[CISCN 2022 初赛]ez_usb
前言
这题当时国赛的时候由于没有怎么碰过MISC,到最后一步没做出来,实在是难受,今天复盘了一下
Analyze
拿到题目附件是一个流量包,可以看到分别有2.4.0
,2.3.0
,2.2.0
,2.10.0
,2.8.1
,2.8.0
这些地址的USB流量,我们可以一个一个筛选出来,然后通过导出特定分组
进行保存,用UsbKeyboardDataHacker
来提取其中的信息,最终会发现2.10.1
和2.8.1
中有有效信息
这里展示一下2.8.1
的提取过程
# usb.src=="2.8.1"||usb.dst=="2.8.1"
31 0.010805 2.8.1 host USB 35 URB_INTERRUPT in
32 0.010818 host 2.8.1 USB 27 URB_INTERRUPT in
33 0.110764 2.8.1 host USB 35 URB_INTERRUPT in
34 0.110777 host 2.8.1 USB 27 URB_INTERRUPT in
35 0.166768 2.8.1 host USB 35 URB_INTERRUPT in
36 0.166785 host 2.8.1 USB 27 URB_INTERRUPT in
37 0.174769 2.8.1 host USB 35 URB_INTERRUPT in
38 0.174786 host 2.8.1 USB 27 URB_INTERRUPT in
39 0.278798 2.8.1 host USB 35 URB_INTERRUPT in
40 0.278807 host 2.8.1 USB 27 URB_INTERRUPT in
41 4.810816 2.8.1 host USB 35 URB_INTERRUPT in
42 4.810918 host 2.8.1 USB 27 URB_INTERRUPT in
43 4.930792 2.8.1 host USB 35 URB_INTERRUPT in
44 4.930859 host 2.8.1 USB 27 URB_INTERRUPT in
45 5.035138 2.8.1 host USB 35 URB_INTERRUPT in
46 5.035258 host 2.8.1 USB 27 URB_INTERRUPT in
47 5.145153 2.8.1 host USB 35 URB_INTERRUPT in
48 5.145319 host 2.8.1 USB 27 URB_INTERRUPT in
49 5.237095 2.8.1 host USB 35 URB_INTERRUPT in
50 5.237229 host 2.8.1 USB 27 URB_INTERRUPT in
51 5.340767 2.8.1 host USB 35 URB_INTERRUPT in
52 5.340861 host 2.8.1 USB 27 URB_INTERRUPT in
53 5.830805 2.8.1 host USB 35 URB_INTERRUPT in
[22:35:44] m1sceden4:UsbKeyboardDataHacker git:(master) $ python3 UsbKeyboardDataHacker.py /mnt/c/Users/M1sceden4/Desktop/ez_usb_aa5a121ba13f7e82d2df13af34ac3123/2.8.1.pcapng
[-] Unknow Key : 04
[-] Unknow Key : 04
[-] Unknow Key : 01
[-] Unknow Key : 01
[+] Found : 526172211a0700<CAP>c<CAP>f907300000d00000000000000c4527424943500300000002<CAP>a000000<CAP>02b9f9b0530778b5541d33080020000000666c61672<CAP>e<CAP>747874<CAP>b9b<CAP>a013242f3a<CAP>fc<CAP>000b092c229d6e994167c05<CAP>a7<CAP>8708b271f<CAP>fc<CAP>042ae3d251e65536<CAP>f9a<CAP>da87c77406b67d0<CAP>e6316684766<CAP>a86e844d<CAP>c81aa2<CAP>c72c71348d10c4<CAP>c<DEL>3d7b<CAP>00400700
2.10.1
提取数据如下
[22:36:11] m1sceden4:UsbKeyboardDataHacker git:(master) $ python3 UsbKeyboardDataHacker.py /mnt/c/Users/M1sceden4/Desktop/ez_usb_aa5a121ba13f7e82d2df13af34ac3123/2.10.1.pcapng
[+] Found : 35c535765e50074a
可以看到提取出了一串数据,看到5261..
估计这是一个rar,把<CAP>
和<DEL>
给去掉,剩下的数据拿到010editor
或者winhex
去生成一个rar文件(如果生成的rar报错的话可以尝试用winrar的修复功能),发现有密码,不是伪加密,密码则是2.10.1
中提取出来的那一串
解密得到flag
总之就是太菜了,我该怎么办qwq