Hackthebox – Deadly Arthropod
For this challenge, we’re presented with a packet capture file containing only USB events.
After some googling I came accross this CTF blogpost which appeared to give just the info needed for the first steps and a basic Python script for interpreting the keystrokes.
root@kalivm:~/Arthropod# tshark -r deadly_arthropod.pcap -T fields -e usb.capdata > keystrokes.txt
root@kalivm:~/Arthropod# head -n2 keystrokes.txt
root@kalivm:~/Arthropod# tail -n2 keystrokes.txt
0000150000000000
0000000000000000So they did contain the values, just not (yet) in the right format, and with some empty lines in the script too. Time to modify the file so that no empty lines exist and that the lines in there are provided with the right semi-colons.
root@kalivm:~/Arthropod# sed '/^$/d' keystrokes.txt > data.txt
root@kalivm:~/Arthropod# sed -i 's/.\{2\}/&:/g' data.txt
root@kalivm:~/Arthropod# head -n 2 data.txt
00:00:08:00:00:00:00:00:
00:00:00:00:00:00:00:00:Now the next thing to do, is run the provided python script to interpret each of these values and see what buttons have been pressed.
root@kalivm:~/Arthropod# ./read_data.py
eks@hackthebox.eu
Th1sC0uldB3MyR3alP@ssw0rd
QK<_>.<<<<H>5<<{_<I>>ck>'>>b0<<<<<<<<<I<<<<T>>f>>>>>>_>>>>>>}<.<.<<<<3<<<<<<<<u<<t_>>a<<<<<<<<<<B>>>>>>>>>>>>>>t>5<<<I>>>_>>>>>a<<<<<<a>>>>>>d<<<<y>>>rThis appeared as if you had to follow the left and right arrows to ‘move’ the cursor and then get some string out of it. Since, at the time when I first did this challenge, was still learning a lot about python but didnt think myself capable of scripting a solution, I first solved it by hand, so I knew what solution to work towards. Only several weeks, and lots of python learning further, I decided to modify the original script so that it would create the flag for me instead.
#!/usr/bin/env python
import sys
def printFlag(flag):
strpos=0
fpos=0
fflag=['']
# Read each character in the provided flag to determine the next action
for fpos in range(len(flag)):
#Move the cursor to the right
if(flag[fpos] == '>'):
strpos += 1
#Move the cursor to the left
elif(flag[fpos] == '< '):
strpos -= 1
#Insert the character at the current cursor position
else:
fflag.insert(strpos,str(flag[fpos]))
strpos += 1
fpos += 1
print "The flag is: ",
for c in fflag:
sys.stdout.write(c)
# A table containing all valid USB Codes for pressed characters.
usb_codes = {
0x04:"aA", 0x05:"bB", 0x06:"cC", 0x07:"dD", 0x08:"eE", 0x09:"fF",
0x0A:"gG", 0x0B:"hH", 0x0C:"iI", 0x0D:"jJ", 0x0E:"kK", 0x0F:"lL",
0x10:"mM", 0x11:"nN", 0x12:"oO", 0x13:"pP", 0x14:"qQ", 0x15:"rR",
0x16:"sS", 0x17:"tT", 0x18:"uU", 0x19:"vV", 0x1A:"wW", 0x1B:"xX",
0x1C:"yY", 0x1D:"zZ", 0x1E:"1!", 0x1F:"2@", 0x20:"3#", 0x21:"4$",
0x22:"5%", 0x23:"6^", 0x24:"7&", 0x25:"8*", 0x26:"9(", 0x27:"0)",
0x2C:" ", 0x2D:"-_", 0x2E:"=+", 0x2F:"[{", 0x30:"]}", 0x32:"#~",
0x33:";:", 0x34:"'\"", 0x36:",<", 0x37:".>", 0x4f:">", 0x50:"< "
}
lines = ["","","","",""]
pos = 0
#Read all lines in the extracted data
for x in open("data.txt","r").readlines():
code = int(x[6:8],16)
if code == 0:
continue
# newline or down arrow - move down
if code == 0x51 or code == 0x28:
pos += 1
continue
# up arrow - move up
if code == 0x52:
pos -= 1
continue
# select the character based on the Shift key
if int(x[0:2],16) == 2:
lines[pos] += usb_codes[code][1]
else:
lines[pos] += usb_codes[code][0]
for line in lines:
#Check if the line contains the arrow keys, if so, print the flag.
if "<" in line:
printFlag(line)
else:
print lineBy adding the ‘printFlag’ function, and detecting if the provided line contained a ‘<‘ symbol, I was able to finally automatically with some help from python, print the flag:
root@kalivm:~/Arthropod# ./read_data.py
eks@hackthebox.eu
Th1sC0uldB3MyR3alP@ssw0rd
The flag is: HTB{If_It_<NOFLAG>t'5_a_K3yb0ard...}
