This was a 100 point Forensics challenge, I spent a total of 4-5 hours on it which was probably more than necessary but at least I got it in the end :)

Information given

References used

These previous writeups were immensely helpful when I got stuck and wanted to give up multiple times, I'll mention how the clues I got from these writeups helped me get back on track later on 🙏

The process I used

Note: This post is going to be long as it documents not just the solution but how I got to the solution after overcoming certain obstacles!

After working with .pcapng files in my Networks course as well as .pcap files in previous CTF challenges, I knew the first step was to inspect the capture file in Wireshark.

At the time I didn't know where to begin, but based on the challenge description the packets would either be recording a link to a document containing the flag or the flag itself. Later on one of the writeups above showed that the GET DESCRIPTOR Response DEVICE packet would actually tell what the device was.

I initially thought all the data was stored in the "HID Report", and this webpage gave some insight as to how keys are stored in packets. But after reading the writeups, the data format was right but the actual data (each keystroke) was actually stored in URB_INTERRUPT in packets.

I also learnt about the tshark tool from the other writeups, which can be used to extract a particular data field from a specified packet type in a capture file. After running the command tshark -r task.pcap -T fields -e usb.capdata > key.txt the output was:

00:00:1a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:09:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:05:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:20:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:34:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:20:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2f:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1a:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:21:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:37:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:05:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:06:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:37:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:09:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2f:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:11:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:21:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:30:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:33:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:20:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:22:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:32:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:23:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:36:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:34:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:13:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:05:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:24:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:22:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:24:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:13:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0e:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:26:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:10:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:30:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:37:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:06:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:25:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2d:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2f:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0d:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:22:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:26:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:25:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:11:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:34:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:33:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:26:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:21:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:30:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:21:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:34:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:33:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2e:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:13:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:09:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:21:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:1e:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:30:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:2d:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0e:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:24:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:06:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:22:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:14:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:21:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:37:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:1e:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:20:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:36:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:06:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:51:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:20:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:08:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:00:00:00:00:00:00
02:00:30:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:52:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:04:00:00:00:00:00:00:00
02:00:08:00:00:00:00:00:00:00
02:00:0f:00:02:00:00:00:00:00
02:00:0f:00:07:00:00:00:00:00
01:00:12:26:00:22:00:00:00:00
01:00:4f:27:d0:24:00:00:00:00
01:00:df:27:4b:26:00:00:00:00
01:00:39:29:84:28:00:00:00:00
01:00:cc:2a:25:2a:00:00:00:00
01:00:5f:2c:12:2c:00:00:00:00
01:00:b8:2d:71:2e:00:00:00:00
01:00:bc:2e:a1:2f:00:00:00:00
01:00:32:30:da:31:00:00:00:00
01:00:a8:31:55:33:00:00:00:00
01:00:c8:32:38:34:00:00:00:00
01:00:78:34:b4:35:00:00:00:00
01:00:62:36:2f:37:00:00:00:00
01:00:d5:36:12:38:00:00:00:00
01:00:bb:37:68:39:00:00:00:00
01:00:c1:39:55:3b:00:00:00:00
01:00:38:3b:84:3c:00:00:00:00
01:00:3b:3c:da:3d:00:00:00:00
01:00:ae:3c:bd:3e:00:00:00:00
01:00:94:3d:a1:3f:00:00:00:00
01:00:24:3e:12:40:00:00:00:00
01:00:d1:3e:d0:40:00:00:00:00
01:00:28:3f:f6:40:00:00:00:00
01:00:9b:3f:42:41:00:00:00:00
01:00:f1:3f:42:41:00:00:00:00
01:00:0e:40:68:41:00:00:00:00
01:00:47:40:68:41:00:00:00:00
01:00:64:40:8e:41:00:00:00:00
01:00:bb:40:8e:41:00:00:00:00
01:00:f4:40:b4:41:00:00:00:00
01:00:4b:41:00:42:00:00:00:00
01:00:84:41:4b:42:00:00:00:00
01:00:a1:41:71:42:00:00:00:00
01:00:f7:41:bd:42:00:00:00:00
01:00:31:42:09:43:00:00:00:00
01:00:6b:42:2f:43:00:00:00:00
01:00:fb:42:c7:43:00:00:00:00
01:00:a7:43:aa:44:00:00:00:00
01:00:37:44:00:46:00:00:00:00
01:00:3a:45:c7:47:00:00:00:00
01:00:77:46:b4:49:00:00:00:00
01:00:41:47:55:4b:00:00:00:00
01:00:ee:47:84:4c:00:00:00:00
01:00:7d:48:68:4d:00:00:00:00
01:00:f1:48:4b:4e:00:00:00:00
01:00:47:49:09:4f:00:00:00:00
01:00:ba:49:a1:4f:00:00:00:00
01:00:d7:49:ed:4f:00:00:00:00
01:00:2d:4a:38:50:00:00:00:00
01:00:4a:4a:38:50:00:00:00:00
01:01:4a:4a:38:50:00:00:00:00
01:00:4a:4a:38:50:00:00:00:00

Using some 2041 knowledge, I got rid of the parts I didn't need and narrowed the data down to the most important parts:

cat key.txt | egrep "^([0-9][0-9]:){7}00$" | sed 's/:00//g;s/00:*//g' | egrep [0-9] > key2.txt

28
28
09
28
05
28
20
34
52
52
52
02
02:20
02
52
02
02
02
02:21
02
51
02
02:37
02
05
51
04
51
08
51
06
37
52
09
52
02
02
52
11
02
02:21
02
52
18
02
02:30
02
51
02
02:33
02
51
20
51
18
51
02
02:22
02
52
02
02:32
02
52
52
23
52
36
34
51
13
51
05
51
24
51
02
02:22
02
02
02:24
02
52
07
52
27
52
52
13
17
51
51
04
51
51
02
02:26
02
52
52
15
52
10
52
30
51
27
51
07
51
02
02:37
02
51
06
52
02
02:25
02
52
02
02
52
02
02
52
02
02:22
02
51
18
51
16
51
02
02:26
02
51
02
02:25
02
52
27
52
11
52
34
52
33
26
51
51
21
51
30
51
21
52
34
52
52
33
52
02
02
13
51
09
51
08
51
02
02:21
02
51
02
02
02
02:30
02
52
52
02
02
52
52
16
02
02:24
02
51
16
51
51
06
51
02
02:22
02
14
52
02
02:21
02
52
37
52
02
02
52
02
02:20
02
36
51
16
51
27
51
06
51
20
52
08
52
02
02:30
02
52
52

Notice that some lines have 02 followed by a two-digit hexadecimal number. According to the USB HID Usage Tables, the 02 in front corresponds to the Left Shift being pressed, while the digits after it correspond to keys on the keyboard. For example: 09 = f, 02 followed by 09 = F, and so on.

I further converted the data into an easier to read format where ** means the left-shift was being pressed.

cat key2.txt | sed 's/02:/**/g' > key3.txt

28
28
09
28
05
28
20
34
52
52
52
02
**20
02
52
02
02
02
**21
02
51
02
**37
02
05
51
04
51
08
51
06
37
52
09
52
02
02
52
11
02
**21
02
52
18
02
**30
02
51
02
**33
02
51
20
51
18
51
02
**22
02
52
02
**32
02
52
52
23
52
36
34
51
13
51
05
51
24
51
02
**22
02
02
**24
02
52
07
52
27
52
52
13
17
51
51
04
51
51
02
**26
02
52
52
15
52
10
52
30
51
27
51
07
51
02
**37
02
51
06
52
02
**25
02
52
02
02
52
02
02
52
02
**22
02
51
18
51
16
51
02
**26
02
51
02
**25
02
52
27
52
11
52
34
52
33
26
51
51
21
51
30
51
21
52
34
52
52
33
52
02
02
13
51
09
51
08
51
02
**21
02
51
02
02
02
**30
02
52
52
02
02
52
52
16
02
**24
02
51
16
51
51
06
51
02
**22
02
14
52
02
**21
02
52
37
52
02
02
52
02
**20
02
36
51
16
51
27
51
06
51
20
52
08
52
02
**30
02
52
52

Using this knowledge, I wrote a simple Python script to quickly transcribe the hex values to the proper "keystrokes"

import sys

def convert(line):
    # Map a USB HID keyboard usage ID (two hex digits, as printed by tshark) to a key name
    return {
        '04': 'a',
        '05': 'b',
        '06': 'c',
        '07': 'd',
        '08': 'e',
        '09': 'f',
        '0a': 'g',
        '0b': 'h',
        '0c': 'i',
        '0d': 'j',
        '0e': 'k',
        '0f': 'l',
        '10': 'm',
        '11': 'n',
        '12': 'o',
        '13': 'p',
        '14': 'q',
        '15': 'r',
        '16': 's',
        '17': 't',
        '18': 'u',
        '19': 'v',
        '1a': 'w',
        '1b': 'x',
        '1c': 'y',
        '1d': 'z',
        '1e': '1',
        '1f': '2',
        '20': '3',
        '21': '4',
        '22': '5',
        '23': '6',
        '24': '7',
        '25': '8',
        '26': '9',
        '27': '0',
        '28': '\\n',
        '29': 'esc',
        '2a': 'del',
        '2b': '\\t',
        '2c': '<space>',
        '2d': '-',
        '2e': '=',
        '2f': '[',
        '30': ']',
        '31': '\\',
        '32': '#/~',
        '33': ';',
        '34': '.',    # HID Usage Tables list 0x34 as ' and "; '.' kept to match the output below
        '35': '`',
        '36': ',',
        '37': '.',
        '38': '/',
        '39': 'CAPS',
        '51': 'Down',
        '52': 'Up'
    }.get(line, line)    # return result else return same thing if no result


# Read one code per line from stdin; "**NN" marks a key pressed with Left Shift
for line in sys.stdin:
    line = line.rstrip()
    if "*" in line:
        print("SHIFT + " + convert(line[2:]))
    else:
        print(convert(line))

After running the script with the input, the final output I got was

w
\n
k
\n
f
\n
b
\n
3
.
Up
[
Up
l
Up
SHIFT + 3
Up
SHIFT + [
w
SHIFT + 4
Down
SHIFT + .
b
Down
a
g
Down
[
e
Down
c
i
.
[
Up
[
f
Up
SHIFT + [
k
Up
n
SHIFT + 4
Up
j
u
SHIFT + ]
Down
SHIFT + ;
Down
3
Down
u
Down
SHIFT + 5
=
Up
SHIFT + #/~
Up
y
Up
6
Up
,
.
Down
p
Down
b
Down
7
Down
SHIFT + 5
SHIFT + 7
Up
d
Up
0
Up
j
Up
p
t
Down
i
Down
a
Down
[
Down
k
SHIFT + 9
Up
=
Up
r
Up
m
Up
]
=
Down
0
Down
d
Down
SHIFT + .
Down
l
c
Up
SHIFT + 8
Up
SHIFT + -
Up
SHIFT + [
Up
j
SHIFT + 5
Down
u
Down
s
Down
SHIFT + 9
Down
SHIFT + 8
2
Up
0
Up
n
Up
.
Up
;
9
Down
h
Down
4
Down
]
Down
y
4
Up
.
Up
k
Up
;
Up
SHIFT + =
p
Down
f
Down
e
Down
SHIFT + 4
Down
SHIFT + 1
SHIFT + ]
Up
1
Up
SHIFT + -
Up
k
Up
s
SHIFT + 7
Down
s
Down
2
Down
c
Down
SHIFT + 5
q
Up
SHIFT + 4
Up
.
Up
SHIFT + 1
Up
SHIFT + 3
,
Down
s
Down
0
Down
c
Down
z
3
Up
e
Up
SHIFT + ]
Up
-
Up
i
Here is the twist that the other challenges didn't have, it took a while but I figured it out!

At first I got stuck because I ignored the Up and Down keys and just typed out a in a few lines, but then after that didn't work I noticed that because the flag is in flag{...} format something must be wrong. The word flag can be seen but it's not in the right sequence ...

Perhaps the person is obfuscating the flag by purposely shifting up and down while typing out the flag?

Last push

So the final step was just to follow the initial starting words, but once on the correct line just ignore any Up's followed by Down's (basically stay on the same line) and continue typing out to get the flag!

The flag is : flag{k3yb0ard_sn4ke_2.0} 🐍
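
The manual replay described above can be automated. The following is an added example, not part of the original write-up: it decodes 8-byte keyboard reports straight from the usb.capdata output (including usage IDs that contain hex letters, such as 1a or 0e, which a digits-only filter like `[0-9][0-9]` skips) and replays Enter, Up and Down into a line buffer. It assumes a US layout and that each typed character lands at the end of the current line; the sample input is constructed, and `KEYS`, `parse_reports`, `replay` and `press` are names chosen for this example.

```python
"""Replay USB HID boot-keyboard reports, honouring Shift, Enter and Up/Down."""
import string

# US-layout usage IDs (HID Usage Tables, Keyboard/Keypad page): id -> (plain, shifted)
KEYS = {0x2C: (" ", " ")}
for i, c in enumerate(string.ascii_lowercase):
    KEYS[0x04 + i] = (c, c.upper())
for i, (c, s) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYS[0x1E + i] = (c, s)
for i, (c, s) in enumerate(zip("-=[]\\#;'`,./", "_+{}|~:\"~<>?")):
    KEYS[0x2D + i] = (c, s)
ENTER, DOWN, UP = 0x28, 0x51, 0x52
SHIFT_BITS = 0x02 | 0x20            # left / right Shift bits in the modifier byte


def parse_reports(text):
    """Yield (modifier, keycodes) for each 8-byte report in usb.capdata output."""
    for line in text.splitlines():
        try:
            data = bytes.fromhex(line.strip().replace(":", ""))
        except ValueError:
            continue                # not hex at all
        if len(data) == 8:          # other lengths (e.g. mouse reports) are skipped
            yield data[0], [k for k in data[2:] if k]


def replay(text):
    """Return the lines of text an editor would hold after the keystrokes."""
    rows, row, held = [""], 0, set()
    for mod, keys in parse_reports(text):
        for k in keys:
            if k in held:           # still down from the previous report, not a new press
                continue
            if k == ENTER:          # assumption: Enter opens a new line below
                row += 1
                rows.insert(row, "")
            elif k == UP:
                row = max(row - 1, 0)
            elif k == DOWN:
                row = min(row + 1, len(rows) - 1)
            elif k in KEYS:
                rows[row] += KEYS[k][1 if mod & SHIFT_BITS else 0]
        held = set(keys)
    return rows


def press(mod, key):
    """Constructed press report followed by the all-zero release report."""
    return f"{mod:02x}:00:{key:02x}:00:00:00:00:00\n00:00:00:00:00:00:00:00\n"

# Constructed sample: x, Enter, h, Enter, y, Up, i, Up, a, Down, Shift+1, Down, z
SAMPLE = "".join(press(m, k) for m, k in [
    (0, 0x1B), (0, 0x28), (0, 0x0B), (0, 0x28), (0, 0x1C), (0, 0x52), (0, 0x0C),
    (0, 0x52), (0, 0x04), (0, 0x51), (2, 0x1E), (0, 0x51), (0, 0x1D)])
SAMPLE += "01:00:aa:bb:00:cc:00:00:00:00\n"   # constructed 10-byte report, ignored

if __name__ == "__main__":
    print("\n".join(replay(SAMPLE)))
```

Fed the full key.txt instead of the constructed sample, each element of the returned list is one line of the typist's buffer, so the interleaved decoy lines and the flag line come out separately.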

Reflections / Things I Learnt

This challenge was a reminder that even unconventional obfuscation can throw you off if you're not careful!!! I learnt a lot about USB packets and sniffing from this challenge. I assume that in real-life scenarios a keylogger could be used to capture these packets which could then be read later on ...
