(usb鍵盤隱寫)buuctf:USB

下載附件，解壓

繼續解壓233.rar，發現里面有一個文檔，但是哪有這么容易

編輯器查看壓縮包，分析RAR文件結構，發現文件塊的位置應該是74並不是7A，修改為74后保存.

保存后，再次解壓得到一張圖片

圖片隱寫，日常工具處理一遍，在利用工具stegsolve時，發現在bule的0通道有個二維碼

掃一下得到ci{v3erf_0tygidv2_fc0}

不知道有啥用，再看看解壓出來的另一個文件key.ftm，發現里面有壓縮包

先把壓縮包提取出來
的到key.pacp文件，果然對應題目usb隱寫。

使用命令提取鍵盤的數據 tshark -r key.pcap -T fields -e usb.capdata > usbdata.txt
然后得到usbdata.txt

使用腳本
`#!/usr/bin/env python

import sys
import os

DataFileName = "usb.dat"

presses = []

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":" ","29":" ","2a":" ", "2b":"\t","2c":" ","2d":"-","2e":"=","2f":"[","30":"]","31":"\","32":" ","33":";","34":"'","35":" ","36":",","37":".","38":"/","39":" ","3a":" ","3b":" ", "3c":" ","3d":" ","3e":" ","3f":" ","40":" ","41":" ","42":" ","43":" ","44":" ","45":" "}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27"😊","28":" ","29":" ","2a":" ", "2b":"\t","2c":" ","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":" ","33":""","34":":","35":" ","36":"<","37":">","38":"?","39":" ","3a":" ","3b":" ", "3c":" ","3d":" ","3e":" ","3f":" ","40":" ","41":" ","42":" ","43":" ","44":" ","45":" "}

def main():
# check argv
if len(sys.argv) != 2:
print("Usage : ")
print(" python UsbKeyboardHacker.py data.pcap")
print("Tips : ")
print(" To use this python script , you must install the tshark first.")
print(" You can use sudo apt-get install tshark to install it")
print("Author : ")
print(" WangYihang wangyihanger@gmail.com")
print(" If you have any questions , please contact me by email.")
print(" Thank you for using.")
exit(1)

# get argv
pcapFilePath = sys.argv[1]

# get data of pcap
os.system("tshark -r %s -T fields -e usb.capdata 'usb.data_len == 8' > %s" % (pcapFilePath, DataFileName))

# read data
with open(DataFileName, "r") as f:
    for line in f:
        presses.append(line[0:-1])
# handle
result = ""
for press in presses:
    if press == '':
        continue
    if ':' in press:
        Bytes = press.split(":")
    else:
        Bytes = [press[i:i+2] for i in range(0, len(press), 2)]
    if Bytes[0] == "00":
        if Bytes[2] != "00" and normalKeys.get(Bytes[2]):
            result += normalKeys[Bytes[2]]
    elif int(Bytes[0],16) & 0b10 or int(Bytes[0],16) & 0b100000: # shift key is pressed.
        if Bytes[2] != "00" and normalKeys.get(Bytes[2]):
            result += shiftKeys[Bytes[2]]
    else:
        print("[-] Unknow Key : %s" % (Bytes[0]))
print("[+] Found : %s" % (result))

# clean the temp data
os.system("rm ./%s" % (DataFileName))

if name == "main":
main()
`
提取數據得到{xinan}

猜測是維吉尼亞密碼，在線解密

https://www.qqxiuzi.cn/bianma/zhalanmima.php

得到的並不是flag，像是柵欄密碼加密過，再次嘗試解密，柵欄解密網址
https://www.qqxiuzi.cn/bianma/zhalanmima.php

得到flag
flag{vig3ne2e_is_c00l}