tl;dr

• USB leftover Capture data extraction.

## Description

As you and your convoy circle the barren lands on your light cycles you notice something strange in the distance. Upon further investigation you find what seems to be the remnants of a battle.

Bodies, robotic and organic alike, are strewn all over the place. You begin scavenging for supplies and weapons, suddenly a man near death thrusts his hand and grabs your arm. “Please” he croaks, “find my friends”.

He hands you a USB as he takes his last breath. You plug the drive into your mechanical arm and the contents start flooding your HUD. It contains this message and an encrypted file.

## Initial Analysis

In this challenge we got a 7z file which was password protected and a text file. I don’t know why they have given that text file, as of now my aim was to crack the password for the ‘7z file’.

So, I used an online tool to crack the 7z password. And it gave me the password as “toor”, using this as the password for the archive and extracting it, got a pcap.

On analysing that pcap file, all the packets present in that pcap file are related to USB Protocol and on observing the left over capture data got to know that it was based on the keyboard Strokes.

## Futher Analysis

So, on googling found a script for USB Keyboard Strokes and i have rewritten that code such that it will automate all the process we do manually and will give the flag out. The code follows,

import os
usb_codes = &#123;
0x04:"aA", 0x05:"bB", 0x06:"cC", 0x07:"dD", 0x08:"eE", 0x09:"fF",
0x0A:"gG", 0x0B:"hH", 0x0C:"iI", 0x0D:"jJ", 0x0E:"kK", 0x0F:"lL",
0x10:"mM", 0x11:"nN", 0x12:"oO", 0x13:"pP", 0x14:"qQ", 0x15:"rR",
0x16:"sS", 0x17:"tT", 0x18:"uU", 0x19:"vV", 0x1A:"wW", 0x1B:"xX",
0x1C:"yY", 0x1D:"zZ", 0x1E:"1!", 0x1F:"2@", 0x20:"3#", 0x21:"4$", 0x22:"5%", 0x23:"6^", 0x24:"7&", 0x25:"8*", 0x26:"9(", 0x27:"0)", 0x2C:" ", 0x2D:"-_", 0x2E:"=+", 0x2F:"[&#123;", 0x30:"]&#125;", 0x32:"#~", 0x33:";:", 0x34:"'\"", 0x36:",<", 0x37:".>", 0x4f:">", 0x50:"<" &#125; l = ["","","","",""] pos = 0 os.system('tshark -r location.pcap -T fields -e usb.capdata > d.txt') f=open("d.txt","r").readlines() a=[] for i in range(0,len(f)): d=str(f[i]) d=d[0:23] if((d[0:2]=="00" or d[0:2]=="02") and d[6:8] != "00"): a.append(d) a='\n'.join(a) b=open('k1','w') b.write(a) b.close() for x in open("k1","r").readlines(): c = int(x[6:8],16) if c == 0: continue # newline or down arrow - move down if c == 0x51 or c == 0x28: pos += 1 continue # up arrow - move up if c == 0x52: pos -= 1 continue # select the character based on the Shift key if int(x[0:2],16) == 2: l[pos] += usb_codes[c][1] else: l[pos] += usb_codes[c][0] print l[0] After running the above code for USB keyboard hid keys, got an output as some random string, The random string is : synt{jne_arire_punatrf} I understood that random string was a Caesar Cipher. So I re-modified the above code such a way that we get the deciphered flag as we can see that the difference between s and f is 13, so I remodified like that. Modified code is, import os usb_codes = &#123; 0x04:"aA", 0x05:"bB", 0x06:"cC", 0x07:"dD", 0x08:"eE", 0x09:"fF", 0x0A:"gG", 0x0B:"hH", 0x0C:"iI", 0x0D:"jJ", 0x0E:"kK", 0x0F:"lL", 0x10:"mM", 0x11:"nN", 0x12:"oO", 0x13:"pP", 0x14:"qQ", 0x15:"rR", 0x16:"sS", 0x17:"tT", 0x18:"uU", 0x19:"vV", 0x1A:"wW", 0x1B:"xX", 0x1C:"yY", 0x1D:"zZ", 0x1E:"1!", 0x1F:"2@", 0x20:"3#", 0x21:"4$",
0x22:"5%", 0x23:"6^", 0x24:"7&", 0x25:"8*", 0x26:"9(", 0x27:"0)",
0x2C:"  ", 0x2D:"-_", 0x2E:"=+", 0x2F:"[&#123;", 0x30:"]&#125;",  0x32:"#~",
0x33:";:", 0x34:"'\"",  0x36:",<",  0x37:".>", 0x4f:">", 0x50:"<"
&#125;
l = ["","","","",""]

pos = 0

os.system('tshark -r location.pcap -T fields -e usb.capdata > d.txt')

a=[]

for i in range(0,len(f)):
d=str(f[i])
d=d[0:23]
if((d[0:2]=="00" or d[0:2]=="02") and d[6:8] != "00"):
a.append(d)

a='\n'.join(a)

b=open('k1','w')
b.write(a)
b.close()

c = int(x[6:8],16)

if c == 0:
continue
# newline or down arrow - move down
if c == 0x51 or c == 0x28:
pos += 1
continue
# up arrow - move up
if c == 0x52:
pos -= 1
continue
# select the character based on the Shift key
if int(x[0:2],16) == 2:
l[pos] += usb_codes[c][1]
else:
l[pos] += usb_codes[c][0]

print l[0]

new_str = ''
temp = []
for letter in l[0]:
if ord(letter) >= 97 and ord(letter) <= 122:
temp.append(chr(97 + (ord(letter) - 97 + 13) % 26))

else:
temp.append(letter)
new_str = new_str.join(temp)

print new_str

## Flag

Flag: flag{war_never_changes}

If you liked my solution, please do share it. I’m available on Twitter: @NihithNihi