Unleash the Beast!

I use this for notes on CTFs and the like.

BSidesSF 2019 CTF - thekey(Forensics 100)


Opening thekey.pcapng in Wireshark, I found a capture of USB inputs.

Maybe it contains the data captured from the USB device while flag.txt was being made.


A little guessing: the "most frequent input source" would be the input device that was used to make flag.txt.

I think its address is 1.69.1.


The following are my analysis steps.

(1) In Wireshark, filter by the source address of the USB device (field names are lowercase in display filters).
    usb.src == "1.69.1"
(2) Export the filtered packets from Wireshark.
    "File" -> "Export Specified Packets"
    → 69.pcapng
(3) Use tshark.exe to extract the USB leftover data.
    note: You can find tshark.exe in the install directory of Wireshark.
    .\tshark.exe -r 69.pcapng -T fields -e usb.capdata > 69result.txt
(4) Convert the leftover data to key inputs.
    I referred to the following sites.

https://www.win.tue.nl/~aeb/linux/kbd/scancodes-14.html

http://wiki.onakasuita.org/pukiwiki/?HID%2F%E3%82%AD%E3%83%BC%E3%82%B3%E3%83%BC%E3%83%89

https://gist.github.com/MightyPork/6da26e382a7ad91b5496ee55fdc73db2

USB leftover data consists of 8 octets.

1st octet: Modifier mask
  This octet is set while the Ctrl, Shift, Alt or Meta key is held.
2nd octet: Reserved
  I have never seen this octet used.
3rd-8th octets: scan codes
  These octets are set when alphabet keys, number keys and so on are pressed.
  There are 6 slots. If 2 or more keys are pressed at the same time, multiple slots are used.

[The following are samples.]
00:00:00:00:00:00:00:00 All 0 means "no keys are pressed"
20:00:00:00:00:00:00:00 Pressed Right-Shift
20:00:17:00:00:00:00:00 Pressed Right-Shift + "t" -> "T" is input.
00:00:17:00:00:00:00:00 Right-Shift key is released
00:00:00:00:00:00:00:00 All keys are released
00:00:0b:00:00:00:00:00 Pressed "h" -> "h" is input
00:00:00:00:00:00:00:00 All keys are released
00:00:08:00:00:00:00:00 Pressed "e" -> "e" is input
00:00:00:00:00:00:00:00 All keys are released

-> This sample data means "The" was input from the USB device.
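A decoder for the 8-octet report format explained above, added here as an example (it is not code from the original post). It assumes a US keyboard layout, maps only the usage IDs that occur in this write-up, and emits a character only the first time a key appears in a report, which is what handles reports such as 0c:10 followed by 10:2c, where one key is still held while the next goes down.

```python
# Decoder for 8-octet USB HID boot-protocol keyboard reports (usb.capdata).
# Added example, not from the original post. Assumes a US layout; only the
# usage IDs seen in this capture are mapped, anything else is rendered as
# [0xNN] so a gap in the table is visible instead of being silently dropped.

SHIFT = 0x02 | 0x20  # modifier octet: bit 1 = Left-Shift, bit 5 = Right-Shift

# usage ID -> (unshifted, shifted), restricted to keys that appear in the write-up
KEYMAP = {
    0x04: ("a", "A"), 0x05: ("b", "B"), 0x06: ("c", "C"), 0x07: ("d", "D"),
    0x08: ("e", "E"), 0x09: ("f", "F"), 0x0a: ("g", "G"), 0x0b: ("h", "H"),
    0x0c: ("i", "I"), 0x0f: ("l", "L"), 0x10: ("m", "M"), 0x12: ("o", "O"),
    0x14: ("q", "Q"), 0x15: ("r", "R"), 0x16: ("s", "S"), 0x17: ("t", "T"),
    0x18: ("u", "U"), 0x19: ("v", "V"), 0x1a: ("w", "W"), 0x1b: ("x", "X"),
    0x1c: ("y", "Y"), 0x28: ("<Enter>", "<Enter>"), 0x29: ("<Esc>", "<Esc>"),
    0x2b: ("<Tab>", "<Tab>"), 0x2c: (" ", " "), 0x2d: ("-", "_"),
    0x2f: ("[", "{"), 0x30: ("]", "}"), 0x33: (";", ":"), 0x37: (".", ">"),
}


def parse_report(line):
    """'20:00:17:00:00:00:00:00' -> (modifier mask, [non-zero usage IDs])."""
    octets = bytes.fromhex(line.strip().replace(":", ""))
    if len(octets) != 8:
        raise ValueError(f"expected 8 octets, got {len(octets)}")
    modifier, _reserved, slots = octets[0], octets[1], octets[2:8]
    return modifier, [code for code in slots if code]


def decode_reports(lines):
    """One character per key *press*: a key is emitted only in the first report
    in which it appears, so a key that stays held while the next one goes down
    (0c:10 then 10:2c in the capture) is not output twice."""
    out, held = [], set()
    for line in lines:
        if not line.strip():  # blank lines from the tshark output
            continue
        modifier, pressed = parse_report(line)
        shifted = 1 if modifier & SHIFT else 0
        for code in pressed:
            if code not in held:
                pair = KEYMAP.get(code)
                out.append(pair[shifted] if pair else f"[0x{code:02x}]")
        held = set(pressed)
    return "".join(out)
```

Feeding the 69result.txt lines to decode_reports() gives the keystroke stream that the annotated listing below shows by hand.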

The following is all of the leftover data input from 1.69.1.

00:00:00:00:00:00:00:00
00:00:19:00:00:00:00:00 v
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00 i
00:00:0c:10:00:00:00:00 
00:00:10:2c:00:00:00:00 m
00:00:2c:00:00:00:00:00 space
00:00:00:00:00:00:00:00
00:00:09:00:00:00:00:00 f
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00 l
00:00:04:00:00:00:00:00 a
00:00:04:0a:00:00:00:00 
00:00:0a:00:00:00:00:00 g
00:00:00:00:00:00:00:00
00:00:37:00:00:00:00:00 .
00:00:17:00:00:00:00:00 
00:00:17:00:00:00:00:00 t
00:00:00:00:00:00:00:00
00:00:1b:00:00:00:00:00 x
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00 t
00:00:00:00:00:00:00:00 
00:00:28:00:00:00:00:00 enter
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00 i
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:17:00:00:00:00:00 T
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00 e
00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00 space
00:00:00:00:00:00:00:00
00:00:09:00:00:00:00:00 f
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00 l
00:00:04:00:00:00:00:00 a
00:00:04:0a:00:00:00:00 
00:00:0a:00:00:00:00:00 g
00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00 space
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00 i
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00 s
00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00 space
00:00:00:00:00:00:00:00
00:00:06:00:00:00:00:00 c
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00 t
00:00:00:00:00:00:00:00
00:00:09:00:00:00:00:00 f
00:00:00:00:00:00:00:00
00:00:29:00:00:00:00:00 Esc
00:00:00:00:00:00:00:00
00:00:19:00:00:00:00:00 v  
00:00:00:00:00:00:00:00 
00:00:05:00:00:00:00:00 b  vim command:"ctf" is selected.
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:18:00:00:00:00:00 
00:00:18:00:00:00:00:00 U  vim command:The selected characters are changed to uppercase.
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:04:00:00:00:00:00 A  vim command:Cursor is moved to after "CTF".
20:00:00:00:00:00:00:00 Right-Shift
20:00:2f:00:00:00:00:00 {
00:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:10:00:00:00:00:00 m
00:00:00:00:00:00:00:00
00:00:1c:00:00:00:00:00 y
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:2d:00:00:00:00:00 _
20:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:09:00:00:00:00:00 f
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00 a
00:00:00:00:00:00:00:00
00:00:19:00:00:00:00:00 v
00:00:00:00:00:00:00:00
00:00:12:00:00:00:00:00 o
00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00 r
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00 i
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00 t
00:00:17:08:00:00:00:00
00:00:08:00:00:00:00:00 e
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:2d:00:00:00:00:00 _
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00 e
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00 d
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00 i
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00 t
00:00:00:00:00:00:00:00
00:00:12:00:00:00:00:00 o
00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00 r
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:2d:00:00:00:00:00 _
20:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00 i
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00 s
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:2d:00:00:00:00:00 _
00:00:00:00:00:00:00:00
00:00:19:00:00:00:00:00 v
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00 i
00:00:00:00:00:00:00:00
00:00:10:00:00:00:00:00 m
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:30:00:00:00:00:00 }
00:00:00:00:00:00:00:00
00:00:29:00:00:00:00:00 Esc
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h Cursor is moved to left. -> 19 times.
00:00:00:00:00:00:00:00   
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00 a
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00 u
00:00:00:00:00:00:00:00
00:00:29:00:00:00:00:00 Esc
00:00:00:00:00:00:00:00
00:00:19:00:00:00:00:00 v
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00 i
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:2f:00:00:00:00:00 {  ->All characters after the "{" are selected.
20:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:18:00:00:00:00:00 U  vim command:All selected characters are changed to uppercase.
20:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:29:00:00:00:00:00 Esc
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00 Right-Shift
20:00:33:00:00:00:00:00 :
00:00:33:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1a:00:00:00:00:00 w
00:00:00:00:00:00:00:00
00:00:14:00:00:00:00:00 q  Save the flag.txt, and close the file.
00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00
00:00:00:00:00:00:00:00
04:00:00:00:00:00:00:00
04:00:2b:00:00:00:00:00
04:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00

Unfortunately, I'm not a vim user.

So I installed vim on my Ubuntu machine and reproduced the above input sequence.

And got the flag.

CTF{MY_FAVOURITE_EDITOR_IS_VIM}