
DEADROP Network 3 - TLS Session

A TLS-encrypted PCAP paired with a session key log file. Load both into Wireshark to decrypt the traffic and recover the flag from the plaintext HTTP response.

TLS Session

Overview

A TLS 1.2 session capture along with the NSS key log file. Decrypt the traffic in Wireshark to find an HTTP file download embedded mid-stream.

Solution

Load the PCAP in Wireshark, then configure TLS decryption:

Edit > Preferences > Protocols > TLS
(Pre)-Master-Secret log filename: [browse to session_keys.log]

The traffic decrypts immediately. Filter to HTTP:

http

Three requests are visible:

- GET /api/status: JSON status response
- GET /api/version: JSON version response
- GET /files/personnel_roster_partial.txt: file download

Right-click the /files/... response and choose Follow > HTTP Stream. The response body is a partial personnel roster for DEADROP field assets, with most assignments redacted. The flag is at the bottom, labelled as a training exercise verification token.

To extract the file body directly from the command line (the filter matches all three 200 responses, so the two JSON bodies are printed before the roster):

tshark -r tls_session.pcapng \
  -o "tls.keylog_file:session_keys.log" \
  -Y 'http.response.code == 200' \
  -T fields -e http.file_data \
  | xxd -r -p

Flag: DEADROP{tls_decryption_is_cheating_and_i_love_it}

Key Takeaway

TLS protects data in transit, but only while the session secrets stay secret. The NSS key log format (written by Firefox, Chrome and curl, among others) is the standard way to record those secrets for legitimate debugging, and it enables forensic decryption whenever the key log is available alongside the capture.
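The takeaway rests on the key log format itself: every line is a label, the 32-byte client random from the session's ClientHello (hex), and a secret (hex), which is how Wireshark pairs a log entry with a flow in the capture. The following Python, added here as an example and not part of this writeup or its challenge files, parses such a log, validates each entry, extracts the client random from ClientHello records, and reports which sessions the log can decrypt. The key log text and the TLS records are constructed placeholders, not session_keys.log or tls_session.pcapng.

```python
"""Check an NSS key log (SSLKEYLOGFILE format) against the ClientHello randoms
seen in a capture, to tell which sessions Wireshark will be able to decrypt.
Added example with constructed sample data; not the challenge's files."""
import struct

# Labels written by TLS 1.3 stacks; all are indexed by the 32-byte client random.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# Status strings returned by decryptable_sessions()
TLS12_OK = "TLS 1.2: master secret present"
TLS13_OK = "TLS 1.3: application traffic secrets present"
TLS13_PARTIAL = "TLS 1.3: handshake secrets only, application data stays encrypted"
NO_KEY = "no key: cannot decrypt"
NOT_HELLO = "not a ClientHello record"


def parse_keylog(text: str):
    """Parse lines of the form '<LABEL> <client_random hex> <secret hex>'.

    Returns (keys, problems): keys maps client_random bytes -> {label: secret};
    problems lists a reason for every line that was rejected instead of used.
    """
    keys, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines are allowed
        parts = line.split()
        if len(parts) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        label, rand_hex, secret_hex = parts
        try:
            rand, secret = bytes.fromhex(rand_hex), bytes.fromhex(secret_hex)
        except ValueError:
            problems.append(f"line {lineno}: non-hex value")
            continue
        if len(rand) != 32:
            problems.append(f"line {lineno}: client random is {len(rand)} bytes, expected 32")
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 48:
            problems.append(f"line {lineno}: master secret is {len(secret)} bytes, expected 48")
            continue
        if label != "CLIENT_RANDOM" and label not in TLS13_LABELS:
            problems.append(f"line {lineno}: unknown label {label}")
            continue
        keys.setdefault(rand, {})[label] = secret
    return keys, problems


def client_random_from_record(record: bytes):
    """Return the 32-byte random from a TLS ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:      # content type 22 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 34:                            # client_version(2) + random(32)
        return None
    return body[2:34]


def decryptable_sessions(records, keys):
    """Report, per record, whether the key log covers that session."""
    report = []
    for index, record in enumerate(records):
        rand = client_random_from_record(record)
        if rand is None:
            status = NOT_HELLO
        else:
            entry = keys.get(rand, {})
            if "CLIENT_RANDOM" in entry:
                status = TLS12_OK
            elif {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}.issubset(entry):
                status = TLS13_OK
            elif entry:
                status = TLS13_PARTIAL
            else:
                status = NO_KEY
        report.append({"index": index, "client_random": rand.hex() if rand else None, "status": status})
    return report


def build_client_hello(client_random: bytes) -> bytes:
    """Constructed input: a minimal, structurally valid TLS 1.2 ClientHello record."""
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + client_random        # 32-byte random (the key log's lookup key)
        + b"\x00"              # session_id length: 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"          # one compression method: null
        + b"\x00\x00"          # no extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample data (placeholder values, not the challenge's session_keys.log)
RAND_A, RAND_B, RAND_C = bytes(range(32)), bytes([0xAA] * 32), bytes([0xBB] * 32)
SAMPLE_KEYLOG = "\n".join([
    "# SSLKEYLOGFILE written by a TLS 1.2 client",
    f"CLIENT_RANDOM {RAND_A.hex()} {bytes(range(48)).hex()}",
    "# TLS 1.3 client: per-direction secrets, same client random on every line",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RAND_B.hex()} {bytes([0x11] * 32).hex()}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RAND_B.hex()} {bytes([0x22] * 32).hex()}",
    f"CLIENT_TRAFFIC_SECRET_0 {RAND_B.hex()} {bytes([0x33] * 32).hex()}",
    f"SERVER_TRAFFIC_SECRET_0 {RAND_B.hex()} {bytes([0x44] * 32).hex()}",
    "CLIENT_RANDOM deadbeef 00",   # truncated line: rejected, never silently used
])
SAMPLE_RECORDS = [
    build_client_hello(RAND_A),
    build_client_hello(RAND_B),
    build_client_hello(RAND_C),     # session with no key log entry
    b"\x17\x03\x03\x00\x05hello",   # application data record, not a ClientHello
]

if __name__ == "__main__":
    keys, problems = parse_keylog(SAMPLE_KEYLOG)
    for p in problems:
        print("rejected:", p)
    for row in decryptable_sessions(SAMPLE_RECORDS, keys):
        print(row["index"], row["status"])
```

Running the script prints the one rejected line and a status per record. The same check, run before opening a capture, tells you whether a key log that looks right actually covers the session you need: a TLS 1.3 log missing its `*_TRAFFIC_SECRET_0` lines lets Wireshark decrypt the handshake but leaves the application data, and with it the HTTP body, encrypted.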
