Home [Writeup] Hexion CTF 2020
Post
Cancel

[Writeup] Hexion CTF 2020

Posted Apr 13, 2020
By
2 min read

Mirate

In this challenge, we will see the flag after being encrypted; when we type some words to the text box, we will receive the encrypted words corresponding with our input words.

IMG

And here is my cover:

IMG

Flag: hexCTF{Don7_judge_a_B0Ok_by_1ts_c0v3r}

T&J

In this challenge we receive the pcap file, after opening the file in Wireshark, it’s a USB capture pcap.

Look at the leftover captured data, it only shows 4 bytes hex strings. Therefore, I realized there is a possibility that it can be a mouse capture, and the challenge’s description helped to ensure this idea more definitely.

Can you help Tom catch Jerry?

Luckily, I did some research about USB capture (keyboard and mouse) before, so I know what action to take next. You can read this writeup of rootusers to know more detail.

First, I extracted USB data capture by tshark:

1
2
3
4
5
6
7
8
9
10
11
12

# tshark -r jerry.pcapng -T fields -e usb.capdata > 1.txt
# tail -n 10 1.txt
0000ff000000ffff
00ff0000ffff0000
0000ff000000ffff
0000ff000000ffff
00ff0000ffff0000
00ff0000ffff0000
00ff0000ffff0000
00ff0000ffff0000
0100000000000000
0000000000000000

For some reasons I do not know why my data lost : so I added it

1
2
3
4
5
6
7
8
9
10
11

# tail -n 10 2.txt 
00:00:ff:00:00:00:ff:ff
00:ff:00:00:ff:ff:00:00
00:00:ff:00:00:00:ff:ff
00:00:ff:00:00:00:ff:ff
00:ff:00:00:ff:ff:00:00
00:ff:00:00:ff:ff:00:00
00:ff:00:00:ff:ff:00:00
00:ff:00:00:ff:ff:00:00
01:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00

Next I change it to the coordinates

1
2
3
4
5
6
7
8
9
10
11
12

# awk -F: 'function comp(v){if(v>127)v-=256;return v}{x+=comp(strtonum("0x"$2));y+=comp(strtonum("0x"$3))}$1=="01"{print x,y}' 2.txt > 3.txt
# tail -n 10 data3.txt 
1928 264
1928 265
1927 265
1927 266
1926 266
1925 266
1924 266
1923 266
1922 266
-1701 29

After got the coordinates, I plot it into Gnuplot.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

# gnuplot

	G N U P L O T
	Version 5.2 patchlevel 8    last modified 2019-12-01 

	Copyright (C) 1986-1993, 1998, 2004, 2007-2019
	Thomas Williams, Colin Kelley and many others

	gnuplot home:     http://www.gnuplot.info
	faq, bugs, etc:   type "help FAQ"
	immediate help:   type "help"  (plot window: hit 'h')

Terminal type is now 'qt'

gnuplot> plot '3.txt'

And here is it

IMG

Flag: hexCTF{y3t_an0th3r_pc4p_ch4ll3nge}

P/S: Thank you GinaTU aka Tứ Diệp Thảo to help me edit this post

Writeup, HexionCTF2020
forensics writeup HexionCTF
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents