DeadpoolAndObjectOrientedProgramming / icectf-2016

IceCTF 2016 repo

Stage 3 - Intercepted Conversations Pt.1 #24

Closed ikornaselur closed 8 years ago

ikornaselur commented 8 years ago

Description

This traffic was picked up by one of our agents. We think this might be a conversation between two elite hackers that we are investigating. Can you see if you can analyze the data? intercept.pcapng

Solution

Flag is: IceCTF{Wh0_l1K3S_qw3R7Y_4NYw4y5}

ikornaselur commented 8 years ago

You can open the capture file in Wireshark and you'll see that it's an interception of USB traffic. What I've found is bString: PI Engineering and bString: Kinesis Keyboard Hub, indicating that it's some PI Engineering device connected to a Kinesis Keyboard Hub?

I assume the data in the packet will be the keyboard key presses in some form.

ikornaselur commented 8 years ago

There's something interesting in the URB_INTERRUPT in packets at the end. All the packets that have the destination host have a Leftover Capture Data. Here's the package data:

Leftover Capture Data: 2000000000000000 shift
Leftover Capture Data: 20000a0000000000 capital I
Leftover Capture Data: 2000000000000000 shift
Leftover Capture Data: 0000000000000000 no shift?
Leftover Capture Data: 00000c0000000000 lower case c
Leftover Capture Data: 0000000000000000 no shift?
Leftover Capture Data: 0000070000000000 lower case e
Leftover Capture Data: 0000000000000000 no shift?
Leftover Capture Data: 0200000000000000 shift (this one starts with `02` instead of `20` though)
Leftover Capture Data: 02000c0000000000 capital C 
Leftover Capture Data: 0200000000000000 shift
Leftover Capture Data: 02000e0000000000 capital T
Leftover Capture Data: 0200000000000000 shift
Leftover Capture Data: 02001c0000000000 capital F
Leftover Capture Data: 0200000000000000 shift
Leftover Capture Data: 0000000000000000 no shift
Leftover Capture Data: 0200000000000000 
Leftover Capture Data: 02002f0000000000 {
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0200360000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 00000d0000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000270000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 02002d0000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000130000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 00001e0000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 2000000000000000
Leftover Capture Data: 2000190000000000
Leftover Capture Data: 2000000000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000200000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0200330000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 02002d0000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 00001b0000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000360000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000200000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0200120000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000240000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 2000000000000000
Leftover Capture Data: 2000170000000000
Leftover Capture Data: 2000000000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 02002d0000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000210000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 02000f0000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0200170000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000360000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000210000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000170000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0000220000000000
Leftover Capture Data: 0000000000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0200300000000000
Leftover Capture Data: 0200000000000000
Leftover Capture Data: 0000000000000000

image

ikornaselur commented 8 years ago

I've marked some of the first lines with what I think the code is. Assuming it starts with IceCTF, it actually makes sense (the two c presses match).

ikornaselur commented 8 years ago

This assumes the following code for the following letters:

07 e
08
09
0a i
0b
0c c
0d
0e t
0f
1c f

That kinda doesn't make sense to me though. The order is weird? Upper and lower case letters have the same hex value here (assuming IceCTF, since it has the same code for c and C, just shift around it).

ikornaselur commented 8 years ago

So I found the official USB HID spec document. From my comment above I assumed that 2f meant {, so I cmd+f'd for it in the PDF file and found this on page 54:

image

Looks promising!

ikornaselur commented 8 years ago

Well... what I get from that is

GidIKY{<j0_p1V3:_x,3O7T_4LT,4t5}

Definitely looks like a flag. I mean, GidIKY is like IceCTF, but it's off. Not sure how.

ikornaselur commented 8 years ago

Here's the data I extracted. First column is what I believe is "shift is being held at the same time", but it's sometimes 20 and sometimes 02, so not sure there.

Next column is the UsageID code and then the next two columns are the Keyboard X and Y from the PDF file.

20 0a g G
00 0c i I
00 07 d D
02 0c i I
02 0e k K
02 1c y Y
02 2f [ {
02 36 , <
00 0d j J
00 27 0 )
02 2d - _
00 13 p P
00 1e 1 !
20 19 v V
00 20 3 #
02 33 ; :
02 2d - _
00 1b x X
00 36 , <
00 20 3 #
02 12 o O
00 24 7 &
20 17 t T
02 2d - _
00 21 4 $
02 0f l L
02 17 t T
00 36 , <
00 21 4 $
00 17 t T
00 22 5 %
02 30 ] }

ikornaselur commented 8 years ago

Figured it out! These are elite hackers! Of course they're using Dvorak. Found a qwerty <-> dvorak "translator" online:

image

Just had to replace the {, _ and } and it was good to go.
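A decoder for the thread's capture, added here as an example and not part of the original writeup: it parses the 8-byte boot-keyboard reports (modifier byte, reserved byte, keycodes), treats both 0x02 and 0x20 as shift, and then re-maps letters from the Dvorak layout the way the last comment concludes. The assumption, taken from "just had to replace the {, _ and }", is that only letter keys are re-mapped while digits and the -, [ and ] keys keep their QWERTY legend; the usage-ID table covers the keys seen in this capture.

```python
"""Decode USB HID boot-keyboard reports (Wireshark 'Leftover Capture Data') and
re-map letters typed on a Dvorak layout back to what the typist meant."""
import re
# Keyboard/Keypad usage page: 0x04..0x1d = a..z, 0x1e..0x27 = 1..9,0.
USAGE = {0x04 + i: (c, c.upper()) for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
USAGE.update({0x1e + i: cs for i, cs in enumerate(zip("1234567890", "!@#$%^&*()"))})
USAGE.update({0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"),
              0x30: ("]", "}"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x36: (",", "<"),
              0x37: (".", ">"), 0x38: ("/", "?")})  # punctuation as (plain, shifted)
SHIFT_MASK = 0x02 | 0x20  # modifier byte: bit 1 = left shift, bit 5 = right shift
# Same physical key: QWERTY legend -> Dvorak legend, row by row, unshifted.
QWERTY = "qwertyuiop[]asdfghjkl;'zxcvbnm,./"
DVORAK = "',.pyfgcrl/=aoeuidhtns-;qjkxbmwvz"
TO_DVORAK = dict(zip(QWERTY, DVORAK))

def parse_reports(text):
    """Yield each 8-byte report that appears as a 16-hex-digit token in text."""
    for m in re.finditer(r"\b([0-9a-fA-F]{16})\b", text):
        yield bytes.fromhex(m.group(1))

def decode(text, dvorak=False):
    """Byte 0 = modifiers, byte 1 reserved, bytes 2..7 = pressed keys (first used).
    Keycode 0 is a release/idle report. With dvorak=True letters are re-mapped;
    digits and the -, [, ] keys keep their QWERTY legend (assumption from the thread)."""
    out = []
    for rep in parse_reports(text):
        modifiers, key = rep[0], rep[2]
        if key == 0:
            continue
        shifted = bool(modifiers & SHIFT_MASK)
        lower, upper = USAGE.get(key, ("?", "?"))
        d = TO_DVORAK.get(lower) if dvorak else None
        if d and d.isalpha():
            out.append(d.upper() if shifted else d)
        else:
            out.append(upper if shifted else lower)
    return "".join(out)

# Keypress reports transcribed from the thread above (first three release reports kept).
CAPTURE = """
2000000000000000 20000a0000000000 2000000000000000 0000000000000000 00000c0000000000
0000070000000000 02000c0000000000 02000e0000000000 02001c0000000000 02002f0000000000
0200360000000000 00000d0000000000 0000270000000000 02002d0000000000 0000130000000000
00001e0000000000 2000190000000000 0000200000000000 0200330000000000 02002d0000000000
00001b0000000000 0000360000000000 0000200000000000 0200120000000000 0000240000000000
2000170000000000 02002d0000000000 0000210000000000 02000f0000000000 0200170000000000
0000360000000000 0000210000000000 0000170000000000 0000220000000000 0200300000000000
"""
```

`decode(CAPTURE)` gives the QWERTY reading quoted in the thread and `decode(CAPTURE, dvorak=True)` gives the flag; the regex also accepts the raw "Leftover Capture Data:" lines pasted from Wireshark.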