Nuit du hack quals 2016 - Catch me if you can
The task is a usb pcap where two files were transfered. The trick was to take each odd packet number and take 0x708 of each to create the first file, use the even for the 2nd file. We were left with two Libreoffice ods file. In the 2nd one, we found a table and a weird alphabetic suite which used against the table give us the flag.
We managed to infect the computer of a target. We recorded all packets transferred over the USB port, but there is something unusual. We need them to be sorted to get the juicy secret.
We were given a file called usb.pcap. After digging around the file for a while it appears that it’s a USB transfer of several files.
We wrote a simple python script to extract the different blob with scapy.
#!/usr/bin/env python2 from scapy.all import * pcap = rdpcap("usb.pcap") for i,p in enumerate(pcap): if len(p) > 100: open(str(i),"wb").write(p.load[27:])
After analyzing those files, we found that there is two files in the transfer. To reconstruct the two files, we simply use odd and even files for each. Here is the python script to do it:
After running our script we were left with two files:
file files1.ods files1.ods: OpenDocument Spreadsheet
After opening the first file with Libreoffice we were greeted by:
Fun isn’t it…
Digging in the 2nd file is more profitable, it show us a sort of table with alphabetic and letter:
if you scroll to the 1048576 line vertical and to the top right most, yes there are serious… you’ll found a “code”:
Using this code with the weird alphbetical table give us the flag: ndh[wh3re1sw@lly].
Challenges resources are available in the resources folder