All right. Hello, everybody. Welcome back to the picoCTF video. My name is John Hammond, and we're looking at this challenge for 80 points in the forensics category on level two, "Just Keep Trying". So it says, "Here's an interesting capture of some data, but what exactly is this data? Take a look. data.pcap." We can go ahead and get the link address. Let's make a new directory for this challenge called just keep trying, and let's wget that. Cool. This is another pcap file. That means we can open it up in Wireshark; that's a packet capture, except, interestingly enough, these don't look like normal web or other networking traffic conversations. This looks like USB is the protocol here, and there are a lot of these, I guess, okay, 66 packets, and there's nothing particularly readable in them, but it says they're all URB_INTERRUPT in, from some source, whatever, 2.1.1, and the host is the destination, but there's some kind of data going through this. Apparently, okay, it's USB data. We can check out these frames here, but there's not much that changes other than, oh, sorry, a couple of the frames and the "leftover data" it says here. Huh, okay. So let's check out what the hint says. What is this? What is it that we're actually looking at right here? Hints: find out what kind of packets these are, okay? It looks like they're, yeah, what does the Info column say in Wireshark? These are USB packets, right? What changes between packets? What does that data look like? Well, the leftover data changes just a little bit. It looks like every other one is filled with zeros, but every other one that's not that other one has actual data in there, okay? Like some number, or some, it looks like hex, yeah, that's obviously hex, we saw 0F and stuff. So take a look at this, okay? Some link here, a PDF document, we can go to that. Universal Serial Bus HID Usage Tables.
So HID, reading this a little bit more, HID stands for Human Interface Device. Scrolling through this table of contents here and the introduction, it says, okay, yeah, this is the device class definition for Human Interface Devices, okay? And those are like anything that you use to interact with, like you as a person interact with, like a mouse or a keyboard or a joystick, and LED stuff, et cetera, et cetera. It looks like there's a lot of documentation on this in this PDF file. So let's go ahead and save this. Let's put it in just keep trying. Call it like documentation, cool. And I want to open that up to actually, evince documentation.pdf, sweet. 'Cause I'm sure that what we're looking at here has to be some input changing over and over again. So maybe they're inputting, maybe they're trying to type out like a flag, if this is a USB keyboard or something. So it looks like there is an explanation on how the keyboards work here on page 53. So let's go to that page in our PDF viewer and we've got, okay, Keyboard/Keypad Page. These are the keys that you would see implemented in a USB keyboard. So it looks like hexadecimal values that refer to whatever specific key they're trying to type on the keyboard. So if we looked at this in Wireshark one more time, what is it that particularly changes? That first string up at the top and this byte down here. So let's say they're just, I mean, we normally would want to know like a flag format here for like a capture the flag competition, because we want to know what it is that we're actually looking for. So for picoCTF there hasn't been a pretty static flag format, but it will likely normally just say like "flag", right? So if I check that out, what is it for F? What is the key that I'm looking for, or the number that I'm looking for, for key F? It is 09, okay? So at the very, very start, it looks like 09 is exactly that. What is L? L is 0F, cool.
So the packet right after it, I remember it was just a zero byte that wasn't changing or doing anything, but there's a 0F. And A, 04 in hex. What's that packet? 04, okay. So G, right? Spelling out the word "flag": 0A. Skip a packet, 0A, perfect. So it looks like, okay, that is trying to type out a flag for us. Now we just have to go ahead and scrape out all this information, because we don't want to like, well, we could manually determine what this is, but that's not very fun. So let's try and figure out what we can do. I want to introduce you to something called Scapy, or S-C-A-P-Y. It is a packet manipulation program. Really, it's a tool for Python. So it's a library that, if you wanted to use it, you totally can. If you want to install it, you can just use pip. There's a little bit of documentation and stuff online, but I will just kind of be going through the, like, objective-oriented, here's the tutorial and stuff, here's how to actually go ahead and do it, but they do give a little bit of a getting started guide and some usage, et cetera. So totally check this out if you want to get into some really, really cool things, for a tutorial and actually how to use Scapy to not only receive packets, if you want to listen for things on the network, send packets if you want to do that, or process through a pcap, like a file of a bunch of packets. So that's exactly what we can do here. Let's take a look at getting to do that in Python. Oh, I killed my terminal, whoops. All right, so if you, again, if you need to, just do a pip3 install scapy. Obviously you'll need your password because you're running it in sudo, and then let's try and create a script here. I'll call it apep.py. All right, I'm going to be fighting over the PEP 8 standards again in this, so please forgive me: "script to extract keys out of data.pcap". All right, so we import Scapy in an interesting way. You actually can do from scapy.all import *.
Normally you've seen that style, from module import *, but scapy.all has an interesting note. That .all is kind of not what we're used to when we're just trying to get everything out of a package. So that will load everything into the global namespace, so we won't have to use scapy.anything, which some people might argue at me against, but whatever, this works. You can correct me in the comments, I know you will. So now we can actually create an object that will hold everything that we are reading out of a pcap. And if you wanted to do this in the documentation, if you wanna try and figure this out, I wanna see "reading pcap files", sure. Okay, there's a function rdpcap to read a pcap and you can just pass it along. And that will have all of the different files that you wanna work with here. So packets = rdpcap and then we'll give it the file name, which is data.pcap, perfect. And then I can print packets, just to see what it says here. Why do I, oh, did I forget the, yeah, whatever. I'm fine with that. Now we can run ape, just like that. Okay, and we have our 66 packets. So if you wanted to, we could run packets.show() and you'll get a list of all of the packets that you're seeing here. So 0, 0, 0, 2, 0, 0, 0, 6, 5. And they're all a Raw type because they're not TCP or UDP like you would expect to see normally. So we can index them just like any other list here. And if you wanted to run .show() on only that, you can just do that. So see, okay, now we're looking at the very first packet here. It is a Raw type packet and it has a load, or some, like, the data that it's carrying with it. That just looks like a lot of, right now, escaped hex. So an interesting thing is that this \t is what we're actually looking for. If I were to show you packets[2], you would note that, okay, that is the \x0f that we saw. So that's the letter L. So packets[0], when we're checking that out, 0x09 is a \t. I'll show you that. \x09, that's \t.
Cool, so then we can determine how many bytes along that is from the very back and go ahead and extract or slice out just that piece of data that we want here. So one, two, three, four, five, six. It looks like it's six from the back. So if we wanted to, we could just slice out from the load variable, -6 from the back, and we want to print that out so we can display it on screen. Okay, so that is 9 because it's seeing it just in hex like that. Let's actually convert that to hex. Okay, great. And now we're seeing that as a string of hex, just like that. Cool, so now let's actually kind of correspond that with everything that we saw in the PDF file. So that means we're gonna have to try and carve out everything from that PDF file. So open it up again, documentation.pdf. Let's go to that page and let's try and be smart with this. I'm just gonna copy all of this that we may want. So I'm gonna go Keyboard a and down. Let's put this in a new file in, or like, call it mapping.txt. And then we can cut this up and carve it out to have our Python data work with it in a little bit. But first let's get all that raw data, just copy and paste it out of there. So blah, blah, blah, paste that. And maybe not all of these will be working the way we want them to, but we should at least get a general thing. 'Cause if we carve out what that hex identifier is and then determine the actual key it is that we would be expecting there, well, okay, we can print that out and have it be used throughout our script. Paste that. I don't know how far down to particularly go, so I'm just gonna be safe here. Maybe you can do that too if you wanna trust that. But it looks like these are just special characters now, and keep that stuff. So maybe we don't need all those. I wanted to make sure I got the numbers, because you've seen before in other challenges for picoCTF they have been using like a hash, like hexadecimal characters and numbers, to refer to their flag.
So, okay, now that we have that mapping.txt document created, let's go ahead and cut this up. We know how to do this from the command line, right? Because let's say this hex character that we're looking for, 04, 05, blah, blah, blah. That is the second column when we are delimiting it with spaces, right? And then the fourth column will actually be the key that we're looking for, like F, L, A, G, et cetera. So let's cut that out and see what we can get. I want to cat mapping.txt, cut -d using the space character as the delimiter. Let's get the hex that we want, cool. Maybe a couple of these aren't working for us, but that's just fine. Let's also grab field four, and then that looks like it has a good mapping for us. So let's go ahead and redirect that to newmapping.txt. And I'm gonna open that up in Sublime Text so I can figure some stuff out with it, because I want to make this into a dictionary that Python will be able to handle. So let's say we want everything before the first space. I'm gonna use regular expressions here. If you haven't used regular expressions before, I want to tell you they are awesome, but I'm gonna use that to just cut up this data and process it real quick. It's using a lot of, like, special weird characters to denote a thing that you want to search for and track down in text, and then you can do find-and-replace-like statements a lot better. So I'm gonna say everything, the space in the middle is what I care about as my delimiter. So if I want the notion before it, I'm gonna take, in parentheses, a period to match anything and then a star to match multiples of it. So that will return just that input part, and I want to put that in hex. So I'm gonna put a 0x and then a $1. 0x will note that I want it in hex and $1 will return the original thing that I matched. So that looks like that copied the space with it. So I do want to change that to be a colon following it.
So that will put it in the style where Python will consider that a, we can remove those oddities there, Python will consider that a part of the dictionary. So now, following that colon as my delimiter, I want everything after it. So I want that specific string that we're checking out. So I will replace that, put the colon back there with $1, but I'll put it in a string, like, put it wrapped around in quotes, so it'll be noted as a string, and I'll put a comma after it. So that way I can hit Ctrl+Alt+Enter and it will affect all of them. And then we can put that in curly braces to note that this is a dictionary that we want Python to be able to handle. So a couple of those are still oddballs we can remove, but for the most part, we have all the particular keys that we want and numbers. So let's see if we get any luck with this. Let's say mapping can equal, paste this dictionary here. I'm going to ignore flake8 for the time being because it's very annoying. If we wanted to, we could remove all these newlines and then just have everything follow. But okay, this backslash is breaking it. That's a good thing to note. Backslash key, we can kill all those newlines if we want, yeah. Select in that selection, so we don't remove all the newlines in our actual web page or in our current script. But now if I were to print mapping, we should have a notation of what is actually referring to what in our pcap data. ape, make sure I run there. Great, okay. So now I can specify mapping with 0x04 or 09 and get "flag" out of that, or F, cool. So that means that, for each packet in all of those packets that we're reading, we can say, let's get the packet out first, get that coordinate that we want, that specific byte that we want, special byte. And then we can determine, okay, what is the mapping set to that special byte? I wanna make sure it will actually do this. Okay, no, so KeyError, looks like it is interpreting that as a string.
So we can actually probably just leave this without the hex portion. F, no, zero does not exist. So because we are checking every single packet, those ones that were in between, every one that had a letter was just nothing, it was just a zero. If we wanted to fix that, kind of an easy hack is to say, okay, zero in our mapping will refer to nothing, or we could skip it in our for loop, whichever one you particularly want. So let's just try it. And we are getting some things out here: flag, press, onward, et cetera. So let's now do some list building, so we don't actually have a newline for every part of it. Let's say flag can equal an empty list, and then we can flag.append that byte that we're finding, and then we can just determine by printing out the flag joined by an empty string, so to put all of those elements of the list together, that should display it out on the screen for us. flag, press, onwards, and then we have a random C at the end here. Cool, so this is the flag that we want. Let's go ahead and submit this. Don't need that ending curly brace there. Submit, oh, I missed it, okay. Well, it didn't specify whether or not they wanted it all lowercase or uppercase or not. So let's just try it in uppercase, PRESS, ONWARDS, with our string here. Maybe that is what they want. Submit, no. Let's take another look at the mappings, actually. So I wanna know if that hyphen, oh, the hyphen and underscore maybe acting, yeah. So maybe that is an underscore. Let's try that. Yes, okay, awesome, awesome. Geez, I'm sorry that took so long. I didn't mean for us to be tripping over that for so long, but that's cool, good for us to note. Taking advantage of actually reading through that documentation, especially for the special characters, all the words seemed to make sense. Like the leet speak looked cool. It looked like a legitimate flag, but the underscores were getting us there. So keep that in mind, I suppose. Try everything, don't stop. Just keep trying, get it?
All right, hey, I wanna showcase some love to my supporters here. So special shout-out to these individuals for all of your help and donations and support on Patreon. You guys are phenomenal. $1 a month on Patreon will give you just a special shout-out at the end of every video. $5 a month will give you early access to everything I create on YouTube before it gets released, because normally I record in bulk, or en masse, and I let YouTube gradually, slowly, day by day, release it. So hey, if you did like this video, please do press that like button. Maybe leave me a comment. If you're willing to, subscribe, and if you wanna support me, check me out on Patreon or my website, www.johnhammond.org. Sweet, see you later.
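The following is an added example and is not part of the video or of John's script. It decodes the same kind of capture without Scapy and without the hand-built mapping, and it reads the modifier byte of each report, which is exactly what the video tripped over: "-" with shift held is "_", "[" with shift held is "{", and a lowercase keycode with shift held is the uppercase letter. It assumes the pcap is a Linux usbmon capture with the 64-byte mmapped pseudo-header (link type 220) whose completed interrupt-IN URBs carry 8-byte boot-protocol keyboard reports (the bytes Wireshark labels "Leftover Capture Data"); a USBPcap capture from Windows would need a different pseudo-header parse. The names HID_KEYS, hid_reports, decode_keystrokes and encode_keystrokes are mine, the HID_KEYS table is a subset of the Keyboard/Keypad page from the HID Usage Tables, and the sample pcap is constructed in memory by encode_keystrokes, not the challenge's data.pcap.

```python
"""Decode USB HID boot-keyboard keystrokes from a usbmon pcap.

Added example, not from the video. Assumes LINKTYPE_USB_LINUX_MMAPPED (220)
records and 8-byte boot-protocol keyboard reports; the sample data is built
by encode_keystrokes() and is constructed, not a real capture.
"""
import struct

# Subset of the HID Usage Tables "Keyboard/Keypad Page" (0x07):
# keycode -> (unshifted character, shifted character).
HID_KEYS = {0x04 + i: (chr(ord("a") + i), chr(ord("A") + i)) for i in range(26)}
HID_KEYS.update({
    0x1E: ("1", "!"), 0x1F: ("2", "@"), 0x20: ("3", "#"), 0x21: ("4", "$"),
    0x22: ("5", "%"), 0x23: ("6", "^"), 0x24: ("7", "&"), 0x25: ("8", "*"),
    0x26: ("9", "("), 0x27: ("0", ")"), 0x28: ("\n", "\n"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x33: (";", ":"), 0x34: ("'", '"'), 0x36: (",", "<"), 0x37: (".", ">"),
    0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x02 | 0x20          # left shift | right shift bits of the modifier byte

LINKTYPE_USB_LINUX_MMAPPED = 220
PCAP_GLOBAL = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_REC = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len
# usbmon mmapped pseudo-header (64 bytes): id, event type, xfer type, epnum, devnum,
# busnum, flag_setup, flag_data, ts_sec, ts_usec, status, urb_len, data_len,
# setup/iso union, interval, start_frame, xfer_flags, ndesc
USBMON_HDR = struct.Struct("<QBBBBHBBqiiii8siiii")


def iter_pcap_packets(data):
    """Yield (linktype, packet_bytes) for each record of a classic little-endian pcap."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = PCAP_GLOBAL.unpack_from(data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian microsecond pcap (magic a1b2c3d4)")
    off = PCAP_GLOBAL.size
    while off + PCAP_REC.size <= len(data):
        _sec, _usec, incl_len, _orig_len = PCAP_REC.unpack_from(data, off)
        off += PCAP_REC.size
        yield linktype, data[off:off + incl_len]
        off += incl_len


def hid_reports(pcap):
    """Yield the 8-byte keyboard reports carried by completed interrupt-IN URBs."""
    for linktype, pkt in iter_pcap_packets(pcap):
        if linktype != LINKTYPE_USB_LINUX_MMAPPED or len(pkt) < USBMON_HDR.size:
            continue
        fields = USBMON_HDR.unpack_from(pkt, 0)
        event_type, xfer_type, epnum, data_len = fields[1], fields[2], fields[3], fields[12]
        # 'C' = completion event, xfer_type 1 = interrupt, epnum bit 7 set = IN (device to host)
        if event_type != ord("C") or xfer_type != 1 or not epnum & 0x80:
            continue
        payload = pkt[USBMON_HDR.size:USBMON_HDR.size + data_len]   # Wireshark's "leftover data"
        if len(payload) == 8:
            yield payload


def decode_keystrokes(reports, honor_shift=True):
    """Turn a sequence of boot-keyboard reports into text.

    Report layout: byte 0 modifiers, byte 1 reserved, bytes 2..7 up to six held keys.
    A key is emitted once, when it first appears; an all-zero report is a release.
    With honor_shift=False the modifier byte is ignored, which reproduces the
    "-" instead of "_" mistake from the video.
    """
    out = []
    held = set()
    for rep in reports:
        shift = honor_shift and bool(rep[0] & SHIFT_MASK)
        keys = [k for k in rep[2:8] if k]
        for k in keys:
            if k in held:
                continue                      # still held from the previous report, not a new press
            if k == BACKSPACE:
                if out:
                    out.pop()
            elif k in HID_KEYS:
                out.append(HID_KEYS[k][1 if shift else 0])
        held = set(keys)
    return "".join(out)


def encode_keystrokes(text):
    """Build a constructed usbmon-style pcap that types TEXT (press report, then release)."""
    reverse = {}
    for code, (plain, shifted) in HID_KEYS.items():
        reverse.setdefault(plain, (code, 0x00))
        reverse.setdefault(shifted, (code, 0x02))   # typed with left shift held
    records = []
    for ch in text:
        code, mods = reverse[ch]
        for report in (bytes([mods, 0, code, 0, 0, 0, 0, 0]), bytes(8)):
            # completion of an interrupt transfer on IN endpoint 1, device 3, bus 1
            hdr = USBMON_HDR.pack(0, ord("C"), 1, 0x81, 3, 1, ord("-"), 0,
                                  0, 0, 0, 8, 8, bytes(8), 8, 0, 0, 0)
            pkt = hdr + report
            records.append(PCAP_REC.pack(0, 0, len(pkt), len(pkt)) + pkt)
    return PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USB_LINUX_MMAPPED) + b"".join(records)


if __name__ == "__main__":
    sample = encode_keystrokes("Keep_Trying{ok}")   # constructed sample, not the challenge pcap
    print(decode_keystrokes(hid_reports(sample)))                      # Keep_Trying{ok}
    print(decode_keystrokes(hid_reports(sample), honor_shift=False))   # keep-trying[ok]
```

To run it against a real file, replace the constructed sample with `open("data.pcap", "rb").read()`; the release reports between keystrokes (the all-zero packets the video had to special-case as mapping 0 to nothing) fall out naturally because a report with no keys emits nothing and just clears the held set, and a key that is reported as held across several consecutive reports is emitted once rather than repeated.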