HTB: Cyber Apocalypse Key Mission Writeup

C4rm3l0
4 min read · Apr 23, 2021


Forensics: Key Mission Writeup

Key Mission is a one-star challenge in HTB’s Cyber Apocalypse 2021. Downloading the challenge and unzipping the archive gives us a key_mission.pcap file. As usual with pcap files, the first thing I do is check for readable strings using:

$ strings key_mission.pcap
Output of Strings Command

No cigar. The next routine step is to open the file with Wireshark and inspect the packets:

key_mission.pcap in WireShark

We can see that the protocol is USB and the Info column reads URB_INTERRUPT. I scanned the whole hexdump for a clue, but there was nothing interesting. A quick Google search later, I found out that the URB_INTERRUPT packets come from the source keyboard, and that we can isolate them in Wireshark with the filter:

usb.transfer_type == 0x01

What we are now interested in is the Leftover Capture Data: a series of 8 bytes that signify keypresses. More specifically, the third byte is the Usage ID of the key pressed.

pcap data with filtered output

We can easily extract this data using tshark. We specify ‘-e usb.capdata’ to target only the Leftover Capture Data, and remove any colons using ‘tr -d :’. Moreover, judging from Wireshark, we can also see that every second row is missing capture data, which would result in empty rows in our output. Thus, we have to filter those out at the end using grep before saving the result to a file.

$ tshark -r key_mission.pcap -T fields -e usb.capdata | tr -d : | grep -v '^$' > data.txt

We now have the entire stream nicely formatted and ready to be analysed. From what I read online, the first byte in each line represents a modifier, i.e. something that tells us whether Ctrl, Alt, or Shift is being held while the key is typed. (Since we know the flag format is CHTB{}, we can be sure that case sensitivity is important here.) The first line, for example, starts with 0x02, which represents Left Shift (Right Shift would be 0x20). With all that in mind, I looked up a Python script (because I am lazy) to translate these bytes into actual keys. I found this one, which suited the needs of this challenge exactly, and have attached it and the source below:

Decoding Python Script

With this handy script we can now translate the data stream we saved into keystrokes. It’s used as follows:

$ python3 decodeusbkeypress.py data.txt
Output of Python Script

Note that the end of the flag is a bit scuffed but you should be able to interpret it correctly regardless.
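
The decoding step described above can be sketched as follows. This is an added example, not the script the author used: it reads the modifier byte for Shift (0x02 / 0x20), maps Usage IDs with a US-layout table, and goes beyond reading only the third byte by tracking all six key slots, so a key still held from the previous report is not emitted twice. The names `decode_reports` and `KEYMAP` and the sample reports are constructed for illustration.

```python
import sys

SHIFT_MASK = 0x02 | 0x20  # Left Shift | Right Shift bits of the modifier byte
BACKSPACE = 0x2A

# HID keyboard Usage ID -> (plain, shifted), assuming a US layout
KEYMAP = {0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " ")}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (c, c.upper())
for i, pair in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = pair
for i, pair in enumerate(zip("-=[]\\", "_+{}|")):
    KEYMAP[0x2D + i] = pair
for i, pair in enumerate(zip(";'`,./", ":\"~<>?")):
    KEYMAP[0x33 + i] = pair


def decode_reports(lines):
    """Turn hex-encoded 8-byte keyboard reports (one per line) into text."""
    out, held = [], set()
    for line in lines:
        try:
            report = bytes.fromhex(line.strip())
        except ValueError:
            continue  # not hex: skip
        if len(report) != 8:
            continue  # not an 8-byte keyboard report
        shift = bool(report[0] & SHIFT_MASK)
        keys = {k for k in report[2:] if k > 0x03}  # 0x00-0x03: empty/error
        for k in report[2:]:
            if k not in keys or k in held:
                continue  # empty slot, or key still held from the last report
            if k == BACKSPACE:
                if out:
                    out.pop()
            elif k in KEYMAP:
                out.append(KEYMAP[k][shift])
        held = keys
    return "".join(out)


# Constructed sample (not taken from key_mission.pcap): types "Hi{_}" with
# "-" pressed before "[" is released, then Right Shift for the closing brace.
SAMPLE = ["0200000000000000", "02000b0000000000", "0000000000000000",
          "00000c0000000000", "0000000000000000", "02002f0000000000",
          "02002f2d00000000", "02002d0000000000", "0000000000000000",
          "2000300000000000", "0000000000000000"]

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(decode_reports(src))
```

Run without arguments it decodes the constructed sample; given a path such as data.txt it decodes that file instead.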

Resources:

Disclaimer:

This article is made for educational purposes. The ethical hacking information provided is to be used responsibly. Its sole purpose is to inform about Cyber Security.

Readers assume full responsibility for how they use the information provided and it is highly discouraged to use the content with malicious intent. Further, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
