Tags: morse usb pcap hid caps 

Rating: 4.0

# Gh0st in the machine (forensic,60p)

> mY CoMputEr IS ActIng uP. cAn yOu heLP mE?
> Flag format: BITS(WORDS.IN.CAPS)

In this task we were given a pcap containing two minutes' worth of USB keyboard capture. Apart from the actual keystrokes
(which turned out to spell a link to a Rick Roll video...), there were some packets going from the host to the keyboard.
Each contained only a single byte, alternating between 0x01 and 0x03. As we soon found out, the bits of this byte correspond to the keyboard LED state,
and the changing bit (0x02) is the Caps Lock status. This was consistent with the challenge description, which had some problems with
letter case.

We remembered a recent article about exfiltrating data using those LEDs and thought this could be used here as well,
so we wrote a quick script (parse3.py) that calculates the time between each Caps Lock turn-on and the following turn-off.
The durations seemed to follow a certain pattern, and we soon thought it could be Morse code. We treated pulses of 300ms or longer
as dashes and shorter ones as dots, and an online Morse converter gave us something close enough to the flag (we had to guess two
characters).

Original writeup (https://github.com/p4-team/ctf/tree/master/2017-02-04-bitsctf/ghost_in_the_machine).
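
The decoding step described above, as an added example (this is not the team's parse3.py). It assumes the host-to-keyboard LED bytes have already been extracted from the pcap as (millisecond timestamp, byte) pairs; the 500 ms letter gap, the function names and the sample capture are constructed for illustration, and only the 300 ms dash threshold and the 0x01/0x03 values come from the writeup.

```python
import string

# International Morse code for A..Z, in alphabetical order.
CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- "
         "-. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
MORSE = dict(zip(CODES, string.ascii_uppercase))

CAPS_LOCK = 0x02       # bit 1 of the HID keyboard LED output report
DASH_MS = 300          # from the writeup: pulses of 300 ms or longer are dashes
LETTER_GAP_MS = 500    # assumption: an LED-off gap this long separates letters

def decode(reports):
    """Decode (timestamp_ms, led_byte) pairs, in capture order, to text."""
    letters, symbols = [], ""
    on_since = off_since = None
    for ts, led in reports:
        lit = bool(led & CAPS_LOCK)          # ignore Num/Scroll Lock bits
        if lit and on_since is None:         # LED just turned on
            long_gap = off_since is not None and ts - off_since >= LETTER_GAP_MS
            if long_gap and symbols:         # previous letter is complete
                letters.append(symbols)
                symbols = ""
            on_since = ts
        elif not lit and on_since is not None:   # LED just turned off
            symbols += "-" if ts - on_since >= DASH_MS else "."
            on_since, off_since = None, ts
    if symbols:
        letters.append(symbols)
    # Patterns that are not valid Morse (timing noise) are shown as '?',
    # which is where manual guessing of characters comes in.
    return "".join(MORSE.get(s, "?") for s in letters)

def constructed_capture(morse="-.-. .- .--. ..."):
    """Constructed sample: the LED bytes a host would send for `morse`."""
    t, out = 1000, []
    for ch in morse:
        if ch == " ":
            t += 500                         # stretch the gap between letters
            continue
        out.append((t, 0x03))                # Num Lock + Caps Lock on
        t += 400 if ch == "-" else 100
        out.append((t, 0x01))                # Caps Lock off again
        t += 100
    return out

if __name__ == "__main__":
    print(decode(constructed_capture()))
```
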
noraj, Feb. 5, 2017, 4:31 p.m.

shitty WU as usual


akrasuski1, Feb. 6, 2017, 2:41 p.m.

Feel free to point out how this could be improved. Screenshots from Wireshark are probably redundant - everyone can open up the pcap himself and see the packets I'm talking about. Other than that, all the actions leading to the solution were explained in the writeup, I believe?