Hack The Box Writeup — USBRipper

In this challenge, I want to tell you about the importance of coding and of learning how to code. This challenge is easy when you can create an algorithm and express it as a program. Let’s start!

Challenge Introduction

There is a sysadmin, who has been dumping all the USB events on his Linux host all year… Recently, some bad guys managed to steal some data from his machine when they broke into the office. Can you help him to put a tail on the intruders? Note: once you find it, “crack” it.

This challenge requires us to find the intruders. Inside the downloadable zip, there are 2 files, auth.json and syslog.

Solution

We can safely assume that syslog is the dumped USB events. There are 900.000 lines of log inside. auth.json looks like a pack of numbers; we do not know yet what they are, but, referring to the name, they are most likely the authenticated numbers. Based on that analysis, I made a hypothesis: maybe I need to crosscheck any number in the syslog and see which number does not exist in the auth file.

If we look at the pattern, auth.json contains hexadecimal numbers. You can check it by using the Find function in any text editor and looking for the character “G”. If it does not exist, then we know its character set is in the range of 0–9 and A–F, regardless of the case.

From all these logs, only 3 pieces of information will be useful, which are product, manufacturer, and serial number. I made another assumption. I assume that products and manufacturers are repeatable, since we know that everybody can own the same product or a different product from the same manufacturer. Therefore, I assume the only possible unique number is the serial number. It will occur multiple times, but if it is authorized, that device is surely authorized.

Now that we understand the problem and the resources, it is time to use them. This is my strategy.

  1. First, the program opens the syslog file.
  2. Iterate over every line and check whether “SerialNumber” exists.
  3. If it does not exist, continue to the next iteration. If it exists, get the hex number using a string slice.
  4. Crosscheck the number against auth.json. If it exists, continue to the next iteration; otherwise, write the serial number to a file.
  5. Continue the iteration for all lines.

And this is my code

Checking Unauthorized Serial Number

If you notice, the first for expression loops over all the syslog files, which I had split beforehand into 10 files so they would be easier to open. The slice expression is used because I saw a repetitive pattern: every serial number in each log line starts at character 67 and runs to the end of the line. To optimize the code, I added the authorized serial numbers to an array in order to avoid repetitive checking. I did not add the unauthorized serial number to the array because I wanted to know every occurrence of this number (because I thought it was important).
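The strategy above, written out as an added Python example; it is not the author's script. It assumes each relevant log line carries a `SerialNumber: <value>` field and that auth.json is a JSON document whose strings are the authorized values. It uses a regular expression in place of the fixed slice at character 67, and the function names and sample data are constructed for illustration.

```python
import json
import re
from collections import Counter

# Assumption: the serial appears as "SerialNumber: <value>" in the log line.
SERIAL_RE = re.compile(r"SerialNumber:\s*(\S+)")

def load_authorized(auth_text):
    """Collect every string found anywhere in the JSON document, upper-cased."""
    found = set()
    def walk(node):
        if isinstance(node, str):
            found.add(node.strip().upper())
        elif isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(json.loads(auth_text))
    return found

def unauthorized_serials(log_lines, authorized):
    """Count each serial seen in the log that is absent from the allow-list."""
    hits = Counter()
    for line in log_lines:
        match = SERIAL_RE.search(line)
        if match is None:
            continue  # not a SerialNumber line, skip it
        serial = match.group(1).upper()  # compare case-insensitively
        if serial not in authorized:
            hits[serial] += 1  # keep every occurrence, as in the writeup
    return hits

# Constructed sample data (not taken from the challenge files).
SAMPLE_AUTH = '{"serial": ["0A1B2C3D4E5F", "AABBCCDDEEFF"]}'
SAMPLE_LOG = [
    "Jan  5 10:00:01 host kernel: [  101.100000] usb 1-1: Product: Flash Drive",
    "Jan  5 10:00:01 host kernel: [  101.100100] usb 1-1: Manufacturer: ExampleCorp",
    "Jan  5 10:00:01 host kernel: [  101.100200] usb 1-1: SerialNumber: 0a1b2c3d4e5f",
    "Jan  6 11:30:12 host kernel: [  202.200200] usb 1-2: SerialNumber: DEADBEEF0001",
    "Jan  7 09:15:44 host kernel: [  303.300200] usb 1-1: SerialNumber: AABBCCDDEEFF",
    "Jan  8 23:59:59 host kernel: [  404.400200] usb 1-2: SerialNumber: DEADBEEF0001",
]

if __name__ == "__main__":
    allowed = load_authorized(SAMPLE_AUTH)
    for serial, count in unauthorized_serials(SAMPLE_LOG, allowed).items():
        print(f"{serial} seen {count} time(s)")
```

Because `unauthorized_serials` accepts any iterable of lines, an open file handle can be passed directly, which streams a large syslog without splitting it first.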

After I executed the script, I opened the related file and this is what I got.

Not Found Result

So this is the serial number that is not authorized. We can look for more information in the syslog file, but it is not important (I did check, but I found it is not related to the challenge).

If we examine the number, it contains 32 characters in hexadecimal. The challenge asks us to “crack” it when we find it. The first thing that popped into my mind was “md5”. md5 has 32 characters in the hexadecimal character set. At first, I tried several md5 crackers but got no result. Desperately, I just copied the serial number and googled it.

Google Search for Related Hexadecimals

And there you go, the answer is inside one of the blogs. To submit the flag, add HTB{} and place your answer inside the brackets.

Mistakes

  1. Before I crosschecked the serial numbers against auth, I did the reverse process: I crosschecked the auth.json numbers against the syslog serial numbers. Of course, some of the numbers in auth.json are not listed in syslog because not every device has to be used on that machine.

Conclusion

In this challenge, we learn that programming is helpful when it comes to repetitive tasks and finding information inside a large dataset. Even more, it is important to evaluate the logic before we create the program. That’s all! To GOD be all the glory.

A humble learner of everything around IT especially in IT implementation, governance, risk management, and cybersecurity.