CTF notes

Notes from this week’s CTF – geek notes for Tina. Should have collected notes on more challenges, but, eh…

Received a PCAP file that said it had secret coordinates in it. The PCAP was entirely USB traffic, specifically URB_INTERRUPT

  • https://wiki.osdev.org/USB_Human_Interface_Devices#USB_keyboard
  • Isolated traffic for appropriate device, after examining device descriptor response to find keyboard
  • Started mapping out the HID keys by hand, until a teammate suggested https://github.com/TeamRocketIst/ctf-usb-keyboard-parser
  • Ultimately used tshark to extract the data, via tshark -r ~/Downloads/file.pcap -Y 'usb.device_address == 2 and usb.data_len > 0 and !(usbhid.data == 00:00:00:00:00:00:00:00)' -T fields -e usbhid.data | sed 's/../:&/g' | sed 's/^://g' > keys.txt
  • (Note: the second sed is because the recommended one ended up prefixing all the lines with : – second sed strips it off)
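
For reference, a decoder for the keys.txt format produced above, turning the 8-byte boot-keyboard reports back into typed text. This is an added example, not code from the original notes or from the ctf-usb-keyboard-parser project. It assumes a US layout, ignores Caps Lock, and assumes the keyboard only sends a report when its state changes; the function name and sample reports are made up for illustration.

```python
import string

# HID usage IDs: 0x04-0x1d are a-z, 0x1e-0x27 are 1-9 then 0 (US layout assumed).
UNSHIFTED = {0x04 + i: c for i, c in enumerate(string.ascii_lowercase)}
UNSHIFTED.update({0x1e + i: c for i, c in enumerate("1234567890")})
UNSHIFTED.update({0x28: "\n", 0x2b: "\t", 0x2c: " ", 0x2d: "-", 0x2e: "=",
                  0x2f: "[", 0x30: "]", 0x31: "\\", 0x33: ";", 0x34: "'",
                  0x35: "`", 0x36: ",", 0x37: ".", 0x38: "/"})
SHIFTED = {k: v.upper() for k, v in UNSHIFTED.items()}
SHIFTED.update(zip(range(0x1e, 0x28), "!@#$%^&*()"))
SHIFTED.update({0x2d: "_", 0x2e: "+", 0x2f: "{", 0x30: "}", 0x31: "|",
                0x33: ":", 0x34: '"', 0x35: "~", 0x36: "<", 0x37: ">", 0x38: "?"})
SHIFT_MASK = 0x02 | 0x20  # left shift | right shift bits of the modifier byte
BACKSPACE = 0x2a

# Constructed sample (not from the CTF capture): H, i, l, l, x typed while l is
# still held, backspace, then shift+1. All-zero release reports are filtered out.
SAMPLE = [
    "02:00:0b:00:00:00:00:00", "00:00:0c:00:00:00:00:00",
    "00:00:0f:00:00:00:00:00", "00:00:0f:00:00:00:00:00",
    "00:00:0f:1b:00:00:00:00", "00:00:2a:00:00:00:00:00",
    "02:00:1e:00:00:00:00:00",
]


def decode_reports(lines):
    """Decode colon-separated 8-byte HID keyboard reports into typed text."""
    out, prev_keys, prev_report = [], set(), None
    for line in lines:
        report = bytes.fromhex(line.strip().replace(":", ""))
        if len(report) != 8:
            continue  # blank line or not a boot-protocol keyboard report
        # Two identical reports in a row mean a release report was filtered
        # out between them, so the keys count as pressed again ("ll").
        if report == prev_report:
            prev_keys = set()
        table = SHIFTED if report[0] & SHIFT_MASK else UNSHIFTED
        keys = [k for k in report[2:] if k]  # byte 1 is reserved
        for key in keys:
            if key in prev_keys:
                continue  # still held from the previous report (rollover)
            if key == BACKSPACE:
                del out[-1:]  # drop last character; no-op when out is empty
            elif key in table:
                out.append(table[key])
        prev_keys, prev_report = set(keys), report
    return "".join(out)
```

Running decode_reports over the lines of keys.txt returns the typed string; unknown usage IDs (arrows, function keys) are skipped silently.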
