CISCN 2022 Preliminary Round: ez_usb


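Preface

During the national competition I had hardly touched MISC, so I couldn't get the last step of this challenge done, which really hurt. Today I went back over it.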

Analyze

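The challenge attachment is a packet capture. It contains USB traffic for the addresses 2.4.0, 2.3.0, 2.2.0, 2.10.0, 2.8.1 and 2.8.0. We can filter these out one at a time, save each with Export Specified Packets, and use UsbKeyboardDataHacker to extract the information from them. In the end, 2.10.1 and 2.8.1 turn out to hold the useful data.

Here is the extraction process for 2.8.1: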

# usb.src=="2.8.1"||usb.dst=="2.8.1"
31	0.010805	2.8.1	host	USB	35	URB_INTERRUPT in
32	0.010818	host	2.8.1	USB	27	URB_INTERRUPT in
33	0.110764	2.8.1	host	USB	35	URB_INTERRUPT in
34	0.110777	host	2.8.1	USB	27	URB_INTERRUPT in
35	0.166768	2.8.1	host	USB	35	URB_INTERRUPT in
36	0.166785	host	2.8.1	USB	27	URB_INTERRUPT in
37	0.174769	2.8.1	host	USB	35	URB_INTERRUPT in
38	0.174786	host	2.8.1	USB	27	URB_INTERRUPT in
39	0.278798	2.8.1	host	USB	35	URB_INTERRUPT in
40	0.278807	host	2.8.1	USB	27	URB_INTERRUPT in
41	4.810816	2.8.1	host	USB	35	URB_INTERRUPT in
42	4.810918	host	2.8.1	USB	27	URB_INTERRUPT in
43	4.930792	2.8.1	host	USB	35	URB_INTERRUPT in
44	4.930859	host	2.8.1	USB	27	URB_INTERRUPT in
45	5.035138	2.8.1	host	USB	35	URB_INTERRUPT in
46	5.035258	host	2.8.1	USB	27	URB_INTERRUPT in
47	5.145153	2.8.1	host	USB	35	URB_INTERRUPT in
48	5.145319	host	2.8.1	USB	27	URB_INTERRUPT in
49	5.237095	2.8.1	host	USB	35	URB_INTERRUPT in
50	5.237229	host	2.8.1	USB	27	URB_INTERRUPT in
51	5.340767	2.8.1	host	USB	35	URB_INTERRUPT in
52	5.340861	host	2.8.1	USB	27	URB_INTERRUPT in
53	5.830805	2.8.1	host	USB	35	URB_INTERRUPT in

[22:35:44] m1sceden4:UsbKeyboardDataHacker git:(master) $ python3 UsbKeyboardDataHacker.py /mnt/c/Users/M1sceden4/Desktop/ez_usb_aa5a121ba13f7e82d2df13af34ac3123/2.8.1.pcapng
[-] Unknow Key : 04
[-] Unknow Key : 04
[-] Unknow Key : 01
[-] Unknow Key : 01
[+] Found :     526172211a0700<CAP>c<CAP>f907300000d00000000000000c4527424943500300000002<CAP>a000000<CAP>02b9f9b0530778b5541d33080020000000666c61672<CAP>e<CAP>747874<CAP>b9b<CAP>a013242f3a<CAP>fc<CAP>000b092c229d6e994167c05<CAP>a7<CAP>8708b271f<CAP>fc<CAP>042ae3d251e65536<CAP>f9a<CAP>da87c77406b67d0<CAP>e6316684766<CAP>a86e844d<CAP>c81aa2<CAP>c72c71348d10c4<CAP>c<DEL>3d7b<CAP>00400700

The data extracted from 2.10.1 is as follows:

[22:36:11] m1sceden4:UsbKeyboardDataHacker git:(master) $ python3 UsbKeyboardDataHacker.py /mnt/c/Users/M1sceden4/Desktop/ez_usb_aa5a121ba13f7e82d2df13af34ac3123/2.10.1.pcapng
[+] Found : 35c535765e50074a

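As you can see, a string of data was extracted. It starts with 5261.., so it is probably a RAR archive. Remove the <CAP> and <DEL> markers, then take the remaining data into 010 Editor or WinHex to build a RAR file (if the resulting RAR reports an error, try WinRAR's repair function). The archive turns out to be password protected, and it is not pseudo-encryption; the password is the string extracted from 2.10.1.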
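The cleanup step above can be scripted instead of done by hand in a hex editor. The following is an added example, not code from the original post or from UsbKeyboardDataHacker. It goes slightly beyond the text by applying `<DEL>` as a backspace, on the assumption that the tool's `<DEL>` label stands for HID usage 0x2a (Backspace). The function names and the sample string are constructed for illustration.

```python
import re

RAR4_MAGIC = bytes.fromhex("526172211a0700")  # RAR 4.x signature: Rar! 1a 07 00
TOKEN = re.compile(r"<([A-Z]+)>")

# Constructed sample in the shape of the tool's "[+] Found" line (not the real capture).
SAMPLE = "526172211a0700<CAP>c<CAP>f9073<CAP>c<DEL>3d7b<CAP>00400700"


def clean_keystrokes(found, apply_backspace=True):
    """Reduce a '[+] Found' string to bare lowercase hex digits."""
    found = found.strip()
    out, pos = [], 0
    for m in TOKEN.finditer(found):
        out.extend(found[pos:m.start()])
        pos = m.end()
        name = m.group(1)
        if name == "CAP":
            continue  # Caps Lock only changes letter case, irrelevant for hex
        if name == "DEL":
            # Assumption: <DEL> is Backspace, so it erases the previous character.
            if apply_backspace and out:
                out.pop()
            continue
        raise ValueError(f"unhandled key token <{name}>")
    out.extend(found[pos:])
    text = "".join(out).lower()
    if re.fullmatch(r"[0-9a-f]*", text) is None:
        raise ValueError("non-hex characters left after cleanup")
    return text


def to_rar_bytes(hex_text):
    """Decode the hex and check that it looks like a RAR 4.x archive."""
    if len(hex_text) % 2:
        raise ValueError("odd number of hex digits: a keystroke is missing or extra")
    data = bytes.fromhex(hex_text)
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("data does not start with the RAR 4.x signature")
    return data


if __name__ == "__main__":
    archive = to_rar_bytes(clean_keystrokes(SAMPLE))
    print(len(archive), "bytes, signature ok")
```

With `apply_backspace=False` the markers are only stripped, as in the manual procedure; on the constructed sample that leaves an odd number of hex digits, which `to_rar_bytes` rejects.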

Decrypting it gives the flag.

Anyway, I'm just too much of a noob, what am I supposed to do qwq