# StarCTF
## Blogger
![](https://i.imgur.com/SiAthll.png)
The second challenge was to analyze a pcap.
We can quickly identify the protocol to exploit: the capture holds USB keyboard traffic. A quick Google search turns up exactly what to do:
https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4
So I followed the tutorial :D A little filter, frame len ...
![](https://i.imgur.com/VetfGMp.png)
Add the useful column (Leftover Capture Data) and export to CSV from Wireshark:
```
head OUTUSB.csv
"No.","Time","Source","Destination","Protocol","Length","Info","Leftover Capture Data"
"15","0.712182","1.7.1","host","USB","35","URB_INTERRUPT in","0400000000000000"
"17","0.856194","1.7.1","host","USB","35","URB_INTERRUPT in","04002b0000000000"
"19","0.896180","1.7.1","host","USB","35","URB_INTERRUPT in","00002b0000000000"
"23","3.000525","1.7.1","host","USB","35","URB_INTERRUPT in","0200000000000000"
"25","4.128879","1.7.1","host","USB","35","URB_INTERRUPT in","0200160000000000"
"27","4.232664","1.7.1","host","USB","35","URB_INTERRUPT in","0200000000000000"
"31","4.472557","1.7.1","host","USB","35","URB_INTERRUPT in","00000b0000000000"
"35","4.736597","1.7.1","host","USB","35","URB_INTERRUPT in","0000080000000000"
"39","5.928841","1.7.1","host","USB","35","URB_INTERRUPT in","0000150000000000"
```
A quick trip through the mill with cut and sed to keep only the hex column, and the flag is ready!
```
cat OUTUSB.csv | cut -d "," -f 8 | sed ':a;N;$!ba;s/"//g' > HEXDUMP.txt
```
```
cat HEXDUMP.txt
0000000000000000
0400000000000000
04002b0000000000
[...]
0000070000000000
0000000000000000
0000370000000000
0000000000000000
00002c0000000000
0000000000000000
0200000000000000
02000d0000000000
0200000000000000
0000000000000000
0000120000000000
0000000000000000
00000b0000000000
0000000000000000
04002b0000000000
00002b0000000000
0000000000000000
0100000000000000
0100080000000000
```
```
python map.py | sed ':a;N;$!ba;s/\n/ /g'
a tab tab s h e r l o c k No map found for this value: 54 space j o h n No map found for this value: 54 space a n d space h e n r y space t h e n space v i s i t space t h e space h o l l o w space i n space t h e space h o p e space o f space f i n d i n g space t h e space h o u n d No map found for this value: 55 space o n space t h e space w a y No map found for this value: 54 space j o h n space n o t i c e s space w h a t space s e e m s space t o space b e space f l a g [ l i k e - a - b 1 0 0 d h 0 u n d ] a tab tab No map found for this value: 1 e
```
**flag{l i k e_a_b 1 0 0 d h 0 u n d}**
Python code used :+1:
```
# coding: utf-8
newmap={
2: "PostFail",
4: "a",
5: "b",
6: "c",
7: "d",
8: "e",
9: "f",
10: "g",
11: "h",
12: "i",
13: "j",
14: "k",
15: "l",
16: "m",
17: "n",
18: "o",
19: "p",
20: "q",
21: "r",
22: "s",
23: "t",
24: "u",
25: "v",
26: "w",
27: "x",
28: "y",
29: "z",
30: "1",
31: "2",
32: "3",
33: "4",
34: "5",
35: "6",
36: "7",
37: "8",
38: "9",
39: "0",
40: "Enter",
41: "esc",
42: "del",
43: "tab",
44: "space",
45: "-",
47: "[",
48: "]",
56: "/",
57: "CapsLock",
79: "RightArrow",
80: "LeftArrow"
}
myKeys = open('HEXDUMP.txt')
i = 1
keyVal = 0
for line in myKeys:
    # each line is one 8-byte report written as 16 hex digits
    bytesArray = bytearray.fromhex(line.strip())
    #print("Line Number: " + str(i))
    for byte in bytesArray:
        # every non-zero byte is looked up, including the modifier byte (byte 0)
        if byte != 0:
            keyVal = int(byte)
            if keyVal in newmap:
                #print("Value map : " + str(keyVal) + " --> " + newmap[keyVal])
                print(newmap[keyVal])
            else:
                print("No map found for this value: " + str(keyVal))
            #print(format(byte, '02X'))
    i += 1
myKeys.close()
```
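The script above looks up every non-zero byte, so the modifier byte (byte 0 of each 8-byte report) is printed as a key and shifted keys come out as `[` and `-` instead of `{` and `_`. The following is an added example, not the code used for the challenge: a decoder that treats byte 0 as a modifier bitmask and bytes 2 to 7 as keycodes, emits a key only when it is newly pressed, and skips Ctrl/Alt/GUI shortcuts. The names `decode_reports`, `CSV_ROWS`, `DUMP_TAIL` and `CONSTRUCTED` are hypothetical, and a US keyboard layout is assumed.

```python
import string

SHIFT = 0x22    # Left Shift (0x02) | Right Shift (0x20)
CHORD = 0xDD    # any Ctrl, Alt or GUI bit: a shortcut, not typed text

# HID usage ID -> (plain, shifted) for a US layout (assumed)
KEYS = {0x04 + i: (c, c.upper()) for i, c in enumerate(string.ascii_lowercase)}
KEYS.update({0x1E + i: p for i, p in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYS.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x33: (";", ":"), 0x34: ("'", '"'), 0x36: (",", "<"), 0x37: (".", ">"),
    0x38: ("/", "?"),
})

def decode_reports(hex_lines):
    """Return the typed text; a key is emitted only on the report where it goes down."""
    out, held = [], set()
    for line in hex_lines:
        try:
            report = bytes.fromhex(line.strip().strip('"').replace(":", ""))
        except ValueError:
            continue                      # CSV header or other non-hex line
        if len(report) != 8:
            continue
        mods, keys = report[0], [k for k in report[2:] if k > 0x03]
        for k in keys:
            if k not in held and k in KEYS and not mods & CHORD:
                out.append(KEYS[k][1 if mods & SHIFT else 0])
        held = set(keys)                  # keys still down are not re-emitted
    return "".join(out)

# Rows from the CSV excerpt above: Alt+Tab, then Shift+s, h, e, r
CSV_ROWS = """0400000000000000 04002b0000000000 00002b0000000000
0200000000000000 0200160000000000 0200000000000000
00000b0000000000 0000080000000000 0000150000000000""".split()
# Tail of HEXDUMP.txt as listed above (after the "[...]")
DUMP_TAIL = """0000070000000000 0000000000000000 0000370000000000 0000000000000000
00002c0000000000 0000000000000000 0200000000000000 02000d0000000000
0200000000000000 0000000000000000 0000120000000000 0000000000000000
00000b0000000000 0000000000000000 04002b0000000000 00002b0000000000
0000000000000000 0100000000000000 0100080000000000""".split()
# Constructed reports: '[' and '-' with Shift held, then without
CONSTRUCTED = ["02002f0000000000", "0000000000000000", "02002d0000000000",
               "0000000000000000", "00002f0000000000", "00002d0000000000"]

if __name__ == "__main__":
    for sample in (CSV_ROWS, DUMP_TAIL, CONSTRUCTED):
        print(repr(decode_reports(sample)))
```

Feeding it the full `HEXDUMP.txt` (or the CSV column directly, header and quotes included) gives the typed text with case and punctuation applied, so the flag braces and underscores no longer have to be fixed by hand.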