{"id":126,"date":"2020-05-05T12:45:13","date_gmt":"2020-05-05T10:45:13","guid":{"rendered":"https:\/\/blog.caturday-lovers.fr.nf\/?p=126"},"modified":"2020-05-05T20:48:23","modified_gmt":"2020-05-05T18:48:23","slug":"les-chatons-ont-la-reponse-fcsc-2020-petite-frappe-1","status":"publish","type":"post","link":"https:\/\/blog.caturday-lovers.fr.nf\/?p=126","title":{"rendered":"The kittens have the answer \u2013 FCSC 2020 \/\/ Petite frappe 1"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"501\" height=\"824\" src=\"https:\/\/blog.caturday-lovers.fr.nf\/wp-content\/uploads\/2020\/05\/2020-05-04_17h26_55.png\" alt=\"\" class=\"wp-image-127\" srcset=\"https:\/\/blog.caturday-lovers.fr.nf\/wp-content\/uploads\/2020\/05\/2020-05-04_17h26_55.png 501w, https:\/\/blog.caturday-lovers.fr.nf\/wp-content\/uploads\/2020\/05\/2020-05-04_17h26_55-182x300.png 182w\" sizes=\"auto, (max-width: 501px) 100vw, 501px\" \/><\/figure><\/div>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">Explanation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-photo is-provider-giphy\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/giphy.com\/gifs\/angry-scream-rabbids-lapinscretins-3o6Zt0WMG2Lhi8aloI\n<\/div><\/figure>\n\n\n\n<p>Oh my god, a nasty keylogger has recorded the keystrokes on the keyboard! 
It is up to us to recover what was captured!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The classy, technical solution<\/h2>\n\n\n\n<p>The cleanest solution would be to replay the recording with <strong>evemu-play<\/strong>, but since I am an ordinary technician, I am on <strong>WINDOWS<\/strong> (I know, doing CTFs on Windows is shameful, but that's life).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The dumb, hands-dirty solution<\/h2>\n\n\n\n<p>Well, I do still run WSL (<a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/fr-fr\/windows\/wsl\/install-win10\" target=\"_blank\">Windows Subsystem for Linux<\/a>), I am not that much of a masochist, which gives me access to the basic Linux commands. So we are going to analyze the file and see how we can work our way through it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Event: time 1584656705.424839, -------------- SYN_REPORT ------------\nEvent: time 1584656706.404214, type 4 (EV_MSC), code 4 (MSC_SCAN), value 16\nEvent: time 1584656706.404214, type 1 (EV_KEY), code 22 (KEY_U), value 1\nEvent: time 1584656706.404214, -------------- SYN_REPORT ------------\nEvent: time 1584656706.508350, type 4 (EV_MSC), code 4 (MSC_SCAN), value 16\nEvent: time 1584656706.508350, type 1 (EV_KEY), code 22 (KEY_U), value 0\nEvent: time 1584656706.508350, -------------- SYN_REPORT ------------\nEvent: time 1584656706.674591, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31\nEvent: time 1584656706.674591, type 1 (EV_KEY), code 49 (KEY_N), value 1\nEvent: time 1584656706.674591, -------------- SYN_REPORT ------------\nEvent: time 1584656706.774463, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31\nEvent: time 1584656706.774463, type 1 (EV_KEY), code 49 (KEY_N), value 0\nEvent: time 1584656706.774463, -------------- SYN_REPORT ------------\nEvent: time 1584656706.926206, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12\nEvent: 
time 1584656706.926206, type 1 (EV_KEY), code 18 (KEY_E), value 1\nEvent: time 1584656706.926206, -------------- SYN_REPORT ------------\nEvent: time 1584656707.023728, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12\nEvent: time 1584656707.023728, type 1 (EV_KEY), code 18 (KEY_E), value 0\nEvent: time 1584656707.023728, -------------- SYN_REPORT ------------\nEvent: time 1584656707.262381, type 4 (EV_MSC), code 4 (MSC_SCAN), value 22\nEvent: time 1584656707.262381, type 1 (EV_KEY), code 34 (KEY_G), value 1\nEvent: time 1584656707.262381, -------------- SYN_REPORT ------------\nEvent: time 