Writeup Cyber Threat Force : Usb key cemetery
Note: I did not solve this challenge during the CTF, but my teammate Volker did.
For this challenge, we were given a zip containing an encoded syslog (sysloc.enc) and an auth.json file.
The goal of the challenge is to find the serial number of the rubber ducky which was connected to the machine for which we have the syslog.
The file doesn't look like any well-known format, so we can assume (quite safely) that the encryption is a simple XOR. We'll use Didier Stevens's known-plaintext XOR tool.
A good candidate for the plaintext is Linux 5.10.0-kali8-amd64 xhci-hcd, which will surely appear.
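As an added illustration (not the author's code and not Didier Stevens's tool), here is the known-plaintext XOR key recovery the writeup relies on: slide the known string over the ciphertext, and at the right offset the XOR of the two is the key stream, which repeats with the key length. The syslog fragment, the demo key s3cr3t and the helper names are constructed assumptions; the real challenge key is not known to us.

```python
import re
from itertools import cycle
from typing import List, Optional, Tuple

# Constructed sample syslog; the root-hub line carries the known plaintext.
SAMPLE_LOG = (
    b"Apr 12 20:21:23 kali kernel: [    0.912345] usb usb1: Manufacturer: Linux 5.10.0-kali8-amd64 xhci-hcd\n"
    b"Apr 12 20:21:25 kali kernel: [    1.830063] usb 1-2: Product: Fake_KeyBoard\n"
    b"Apr 12 20:21:25 kali kernel: [    1.830064] usb 1-2: Manufacturer: APT43.\n"
    b"Apr 12 20:21:25 kali kernel: [    1.830065] usb 1-2: SerialNumber: 854be9ee57ef47ce74e73904998d61c8846e9239\n"
)
KNOWN = b"Linux 5.10.0-kali8-amd64 xhci-hcd"
DEMO_KEY = b"s3cr3t"  # constructed key, only used to build the demo ciphertext


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (encrypts and decrypts alike)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def smallest_period(stream: bytes) -> Optional[int]:
    """Smallest p such that stream repeats every p bytes (needs >= 2 repetitions)."""
    for p in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None


def recover_keys(ciphertext: bytes, known: bytes) -> List[Tuple[int, bytes]]:
    """Try every offset; keep those where ciphertext XOR known is periodic.
    The returned key is rotated so that it aligns with byte 0 of the file."""
    hits = []
    for off in range(len(ciphertext) - len(known) + 1):
        stream = xor_bytes(ciphertext[off:off + len(known)], known)
        p = smallest_period(stream)
        if p is not None:
            hits.append((off, bytes(stream[(i - off) % p] for i in range(p))))
    return hits


def extract_serial(log: bytes) -> Optional[str]:
    m = re.search(rb"SerialNumber: (\w+)", log)
    return m.group(1).decode() if m else None


def solve(ciphertext: bytes, known: bytes = KNOWN) -> Tuple[bytes, Optional[str]]:
    hits = recover_keys(ciphertext, known)
    if not hits:
        raise ValueError("known plaintext not found, or key longer than half of it")
    _, key = min(hits, key=lambda h: len(h[1]))  # shortest key explains the data best
    return key, extract_serial(xor_bytes(ciphertext, key))
```

The known plaintext must be at least twice as long as the key, otherwise the key stream never repeats inside the window and no offset is accepted.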
That seems like a valid syslog! After looking for a short while, we find:
Apr 12 20:21:25 kali kernel: [ 1.830063] usb 1-2: Product: Fake_KeyBoard
Apr 12 20:21:25 kali kernel: [ 1.830064] usb 1-2: Manufacturer: APT43.
Apr 12 20:21:25 kali kernel: [ 1.830065] usb 1-2: SerialNumber: 854be9ee57ef47ce74e73904998d61c8846e9239
The flag is CYBERTF{854be9ee57ef47ce74e73904998d61c8846e9239}.
You can view the sources on github or read other writeups.