• Donald Ashdown

SANS KringleCon Objective 5



This was a neat challenge that taught us about the rubber ducky USB device.

The work flow for this challenge is to discover the mallard.py in the elf folder. This script provided script allows us to decode rubber ducky encoded files (inject.bin). We then follow the instructions to /mnt/USBDEVICE/inject.bin where we find our encoded payload. We call mallard.py (the encoder/decoder) to decode inject.bin. From here we see the malicious commands being injected and one of them is a base 64 command which we decode and learn the attackers name "icymcgoop" tried to inject their SSH key into authorized keys.


Hints Below are the provided hints from the terminal objective elf


we start off with our Terminal where we are informed that a troll has left a USB rubber ducky on a silver platter. We output the information in mallard.py and see we have a key table mapped to hex characters within.

We see the inject.bin file with hold the characters to inject as keyboard commands into the target device here.

So we use the mallard.py script to decode the inject binary.

Here we can see the pre-prescribed commands that on queued up to execute on the target host.

We can see here that base64 encoded data was passed and we focus on this.

We simply just call the command similar to how the attack injected the command.

Removing the bash portions of this command provides us the output.

2 views0 comments