Unleash the Beast!

Used for notes on CTFs and the like

CSA CTF 2019 - Monkey


Our team solved all issues of this competition, and we got 3rd place!!

 

The attached file is a pcap file.

It appears to be USB capture data.

 

So I processed the capture data using the following procedure.

(1) Open the pcap file in Wireshark and filter it with this criterion: usb.src=="1.9.1"

(2) Save the filtered packets as 191.pcapng

    "File"->"Export Specified Packets"

(3) Using tshark.exe, extract the USB leftover data (the usb.capdata field) from 191.pcapng.

    .\tshark.exe -r "C:\Users\win10pro\Desktop\CSA CTF\191.pcapng" -T fields -e usb.capdata > 191result.txt

 

Then I got the following data in 191result.txt.

Maybe it is input from a USB keyboard, so I translated the data using the conversion table on this site.

Keyboard scancodes: USB

 

20:00:00:00:00:00:00:00
20:00:06:00:00:00:00:00 C
20:00:16:06:00:00:00:00 S
20:00:16:00:00:00:00:00
20:00:16:04:00:00:00:00 A
20:00:00:00:00:00:00:00
20:00:06:00:00:00:00:00 C
20:00:00:00:00:00:00:00
20:00:17:00:00:00:00:00 T
20:00:00:00:00:00:00:00
20:00:09:00:00:00:00:00 F
20:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2f:00:00:00:00:00 {
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00 t
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00 e
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2d:00:00:00:00:00 _
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00 i
00:00:00:00:00:00:00:00
00:00:11:00:00:00:00:00 n
00:00:00:00:00:00:00:00
00:00:09:00:00:00:00:00 f
00:00:09:0c:00:00:00:00 i
00:00:0c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:11:00:00:00:00:00 n
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00 i
00:00:17:00:00:00:00:00 t
00:00:08:17:00:00:00:00 e
00:00:08:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2d:00:00:00:00:00 _
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:10:00:00:00:00:00 m
00:00:00:00:00:00:00:00
00:00:12:00:00:00:00:00 o
00:00:00:00:00:00:00:00
00:00:11:00:00:00:00:00 n
00:00:00:00:00:00:00:00
00:00:0e:00:00:00:00:00 k
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00 e
00:00:08:1c:00:00:00:00 y
00:00:1c:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2d:00:00:00:00:00 _
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00 t
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00 h
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00 e
00:00:00:00:00:00:00:00
00:00:12:00:00:00:00:00 o
00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00 r
00:00:08:15:00:00:00:00 e
00:00:08:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:10:00:00:00:00:00 m
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:30:00:00:00:00:00 }
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00 BackSpace
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00 0 <-input zero
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00 BackSpace
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00 0 <-input zero
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00 BackSpace
00:00:00:00:00:00:00:00
00:00:1e:00:00:00:00:00 1<-input 1
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00 BackSpace
00:00:00:00:00:00:00:00
00:00:1e:00:00:00:00:00 1<-input 1
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 F3
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00 BackSpace
00:00:00:00:00:00:00:00
00:00:1e:00:00:00:00:00 1<-input 1
00:00:00:00:00:00:00:00

(1) The following text is typed: CSACTF{the_infinite_monkey_theorem}

The key marked "F3" above (usage ID 0x50, Left Arrow in the HID usage table) moves the cursor one position to the left.
(2) Move the cursor left 4 times, erase a character with BackSpace, then type "0".
  CSACTF{the_infinite_monkey_the0rem}
(3) Move the cursor left 9 times, erase a character with BackSpace, then type "0".
  CSACTF{the_infinite_m0nkey_the0rem}
(4) Move the cursor left 5 times, erase a character with BackSpace, then type "1".
  CSACTF{the_infin1te_m0nkey_the0rem}
(5) Move the cursor left 2 times, erase a character with BackSpace, then type "1".
  CSACTF{the_inf1n1te_m0nkey_the0rem}
(6) Move the cursor left 3 times, erase a character with BackSpace, then type "1".
  CSACTF{the_1nf1n1te_m0nkey_the0rem}
 
So the flag is: CSACTF{the_1nf1n1te_m0nkey_the0rem}
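
The manual decoding above can be scripted. The following Python is an added example, not code from the original post: it decodes only keys that are new compared with the previous report (so rollover reports such as 00:00:09:0c yield one character) and applies Left Arrow and BackSpace to a cursor. The key map is a US-layout subset chosen for illustration, and the sample input is constructed rather than taken from the challenge capture.

```python
import re

# Added example: replay 8-byte HID boot-keyboard reports (modifier byte,
# reserved byte, six usage IDs), applying Left/Right and BackSpace to a cursor.
REPORT = re.compile(r"\b(?:[0-9a-f]{2}:?){8}\b", re.I)  # with or without colons
SHIFT = 0x02 | 0x20                       # left-shift | right-shift modifier bits
LEFT, RIGHT, BACKSPACE = 0x50, 0x4F, 0x2A
PLAIN = {0x2C: " ", 0x2D: "-", 0x2F: "[", 0x30: "]"}
SHIFTED = {0x2C: " ", 0x2D: "_", 0x2F: "{", 0x30: "}"}

def usage_to_char(code, shift):           # US-layout subset; None if unmapped
    if 0x04 <= code <= 0x1D:              # a..z
        ch = chr(ord("a") + code - 0x04)
        return ch.upper() if shift else ch
    if 0x1E <= code <= 0x27 and not shift:    # 1..9, then 0
        return "1234567890"[code - 0x1E]
    return (SHIFTED if shift else PLAIN).get(code)

def replay(text):
    buf, cur, prev = [], 0, set()
    for m in REPORT.finditer(text):       # annotations after a report are ignored
        report = bytes.fromhex(m.group().replace(":", ""))
        keys = [k for k in report[2:] if k > 0x03]   # 0x00-0x03: empty/error
        for k in keys:
            if k in prev:                 # still held since the last report
                continue
            if k == LEFT:
                cur = max(0, cur - 1)
            elif k == RIGHT:
                cur = min(len(buf), cur + 1)
            elif k == BACKSPACE and cur > 0:
                cur -= 1
                del buf[cur]
            else:                         # BackSpace at column 0 is unmapped here
                ch = usage_to_char(k, report[0] & SHIFT)
                if ch is not None:
                    buf.insert(cur, ch)
                    cur += 1
        prev = set(keys)
    return "".join(buf)

# Constructed sample (not the challenge capture): types "Hi_there", then
# Left, Left, BackSpace, "3". The second report is a rollover (h held, i new).
SAMPLE = """02:00:0b:00:00:00:00:00 00:00:0b:0c:00:00:00:00 00:00:0c:00:00:00:00:00
02:00:2d:00:00:00:00:00 00:00:17:00:00:00:00:00 00:00:0b:00:00:00:00:00
00:00:08:00:00:00:00:00 00:00:15:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00 00:00:50:00:00:00:00:00 00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00 00:00:2a:00:00:00:00:00 00:00:20:00:00:00:00:00"""
print(replay(SAMPLE))
```

Passing the contents of 191result.txt to replay() reproduces the hand-edited result, provided the file is read with the encoding the shell wrote it in.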