Google CTF ’16 – For2

The challenge was to find the flag in the given pcapng file. We first converted the file into a pcap file using this site.

When we opened the file in Wireshark, we could see that it is a packet capture of some kind of USB device. On further investigation, we found out what kind of USB device it was from frame 84 of the pcap: it's a Logitech USB mouse. So the data must be the mouse's movements and clicks.

To get the flag, we modified a Python script that we got from the Boston Key Party CTF 2015: Riverside. The byte at buf[0x13], read into device_id, is the address of the mouse, which we get from the pcap file.

 

import struct
from PIL import Image  # Pillow; the old top-level "import Image" no longer works
import dpkt

INIT_X, INIT_Y = 100, 400

def print_data(pcap, device):
    picture = Image.new("RGB", (2000, 2000), "white")
    pixels = picture.load()

    x, y = INIT_X, INIT_Y
    for ts, buf in pcap:
        # Byte 0x13 of each packet is the USB device address
        device_id = struct.unpack("b", buf[0x13:0x14])

        if device_id[0] != device:
            continue

        # The last four bytes are the mouse report: button status, x delta, y delta
        # (the fourth byte is not used here)
        data = struct.unpack("bbbb", buf[-4:])

        status = data[0]
        x = max(x + data[1], 5)
        y = max(y + data[2], 5)

        if status == 1:
            # Button held down: paint a 10x10 black block at the cursor
            for i in range(-5, 5):
                for j in range(-5, 5):
                    pixels[x + i, y + j] = (0, 0, 0)
        else:
            print("x,y", x, y)
            pixels[x, y] = (255, 0, 0)
    picture.save("usbimage.png", "PNG")

if __name__ == "__main__":
    with open("capture.s0i0.pcap", "rb") as f:
        pcap = dpkt.pcap.Reader(f)
        print_data(pcap, 3)

Running the script writes the flag to a usbimage.png file. The image is:

flag
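An added example, not part of the original write-up: the same report decoding, but with strokes collected first and the canvas sized from their bounding box, so coordinates that go negative are not clamped to 5 and large ones cannot run off a fixed 2000x2000 image. It uses only the standard library; the function names and the sample reports are constructed for illustration, and it tests bit 0 of the status byte instead of `status == 1`.

```python
import struct

def trace_strokes(reports):
    """Turn 4-byte mouse reports into strokes: lists of (x, y) drawn while the button is held."""
    x = y = 0
    strokes, current = [], None
    for report in reports:
        if len(report) != 4:            # skip anything that is not a 4-byte report
            continue
        status, dx, dy, _unused = struct.unpack("bbbb", report)
        x, y = x + dx, y + dy           # deltas are signed and relative to the last position
        if status & 0x01:               # bit 0 set: left button is down
            if current is None:         # button just went down, start a new stroke
                current = []
                strokes.append(current)
            current.append((x, y))
        else:
            current = None              # button released, close the stroke
    return strokes

def bounding_box(strokes):
    """Return (min_x, min_y, max_x, max_y) over every drawn point."""
    points = [p for stroke in strokes for p in stroke]
    xs, ys = [p[0] for p in points], [p[1] for p in points]
    return min(xs), min(ys), max(xs), max(ys)

def render(strokes):
    """Plot the strokes on a grid exactly as large as the drawing; returns text rows."""
    if not any(strokes):
        return []
    min_x, min_y, max_x, max_y = bounding_box(strokes)
    grid = [["."] * (max_x - min_x + 1) for _ in range(max_y - min_y + 1)]
    for stroke in strokes:
        for x, y in stroke:
            grid[y - min_y][x - min_x] = "#"
    return ["".join(row) for row in grid]

# Constructed sample (status, dx, dy, unused): an "L" shape, then a jump to
# negative coordinates with the button up, then a short second stroke.
SAMPLE = [struct.pack("bbbb", *r) for r in [
    (0, 5, 5, 0), (1, 0, 1, 0), (1, 0, 1, 0), (1, 0, 1, 0),
    (1, 1, 0, 0), (1, 1, 0, 0), (0, -10, -20, 0), (1, 0, 1, 0), (1, 1, 0, 0),
]]

if __name__ == "__main__":
    print("\n".join(render(trace_strokes(SAMPLE))))
```

To use it on a real capture, feed it `buf[-4:]` from each packet that passes the device-address filter in the script above.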

 

 

 

 
