Google CTF ’16 – For2

The challenge was to find the flag from the given pcapng file. Then we convert the file into a pcap file using this site.

Initially, when we open the file using wireshark we can get to know that its the packet capture of some kind of USB device. On further investigation we found out what kind of USB device it was from the frame 84 of the pcap. Its a Logitech USB mouse. So we understand that the data must be the mouse movements and its clicks.

To get the flag we modified a python code which we got from the Boston Key Party CTF 2015: Riverside. The buf[0x13] in device_id is the address of the mouse which we get frm the pcap file.


import struct
import Image
import dpkt
INIT_X, INIT_Y = 100, 400

def print_data(pcap,device):
 picture ="RGB",(2000, 2000),"white")
 pixels = picture.load()

 x, y = INIT_X, INIT_Y
 for ts, buf in pcap:
 device_id = struct.unpack("b", buf[0x13])

 if device_id[0] != device :

 data = struct.unpack("bbbb",buf[-4:])

 status = data[0]
 x = max(x + data[1], 5)
 y = max(y + data[2], 5)

 if (status == 1):
 for i in range(-5, 5):
 for j in range(-5, 5):
 pixels[x + i , y + j] = (0, 0, 0, 0)
 print "x,y" , x, y
 pixels[x, y] = (255, 0, 0, 0)"usbimage.png", "PNG")

if __name__== "__main__":
 r = open("capture.s0i0.pcap", 'rb')
 pcap = dpkt.pcap.Reader(f)


Then we get the flag in a usbimage.png file. And the image is :







Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a free website or blog at

Up ↑

%d bloggers like this: