Deadly Arthropod
We are given a PCAP file called deadly_arthropod.pcap with some USB events:
Identifying the device
There is an event that shows that the USB device is a keyboard (actually, Razer BlackWidow Ultimate 2013):
Therefore, we will need to analyze key strokes, like in Logger. Keyboards and similar input devices speak to the host using the USB Human Interface Device (HID) class. More information can be found at Wikipedia. In fact, there is a documentation manual attached: ww.usb.org, where the HID usage tables are found (Section 10: “Keyboard/Keypad Page (0x07)”), which map each key code to a key:
This table can also be found in this GitHub Gist.
Filtering events
Now we need to find out which events carry the key stroke information. It seems that packets with a length of 35 bytes are the interesting ones (27 bytes of URB header plus the 8-byte HID report). So, let’s filter them:
Let’s remove the ones that have zero data (0000000000000000, sent when a key is released) and also the ones that start with 02 and have the rest all zero (0200000000000000, sent when only the left Shift modifier is held down):
Alright, now we are left with all the key stroke codes. The only thing we need to do is decode them.
Use of tshark
The above filtering can also be done with tshark from the command line:
$ tshark -r deadly_arthropod.pcap | grep ' 35 $' | awk '{ print $6 }' | grep -v '0[02]00000000000000'
0000080000000000
00000e0000000000
0000160000000000
02001f0000000000
00000b0000000000
0000040000000000
0000060000000000
00000e0000000000
0000170000000000
00000b0000000000
0000080000000000
0000050000000000
0000120000000000
00001b0000000000
0000370000000000
0000080000000000
0000180000000000
0000280000000000
0200170000000000
00000b0000000000
00001e0000000000
0000160000000000
0200060000000000
0000270000000000
0000180000000000
00000f0000000000
0000070000000000
0200050000000000
0000200000000000
0200100000000000
00001c0000000000
0200150000000000
0000200000000000
0000040000000000
00000f0000000000
0200130000000000
02001f0000000000
0000160000000000
0000160000000000
00001a0000000000
0000270000000000
0000150000000000
0000070000000000
0000280000000000
0200140000000000
02000e0000000000
0000500000000000
02002d0000000000
00004f0000000000
0000370000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
02000b0000000000
00004f0000000000
0000220000000000
0000500000000000
0000500000000000
02002f0000000000
02002d0000000000
0000500000000000
02000c0000000000
00004f0000000000
00004f0000000000
0000060000000000
00000e0000000000
00004f0000000000
0000340000000000
00004f0000000000
00004f0000000000
0000050000000000
0000270000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
02000c0000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0200170000000000
00004f0000000000
00004f0000000000
0000090000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
02002d0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
0200300000000000
0000500000000000
0000370000000000
0000500000000000
0000370000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000200000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000180000000000
0000500000000000
0000500000000000
0000170000000000
02002d0000000000
00004f0000000000
00004f0000000000
0000040000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0200050000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
0000170000000000
00004f0000000000
0000220000000000
0000500000000000
0000500000000000
0000500000000000
02000c0000000000
00004f0000000000
00004f0000000000
00004f0000000000
02002d0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
0000040000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
0000040000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
00004f0000000000
0000070000000000
0000500000000000
0000500000000000
0000500000000000
0000500000000000
00001c0000000000
00004f0000000000
00004f0000000000
00004f0000000000
0000150000000000
Decoding process
In Logger, I did the decoding manually, since there were only a few events and some CAPS keys involved. For this challenge, we have almost 200 events. Further, there are RIGHT and LEFT arrow keys involved, so we will need to replay all the key strokes to reconstruct the text that ends up printed on the screen. There are some projects on GitHub that parse key strokes, for example USB-Keyboard-Parser. I took inspiration from one of these projects and built my own parser in Python. My code takes the USB events from stdin.
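As an added example (not the author's solve.py), here is a parser in the spirit described above: it reads one 8-byte report per line from stdin, decodes the modifier byte and the first key code using the HID Keyboard/Keypad page, and replays LEFT and RIGHT arrows as cursor movement so characters typed after an arrow land where they would on screen. The HID_KEYS table, the Backspace handling and the SAMPLE_REPORTS input (constructed from the capture's first few reports plus a short cursor exercise) are assumptions of this example, not part of the original post.

```python
import sys

# USB HID Usage Tables, section 10 "Keyboard/Keypad Page (0x07)":
# usage id -> (unshifted, shifted). Letters and digits are filled in below.
HID_KEYS = {
    0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"),
    0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
    0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    HID_KEYS[0x04 + i] = (ch, ch.upper())
for i, (digit, sym) in enumerate(zip("1234567890", "!@#$%^&*()")):
    HID_KEYS[0x1e + i] = (digit, sym)
KEY_ENTER, KEY_BACKSPACE, KEY_RIGHT, KEY_LEFT = 0x28, 0x2a, 0x4f, 0x50
SHIFT_MASK = 0x22  # modifier byte: bit 1 = left shift, bit 5 = right shift


def decode_reports(reports):
    """Replay 8-byte boot-keyboard reports; return the lines as they end up on screen."""
    lines, buf, cur = [], [], 0  # cur is the caret position inside the current line
    for rep in reports:
        data = bytes.fromhex(rep.strip())
        if len(data) != 8:
            raise ValueError(f"expected an 8-byte report, got {rep!r}")
        modifier, key = data[0], data[2]  # byte 1 is reserved, bytes 2..7 hold pressed keys
        if key == KEY_LEFT:
            cur = max(cur - 1, 0)
        elif key == KEY_RIGHT:
            cur = min(cur + 1, len(buf))
        elif key == KEY_BACKSPACE:
            if cur > 0:
                cur -= 1
                del buf[cur]
        elif key == KEY_ENTER:
            lines.append("".join(buf))
            buf, cur = [], 0
        elif key:  # a character; key 0 is a release report and is skipped
            shifted = 1 if modifier & SHIFT_MASK else 0  # unmapped ids get a visible marker
            buf.insert(cur, HID_KEYS.get(key, (f"[{key:#04x}]",) * 2)[shifted])
            cur += 1  # after LEFT, this inserts mid-line, which is what scrambles the flag
    if buf:
        lines.append("".join(buf))
    return lines


# Constructed sample: e k s Shift+2 Enter, then Q K LEFT Shift+- RIGHT .  ->  ["eks@", "Q_K."]
SAMPLE_REPORTS = ("0000080000000000 00000e0000000000 0000160000000000 02001f0000000000 0000280000000000 "
                  "0200140000000000 02000e0000000000 0000500000000000 02002d0000000000 00004f0000000000 0000370000000000").split()

if __name__ == "__main__":  # reads the tshark-filtered reports, one per line, from stdin
    print("\n".join(decode_reports(sys.stdin)))
```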
Flag
If we run the script on the tshark filtered output, we will see the flag:
$ tshark -r deadly_arthropod.pcap | grep ' 35 $' | awk '{ print $6 }' | grep -v '0[02]00000000000000' | python3 solve.py
0000080000000000 e
00000e0000000000 k
0000160000000000 s
02001f0000000000 @
00000b0000000000 h
0000040000000000 a
0000060000000000 c
00000e0000000000 k
0000170000000000 t
00000b0000000000 h
0000080000000000 e
0000050000000000 b
0000120000000000 o
00001b0000000000 x
0000370000000000 .
0000080000000000 e
0000180000000000 u
0000280000000000 [ENTER]
0200170000000000 T
00000b0000000000 h
00001e0000000000 1
0000160000000000 s
0200060000000000 C
0000270000000000 0
0000180000000000 u
00000f0000000000 l
0000070000000000 d
0200050000000000 B
0000200000000000 3
0200100000000000 M
00001c0000000000 y
0200150000000000 R
0000200000000000 3
0000040000000000 a
00000f0000000000 l
0200130000000000 P
02001f0000000000 @
0000160000000000 s
0000160000000000 s
00001a0000000000 w
0000270000000000 0
0000150000000000 r
0000070000000000 d
0000280000000000 [ENTER]
0200140000000000 Q
02000e0000000000 K
0000500000000000 [LEFT]
02002d0000000000 _
00004f0000000000 [RIGHT]
0000370000000000 .
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
02000b0000000000 H
00004f0000000000 [RIGHT]
0000220000000000 5
0000500000000000 [LEFT]
0000500000000000 [LEFT]
02002f0000000000 {
02002d0000000000 _
0000500000000000 [LEFT]
02000c0000000000 I
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
0000060000000000 c
00000e0000000000 k
00004f0000000000 [RIGHT]
0000340000000000 '
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
0000050000000000 b
0000270000000000 0
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
02000c0000000000 I
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0200170000000000 T
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
0000090000000000 f
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
02002d0000000000 _
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
0200300000000000 }
0000500000000000 [LEFT]
0000370000000000 .
0000500000000000 [LEFT]
0000370000000000 .
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000200000000000 3
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000180000000000 u
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000170000000000 t
02002d0000000000 _
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
0000040000000000 a
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0200050000000000 B
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
0000170000000000 t
00004f0000000000 [RIGHT]
0000220000000000 5
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
02000c0000000000 I
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
02002d0000000000 _
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
0000040000000000 a
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000040000000000 a
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
0000070000000000 d
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
0000500000000000 [LEFT]
00001c0000000000 y
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
00004f0000000000 [RIGHT]
0000150000000000 r
eks@hackthebox.eu
Th1sC0uldB3MyR3alP@ssw0rd
HTB{If_It_Quack5_It'5_a_K3yb0ard...}
This script can be found here: solve.py.