Guild icon
Project Sekai
🔒 BYUCTF 2023 / ✅-rev-ducky3
Avatar
Sutx BOT 05/19/2023 2:24 PM
Ducky3 - 500 points
Category: Rev Description: Alright fine, I'll make my own keyboard layout... Files:Tags: Medium
05/19/2023 2:24 PM
Sutx pinned a message to this channel. 05/19/2023 2:24 PM
Avatar
Sutx BOT 05/19/2023 2:24 PM
@Legoclones wants to collaborate 🤝
Avatar
sahuang 05/19/2023 2:25 PM
lol decoder cant decode it now
Avatar
Sutx BOT 05/19/2023 3:47 PM
@snwo wants to collaborate 🤝
Avatar
snwo 05/19/2023 4:36 PM
um.. @sahuang can you tell me what's the difference of ducky3 and previous 1,2 ?
Avatar
sahuang 05/19/2023 4:37 PM
https://github.com/dagonis/Mallard
GitHub - dagonis/Mallard: Ducky Script Decoder and More!
Ducky Script Decoder and More! Contribute to dagonis/Mallard development by creating an account on GitHub.
Thumbnail
16:37
you can use this tool to decode
16:37
in challenge 1, you got flag directly
16:37
in challenge 2,
Image attachment
16:38
basically its some keyboard layout and you type in those command to recover flag
Avatar
snwo 05/19/2023 4:38 PM
i got it
Avatar
sahuang 05/19/2023 4:38 PM
in challenge 3, if you use this script, it shows "invalid opcode 101" or sth
16:38
because they use their own layout
16:39
so the tool doesnt seem to work
16:39
but you can decode something
Avatar
snwo 05/19/2023 4:39 PM
what mean something?
Avatar
sahuang 05/19/2023 4:39 PM
If i changed code to this, I got STRING ' lFW.F10hNF4j+PAUSE U{!TABL>CAPSLOCK3|INSERT&?ZF3 uISYSRQ\]aPAUSEcS*DELETEENDQF9tLEFTYef^XgT/y STRING F1<bHOMEGa9EPAGEDOWN$RV"eD e7% &CAPSLOCKl>.Cy%h/{F1%&/CAPSLOCK%W F4/&WF7>hNb%3WTAB&%PAUSECAPSLOCK ]M
Image attachment
16:40
the key_code may not be in map
Avatar
snwo 05/19/2023 4:40 PM
ok i try to analysis
Avatar
sahuang 05/19/2023 4:40 PM
https://github.com/JPaulMora/Duck-Decoder/blob/master/mapping.png
16:40
here's the mapping
16:40
i suspect the numbers are changed
Avatar
Avatar
sahuang
If i changed code to this, I got STRING ' lFW.F10hNF4j+PAUSE U{!TABL>CAPSLOCK3|INSERT&?ZF3 uISYSRQ\]aPAUSEcS*DELETEENDQF9tLEFTYef^XgT/y STRING F1<bHOMEGa9EPAGEDOWN$RV"eD e7% &CAPSLOCKl>.Cy%h/{F1%&/CAPSLOCK%W F4/&WF7>hNb%3WTAB&%PAUSECAPSLOCK ]M
sahuang 05/19/2023 4:41 PM
from here you can actually see some valid words like "STRING", "DELETEEND", "PAUSE", etc
16:41
so they changed partially
Avatar
snwo 05/19/2023 4:41 PM
it'll be right thanks
Avatar
snwo 05/19/2023 7:47 PM
Image attachment
19:47
hmm
19:47
the max value of file was 101
19:48
it could be a 104 key layout
Avatar
sahuang 05/19/2023 7:49 PM
could be
19:49
he has his own layout, but we need to decode first, and some strings are known
Avatar
sahuang 05/19/2023 8:01 PM
@snwo they added a new file 💀
20:02
https://cyberjousting.com/files/d7b221861c8072fffb7218fc3a576d74/payload.txt?token=eyJ1c2VyX2lkIjoyMjAsInRlYW1faWQiOjkxLCJmaWxlX2lkIjo5MH0.ZGg4Mw.8P4plE2bFN7uf4gejaQsANSiLJk
Avatar
Avatar
snwo
Click to see attachment 🖼️
sahuang 05/19/2023 8:08 PM
it's hak5 USB rubber Duck i think, not sure how they map to 104 keys, didnt quite understand the given new payload
Avatar
