[Hack The Box] HTB—Challenges—forensics—USB Ripper writeup
Attachments: auth.json, syslog
DESCRIPTION:
There is a sysadmin, who has been dumping all the USB events on his Linux host all the year… Recently, some bad guys managed to steal some data from his machine when they broke into the office. Can you help him to put a tail on the intruders? Note: once you find it, “crack” it.
The format of auth.json is the one used by usbrip, a Linux tool that records the history of USB device events.
Showing USB device event history with usbrip on Linux
auth.json stores the list of authorized (trusted) USB devices. The file can be used to investigate which USB devices were connected and whether each of them was authorized, which in turn shows whether a user copied something from the system without permission.
1. Install usbrip
Install dependencies:
python3-venv
p7zip
sudo apt install python3-venv p7zip-full
Install usbrip
git clone https://github.com/snovvcrash/usbrip.git
cd usbrip
chmod +x ./installers/install.sh
sudo -H ./installers/install.sh -s
2. Analysis
Check for unauthorized USB access (devices in the syslog that are not on the trusted list):
sudo usbrip events violations ~/auth.json -f syslog
viol.json
Crack the MD5 hash found in the serial number field of the unauthorized device:
71DF5A33EFFDEA5B1882C9FBDC1240C6
flag:HTB{mychemicalromance}
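The two analysis steps above, as an added example that is not the challenge's or usbrip's own code: a minimal re-implementation of what `usbrip events violations` checks (group the kernel's USB enumeration lines from syslog into one event per device, then flag any device whose vid, pid or serial is not on the trusted list), followed by an offline dictionary check for the "crack it" step. The auth.json shape (attribute name to list of trusted values), the syslog lines, the vid/pid values and the word list are constructed samples, not the challenge's files.

```python
import hashlib
import json
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample in the shape of a usbrip auth.json (attribute -> trusted values).
AUTH_JSON = '{"vid": ["0781"], "pid": ["5567"], "serial": ["4C530001234567890123"]}'

# Constructed sample syslog lines in the Linux kernel's USB enumeration format.
SYSLOG = """\
Mar  3 09:12:01 host kernel: [ 100.001] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar  3 09:12:01 host kernel: [ 100.002] usb 1-1: SerialNumber: 4C530001234567890123
Mar  3 23:41:07 host kernel: [ 900.100] usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Mar  3 23:41:07 host kernel: [ 900.101] usb 1-2: SerialNumber: 71DF5A33EFFDEA5B1882C9FBDC1240C6
"""

FOUND_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*usb (?P<port>\S+): "
                      r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL_RE = re.compile(r"usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)")


def parse_events(syslog: str) -> List[Dict[str, str]]:
    """Group kernel USB lines into one event per connected device, keyed by bus port (e.g. 1-2)."""
    events: List[Dict[str, str]] = []
    open_by_port: Dict[str, Dict[str, str]] = {}
    for line in syslog.splitlines():
        m = FOUND_RE.match(line)
        if m:
            ev = {"conn": m["ts"], "vid": m["vid"], "pid": m["pid"]}
            open_by_port[m["port"]] = ev
            events.append(ev)
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in open_by_port:
            open_by_port[m["port"]]["serial"] = m["serial"]
    return events


def find_violations(events: List[Dict[str, str]], auth: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """An event is a violation if any of its attributes has a value that is not on the trusted list."""
    return [ev for ev in events
            if any(k in auth and ev[k] not in auth[k] for k in ("vid", "pid", "serial") if k in ev)]


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check: return the candidate whose MD5 equals the target, else None."""
    target = target_hex.lower()
    return next((w for w in candidates if hashlib.md5(w.encode()).hexdigest() == target), None)


if __name__ == "__main__":
    for v in find_violations(parse_events(SYSLOG), json.loads(AUTH_JSON)):
        print(f"{v['conn']}  vid={v['vid']} pid={v['pid']} serial={v.get('serial')}")
```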
Reference writeup:
https://securitybyexpert.com/usb-ripper-forensics-challenges-hackthebox/