Today I review the challenge "The Cyber War Continues" from SwampCTF 2019.

You can download the files for this challenge here.

TL;DR

You have two files at your disposal:

  1. An enciphered text message
  2. A password-protected archive.

The text message is enciphered with a Rail Fence cipher. Once deciphered, it gives the password that opens the archive.

The archive contains a USB capture file: "location.pcap".

This traffic comes from something like a Rubber Ducky (a USB keystroke injector that shows up as a keyboard). The flag has to be recovered from it.


Step 1: Decipher the message

I used this tool to decipher the text message.

Once reformatted, I get the following:

the overlord are approaching this message is the last way we will be able to contact our brothers and sister in the resistance our stronghold has been weakended and we fear food and water rations will runout soon the weapon situation is worse our last plasma rifle has broken and is beyond repair the techwear were lyon for personal shielding protection is gaining more and more wear by the day our situation is grimi hope this message finds the resistance i am heavily encrypting it when you arrive at our new stronghold you will need to use the password toor to gain entrance our location will be passed along in another form to ensure maximum protection god speed

The password is toor, and it opens the archive:

7z e secret_location.7z
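Rail Fence has no key other than the number of rails, so an online solver simply tries every count and lets you pick the readable one. Here is that procedure in code, added as an example for this step (it is not the tool linked above): encrypt, decrypt, and brute-force the rail count against a crib word. The MESSAGE and CIPHERTEXT below are constructed sample data, since the challenge ciphertext is not reproduced on this page.

```python
#!/usr/bin/env python3
"""Rail Fence (zig-zag) cipher: encrypt, decrypt and brute-force the rail count.

Added example; MESSAGE / CIPHERTEXT are constructed, not the challenge's data.
"""


def rail_pattern(length, rails):
    """Rail index (0 = top row) that each plaintext position lands on."""
    if rails < 2:
        return [0] * length
    cycle = 2 * (rails - 1)          # one full down-and-up zig-zag
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def encrypt(plaintext, rails):
    """Write the text in a zig-zag over `rails` rows, then read row by row."""
    pattern = rail_pattern(len(plaintext), rails)
    return "".join(ch for row in range(rails)
                   for ch, r in zip(plaintext, pattern) if r == row)


def decrypt(ciphertext, rails):
    """Invert encrypt(): the ciphertext is the rows top to bottom, so the
    plaintext positions sorted by rail (stable, so ties keep their original
    order) tell us which plaintext slot each ciphertext character fills."""
    pattern = rail_pattern(len(ciphertext), rails)
    order = sorted(range(len(ciphertext)), key=pattern.__getitem__)
    plain = [""] * len(ciphertext)
    for cipher_pos, plain_pos in enumerate(order):
        plain[plain_pos] = ciphertext[cipher_pos]
    return "".join(plain)


def brute_force(ciphertext, crib, max_rails=None):
    """The only key is the rail count: try them all and keep the decryptions
    that contain a word we expect to see (the crib)."""
    max_rails = max_rails or max(2, len(ciphertext) // 2)
    hits = []
    for rails in range(2, max_rails + 1):
        candidate = decrypt(ciphertext, rails)
        if crib in candidate:
            hits.append((rails, candidate))
    return hits


# Constructed sample in the same spaceless-lowercase style as the challenge
# message; the real ciphertext is not on this page.
MESSAGE = "usethepasswordtoortogainentrance"
RAILS = 4
CIPHERTEXT = encrypt(MESSAGE, RAILS)

if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT)
    for rails, text in brute_force(CIPHERTEXT, "password"):
        print(f"{rails} rails -> {text}")
```

With a longer message, a crib like "password" or "resistance" narrows the candidates to one rail count immediately; without a crib, printing every candidate and scanning for the one that reads as English is what the online tools do anyway.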

Step 2: Extract data from USB capture

As you can see, we get a capture of USB transmissions.

It was the first time I was confronted with this kind of file. I searched the internet for similar challenges (if possible with write-ups).

A friend of mine gave me a link to this write-up.

A good hint I almost missed:

this is probably a capture of USB keyboard traffic; the key was typed in and is subsequently buried in the traffic

This will prove useful for the future.

Reading the write-up and googling, I found useful things:

  1. Packets with the URB_INTERRUPT transfer type (usb.transfer_type == 0x01) carry the data: a HID keyboard sends its reports over an interrupt IN endpoint.
  2. The transferred bytes are in the "Leftover Capture Data" column, field name usb.capdata.
  3. I am only looking for data going from the device to the host (in Wireshark terms, packets whose source is "1.2.1", i.e. bus 1, device 2, endpoint 1).

In order to extract only that data I used tshark (the CLI of Wireshark):

tshark  -r location.pcap -T fields -e usb.capdata -Y 'usb.src == "1.2.1" && usb.transfer_type == 0x01 && !(usb.capdata == 00:00:00:00:00:00:00:00)' | sed 's/://g' > hexoutput.txt

NB: sed strips the colons so each line is a plain 16-character hex string. The last clause drops the all-zero reports, which are key releases. On recent Wireshark versions the HID payload is dissected and may be exposed as usbhid.data instead of usb.capdata; if the command prints nothing, check the field name.

I adapted the Python script from AliBawazeEer's write-up to convert the data into keystrokes.

The HID keycode map I used can be found here, on page 53 (the Keyboard/Keypad usage page of the USB HID Usage Tables).

#!/usr/bin/env python3
# Turns the hex HID reports dumped by tshark (one 8-byte report per line)
# into keystrokes. Byte 0 of a report is the modifier byte and bytes 2-7 are
# keycodes; this script does not interpret the modifiers, it just maps every
# non-zero byte through the table (a Left Shift value of 0x02 maps to "").

newmap = {
 2: "",      # ErrorRollOver (also swallows 0x02 when it is the Left Shift modifier)
 3: "",      # POSTFail
 4: "a",
 5: "b",
 6: "c",
 7: "d",
 8: "e",
 9: "f",
 10: "g",
 11: "h",
 12: "i",
 13: "j",
 14: "k",
 15: "l",
 16: "m",
 17: "n",
 18: "o",
 19: "p",
 20: "q",
 21: "r",
 22: "s",
 23: "t",
 24: "u",
 25: "v",
 26: "w",
 27: "x",
 28: "y",
 29: "z",
 30: "1",
 31: "2",
 32: "3",
 33: "4",
 34: "5",
 35: "6",
 36: "7",
 37: "8",
 38: "9",
 39: "0",
 40: "ENTER",
 41: "ESC",
 42: "DEL",   # "Keyboard DELETE (Backspace)" in the HID usage table
 43: "TAB",
 44: " ",
 45: "-",
 46: "=",
 47: "[",
 48: "]",
 }

letters = ""
# hexoutput.txt is the file written by the tshark command above
with open('hexoutput.txt') as myKeys:
    for line in myKeys:
        line = line.strip()
        if not line:
            continue
        bytesArray = bytearray.fromhex(line)
        for byte in bytesArray:
            if byte != 0 and byte in newmap:
                letters += newmap[byte]
print(letters)

The script outputs the following:

synt[jne-arire-punatrf]

It's pretty clear that I should get something like:

flag{SOME_STUFF}

So I thought the flag was encoded with ROT13.

Once decoded I get:

flag[war-never-changes]

I tried to submit that flag and failed...

So I looked again at the HID documentation and replaced the values for 45, 47 and 48 with their shifted equivalents (_, { and }). The script ignores the modifier byte (byte 0 of each report, 0x02 for Left Shift), so it never sees that Shift was held for those three keys and prints the unshifted characters.

This time I got the right flag:

flag{war_never_changes}
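Patching the table by hand works for one flag, but the proper fix is to read the modifier byte. The decoder below is added here as an example (it is neither the write-up's script nor the one above): it applies Shift from byte 0, handles Backspace, and types a key held across several polls only once, so the braces and underscore come out directly and only the ROT13 step remains. The SAMPLE reports are constructed, not taken from location.pcap, and encode_text is a hypothetical helper that produces what a keystroke injector would send.

```python
#!/usr/bin/env python3
"""Decode USB HID boot-protocol keyboard reports into typed text.

A report is 8 bytes: [modifiers, reserved, key1 .. key6]. Bits 1 and 5 of the
modifier byte are Left and Right Shift. Input lines are the hex strings that
`tshark -T fields -e usb.capdata | sed 's/://g'` prints, one report per line.
"""
import codecs

# (unshifted, shifted) characters for the HID Keyboard/Keypad usage page (0x07).
# Letters a-z are usages 0x04-0x1d.
KEYMAP = {0x04 + i: (chr(0x61 + i), chr(0x41 + i)) for i in range(26)}
KEYMAP.update({
    0x1e: ("1", "!"), 0x1f: ("2", "@"), 0x20: ("3", "#"), 0x21: ("4", "$"),
    0x22: ("5", "%"), 0x23: ("6", "^"), 0x24: ("7", "&"), 0x25: ("8", "*"),
    0x26: ("9", "("), 0x27: ("0", ")"), 0x28: ("\n", "\n"), 0x2b: ("\t", "\t"),
    0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"),
    0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2a            # "Keyboard DELETE (Backspace)"
SHIFT_MASK = 0x02 | 0x20    # Left Shift | Right Shift

# Reverse map used only by encode_text(); unshifted wins for keys like Enter.
CHAR_TO_KEY = {}
for _key, (_plain, _shifted) in KEYMAP.items():
    CHAR_TO_KEY.setdefault(_shifted, (_key, True))
    CHAR_TO_KEY[_plain] = (_key, False)


def decode_reports(hex_lines):
    """Turn an iterable of hex report lines into the text that was typed."""
    out = []
    held = set()                         # keys that were down in the previous report
    for line in hex_lines:
        line = line.strip().replace(":", "")
        if not line:
            continue
        report = bytes.fromhex(line)
        if len(report) < 8:
            continue                     # not a boot-protocol keyboard report
        shifted = bool(report[0] & SHIFT_MASK)
        pressed = [k for k in report[2:8] if k]
        for key in pressed:
            if key in held:
                continue                 # still down since the last poll: typed once
            if key == BACKSPACE:
                if out:
                    out.pop()
            elif key in KEYMAP:
                out.append(KEYMAP[key][1 if shifted else 0])
        held = set(pressed)
    return "".join(out)


def encode_text(text):
    """Hypothetical injector side: press/release report pair for each character."""
    lines = []
    for ch in text:
        key, shifted = CHAR_TO_KEY[ch]
        report = bytes([0x02 if shifted else 0, 0, key, 0, 0, 0, 0, 0])
        lines.append(report.hex())
        lines.append("00" * 8)           # key release (all-zero report)
    return lines


def rot13(text):
    return codecs.decode(text, "rot_13")


# Constructed sample (not the challenge capture): the first five keystrokes
# "synt{" with their release reports, laid out exactly as tshark prints them.
SAMPLE = [
    "0000160000000000", "0000000000000000",   # s
    "00001c0000000000", "0000000000000000",   # y
    "0000110000000000", "0000000000000000",   # n
    "0000170000000000", "0000000000000000",   # t
    "02002f0000000000", "0000000000000000",   # Left Shift + [  ->  {
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            typed = decode_reports(fh)
    else:
        typed = decode_reports(SAMPLE)
    print(typed, "->", rot13(typed))
```

This decoder uses the all-zero release reports to tell a key held across two polls from the same key typed twice, so when feeding it the real capture drop the `!(usb.capdata == 00:00:00:00:00:00:00:00)` clause from the tshark filter (or remove the `held` check if you keep that clause). Run it as `python3 decode_hid.py hexoutput.txt`; with no argument it decodes the constructed SAMPLE.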

Conclusion

Thanks to my friend "blublu" for his help (he will recognize himself).

Even if I was not able to completely solve this challenge during the CTF, I think it is important, in order to progress, to train on the challenges that were difficult.

Tips for myself (that can be useful to others too):

  • Always take time to do research.

Even if CTFs are timed competitions, it is necessary to take the time to dig into a challenge. Take the time to read the resources at your disposal.
Don't hesitate to read others' write-ups, because it's the most efficient way to learn (learn + practice).

  • Take the time to step back.

Better to solve a single challenge and learn things than to stay in your comfort zone.

  • Being first is not an end in itself.

The fact that the competition is limited in time and that we play against people with a level well above ours is a source of stress that pushes us to go too fast and miss obvious things.
A CTF must above all be fun, a place where I can learn new things.


Yes, I know it's pretty obvious advice, but as I said before these are first and foremost tips for myself.


Social stuff / Questions / Comments

Feel free to reach out or tip me!

Mail: a_ghost_soul@protonmail.com
Twitter: @GhostAgs

If you appreciate my work, please consider making a donation.
Tipeee: https://fr.tipeee.com/ags-syndrome