Keyboard Junkie Writeup | Huntress CTF 2024

0xh4lpy
Nov 1, 2024

My friend wouldn’t shut up about his new keyboard, so…

Keyboard Junkie was a Forensics challenge released on Day #14 of the Huntress Labs Capture the Flag (CTF) competition. We were provided a PCAP file, keyboard_junkie, containing the USB communication of a keyboard, and tasked with extracting the keys pressed.

Wireshark: Snapshot of the USB communication packets
$ file keyboard_junkie.pcap
keyboard_junkie.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Memory-mapped Linux USB, capture length 245824)

This is a fairly common CTF challenge, so there are good tools and documentation to help solve it [1]. The encoded keystrokes correspond to the data shown in Table 12 of the USB HID Usage Tables:

USB HID Usage Tables: Table 12 showing key to hex mapping

To solve this, I first used tshark to extract the keypresses to a file, keystrokes.txt, and then used ctf-usb-keyboard-parser by TeamRocketIst on GitHub to decode the keypresses from hex:

tshark and ctf-usb-keyboard-parser to get the flag
flag{f7733e0093b7d281dd0a30fcf34a9634}
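
To show what the decoding step does with the usage-table mapping, here is an added example (not from the original writeup and not the ctf-usb-keyboard-parser code). It assumes each line is one hex-encoded 8-byte boot-protocol keyboard report and a US layout; the sample reports are constructed, not taken from the challenge capture.

```python
import string

# Report layout: byte 0 = modifier bits, byte 1 = reserved, bytes 2-7 = usage IDs.
SHIFT_MASK = 0x22   # left shift (bit 1) | right shift (bit 5)
BACKSPACE = 0x2A

# Usage IDs from the HID keyboard page: 0x04-0x1d letters, 0x1e-0x27 digits.
UNSHIFTED = {0x04 + i: c for i, c in enumerate(string.ascii_lowercase)}
UNSHIFTED.update({0x1E + i: c for i, c in enumerate("1234567890")})
UNSHIFTED.update({0x28: "\n", 0x2B: "\t", 0x2C: " "})
UNSHIFTED.update({0x2D + i: c for i, c in enumerate("-=[]\\")})
UNSHIFTED.update({0x33 + i: c for i, c in enumerate(";'`,./")})

SHIFTED = dict(UNSHIFTED)
SHIFTED.update({0x04 + i: c for i, c in enumerate(string.ascii_uppercase)})
SHIFTED.update({0x1E + i: c for i, c in enumerate("!@#$%^&*()")})
SHIFTED.update({0x2D + i: c for i, c in enumerate("_+{}|")})
SHIFTED.update({0x33 + i: c for i, c in enumerate(':"~<>?')})

def decode(reports):
    """Turn an iterable of hex report strings into the typed text."""
    out, prev = [], set()
    for line in reports:
        raw = bytes.fromhex(line.strip().replace(":", ""))
        if len(raw) != 8:
            continue  # not a boot-protocol keyboard report
        table = SHIFTED if raw[0] & SHIFT_MASK else UNSHIFTED
        # 0x00 = empty slot, 0x01-0x03 = rollover/error codes
        keys = [k for k in raw[2:8] if k > 0x03]
        for k in keys:
            if k in prev:
                continue  # key still held from the previous report
            if k == BACKSPACE:
                if out:
                    out.pop()
            elif k in table:
                out.append(table[k])
        prev = set(keys)
    return "".join(out)

# Constructed sample: Shift+h, i, l pressed while i is held, Backspace, "{", "1", "}".
SAMPLE = [
    "0200000000000000", "02000b0000000000", "0000000000000000",
    "00000c0000000000", "00000c0f00000000", "0000000000000000",
    "00002a0000000000", "0000000000000000", "02002f0000000000",
    "0000000000000000", "00001e0000000000", "0000000000000000",
    "0200300000000000", "0000000000000000",
]

if __name__ == "__main__":
    print(decode(SAMPLE))
```

Tracking the previous report matters because a held key reappears in every following report; a decoder that only reads byte 2 repeats or drops characters when keys overlap.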

References

[1] HackTricks. USB Keystrokes. https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes

[2] Universal Serial Bus (USB) Hid Usage Tables. https://usb.org/sites/default/files/documents/hut1_12v2.pdf

[3] TeamRocketIst — GitHub. ctf-usb-keyboard-parser. https://github.com/TeamRocketIst/ctf-usb-keyboard-parser

Written by 0xh4lpy

Cybersecurity professional with a focus on digital forensics, incident response, and CTFs. Sharing insight and experience to enhance security knowledge.
