h4x0rpsch0rr's
TUM CTF



Hint: For libc hunters, it's probably Debian Jessie
Info: No more new challenges coming, so pwn them now and be done till next year! :)
Hint: New hint for ndis!


crypto / ndis

EPIC HINT published six hours before the end: The server’s ciphersuites have been carefully chosen to allow this attack. (Plus the server was patched a little bit.)


We have an HTTPS server and client talking to each other with you right in the middle! The client essentially executes

curl --cacert server.crt https://nsa.gov

with some magic to redirect the transmitted data to your socket, to which the server responds with a lovely German-language poem.

NOTE: There is nothing else hosted on the server; no need to brute-force filenames. Moreover, it may behave untypically due to hackiness.

Your task is to make the client receive a CTF-themed adaptation of another German poem instead; to be precise, the HTTP response must consist of the following bytes:

00000000  57 61 6c 6c 65 21 20 57  61 6c 6c 65 0a 4d 61 6e  |Walle! Walle.Man|
00000010  63 68 65 20 53 74 72 65  63 6b 65 2c 0a 44 61 73  |che Strecke,.Das|
00000020  73 20 7a 75 6d 20 5a 77  65 63 6b 65 0a 46 6c 61  |s zum Zwecke.Fla|
00000030  67 67 65 6e 20 66 6c 69  65 c3 9f 65 6e 2c 0a 55  |ggen flie..en,.U|
00000040  6e 64 20 6d 69 74 20 72  65 69 63 68 65 6d 2c 20  |nd mit reichem, |
00000050  76 6f 6c 6c 65 6d 20 53  63 68 77 61 6c 6c 65 0a  |vollem Schwalle.|
00000060  5a 75 20 64 65 6e 20 50  75 6e 6b 74 65 6e 20 73  |Zu den Punkten s|
00000070  69 63 68 20 65 72 67 69  65 c3 9f 65 6e 2e 0a     |ich ergie..en..|

Upon receiving this response from the server, the client sends the flag to you through the same connection used to intercept the HTTPS traffic, so make sure not to overlook it!
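Since the target response is only given as a hexdump, it is easy to mistype a byte when checking what the client actually received. The following Python helper is an added example, not part of the challenge materials: it parses the `hexdump -C` style listing above into bytes, cross-checks every line's offset and ASCII column against its hex column (so a corrupted copy of the listing is caught rather than silently trusted), and compares a received HTTP body against the result. The hexdump text is the one from the description, embedded inline; `matches_expected` and the tampered-listing check are assumptions of this example.

```python
import re

# The expected HTTP response from the challenge text, embedded verbatim
# (hexdump -C format) so the script runs offline.
HEXDUMP = """\
00000000  57 61 6c 6c 65 21 20 57  61 6c 6c 65 0a 4d 61 6e  |Walle! Walle.Man|
00000010  63 68 65 20 53 74 72 65  63 6b 65 2c 0a 44 61 73  |che Strecke,.Das|
00000020  73 20 7a 75 6d 20 5a 77  65 63 6b 65 0a 46 6c 61  |s zum Zwecke.Fla|
00000030  67 67 65 6e 20 66 6c 69  65 c3 9f 65 6e 2c 0a 55  |ggen flie..en,.U|
00000040  6e 64 20 6d 69 74 20 72  65 69 63 68 65 6d 2c 20  |nd mit reichem, |
00000050  76 6f 6c 6c 65 6d 20 53  63 68 77 61 6c 6c 65 0a  |vollem Schwalle.|
00000060  5a 75 20 64 65 6e 20 50  75 6e 6b 74 65 6e 20 73  |Zu den Punkten s|
00000070  69 63 68 20 65 72 67 69  65 c3 9f 65 6e 2e 0a     |ich ergie..en..|
"""

_HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def _ascii_column(chunk: bytes) -> str:
    """Render bytes the way hexdump -C does: printable ASCII, else '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def parse_hexdump(dump: str) -> bytes:
    """Parse a hexdump -C listing into bytes.

    Every line is validated: the offset must equal the number of bytes
    decoded so far, each line carries at most 16 bytes, and the ASCII
    column must agree with the hex column. Any mismatch raises ValueError,
    so a mangled listing cannot produce a plausible-looking wrong target.
    """
    out = bytearray()
    for lineno, line in enumerate(dump.splitlines(), 1):
        if not line.strip():
            continue
        left, sep, rest = line.partition("|")
        if not sep or not rest.endswith("|"):
            raise ValueError(f"line {lineno}: missing ASCII column")
        ascii_col = rest[:-1]

        tokens = left.split()
        if not tokens:
            raise ValueError(f"line {lineno}: no offset")
        offset = int(tokens[0], 16)
        if offset != len(out):
            raise ValueError(
                f"line {lineno}: offset {offset:#x} but {len(out):#x} bytes read")

        hex_tokens = tokens[1:]
        if not hex_tokens or len(hex_tokens) > 16:
            raise ValueError(f"line {lineno}: expected 1..16 bytes, got {len(hex_tokens)}")
        if any(not _HEX_BYTE.match(t) for t in hex_tokens):
            raise ValueError(f"line {lineno}: non-hex token in hex column")
        chunk = bytes(int(t, 16) for t in hex_tokens)

        if _ascii_column(chunk) != ascii_col:
            raise ValueError(
                f"line {lineno}: ASCII column {ascii_col!r} does not match hex column")
        out += chunk
    return bytes(out)


EXPECTED_RESPONSE = parse_hexdump(HEXDUMP)


def matches_expected(received: bytes) -> bool:
    """True only if the received response is byte-for-byte the target."""
    return received == EXPECTED_RESPONSE


def poem_text() -> str:
    """The target decoded as UTF-8 (the c3 9f sequences are 'ß')."""
    return EXPECTED_RESPONSE.decode("utf-8")


if __name__ == "__main__":
    print(f"{len(EXPECTED_RESPONSE)} bytes expected:")
    print(poem_text())
```

Feeding the response the client actually saw into `matches_expected` answers the only question that matters for the challenge: whether the bytes are exactly right, including the two UTF-8 encoded `ß` characters and the trailing newline, which are the parts most easily lost when the poem is copied as text rather than as bytes.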

Server: https://130.211.200.153:4433
Client: nc 130.211.200.153 9955

(If you just forward everything from one of those ports to the other, the connection succeeds and everything works fine. Then hack.)

NOTE: The setup for this challenge is not entirely trivial, so if you’re confused about unexpected things happening, please contact yyyyyyy on IRC. There is also a good chance something’s broken.

300 Basepoints + 100 Bonuspoints * min(1, 3/1 Solves) = 400 Points



Solved by:

Team     Time
LC↯BC    2016-10-02 14:06:05 +0000 UTC