TFCCTF2021 — UH, SUSSY BAKKA [Forensic]

Description : Walter is back at it again! He hid underneath my desk before I came in to work and something feels off! He sent me this file. Can you tell me what’s up with it?

Solves : 126

Download pcap file attached

First, open chall.pcapng and check the protocol, its usb pcap

then, i checking the Leftover Capture Data using tshark

ok, we have all leftover capture data, just put the hex data and decrypt it using mapping with usb hid, you can read here (https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf)

Here is my solver :

run the solver using python3 and we got the flag, but its not the right flag, need to fix flag format, underscores, and guessing some char :(

flag : TFCCTF{w4lt3r_y0u_su55y_b4k4!Why_ar3_y0u_h1d1ing_und3rn34th_my_d3sk}

Thanks for read my writeups, follow me for some update!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store