2022 CISCN Preliminary ez_usb WriteUp


This article is a featured article from the Kx forum; author ID: wx_莫克斯.

Preparation

USB Protocol Specifications

- USB UART
- USB HID
- USB Memory

The first is the standard serial-port implementation, which connects MCUs such as the STM32 or ESP8266 over USB.

The second is the one used for BadUSB (simulating keyboard input).
The third is for accessing USB storage devices (USB drives).
Each type of USB device, in particular human-interface devices and storage devices, carries a unique pair of numbers: the Vendor ID and the Product ID. The Vendor ID identifies the manufacturer of the product; the Product ID identifies the product itself.
The descriptors of an HID device include not only the 5 standard USB descriptors (device descriptor, configuration descriptor, interface descriptor, endpoint descriptor, string descriptor) but also three HID class-specific descriptors: the HID descriptor, the report descriptor and the physical descriptor.
Besides the three class-specific descriptors that describe an HID device, the parts of the 5 standard descriptors that matter for HID devices are:

In the device descriptor: bDeviceClass, bDeviceSubClass and bDeviceProtocol must all be 0.

In the interface descriptor: bInterfaceClass must be 0x03. bInterfaceSubClass can be 0 or 1: 1 indicates that the HID device is a boot device (meaningful mainly for PCs, meaning the BIOS can recognize the HID device during startup; only standard mice or keyboards can be boot devices), while 0 indicates that the HID device can only be recognized after the operating system has booted. The bInterfaceProtocol values are as follows:


A Question from buu

At that time, because I was unfamiliar with USB traffic analysis and the information online was confusing, I looked for a write-up to study:
CTF-BUUCTF-MISC-USB
(https://blog.csdn.net/weixin_43880435/article/details/106027737)
BUU USB (1-point question)
First, fix the RAR file header; the archive contains a file named 233.png.
A QR code can be extracted from 233.png with StegSolve.
Decoding the QR code yields the string:
ci{v3erf_0tygidv2_fc0}
There is also an fkm file, which contains a zip file header 503B; save it as a zip and extract it.
The write-up mentioned that tshark can be used to extract the keystroke data:
tshark -r key.pcap -T fields -e usb.capdata > usbdata.txt
But I actually used UsbKeyboardDataHacker to get the result.
Vigenère cipher, the password is xinan.
fa{i3eei_0llgvgn2_sc0}
It is close to the flag, and it has the look of a rail fence cipher.
Indeed, it is.
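The two decryption steps just described, as an added example that is not part of the original write-up: a Vigenère decryption that passes non-letters through without consuming key material (which is the behaviour needed for the QR string to become fa{i3eei_0llgvgn2_sc0} under the key xinan), and a zigzag rail-fence decode. The QR string and the key come from the text above; the rail count (two rails, the reading under which "fa{" becomes "flag{") is an assumption of this example, and the final string is whatever the code computes from it. The rail-fence encrypt direction is included so the transposition can be checked against the page's own intermediate string.

```python
#!/usr/bin/env python3
"""Vigenère decryption followed by a rail-fence read, applied to the two strings the
BUUCTF USB exercise produces. Added example, not code from the original write-up."""


def vigenere_decrypt(ciphertext, key):
    """Shift each letter back by its key letter. The key index advances only on letters,
    so '{', digits and '_' pass through unchanged and do not consume key material."""
    key = key.lower()
    out, ki = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[ki % len(key)]) - ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def _rail_of(n, rails):
    """Rail index visited by each of the n positions of a zigzag with the given rails."""
    period = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [period[i % len(period)] for i in range(n)]


def rail_fence_encrypt(plaintext, rails):
    """Write the text along the zigzag and read it off rail by rail."""
    rail_of = _rail_of(len(plaintext), rails)
    return "".join(ch for r in range(rails) for ch, rr in zip(plaintext, rail_of) if rr == r)


def rail_fence_decrypt(ciphertext, rails):
    """Invert the transposition: cut the ciphertext into rails of the right lengths,
    then walk the zigzag again, taking the next unread character from each rail."""
    rail_of = _rail_of(len(ciphertext), rails)
    rows, pos = [], 0
    for r in range(rails):
        count = rail_of.count(r)
        rows.append(list(ciphertext[pos:pos + count]))
        pos += count
    return "".join(rows[r].pop(0) for r in rail_of)


# Values from the write-up: the QR string and the Vigenère key. The rail count is an
# assumption of this example: two rails is the reading under which 'fa{' becomes 'flag{'.
QR_STRING = "ci{v3erf_0tygidv2_fc0}"
VIGENERE_KEY = "xinan"
RAILS = 2


def solve():
    """Chain both steps; returns (after Vigenère, after rail fence)."""
    stage1 = vigenere_decrypt(QR_STRING, VIGENERE_KEY)
    return stage1, rail_fence_decrypt(stage1, RAILS)


if __name__ == "__main__":
    stage1, flag = solve()
    print("Vigenère  :", stage1)
    print("rail fence:", flag)
```

If a different rail count were in play, `rail_fence_decrypt` takes it as a parameter; the zigzag period it builds (`0,1,...,rails-1,...,1`) is what distinguishes a true rail fence from the simpler column-split variant, and for two rails the two readings coincide.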
Main Topic
Based on the device addresses, identify what each device is:
2.4.0 Unknown device
2.8.0 Keyboard
2.10.0 Logitech
2.3.0 Lite-on Technology
2.4.0 Intel Bluetooth
Use usb.addr as the display filter to isolate each device's data, then export each group separately:
usb.addr == "2.8.1"
usb.addr == "2.10.1"
2.8.1 contains a compressed archive, recognizable by its RAR file header.
Strip the leading identifier and create a new hex file from the remaining bytes.
Tip: pasting hex into 010 Editor requires switching to Edit mode.
2.10.1 contains the password 35c535765e50074a; this should be the mouse signal.
Extracting the archive yields the flag.
The Path Taken
At that time, I recklessly tried ready-made scripts and ended up with nothing.
Following several posts, I used tshark to extract capdata:
tshark -r ez_usb.pcapng -T fields -e usb.capdata > usbdata.txt
Unfortunately, that produced an empty txt file.
After looking at the HID section of the capture, I realised the field to extract should be usbhid.data:
tshark -r ez_usb.pcapng -T fields -e usbhid.data > usbdata.txt
This time there were results.
I found a script that strips spaces and inserts colons (I forget where it came from):
#!/usr/bin/env python
# -*- coding: utf-8 -*-
info = '''Run under kali: tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt
to extract the traffic packet information, then use this script to filter out spaces
and other content and add colons'''
print(info)
f_data = input("Please enter the path of the txt file to be processed:")
shujian = int(input("For mouse traffic enter 8, for keyboard traffic enter 16:"))
f = open(f_data, 'r')
# Write the normalised lines to out.txt
with open('out.txt', 'w') as f_out:
    for i in f.readlines():
        s = i.strip()
        # A mouse report is 8 hex characters (4 bytes), a keyboard report 16 (8 bytes)
        if len(s) == shujian:
            # Split into byte pairs and join them with colons
            nsl = [s[j:j + 2] for j in range(0, shujian, 2)]
            ns = ":".join(nsl)
            f_out.write(ns)
            f_out.write('\n')
f.close()
With the data normalised, the conversion to keystrokes follows.
# tran.py
normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i",
              "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
              "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1",
              "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
              "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[",
              "30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
              "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
              "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I",
             "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
             "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!",
             "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
             "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{",
             "30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
             "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
             "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
output = []
keys = open('out.txt')  # the colon-separated reports produced by the previous script
for line in keys:
    try:
        # Keep only 8-byte keyboard reports of the form mm:00:kk:00:00:00:00:00, where the
        # modifier mm is 00 (none) or 02 (left shift) and exactly one key kk is pressed
        if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or \
           line[9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' or line[15] != '0' or \
           line[16] != '0' or line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or \
           line[6:8] == "00":
            continue
        if line[6:8] in normalKeys.keys():
            # Index 1 picks the shifted table when the modifier byte is 02
            output += [[normalKeys[line[6:8]]], [shiftKeys[line[6:8]]]][line[1] == '2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()

flag = 0
print("output :" + "".join(output))
# Apply backspaces: drop each <DEL> together with the character typed before it
for i in range(len(output)):
    try:
        a = output.index('<DEL>')
        del output[a]
        del output[a - 1]
    except:
        pass
# Apply Caps Lock: upper-case everything between two <CAP> presses
for i in range(len(output)):
    try:
        if output[i] == "<CAP>":
            flag += 1
            output.pop(i)
            if flag == 2:
                flag = 0
        if flag != 0:
            output[i] = output[i].upper()
    except:
        pass
print('output :' + "".join(output))
This produced a blob of data starting with a RAR file header.
At that time, I spent a lot of effort fixing this archive. In hindsight, as long as all the data is concatenated together, it is fine.
With luck, binwalk may even be able to separate it.
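The whole recovery pipeline of the main challenge in one script, as an added example that is not the write-up's own code and not the challenge capture: it takes usbhid.data lines as tshark exports them (with or without colons, so the colon-inserting step above is unnecessary), replays boot-protocol keyboard reports into keystrokes, and then carves a RAR file out of the hex the keystrokes spell, which is how the 2.8.1 stream yielded the archive. Compared with the two scripts above it also handles two cases they skip: a key held across consecutive reports (which a per-report decoder types twice) and right Shift (modifier 0x20). The tshark command in the docstring combines the usb.addr filter and the usbhid.data field from the text; the sample reports, the filler bytes after the RAR marker and the helper that builds reports from text are constructed here for demonstration.

```python
#!/usr/bin/env python3
"""Decode tshark 'usbhid.data' lines from a USB keyboard into keystrokes, then carve
the RAR file that the keystrokes spell out in hex. Added example, not the write-up's
own script; the sample data below is constructed.

Export step (display filter on the device address, as in the write-up):
  tshark -r ez_usb.pcapng -Y 'usb.addr == "2.8.1"' -T fields -e usbhid.data > keyboard.txt
"""

# Boot-protocol usage IDs for a US keyboard as (unshifted, shifted) pairs.
# Letters and digits are generated; the punctuation subset covers hex dumps and flags.
KEYMAP = {0x04 + i: (chr(ord("a") + i), chr(ord("A") + i)) for i in range(26)}
KEYMAP.update({0x1e + i: pair for i, pair in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({0x28: ("\n", "\n"), 0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"),
               0x2f: ("[", "{"), 0x30: ("]", "}"), 0x33: (";", ":"), 0x34: ("'", '"'),
               0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?")})
KEY_BACKSPACE, KEY_CAPSLOCK = 0x2a, 0x39
SHIFT_MASK = 0x22  # left shift (0x02) or right shift (0x20) in the modifier byte

RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x and RAR 5 markers


def parse_report(line):
    """One exported field line -> 8-byte report, or None if it is not a keyboard report.
    tshark prints the field as '0000050000000000' or '00:00:05:00:00:00:00:00'."""
    hexstr = line.strip().replace(":", "")
    if len(hexstr) != 16:
        return None
    try:
        return bytes.fromhex(hexstr)
    except ValueError:
        return None


def decode_keystrokes(lines):
    """Replay keyboard reports: byte 0 = modifiers, byte 1 reserved, bytes 2-7 = up to six
    usage IDs currently down. A key is typed when it appears in a report and was absent
    from the previous one, so a key held across several polls is typed only once."""
    text, prev, caps = [], set(), False
    for line in lines:
        rep = parse_report(line)
        if rep is None:
            continue
        shift = bool(rep[0] & SHIFT_MASK)
        pressed = [k for k in rep[2:8] if k]
        for k in pressed:
            if k in prev:
                continue
            if k == KEY_BACKSPACE:
                if text:
                    text.pop()
            elif k == KEY_CAPSLOCK:
                caps = not caps
            elif k in KEYMAP:
                ch = KEYMAP[k][shift]
                text.append(ch.swapcase() if caps and ch.isalpha() else ch)
            else:
                text.append("[%02x]" % k)  # usage ID outside the table, kept visible
        prev = set(pressed)
    return "".join(text)


def carve_rar(typed):
    """Read the typed text as a hex dump and return the bytes from the first RAR
    marker onward, or None when there is no marker (or the text is not hex)."""
    hexchars = "".join(typed.split())
    try:
        blob = bytes.fromhex(hexchars[: len(hexchars) // 2 * 2])
    except ValueError:
        return None
    hits = [i for i in (blob.find(m) for m in RAR_MAGICS) if i >= 0]
    return blob[min(hits):] if hits else None


def reports_for(text):
    """Construct report lines that type `text` (test data only): one press report and
    one all-zero release report per character, so repeated characters like '00' survive."""
    inv = {ch: (k, s) for k, pair in KEYMAP.items() for s, ch in enumerate(pair)}
    out = []
    for ch in text:
        k, s = inv[ch]
        out.append("%02x00%02x0000000000" % (0x02 if s else 0x00, k))
        out.append("0000000000000000")
    return out


# Constructed sample: the keyboard types the hex of a RAR 4.x marker block followed by
# filler bytes; the first press report is duplicated to mimic a key held across two polls.
SAMPLE_HEX = "526172211a0700" + "cf9073000d000000"
SAMPLE_LINES = reports_for(SAMPLE_HEX)
SAMPLE_LINES.insert(1, SAMPLE_LINES[0])


def recover_sample():
    """Run the pipeline on the constructed sample; returns (typed text, carved bytes)."""
    typed = decode_keystrokes(SAMPLE_LINES)
    return typed, carve_rar(typed)


if __name__ == "__main__":
    typed, rar = recover_sample()
    print("typed:", typed)
    print("rar  :", rar.hex() if rar else None)
```

To use it on a real export, replace `SAMPLE_LINES` with `open("keyboard.txt").read().splitlines()` and write the bytes returned by `carve_rar` to a `.rar` file; because the decoder keys on key transitions rather than on the shape of each report, reports with several keys down or a non-zero reserved byte are decoded rather than silently dropped, which is where the filter in tran.py loses characters.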
Epilogue
The routine for this kind of question is that the data is hidden in capdata; find a script to read it out and you are done.
At that time, I did manage to extract a zip archive from the USB data, but I had not separated the 2.8.1 stream from the rest, and even after fixing the file header I still could not extract the file. All that can be said is that the preparation was insufficient, which left some regrets.
Supplement

Used EXP

https://github.com/WangYihang/UsbKeyboardDataHacker/blob/master/UsbKeyboardDataHacker.py

References

At that time, I could not solve it on site, so I did my best with Bing and Google; after the competition I found that I had read quite a few materials, so I have organized them here.
In-depth understanding of USB traffic packet capture and analysis
https://www.cnblogs.com/ECJTUACM-873284962/p/9473808.html
Basic analysis of compressed packages in CTF problem-solving skills
https://www.freebuf.com/column/199854.html
Official description of USB by Wireshark
https://wiki.wireshark.org/USB

Supplementary & Consolidation Exercises

About USB traffic analysis
https://www.jianshu.com/p/92064f2e9dcb
[Technical Sharing] Learning USB Traffic Capture and Analysis from CTF
https://www.anquanke.com/post/id/85218
Memory Forensics & USB Traffic Analysis – [University Battle “Epidemic”] ez_mem&usb
https://blog.csdn.net/qq_42939527/article/details/104755640


Kx ID: wx_莫克斯

https://bbs.pediy.com/user-home-916399.htm

*This article is original by Kx forum wx_莫克斯. Please indicate the source from Kx community when reprinting.