snwo 05/19/2023 8:20 PM
Oh
Avatar
snwo 05/19/2023 8:29 PM
and I guessed that valid words like PAUSE, DELETE also should be replaced to other letters
20:30
i think there should be a different letter in that spot
Avatar
sahuang 05/19/2023 8:33 PM
maybe payload.txt is some sort of layout
20:33
then we need to parse data our own and map
Avatar
Avatar
snwo
and I guessed that valid words like PAUSE, DELETE also should be replaced to other letters
sahuang 05/19/2023 11:12 PM
i now think maybe payload.txt -> encodes to inject.bin
23:12
sth like that
23:12
but i have no idea because it has no description or explanation lol
Avatar
snwo 05/19/2023 11:14 PM
STRING abcdefghijklmnopqrstuvwxyz STRING ABCDEFGHIJKLMNOPQRSTUVWXYZ STRING 0123456789 STRING !@#$%^&*()-_ idk why special char and numbers have different lengths
Avatar
sahuang 05/19/2023 11:14 PM
same
Avatar
snwo 05/19/2023 11:16 PM
abc -> ABC is shifted but 012~ -> !@# do not math
Avatar
sahuang 05/19/2023 11:24 PM
https://docs.hak5.org/hak5-usb-rubber-ducky/ducky-script-basics/hello-world
Hello, World!
23:24
search payload.txt
23:25
it could be some layout
23:25
not necessarily have to match one line by the next
Avatar
sahuang 05/19/2023 11:52 PM
but yeah im kinda sure the payload.txt is used to generate inject.bin, only problem is the layout
Avatar
snwo 05/19/2023 11:55 PM
um are they might be same contents ? payoad.txt, inject.bin
Avatar
sahuang 05/19/2023 11:55 PM
i think so
23:56
could be
Avatar
Sutx BOT 05/19/2023 11:56 PM
@4n0nym4u5 wants to collaborate 🤝
Avatar
snwo 05/19/2023 11:57 PM
oh he came to give the answer
Avatar
sahuang 05/19/2023 11:57 PM
hmm?
00:04
out.txt
3.13 KB
Avatar
4n0nym4u5 05/20/2023 12:04 AM
i came just to see here as well 😅
Avatar
sahuang 05/20/2023 12:04 AM
here's the parsed data
00:05
There's ONLY 0x02 and 0x00
00:08
key_codes and shifted codes prob changed
00:08
to their own layout
00:09
all 2 solved teams did 2 and 3 in 20 min so i assume its sth easy that we missed
Avatar
snwo 05/20/2023 12:10 AM
yes it should
00:11
STRING 'lFW.hNj+U{! TAB STRING L>3|&?ZuI\]acS* DEL STRING Qt LEFT STRING Yef^XgT/y<bGa9E$RV"eD e7%&l>.Cy%h/{%&/%W/&WF7>hNb%3W TAB STRING &%]M when using duck decoder, it paresed 5 string
Avatar
Avatar
sahuang
but yeah im kinda sure the payload.txt is used to generate inject.bin, only problem is the layout
Legoclones 05/20/2023 12:13 AM
correct
Avatar
Avatar
snwo
um are they might be same contents ? payoad.txt, inject.bin
Legoclones 05/20/2023 12:13 AM
correct
Avatar
sahuang 05/20/2023 12:14 AM
ok so 101 keycode is new line maybe, called 4 times
00:14
in total 58 different keycodes
00:19
@snwo there are 26 lines between first 101 and second 101
Avatar
snwo 05/20/2023 12:19 AM
could be match one by one ?
00:19
oh yes
Avatar
sahuang 05/20/2023 12:19 AM
but only 45 for second and third
00:19
so idk why
00:19
A-Z is 45
00:21
also consider there are 4 101's
00:23
modifier 0x02 is caps
00:23
keyboard layout is changed but 0x02 wont
Avatar
snwo 05/20/2023 12:28 AM
hm, if they are same contents, why cap enabled
00:29
has the layout mixed upper / lower case ?
