zodiac

OSCN 2025

Info	Details
Category	Forensics / Network

Challenge Overview

In this challenge we should find the location of Zodiac Killer using a .pcap file. I firstly see some weird values in a UDP packet in this format – Timestamp:Coordinates:Left clicked:Right clicked. Since we're talking about USB Mouse connection, I assumed that the coordinates represent the current mouse position.

discovering weird values

Then I used data exfiltration in order to get all the packets which contain that type of values.

data exfil

I extracted all coordinates with the Left Click set on True using the following script:

import re

with open("sample.pcap", "rb") as f:
    data = f.read()

pattern = re.compile(rb"(\d+\.\d+),(\d+),(\d+),True,False")

# Extract coordinates only when left click is True
matches = pattern.findall(data)

with open("left_click_coordinates.txt", "w") as out:
    for match in matches:
        x = match[1].decode()
        y = match[2].decode()
        out.write(f"{x},{y}\n")

Using the extracted coordinates and the PIL library, I reconstructed the image drawn by the Zodiac Killer:

from PIL import Image, ImageDraw
import pandas as pd

# Load the coordinates
df = pd.read_csv("left_click_coordinates.txt", header=None, names=["x", "y"])

# Set canvas size
width, height = 1200, 800
image = Image.new("RGB", (width, height), "white")
draw = ImageDraw.Draw(image)

# Draw points
for x, y in df.values:
    draw.point((x, y), fill="black")

image.save("output.png")
image.show()

Final Flag

ctf{secretplacewukong'sden}

made by k0d