tl;dr

  • USB Leftover Capture Data extraction.

Description

As you and your convoy circle the barren lands on your light cycles you notice something strange in the distance. Upon further investigation you find what seems to be the remnants of a battle.

Bodies, robotic and organic alike, are strewn all over the place. You begin scavenging for supplies and weapons, suddenly a man near death thrusts his hand and grabs your arm. “Please” he croaks, “find my friends”.

He hands you a USB as he takes his last breath. You plug the drive into your mechanical arm and the contents start flooding your HUD. It contains this message and an encrypted file.

Initial Analysis

In this challenge we got a password-protected 7z file and a text file. I don’t know why they gave us that text file; for now, my aim was to crack the password for the 7z file.

So I used an online tool to crack the 7z password, and it gave me the password “toor”. Using this password to extract the archive, I got a pcap.

On analysing the pcap file, I found that all of its packets are related to the USB protocol, and on observing the Leftover Capture Data I got to know that it was based on keyboard strokes.

Further Analysis

So, on googling, I found a script for USB keyboard strokes, and I have rewritten that code so that it automates the whole process we would otherwise do manually and prints the flag. The code follows:

import os

# USB HID keyboard usage IDs -> "<unshifted><shifted>" characters
usb_codes = {
   0x04:"aA", 0x05:"bB", 0x06:"cC", 0x07:"dD", 0x08:"eE", 0x09:"fF",
   0x0A:"gG", 0x0B:"hH", 0x0C:"iI", 0x0D:"jJ", 0x0E:"kK", 0x0F:"lL",
   0x10:"mM", 0x11:"nN", 0x12:"oO", 0x13:"pP", 0x14:"qQ", 0x15:"rR",
   0x16:"sS", 0x17:"tT", 0x18:"uU", 0x19:"vV", 0x1A:"wW", 0x1B:"xX",
   0x1C:"yY", 0x1D:"zZ", 0x1E:"1!", 0x1F:"2@", 0x20:"3#", 0x21:"4$",
   0x22:"5%", 0x23:"6^", 0x24:"7&", 0x25:"8*", 0x26:"9(", 0x27:"0)",
   0x2C:"  ", 0x2D:"-_", 0x2E:"=+", 0x2F:"[{", 0x30:"]}",  0x32:"#~",
   0x33:";:", 0x34:"'\"",  0x36:",<",  0x37:".>", 0x4f:">", 0x50:"<"
   }
# one string per text row the cursor can be on
l = ["","","","",""]

pos = 0

# dump the Leftover Capture Data of every packet, one line per packet
os.system('tshark -r location.pcap -T fields -e usb.capdata > d.txt')

f=open("d.txt","r").readlines()

a=[]

# keep reports with no modifier (00) or Left Shift (02) and a key pressed;
# the slicing assumes colon-separated bytes, e.g. 02:00:16:00:00:00:00:00
for i in range(0,len(f)):
  d=str(f[i])
  d=d[0:23]
  if((d[0:2]=="00" or d[0:2]=="02") and d[6:8] != "00"):
    a.append(d)

a='\n'.join(a)

# save the filtered reports so they can be inspected by hand
b=open('k1','w')
b.write(a)
b.close()

for x in open("k1","r").readlines():
   # third byte of the report = first key code
   c = int(x[6:8],16)
   if c == 0:
       continue
   # newline or down arrow - move down
   if c == 0x51 or c == 0x28:
       pos += 1
       continue
   # up arrow - move up
   if c == 0x52:
       pos -= 1
       continue
   # select the character based on the Shift key
   if int(x[0:2],16) == 2:
       l[pos] += usb_codes[c][1]
   else:
       l[pos] += usb_codes[c][0]

print(l[0])

After running the above code for USB keyboard HID keys, I got some random string as output:

The random string is : synt{jne_arire_punatrf}

I understood that the random string was a Caesar cipher. We can see that the difference between s and f is 13, so I modified the above code to shift each letter by 13 and print the deciphered flag. The modified code is:

import os

# USB HID keyboard usage IDs -> "<unshifted><shifted>" characters
usb_codes = {
   0x04:"aA", 0x05:"bB", 0x06:"cC", 0x07:"dD", 0x08:"eE", 0x09:"fF",
   0x0A:"gG", 0x0B:"hH", 0x0C:"iI", 0x0D:"jJ", 0x0E:"kK", 0x0F:"lL",
   0x10:"mM", 0x11:"nN", 0x12:"oO", 0x13:"pP", 0x14:"qQ", 0x15:"rR",
   0x16:"sS", 0x17:"tT", 0x18:"uU", 0x19:"vV", 0x1A:"wW", 0x1B:"xX",
   0x1C:"yY", 0x1D:"zZ", 0x1E:"1!", 0x1F:"2@", 0x20:"3#", 0x21:"4$",
   0x22:"5%", 0x23:"6^", 0x24:"7&", 0x25:"8*", 0x26:"9(", 0x27:"0)",
   0x2C:"  ", 0x2D:"-_", 0x2E:"=+", 0x2F:"[{", 0x30:"]}",  0x32:"#~",
   0x33:";:", 0x34:"'\"",  0x36:",<",  0x37:".>", 0x4f:">", 0x50:"<"
   }
# one string per text row the cursor can be on
l = ["","","","",""]

pos = 0

# dump the Leftover Capture Data of every packet, one line per packet
os.system('tshark -r location.pcap -T fields -e usb.capdata > d.txt')

f=open("d.txt","r").readlines()

a=[]

# keep reports with no modifier (00) or Left Shift (02) and a key pressed;
# the slicing assumes colon-separated bytes, e.g. 02:00:16:00:00:00:00:00
for i in range(0,len(f)):
  d=str(f[i])
  d=d[0:23]
  if((d[0:2]=="00" or d[0:2]=="02") and d[6:8] != "00"):
    a.append(d)

a='\n'.join(a)

# save the filtered reports so they can be inspected by hand
b=open('k1','w')
b.write(a)
b.close()

for x in open("k1","r").readlines():
   # third byte of the report = first key code
   c = int(x[6:8],16)

   if c == 0:
       continue
   # newline or down arrow - move down
   if c == 0x51 or c == 0x28:
       pos += 1
       continue
   # up arrow - move up
   if c == 0x52:
       pos -= 1
       continue
   # select the character based on the Shift key
   if int(x[0:2],16) == 2:
       l[pos] += usb_codes[c][1]
   else:
       l[pos] += usb_codes[c][0]

print(l[0])

# ROT13: shift every lowercase letter by 13, leave everything else as it is
new_str = ''
temp = []
for letter in l[0]:
    if ord(letter) >= 97 and ord(letter) <= 122:
        temp.append(chr(97 + (ord(letter) - 97 + 13) % 26))

    else:
        temp.append(letter)
new_str = new_str.join(temp)

print(new_str)
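
The scripts above read only the first key slot, match the modifier byte exactly and assume colon-separated usb.capdata. As an added example (not part of the original writeup), the decoder below parses the whole 8-byte boot keyboard report, accepts capdata with or without ':' separators, honours either Shift key and emits only newly pressed keys; the names and the sample reports are constructed for illustration and type a ROT13 string unrelated to the challenge.

```python
import codecs

# HID keyboard usage IDs -> (unshifted, shifted); letters and digits are contiguous.
KEYS = {0x04 + i: (c, c.upper()) for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
KEYS.update({0x1E + i: p for i, p in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYS.update({0x28: ("\n", "\n"), 0x2C: (" ", " "), 0x2D: ("-", "_"),
             0x2F: ("[", "{"), 0x30: ("]", "}")})
SHIFT_MASK = 0x02 | 0x20  # Left Shift and Right Shift bits of the modifier byte

# Constructed sample of `tshark -T fields -e usb.capdata` output (not from location.pcap).
SAMPLE = [
    "02:00:0a:00:00:00:00:00", "00:00:00:00:00:00:00:00",  # Left Shift + g, release
    "0000150000000000", "0000150900000000",  # r, then f while r is still held
    "0000090000000000", "0000000000000000",  # r released (no new key), release
    "", "00000a0000000000", "0000000000000000",  # packet without capdata, then g
    "20002f0000000000", "0000000000000000",  # Right Shift + [
    "0000050000000000", "00001b0000000000",  # b, then x
    "0200300000000000", "0000000000000000",  # Left Shift + ]
]


def decode_reports(lines):
    """Turn usb.capdata lines (8-byte boot keyboard reports) into the typed text."""
    text, held = [], set()
    for line in lines:
        hexstr = line.strip().replace(":", "")  # accept both output styles
        if len(hexstr) != 16:
            continue  # not an 8-byte keyboard report (empty field, other device)
        try:
            report = bytes.fromhex(hexstr)
        except ValueError:
            continue
        shifted = bool(report[0] & SHIFT_MASK)
        pressed = {k for k in report[2:8] if k > 0x03}  # 0x00-0x03: no key / error
        for key in report[2:8]:  # report order, only keys that were not held before
            if key in pressed and key not in held and key in KEYS:
                text.append(KEYS[key][shifted])
        held = pressed
    return "".join(text)


def rot13(s):
    """Caesar shift by 13 that handles both upper and lower case."""
    return codecs.decode(s, "rot_13")


if __name__ == "__main__":
    decoded = decode_reports(SAMPLE)
    print(decoded, "->", rot13(decoded))
```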

Flag

Flag: flag{war_never_changes}

If you liked my solution, please do share it. I’m available on Twitter: @NihithNihi