Solution to nc3 Klikkety Klack

18/12/17 — capitol

acab

name:

Klikkety Klack

category:

various

points:

n/a

Writeup

The danish police are running a CTF in order to show that they are cool with the kids here.

We got a pcapng file that seems to contain communication between an usb keyboard of type HP Basic USB Keyboard KU-0316 Keyboard and a computer.

Some simple awk and python did the trick, first get byte number three from the usb capture data like this:

tshark -r /tmp/2.pcapng -T fields -e usb.capdata|awk -F':' '{print($3)}'|awk 'NF > 0' > data.txt

and then translate it to characters with this python program:

mappings = {
        0x04:"A",
        0x05:"B",
        0x06:"C",
        0x07:"D",
        0x08:"E",
        0x09:"F",
        0x0A:"G",
        0x0B:"H",
        0x0C:"I",
        0x0D:"J",
        0x0E:"K",
        0x0F:"L",
        0x10:"M",
        0x11:"N",
        0x12:"O",
        0x13:"P",
        0x14:"Q",
        0x15:"R",
        0x16:"S",
        0x17:"T",
        0x18:"U",
        0x19:"V",
        0x1A:"W",
        0x1B:"X",
        0x1C:"Y",
        0x1D:"Z",
        0x1E:"1",
        0x1F:"2",
        0x20:"3",
        0x21:"4",
        0x22:"5",
        0x23:"6",
        0x24:"7",
        0x25:"8",
        0x26:"9",
        0x27:"0",
        0x28:"\n",
        0x2C:" ",
        0x2D:"-",
        0x2E:"=",
        0x2F:"[",
        0x30:"]"
        }
 
nums = []
keys = open('data.txt')
for line in keys:
        nums.append(int(line.strip(),16))
keys.close()
 
output = ""
for n in nums:
        if n in mappings:
                output += mappings[n]
        else:
                output += 'x'
 
print 'output :' + output

That gave us the output:

output: xJxxEEGx xHxAARR xLxIIGGEx xTTEESSTxEETx xMxIINx xTxOxAxSxTTEERxMxAxLLWWAxRREx 
xOxGx xIINNGGEENN xAxNxTxIxVxIIRxUUSx xDxExTTExCxTxEERRExDxEx xDDExNxx1xx xxFxxExDxTx 
xMxAxNxxx xxDxxExNx xHxAARx xSxHxAxxx2x556x 
x4x2xCx3xDx3xBxAx5xCx0x9x9x1x0x6xFxCx2x1xAxBx5x3x9x0x8x4x9x5xDx5xExFx2xFxFx9xFxCxAxAx8x9x0xBx1xCx7xExFx4x3x8x6xBxCx0x8x9x3xFx2xFxxxxxxxFx2xFx

Checking the hash 42C3D3BA5C099106FC21AB53908495D5EF2FF9FCAA890B1C7EF4386BC0893F2F on virustotal.com we found this comment:

This evil malware that infected my toaster made a call to 45.63.119.180 on port 9999 and send the text "HELLO". I think that server is a C2-server.

Connecting to that ip/port gave us another link, where we could download a binary

running strings on that binary gave us something that looked like an url:

nc3ctffqH
qn5ozfjyH
.onion/

and the string: 23/09/90 kl. 01:12:12 UTC er det helt rigtige unix-tidspunkt til at skabe en URL

after decompiling the binary the important part was this:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // eax@1
  int v4; // ST0C_4@1
  int result; // eax@1
  __int64 v6; // rsi@1
  __int64 v7; // [sp+10h] [bp-70h]@1
  __int64 v8; // [sp+18h] [bp-68h]@1
  __int64 v9; // [sp+20h] [bp-60h]@1
  char v10; // [sp+28h] [bp-58h]@1
  __int16 v11; // [sp+68h] [bp-18h]@1
  __int64 v12; // [sp+78h] [bp-8h]@1

  v12 = *MK_FP(__FS__, 40LL);
  v3 = time(0LL);
  srand(v3);
  v4 = rand();
  v7 = 8171331223976895342LL;
  v8 = 8748917902158425713LL;
  v9 = 13350748694671150LL;
  memset(&v10, 0, 0x40uLL);
  v11 = 0;
  puts("23/09/90 kl. 01:12:12 UTC er det helt rigtige unix-tidspunkt til at skabe en URL");
  printf("%s%d\n", &v7, (unsigned int)v4);
  result = 0;
  v6 = *MK_FP(__FS__, 40LL) ^ v12;
  return result;
}

We changed the init of srand to be the epoch of the date in the string, and got this url.

That gave us the flag:

DO_IT_FOR_THIS_ADORABLE_LITTLE_PUPPY_LOOK_AT_THE_PUPPY_MARGE