# Monkey see

> 🙈
>
> File: “[monkey-see.pcapng](https://drive.google.com/file/d/1f5_VTn7AKye-fEieUD2LwCH39l8NI1Qu/view?usp=sharing)”

![image](https://hackmd.io/_uploads/SJ0-txy-eg.png)

So there are some USB packets given. After a little research you can find some helpful material such as [USB HID](https://wiki.osdev.org/USB_Human_Interface_Devices). I figured out that the leftover capture data is what we need to look into: extract the report bytes and transform them into a readable format.

```bash
tshark -r monkey-see.pcapng -Tfields -Eseparator=, -e usb.capdata -Y 'usb.transfer_type == 0x01 && usb.dst == "host" && !(usb.capdata == 00:00:00:00:00:00:00:00)' | sed 's/://g' > monkey-see-data.txt
```

With some head-scratching and a few tries, this is the one-liner I used to extract the USB capture data, which looks like this:

![image](https://hackmd.io/_uploads/S1v3Yeybgg.png)

Now, based on the link mentioned above, I made a small script for this:

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys

# USB HID keyboard usage IDs -> [unshifted, shifted] characters
KEY_CODES = {
    0x04: ['a', 'A'], 0x05: ['b', 'B'], 0x06: ['c', 'C'], 0x07: ['d', 'D'],
    0x08: ['e', 'E'], 0x09: ['f', 'F'], 0x0A: ['g', 'G'], 0x0B: ['h', 'H'],
    0x0C: ['i', 'I'], 0x0D: ['j', 'J'], 0x0E: ['k', 'K'], 0x0F: ['l', 'L'],
    0x10: ['m', 'M'], 0x11: ['n', 'N'], 0x12: ['o', 'O'], 0x13: ['p', 'P'],
    0x14: ['q', 'Q'], 0x15: ['r', 'R'], 0x16: ['s', 'S'], 0x17: ['t', 'T'],
    0x18: ['u', 'U'], 0x19: ['v', 'V'], 0x1A: ['w', 'W'], 0x1B: ['x', 'X'],
    0x1C: ['y', 'Y'], 0x1D: ['z', 'Z'],
    0x1E: ['1', '!'], 0x1F: ['2', '@'], 0x20: ['3', '#'], 0x21: ['4', '$'],
    0x22: ['5', '%'], 0x23: ['6', '^'], 0x24: ['7', '&'], 0x25: ['8', '*'],
    0x26: ['9', '('], 0x27: ['0', ')'],
    0x28: ['\n', '\n'], 0x29: ['[ESC]', '[ESC]'],
    0x2a: ['[BACKSPACE]', '[BACKSPACE]'], 0x2C: [' ', ' '],
    0x2D: ['-', '_'], 0x2E: ['=', '+'], 0x2F: ['[', '{'], 0x30: [']', '}'],
    0x32: ['#', '~'], 0x33: [';', ':'], 0x34: ['\'', '"'], 0x36: [',', '<'],
    0x37: ['.', '>'], 0x38: ['/', '?'],
    0x39: ['[CAPSLOCK]', '[CAPSLOCK]'], 0x2b: ['\t', '\t'],
    0x4f: [u'→', u'→'], 0x50: [u'←', u'←'], 0x51: [u'↓', u'↓'],
    0x52: [u'↑', u'↑'],
}


def read_usb_pcap(file):
    """Decode 8-byte HID keyboard reports given as plain hex, one per line."""
    lines = [""]
    output = ''
    cursor_x = 0
    cursor_y = 0
    last_keys = set()
    with open(file, 'r') as f:
        datas = f.read().splitlines()
    datas = [d.strip() for d in datas if d]
    for data in datas:
        if not all(c in "0123456789abcdefABCDEF" for c in data):
            continue
        if len(data) < 16:
            continue
        report = [int(data[i:i+2], 16) for i in range(0, len(data), 2)]
        modifier = report[0]
        keys = report[2:8]
        # 0x02 = left shift, 0x20 = right shift
        shift = 1 if (modifier & 0x22) else 0
        current_keys = set(k for k in keys if k != 0)
        # Only keys that were not held in the previous report are new presses;
        # keep them in report order so the output is deterministic
        new_keys = current_keys - last_keys
        pressed = [k for k in keys if k in new_keys]
        last_keys = current_keys
        for key in pressed:
            if key not in KEY_CODES:
                continue
            char = KEY_CODES[key][shift]
            if char == '\n':
                lines.append("")
                lines[cursor_y] += output
                cursor_x = 0
                cursor_y += 1
                output = ''
            elif char == '[BACKSPACE]':
                output = output[:-1]
                cursor_x -= 1
            else:
                output += char
                cursor_x += 1
    if lines == [""]:
        lines[0] = output
    if output != '' and output not in lines:
        lines[cursor_y] += output
    return '\n'.join(lines)


def read_use(file):
    """Decode colon-separated 4-field lines (modifier:..:key:..)."""
    with open(file, 'r') as f:
        datas = f.read().splitlines()
    datas = [d.strip() for d in datas if d]
    cursor_x = 0
    cursor_y = 0
    lines = [""]
    output = ''
    skip_next = False
    for data in datas:
        split_data = data.split(':')
        if len(split_data) != 4:
            continue
        shift = int(split_data[0], 16)
        key = int(split_data[2], 16)
        if skip_next:
            skip_next = False
            continue
        if key == 0 or int(split_data[3], 16) > 0:
            continue
        if shift != 0:
            shift = 1
            skip_next = True
        # Ignore usage IDs that are not in the table instead of raising KeyError
        if key not in KEY_CODES:
            continue
        char = KEY_CODES[key][shift]
        if char == u'↑':
            lines[cursor_y] += output
            output = ''
            # Clamp so the cursor stays inside the decoded lines
            cursor_y = max(cursor_y - 1, 0)
        elif char == u'↓':
            lines[cursor_y] += output
            output = ''
            cursor_y = min(cursor_y + 1, len(lines) - 1)
        elif char == u'→':
            cursor_x += 1
        elif char == u'←':
            cursor_x -= 1
        elif char == '\n':
            lines.append("")
            lines[cursor_y] += output
            cursor_x = 0
            cursor_y += 1
            output = ''
        elif char == '[BACKSPACE]':
            output = output[:-1]
            cursor_x -= 1
        else:
            output += char
            cursor_x += 1
    if lines == [""]:
        lines[0] = output
    if output != '' and output not in lines:
        lines[cursor_y] += output
    return '\n'.join(lines)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Missing file to read...')
        sys.exit(1)
    filename = sys.argv[1]
    with open(filename, 'r') as f:
        first_line = f.readline().strip()
    # FINAL FIX: drop the length check, plain hex is enough
    if all(c in "0123456789abcdefABCDEF" for c in first_line):
        print(read_usb_pcap(filename))
    else:
        print(read_use(filename))
```

Running this script, we got a HUGE wall of plain text, and the flag was in it!

![image](https://hackmd.io/_uploads/ryB49gJ-ee.png)

**Flag: BtSCTF{m0nk3y_tYpE!!1!!oneone!}**

# Chiroptera Timida

> Shall pass this childish brainrot and get the flag!
>
> File: “[Bat_Song.wav](https://drive.google.com/file/d/14Rc49pMG2D2K1ukuvE5NOBCq-MOEwQ8m/view?usp=drive_link)”

This is a quick one using Audacity:

* Open the file in Audacity
* View it in Spectrogram
* Zoom in and see the flag

![image](https://hackmd.io/_uploads/BJbgTe1Zeg.png)

**Flag: BtSCTF{I_am_batman_I_can_hear_it}**

# monkey paint?

> It seems like our monkey has got some new special abilities 🐵
>
> File: “[monkey-paint.pcapng](https://drive.google.com/file/d/1z-ZxdB0RGxP1mgHEzlH-52O6Hea5zJbp/view?usp=drive_link)”

This is another USB data file, so I ran the same logic and got something:

![image](https://hackmd.io/_uploads/ByNO--y-lx.png)

It took me a while to figure out, but again [USB HID](https://wiki.osdev.org/USB_Human_Interface_Devices) helped in figuring out that it's USB mouse capture data, and I made a script for this:

```python
from PIL import Image

# Read the hex data
with open("monkey-paint-data.txt", "r") as f:
    lines = f.readlines()

# Create a white canvas
img_size = 1000
img = Image.new('RGB', (img_size, img_size), color='white')
canvas = img.load()
mouse_x, mouse_y = img_size // 2, img_size // 2

# Process each line
for line in lines:
    line = line.strip()
    # Only handle reports shorter than 8 bytes (16 hex chars); at least
    # 3 bytes (buttons, X, Y) are needed, so blank or short lines are skipped
    if not (6 <= len(line) < 16):
        continue
    data = bytes(int(line[i:i+2], 16) for i in range(0, len(line), 2))
    button = data[0]
    x_offset = int.from_bytes(data[1:2], "big", signed=True)
    y_offset = int.from_bytes(data[2:3], "big", signed=True)
    mouse_x += x_offset
    mouse_y += y_offset

    # Check each button
    colors = []
    if button & 0b00000001:  # Left button
        colors.append((0, 0, 0))  # Black
    if button & 0b00000010:  # Right button
        colors.append((255, 0, 0))  # Red
    if button & 0b00000100:  # Middle button
        colors.append((0, 0, 255))  # Blue

    # Draw if a button is pressed
    for color in colors:
        for i in range(5):
            for j in range(5):
                xi = mouse_x + i
                yj = mouse_y + j
                if 0 <= xi < img_size and 0 <= yj < img_size:
                    canvas[xi, yj] = color

img.save("monkey_paint_fixed.png")
```

Run this script and we get this:

![monkey_paint_fixed](https://hackmd.io/_uploads/rkqtuWkZex.png)

**Flag: BtSCTF{yeah_it_does!11!}**

# copypasta

> I was moving one of the most relatable copypastas to me to a pendrive, but I think something went wrong during copying and pasting (hehe) and I can’t open the file. To make matters worse, I forgot the password, but it should be one of those in a wordlist. Can you help me recover my favourite copypasta?
>
> Files: “[copypasta.pdf](https://drive.google.com/file/d/1weS2vkFhNSaKOloL0_vzMErkBOzKVoWL/view?usp=drive_link)” “[wordlist.txt](https://drive.google.com/file/d/1jxAKF4za8KoJb9Ge-Zj17fvxiSXjOHVP/view?usp=drive_link)”

So we have a PDF file this time. First I cracked the password using `pdfcrack` with the given wordlist:

```shell
pdfcrack -w wordlist.txt copypasta.pdf
```

and we got this:

![image](https://hackmd.io/_uploads/rJzE_G1-gl.png)

The password is `pumpkin`, but the file is damaged, so we need to fix it.

![image](https://hackmd.io/_uploads/B1yV9Gk-le.png)

I found a website, [pdf repair](https://www.freepdfconvert.com/vi/repair-pdf), that can fix this.

![image](https://hackmd.io/_uploads/H12kiMJZgl.png)

**Flag: BtSCTF{we_have_to_censor_that_one_and_another_one_and_finally_that_one}**

# Sus data

> We caught the suspect, but his pendrive contained only this data. What could it be?
>
> File: “[Sus_data](https://drive.google.com/file/d/13yLda80ji-OUC3GcQc7UZtBiv5yJYYLf/view?usp=sharing)”

I opened it in `hexedit` and found a header that looks like a PNG header, but with errors.

![image](https://hackmd.io/_uploads/SJX6IXkZxl.png)

This is before and after I fixed it, but we still can't open it. Checking further, I found the issue: the IEND chunk’s CRC ended up inside the IDAT chunk by mistake. This made the IDAT chunk 4 bytes longer than it should’ve been. Once we remove the misplaced IEND CRC from the IDAT chunk, the image should load correctly. I made a script to fix it too; you can use this:

```python
def remove_hex_pattern(file_path, hex_pattern):
    pattern_bytes = bytes.fromhex(hex_pattern)
    with open(file_path, 'rb') as f:
        content = f.read()
    # Remove only the first occurrence (the stray copy inside IDAT); a global
    # replace would also strip the CRC of a valid trailing IEND chunk
    modified_content = content.replace(pattern_bytes, b'', 1)
    with open(file_path, 'wb') as f:
        f.write(modified_content)
    print(f"Pattern {hex_pattern} removed from {file_path}")


# AE426082 is the CRC of the PNG IEND chunk
remove_hex_pattern('Sus_data', 'AE426082')
```

and we got this:

![Sus_data](https://hackmd.io/_uploads/Skl3wXJbll.png)

**Flag: BtSCTF{Hecker_Picasso_3175624}**
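
The IDAT damage described above can be located and checked by walking the PNG chunks and verifying each CRC-32. This is an added example, not the author's script; it goes a step further by keeping the removal of `AE426082` only if every CRC then passes. The sample image is constructed inline, the helper names (`walk`, `is_valid`, `repair`, `sample_damaged`) are hypothetical, and it assumes the IDAT length field still holds the original length.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IEND_CRC = bytes.fromhex("AE426082")  # CRC-32 over the 4 type bytes b"IEND"

def chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC-32(type + data)."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def walk(png):
    """Follow declared lengths; return [(type, offset, crc_ok)], stop at first bad CRC."""
    out, pos = [], len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length
        ok = (end + 4 <= len(png) and
              zlib.crc32(png[pos + 4:end]) == struct.unpack(">I", png[end:end + 4])[0])
        out.append((ctype, pos, ok))
        if not ok:
            break  # chunk alignment is lost after a bad chunk
        pos = end + 4
    return out

def is_valid(png):
    """True when every chunk's CRC passes and the last chunk is IEND."""
    chunks = walk(png)
    return bool(chunks) and all(ok for _, _, ok in chunks) and chunks[-1][0] == b"IEND"

def repair(png):
    """Remove a stray IEND CRC from the first failing chunk; keep it only if CRCs then pass."""
    bad = [c for c in walk(png) if not c[2]]
    if not bad:
        return png
    pos = bad[0][1]
    length = struct.unpack(">I", png[pos:pos + 4])[0]
    stop = pos + 8 + length + 4          # declared data plus the 4 surplus bytes
    i = png.find(IEND_CRC, pos + 8, stop)
    while i != -1:
        candidate = png[:i] + png[i + 4:]
        if is_valid(candidate):
            return candidate
        i = png.find(IEND_CRC, i + 1, stop)
    return None

def sample_damaged():
    """Constructed 2x2 grayscale PNG, plus a copy with a stray IEND CRC inside IDAT."""
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 2, 8, 0, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x10\x20\x00\x30\x40"))
    good = PNG_SIG + ihdr + idat + chunk(b"IEND", b"")
    cut = len(PNG_SIG) + len(ihdr) + 8 + 5   # 5 bytes into the IDAT data
    return good, good[:cut] + IEND_CRC + good[cut:]
```

On the constructed sample, `walk` stops at the IDAT chunk with a failed CRC, and a blind global replace of the pattern also strips the CRC of the real IEND chunk, which `is_valid` rejects.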