NOVA CTF 2023 WRITEUP (Forensics)

Vishal ML (published in iQube)
Mar 12, 2023

CHALLENGE: Operation Recover Intel

CATEGORY : Forensics

DESCRIPTION:

The player has been recruited as an agent by the Impossible Mission Force (IMF) to investigate a confiscated USB drive. The USB drive was confiscated from a suspected terrorist and is believed to contain critical information that could stop an imminent attack. The player must extract the data from the USB and uncover the hidden flag.

Flag Format : n0va[]

We are provided with a pcap file: ooops.pcap

“Attention all hackers! The Impossible Mission Force (IMF) needs your help in Operation Recover Intel! A suspected terrorist was caught with a USB drive containing critical information that could stop an imminent attack, and it’s up to you to extract the data and uncover the hidden flag. No pressure, right?

The first step is to analyze the provided pcap file using Wireshark, which shows that the USB protocol is being used. Don’t worry if you’re not familiar with USB packets — just Google it like everyone else does.

I got this: https://ctf-wiki.mahaloz.re/misc/traffic/protocols/USB/

As it turns out, the USB packets are actually transferring keystrokes, which could contain the flag. But in order to decode them, we need to extract the HID data. After exporting the data as raw text and using some fancy command line tricks, we can finally extract the relevant characters that we need.

For that..!!

(Screenshot: exported file)
(Screenshot: grepped HID Data)

Using Sublime, we can easily remove the “HID Data: ” prefix from every line.

Now, we have

Saved it to 00000.txt

So, now that we’ve got our HID data, we need to extract only the main characters that we need. And by main characters, I don’t mean Batman or Spider-Man (although that would be pretty cool). I mean the 5th and 6th hex characters of each 16-character report, i.e. the third byte of the 8-byte HID report, which holds the keycode of the key being pressed.

To do this, we can use a combination of grep and cut. First, we'll use grep to search for the exact pattern we need. And no, we're not talking about a pattern for a fancy sweater (although that would also be pretty cool). We're talking about the hexadecimal pattern that matches one full report: 16 hex digits at the end of the line.

Once we’ve found that pattern, we can use cut to extract the 5th and 6th characters from the byte value. Think of it like trimming your hair - we're just cutting off the parts we don't need.

So, let’s put it all together. Here’s the command we can use:

$ cat 00000.txt | grep -oE "[[:xdigit:]]{16}$" | cut -c5-6

And just like that, we’ve got our main characters!

Final values saved in input.txt

But wait, there’s more! We need to substitute those values with their equivalent characters in order to get the flag. For that, we wrote a simple Python script:

# Open the input file and read its content
with open('input.txt', 'r') as f:
    content = f.read()

# Map each keycode (the third byte of the HID report, as two hex digits)
# to the character it produces. Only the keys needed for the flag are listed;
# 0x12 (normally 'o' in the HID usage table) is mapped to '0', consistent
# with the n0va[] flag format, and the modifier byte (shift) is ignored.
equivalent = {
    '04': 'a', '05': 'b', '06': 'c', '07': 'd', '08': 'e', '09': 'f',
    '0a': 'g', '0b': 'h', '0c': 'i', '0d': 'j', '0e': 'k', '0f': 'l',
    '10': 'm', '11': 'n', '13': 'p', '14': 'q', '15': 'r', '16': 's',
    '17': 't', '18': 'u', '19': 'v', '1a': 'w', '1b': 'x', '1c': 'y',
    '1d': 'z', '1e': '1', '1f': '2', '20': '3', '21': '4', '22': '5',
    '24': '7', '25': '8', '26': '9', '27': '0', '2f': '[', '12': '0',
    '30': ']', '2d': '-'
}

# Define an empty string variable to store the result
result = ""

# Iterate over each line of the content
for line in content.splitlines():
    # Split the line into a list of values
    values = line.split()

    # Look up each value (lower-cased, since cut emits Wireshark's lowercase
    # hex); unknown codes such as 00 (key release) are skipped
    for value in values:
        result += equivalent.get(value.lower(), "")

# Print the result string without any spaces or newlines
print(result, end="")
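As an added example (not the writeup's own script), here is a decoder that works straight from the grepped "HID Data:" lines instead of a hand-typed table: it takes byte 3 of each 8-byte report as the keycode, skips key-release reports and keys still held from the previous report, and honours the shift modifier in byte 1. The sample lines are constructed for the example, not taken from ooops.pcap.

```python
import re

# Constructed sample of the lines the Wireshark export yields after grepping
# for "HID Data:". Each report is 8 bytes: byte 0 = modifier bitmask,
# byte 1 = reserved, bytes 2-7 = keycodes currently pressed.
SAMPLE_EXPORT = """\
HID Data: 0000110000000000
HID Data: 0000000000000000
HID Data: 0000270000000000
HID Data: 0000000000000000
HID Data: 0200190000000000
HID Data: 0000000000000000
HID Data: 0000040000000000
HID Data: 0000000000000000
HID Data: 00002f0000000000
HID Data: 0000000000000000
"""

# Keyboard-page HID usage IDs, unshifted and shifted.
UNSHIFTED = {i + 0x04: c for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
UNSHIFTED.update({i + 0x1e: c for i, c in enumerate("1234567890")})
UNSHIFTED.update({0x2c: " ", 0x2d: "-", 0x2e: "=", 0x2f: "[", 0x30: "]",
                  0x33: ";", 0x34: "'", 0x36: ",", 0x37: ".", 0x38: "/"})
SHIFTED = {k: v.upper() for k, v in UNSHIFTED.items() if v.isalpha()}
SHIFTED.update({i + 0x1e: c for i, c in enumerate("!@#$%^&*()")})
SHIFTED.update({0x2d: "_", 0x2e: "+", 0x2f: "{", 0x30: "}", 0x33: ":",
                0x34: '"', 0x36: "<", 0x37: ">", 0x38: "?"})

HID_LINE = re.compile(r"HID Data:\s*([0-9a-fA-F]{16})\s*$")


def decode_hid_export(text):
    """Reconstruct the typed text from 'HID Data:' lines."""
    out, prev = [], 0
    for line in text.splitlines():
        m = HID_LINE.search(line)
        if not m:
            continue                          # not a report line
        report = bytes.fromhex(m.group(1))
        modifier, keycode = report[0], report[2]
        held, prev = keycode == prev, keycode
        if keycode == 0 or held:
            continue                          # key release, or key still down
        shift = bool(modifier & 0x22)         # left (0x02) or right (0x20) shift
        out.append((SHIFTED if shift else UNSHIFTED).get(keycode, f"<{keycode:02x}>"))
    return "".join(out)

if __name__ == "__main__":
    print(decode_hid_export(SAMPLE_EXPORT))   # n0Va[
```

Unknown keycodes are emitted as `<xx>` so a gap in the table shows up in the output instead of silently dropping a character.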

After all that hard work, we finally have the flag in our hands. It’s like winning a game of capture the flag, except instead of running around a field and dodging opponents, we’re sitting at a computer and dodging command line errors. Ah, the life of a hacker!”

FLAG..!!

FLAG : n0va[3v3ry-m15510n-1mp0551bl3-un71l-50m30n3-c0mpl3t35–1t]

If you have any queries or need to get in touch, you can reach me at the following links:

LinkedIn: https://www.linkedin.com/in/mr-g0d-hacktivist/

Email: mlvishal.2002@gmail.com

Feel free to contact me through either of these channels. Looking forward to hearing from you!
