Explanation
Oh my god, a nasty keylogger has recorded the keystrokes on the keyboard! It's up to us to recover what was captured!
The classy, technical solution
The cleanest solution would be to replay the recording with evemu-play, but since I'm a run-of-the-mill technician, I'm on WINDOWS (I know, it's shameful to do CTFs on Windows, but that's life).
The dumb, hands-in-the-grease solution
Well, I do still run WSL (Windows Subsystem for Linux), I'm not that much of a masochist, which gives me access to the basic Linux commands. So we're going to analyse the file and see how we can get by.
Event: time 1584656705.424839, -------------- SYN_REPORT ------------
Event: time 1584656706.404214, type 4 (EV_MSC), code 4 (MSC_SCAN), value 16
Event: time 1584656706.404214, type 1 (EV_KEY), code 22 (KEY_U), value 1
Event: time 1584656706.404214, -------------- SYN_REPORT ------------
Event: time 1584656706.508350, type 4 (EV_MSC), code 4 (MSC_SCAN), value 16
Event: time 1584656706.508350, type 1 (EV_KEY), code 22 (KEY_U), value 0
Event: time 1584656706.508350, -------------- SYN_REPORT ------------
Event: time 1584656706.674591, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31
Event: time 1584656706.674591, type 1 (EV_KEY), code 49 (KEY_N), value 1
Event: time 1584656706.674591, -------------- SYN_REPORT ------------
Event: time 1584656706.774463, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31
Event: time 1584656706.774463, type 1 (EV_KEY), code 49 (KEY_N), value 0
Event: time 1584656706.774463, -------------- SYN_REPORT ------------
Event: time 1584656706.926206, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12
Event: time 1584656706.926206, type 1 (EV_KEY), code 18 (KEY_E), value 1
Event: time 1584656706.926206, -------------- SYN_REPORT ------------
Event: time 1584656707.023728, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12
Event: time 1584656707.023728, type 1 (EV_KEY), code 18 (KEY_E), value 0
Event: time 1584656707.023728, -------------- SYN_REPORT ------------
Event: time 1584656707.262381, type 4 (EV_MSC), code 4 (MSC_SCAN), value 22
Event: time 1584656707.262381, type 1 (EV_KEY), code 34 (KEY_G), value 1
Event: time 1584656707.262381, -------------- SYN_REPORT ------------
Event: time 1584656707.358058, type 4 (EV_MSC), code 4 (MSC_SCAN), value 22
Event: time 1584656707.358058, type 1 (EV_KEY), code 34 (KEY_G), value 0
Event: time 1584656707.358058, -------------- SYN_REPORT ------------
Event: time 1584656707.490764, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12
Event: time 1584656707.490764, type 1 (EV_KEY), code 18 (KEY_E), value 1
Event: time 1584656707.490764, -------------- SYN_REPORT ------------
Event: time 1584656707.574470, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12
Event: time 1584656707.574470, type 1 (EV_KEY), code 18 (KEY_E), value 0
Event: time 1584656707.574470, -------------- SYN_REPORT ------------
Event: time 1584656707.608236, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31
Event: time 1584656707.608236, type 1 (EV_KEY), code 49 (KEY_N), value 1
Event: time 1584656707.608236, -------------- SYN_REPORT ------------
Event: time 1584656707.707004, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31
Event: time 1584656707.707004, type 1 (EV_KEY), code 49 (KEY_N), value 0
Event: time 1584656707.707004, -------------- SYN_REPORT ------------
Event: time 1584656707.759770, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14
Event: time 1584656707.759770, type 1 (EV_KEY), code 20 (KEY_T), value 1
Event: time 1584656707.759770, -------------- SYN_REPORT ------------
Event: time 1584656707.840425, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14
Event: time 1584656707.840425, type 1 (EV_KEY), code 20 (KEY_T), value 0
Event: time 1584656707.840425, -------------- SYN_REPORT ------------
Event: time 1584656707.923631, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17
Event: time 1584656707.923631, type 1 (EV_KEY), code 23 (KEY_I), value 1
Event: time 1584656707.923631, -------------- SYN_REPORT ------------
Event: time 1584656708.029116, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17
Event: time 1584656708.029116, type 1 (EV_KEY), code 23 (KEY_I), value 0
Event: time 1584656708.029116, -------------- SYN_REPORT ------------
Event: time 1584656708.207446, type 4 (EV_MSC), code 4 (MSC_SCAN), value 26
Event: time 1584656708.207446, type 1 (EV_KEY), code 38 (KEY_L), value 1
Event: time 1584656708.207446, -------------- SYN_REPORT ------------
Event: time 1584656708.273697, type 4 (EV_MSC), code 4 (MSC_SCAN), value 26
Event: time 1584656708.273697, type 1 (EV_KEY), code 38 (KEY_L), value 0
Event: time 1584656708.273697, -------------- SYN_REPORT ------------
Event: time 1584656708.390800, type 4 (EV_MSC), code 4 (MSC_SCAN), value 26
Event: time 1584656708.390800, type 1 (EV_KEY), code 38 (KEY_L), value 1
Event: time 1584656708.390800, -------------- SYN_REPORT ------------
Event: time 1584656708.458067, type 4 (EV_MSC), code 4 (MSC_SCAN), value 26
Event: time 1584656708.458067, type 1 (EV_KEY), code 38 (KEY_L), value 0
Event: time 1584656708.458067, -------------- SYN_REPORT ------------
Event: time 1584656708.540949, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12
Event: time 1584656708.540949, type 1 (EV_KEY), code 18 (KEY_E), value 1
Event: time 1584656708.540949, -------------- SYN_REPORT ------------
Event: time 1584656708.624457, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12
Event: time 1584656708.624457, type 1 (EV_KEY), code 18 (KEY_E), value 0
Event: time 1584656708.624457, -------------- SYN_REPORT ------------
Event: time 1584656709.244644, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17
Event: time 1584656709.244644, type 1 (EV_KEY), code 23 (KEY_I), value 1
Event: time 1584656709.244644, -------------- SYN_REPORT ------------
Event: time 1584656709.340086, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17
Event: time 1584656709.340086, type 1 (EV_KEY), code 23 (KEY_I), value 0
Event: time 1584656709.340086, -------------- SYN_REPORT ------------
Event: time 1584656709.474963, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31
Event: time 1584656709.474963, type 1 (EV_KEY), code 49 (KEY_N), value 1
Event: time 1584656709.474963, -------------- SYN_REPORT ------------
Event: time 1584656709.590218, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31
Event: time 1584656709.590218, type 1 (EV_KEY), code 49 (KEY_N), value 0
Event: time 1584656709.590218, -------------- SYN_REPORT ------------
Event: time 1584656709.590407, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14
Event: time 1584656709.590407, type 1 (EV_KEY), code 20 (KEY_T), value 1
Event: time 1584656709.590407, -------------- SYN_REPORT ------------
Event: time 1584656709.692163, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14
Event: time 1584656709.692163, type 1 (EV_KEY), code 20 (KEY_T), value 0
Event: time 1584656709.692163, -------------- SYN_REPORT ------------
Event: time 1584656709.775366, type 4 (EV_MSC), code 4 (MSC_SCAN), value 13
Event: time 1584656709.775366, type 1 (EV_KEY), code 19 (KEY_R), value 1
Event: time 1584656709.775366, -------------- SYN_REPORT ------------
Event: time 1584656709.858065, type 4 (EV_MSC), code 4 (MSC_SCAN), value 13
Event: time 1584656709.858065, type 1 (EV_KEY), code 19 (KEY_R), value 0
Event: time 1584656709.858065, -------------- SYN_REPORT ------------
Event: time 1584656709.890584, type 4 (EV_MSC), code 4 (MSC_SCAN), value 18
Event: time 1584656709.890584, type 1 (EV_KEY), code 24 (KEY_O), value 1
Event: time 1584656709.890584, -------------- SYN_REPORT ------------
Event: time 1584656709.991261, type 4 (EV_MSC), code 4 (MSC_SCAN), value 18
Event: time 1584656709.991261, type 1 (EV_KEY), code 24 (KEY_O), value 0
Event: time 1584656709.991261, -------------- SYN_REPORT ------------
Event: time 1584656710.071776, type 4 (EV_MSC), code 4 (MSC_SCAN), value 20
Event: time 1584656710.071776, type 1 (EV_KEY), code 32 (KEY_D), value 1
Event: time 1584656710.071776, -------------- SYN_REPORT ------------
Event: time 1584656710.140715, type 4 (EV_MSC), code 4 (MSC_SCAN), value 16
Event: time 1584656710.140715, type 1 (EV_KEY), code 22 (KEY_U), value 1
Event: time 1584656710.140715, -------------- SYN_REPORT ------------
Event: time 1584656710.140908, type 4 (EV_MSC), code 4 (MSC_SCAN), value 20
Event: time 1584656710.140908, type 1 (EV_KEY), code 32 (KEY_D), value 0
Event: time 1584656710.140908, -------------- SYN_REPORT ------------
Event: time 1584656710.241554, type 4 (EV_MSC), code 4 (MSC_SCAN), value 16
Event: time 1584656710.241554, type 1 (EV_KEY), code 22 (KEY_U), value 0
Event: time 1584656710.241554, -------------- SYN_REPORT ------------
Event: time 1584656710.292262, type 4 (EV_MSC), code 4 (MSC_SCAN), value 2e
Event: time 1584656710.292262, type 1 (EV_KEY), code 46 (KEY_C), value 1
Event: time 1584656710.292262, -------------- SYN_REPORT ------------
Event: time 1584656710.376851, type 4 (EV_MSC), code 4 (MSC_SCAN), value 2e
Event: time 1584656710.376851, type 1 (EV_KEY), code 46 (KEY_C), value 0
Event: time 1584656710.376851, -------------- SYN_REPORT ------------
Event: time 1584656710.591074, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14
Event: time 1584656710.591074, type 1 (EV_KEY), code 20 (KEY_T), value 1
Event: time 1584656710.591074, -------------- SYN_REPORT ------------
Event: time 1584656710.640977, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14
Event: time 1584656710.640977, type 1 (EV_KEY), code 20 (KEY_T), value 0
Event: time 1584656710.640977, -------------- SYN_REPORT ------------
Event: time 1584656710.674514, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17
Event: time 1584656710.674514, type 1 (EV_KEY), code 23 (KEY_I), value 1
Event: time 1584656710.674514, -------------- SYN_REPORT ------------
Event: time 1584656710.773591, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17
Event: time 1584656710.773591, type 1 (EV_KEY), code 23 (KEY_I), value 0
Event: time 1584656710.773591, -------------- SYN_REPORT ------------
Event: time 1584656710.857087, type 4 (EV_MSC), code 4 (MSC_SCAN), value 18
Event: time 1584656710.857087, type 1 (EV_KEY), code 24 (KEY_O), value 1
Event: time 1584656710.857087, -------------- SYN_REPORT ------------
Event: time 1584656710.976040, type 4 (EV_MSC), code 4 (MSC_SCAN), value 18
Event: time 1584656710.976040, type 1 (EV_KEY), code 24 (KEY_O), value 0
Event: time 1584656710.976040, -------------- SYN_REPORT ------------
Event: time 1584656711.026258, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31
Event: time 1584656711.026258, type 1 (EV_KEY), code 49 (KEY_N), value 1
Event: time 1584656711.026258, -------------- SYN_REPORT ------------
Event: time 1584656711.107580, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31
Event: time 1584656711.107580, type 1 (EV_KEY), code 49 (KEY_N), value 0
Here we have a nice big block, but it isn't actually that impressive: it just records when a key is pressed ("value 1") and when it is released ("value 0"). Having understood that, we can apply a first filter with grep.
grep "value 1" petite_frappe.txt
It's still unreadable, I admit, but in the end what we care about are the keys, so we add another filter:
grep "value 1" petite_frappe.txt | grep "KEY_." --only-matching
Better, but not quite there yet. Something is starting to show through. Let's finish the command like this:
grep "value 1" petite_frappe.txt | grep "KEY_." --only-matching | cut -d "_" -f 2 | tr -d '\n'
We thus find the following flag:
FCSC{UNEGENTILLEINTRODUCTION}
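As an added example (not part of the original writeup), here is a small Python parser for the evtest format shown above that walks the EV_KEY lines in press order and also handles two cases the grep pipeline does not: a Shift key held while typing, and autorepeat events (value 2) for a held key, which `grep "value 1"` would drop. The sample log inside is constructed; the key names are the Linux input event names that appear in the capture, and letters come out lowercase unless Shift is held.

```python
import re

# Constructed sample in the evtest text format discussed above (not the challenge
# file): "un" typed normally, Shift held while "e" is pressed, then "x" held
# long enough for the kernel to emit an autorepeat event (value 2).
SAMPLE_LOG = """\
Event: time 1584656706.404214, type 4 (EV_MSC), code 4 (MSC_SCAN), value 16
Event: time 1584656706.404214, type 1 (EV_KEY), code 22 (KEY_U), value 1
Event: time 1584656706.404214, -------------- SYN_REPORT ------------
Event: time 1584656706.508350, type 1 (EV_KEY), code 22 (KEY_U), value 0
Event: time 1584656706.674591, type 1 (EV_KEY), code 49 (KEY_N), value 1
Event: time 1584656706.774463, type 1 (EV_KEY), code 49 (KEY_N), value 0
Event: time 1584656706.900000, type 1 (EV_KEY), code 42 (KEY_LEFTSHIFT), value 1
Event: time 1584656706.926206, type 1 (EV_KEY), code 18 (KEY_E), value 1
Event: time 1584656707.023728, type 1 (EV_KEY), code 18 (KEY_E), value 0
Event: time 1584656707.100000, type 1 (EV_KEY), code 42 (KEY_LEFTSHIFT), value 0
Event: time 1584656707.262381, type 1 (EV_KEY), code 45 (KEY_X), value 1
Event: time 1584656707.500000, type 1 (EV_KEY), code 45 (KEY_X), value 2
Event: time 1584656707.600000, type 1 (EV_KEY), code 45 (KEY_X), value 0
"""

# Only EV_KEY lines carry keystrokes. MSC_SCAN lines hold the raw scancode
# (and "value 16" there also matches a naive grep for "value 1"); SYN_REPORT
# lines are frame markers. Anchoring on "type 1 (EV_KEY)" skips both.
KEY_RE = re.compile(r"type 1 \(EV_KEY\), code \d+ \((KEY_\w+)\), value (\d)")

MODIFIERS = {"KEY_LEFTSHIFT", "KEY_RIGHTSHIFT"}
SPECIAL = {"KEY_SPACE": " ", "KEY_ENTER": "\n", "KEY_MINUS": "-", "KEY_DOT": "."}

def decode_keystrokes(log: str) -> str:
    """Rebuild the typed text in press order from evtest output."""
    shift, out = 0, []  # shift = number of Shift keys currently held
    for line in log.splitlines():
        m = KEY_RE.search(line)
        if not m:
            continue
        key, value = m.group(1), int(m.group(2))
        if key in MODIFIERS:  # 1 = press, 0 = release; ignore autorepeat (2)
            shift += {1: 1, 0: -1}.get(value, 0)
            continue
        if value == 0:  # release: nothing typed
            continue
        # value 1 (press) and value 2 (autorepeat) both produce a character
        if key in SPECIAL:
            ch = SPECIAL[key]
        elif len(key) == 5:  # KEY_A .. KEY_Z, KEY_0 .. KEY_9
            ch = key[4:].lower()
        else:
            ch = f"<{key[4:]}>"  # e.g. KEY_BACKSPACE: keep it visible
        out.append(ch.upper() if shift > 0 else ch)
    return "".join(out)
```

Feeding the contents of petite_frappe.txt to decode_keystrokes() gives the same letters as the author's pipeline, in lowercase since the capture contains no Shift events.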