USB ripper

edited August 10 in Challenges

Hi,

I just validated this challenge but with a method which is kind of "I can try dumb and desperate things, it costs nothing".

Is there a logical and realistic path to investigate and get the flag, or is it just CTF-like "try hard random things until you find"?

edit: I have the answer, there is a logical way and a shitty one to get the flag

Comments

  • edited August 10

    research the author... it's really simple from there. The "logical" way just requires some scripting to find patterns.

    will135

  • Fun challenge...and learned something new! :smiley:

  • @will135 said:

    research the author... it's really simple from there

    Am I right that I could find some information about Date from there?

  • edited August 11

    I believe that I have found the event, but I cannot for the life of me figure out how to crack the result. Is all the information I need in the detected event? There is a tremendous amount of data to go through.

  • Using the relevant tool I get a backtrace about wrong timestamp format. Has anyone experienced this issue?

  • @davidlightman said:

    Using the relevant tool I get a backtrace about wrong timestamp format. Has anyone experienced this issue?

    pip3 install usbrip==2.1.3.post3

  • Yeah, I figured through git. Thanks!

  • Anyone else getting issues with the usbrip tool?
    Somehow it can't parse the JSON file, it gives me this output...

    Tried to install in all possible ways, installed all the repos which are asked for on GitHub - still the same...

    [12:33:03] [INFO] Filtering events
    Traceback (most recent call last):
      File "/usr/local/bin/usbrip", line 10, in <module>
        sys.exit(main())
      File "/usr/local/lib/python3.7/dist-packages/usbrip/main.py", line 103, in main
        repres=repres
      File "/usr/local/lib/python3.7/dist-packages/usbrip/lib/utils/debug.py", line 39, in wrapper
        result = func(*args, **kwargs)
      File "/usr/local/lib/python3.7/dist-packages/usbrip/lib/core/usbevents.py", line 145, in open_dump
        events_to_show = _filter_events(events_dumped, sieve)
      File "/usr/local/lib/python3.7/dist-packages/usbrip/lib/core/usbevents.py", line 487, in _filter_events
        event_intersection = intersect_event_sets(events_by_external, events_by_date)
      File "/usr/local/lib/python3.7/dist-packages/usbrip/lib/core/common.py", line 148, in intersect_event_sets
        event_intersection_sorted = sorted(event_intersection, key=lambda i: i['conn'])
      File "/usr/local/lib/python3.7/dist-packages/usbrip/lib/core/common.py", line 148, in <lambda>
        event_intersection_sorted = sorted(event_intersection, key=lambda i: i['conn'])
    TypeError: string indices must be integers
    [*] Shutted down at 2019-08-12 12:33:03
    [*] Time taken: 0:00:00.101619

  • Hey guys, maybe a dumb question, but in the challenge, by "crack it" does he mean to decrypt it?

  • @Dragonware It can't be decrypted, you have to crack it

  • @Kougloff I got it! Thank you for the help.

  • @davidlightman said:

    Using the relevant tool I get a backtrace about wrong timestamp format. Has anyone experienced this issue?

    yeah; it's straightforward to edit the python code and get that fixed.

    Cheers,

    Sociaslkas

  • Only thing I get with the tool is:

    [*] Started at 2019-08-14 10:14:21
    [10:14:21] [INFO] Reading "/home/ant/Downloads/usb-ripper/auth.json"
    new: 0.656 seconds
    [10:14:21] [INFO] Opening authorized device list: "/home/ant/Downloads/usb-ripper/auth.json"
    [10:14:22] [INFO] Searching for violations
    [10:14:22] [INFO] Filtering events
    [10:14:22] [INFO] No USB violation events found!

    Or should I use events open? Somehow it does not work, it gives me several traceback errors on a few components... Not sure if I need to edit every component or formulate my command better...

  • Finally did this lol... what a mission :-)

  • @r0mka

    I think it's better you install another version. I also had problems too.

  • @Wolfstorm

    Is the other version on the same GitHub page?

    It seems that it cannot parse the syslog date format... Not sure if I have to modify the script, or I have to modify the syslog, or I do not need to modify anything...?

    Thanks!

  • @r0mka

    If you have 2.1.3 you pretty much don't need to do any modifications. It's a matter of pointing to the correct file(s) within the application's commands.

    If you use the correct commands then you will have the necessary information.

  • edited August 15

    I got a violation event but don't know which fields should be cracked

    Edit: I got it!

  • edited August 21

    I think I have the event (well, there are a few it could be, but only one violation). Anyone want to hint me what and how to crack it? Tried John and RY with no joy on the three hex fields you get out of the tool.
    Well, I got something (a band name) but nothing that looks like a flag.

    And the hint of using 2.1.3 was golden too; had issues with the latest release.

  • The result you get if you do everything correctly is not in the usual flag format iirc, you'll have to surround it with HTB{} when submitting.

    Gordin
    Press F to give respect

  • @Gordin Thanks, that worked, if it wasn't for your reply I'd have assumed I only had part of the solution and kept trying to decrypt all the rest of the data.

  • @GChester said:

    @Gordin Thanks, that worked, if it wasn't for your reply I'd have assumed I only had part of the solution and kept trying to decrypt all the rest of the data.

    hi, check your PM please, looking for a tip.

  • Learned to use a new tool, funny and short challenge

  • @socialkas said:

    @davidlightman said:

    Using the relevant tool I get a backtrace about wrong timestamp format. Has anyone experienced this issue?

    yeah; it's straightforward to edit the python code and get that fixed.

    Cheers,

    Can you give a little more detail on editing the python code? I have 2.1.4-2 and get the time error.

    FYI installed via "pip3 install appname"

  • @Br1a1d said:

    Can you give a little more detail on editing the python code? I have 2.1.4-2 and get the time error.

    Save yourself time, go back to 2.1.3 and try again...

  • Ugh, what an unneeded hassle on this one... the creator of the tool and challenge did not make their update compatible and now I have to search for older versions...

  • The only tools that I used were awk, grep and sed.

    limbernie
    Write-ups of retired machines
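
Added example, not part of any post in this thread: a sketch of the awk/grep/sed approach to spotting unauthorized USB devices, listing serial numbers that appear in a syslog but not in an allow-list. The file contents, the JSON layout (`manufact`, `prod` and `serial` arrays) and every value are constructed assumptions, not data from the challenge.

```shell
#!/bin/sh
# Added example. Every file name, JSON key and value below is constructed.

# Write a small allow-list and syslog excerpt into directory $1.
make_sample() {
    cat > "$1/auth.json" <<'EOF'
{
    "manufact": ["ExampleCorp"],
    "prod": ["Example Stick"],
    "serial": ["AAAA1111BBBB2222", "CCCC3333DDDD4444"]
}
EOF
    cat > "$1/syslog" <<'EOF'
Aug  3 07:18:01 host kernel: [  100.000002] usb 1-1: Product: Example Stick
Aug  3 07:18:01 host kernel: [  100.000003] usb 1-1: SerialNumber: AAAA1111BBBB2222
Aug  3 09:02:44 host kernel: [  200.000003] usb 1-1: SerialNumber: EEEE5555FFFF6666
Aug  3 11:40:10 host kernel: [  300.000003] usb 1-1: SerialNumber: CCCC3333DDDD4444
Aug  3 12:05:59 host kernel: [  400.000003] usb 1-1: SerialNumber: EEEE5555FFFF6666
EOF
}

# Print each serial seen in syslog $2 that is absent from allow-list $1.
unauthorized_serials() {
    allowed=$(mktemp)
    # Every double-quoted token in the JSON becomes one allow-list entry.
    grep -o '"[^"]*"' "$1" | sed 's/"//g' | sort -u > "$allowed"
    # Keep only the value after "SerialNumber:", then drop allowed and
    # already-reported values.
    sed -n 's/.*SerialNumber: *\([^[:space:]]*\).*/\1/p' "$2" |
        awk -v list="$allowed" '
            BEGIN { while ((getline entry < list) > 0) ok[entry] = 1 }
            !($0 in ok) && !seen[$0]++'
    rm -f "$allowed"
}

tmp=$(mktemp -d)
make_sample "$tmp"
unauthorized_serials "$tmp/auth.json" "$tmp/syslog"
rm -rf "$tmp"
```

Matching on the whole set of quoted tokens keeps the script independent of which JSON key holds the serials, at the cost of treating key names as allowed values too.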
