Break The Syntax

Monkey See

Category: Forensic

TL;DR

We're given a USB Pcapng that 30k+ Packets. A couple of them contains details that the device is a keyboard

Solution

First we extract the leftover capture data from the packets using this command below

tshark -r monkey-see.pcapng -Y "usb" -T fields -e usb.capdata > output.txt

And the output will contains all leftover capture data like below.

Leftover Capture Data

010000150000000000
010000080000000000
010000160000000000
0100000c0000000000
010000110000000000
0100000e0000000000
0100002c0000000000
010000170000000000
010000150000000000
010000040000000000
010000110000000000
010000160000000000
010000190000000000
010000080000000000
010000150000000000
010000160000000000
010000120000000000
010000100000000000
010000080000000000
010000070000000000
0100000c0000000000
010000040000000000
0100000f0000000000
0100002c0000000000
010000160000000000
...
0100000c0000000000
010000080000000000
010000070000000000
010000110000000000
010000080000000000
010000160000000000
010000160000000000
0100002c0000000000
010000120000000000
010000180000000000
010000170000000000
010000070000000000
010000150000000000
010000040000000000
010000090000000000
010000170000000000
0100002c0000000000
010000160000000000
010000140000000000
010000180000000000
010000040000000000
010000110000000000
010000070000000000
010000080000000000
010000150000000000
010000100000000000
010000040000000000
010000110000000000
0100000c0000000000
010000040000000000

The next step is to make a solver that parse the capture data

solver.py

import sys

# Basic HID keycode → (unshifted, shifted) map for a US keyboard
HID_KEYCODE = {
    4: ("a", "A"),
    5: ("b", "B"),
    6: ("c", "C"),
    7: ("d", "D"),
    8: ("e", "E"),
    9: ("f", "F"),
    10: ("g", "G"),
    11: ("h", "H"),
    12: ("i", "I"),
    13: ("j", "J"),
    14: ("k", "K"),
    15: ("l", "L"),
    16: ("m", "M"),
    17: ("n", "N"),
    18: ("o", "O"),
    19: ("p", "P"),
    20: ("q", "Q"),
    21: ("r", "R"),
    22: ("s", "S"),
    23: ("t", "T"),
    24: ("u", "U"),
    25: ("v", "V"),
    26: ("w", "W"),
    27: ("x", "X"),
    28: ("y", "Y"),
    29: ("z", "Z"),
    30: ("1", "!"),
    31: ("2", "@"),
    32: ("3", "#"),
    33: ("4", "$"),
    34: ("5", "%"),
    35: ("6", "^"),
    36: ("7", "&"),
    37: ("8", "*"),
    38: ("9", "("),
    39: ("0", ")"),
    40: ("\n", "\n"),
    44: (" ", " "),
    45: ("-", "_"),
    46: ("=", "+"),
    47: ("[", "{"),
    48: ("]", "}"),
    49: ("\\", "|"),
    51: (";", ":"),
    52: ("'", '"'),
    53: ("`", "~"),
    54: (",", "<"),
    55: (".", ">"),
    56: ("/", "?"),
    0: ("", ""),  # no key
}

BACKSPACE = 0x2A
DELETE = 0x4C


def decode_line(hex_str):
    # Convert hex string to bytes
    b = bytes.fromhex(hex_str.strip())
    # If there's a report-ID byte (9-byte report), drop it:
    if len(b) > 8:
        b = b[1:]
    if len(b) < 8:
        return ""
    modifier = b[0]
    # USB HID reserves byte1, and bytes[2:8] are up to 6 keycodes
    keycodes = b[2:]
    out = []
    for kc in keycodes:
        if kc == 0:
            continue
        # Backspace/Delete
        if kc == BACKSPACE or kc == DELETE:
            out.append("\b")
            continue
        unsh, sh = HID_KEYCODE.get(kc, ("", ""))
        # shift mask: left=0x02, right=0x20
        if modifier & (0x02 | 0x20):
            out.append(sh or unsh.upper())
        else:
            out.append(unsh)
    return "".join(out)


def main():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <raw_hid_file>", file=sys.stderr)
        sys.exit(1)

    buf = []
    for line in open(sys.argv[1]):
        decoded = decode_line(line)
        for ch in decoded:
            if ch == "\b" and buf:
                buf.pop()
            else:
                buf.append(ch)
    print("".join(buf), end="")


if __name__ == "__main__":
    main()

