Cashmere makes perfect better BTW I USE ARCH

HTB - USB Ripper

Categories: Forensics | Tags: Hackthebox

Original description

There is a sysadmin, who has been dumping all the USB events on his Linux host all the year… Recently, some bad guys managed to steal some data from his machine when they broke into the office. Can you help him to put a tail on the intruders? Note: once you find it, “crack” it.

The archive consists of two files: “auth.json” and “syslog”. The first one appears to be a list of all authorized USB devices, while the second is the system log of all USB events from the sysadmin’s host.

Looking at the “syslog” file you can see that each USB device has three identifiers associated with it: product, manufacturer and serial number. To find the unauthorized USB device that was connected to the host, it is necessary to find all events whose identifiers are not listed in the “auth.json” file. It is reasonable to assume that the product and manufacturer numbers can be shared between devices, so search only by the serial number.

Use jq to extract serial numbers from the “auth.json” file.

$ jq -r '.serial[]' auth.json > auth

Filter out all authorized serial numbers from the “syslog” file.

$ grep -v -Ff auth syslog | grep SerialNumber:
Aug  3 07:18:01 kali kernel: [ 7364.305854] usb 1-1: SerialNumber: 71DF5A33EFFDEA5B1882C9FBDC1240C6
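The same check as a script, added here as an example rather than the challenge’s own tooling: it groups the kernel USB lines into connect/disconnect records per bus-port and flags every serial that is not on the allow list. The auth.json content and the first (authorized) device in the syslog excerpt are constructed; the second device carries the serial found above.

```python
import json
import re

# Constructed auth.json with the shape the page's jq query assumes (a top-level
# "serial" array); this authorized serial is made up for the example.
AUTH_JSON = '{"serial": ["0123456789ABCDEF0123456789ABCDEF"]}'

# Constructed syslog excerpt in the kernel's USB event format. The first device
# is the made-up authorized one; the second carries the serial the page found.
SYSLOG = """\
Aug  3 06:10:22 kali kernel: [ 3290.240011] usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Aug  3 06:10:22 kali kernel: [ 3290.240020] usb 1-1: SerialNumber: 0123456789ABCDEF0123456789ABCDEF
Aug  3 06:20:01 kali kernel: [ 3870.003301] usb 1-1: USB disconnect, device number 3
Aug  3 07:18:01 kali kernel: [ 7364.305854] usb 1-1: New USB device found, idVendor=3993, idProduct=9324
Aug  3 07:18:01 kali kernel: [ 7364.305854] usb 1-1: SerialNumber: 71DF5A33EFFDEA5B1882C9FBDC1240C6
Aug  3 07:18:10 kali kernel: [ 7373.110200] usb 1-1: USB disconnect, device number 4
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[[^\]]*\] usb (\S+): (.*)$")
NEW_RE = re.compile(r"New USB device found, idVendor=(\w+), idProduct=(\w+)")

def parse_usb_events(syslog_text):
    """Group kernel USB lines into one record per connect/disconnect cycle, keyed by bus-port."""
    open_devices, events = {}, []
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel USB line
        ts, port, msg = m.groups()
        new = NEW_RE.search(msg)
        if new:
            open_devices[port] = {"connected": ts, "port": port, "vid": new.group(1),
                                  "pid": new.group(2), "serial": None, "disconnected": None}
        elif msg.startswith("SerialNumber:") and port in open_devices:
            open_devices[port]["serial"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("USB disconnect") and port in open_devices:
            rec = open_devices.pop(port)
            rec["disconnected"] = ts
            events.append(rec)
    events.extend(open_devices.values())  # devices still plugged in at end of log
    return events

def find_violations(syslog_text, auth_json_text):
    """Return events whose serial is not on the allow list (a missing serial also counts)."""
    authorized = set(json.loads(auth_json_text)["serial"])
    return [e for e in parse_usb_events(syslog_text) if e["serial"] not in authorized]

if __name__ == "__main__":
    for v in find_violations(SYSLOG, AUTH_JSON):
        print(f"{v['connected']} port {v['port']} VID {v['vid']} PID {v['pid']} "
              f"serial {v['serial']} disconnected {v['disconnected']}")
```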

Only one unauthorized device was logged. As stated in the challenge description: once you find it, “crack” it. Identify the type of the SerialNumber hash using the hashtag tool.

$ hashtag -sh 71DF5A33EFFDEA5B1882C9FBDC1240C6 | head

Hash: 71DF5A33EFFDEA5B1882C9FBDC1240C6

[*] MD5 - Hashcat Mode 0
[*] NTLM - Hashcat Mode 1000
[*] MD4 - Hashcat Mode 900
[*] LM - Hashcat Mode 3000
[*] RAdmin v2.x
[*] Haval-128
[*] MD2

The most probable algorithm is MD5. Use hashcat with the rockyou.txt wordlist to crack the hash (saved in hash.txt).

$ hashcat -m 0 -a 0 hash.txt rockyou.txt --force

Alternatively, use the usbrip tool to find the violation event directly from the two files.

$ sudo usbrip events violations auth.json -f syslog
Connected:      ????-08-03 07:18:01
Host:           kali
VID:            3993
PID:            9324
Product:        1F8ADAEE73D993944FC7C7783
Manufacturer:   884CCC9A3DF08F49C621373E
Serial Number:  71DF5A33EFFDEA5B1882C9FBDC1240C6
Bus-Port:       1-1
Disconnected:   ????-08-03 07:18:10