Challenge Description
1
2
3
There is a sysadmin, who has been dumping all the USB events on his Linux host all the year...
Recently, some bad guys managed to steal some data from his machine when they broke into the office.
Can you help him to put a tail on the intruders? Note: once you find it, "crack" it.
SOLUTION
Download the Challenge File. You are provided with a zip file names as USB Ripper.zip.
There are 2 files names as auth.json and syslog in the compressed file.
Decompress those files.
The Serial numbers of Authorized devices are loged in auth.json.
In the file syslog there are the details of devices that are used in office machine
Actually I don’t have any knowledge about any tools used by sys admin to manage the login information.
I have seen the serial numbers that are listed in auth.json file, and found that the serial number matches the serial numbers in syslog file.
ASSUMPTION
As
syslogfile logs the information about devices that are pluged in the machine
then it might also log the serial number of unauthorized devices.If the authorized serial numbers are listed in
auth.jsonfile,
then we can easily compare the serial numbers fromsyslogfile
withauth.jsonfile and identify the serial of un-recognized device.
SCRIPTING
As I am not aware of any inbuilt scripts or softwares for analyzing about these log files,
I started to write my own code in python3.
The Code that is used to solve this challenge is:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# ARIJIT BHOWMICK [sys41x4]
file = open('usb-ripper/auth.json', "r")
file_content = file.read()
file.close()
sys_log_ = open('usb-ripper/syslog', 'r')
sys_log = sys_log_.readlines()
sys_log_.close()
checked_serial = []
def serial_checker(serial):
global checked_serial
global invalid_serials
if (serial not in checked_serial):
checked_serial+=[serial]
if (serial not in file_content):
print(f"Invalid Serial : {serial}")
invalid_serials_file = open("invalid_serials.txt", "a")
invalid_serials_file.write(serial+"\n")
invalid_serials_file.close()
else:
pass
else:
pass
for line in sys_log:
if ("SerialNumber: " in line) == True:
serial_checker(line.split("SerialNumber: ")[1].replace("\n", ""))
else:
pass
print("""Serial Checking Completed
Invalid serials are noted in \'invalid_serials.txt\' file""")
CODE DESCRIPTION :
This Code first read the auth.json file in plain text and store the text in file_content variable.
Then it reads the lines of syslog file and store the list of lines in sys_log variable.
Then a loop runs where it checks the SerialNumber: string in each line of syslog file.
If it finds the matching string, then it get the serial number from that line and pass it to serial_checker()
function where it checks if the serial number is listed in checked_serial list.
If the serial number is not checked earlier then it will add the serial number in the checked_serial list and
check if it is listed inauth.jsonfile.If the serial number is not listed in
auth.jsonfile, then a file namedinvalid_serials.txtwill be created with the un-recognized serial numberIf the serial number is listed in
auth.jsonfile, then it will pass the argument.
If the serial number is checked earlier then it will pass the argument.
This process will continue until all the serial numbers from syslog will be checked.
At last all the un-recognized Serial Numbers will be listed in invalid_serials.txt file.
After Running the script
Cracking
Then I have used crackstation to crack the hash that is listed in invalid_serials.txt file.
At last the Flag of this challenge would be HTB{*****************}
This is how, I solved this challenge.
Thankyou, for reading my writeup :)
Hope, I would see you in my next writeup.
Support Me if you want to.