
20250725_QQ_ezusb

Published: 2026/6/20 15:42:19

Tags: traffic analysis, USB, pyshark, Base64, kamasutra, DASCTF

0x00. Challenge

Attachment path: https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件

Attachment name: 20250725_QQ_ezusb.zip

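0x01. Writeup

1. Analyze the USB traffic

The capture contains traffic from two USB devices:

usb.capdata from device 1.1.1

usbhid.data from device 1.2.1

2. Extract the two streams separately with a script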

# -*- coding: utf-8 -*-
import os
# os.system("tshark -r flag.pcapng -T fields -e usbhid.data > usbhdata.txt")
# os.system("tshark -r flag.pcapng -T fields -e usb.capdata > usbdata.txt")

# HID usage ID (hex) -> character on a US layout; shiftKeys applies while left Shift (modifier 0x02) is held
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n","12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3","21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N","12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#","21":"$", "22":"%","23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":":","34":"\"","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

# Parser for ordinary keyboard traffic (usbhid.data)
nums = []
keys = open('usbhdata.txt')
for line in keys:
    # print(len(line))
    # 8-byte report = 16 hex characters plus the newline
    if len(line) != 17:
        continue
    # keep byte 0 (modifier) and byte 2 (first key code)
    nums.append(line[0:2]+line[4:6])
# print(nums)
keys.close()

output = ""
for n in nums:
    if n[2:4] == "00":
        continue
    if n[2:4] in normalKeys:
        if n[0:2] == "02":
            output += shiftKeys[n[2:4]]
        else:
            output += normalKeys[n[2:4]]
    else:
        output += '[unknown]'
print('Part1 :' + output)
print('\n')

# Parser for the usb.capdata traffic
nums = []
keys = open('usbdata.txt')
for line in keys:
    # print(len(line))
    # 7-byte report = 14 hex characters plus the newline
    if len(line) != 15:
        continue
    # byte 1 is the value of interest; 00 carries no data
    if line[2:4] == "00":
        continue
    nums.append(line[2:4])
keys.close()
# 02 is read as bit 0 and 01 as bit 1
print('Part2 :',''.join(nums).replace("02","0").replace("01","1"))

# Part1 :congratulations,you<SPACE>finlly<SPACE>find<SPACE>me,but<SPACE>what<SPACE>i<SPACE>want<SPACE>to<SPACE>tell<SPACE>you<SPACE>is<SPACE>that<SPACE>roman<SPACE>roland<SPACE>once<SPACE>said<SPACE>thar<SPACE>there<SPACE>is<SPACE>only<SPACE>one<SPACE>kind<SPACE>of<SPACE>heroism<SPACE>in<SPACE>the<SPACE>worlld,that<SPACE>is<SPACE>to<SPACE>know<SPACE>the<SPACE>cruelty<SPACE>of<SPACE>the<SPACE>life<SPACE>but<SPACE>still<SPACE>love<SPACE>it.<CAP><CAP>ok,<CAP><CAP>get<SPACE>to<SPACE>the<SPACE>point;the<SPACE>[]-<SPACE>three<SPACE>symbols<SPACE>were<SPACE>added<SPACE>to<SPACE>the<SPACE>front<SPACE>of<SPACE>the<SPACE>base64<SPACE>table<SPACE>and<SPACE>handed<SPACE>to<SPACE>caesar.if<SPACE>you<SPACE>can<SPACE>decrypto<SPACE>the<SPACE>sercet<SPACE>you<SPACE>can<SPACE>get<SPACE>the<SPACE>half<SPACE>of<SPACE>flag.
#
# Part2 : 010010110110010101111001011000100011000001110010011000010110010001011111010000000110111001100100010111110101010101010011010000100010000101111101
# BIN2CHR=>Keyb0rad_@nd_USB!}
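
The script above stops at the Part2 bit string and leaves the BIN2CHR step to a separate tool. The following added example (not part of the original writeup) does both steps in Python; the function names and sample reports are constructed for illustration, and it assumes the same report layout as the script: 7-byte reports with the button state in byte 1, 0x01 read as bit 1 and 0x02 as bit 0.

```python
# Added example, not from the original writeup.
# Assumed layout (same as the script above): 7-byte usb.capdata reports,
# byte 1 = button state, 0x01 -> bit 1, 0x02 -> bit 0, 0x00 -> no click.
BUTTON_TO_BIT = {"01": "1", "02": "0"}


def clicks_to_bits(lines):
    """Turn tshark usb.capdata lines into a bit string, one bit per click."""
    bits = []
    for raw in lines:
        # Some tshark versions print bytes colon-separated (01:02:...).
        report = raw.strip().replace(":", "").lower()
        if len(report) != 14:      # blank line or a report of another size
            continue
        button = report[2:4]
        if button == "00":         # movement only, or button released
            continue
        if button not in BUTTON_TO_BIT:
            raise ValueError(f"unexpected button byte {button!r} in {report}")
        bits.append(BUTTON_TO_BIT[button])
    return "".join(bits)


def bits_to_text(bits):
    """Decode a bit string as 8-bit ASCII, most significant bit first."""
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


# Part2 bit string as printed by the script above, split into bytes.
PART2_BITS = (
    "01001011" "01100101" "01111001" "01100010" "00110000" "01110010"
    "01100001" "01100100" "01011111" "01000000" "01101110" "01100100"
    "01011111" "01010101" "01010011" "01000010" "00100001" "01111101"
)

# Constructed sample reports (not taken from the challenge capture).
SAMPLE_LINES = [
    "01020000000000", "01000000000000",  # right click, then release
    "",                                  # packet without usb.capdata
    "01:01:00:00:00:00:00",              # colon-separated form
    "01020100ff0000", "01020000000000",
    "01010000000000", "01010000000000", "01010000000000", "01010000000000",
]

if __name__ == "__main__":
    print(bits_to_text(PART2_BITS))
    print(bits_to_text(clicks_to_bits(SAMPLE_LINES)))
```

Unlike the string `replace` in the script, an unexpected button byte or a bit count that is not a multiple of 8 raises an error instead of silently producing a shifted bit string.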

3. Decode secret.txt

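E_RBUG}KtruA4ZrxABZ4rZsAZOeAlztrdA
{}_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

Replace []- with {}_ to form a dictionary based on the Base64 table, then decrypt with the kamasutra (Kama Sutra cipher) function of the 随波逐流 tool to obtain the plaintext DASCTF{JUST_3aSY_Ca3SaR_aND_MaUSE_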
