Bsides Ctf Thekey
by eshaan7
Challenge: TheKey(for 100 points) [Forensics | BsidesSF 2019 CTF]
We are given a thekey.pcapng packet file. On analyzing with wireshark, we see that we have a lot of usb data on this pcap file.
let´s extract the Leftover Capture Data with tshark
tshark -r thekey.pcapng -T fields -e usb.capdata
we need only numbers without zeros and separators
tshark -r thekey.pcapng -T fields -e usb.capdata | grep -v '00:00:00:00:00:00:00:00' | cut -d ':' -f3
save this to usb_keys.txt
using sublime, I removed the newline chars converted the keys into hex value and basically a python list (regex are awesome!)
keys = [ "0x19", "0x0C", "0x0C", "0x10", "0x2C", "0x09", "0x0"...............
Next, on the pdf (Page 53), we have a key map of a USB Keyboard
I had to manually copy & paste the key bindings and then scrap it using tr -d " " -f1 and sublime(again, learn regex!) and converted it to another python list!
{ "0x00" :"",
"0x04" :"a",
"0x05" :"b",
"0x06" :"c",
"0x07" :"d",
... }
but wait, we have too much data, let’s use a python script to do the work for us! :D
run the script and get the flag!
oh ok not really, the output is really messed up, what we did was replicate these key-taps on a terminal and that got us a clear idea about the flag, it is a keyboard capture afterall! But I tried submitting this flag and it kept saying it’s wrong so I changed it to uppercase and voila!
The flag is: CTF{MY_FAVOURITE_EDITOR_IS_VIM}