# Misc - USB Exfiltration

## Description

Someone stole data from our servers and you need to figure out exactly what they took or you're fired! We know they zipped the files then transferred them via USB somehow so here's a capture of the USB traffic. You should be able to recover the files from that, right?

## Downloads

{% file src="/files/WgKgnYcuHPSpvnF6iwJ1" %}

## Solution

First, we are presented with a Wireshark packet capture file.

![Wireshark packet capture](/files/uU8Nipm1aKrN0tUPsSQi)

From the protocol column and the challenge description itself, we know that these are USB traffic packets.

On further examination, I noticed that there are anomalies in the packet lengths.

![](/files/BXpY6lEG9Idd9dHgHzAa)

While most of the packets were shorter than 100 bytes, there was a range of packets with a length of 16448. Again, from the first bytes of those packets and the challenge description itself, we can confirm that they carry the bytes of a zip file. To extract the zip file from the packets, we will use the following command:

```bash
tshark -r exfiltration.pcapng -T fields -e usb.capdata | sed -r '/^\s*$/d' > data.txt
```

* The 1st part extracts only the `usb.capdata` field (shown in Wireshark as `Leftover Capture Data`), one packet per line
* The 2nd part removes all the empty lines (packets that carried no data)
* The last part outputs the data to the file `data.txt`

![](/files/GdLBOv1K3eHEPnCAQGYE)

Looking at the output data file, we see that there is still some gibberish data not related to the zip file. But since we know the zip local file header signature `50 4B 03 04` and the end-of-central-directory signature `50 4B 05 06`, we can accurately extract the necessary bytes and write them out as a new file.
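The carving step above, written out as an added example (not the original writeup's code): it joins the `usb.capdata` hex lines from `data.txt`, cuts from the first local file header to the end of the end-of-central-directory record (which is 22 bytes plus an optional trailing comment, so stopping at the signature alone would truncate the archive), validates the result with `zipfile`, and base64-decodes the flag member. The member name `flag.b64` comes from the writeup; the sample capture is constructed inline from a tiny in-memory zip surrounded by HID-style filler reports and stands in for the real `data.txt`.

```python
import base64
import io
import re
import zipfile

# Zip signatures ("PK" magic). The local file header opens the archive;
# the end-of-central-directory (EOCD) record closes it.
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # 50 4B 03 04
ZIP_EOCD = b"PK\x05\x06"           # 50 4B 05 06
EOCD_FIXED_LEN = 22                 # fixed part; a comment of the stated length may follow


def hex_lines_to_bytes(lines):
    """Join tshark `-e usb.capdata` output lines into one byte string.

    Older tshark versions print bytes colon-separated ("50:4b:03:04"),
    newer ones print them packed ("504b0304"); strip anything that is not a
    hex digit so both forms parse. Blank lines are skipped.
    """
    blob = bytearray()
    for line in lines:
        digits = re.sub(r"[^0-9a-fA-F]", "", line)
        if digits:
            blob += bytes.fromhex(digits)
    return bytes(blob)


def carve_zip(blob):
    """Return the zip archive embedded in `blob`.

    Starts at the first local file header and ends after the EOCD record:
    bytes 20..21 of that record hold the comment length, so the archive may
    extend past the signature by 22 + comment bytes.
    """
    start = blob.find(ZIP_LOCAL_HEADER)
    if start < 0:
        raise ValueError("no zip local file header found")
    eocd = blob.find(ZIP_EOCD, start)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
    archive = blob[start:eocd + EOCD_FIXED_LEN + comment_len]
    # A mis-carved archive fails to parse or fails its CRC checks here.
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        if zf.testzip() is not None:
            raise ValueError("carved archive is corrupt")
    return archive


def recover_flag(lines, member="flag.b64"):
    """Carve the zip out of the capture lines and base64-decode the flag member."""
    archive = carve_zip(hex_lines_to_bytes(lines))
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        encoded = zf.read(member)
    return base64.b64decode(encoded).decode()


def build_sample_capture(flag="buckeye{constructed_example}"):
    """Constructed stand-in for data.txt: a few 8-byte HID-style reports
    (the unrelated lines), then the zip split across 64-byte chunks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("meme.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # placeholder image
        zf.writestr("flag.b64", base64.b64encode(flag.encode()))
    raw = buf.getvalue()
    noise = ["0000000000000000", "00000a0000000000"]  # constructed filler reports
    chunks = [raw[i:i + 64].hex() for i in range(0, len(raw), 64)]
    return noise + chunks + noise


if __name__ == "__main__":
    # With a real capture: recover_flag(open("data.txt").read().splitlines())
    print(recover_flag(build_sample_capture()))
```

On a real capture, run `recover_flag` over the lines of `data.txt`; if the archive had been damaged or split across two transfers, `testzip()` would flag it instead of silently yielding a truncated file.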

After creating the zip file and extracting it, we are given 2 files:

1. `meme.png`
2. `flag.b64`

![meme.png](/files/nSutzn9THTLsaQoaZdGW)

The `meme.png` is absolutely useless and the other file `flag.b64` is obviously the flag that is base64 encoded. Simply base64 decode the string and we get the flag!

![](/files/wcC4QuCBeWI5pDoFoE8J)

Flag: `buckeye{why_1snt_7h3r3_4_di55ect0r_4_th1s}`
