Wargames.my 2017 - Chal11 - Ysoserial

November 20, 2017

We were given a pcap file containing USB storage and keyboard traffic.

We extract the keyboard data and map each key code to its key with this Python script, which I made for a different CTF before:

mappings = {
        "04":"a",
        "05":"b",
        "06":"c",
        "07":"d",
        "08":"e",
        "09":"f",
        "0a":"g",
        "0b":"h",
        "0c":"i",
        "0d":"j",
        "0e":"k",
        "0f":"l",
        "10":"m",
        "11":"n",
        "12":"o",
        "13":"p",
        "14":"q",
        "15":"r",
        "16":"s",
        "17":"t",
        "18":"u",
        "19":"v",
        "1a":"w",
        "1b":"x",
        "1c":"y",
        "1d":"z",
        "1e":"1",
        "1f":"2",
        "20":"3",
        "21":"4",
        "22":"5",
        "23":"6",
        "24":"7",
        "25":"8",
        "26":"9",
        "27":"0",
        "28":"\n",
        "2c":" ",
        "2d":"-",
        "2e":"=",
        "2f":"[",
        "30":"]",
        "34":"'",
        "37":".",
        "38":"/",
        "58":"\n",
        "33":";"
}

shiftmap = {
        "04":"A",
        "05":"B",
        "06":"C",
        "07":"D",
        "08":"E",
        "09":"F",
        "0a":"G",
        "0b":"H",
        "0c":"I",
        "0d":"J",
        "0e":"K",
        "0f":"L",
        "10":"M",
        "11":"N",
        "12":"O",
        "13":"P",
        "14":"Q",
        "15":"R",
        "16":"S",
        "17":"T",
        "18":"U",
        "19":"V",
        "1a":"W",
        "1b":"X",
        "1c":"Y",
        "1d":"Z",
        "1e":"!",
        "1f":"@",
        "20":"#",
        "21":"$",
        "22":"%",
        "23":"^",
        "24":"&",
        "25":"*",
        "26":"(",
        "27":")",
        "28":"\n",
        "2c":" ",
        "2d":"_",
        "2e":"+",
        "2f":"{",
        "30":"}",
        "34":"\"",
        "37":">",
        "38":"?",
        "33":":"
}

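# Rebuild the typed text. Each input line is one 8-byte HID report in hex:
# characters 0-1 hold the modifier byte, characters 4-5 the first key code.
output = []
current_index = 0       # cursor position within the output
keys = open('ysoserial.txt')
for line in keys:
        code = line[4:6]
        if code == "00":
                # no key pressed (release report)
                continue
        else:
                shift = line[0:2]
                if shift == "02":
                        # left Shift held
                        if code in shiftmap:
                                output.insert(current_index,shiftmap[code])
                                current_index += 1
                        else:
                                output.insert(current_index,'['+code+']')
                                current_index += 1
                else:
                        if code in mappings:
                                output.insert(current_index,mappings[code])
                                current_index += 1
                        elif code == "4f":
                                # right arrow: cursor cannot move past the end
                                current_index = min(current_index + 1, len(output))
                        elif code == "50":
                                # left arrow: cursor cannot move before the start
                                current_index = max(current_index - 1, 0)
                        elif code == "2a":
                                # backspace: nothing to delete at position 0
                                if current_index > 0:
                                        current_index -= 1
                                        del output[current_index]
                        else:
                                # unmapped key: keep its code visible
                                output.insert(current_index,'['+code+']')
                                current_index += 1
keys.close()

print("".join(output))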

Output of that script:

[[email protected] wgmy2017]$ python2 ysoserial.py
Is this the real life? Is this just fantasy?
snot-flag.txt
python dec.py S3Cre7 QkgSYmQPXMEV0zPQXwsK3SszYgG=

cd secret[31]
dir
copy not-flag.txt g:[31]
[52]
copy dec.py g:[31]
[]
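The script above reads only the first key slot of each report and treats only a modifier byte of exactly 02 as Shift. The following Python 3 decoder is an added example, not the author's script, and goes further: it checks both Shift bits and reads all six key slots, emitting only keys that were not already held in the previous report. The sample reports are constructed, and the entries for usage IDs 0x31 and 0x36 come from the HID usage tables rather than from the tables on this page.

```python
SHIFT_MASK = 0x02 | 0x20  # modifier byte: left Shift | right Shift

def build_keymap():
    """Return {usage_id: (plain, shifted)} for a US layout."""
    keymap = {0x04 + i: (chr(97 + i), chr(65 + i)) for i in range(26)}
    for i, pair in enumerate(zip("1234567890", "!@#$%^&*()")):
        keymap[0x1e + i] = pair
    # 0x31 and 0x36 are not in the page's tables (HID usage table values).
    extra = {0x28: "\n\n", 0x58: "\n\n", 0x2c: "  ", 0x2d: "-_", 0x2e: "=+",
             0x2f: "[{", 0x30: "]}", 0x31: "\\|", 0x33: ";:", 0x34: "'\"",
             0x36: ",<", 0x37: ".>", 0x38: "/?"}
    keymap.update({k: (v[0], v[1]) for k, v in extra.items()})
    return keymap

KEYMAP = build_keymap()

def decode_reports(lines):
    """Decode hex report lines (colons optional) into the typed text."""
    out, cursor, prev = [], 0, set()
    for line in lines:
        raw = bytes.fromhex(line.strip().replace(":", ""))
        if len(raw) != 8:
            continue  # not an 8-byte boot-keyboard report
        shifted = bool(raw[0] & SHIFT_MASK)
        keys = [k for k in raw[2:8] if k > 0x03]  # 0x00-0x03: empty/error
        for key in keys:
            if key in prev:
                continue  # still held from the previous report
            if key == 0x2a:  # Backspace
                if cursor > 0:
                    cursor -= 1
                    del out[cursor]
            elif key == 0x50:  # Left arrow
                cursor = max(cursor - 1, 0)
            elif key == 0x4f:  # Right arrow
                cursor = min(cursor + 1, len(out))
            else:
                plain, shift = KEYMAP.get(key, ("[%02x]" % key,) * 2)
                out.insert(cursor, shift if shifted else plain)
                cursor += 1
        prev = set(keys)
    return "".join(out)

# Constructed sample: right Shift+h, Shift released with h held, i added
# (rollover), release, backslash, Backspace, release, left Shift+1.
SAMPLE = ["20000b0000000000", "00000b0000000000", "00000b0c00000000",
          "0000000000000000", "0000310000000000", "00:00:2a:00:00:00:00:00",
          "0000000000000000", "02001e0000000000"]
print(decode_reports(SAMPLE))
```
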

I tried decoding the base64 string directly but only got rubbish output. We need dec.py to decode the string.

From the decoded keyboard packets, it seems like this guy is transferring dec.py to the G: drive, possibly a USB storage device. Let's see if we can find the script in the pcap.

A-ha!

[[email protected] wgmy2017]$ python2 dec.py S3Cre7 QkgSYmQPXMEV0zPQXwsK3SszYgG=
[+] Plain: UniVers4l_53r1al_bu5

Flag is: UniVers4l_53r1al_bu5