Category : Forensics

Difficulty : Warm-up

Challenge Description

Here is a packet capture of my computer when I was preparing my presentation on Google Slides. Can you reproduce the contents of the slides?

Note: If you find a "fake flag", submit it here. Some text next to the flag says that it is not accepted, but now it is. There are 2 flags in the challenge, and both are accepted. Part 1 accepts the flag that is easier to get.

flag format: ACSC\{[ -~]+\}

We are given a relatively large pcap file (184 MB). Let's open it in Wireshark and take a look. The first thing I check with a large capture is Statistics > Protocol Hierarchy, to see which protocols are in use. Statistics > Capture File Properties also shows how many packets the capture holds (401193) and how long it ran (00:09:50). This is probably not related to the challenge, but it is always worth a look.

The protocols used in the capture are as follows:

[Wireshark screenshot: Protocol Hierarchy]

Nothing stands out in particular, but if we look at the actual traffic we can see USB keystrokes being captured, which is unusual. Let's export them, but first let's apply the following display filter in Wireshark so that only the keyboard traffic (USB interrupt transfers from HID-class interfaces) is shown:

usb.transfer_type == 0x01 && usb.bInterfaceClass == 3

[Wireshark screenshot: filtered USB keyboard packets]

Now I'm going to select all the packets and go to File > Export Specified Packets

[Wireshark screenshot: Export Specified Packets]

and save them as a new file, which I'm going to call filtered.pcapng.

[Wireshark screenshot: save dialog]

Now let's use tshark to extract the data. The filter keeps only packets carrying an 8-byte capdata payload, which is the size of a boot-protocol keyboard report:

tshark -r filtered.pcapng -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata

[Terminal screenshot: tshark output]

There is a lot of output, so I'm going to redirect it to a file called output.txt and use sed to insert a colon before every byte after the first (the `g2` flag applies the substitution to every two-character match from the second one onwards):

tshark -r filtered.pcapng -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata | sed 's/../:&/g2' > output.txt

The output should look like this:

[Terminal screenshot: output.txt contents]

Finally, let's use the Python script from the repository below to parse the data and convert it to human-readable text:

https://github.com/carlospolop-forks/ctf-usb-keyboard-parser

python usbkeyboard.py output.txt

We got our data, and it looks like a flag starting with ACSC{. However, there are many repeated characters.

[Terminal screenshot: parser output with repeated characters]

I'm going to write some code to clean it up a bit by dropping every character that is identical to the one before it:

# Text produced by the keyboard parser, saved as data.txt
with open('data.txt', 'r') as f:
    text = f.read()

# Keep a character only if it differs from its predecessor
cleaned_text = ''
for c in range(len(text)):
    if c == 0 or text[c] != text[c-1]:
        cleaned_text += text[c]

print(cleaned_text)

This looks much better, but there are still some repeated 'a' and 'b' characters.

[Terminal screenshot: cleaned output]

But we can get the flag by removing the extra characters manually:

flag:ACSC{f0r3ns1cs_is_s0_fun}