Rating:
# unknown
Given zip
Inside can see it is a TAR archive. Extract the TAR archive it to get flag
Or could have just used strings on the original file
# Couch Potato
Given .wav file
`https://github.com/colaclanth/sstv`
# wreck
Given a `dump: ELF 64-bit LSB core file, x86-64, version 1 (SYSV), SVR4-style, from 'python3 wreck.py'`
Ran strings on the dump and saw `flag.jpg`
Use binwalk extract the files.
# duck-pics
Given pcacp and can see its probably some hid data from a keyboard
```
https://github.com/TeamRocketIst/ctf-usb-keyboard-parser/blob/master/usbkeyboard.py
```
Extract data and add colons to fit the format needed by the script
```
tshark -r capture.pcapng -Y 'usb.src == "1.1.1"' -T fields -e usbhid.data |sed 's/../:&/g2' > output
```
```
python3 convert.py output
```
A couple tweaks and we got the flag
# reduce_recycle
Given a .zip and a 7z
Running bkcrack we can see the encryption method was Zipcrypto
```
https://github.com/kimci86/bkcrack
```
The challenge description mentions both files were protected with the same password so if we can crack the .zip we should be able to open the 7z
Create the plaintext and run bkcrack
same command -x 0 saying plaintext hex starting at the beginning of the file.
It cracks, just for fun a pic of a dog
What we really want tho is the password to open up the 7z
We can also use hashcat
`7z x important_flags.7z`
# the_CIA
Given a pdf file.
It is password protected and partially encrypted. We can still get some information about the file and see its using 40-bit encryption.
Reading this series of blog posts gives us all we need to crack it. The key to the challenge is.... the key.
`https://blog.didierstevens.com/2017/12/28/cracking-encrypted-pdfs-part-3/`
First step is to get the hash with john. Hashcat doesnt want the title at the front so we have to take that out.
Should look like
The hint in the description tells us that the first byte in the key is `b8`. Using hashcat with this info it cracked in a couple minutes.
Without that first byte hint it was expected to take over aday.
The key is `b895821f14`
Now with this key we can keep reading the blog post and Mr Stevens explains he forked and modded `qpdf` to be able to decrypt pdfs with the key instead of the password.
OG qpdf was updated. Could have also used
```
qpdf --password=b895821f14 --password-is-hex-key --decrypt here.pdf unlocked.pdf
```
Additionally, with the key and hash it is also possible to get the password.
Open the pdf
Take text into cyberchef for the rot 47 and base64 decoding.
# hall-effect
Extract hid data with tshark
`
tshark -r capture.pcapng -Y 'usb.src == "1.6.2"' -T fields -e usbhid.data > data
`
Keymap
Create the solve script
Command Detection:
The first byte of the HID packet (data[0] == 0xA9) indicates a valid command.
The second byte (cmd = data[1]) represents the specific command. The command ID is looked up in the cmds dictionary to determine what type of action it represents.
If the command is AMC_SET_TRAVAL, the script begins processing keypresses by looking at the row_mask data.
HID Keypress Mapping:
The HID data uses a matrix-based system, where the keyboard is represented as rows and columns in MAP_MATRIX. Each key on the keyboard is mapped to a specific row and column.
The row_mask stores which keys have been pressed. The script iterates through each row and column using nested loops (for r in range(6) and for c in range(15)).
For each key that has been pressed (row_mask[r] & (0x01 << c)), the corresponding key from MAP_MATRIX is retrieved and appended to final_message.
<details>
<summary>Python script for HID pcap keyboard</summary>
```
cmds = {
"AMC_GET_VERSION": 0x01,
"AMC_GET_PROFILES_INFO": 0x10,
"AMC_SELECT_PROFILE": 0x11,
"AMC_GET_PROFILE_RAW": 0x12,
"AMC_SET_PROFILE_NAME": 0x13,
"AMC_SET_TRAVAL": 0x14,
"AMC_SET_ADVANCE_MODE": 0x15,
"AMC_CLEAR_PROFILE": 0x1D,
"AMC_SAVE_PROFILE": 0x1F,
"AMC_GET_CURVE": 0x20,
"AMC_SET_CURVE": 0x21,
"AMC_GET_GAME_CONTROLLER_MODE": 0x22,
"AMC_SET_GAME_CONTROLLER_MODE": 0x23,
"AMC_GET_REALTIME_TRAVEL": 0x30,
"AMC_CALIBRATE": 0x40,
"AMC_GET_CALIBRATE_STATE": 0x41,
"AMC_GET_CALIBRATED_VALUE": 0x42,
}
packets = open("./data").readlines()
MAP_MATRIX = [
["ESC", "F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10", "F11", "F12", "DEL", "MUTE"],
["GRV", "1", "2", "3", "4", "5", "6", "7", "8", "9", "0", "-", "=", "BSPC", "PGUP"],
["TAB", "q", "w", "e", "r", "t", "y", "u", "i", "o", "p", "[", "]", "PGDN"],
["CAPS", "a", "s", "d", "f", "g", "h", "j", "k", "l", ":", "'", "NUHS", "ENT", "HOME"],
["LSFT", "NUBS", "z", "x", "c", "v", "b", "n", "m", ",", ".", "/", "RSFT", "UP"],
["LCTL", "LGUI", "LALT", "SPC", "RALT", "WIN_FN", "RCTL", "LEFT", "DOWN", "RGHT"],
]
SHIFTED_SYMBOLS = {
"1": "!",
"2": "@",
"3": "#",
"4": "$",
"5": "%",
"6": "^",
"7": "&",
"8": "*",
"9": "(",
"0": ")",
"-": "_",
"=": "+",
"[": "{",
"]": "}",
":": ":",
"'": "\"",
",": "<",
".": ">",
"/": "?",
}
final_message = []
previous_key = None
for pkt in packets:
pkt = pkt.strip()
data = bytes.fromhex(pkt)
if data and data[0] == 0xA9:
cmd = data[1]
cmd_id = list(cmds.keys())[list(cmds.values()).index(cmd)]
if cmd_id == "AMC_SET_TRAVAL":
profile = data[2]
mode = data[3]
act_pt = data[4]
sens = data[5]
rls_sens = data[6]
entire = data[7]
row_mask = [0] * 6
matrix = [[0] * 15 for _ in range(6)]
if not entire:
for i in range(6):
j = 8 + i * 3
row_mask[i] = int.from_bytes(data[j : j + 3], byteorder="little")
for r in range(6):
for c in range(15):
try:
if row_mask[r] & (0x01 << c):
key = MAP_MATRIX[r][c]
if key == "LSFT":
# Capitalize or modify the last appended key
if previous_key and previous_key.isalpha():
final_message[-1] = previous_key.upper()
elif previous_key in SHIFTED_SYMBOLS:
final_message[-1] = SHIFTED_SYMBOLS[previous_key]
else:
final_message.append(key)
previous_key = key
except IndexError:
print(f"Error accessing MAP_MATRIX at row {r}, col {c}")
final_string = ''.join(final_message)
print(final_string)
```
</details>
Output + a couple tweaks and we get the flag.
