Hackthebox – Deadly Arthropod

For this challenge, we’re presented with a packet capture file containing only USB events.

artrhopod capture file

After some googling I came accross this CTF blogpost which appeared to give just the info needed for the first steps and a basic Python script for interpreting the keystrokes.

root@kalivm:~/Arthropod# tshark -r deadly_arthropod.pcap -T fields -e usb.capdata > keystrokes.txt
root@kalivm:~/Arthropod# head -n2 keystrokes.txt 

root@kalivm:~/Arthropod# tail -n2 keystrokes.txt 

So they did contain the values, just not (yet) in the right format, and with some empty lines in the script too. Time to modify the file so that no empty lines exist and that the lines in there are provided with the right semi-colons.

root@kalivm:~/Arthropod# sed '/^$/d' keystrokes.txt > data.txt
root@kalivm:~/Arthropod# sed -i 's/.\{2\}/&:/g' data.txt
root@kalivm:~/Arthropod# head -n 2 data.txt 

Now the next thing to do, is run the provided python script to interpret each of these values and see what buttons have been pressed.

root@kalivm:~/Arthropod# ./read_data.py 

This appeared as if you had to follow the left and right arrows to ‘move’ the cursor and then get some string out of it. Since, at the time when I first did this challenge, was still learning a lot about python but didnt think myself capable of scripting a solution, I first solved it by hand, so I knew what solution to work towards. Only several weeks, and lots of python learning further, I decided to modify the original script so that it would create the flag for me instead.

#!/usr/bin/env python
import sys
def printFlag(flag):
   # Read each character in the provided flag to determine the next action 
   for fpos in range(len(flag)):
     #Move the cursor to the right
     if(flag[fpos] == '>'):
       strpos += 1
     #Move the cursor to the left
     elif(flag[fpos] == '< '):
       strpos -= 1
     #Insert the character at the current cursor position
       strpos += 1
     fpos += 1
   print "The flag is: ",
   for c in fflag:

# A table containing all valid USB Codes for pressed characters. 
usb_codes = {
   0x04:"aA", 0x05:"bB", 0x06:"cC", 0x07:"dD", 0x08:"eE", 0x09:"fF",
   0x0A:"gG", 0x0B:"hH", 0x0C:"iI", 0x0D:"jJ", 0x0E:"kK", 0x0F:"lL",
   0x10:"mM", 0x11:"nN", 0x12:"oO", 0x13:"pP", 0x14:"qQ", 0x15:"rR",
   0x16:"sS", 0x17:"tT", 0x18:"uU", 0x19:"vV", 0x1A:"wW", 0x1B:"xX",
   0x1C:"yY", 0x1D:"zZ", 0x1E:"1!", 0x1F:"2@", 0x20:"3#", 0x21:"4$",
   0x22:"5%", 0x23:"6^", 0x24:"7&", 0x25:"8*", 0x26:"9(", 0x27:"0)",
   0x2C:"  ", 0x2D:"-_", 0x2E:"=+", 0x2F:"[{", 0x30:"]}",  0x32:"#~",
   0x33:";:", 0x34:"'\"",  0x36:",<", 0x37:".>", 0x4f:">", 0x50:"< "
lines = ["","","","",""]

pos = 0
#Read all lines in the extracted data
for x in open("data.txt","r").readlines():
   code = int(x[6:8],16)

   if code == 0:
   # newline or down arrow - move down
   if code == 0x51 or code == 0x28:
       pos += 1
   # up arrow - move up
   if code == 0x52:
       pos -= 1
   # select the character based on the Shift key
   if int(x[0:2],16) == 2:
       lines[pos] += usb_codes[code][1]
       lines[pos] += usb_codes[code][0]

for line in lines:
   #Check if the line contains the arrow keys, if so, print the flag. 
   if "<" in line:
      print line

By adding the ‘printFlag’ function, and detecting if the provided line contained a ‘<‘ symbol, I was able to finally automatically with some help from python, print the flag:

root@kalivm:~/Arthropod# ./read_data.py 
The flag is: HTB{If_It_<NOFLAG>t'5_a_K3yb0ard...}

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.