strange-pcap

Info

Details

Challenge Overview

This challenge is about analyzing carefully a .pcapng file.

My usual approach when analyzing a .pcapng file is to start with basic file inspection commands:

file Strange.pcapng
exiftool Strange.pcapng
binwalk Strange.pcapng

It seems that binwalk found a protected zip archive named flag which contains flag.txt. Unfortunately it cannot be cracked with tools like John or Hashcat so it must be a way to unzip it.

I retrieved the archive using:

binwalk -e Strange.pcapng

Traffic Analysis

Opening the file using wireshark we see that we've got a lot of USB captures. I tried some exfiltration combinations and one of them was usbhid.data.

Note: HID (Human Interface Device) is a device-class protocol used over USB or Bluetooth that standardizes communication between human-interface devices (e.g., keyboards and mice) and a host computer.

The moment that I saw HID I was thinking directly about the password that we need to extract the flag.

I extracted all those packets using:

tshark -r Strange.pcapng -Y "usbhid.data" -T fields -e usbhid.data > data.txt
awk 'length($0) >= 16' data.txt | sed 's/../&:/g; s/:$//' > data_final.txt

(This command filters out short (noise) entries and formats the remaining USB HID data into xx:yy byte notation, preparing it for script-based analysis).

HID Decoding

I used the following script to convert the captured HID data into plaintext.

https://github.com/TeamRocketIst/ctf-usb-keyboard-parser

┌──(razvanttn㉿Centru)-[~/ctf-usb-keyboard-parser]
└─$ python3 usbkeyboard.py ../ctf/data_clean.txt
7vgj4SSL9NHVuK0D6d3F

With this password we can extract the content of the archive (flag.txt).

made by k0d

PreviousRR Nextt3am_vi3w3r

Last updated 15 days ago

hashtagChallenge Overview

hashtagTraffic Analysis

hashtagHID Decoding

Challenge Overview

Traffic Analysis

HID Decoding