GoogleCTF 2016 -for2 - Forensics Challenge

Reading time ~1 minute

Really quick writeup while I remember. The clue consists of a pcap only. The pcap contains USB packet captures.


We identify the type of USB device by using the vendor ID and the product ID which are announced in one of the types of USB packets.

root@kali:~/google/for/for2# tshark -r usb.pcap -T fields -e usb.bus_id -e usb.device_address -e usb.idVendor -e usb.idProduct "usb.idVendor > 0" 2>/dev/null
1   3   1133    0x0000c05a

We lookup this number online to find it is a Logitech M90/M100 mouse. Ok so mouse movement packets. We also note the second field here which is the USB device_address field.

We know these kinds of packets contain basically x,y and mouse button data in a field called “usb.capdata”. Using tshark we can extract it:

root@kali:~/google/for/for2# tshark -r capture.pcapng -T fields -e usb.capdata usb.capdata and usb.device_address==3 2> /dev/null | head -5

The coordinates (bytes 2 and 3) are signed integer relative offsets from some initial X,Y position. So values > 127 are negative. The first byte indicates whether the left mouse button is down or not.

We write quick python code to extract the coordinates and draw us a picture of every pixel where the mouse button is down.


from PIL import Image, ImageDraw
from subprocess import check_output

print "[*] Extracting data from pcap"
with open('/dev/null') as DN:
    md = [x.strip() for x in check_output(['tshark','-r','capture.pcapng','-Tfields','-e','usb.capdata','usb.capdata','and','usb.device_address==3'],stderr=DN).splitlines()]

x = 1000    # origin coords
y = 300

img ="RGB",(1200,800),"white")
dr = ImageDraw.Draw(img)

print "[*] Drawing you a picture!"
for line in md:
    coords = [j if j<128 else (j-256) for j in [int(k,16) for k in line.split(':')]]
    x += coords[1]
    y += coords[2]
    if coords[0] != 0:
        dr.rectangle(((x - 2, y - 2), (x + 2, y + 2)), fill="black")

Which shows us the flag and a cool kitty cat!


A fun problem and a quick solve!

niteCTF - CBC-Jail

A unique combination of Python jailbreak and crypto flaw that had me learning a lot about AES-CBC mode. Super fun for me to get this solu...… Continue reading

niteCTF - Rabin to the Rescue

Published on December 12, 2021

HTB CyberSanta 2021 - Crypto Writeups

Published on December 04, 2021