkj

HTTP/1.1 200 OK
Date: Fri, 05 Jun 2009 20:20:03 GMT
Server: Apache/2.2.4 (Ubuntu) mod_ssl/2.2.4 OpenSSL/0.9.8e
Last-Modified: Fri, 05 Jun 2009 20:11:12 GMT
ETag: "258140-3a-7e6eb800"
Accept-Ranges: bytes
Content-Length: 58
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html

CONGRATS!
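
Step 3 can also be done without splicing bytes into a dummy key: an ssh-rsa public key blob is three length-prefixed fields, so it can be built directly from the certificate's exponent and modulus and then fingerprinted for the keyset lookup in Step 4. The following is an added Python 3 example, not part of the original walkthrough; the function names and the sample modulus are constructed for illustration.

```python
import base64
import hashlib
import struct


def mpint(value):
    """SSH mpint body: big-endian, with a leading 0x00 when the top bit is set."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def ssh_string(data):
    """SSH string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def modulus_from_openssl_text(dump):
    """Turn the colon-separated hex printed by `openssl x509 -text` into an int."""
    return int("".join(dump.split()).replace(":", ""), 16)


def ssh_rsa_blob(e, n):
    """Wire-format ssh-rsa public key: "ssh-rsa", exponent, modulus."""
    return ssh_string(b"ssh-rsa") + ssh_string(mpint(e)) + ssh_string(mpint(n))


def parse_ssh_rsa_blob(blob):
    """Inverse of ssh_rsa_blob; returns (e, n) and rejects malformed input."""
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def md5_fingerprint(blob):
    """Colon-separated MD5 of the blob, the format `ssh-keygen -l` printed above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    n = (1 << 2047) | 1  # constructed 2048-bit stand-in, not the certificate's modulus
    blob = ssh_rsa_blob(35, n)
    print("ssh-rsa", base64.b64encode(blob).decode(), "constructed-example")
    print(md5_fingerprint(blob))
```

With exponent 35 and a 2048-bit modulus, the first 20 bytes of the blob are the same header the session keeps with basefile[:20], and the modulus field starts with the leading 00 byte that openssl prints.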