And the output will be like below

solver output

resink transversomedial pharyngopathy postmineral myelosyphilis silverer evincement phrygium punnigram imminution environmental sleepify nope wauken indignance knotwort apocodeine escortee dogwatch eaglewood unbrotherliness mulse dermobranchiata typhic poststertorous indevout anatomicopathologic unimpenetrable hoggy urrhodin Dioecia unchapter nonumbilicate zwitterionic apportionable ferulic statefulness pharyngotonsillitis Mimulus recce mutinously reboant skibidi toilet chromatophilic lauder nirles esthesiometer semisocial unbeing kangaroo takosis inconvertibility anesthetist rumorproof thoracoscopy euphorbium bizet song dolichocephali platemaker vesicupapular electroforming dilatingly meethelp loincloth avowably counterindicate treacliness Epigonus airmark polarography precomposition lemography Apinage Taal logology probeer randomization poditic individualize castigate Biloculina overscrub koolah weetless erased layery discontinuee anaphylatoxin unwounded personalism howitzer hexahydroxy koku reamer tonguiness microgametocyte baba ludefisk novelwright swinehull Odonata indefinable faineance nidologist supracargo beriberic betso archheart snary Viminal Pygopodidae acetylenediurein asphalt preimpress fountainlet bejel unpictorially heliophyte chimopeelagic warison antivaccinist overtwine preremove nerval bufonite eradicator turtling winrace psychographic impalpably amygdalase Octogynia brimming grist casave brazilein afluking meliceris portative unsteck Madelon barramunda optotechnics metapterygium unromanticalness Jacobinism pricklingly blameless elderhood committeewoman comicocynical aggrate stentoronic flatwise bipyridyl untastable aegerian unmistrusted quadrigamist Meleagrinae helvite neuralist Swietenia unpleadable colorably mogilalism consequently atamasco inhospitality noncarnivorous counterruin gryposis ringe displeasedly incenter gallycrow whincow repudiationist unagile chaplain bekerchief subproduct pointingly Physonectae bumpingly hateful endogenous facticide velours carmoisin reaccomplish protistic recuperance tech withywind Galen Slavistic escropulo deglutination hydramnios Amphion beguilement glottiscope propagation entrancement disbelief goatlike Tanyoan thecium deforciant coachwhip enviableness duroquinone smirchy whisky forcing homosystemic underact autosyndesis sybaritism scorching testiere nonporphyritic cephalhematoma oxyquinoline azo scrimshorn unreeling burnt kilocycle lactenin Decimus patter jetbead Pygidium bitterroot thoke septated trinodal qualitied gotten unclassable Akhissar wholewise curse organophyly teleseme heptitol whitehass asclepiadeous labionasal presumptuous triketo thrombolymphangitis spokeswomanship unprejudicial ungoverned nonrectangular pleocrystalline slurbow unhandsome scoliotic phreatophyte criminalistics imitability zygozoospore nonliability disafforestation epigenetic Aves schistaceous verbomania epitenon proscriber histology propulsion elaidinic driftless upcover duteous distasteful dermatoxerasia Kaibartha spydom tonsor paedogenesis anticipatory unastonished Blackbeard gradient metachemistry caravan circumnutate infract adenia louse koel tributyrin lifey Desmidiaceae vinelet ingrowth uniovulate toying nonretentive conjunct pinnaglobin vastity appendicle redecline trekker hereby dicatalexis slackerism inaxon tribase cryptostome nonpresbyter breezily opusculum methought yarl fringent forsooth plicater balneotherapeutics uredosporic perceptive embouchure heterolysis imperence perfervidness pobs thorax perikronion charlatanic Bonapartism whilom outferret kelty macrospore predisposedly squawk extrafoliaceous inveteracy obtect decoyer Pelecaniformes dodecane gambet electrodynamism henter sunless burroweed busket trepidatory fermerer prewound thrifty twibil amateur myasthenia goave