3

I've been battling with one school task for couple days and can't seem to find any idea how to solve it. The task is pretty simple:

Log in to the server using SSH. The answer to the task is in encrypted network traffic, which you have the ability to eavesdrop on, which a running web application can help with. HINT: HTTPS private key has been forgotten in Git

So I log in. Only tool I have sudo privileges is tcpdump. Quick use of ps aux returns the application which is in my interest.

/usr/bin/python3 /usr/local/bin/flask run --cert=/root/archive//cert.pem --key=/root//key.pem --host=0.0.0.0 --port=443

I do not have access to the root folder. Quick grab of network traffic with tcpdump allows me to save it to .pcap file. I check it with Wireshark and everything is in order, I see which message contains the answer—but obviously it's encrypted. So I try to open the app with my browser:

https://school_server_address:443

And it's an Apache server with two files and couple generic Git folders.

  • One file is cert.pem, which seems to be the public key, since it starts with -----BEGIN CERTIFICATE-----. So there is no use for me from it, since I can't use it to decrypt the network traffic in Wireshark.

  • The second file is a Python app which I don't quite understand. Here is the code:

    import os
    from flask import Flask, request
    from flask_autoindex import AutoIndex
    
    ppath = os.path.dirname(os.path.realpath(__file__))
    app = Flask(__name__)
    AutoIndex(app, browse_root=ppath, show_hidden=True)
    
    
    @app.route("/secret", methods=["POST"])
    def hello():
        # fetch password and compare
        with open("../password.txt", "r") as pfh, \
             open("../secret.txt", "r") as sfh:
            password = pfh.read().strip().split('=')[1]
            secret = sfh.read()
            if password == request.form.get('password', None):
                return secret
            return "Wrong password"
        return "Internal error"
    
    
    if __name__ == "__main__":
        app.run()
    

    I've tried opening the address in my browser:

      https://server_address:443/secret
    

    It just returns 404.

I know the information may not be easy to digest, since I'm trying to explain a task on a system only I can see, but do any of you have any idea how should I proceed with looking for the private HTTPS key? Are there more ideas I could deduce from the task description that I lack experience to do so? Thank you for any clues!

2
  • and have you looked for hidden git folders? "HTTPS private key has been forgotten in Git"
    – schroeder
    Commented Nov 3, 2023 at 13:28
  • 1
You cannot decrypt TLS traffic with only the private key. Any server configuration younger than 10-15 years won't use RSA for the key exchange. You can, however, mount a MitM and spy on plain-text data. However, it's unclear if there's an external agent making the POST requests or if you can simply read the files. Probably the former. Finding the key should be pretty easy. Commented Nov 3, 2023 at 15:43

2 Answers

4

Your hint says that the "HTTPS private key has been forgotten in Git." This could mean several things, but I suspect it means that the private key was added and deleted from Git history, which in turn means you can get it back.

Trawling Git

Quick peek

If the Git history is short, git log --stat and the pager might be enough. Run the command below, Ctrl+D until you find the right commit, and git show it.

git log --all --stat --oneline

In an assignment like this with mocked up Git history, that's probably all you need. If not, you can take a closer look:

Deeper dive

Filtering for files

Since your ps aux output says --key=/root//key.pem, try hunting for it. This path filter will check for .pem files in all tracked folders:

git log --all --stat -- ':**/*.pem'

Filtering for text changes

If you have some text in mind to look for in a delta, there are two ways to do so. For you, search text might be -----BEGIN or PRIVATE KEY.

This first command runs faster, but disregards file renames or matched instances that are added and removed from the same file. The optimization mostly ignores refactors, but might miss what you're looking for under rare, unexpected circumstances.

git log --all --stat -i --pickaxe-regex -S'private key'

This next command takes two passes through the history, making it slower than the previous one, but it checks for the text in every commit.

git log --all --stat -i -G'private key'

Filtering for commit message

It's unlikely to help with your assignment, but you can also search commit messages. Sensitive data is usually added along with other files in innocuous-sounding commits. But sometimes you get lucky and the commit that removes the sensitive data says what it's doing.

git log --all --stat -i --grep='key|secret|sensitive|private|credential|password'

Lesson

If you or anyone on your team puts secret data into Git, you can't just git rm it away. Its content stays there in the history forever. You need to use a tool like git filter-repo or git filter-branch to get rid of it, and everyone with a clone of the repo who has fetched it since the secret was introduced needs to fix theirs, too. This might mean throwing their repo away and cloning a fresh copy.

There are several ways to manage sensitive data. Whichever one you choose, you want to make it hard for a contributor to do the wrong thing.
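The trawling commands and the lesson above, as an added example that is not the answerer's code: a POSIX shell script that builds a constructed throwaway repo in which a placeholder key.pem is committed and then removed with git rm, runs the pathspec and -G history searches against it, and recovers the file from the commit just before the deletion. The repo layout, commit messages and the placeholder key body are all constructed here.

```shell
#!/bin/sh
# Added example, not code from the original answer: shows that a file removed
# with "git rm" is still found by history searches and is still recoverable.
set -eu

# Fixed identity and no global/system config, so the demo commits work anywhere.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null

# make_leaky_repo DIR: three commits; key.pem exists only in the middle one.
make_leaky_repo() {
    git init -q "$1"
    echo 'print("hello")' > "$1/app.py"
    git -C "$1" add app.py
    git -C "$1" commit -q -m 'initial app'
    # Constructed placeholder body, not a real key.
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        'PLACEHOLDER-NOT-A-REAL-KEY' '-----END PRIVATE KEY-----' > "$1/key.pem"
    git -C "$1" add key.pem
    git -C "$1" commit -q -m 'add config files'
    git -C "$1" rm -q key.pem
    git -C "$1" commit -q -m 'cleanup'
}

# pem_commits DIR: commits on any ref touching a *.pem file ('*' crosses '/').
pem_commits() {
    git -C "$1" log --all --format=%H -- '*.pem'
}

# key_text_commits DIR: commits whose diff adds or removes a matching line,
# i.e. both the commit that introduced the key and the one that removed it.
key_text_commits() {
    git -C "$1" log --all --format=%H -G'PRIVATE KEY'
}

# recover_deleted DIR PATH: print PATH as it was just before the newest commit
# that deleted it. This is what "git rm" leaves behind for anyone with a clone.
recover_deleted() {
    deleter=$(git -C "$1" log --all --format=%H --diff-filter=D -1 -- "$2")
    git -C "$1" show "${deleter}^:$2"
}

# Walk-through when run directly: sh trawl.sh demo
if [ "${1:-}" = demo ]; then
    repo="$(mktemp -d)/leaky"
    make_leaky_repo "$repo"
    echo "commits touching *.pem:";         pem_commits "$repo"
    echo "commits with PRIVATE KEY lines:"; key_text_commits "$repo"
    echo "recovered key.pem:";              recover_deleted "$repo" key.pem
fi
```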

4

While you have access to the .git folder:

  • Download the .git folder:
    wget -r -np https://server_address:443/.git/
    
  • Check the status:
    git status 
    
  • If there are some deleted and uncommitted files, they can be restored:
    git restore .
    

If that doesn't work,

  • Check if there is another branch:
    git branch 
    
  • If there is another branch, switch to it and check if the private key is there:
    grep -RHi "private key" .
    

Note that the /secret endpoint only accepts POST requests, and it will not work if you try to access it in the browser. Consider using Postman or curl instead:

curl -d 'password=thedecryptedpass' -X POST https://server_address:443/secret
