(Forensics - CTF Root-Me 10k) Wack
In this challenge, we are given a network capture of some USB traffic.
We need then to find what kind of device is sending the data captured. We can remark that the length of the data packets transmitted is exactly 10.
First (obvious) ideas : it is a mouse, or a keyboard. But… it is too obvious to be true (: indeed, packets emitted by a mouse are 4 bytes long, and packets emitted by a keyboard are 8 bytes long.
Reminder: we found the capture on the computer of a graphic designer… after some research, I found this link. The packets are probably sent by a graphic tablet.
We can extract the data with the following command:
tshark -r wack.pcapng -T fields -e usb.capdata -Y usb.capdata | sed 's/../:&/g2' > data.txt
The additional sed is here to separate the bytes with colons, so as to be able to treat them more easily.
The packets match the following pattern to describe the move of the pen:
- 02 ??: some header
- XX XX: X coordinate
- YY YY: Y coordinate
- ZZ: Pressure Z of the pen. If Z > 0 then we are actually drawing something!
- 00: Probably some padding.
The following command separate the X,Y and Z coordinates, discarding the header and the last byte.
awk -F: '{x=$3$4;y=$5$6}{z=$7}$1=="02"{print x,y,z}' data.txt > data.awk
Then, we can use the following python script, similar to the one given here, which converts the hexadecimal coordinates to decimal so as to plot them using gnuplot. We filter the points to keep only those with Z > 0 (where the user is actually drawing).
#!/usr/bin/python
from pwn import *
for line in open('data.awk').readlines():
coord = line.strip().split(' ')
x = int(coord[0],16)
y = int(coord[1],16)
z = int(coord[2],16)
if z > 0:
print u16(struct.pack(">H",x)),u16(struct.pack(">H",y))
which we can run with python2 wack_solve.py > plot.txt
Then, we can provide the resulting plot.txt file to gnuplot:
And… Hurray!!! The image is reverted though, I was lazy so I just made a screenshot and flipped it vertically with Ristretto.
FLAG: RM{capture_all_the_things!}