1584656707.358058, type 4 (EV_MSC), code 4 (MSC_SCAN), value 22\nEvent: time 1584656707.358058, type 1 (EV_KEY), code 34 (KEY_G), value 0\nEvent: time 1584656707.358058, -------------- SYN_REPORT ------------\nEvent: time 1584656707.490764, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12\nEvent: time 1584656707.490764, type 1 (EV_KEY), code 18 (KEY_E), value 1\nEvent: time 1584656707.490764, -------------- SYN_REPORT ------------\nEvent: time 1584656707.574470, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12\nEvent: time 1584656707.574470, type 1 (EV_KEY), code 18 (KEY_E), value 0\nEvent: time 1584656707.574470, -------------- SYN_REPORT ------------\nEvent: time 1584656707.608236, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31\nEvent: time 1584656707.608236, type 1 (EV_KEY), code 49 (KEY_N), value 1\nEvent: time 1584656707.608236, -------------- SYN_REPORT ------------\nEvent: time 1584656707.707004, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31\nEvent: time 1584656707.707004, type 1 (EV_KEY), code 49 (KEY_N), value 0\nEvent: time 1584656707.707004, -------------- SYN_REPORT ------------\nEvent: time 1584656707.759770, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14\nEvent: time 1584656707.759770, type 1 (EV_KEY), code 20 (KEY_T), value 1\nEvent: time 1584656707.759770, -------------- SYN_REPORT ------------\nEvent: time 1584656707.840425, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14\nEvent: 
time 1584656707.840425, type 1 (EV_KEY), code 20 (KEY_T), value 0\nEvent: time 1584656707.840425, -------------- SYN_REPORT ------------\nEvent: time 1584656707.923631, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17\nEvent: time 1584656707.923631, type 1 (EV_KEY), code 23 (KEY_I), value 1\nEvent: time 1584656707.923631, -------------- SYN_REPORT ------------\nEvent: time 1584656708.029116, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17\nEvent: time 1584656708.029116, type 1 (EV_KEY), code 23 (KEY_I), value 0\nEvent: time 1584656708.029116, -------------- SYN_REPORT ------------\nEvent: time 1584656708.207446, type 4 (EV_MSC), code 4 (MSC_SCAN), value 26\nEvent: time 1584656708.207446, type 1 (EV_KEY), code 38 (KEY_L), value 1\nEvent: time 1584656708.207446, -------------- SYN_REPORT ------------\nEvent: time 1584656708.273697, type 4 (EV_MSC), code 4 (MSC_SCAN), value 26\nEvent: time 1584656708.273697, type 1 (EV_KEY), code 38 (KEY_L), value 0\nEvent: time 1584656708.273697, -------------- SYN_REPORT ------------\nEvent: time 1584656708.390800, type 4 (EV_MSC), code 4 (MSC_SCAN), value 26\nEvent: time 1584656708.390800, type 1 (EV_KEY), code 38 (KEY_L), value 1\nEvent: time 1584656708.390800, -------------- SYN_REPORT ------------\nEvent: time 1584656708.458067, type 4 (EV_MSC), code 4 (MSC_SCAN), value 26\nEvent: time 1584656708.458067, type 1 (EV_KEY), code 38 (KEY_L), value 0\nEvent: time 1584656708.458067, -------------- SYN_REPORT ------------\nEvent: time 1584656708.540949, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12\nEvent: time 1584656708.540949, type 1 (EV_KEY), code 18 (KEY_E), value 1\nEvent: time 1584656708.540949, -------------- SYN_REPORT ------------\nEvent: time 1584656708.624457, type 4 (EV_MSC), code 4 (MSC_SCAN), value 12\nEvent: time 1584656708.624457, type 1 (EV_KEY), code 18 (KEY_E), value 0\nEvent: time 1584656708.624457, -------------- SYN_REPORT ------------\nEvent: time 1584656709.244644, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17\nEvent: 
