[Forensics] Hackit 2017 - USB ducker


USB ducker
foren100

Description: This file was captured from one of the computers at the Internet cafe. We think that the hacker was using this computer at that time. Try to get his secret documents. ( flag format is flag{…} )

Attachment: (none)

Webpage: https://mega.nz/#!NVJ1kZCR!mDxd7V0rHtMStePa-tUEHPW-SyAxQ6f1zRDCTxX8y3M

Hint: (none)

PS: If you are here just for the script there’s a much better and more updated version at https://github.com/TeamRocketIst/ctf-usb-keyboard-parser

Another USB pcap. After analysing it with Wireshark we can see that there are two devices: one is a keyboard (bInterfaceClass: HID, 0x03) and the other is a mouse (its interface class is shown as Unknown)…

[Screenshot: Mouse]

[Screenshot: Keyboard]

We can confirm that the HID (0x03) device is a keyboard by searching for the string "keyboard" in Wireshark with Edit -> Find Packet (string search):

[Screenshot: Find Packet result for "keyboard"]

I also tried to see what the hacker did with the mouse, but found nothing special, just a straight line of clicks. The mouse reports can be extracted with tshark like this (usb.transfer_type 0x01 selects the interrupt transfers, and the class filter keeps only the interface that is not HID class 3):

tshark -r task.pcap -Y "usb.transfer_type == 0x01 && usb.bInterfaceClass!=3" -Tfields -e usb.capdata > mouse

Moving on to the keyboard, since the mouse gave us nothing special. The keyboard reports are extracted the same way, keeping only the HID (class 3) interface:

tshark -r task.pcap -Y "usb.transfer_type == 0x01 && usb.bInterfaceClass==3" -Tfields -e usb.capdata > keyboard

Now the tricky part here is that the hacker used the arrow keys, which makes it harder to write a script that simply spits out the keyboard input. During the CTF I got frustrated and chose to decode it by hand, looking up each keycode in table 12 of https://usb.org/sites/default/files/documents/hut1_12v2.pdf. Each keyboard report is 8 bytes and can be read like this:

02:00:20:00:00:00:00:00
|     |
|     |--> byte 2: the keycode of the key pressed, "decoded" with table 12 above (0x20 is '3', or '#' with shift); bytes 2 to 7 hold up to six keys pressed at the same time
|
|--> byte 0: the modifier byte, 02 when shift is pressed and 00 when it isn't (that is the left shift bit; right shift is 0x20, and Ctrl, Alt and GUI have bits of their own); byte 1 is reserved

A report with every keycode byte at 00 is sent when the key is released, so those can be skipped.
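As an added example (not the write-up's script, and not the TeamRocketIst parser it links to), here is a decoder for this report format that keeps a real two-dimensional cursor, so arrow keys, Home/End, Enter and Backspace edit the reconstructed text instead of being dropped; it acts on a key only when it newly appears in a report (a held key is listed in every report until it is released), honours both shift bits and Caps Lock, and accepts capdata either colon-separated, as tshark printed it here, or as a bare hex string, as newer tshark versions print it. The SAMPLE_REPORTS list at the bottom is constructed for the demonstration, not taken from the challenge pcap; pass the keyboard file from the tshark command as an argument to run it on real data.

```python
#!/usr/bin/env python3
# Decoder for USB HID boot-protocol keyboard reports (8 bytes: modifiers, reserved,
# up to six keycodes).  Added example for this write-up, not the write-up's own
# script; SAMPLE_REPORTS at the bottom is constructed, not taken from the pcap.

# Usage page 0x07 keycodes (HID Usage Tables, table 12): code -> (unshifted, shifted)
KEY_CODES = {
    **{0x04 + i: (chr(ord('a') + i), chr(ord('A') + i)) for i in range(26)},
    0x1E: ('1', '!'), 0x1F: ('2', '@'), 0x20: ('3', '#'), 0x21: ('4', '$'),
    0x22: ('5', '%'), 0x23: ('6', '^'), 0x24: ('7', '&'), 0x25: ('8', '*'),
    0x26: ('9', '('), 0x27: ('0', ')'), 0x2C: (' ', ' '), 0x2D: ('-', '_'),
    0x2E: ('=', '+'), 0x2F: ('[', '{'), 0x30: (']', '}'), 0x31: ('\\', '|'),
    0x33: (';', ':'), 0x34: ("'", '"'), 0x35: ('`', '~'), 0x36: (',', '<'),
    0x37: ('.', '>'), 0x38: ('/', '?'), 0x2B: ('\t', '\t'),
}
# Keys that edit or move the cursor instead of inserting a character.
ENTER, BACKSPACE, CAPS_LOCK = 0x28, 0x2A, 0x39
RIGHT, LEFT, DOWN, UP, HOME, END = 0x4F, 0x50, 0x51, 0x52, 0x4A, 0x4D
SHIFT_MASK = 0x02 | 0x20   # modifier byte: bit 1 = left shift, bit 5 = right shift
ROLLOVER = 0x01            # every slot 0x01 = ErrorRollOver, the report names no key


def parse_report(capdata):
    """'02:00:20:00:00:00:00:00' or '0200200000000000' -> (modifiers, [keycodes]);
    None for anything that is not an 8-byte boot keyboard report."""
    raw = bytes.fromhex(capdata.strip().replace(':', ''))
    if len(raw) != 8:
        return None
    return raw[0], [k for k in raw[2:] if k not in (0x00, ROLLOVER)]


class Editor:
    """Minimal text buffer with a (row, col) cursor, enough to replay editing keys."""
    def __init__(self):
        self.lines, self.row, self.col, self.caps = [[]], 0, 0, False

    def key(self, code, shifted):
        line = self.lines[self.row]
        if code == ENTER:                        # split the line at the cursor
            self.lines.insert(self.row + 1, line[self.col:])
            del line[self.col:]
            self.row, self.col = self.row + 1, 0
        elif code == BACKSPACE:
            if self.col > 0:
                del line[self.col - 1]
                self.col -= 1
            elif self.row > 0:                   # at column 0: join with previous line
                self.col = len(self.lines[self.row - 1])
                self.lines[self.row - 1].extend(self.lines.pop(self.row))
                self.row -= 1
        elif code == CAPS_LOCK:
            self.caps = not self.caps
        elif code in (LEFT, RIGHT):
            self.col = max(0, min(len(line), self.col + (1 if code == RIGHT else -1)))
        elif code in (UP, DOWN):
            self.row = max(0, min(len(self.lines) - 1, self.row + (1 if code == DOWN else -1)))
            self.col = min(self.col, len(self.lines[self.row]))
        elif code in (HOME, END):
            self.col = 0 if code == HOME else len(line)
        elif code in KEY_CODES:                  # anything else (F-keys, ...) is ignored
            lower, upper = KEY_CODES[code]
            # Caps Lock flips letters only; Shift still selects '#' over '3'.
            use_upper = (shifted != self.caps) if lower.isalpha() else shifted
            line.insert(self.col, upper if use_upper else lower)
            self.col += 1

    def text(self):
        return '\n'.join(''.join(line) for line in self.lines)


def decode(capdata_lines):
    """Replay capdata strings (one report per line) and return the reconstructed text."""
    editor, held = Editor(), set()
    for capdata in capdata_lines:
        parsed = parse_report(capdata)
        if parsed is None:
            continue
        mods, keys = parsed
        # A report lists every key currently down, so act only on keys that were not
        # down in the previous report: a held key is typed once, not once per report.
        for code in keys:
            if code not in held:
                editor.key(code, bool(mods & SHIFT_MASK))
        held = set(keys)
    return editor.text()


def press(code, mods=0):
    """Constructed press-then-release report pair for one key."""
    return [f"{mods:02x}:00:{code:02x}:00:00:00:00:00", "00:00:00:00:00:00:00:00"]


# Constructed input covering held-key de-duplication, both capdata spellings, arrow
# keys, End and Backspace.  Expected result: "abc\n#".
SAMPLE_REPORTS = (
    ["00:00:04:00:00:00:00:00"] * 2 + ["00:00:00:00:00:00:00:00"]  # 'a' held for two reports
    + press(0x05) + press(0x07)                  # 'b', 'd'              -> "abd"
    + press(LEFT) + press(0x06) + press(RIGHT)   # insert 'c' before 'd' -> "abcd"
    + press(ENTER) + ["0200200000000000", "0000000000000000"]  # Shift+3 = '#' (no colons)
    + press(UP) + press(END) + press(BACKSPACE)  # back to line 0, delete 'd' -> "abc"
)

if __name__ == '__main__':
    import sys
    # tshark -r task.pcap -Y "usb.transfer_type == 0x01 && usb.bInterfaceClass==3" -Tfields -e usb.capdata > keyboard
    print(decode(open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORTS))
```

Only byte 2 of each report is used by a script that reads one keycode per line, which is enough when the typist never holds two keys at once; this decoder walks all six slots, so chords and fast typing that overlap in one report are not lost. The same cursor model makes the "arrow keys" trick from the challenge a non-issue: a Left followed by a character inserts it where the cursor is, rather than appending it to the end of the line.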

When the CTF finished I ended up writing a script to do this (it's not perfect, there are a lot more things to consider).

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# better and more updated version at https://github.com/TeamRocketIst/ctf-usb-keyboard-parser
# Keycodes from table 12 of the HID Usage Tables: keycode -> [unshifted, shifted]
KEY_CODES = {
    0x04:['a', 'A'],
    0x05:['b', 'B'],
    0x06:['c', 'C'],
    0x07:['d', 'D'],
    0x08:['e', 'E'],
    0x09:['f', 'F'],
    0x0A:['g', 'G'],
    0x0B:['h', 'H'],
    0x0C:['i', 'I'],
    0x0D:['j', 'J'],
    0x0E:['k', 'K'],
    0x0F:['l', 'L'],
    0x10:['m', 'M'],
    0x11:['n', 'N'],
    0x12:['o', 'O'],
    0x13:['p', 'P'],
    0x14:['q', 'Q'],
    0x15:['r', 'R'],
    0x16:['s', 'S'],
    0x17:['t', 'T'],
    0x18:['u', 'U'],
    0x19:['v', 'V'],
    0x1A:['w', 'W'],
    0x1B:['x', 'X'],
    0x1C:['y', 'Y'],
    0x1D:['z', 'Z'],
    0x1E:['1', '!'],
    0x1F:['2', '@'],
    0x20:['3', '#'],
    0x21:['4', '$'],
    0x22:['5', '%'],
    0x23:['6', '^'],
    0x24:['7', '&'],
    0x25:['8', '*'],
    0x26:['9', '('],
    0x27:['0', ')'],
    0x28:['\n', '\n'],
    0x2C:[' ', ' '],
    0x2D:['-', '_'],
    0x2E:['=', '+'],
    0x2F:['[', '{'],
    0x30:[']', '}'],
    0x32:['#', '~'],
    0x33:[';', ':'],
    0x34:['\'', '"'],
    0x36:[',', '<'],
    0x38:['/', '?'],
    0x37:['.', '>'],
    0x2b:['\t', '\t'],
    0x4f:['→', '→'],
    0x50:['←', '←'],
    0x51:['↓', '↓'],
    0x52:['↑', '↑']
}

# tshark -r task.pcap -Y "usb.transfer_type == 0x01 && usb.bInterfaceClass==3" -Tfields -e usb.capdata > keyboard
datas = open('keyboard').read().splitlines()
cursor_x = 0                   # horizontal position is tracked but not used when inserting text
cursor_y = 0
lines = ['', '', '', '', '']   # the typed text has five lines
output = ''                    # text typed since the last vertical move or newline

for data in datas:
    report = bytes.fromhex(data.replace(':', ''))   # works with and without colons
    if len(report) < 3:
        continue
    shift = 1 if report[0] & 0x22 else 0   # byte 0: modifiers, 0x02 left shift / 0x20 right shift
    key = report[2]                        # byte 2: first keycode slot, the others are ignored
    if key == 0:                           # key release report, nothing to decode
        continue
    if KEY_CODES[key][shift] == '↑':
        lines[cursor_y] += output
        output = ''
        cursor_y -= 1
    elif KEY_CODES[key][shift] == '↓':
        lines[cursor_y] += output
        output = ''
        cursor_y += 1
    elif KEY_CODES[key][shift] == '→':
        cursor_x += 1
    elif KEY_CODES[key][shift] == '←':
        cursor_x -= 1
    elif KEY_CODES[key][shift] == '\n':
        lines[cursor_y] += output
        cursor_x = 0
        cursor_y += 1
        output = ''
    else:
        output += KEY_CODES[key][shift]
        cursor_x += 1

print('\n'.join(lines))

Now running the script:

teamrocketist@Debian ~/D/H/c/h/f/for100> python key2.py
w{w$ju},'pt]=j%;9+ps&#,
k#>bn$:6pjim0{u'h;fks!s-
flag{k3yb0ard_sn4ke_2.0}
b[[e[fu~7d[=>*(0]'$1c$ce
3'ci.[%=%&k(lc*2y4!}%qz3

The flag is flag{k3yb0ard_sn4ke_2.0}