
The developers of a TLS implementation in the OCaml language have announced the BTC Piñata competition to prove the reliability of their defense. It is known that contests cannot be real proof, but this one is a lot of fun and comes with a small cash prize.
So, two hackers have opened a demo server, ownme.ipredator.se. On the server is the key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. The server will give us the key if we present a certificate.
The organizers have provided us with a MitM mechanism: we can pass the traffic between the BTC Piñata virtual machines (the TLS server and the TLS client) through ourselves. As is known, this traffic contains the necessary certificate; we only need to extract it in some way.
The TLS server interface is on port 10000, the TLS client is on port 10002, and port 10001 is used to forward traffic to us on port 40001.
So, we initiate communication between the server and the client and listen on port 40001.
For example, in Node.js this is done with the following script:
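
    var net = require("net");

    // Socket named `server`: connects to port 10002 (the Piñata's TLS client).
    var server = net.connect({ host: 'ownme.ipredator.se', port: 10002 });
    // Socket named `client`: connects to port 10000 (the Piñata's TLS server).
    var client = net.connect({ host: 'ownme.ipredator.se', port: 10000 });

    // Log every chunk that passes through, tagged with the socket it came from.
    server.on('data', console.log.bind(console, 'server'));
    client.on('data', console.log.bind(console, 'client'));

    // Relay the bytes in both directions so the two endpoints talk through us.
    client.pipe(server).pipe(client);
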
Now we record and analyze traffic.
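A first step in analyzing the recorded traffic is to split each direction of the relayed stream into TLS records (a 5-byte header followed by the body), since a TCP chunk rarely lines up with a record boundary. The following is an added example, not part of the original article or of the Piñata code; `createRecordParser`, `demo` and the sample bytes are constructed for illustration.

```javascript
// Added example: reassemble TLS records from the chunks a relay sees.
const CONTENT_TYPES = {
  20: 'change_cipher_spec', 21: 'alert', 22: 'handshake', 23: 'application_data',
};
const MAX_RECORD_LEN = 16384 + 2048; // TLS 1.2 ciphertext bound (RFC 5246, 6.2.3)

// Returns a stateful parser; feed it every 'data' chunk of ONE direction.
function createRecordParser(label) {
  let pending = Buffer.alloc(0);
  return function feed(chunk) {
    pending = Buffer.concat([pending, chunk]);
    const records = [];
    while (pending.length >= 5) {
      const type = pending[0];
      const length = pending.readUInt16BE(3);
      // Header sanity checks: known content type, major version 3, sane length.
      if (!(type in CONTENT_TYPES) || pending[1] !== 3 || length > MAX_RECORD_LEN) {
        throw new Error(label + ': not a TLS record header');
      }
      if (pending.length < 5 + length) break; // body not fully received yet
      records.push({
        from: label,
        type: CONTENT_TYPES[type],
        version: '3.' + pending[2], // 3.1 = TLS 1.0, 3.3 = TLS 1.2
        length: length,
        body: pending.subarray(5, 5 + length),
      });
      pending = pending.subarray(5 + length);
    }
    return records;
  };
}

// Constructed sample: a handshake record split across two chunks, with a
// ChangeCipherSpec record arriving in the same chunk as the handshake's tail.
function demo() {
  const handshake = Buffer.from([22, 3, 1, 0, 4, 1, 0, 0, 0]); // 4-byte placeholder body
  const ccs = Buffer.from([20, 3, 3, 0, 1, 1]);
  const feed = createRecordParser('client');
  const first = feed(handshake.subarray(0, 7)); // header + 2 body bytes only
  const second = feed(Buffer.concat([handshake.subarray(7), ccs]));
  return { first: first, second: second };
}
```

In the relay script, create one parser per socket and call it from that socket's `'data'` handler instead of logging the raw buffer.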
The contest organizers themselves admit that there are no additional conditions. In theory, you can try to lure the key away from them in another way: phishing, social engineering, rectal cryptanalysis (in a figurative sense), or some other clever trick.
The code and libraries of BTC Piñata are open.
List of installed software on the demo server.