USB Sniffer Packet Challenge: Cryptoverse CTF (Forensics)
Hello everyone, what's up!!!
Recently, I participated in a CTF conducted by Cryptoverse and solved a few questions up to my level. However, we should always push ourselves to grow, and with that motivation, I solved a forensic challenge based on a USB sniffer packet.
Challenge:
A group of hackers has stolen a sensitive piece of data, and it’s up to you to recover it. We only found this USB sniffer capture that was taken during the cyberattack. Can you uncover the message the hackers left for us?
Note: All alphabetical characters in the flag are lower-case.
Solution:
So, let's download the file in Kali and rename the file so that it will be easy for us.
Now let's do the most common step: open the file in Wireshark.
As we can see here, there are packets carrying configuration data, and if we inspect them we get the descriptions of the device used, but it isn't related to the
Let us scroll down a bit and check other packets.
After scrolling down, we observe packets of length 27 and 35, and the length-35 ones carry a "HID Data" field that contains some kind of string.
Let's filter the packets on this. We can use the filter "usb.transfer_type == 0x01", which keeps only interrupt transfers, the transfer type a keyboard uses to deliver its reports.
Hmm, interesting, so we get the packets that carry the data. But as I mentioned earlier, only the packets of length 35 have HID Data: they are the 27-byte USBPcap header plus the 8-byte keyboard report, while the 27-byte frames are the requests without a report. So we need those packets.
We can use the filter "usb.transfer_type == 0x01 and frame.len == 35 and !(usb.capdata == 00:00:00:00:00:00:00:00)". The last clause drops the all-zero reports that the keyboard sends when every key has been released.
Great, we get all the packets of length 35. Now we can analyse these packets more efficiently.
Now it's time to extract the HID Data. To do that we can add HID Data as a column.
Now we can extract the data. We will extract the data in a csv file, in a file named hiddata.csv
Now let's read the contents of the file hiddata.csv.
We only need the HID Data column, so we cut the others away with cut -d (the field number, 7 here, depends on the column order of your export; the second cut strips the surrounding quotes and grep drops the header row).
Command:
cat hiddata.csv | cut -d "," -f 7 | cut -d "\"" -f 2 | grep -vE "HID Data" > hexoutput.txt
Excellent, we got all the data from the file. While I was reading around USB sniffer captures I came across a GitHub repo where this data is explained as keystrokes: each 8-byte value is a USB HID keyboard report, and its non-zero bytes are the codes of the keys being pressed. So we need a script to turn these values into readable text.
https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup/tree/master
Code:
#!/usr/bin/env python3
# coding=utf-8
# Maps USB HID keyboard usage IDs (the non-zero bytes of each 8-byte report)
# to characters. Byte 0 of a report is the modifier byte, not a key; this
# script does not treat it differently, so a Shift modifier (0x02 or 0x20) is
# looked up like any other value and shifted keys come out as their unshifted
# character.
newmap = {
    # 2: " ",
    4: "a",
    5: "b",
    6: "c",
    7: "d",
    8: "e",
    9: "f",
    10: "g",
    11: "h",
    12: "i",
    13: "j",
    14: "k",
    15: "l",
    16: "m",
    17: "n",
    18: "o",
    19: "p",
    20: "q",
    21: "r",
    22: "s",
    23: "t",
    24: "u",
    25: "v",
    26: "w",
    27: "x",
    28: "y",
    29: "z",
    30: "1",
    31: "2",
    32: "3",
    33: "4",
    34: "5",
    35: "6",
    36: "7",
    37: "8",
    38: "9",
    39: "0",
    40: "\r\n",
    41: "ESC",
    42: "del",
    43: "tab",
    44: "space",
    45: "-",
    47: "{",
    48: "}",
    55: "*",
    56: "/",
    57: "CapsLock",
    79: ">",
    80: "<",
}

message = ""
with open("hexoutput.txt") as myKeys:
    for line in myKeys:
        # Wireshark may print the bytes with ':' separators; strip them before parsing.
        bytesArray = bytearray.fromhex(line.strip().replace(":", ""))
        for byte in bytesArray:
            if byte != 0:
                keyVal = int(byte)
                if keyVal in newmap:
                    message += newmap[keyVal]
                # values that are not in the map (unknown keys) are skipped
print(message)
After using this code, I got my flag.
But wait a minute; something is wrong. There are extra 3s and 1s in the output. The 3s are what this script produces when Right Shift is held: it looks up every non-zero byte of the 8-byte report, including byte 0, which is the modifier byte, and Right Shift sets 0x20 = 32 there, the value the map assigns to "3". So every key typed with Right Shift leaves a stray 3 in front of it.
So after I removed the 3s, I got something like this:
OK, great. Now it looks like a flag, but the 1s shouldn't be there either. Those keys were typed with Shift held, and the map only knows the unshifted character for key code 30 ("1"); with Shift it is an exclamation mark (!). So the final flag is
cvctf{w1r3shark_fun!!!}
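The decoder below is an added example written for this post; it is neither the script from the repo linked above nor part of the original write-up. It reads the same capdata strings (with or without the ":" separators Wireshark prints) and decodes them the way the device meant them: byte 0 is treated as the modifier byte, so keys typed with either Shift yield their shifted character ("!" instead of "1", "{" instead of "["), a key that stays held across several reports is emitted once, and Backspace deletes the previous character. The input is a constructed sequence of reports that types the flag (with one typo and one key repeat added), not the challenge pcap. A second, naive decoder maps every non-zero byte the way the script above does, so the stray 3 from the Right Shift modifier (0x20) and the 1s in place of "!" can be seen side by side.

```python
#!/usr/bin/env python3
"""Decode USB HID boot-protocol keyboard reports (8 bytes each) into text.

Report layout: byte 0 = modifier bitmap (0x02 Left Shift, 0x20 Right Shift),
byte 1 = reserved, bytes 2..7 = up to six usage IDs of the keys currently held.
"""
from typing import Iterable, List

# (unshifted, shifted) character for each HID usage ID this example handles (US layout).
USAGE_TO_CHAR = {u: (chr(ord("a") + u - 4), chr(ord("A") + u - 4)) for u in range(4, 30)}
USAGE_TO_CHAR.update({
    30: ("1", "!"), 31: ("2", "@"), 32: ("3", "#"), 33: ("4", "$"), 34: ("5", "%"),
    35: ("6", "^"), 36: ("7", "&"), 37: ("8", "*"), 38: ("9", "("), 39: ("0", ")"),
    40: ("\n", "\n"), 43: ("\t", "\t"), 44: (" ", " "), 45: ("-", "_"), 46: ("=", "+"),
    47: ("[", "{"), 48: ("]", "}"), 49: ("\\", "|"), 51: (";", ":"), 52: ("'", '"'),
    53: ("`", "~"), 54: (",", "<"), 55: (".", ">"), 56: ("/", "?"),
})
BACKSPACE = 42
SHIFT_MASK = 0x22  # Left Shift (bit 1) or Right Shift (bit 5) in the modifier byte


def parse_report(token: str) -> bytes:
    """Parse one capdata value as Wireshark prints it, with or without ':' separators."""
    data = bytes.fromhex(token.strip().replace(":", ""))
    if len(data) != 8:
        raise ValueError(f"expected an 8-byte boot keyboard report, got {token!r}")
    return data


def decode_reports(reports: Iterable[bytes]) -> str:
    """Reconstruct typed text: honour Shift, drop repeats of held keys, apply Backspace."""
    out: List[str] = []
    held_before: set = set()  # usage IDs present in the previous report
    for rep in reports:
        shifted = bool(rep[0] & SHIFT_MASK)
        held_now = {u for u in rep[2:8] if u}
        for usage in sorted(held_now - held_before):  # newly pressed keys only
            if usage == BACKSPACE:
                if out:
                    out.pop()
            elif usage in USAGE_TO_CHAR:
                out.append(USAGE_TO_CHAR[usage][1 if shifted else 0])
            # other usages (arrows, function keys, ...) are ignored here
        held_before = held_now
    return "".join(out)


def decode_naive(reports: Iterable[bytes]) -> str:
    """What a script gets when it maps every non-zero byte, modifier byte included."""
    return "".join(USAGE_TO_CHAR[b][0] for rep in reports for b in rep if b in USAGE_TO_CHAR)


# Constructed sample (not from the challenge pcap): press/release report pairs that
# type the flag, plus a typo ('g') corrected with Backspace, a held 'w' reported
# twice by the device, and one '_' typed with Right Shift (modifier 0x20, the same
# value as the usage ID of '3').
SAMPLE_CAPDATA = """
00:00:06:00:00:00:00:00 0000000000000000 00:00:19:00:00:00:00:00 0000000000000000
00:00:06:00:00:00:00:00 0000000000000000 00:00:17:00:00:00:00:00 0000000000000000
00:00:09:00:00:00:00:00 0000000000000000
00:00:0a:00:00:00:00:00 0000000000000000 00:00:2a:00:00:00:00:00 0000000000000000
02:00:2f:00:00:00:00:00 0000000000000000
00:00:1a:00:00:00:00:00 00:00:1a:00:00:00:00:00 0000000000000000
00:00:1e:00:00:00:00:00 0000000000000000 00:00:15:00:00:00:00:00 0000000000000000
00:00:20:00:00:00:00:00 0000000000000000 00:00:16:00:00:00:00:00 0000000000000000
00:00:0b:00:00:00:00:00 0000000000000000 00:00:04:00:00:00:00:00 0000000000000000
00:00:15:00:00:00:00:00 0000000000000000 00:00:0e:00:00:00:00:00 0000000000000000
20:00:2d:00:00:00:00:00 0000000000000000
00:00:09:00:00:00:00:00 0000000000000000 00:00:18:00:00:00:00:00 0000000000000000
00:00:11:00:00:00:00:00 0000000000000000
02:00:1e:00:00:00:00:00 02:00:00:00:00:00:00:00 02:00:1e:00:00:00:00:00 02:00:00:00:00:00:00:00
02:00:1e:00:00:00:00:00 02:00:00:00:00:00:00:00 02:00:30:00:00:00:00:00 0000000000000000
"""


def decode_capdata_text(text: str) -> str:
    """Decode whitespace-separated capdata values, e.g. the contents of hexoutput.txt."""
    return decode_reports(parse_report(t) for t in text.split())


if __name__ == "__main__":
    reports = [parse_report(t) for t in SAMPLE_CAPDATA.split()]
    print("naive  :", decode_naive(reports))
    print("decoded:", decode_reports(reports))
```

To run it on the real capture, call decode_capdata_text() on the contents of hexoutput.txt, or on the output of tshark -r capture.pcap -Y "usb.transfer_type == 0x01 && frame.len == 35" -T fields -e usb.capdata. In either case keep the all-zero release reports in the input, i.e. drop the !(usb.capdata == 00:00:00:00:00:00:00:00) clause from the filter: the held-key de-duplication has to see a key released before the same key counts again, which matters for the repeated "!" at the end of the flag.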
Conclusion:
It was a great CTF. I loved this forensic challenge as it challenged me to push my limits.
Thank you for reading this.
Sayonara 👋