TFCCTF2021 — UH, SUSSY BAKKA [Forensic]
Description : Walter is back at it again! He hid underneath my desk before I came in to work and something feels off! He sent me this file. Can you tell me what’s up with it?
Solves : 126
Download pcap file attached
First, open chall.pcapng and check the protocol, its usb pcap

then, i checking the Leftover Capture Data using tshark

ok, we have all leftover capture data, just put the hex data and decrypt it using mapping with usb hid, you can read here (https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf)
Here is my solver :

run the solver using python3 and we got the flag, but its not the right flag, need to fix flag format, underscores, and guessing some char :(

flag : TFCCTF{w4lt3r_y0u_su55y_b4k4!Why_ar3_y0u_h1d1ing_und3rn34th_my_d3sk}
Thanks for read my writeups, follow me for some update!