还是从第一个 URB向后看
发现 同时 存在 2.8.1 2.10.1 2.4.1
但是显然 2.4.1 是7个字节 不满足 usb流量要求
只考虑 2.8.1 和 2.10.1
tshark -r ez_usb.pcapng -T json -Y "usb.src == \"2.8.1\"" -e usbhid.data > 281.json
正常取数据即可
import json
with open('281.json') as f:data = json.load(f)a=[]
for i in data:try:a.append(i['_source']['layers']['usbhid.data'][0])except:continue
#键盘流量
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}nums = []
for line in a:if len(line)!=16: # 鼠标流量的话len改为8continuenums.append(line[0:2]+line[4:6]) #????????×???
print(nums)output = []
for n in nums:if n[2:4] == "00" :continueif n[2:4] in normalKeys:if n[0:2]=="02":output.append(shiftKeys[n[2:4]])else :output.append(normalKeys[n[2:4]])else:output += '[unknown]'
print(output)flag=0
for i in range(len(output)):try:a=output.index('<DEL>')del output[a]del output[a-1]except:passfor i in range(len(output)):try:if output[i]=="<CAP>":flag+=1output.pop(i)if flag==2:flag=0if flag!=0:output[i]=output[i].upper()except:pass
print ('output :' + "".join(output))
可以发现数据流是rar文件
将16进制流写入文件
import base64
data="526172211a0700Cf907300000d00000000000000c4527424943500300000002A00000002b9f9b0530778b5541d33080020000000666c61672E747874B9Ba013242f3aFC000b092c229d6e994167c05A78708b271fFC042ae3d251e65536F9Ada87c77406b67d0E6316684766a86e844dC81AA2c72c71348d10c43D7B00400700e0"
with open("flag.rar","wb") as f:f.write(base64.b16decode(data.upper()))
发现存在压缩包密码
接着提取 2.10.1的数据
一模一样的操作
tshark -r ez_usb.pcapng -T json -Y "usb.src == \"2.10.1\"" -e usbhid.data > 2101.json
import json
with open('2101.json') as f:data = json.load(f)a=[]
for i in data:try:a.append(i['_source']['layers']['usbhid.data'][0])except:continue
#键盘流量
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}nums = []
for line in a:if len(line)!=16: # 鼠标流量的话len改为8continuenums.append(line[0:2]+line[4:6]) #????????×???
print(nums)output = []
for n in nums:if n[2:4] == "00" :continueif n[2:4] in normalKeys:if n[0:2]=="02":output.append(shiftKeys[n[2:4]])else :output.append(normalKeys[n[2:4]])else:output += '[unknown]'
print(output)flag=0
for i in range(len(output)):try:a=output.index('<DEL>')del output[a]del output[a-1]except:passfor i in range(len(output)):try:if output[i]=="<CAP>":flag+=1output.pop(i)if flag==2:flag=0if flag!=0:output[i]=output[i].upper()except:pass
print ('output :' + "".join(output))
可以拿到字符串 35c535765e50074a
打开压缩包就是flag
flag{20de17cc-d2c1-4b61-bebd-41159ed7172d}
 统一异常处理)
)
)
)
