So this is actually my first USB PCAP analysis challenge. This is one of the most basic challenges and there’s a lot to learn from it if you are new to this. USB pcap analysis is a major trend in the current CTFs.
So let us get on with the challenge.
One of our agents managed to sniff an important piece of data transmitted via USB. He told us that this pcap file contains all we need to recover the data. Can you find it?
So let us take a casual look at the PCAP.
So we find a lot of protocols associated with USB. If you are familiar with USB packet analysis, you know that the data sent to the device is carried in “URB_BULK out” packets. With that basic knowledge, let us dig in.
You may notice that several packets are longer than 1000 bytes, which I found suspicious.
Going through these packets, in packet number 101, I noticed “.PNG”.
As the image above shows, the highlighted text is a hex dump of a PNG image. It might be important, so without digging further into the PCAP, let us extract this image.
Select the packet and press Ctrl+H to export the packet bytes to a file.
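Exporting the bytes by hand works for one packet, but a carver that walks the PNG chunk structure and checks each chunk CRC tells you whether the image you pulled out of the bulk payload is complete and intact. This is an added example, not code from the original write-up; it assumes the URB_BULK out payloads have already been concatenated into one byte string (`SAMPLE_PAYLOAD` below is a constructed stand-in with a tiny 1x1 PNG inside it).

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def carve_png(data: bytes) -> list:
    """Return every complete, CRC-valid PNG found in a reassembled USB bulk payload.
    Walking chunk by chunk until IEND means trailing bytes from the next transfer
    are not swept into the image, and a truncated image is reported as missing."""
    found = []
    pos = data.find(PNG_MAGIC)
    while pos != -1:
        end = _walk_chunks(data, pos + len(PNG_MAGIC))
        if end is not None:
            found.append(data[pos:end])
            pos = data.find(PNG_MAGIC, end)
        else:
            pos = data.find(PNG_MAGIC, pos + 1)  # false positive or truncated; keep scanning
    return found

def _walk_chunks(data: bytes, off: int):
    """Follow length/type/data/crc chunks; return the offset just past IEND, or None."""
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        crc_off = off + 8 + length
        if crc_off + 4 > len(data):
            return None  # chunk runs past the payload: the rest sits in a later packet
        crc = struct.unpack(">I", data[crc_off:crc_off + 4])[0]
        if zlib.crc32(ctype + body) != crc:
            return None  # corrupted data or a magic string that is not really a PNG
        off = crc_off + 4
        if ctype == b"IEND":
            return off
    return None

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_png() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1 pixel, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

SAMPLE_PNG = build_sample_png()
# Constructed stand-in for reassembled URB_BULK out bytes: junk, the image, more junk.
SAMPLE_PAYLOAD = b"\x55" * 16 + SAMPLE_PNG + b"\x00" * 32

if __name__ == "__main__":
    for i, img in enumerate(carve_png(SAMPLE_PAYLOAD)):
        with open(f"carved_{i}.png", "wb") as fh:
            fh.write(img)
        print(f"carved_{i}.png: {len(img)} bytes")
```

Replace `SAMPLE_PAYLOAD` with the bytes exported from Wireshark; an empty result means the image is split across packets or damaged, not that there is no PNG.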
So let us see what is present in this image.