Logger

Name: Logger
Hint: A client reported that a PC might have been infected, as it's running slow. We've collected all the evidence from the suspect workstation, and found a suspicious trace of USB traffic. Can you identify the compromised data?
Base Points: Easy - Retired [0]
Rated Difficulty:
HTB-Bot
Creator: felamos

Download and unzip the file and check the hint:

Hint: A client reported that a PC might have been infected, as it's running slow. We've collected all the evidence from the suspect workstation, and found a suspicious trace of USB traffic. Can you identify the compromised data?

Files: keystrokes.pcapng

Open the PCAP Next Generation (pcapng) file in Wireshark. A USB keyboard reports key state on an interrupt IN endpoint, so we need a display filter that keeps only those packets. Transfer type 0x01 is URB_INTERRUPT; frame.len == 35 keeps the frames carrying an 8-byte HID boot-keyboard report (27-byte USBPcap pseudo-header plus 8 bytes of capdata, so the number would differ on a capture taken with a different header format); the last clause drops the all-zero reports a keyboard sends when every key has been released:

usb.transfer_type == 0x01 and frame.len == 35 and !(usb.capdata == 00:00:00:00:00:00:00:00)

Now export the filtered packets to a new pcapng file (here USB.pcapng) so we only deal with the data we need. We can use tshark to pull the usb.capdata field out of that file and write it to a text file. Newer tshark versions print the field as a bare hex string, so the sed expression re-inserts a colon before every byte except the first (GNU sed's g2 flag applies the substitution from the second match onward), which is the format the keyboard parser expects:

tshark -r USB.pcapng -T fields -e usb.capdata | sed 's/../:&/g2' > capdata.txt

Now we just need to map the raw HID usage IDs in each report to keystrokes. The ctf-usb-keyboard-parser Python script does this for us, so we clone that repo and run it against the new txt file, getting this output:


┌──(kali㉿kali)-[~/Desktop/HTB/Logger/ctf-usb-keyboard-parser]
└─$ python3 usbkeyboard.py ../capdata.txt                                      
⇪htb{⇪i_⇪c4n_533_⇪y⇪ou⇪r_⇪k3y2⇪} 


The "⇪" symbols are Caps Lock presses: the parser prints the toggle instead of applying it, so each ⇪ flips the case of the letters that follow (digits and punctuation are not affected). Applying the toggles by hand gives HTB{i_C4N_533_yOUr_K3Y2}.
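The same decoding can be done directly, applying Shift and Caps Lock as the keyboard would, so the flag comes out in the right case without the manual step. The following is an added example, not code from the write-up or from the ctf-usb-keyboard-parser project: it reads capdata lines in either the colon-separated form produced by the tshark/sed step above or as bare hex, treats each 8-byte report as a HID boot-keyboard report (modifier byte, reserved byte, six usage IDs), and emits a character only when a key appears that was not already held in the previous report. The sample capture at the bottom is constructed for the example and is not taken from keystrokes.pcapng; it reproduces the key sequence behind the flag, including the Caps Lock toggles.

```python
"""Decode USB HID boot-keyboard reports into typed text, tracking Shift and
toggling Caps Lock, so the flag comes out in the correct case directly.
Added example for the Logger write-up; not the challenge's or the parser repo's code."""
import sys
from typing import Iterable, List

# USB HID Usage Tables, Keyboard/Keypad page (0x07): usage ID -> (plain, shifted)
KEYMAP = {0x04 + i: (c, c.upper()) for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
KEYMAP.update({0x1E + i: pair for i, pair in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
KEY_BACKSPACE = 0x2A
KEY_CAPSLOCK = 0x39
SHIFT_MASK = 0x22  # report byte 0: left Shift (bit 1) | right Shift (bit 5)


def parse_report(line: str) -> bytes:
    """Accept '00:00:04:00:00:00:00:00' (tshark plus the sed step) or '0000040000000000'."""
    hexstr = line.strip().replace(":", "")
    if not hexstr:
        return b""
    data = bytes.fromhex(hexstr)
    if len(data) != 8:
        raise ValueError(f"expected an 8-byte boot keyboard report, got {len(data)} bytes: {line!r}")
    return data


def decode_reports(lines: Iterable[str]) -> str:
    """Turn a sequence of raw reports (including the all-zero release reports) into text."""
    out: List[str] = []
    caps = False
    prev: set = set()
    for line in lines:
        rep = parse_report(line)
        if not rep:
            continue
        shift = bool(rep[0] & SHIFT_MASK)
        # bytes 2..7 hold up to six usage IDs; 0x00 = empty, 0x01-0x03 = error codes
        keys = [k for k in rep[2:8] if k > 0x03]
        for k in keys:
            if k in prev:  # still held from the previous report, not a new press
                continue
            if k == KEY_CAPSLOCK:
                caps = not caps
            elif k == KEY_BACKSPACE:
                if out:
                    out.pop()
            elif k in KEYMAP:
                plain, shifted = KEYMAP[k]
                # Caps Lock only affects letters; Shift affects everything
                upper = (shift != caps) if plain.isalpha() else shift
                out.append(shifted if upper else plain)
            else:
                out.append(f"<{k:#04x}>")  # unmapped key (arrows, F-keys, ...): keep it visible
        prev = set(keys)
    return "".join(out)


def _constructed_capture() -> List[str]:
    """Constructed sample, not taken from keystrokes.pcapng: every press is one
    report followed by an all-zero release report, as a real keyboard emits."""
    S = 0x02  # left Shift modifier
    presses = [
        (0, 0x39), (0, 0x0B), (0, 0x17), (0, 0x05), (S, 0x2F),  # Caps, h t b {   -> HTB{
        (0, 0x39), (0, 0x0C), (S, 0x2D),                         # Caps, i _       -> i_
        (0, 0x39), (0, 0x06), (0, 0x21), (0, 0x11), (S, 0x2D),  # Caps, c 4 n _   -> C4N_
        (0, 0x22), (0, 0x20), (0, 0x20), (S, 0x2D),              # 5 3 3 _         -> 533_
        (0, 0x39), (0, 0x1C), (0, 0x39), (0, 0x12), (0, 0x18),  # Caps, y, Caps, o u -> yOU
        (0, 0x39), (0, 0x15), (S, 0x2D),                         # Caps, r _       -> r_
        (0, 0x39), (0, 0x0E), (0, 0x20), (0, 0x1C), (0, 0x1F),  # Caps, k 3 y 2   -> K3Y2
        (0, 0x39), (S, 0x30),                                    # Caps, }         -> }
    ]
    lines = []
    for mod, key in presses:
        lines.append(":".join(f"{b:02x}" for b in (mod, 0, key, 0, 0, 0, 0, 0)))
        lines.append("00:00:00:00:00:00:00:00")
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(decode_reports(f))
    else:
        print(decode_reports(_constructed_capture()))
```

Run it as `python3 decode_hid.py capdata.txt` (file name assumed). One caveat: the press-edge check relies on the all-zero release reports being present, so when feeding it a real capture drop the `!(usb.capdata == 00:00:00:00:00:00:00:00)` clause from the filter before exporting; with release reports removed, as in the pipeline above, two consecutive presses of the same key (the "33" in the flag) would look like one held key and the second character would be lost.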