HTB - USB Ripper
Categories: Forensics | Tags: Hackthebox
There is a sysadmin, who has been dumping all the USB events on his Linux host all the year… Recently, some bad guys managed to steal some data from his machine when they broke into the office. Can you help him to put a tail on the intruders? Note: once you find it, “crack” it.
The archive consists of two files: “auth.json” and “syslog”. The first appears to be a list of all authorized USB devices, while the second is the system log of all USB events from the sysadmin’s host.
Looking at the “syslog” file you can see that each USB device has three identifiers associated with it: product, manufacturer and serial number. To find the unauthorized USB device that was connected to the host, it is necessary to find all events whose identifiers are not listed in the “auth.json” file. It is reasonable to assume that product and manufacturer numbers may be shared by several devices, so the search can be narrowed to the serial number alone.
Use jq to extract serial numbers from the “auth.json” file.
$ jq -r '.serial' auth.json > auth
Filter out all authorized serial numbers from the “syslog” file.
$ grep -v -Ff auth syslog | grep SerialNumber:
Aug 3 07:18:01 kali kernel: [ 7364.305854] usb 1-1: SerialNumber: 71DF5A33EFFDEA5B1882C9FBDC1240C6
Only one unauthorized device was logged. As stated in the challenge description: once you find it, “crack” it. Identify the hash type of the SerialNumber with the hashtag tool.
$ hashtag -sh 71DF5A33EFFDEA5B1882C9FBDC1240C6 | head
Hash: 71DF5A33EFFDEA5B1882C9FBDC1240C6
[*] MD5 - Hashcat Mode 0
[*] NTLM - Hashcat Mode 1000
[*] MD4 - Hashcat Mode 900
[*] LM - Hashcat Mode 3000
[*] RAdmin v2.x
[*] Haval-128
[*] MD2
The most probable algorithm is MD5 (32 hexadecimal characters). Use hashcat in MD5 mode with the rockyou.txt wordlist to crack the hash.
$ hashcat -m 0 -a 0 hash.txt rockyou.txt --force
Alternatively, use the usbrip tool to find the violation event directly: it compares the serial numbers in the syslog against the authorized list and pairs each connect with its disconnect.
$ sudo usbrip events violations auth.json -f syslog
USB-Violation-Events
------------------------------------------------
Connected:     ????-08-03 07:18:01
Host:          kali
VID:           3993
PID:           9324
Product:       1F8ADAEE73D993944FC7C7783
Manufacturer:  884CCC9A3DF08F49C621373E
Serial Number: 71DF5A33EFFDEA5B1882C9FBDC1240C6
Bus-Port:      1-1
Disconnected:  ????-08-03 07:18:10
------------------------------------------------
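The jq/grep pipeline above and the connect/disconnect pairing that usbrip reports, combined in one added Python example. This is not the challenge author's code and not part of the usbrip project; it implements the same allow-list check from scratch. The auth.json and syslog excerpts are constructed in the shape the writeup describes (one JSON object per authorized device, so that `jq -r '.serial'` applies; kernel "SerialNumber:" and "USB disconnect" lines), and the only real value reused is the serial the writeup found. The `looks_like_md5` check encodes what the hashtag step concluded: a 32-character hex "serial" is a hash, not a vendor serial.

```python
import json
import re

# Constructed sample in the layout jq -r '.serial' consumes: one JSON object per line.
# These are not the challenge's real entries.
AUTH_JSON = """
{"product": "1234", "manufacturer": "5678", "serial": "AAAA1111BBBB2222"}
{"product": "4321", "manufacturer": "8765", "serial": "CCCC3333DDDD4444"}
"""

# Constructed syslog excerpt in the same shape as the kernel messages quoted above.
# Only the 71DF... serial is taken from the writeup; the other two are made up.
SYSLOG = """\
Aug  3 07:10:00 kali kernel: [ 6883.200300] usb 1-2: SerialNumber: AAAA1111BBBB2222
Aug  3 07:12:30 kali kernel: [ 7033.000000] usb 1-2: USB disconnect, device number 5
Aug  3 07:18:01 kali kernel: [ 7364.305854] usb 1-1: SerialNumber: 71DF5A33EFFDEA5B1882C9FBDC1240C6
Aug  3 07:18:10 kali kernel: [ 7373.000000] usb 1-1: USB disconnect, device number 6
Aug  3 07:20:00 kali kernel: [ 7483.000000] usb 1-2: SerialNumber: CCCC3333DDDD4444
"""

# syslog timestamp has no year, which is why usbrip prints "????" for it.
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
SERIAL_RE = re.compile(TS + r" \S+ kernel: \[\s*[\d.]+\] usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)$")
DISCONNECT_RE = re.compile(TS + r" \S+ kernel: \[\s*[\d.]+\] usb (?P<port>\S+): USB disconnect")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def load_authorized_serials(text):
    """Equivalent of `jq -r '.serial' auth.json`: accepts a stream of JSON objects
    (one per line or concatenated) or a single JSON array of objects."""
    decoder = json.JSONDecoder()
    serials = set()
    text = text.strip()
    idx = 0
    while idx < len(text):
        obj, idx = decoder.raw_decode(text, idx)
        while idx < len(text) and text[idx].isspace():
            idx += 1
        for entry in (obj if isinstance(obj, list) else [obj]):
            serials.add(entry["serial"])
    return serials


def parse_usb_events(syslog_text):
    """Turn SerialNumber lines into events and pair each one with the next
    disconnect seen on the same bus-port (what usbrip reports as Connected/Disconnected)."""
    events = []
    open_by_port = {}
    for line in syslog_text.splitlines():
        m = SERIAL_RE.match(line)
        if m:
            ev = {"connected": m["ts"], "disconnected": None,
                  "port": m["port"], "serial": m["serial"]}
            events.append(ev)
            open_by_port[m["port"]] = ev
            continue
        m = DISCONNECT_RE.match(line)
        if m and m["port"] in open_by_port:
            open_by_port.pop(m["port"])["disconnected"] = m["ts"]
    return events


def find_violations(events, authorized):
    """The `grep -v -Ff auth` step: keep only events whose serial is not allow-listed."""
    return [ev for ev in events if ev["serial"] not in authorized]


def looks_like_md5(serial):
    """True for a 32-hex-digit value, the shape hashtag flagged as MD5 above."""
    return MD5_RE.match(serial) is not None


if __name__ == "__main__":
    authorized = load_authorized_serials(AUTH_JSON)
    for ev in find_violations(parse_usb_events(SYSLOG), authorized):
        print(f"Connected:     {ev['connected']}")
        print(f"Disconnected:  {ev['disconnected']}")
        print(f"Bus-Port:      {ev['port']}")
        print(f"Serial Number: {ev['serial']}"
              + ("  (32 hex chars: looks like an MD5 digest)" if looks_like_md5(ev['serial']) else ""))
```

Working on the serial alone mirrors the writeup's assumption; in a production allow-list you would also match idVendor/idProduct, since a hostile device can present any serial it likes.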