time 1584656709.244644, type 1 (EV_KEY), code 23 (KEY_I), value 1\nEvent: time 1584656709.244644, -------------- SYN_REPORT ------------\nEvent: time 1584656709.340086, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17\nEvent: time 1584656709.340086, type 1 (EV_KEY), code 23 (KEY_I), value 0\nEvent: time 1584656709.340086, -------------- SYN_REPORT ------------\nEvent: time 1584656709.474963, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31\nEvent: time 1584656709.474963, type 1 (EV_KEY), code 49 (KEY_N), value 1\nEvent: time 1584656709.474963, -------------- SYN_REPORT ------------\nEvent: time 1584656709.590218, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31\nEvent: time 1584656709.590218, type 1 (EV_KEY), code 49 (KEY_N), value 0\nEvent: time 1584656709.590218, -------------- SYN_REPORT ------------\nEvent: time 1584656709.590407, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14\nEvent: time 1584656709.590407, type 1 (EV_KEY), code 20 (KEY_T), value 1\nEvent: time 1584656709.590407, -------------- SYN_REPORT ------------\nEvent: time 1584656709.692163, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14\nEvent: time 1584656709.692163, type 1 (EV_KEY), code 20 (KEY_T), value 0\nEvent: time 1584656709.692163, -------------- SYN_REPORT ------------\nEvent: time 1584656709.775366, type 4 (EV_MSC), code 4 (MSC_SCAN), value 13\nEvent: time 1584656709.775366, type 1 (EV_KEY), code 19 (KEY_R), value 1\nEvent: time 1584656709.775366, -------------- SYN_REPORT ------------\nEvent: time 1584656709.858065, type 4 (EV_MSC), code 4 (MSC_SCAN), value 13\nEvent: time 1584656709.858065, type 1 (EV_KEY), code 19 (KEY_R), value 0\nEvent: time 1584656709.858065, -------------- SYN_REPORT ------------\nEvent: time 1584656709.890584, type 4 (EV_MSC), code 4 (MSC_SCAN), value 18\nEvent: time 1584656709.890584, type 1 (EV_KEY), code 24 (KEY_O), value 1\nEvent: time 1584656709.890584, -------------- SYN_REPORT ------------\nEvent: time 1584656709.991261, type 4 (EV_MSC), code 4 (MSC_SCAN), value 18\nEvent: 
time 1584656709.991261, type 1 (EV_KEY), code 24 (KEY_O), value 0\nEvent: time 1584656709.991261, -------------- SYN_REPORT ------------\nEvent: time 1584656710.071776, type 4 (EV_MSC), code 4 (MSC_SCAN), value 20\nEvent: time 1584656710.071776, type 1 (EV_KEY), code 32 (KEY_D), value 1\nEvent: time 1584656710.071776, -------------- SYN_REPORT ------------\nEvent: time 1584656710.140715, type 4 (EV_MSC), code 4 (MSC_SCAN), value 16\nEvent: time 1584656710.140715, type 1 (EV_KEY), code 22 (KEY_U), value 1\nEvent: time 1584656710.140715, -------------- SYN_REPORT ------------\nEvent: time 1584656710.140908, type 4 (EV_MSC), code 4 (MSC_SCAN), value 20\nEvent: time 1584656710.140908, type 1 (EV_KEY), code 32 (KEY_D), value 0\nEvent: time 1584656710.140908, -------------- SYN_REPORT ------------\nEvent: time 1584656710.241554, type 4 (EV_MSC), code 4 (MSC_SCAN), value 16\nEvent: time 1584656710.241554, type 1 (EV_KEY), code 22 (KEY_U), value 0\nEvent: time 1584656710.241554, -------------- SYN_REPORT ------------\nEvent: time 1584656710.292262, type 4 (EV_MSC), code 4 (MSC_SCAN), value 2e\nEvent: time 1584656710.292262, type 1 (EV_KEY), code 46 (KEY_C), value 1\nEvent: time 1584656710.292262, -------------- SYN_REPORT ------------\nEvent: time 1584656710.376851, type 4 (EV_MSC), code 4 (MSC_SCAN), value 2e\nEvent: time 1584656710.376851, type 1 (EV_KEY), code 46 (KEY_C), value 0\nEvent: time 1584656710.376851, -------------- SYN_REPORT ------------\nEvent: time 1584656710.591074, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14\nEvent: time 1584656710.591074, type 1 (EV_KEY), code 20 (KEY_T), value 1\nEvent: time 1584656710.591074, -------------- SYN_REPORT ------------\nEvent: time 1584656710.640977, type 4 (EV_MSC), code 4 (MSC_SCAN), value 14\nEvent: time 1584656710.640977, type 1 (EV_KEY), code 20 (KEY_T), value 0\nEvent: time 1584656710.640977, -------------- SYN_REPORT ------------\nEvent: time 1584656710.674514, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17\nEvent: 
