Google CTF 2016 – Forensic “For2” Write-up

The Google Capture The Flag (CTF) was run on the 29th and 30th of April 2016, this is my solution to the forensics challenge “For2” which was worth 200 points.

In this challenge the file capture.pcapng was provided with no other instructions other than to find the flag.

The original file can be found here if you want to follow along: https://rootusers.com/wp-content/uploads/2016/05/capture.pcapng

After opening the file in Wireshark, it looked like a USB capture. The majority of the file shows “URB_INTERRUPT in” from the source of 3.1, upon checking the first instance of source 3.0 appearing we can see that it appears to be a Logitech Optical Mouse, as shown below.

Wireshark USB capture

Click to enlarge

I noticed that the only field changing other than the IRP ID, was the Leftover Capture Data field, which appeared to be a 4 byte hex string. After some research I found that this represents mouse movement. This makes sense as the value is continually changing. The second byte measures the X movement, while the third byte measures the Y movement between +255 and -256 values.

Working on the assumption that these values are indeed mouse movements, I export this data with tshark as shown below.

what@kali:/tmp$ tshark -r capture.pcapng -T fields -e usb.capdata > data2.txt
what@kali:/tmp$ tail -n 20 data.txt
00:ff:00:00
00:ff:00:00
00:ff:00:00
00:fd:00:00
00:ff:00:00
00:ff:00:00
00:fe:ff:00
00:fd:00:00
00:fb:00:00
00:fc:00:00
00:fb:00:00
00:fc:00:00
00:fc:ff:00
00:fe:00:00
00:fe:ff:00
00:fe:00:00
00:ff:00:00
00:fe:ff:00
00:ff:ff:00
01:00:00:00

From here we need to turn the second and third bytes into coordinates. I found one instance of this being done before here, and made use of their awk command.

awk -F: 'function comp(v){if(v>127)v-=256;return v}{x+=comp(strtonum("0x"$2));y+=comp(strtonum("0x"$3))}$1=="01"{print x,y}' data2.txt > data3.txt

As shown this has correctly created my coordinates, the full file is 3167 lines long at this point which should give us this many points to plot.

root@kali:~# awk -F: 'function comp(v){if(v>127)v-=256;return v}{x+=comp(strtonum("0x"$2));y+=comp(strtonum("0x"$3))}$1=="01"{print x,y}' data.txt > data3.txt
root@kali:~# tail -n 20 data3.txt
-49 96
-47 98
-47 99
-46 101
-45 101
-43 100
-42 100
-41 100
-40 99
-39 98
-38 98
-37 97
-37 96
-37 95
-38 94
-39 93
-40 92
-41 92
293 -417
-576 -370

I’ll also note that you need to install the ‘gawk’ package in Kali if you with to use ‘strtonum’, otherwise you’ll receive the error “awk: line 2: function strtonum never defined”.

From here we simply plot the data into Gnuplot.

root@kali:~# gnuplot

	G N U P L O T
	Version 4.6 patchlevel 6    last modified September 2014
	Build System: Linux x86_64

	Copyright (C) 1986-1993, 1998, 2004, 2007-2014
	Thomas Williams, Colin Kelley and many others

	gnuplot home:     http://www.gnuplot.info
	faq, bugs, etc:   type "help FAQ"
	immediate help:   type "help"  (plot window: hit 'h')

Terminal type set to 'qt'
gnuplot> plot "data3.txt"
gnuplot> 

As shown once run, the Gnuplot window opens with our flag, albeit upside down.

Mouse coordinates Gnuplot

At this point I simply put the image into Photoshop and flipped it vertically to make it more readable, the final result is shown below.

flag

The flag is shown as CTF{tHE_cAT_iS_the_cULpRiT} with what appears to be the face of the cat.

I did originally attempt to use this USB Reverse Engineering tool which in theory would take a pcap file and draw the movement out automatically, however when I ran this with my pcap I simply got a blank graph output.

  1. I am getting output as simple points plotted in the graph. How did you join them as to form some text?

    • That’s just how it appeared in Gnuplot for me, it’s actually a series of ‘+’ symbols close together for each point, so not sure if you can change how it displays.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>