CSAW CTF - Net 300

Monday, October 01, 2012 » airmack, csaw, ctf, luks, robbje, spq

Net 300 challenge of CSAW CTF

Description

Download and wireshark dongle.pcap. We get to know the device in package number 67: Teensy Keyboard/Mouse/Joystick. There is a working c implementation from http://www.pjrc.com/teensy/usb_keyboard.zip to figure out how the hardware is beeing used. Extract packages 102-2811 in human readable form and make it parsable.

1
grep -r Leftover blobb.tx | cut -d " "  -f4 | grep -v 0000000000000000 > clean.txt

and solveable through

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
#!/usr/bin/env python
import os
import sys
def trans(key, mod):
    int_mod= int(mod,16)
    key = int(key,16)
    returnvalue="WARNING"+ str(key)+ "WARNING"
    if key <=29:
        if int_mod == 0x02:
            returnvalue = chr(key-4+ord('A'))
        elif int_mod == 0x00:
            returnvalue = chr(key-4+ord('a'))
        else:
            returnvalue = "<"+ str(mod) +">" + chr(key-4+ord('a'))

    elif key >29 and key <= 39:
        returnvalue = str( (key-29)%10)
    elif key == 40:
        returnvalue = "\n"
    elif key == 44:
        returnvalue = " "
    elif key == 45:
        returnvalue = "-"
    elif key == 46:
        returnvalue = "+"
    elif key == 47:
        returnvalue = "{"
    elif key == 48:
        returnvalue = "}"

    return returnvalue 

f = open('/tmp/clean.txt', 'r')
for line in f:
    os.write(1, trans(line[4:6], line[0:2]))
f.close()

and recognizing(thanks rob) that these packages are not in chronologic order:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
<80>rxterm -geometry 12x1+0+0
echo k
<80>rxterm -geometry 12x1+75+0
echo e
<80>rxterm -geometry 12x1+150+0
echo y
<80>rxterm -geometry 12x1+225+0
echo {
<80>rxterm -geometry 12x1+300+0
echo c
<80>rxterm -geometry 12x1+375+0
echo 4
<80>rxterm -geometry 12x1+450+0
echo 8
<80>rxterm -geometry 12x1+525+0
echo b
<80>rxterm -geometry 12x1+600+0
echo a
<80>rxterm -geometry 12x1+675+0
echo 9
<80>rxterm -geometry 12x1+0+40
echo 9
<80>rxterm -geometry 12x1+75+40
echo 3
<80>rxterm -geometry 12x1+150+40
echo d
<80>rxterm -geometry 12x1+225+40
echo 3
<80>rxterm -geometry 12x1+300+40
echo 5
<80>rxterm -geometry 12x1+450+40
echo c
<80>rxterm -geometry 12x1+375+40
echo 3
<80>rxterm -geometry 12x1+525+40
echo a
<80>rxterm -geometry 12x1+600+40
echo }

key{c48ba993d353ca}