time 1584656710.674514, type 1 (EV_KEY), code 23 (KEY_I), value 1\nEvent: time 1584656710.674514, -------------- SYN_REPORT ------------\nEvent: time 1584656710.773591, type 4 (EV_MSC), code 4 (MSC_SCAN), value 17\nEvent: time 1584656710.773591, type 1 (EV_KEY), code 23 (KEY_I), value 0\nEvent: time 1584656710.773591, -------------- SYN_REPORT ------------\nEvent: time 1584656710.857087, type 4 (EV_MSC), code 4 (MSC_SCAN), value 18\nEvent: time 1584656710.857087, type 1 (EV_KEY), code 24 (KEY_O), value 1\nEvent: time 1584656710.857087, -------------- SYN_REPORT ------------\nEvent: time 1584656710.976040, type 4 (EV_MSC), code 4 (MSC_SCAN), value 18\nEvent: time 1584656710.976040, type 1 (EV_KEY), code 24 (KEY_O), value 0\nEvent: time 1584656710.976040, -------------- SYN_REPORT ------------\nEvent: time 1584656711.026258, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31\nEvent: time 1584656711.026258, type 1 (EV_KEY), code 49 (KEY_N), value 1\nEvent: time 1584656711.026258, -------------- SYN_REPORT ------------\nEvent: time 1584656711.107580, type 4 (EV_MSC), code 4 (MSC_SCAN), value 31\nEvent: time 1584656711.107580, type 1 (EV_KEY), code 49 (KEY_N), value 0<\/code><\/pre>\n\n\n\n<p>That is quite a block, but it is actually not that impressive: it simply records when a key is pressed (&quot;value 1&quot;) and when it is released (&quot;value 0&quot;). With that understood, we can apply a first filter with grep. <br><br><em><strong>grep &quot;value 1&quot; petite_frappe.txt<\/strong><\/em><br><br>It is still unreadable, I admit, but in the end what we care about is the keys, so we add another filter:<br><br><strong><em>grep &quot;value 1&quot; petite_frappe.txt | grep &quot;KEY_.&quot; --only-matching<\/em><\/strong><br><br>That is better, but we are not quite there yet. 
We are starting to make something out. Let's finish the command like this:<br><br><strong><em>grep &quot;value 1&quot; petite_frappe.txt | grep &quot;KEY_.&quot; --only-matching | cut -d &quot;_&quot; -f 2 | tr -d '\\n'<\/em><\/strong><br><br>This gives us the following flag:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"555\" src=\"https:\/\/blog.caturday-lovers.fr.nf\/wp-content\/uploads\/2020\/05\/2020-05-05_13h10_42-1024x555.png\" alt=\"\" class=\"wp-image-135\" srcset=\"https:\/\/blog.caturday-lovers.fr.nf\/wp-content\/uploads\/2020\/05\/2020-05-05_13h10_42-1024x555.png 1024w, https:\/\/blog.caturday-lovers.fr.nf\/wp-content\/uploads\/2020\/05\/2020-05-05_13h10_42-300x163.png 300w, https:\/\/blog.caturday-lovers.fr.nf\/wp-content\/uploads\/2020\/05\/2020-05-05_13h10_42-768x416.png 768w, https:\/\/blog.caturday-lovers.fr.nf\/wp-content\/uploads\/2020\/05\/2020-05-05_13h10_42-1536x832.png 1536w, https:\/\/blog.caturday-lovers.fr.nf\/wp-content\/uploads\/2020\/05\/2020-05-05_13h10_42.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow 
wp-block-quote-is-layout-flow\"><p>FCSC{UNEGENTILLEINTRODUCTION}<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":13,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[60,80,61,82,79,78,81],"class_list":["post-126","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kitensgotanswer","tag-ctf","tag-evemu-play","tag-fcsc","tag-flag","tag-keylogger","tag-petite-frappe-1","tag-wsl"],"_links":{"self":[{"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=\/wp\/v2\/posts\/126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=126"}],"version-history":[{"count":4,"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=\/wp\/v2\/posts\/126\/revisions"}],"predecessor-version":[{"id":166,"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=\/wp\/v2\/posts\/126\/revisions\/166"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=\/wp\/v2\/media\/13"}],"wp:attachment":[{"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.caturday-lovers.fr.nf\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=126"}],"curies":[{"na
me":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}