toolmark ornithon geminately unrhymed Serridentines presbyopia unoperably preventer salten grimily conduplicated theomania gyromagnetic antimycotic malacanthid sensationistic vibraculoid eater zig bordello hounding outweary hoyle nonrendition potlike surflike rubification dulcifluous Saturnalian unconfidence Apneumona hedgy subharmonic undisputed monotypic pontifex Phalarism precursive uncock echinoderm antu rollick natricine presuperintendence pinnaclet precondemnation Atheriogaea volumescope Austrophilism stinking wildness noncoloring spaying somniloquy xi hierogrammatical winer ironback tarnside lampers handcraft glossophagine philophilosophos nonconcludent overaccumulate disbutton kinetomer thermostimulation stenogastric ovoviviparously recept firetop roughroot Muncerian prefiction Ovinae reactivity oncin pointer absolve unaccommodatingly telson ayelp rebegin unhomely Octavian scope Pentelic revocability juvenal spinobulbar erinaceous hield anaglyph strongylid strangling kala fibroplastic adactyl Pauline undispellable Frederick amylopsin informative Sisseton roominess unsurpassableness painstaker saturator BtSCTF{m0nk3y_tYpE!!1!!oneone!} foliature unfructuously gold fractionally sparkless conceptional kettledrummer inventory knoxvillite indeformable Honduran beennut unelementary epicranial Anopla Anselm strabismical declarative agricultural abdominous Hansardization profanely untwisted tipstaff prederivation scrollwise unrefusingly soulfulness spyfault raiseman beroll oscheoplasty Lentibulariaceae onagraceous Nora eellike semiupright Tatary ninut baseball unifoliolate nextly shamefacedly unharbor omphaloncus sweatband premake hook fitchee sendable xyloid Lin preindication alpine planarioid mastlike servitude patterny goffering unfrightened genderer cafeneh forthwith intermenstruum bluggy buzylene faceteness Placophora mispleading sniffly dredge neurocity terminable trest stythe pitchometer breaker glossarize macrosymbiont perisphere torse garter ring bedstring hawserwise pyrocellulose soho silklike ateleological kinematic nectariferous freezer Byronic congressionist dandruffy Balkar tonsillectome crooningly hypodorian interregnum mystificatory flanched nonimmigrant ophthalmomalacia unhero meningocortical apologizer Jatulian nystagmus bailer worldling preadjunct deprivative babblishly ganglioid themeless gastrohelcosis housewifeliness psychoanalyzer pyelolithotomy ethmoid cyclomania cyathium fiduciary upher ethnize hexastemonous echinodermic sigillarian grubbiness overeducate flyflap tart statometer sixpence Capernaitish Delsartean celery astragalus overjoyful synactic unexceptionably Orobanche driblet rampire Mil wellington unepic pondage octocentenary Ansel unmackly nonfermentative silk angiolith sparrer frigorify preofficially bridle princeps pentathionic doltishness trunkless Idiosepiidae autohypnotization lingenberry nonsetting prescapula proagrarian nonlover bumbaste aischrolatreia tupanship proctoclysis basilweed counternoise interparietale Saccobranchiata tonga iceland mandelic monkeyish fanon sled taxine rattlingly monolithic oxbiter scelerat primitivism grapnel recreative plumbum enthusiastical stomachlessness busher uninsured unobjective collyrium aspheterism mantology monk troolie ghaist unplebeian fusible unjagged lazaret childlike Sid dihydroxy extractible hammy impetition rissel principalness parsonage yogoite extratension bombastic reblow Phajus merchantableness Dyophysitism attainability mycomycete unequated exalate rerun pneumonic supersympathy commenceable borele telemetric muskellunge eutropic Actaeon consentiently deferment microdrawing behammer Acacian guanaco unkillable eave empyrean nondivergent dubitatingly existentially pelvisternum Siva Birkenhead sneeshing Inodes worriedness outdraft squandermania%

Flag: BtSCTF{m0nk3y_tYpE!!1!!oneone!}