Avatar
sahuang 05/20/2023 12:29 AM
could be
00:29
the modifier is not changed
00:29
so 0x00 no modifier 0x02 has caps (edited)
00:30
#define KEY_MOD_LSHIFT 0x02
Avatar
sahuang 05/20/2023 12:39 AM
however first 26 lines dont match a-z so idk
Avatar
snwo 05/20/2023 12:39 AM
and the unique letter length does not match to payload
Avatar
sahuang 05/20/2023 12:39 AM
key_code: 15 on L3 and L19, L3 is 0x00 and L19 is 0x02
00:40
yeah a bit confused
Avatar
snwo 05/20/2023 12:40 AM
short than payload.txt (edited)
Avatar
sahuang 05/20/2023 12:43 AM
have you tried use official tool to encode payload.txt
Avatar
snwo 05/20/2023 12:43 AM
Image attachment
Avatar
sahuang 05/20/2023 12:43 AM
oh
00:43
this is encoded from official tool?
00:43
and use US default layout
Avatar
snwo 05/20/2023 12:44 AM
got code on some github
00:45
Image attachment
00:45
Image attachment
00:46
used us format
Avatar
sahuang 05/20/2023 12:46 AM
ic
00:48
yeah
00:48
i got the same
00:48
so
00:48
it doesnt have the "print string" in payload
00:53
there's supposed to be 74 lines but got 115 for chal file
00:53
weird
00:55
oh maybe rest lines are flag?
00:55
key_code: 57 modifier: 0x0 is u
00:56
Image attachment
00:57
close?
Avatar
snwo 05/20/2023 12:57 AM
oh it might be
00:57
duplicated code could be part of flag ?
Avatar
sahuang 05/20/2023 12:59 AM
second part doesnt match for some reason
01:00
if i replace first 26 lines by a-z
01:00
then its supposed to be A-Z but
01:00
v w x y z key_code: 29 modifier: 0x2 key_code: 60 modifier: 0x0 b
01:00
the b is there
Avatar
Avatar
sahuang
used /ctf solve
Sutx BOT 05/20/2023 1:05 AM
✅ Challenge solved.
Avatar
sahuang 05/20/2023 1:05 AM
nice
Avatar
snwo 05/20/2023 1:05 AM
/?XCzuctfX1Xh0p3Xz0uXenj0zed?thi5XverzXJuCHX%
01:05
wait
Avatar
sahuang 05/20/2023 1:05 AM
substitute + guess
Avatar
snwo 05/20/2023 1:06 AM
*()-_CzuctfX1_h0p3_z0u_enj0zed-thi5_verz_JuCHX
01:06
i found some
Avatar
sahuang 05/20/2023 1:06 AM
first 26 lines a-z line 53-62 use 012...9 line 63-... use !....-_
01:06
then you get partial flag
01:06
and guess the rest
01:06
byuctf{1_h0p3_y0u_enj0yed-thi5_very_much}
Avatar
snwo 05/20/2023 1:06 AM
byuctf{1_h0p3_y0u_enj0yed-thi5_very_much}
01:06
oh
Avatar
sahuang 05/20/2023 1:07 AM
yeah
01:07
some guessing lol
Avatar
snwo 05/20/2023 1:07 AM
it use same layout as ducky2
Avatar
sahuang 05/20/2023 1:07 AM
layout is in payload.txt i think
01:08
but yeah anyway gg
01:08
gonna sleep, gl on last rev
Avatar
snwo 05/20/2023 1:08 AM
whoa
Avatar
Legoclones 05/20/2023 1:23 AM
yayy!!
01:23
Nice solve
01:23
Was guessing needed?
Avatar
sahuang 05/20/2023 1:23 AM
yeah a bit
Avatar
Legoclones 05/20/2023 1:23 AM
ohh 😦 I included all characters, numbers, and symbols so you
01:24
*you'd have a base reference for each char
01:24
then you just match up the last opcodes with what you got from original strings
Avatar
sahuang 05/20/2023 1:25 AM
yeah not too guessy compared with last few forensics/steg
Avatar
Legoclones 05/20/2023 1:25 AM
okay cool
01:25
q10/paleontology are hard and seems kinda guessy to me too, but you can't always win \o/
01:26
crconfusion doesn't seem guessy to me, but I also made the challenge so maybe chall author bias
Avatar
sahuang 05/20/2023 1:26 AM
yeah i had feeling crc might be easier than other 2
Avatar
Legoclones 05/20/2023 1:28 AM
q10 is harder to figure out what to do, paleontology is just so deep
Avatar
sahuang 05/20/2023 1:28 AM
ye
01:28
figured
Exported 152 message(s)