USB ripper

Hi,

I just validated this challenge but with a method which is kind of “I can try dumb and desperate things, it costs nothing”.

Is there a logical and realistic path to investigate and get the flag or is it just CTF-like “try hard random things until you find”?

edit: I have the answer, there is a logical way and a shitty one to get the flag


research the author… it’s really simple from there. The “logical” way just requires some scripting to find patterns.

Fun challenge… and learned something new!

> @will135 said:
>
> research the author… it’s really simple from there

Am I right that I could find some information about Date from there?

I believe that I have found the event, but I cannot for the life of me figure out how to crack the result. Is all the information I need in the detected event? There is a tremendous amount of data to go through.

Using the relevant tool I get a backtrace about wrong timestamp format. Has anyone experienced this issue?

> @davidlightman said:
>
> Using the relevant tool I get a backtrace about wrong timestamp format. Has anyone experienced this issue?

pip3 install usbrip==2.1.3.post3

Yeah, I figured through git. Thanks!

Anyone else getting issues with the usbrip tool?
Somehow it can’t parse the json file, gives me this output…

Tried to install in all possible ways, installed all repos which are asked for on github - still the same…

[12:33:03] [INFO] Filtering events
Traceback (most recent call last):
File “/usr/local/bin/usbrip”, line 10, in
sys.exit(main())
File “/usr/local/lib/python3.7/dist-packages/usbrip/main.py”, line 103, in main
repres=repres
File “/usr/local/lib/python3.7/dist-packages/usbrip/lib/utils/debug.py”, line 39, in wrapper
result = func(args, **kwargs)
File “/usr/local/lib/python3.7/dist-packages/usbrip/lib/core/usbevents.py”, line 145, in open_dump
events_to_show = _filter_events(events_dumped, sieve)
File “/usr/local/lib/python3.7/dist-packages/usbrip/lib/core/usbevents.py”, line 487, in _filter_events
event_intersection = intersect_event_sets(events_by_external, events_by_date)
File “/usr/local/lib/python3.7/dist-packages/usbrip/lib/core/common.py”, line 148, in intersect_event_sets
event_intersection_sorted = sorted(event_intersection, key=lambda i: i[‘conn’])
File “/usr/local/lib/python3.7/dist-packages/usbrip/lib/core/common.py”, line 148, in
event_intersection_sorted = sorted(event_intersection, key=lambda i: i[‘conn’])
TypeError: string indices must be integers
[*] Shutted down at 2019-08-12 12:33:03
[*] Time taken: 0:00:00.101619

Hey guys, may be a dumb question but in the challenge by crack it he means to decrypt it?

@Dragonware It can’t be decrypted, you have to crack it

@Kougloff I got it! Thank You for the help.

> @davidlightman said:
>
> Using the relevant tool I get a backtrace about wrong timestamp format. Has anyone experienced this issue?

yeah; it’s straightforward to edit the python code and get that fixed.

Cheers,

Only thing I get with the tool is:

[*] Started at 2019-08-14 10:14:21
[10:14:21] [INFO] Reading “/home/ant/Downloads/usb-ripper/auth.json”
new: 0.656 seconds
[10:14:21] [INFO] Opening authorized device list: “/home/ant/Downloads/usb-ripper/auth.json”
[10:14:22] [INFO] Searching for violations
[10:14:22] [INFO] Filtering events
[10:14:22] [INFO] No USB violation events found!

Or should I use events open? Somehow it does not work, gives me several traceback errors on a few components… Not sure if I need to edit every component or formulate my command better…

Finally did this lol… what a mission

@r0mka

I think it’s better you install another version. I also had problems too.

@Wolfstorm

Is the other version on the same github page?

It seems that it cannot parse the syslog date format… Not sure if I have to modify the script or I have to modify Syslog or I do not need to modify anything…?

Thanks!

@r0mka

If you have 2.1.3 you pretty much don’t need to do any modifications. It’s a matter of pointing to the correct file(s) within the application’s commands.

If you use the correct commands then you will have the necessary information.

I got a violation events but don’t know which fields should be cracked

Edit: I got it!

I think I have the event (well, there are a few it could be but only one violation). Anyone want to hint me what and how to crack it? Tried John and RY with no joy on the three hex fields you get out of the tool.
Well I got something (a band name) but nothing that looks like a flag.

And the hint of using 2.1.3 was golden too; had issues with the latest release…