Misc - USB Exfiltration
Medium | 106 solves | 252 points
Last updated
Someone stole data from our servers and you need to figure out exactly what they took or you're fired! We know they zipped the files then transferred them via USB somehow so here's a capture of the USB traffic. You should be able to recover the files from that, right?
First, we are presented with a Wireshark packet capture file.
From the protocol and challenge description itself, we know that these are USB traffic packets.
On further examination, I noticed that there are anomalies in the packet lengths.
While most of the packets were under 100 bytes long, there was a range of packets with a length of 16448. Again, from the initial bytes and the challenge description itself, we can confirm that these are the bytes of a zip file. To extract the zip file from the packets, we will use the following command:
The 1st part is to extract only from the Leftover Capture Data
The 2nd part is to remove all the empty lines
The last part is to output the data to the file 'data.txt'
Looking at the output data file, we see that there is still some gibberish data not related to the zip file. But since we know the zip file's header signature of 50 4B 03 04 and end signature of 50 4B 03 04, we can accurately extract the necessary bytes and write them out as a new file.
After creating the zip file and extracting it, we are given 2 files: meme.png and flag.b64. The meme.png is absolutely useless and the other file, flag.b64, is obviously the flag, base64 encoded. Simply base64 decode the string and we get the flag!
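As an added worked example (not the author's script), the carving and decoding steps in Python. It assumes data.txt holds one hex string of usb.capdata per line, as `tshark -T fields -e usb.capdata` prints it, and stands in a constructed capture for the real one; it carves from the first local file header (50 4B 03 04) to the end of the end-of-central-directory record, whose own signature is 50 4B 05 06, so the trailing junk is cut off exactly rather than by eye.

```python
import base64
import io
import re
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # 50 4B 03 04, start of the first entry
EOCD_SIGNATURE = b"PK\x05\x06"      # 50 4B 05 06, end-of-central-directory record
EOCD_FIXED_LEN = 22                 # fixed part of the EOCD record, comment follows

def hex_lines_to_bytes(text):
    """Join hex strings (one per line; blank lines and ':' separators tolerated)."""
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", text))

def carve_zip(blob):
    """Return the embedded ZIP archive, or None if no complete archive is present."""
    start = blob.find(LOCAL_FILE_HEADER)
    if start < 0:
        return None
    eocd = blob.find(EOCD_SIGNATURE, start)
    if eocd < 0 or len(blob) < eocd + EOCD_FIXED_LEN:
        return None
    # Bytes 20..21 of the EOCD record hold the comment length, so the archive
    # ends that many bytes after the fixed 22-byte record, not at the signature.
    comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
    return blob[start:eocd + EOCD_FIXED_LEN + comment_len]

def build_sample_capture():
    """Constructed stand-in for data.txt: a small zip wrapped in unrelated bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.b64", base64.b64encode(b"flag{constructed_sample}"))
    archive = buf.getvalue()
    raw = b"\x01\x01\x00\x02" * 4 + archive + b"\x00\x00\x00\x08"  # junk around it
    lines = [raw[i:i + 8].hex() for i in range(0, len(raw), 8)]
    lines.insert(3, "")  # an empty line, like those the grep step removes
    return "\n".join(lines), archive

def recover_flag(capture_text):
    """Carve the zip out of the hex dump and base64-decode flag.b64 from it."""
    archive = carve_zip(hex_lines_to_bytes(capture_text))
    if archive is None:
        return None
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return base64.b64decode(zf.read("flag.b64")).decode()

if __name__ == "__main__":
    text, _ = build_sample_capture()
    print(recover_flag(text))
```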
Flag: buckeye{why_1snt_7h3r3_4_di55ect0r_4_th1s}