0xOPOSEC 24/02/2022 Challenge

Thursday, Feb 24, 2022 | 2 minute read | Updated at Thursday, Feb 24, 2022

Description

“I just got this new keyboard from Vodaphone Portugal, but it looks like something fishy is going on. Could you help me?”

Solving

  • Opening the pcap file It turns out to be a USB communication capture

image

  • The file was small and had USB_INTERRUPT events that encode key presses

  • After a little bit of google fu, I found that the Leftover Capture Data field has a series of 8 bytes strung together (the third byte is the Usage ID for the key pressed)

  • So one way to decode this was to look at Leftover Capture Data and convert the key presses to human readable output

  • Knowing this I extracted all Leftover Capture Data from the pcap file (tshark -r dump.pcapng -T fields -e usb.capdata | grep .) and created a python script to help me decode the dumped data

  • Output from the tshark command

01000900
01000000
01000f00
01000000
01000400
01000000
01000a00
01000000
01202f00
...
01000000
01203000
01200000
01002800
01000000
#!/usr/bin/python3
import sys

lower_case_key = {
    1:None,	2:None,	3:None,	4:"a",	5:"b",	6:"c", 
    7:"d", 	8:"e",	9:"f", 	10:"g",	11:"h",	12:"i", 
    13:"j",	14:"k",	15:"l",	16:"m",	17:"n",	18:"o",
    19:"p",	20:"q",	21:"r",	22:"s",	23:"t",	24:"u", 
    25:"v",	26:"w",	27:"x",	28:"y",	29:"z",	30:"1", 
    31:"2",	32:"3",	33:"4",	34:"5",	35:"6",	36:"7", 
    37:"8",	38:"9",	39:"0",	40:"Enter",	41:"esc",42:"del", 
    43:"tab", 44:"space",	45:"-", 
    46:":", 47:"[", 48:"]", 49:"\\",50:" ", 51:",", 
    52:"'", 53:"`", 54:",", 55:".", 56:"/", 57:"CapsLock",
    79:"RightArrow",80:"LeftArrow", 84:"/", 85:"*", 86:"-",	
    87:"+", 88:"Enter", 89:"1", 90:"2", 91:"3", 92:"4",	93:"5",
    94:"6",	95:"7", 96:"8", 97:"9", 98:"0", 99:"."
}


upper_case_key = {
    1:None, 2:None, 3:None,5:"B", 6:"C",7:"D",8:"E",
    9:"F",10:"G",11:"H",12:"I",13:"J",14:"K",
    15:"L",	16:"M",	17:"N",	18:"O",	19:"P",	20:"Q",
    21:"R",	22:"S",	23:"T",	24:"U",	25:"V",	26:"W",
    27:"X",	28:"Y",	29:"Z",	30:"!",	31:"@",	32:"#",
    33:"$",	34:"%",	35:"^",	36:"&",	37:"*",	38:"(",
    39:")",	40:"Enter",41:"esc",42:"del",43:"tab",44:"space",
    45:"_",	46:"+",	47:"{",	48:"}",	49:"|",	50:" ",
    51:":",	52:"\"",53:"~",54:"<",55:">",	56:"?",
    57:"CapsLock",79:"RightArrow",80:"LeftArrow",
    84:"/",	85:"*",	86:"-",	87:"+",	88:"Enter",	89:"1",
    90:"2",	91:"3",	92:"4",	93:"5",	94:"6",	95:"7",
    96:"8",	97:"9",	98:"0",99:"."
}

def replace(res : str)-> str:
    return res.replace("[","{").replace("]","}").replace("-","_")
    

def main() -> str:
    res = ""
    if len(sys.argv) == 2:
        # open file with "Leftover Capture Data" field from pcap
        with open(sys.argv[1]) as keycodes:
            for line in keycodes:
                # convert string to bytearray
                bytesArray = bytearray.fromhex(line.strip())
                # see if a key was pressed(range goes from 4 to 99)
                key_press = int(bytesArray[2])
                if key_press > 3 and key_press < 100:
                    # see if left shift or right shift was presses
                    if bytesArray[0] == 0x02 or bytesArray[0] == 0x20 :
                        res += upper_case_key[key_press]
                    else:
                        res += lower_case_key[key_press]
    else:
        print("python3 exploit.py file")
    
    return replace(res)


if __name__ == "__main__":
    print(main())
flag{usb_sniff_sniff}

References

© 2018 - 2025 Bruno Blog

🌱 Powered by Hugo with theme Dream.

About me

My name is Bruno Teixeira and I am an Offensive Cyber Security Analyst. Focused on learning Information Security and Systems Administration. Always doing some side projects to improve my coding skills and learn new technologies on the way.

Work Experience

Education

Work Experience as a Trainee

Social Links