Friday, February 8, 2019

Wait Wait Don't hack me.

I was spinning my wheels on this Ugly Duck challenge for a while trying to figure out what the downloaded file.bin is. Running the `file` command against it only reports "data". Binwalk returned nothing, and none of its signatures matched. When I opened the file in a hex editor I got the following:


Eventually I yielded and did some Google fu, and found that others had encountered a similar challenge/file at other CTFs. They were just able to take the hint that eluded me: that the "Duck" in the challenge name refers to Hak5's USB Rubber Ducky. You can then use The Duck Toolkit to decode the file and get back the ducky_code.txt and inject.bin files.

But I wanted to know if there is a way to identify that this file is a Rubber Ducky payload without guessing. So I generated a couple more payloads via the Duck Toolkit to see how they would display in a hex editor. I expected them to contain as many 00FF byte pairs as my original sample.


Nope. There are a couple of 00FFs in them, but not nearly as many.

So in my search to figure out what that is, I happened upon this gem: apparently every 0x00FF pair translates to a 255 ms delay, which corresponds to the DELAY commands in the ducky_code.txt file. A long delay simply shows up as a run of 00FF pairs, which is why my sample was full of them.
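As an added example (my own code, not part of the Duck Toolkit), here is a small triage script that turns that observation into a check you can run against an unknown file: it walks the file as 2-byte pairs, counts 0x00 0xFF pairs (255 ms each, as noted above) and sums up consecutive delay pairs into DELAY values. It assumes, beyond what the post states, that instructions are 2-byte pairs starting at offset 0 and that any 0x00 NN pair with a non-zero NN is a delay of NN ms; the sample bytes are constructed, not taken from the challenge file.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DuckyStats:
    size: int                      # file size in bytes
    pairs: int                     # number of 2-byte instruction pairs
    delay_255_pairs: int           # 0x00 0xFF pairs, i.e. 255 ms delay chunks
    delay_runs: List[Tuple[int, int]] = field(default_factory=list)  # (offset, total ms)
    estimated_delay_ms: int = 0    # sum of all delay runs


def analyze(data: bytes) -> DuckyStats:
    """Scan a candidate inject.bin for Rubber Ducky style DELAY encoding.

    Assumption (not from the post): a pair 0x00 NN with NN != 0 is an NN ms delay,
    and a multi-second DELAY is split into consecutive 0x00 0xFF pairs plus a
    remainder pair.
    """
    stats = DuckyStats(size=len(data), pairs=len(data) // 2, delay_255_pairs=0)
    i = 0
    while i + 1 < len(data):
        if data[i] == 0x00 and data[i + 1] != 0x00:
            start, total = i, 0
            # Merge consecutive delay pairs into one logical DELAY command.
            while i + 1 < len(data) and data[i] == 0x00 and data[i + 1] != 0x00:
                total += data[i + 1]
                if data[i + 1] == 0xFF:
                    stats.delay_255_pairs += 1
                i += 2
            stats.delay_runs.append((start, total))
            stats.estimated_delay_ms += total
        else:
            i += 2
    return stats


def looks_like_ducky(stats: DuckyStats, min_255_pairs: int = 3) -> bool:
    """Heuristic: even length and at least a few 0x00 0xFF delay chunks."""
    return stats.size % 2 == 0 and stats.delay_255_pairs >= min_255_pairs


# Constructed sample: DELAY 1000 (3 x 255 + 235), a keystroke pair, DELAY 500
# (255 + 245), then two more keystroke pairs. Keystroke bytes are dummies.
SAMPLE = bytes([
    0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0x00, 0xEB,
    0x15, 0x08,
    0x00, 0xFF, 0x00, 0xF5,
    0x17, 0x00, 0x08, 0x00,
])
```

Running `analyze(SAMPLE)` reports two delay runs of 1000 ms and 500 ms, so a file that `file` calls "data" but that is full of 00FF pairs at even offsets is a strong candidate for a Ducky payload.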

The more you know!