Bunch of sec. enthusiasts who sometimes play CTF

Nuit du hack quals 2016 - Catch me if you can

The task is a usb pcap where two files were transfered. The trick was to take each odd packet number and take 0x708 of each to create the first file, use the even for the 2nd file. We were left with two Libreoffice ods file. In the 2nd one, we found a table and a weird alphabetic suite which used against the table give us the flag.


We managed to infect the computer of a target. We recorded all packets transferred over the USB port, but there is something unusual. We need them to be sorted to get the juicy secret.


Points: 100

Category: forensic

Validations: 50


We were given a file called usb.pcap. After digging around the file for a while it appears that it’s a USB transfer of several files.

We wrote a simple python script to extract the different blob with scapy.

#!/usr/bin/env python2

from scapy.all import *

pcap = rdpcap("usb.pcap")
for i,p in enumerate(pcap):
	if len(p) > 100:

After analyzing those files, we found that there is two files in the transfer. To reconstruct the two files, we simply use odd and even files for each. Here is the python script to do it:

 #!/usr/bin/env python2
from os.path import join
from os import listdir

working_dir = "working"

folder = []
files1 = []
files2 = []
for i in listdir(working_dir):

for i in folder:
    if int(i) % 2:

#reorder the blob

# create the files1
with open("files1.ods", "wb") as final_files1:

    # clean the sample
    for i in files1:
        final_files1.write(open(join(working_dir, i)).read(0x708))

# create the files2
with open("files2.ods", "wb") as final_files2:

    # clean the sample
    for i in files2:
        final_files2.write(open(join(working_dir, i)).read(0x708)) 

After running our script we were left with two files:

file files1.ods 
files1.ods: OpenDocument Spreadsheet

After opening the first file with Libreoffice we were greeted by:

Fun isn’t it…

Digging in the 2nd file is more profitable, it show us a sort of table with alphabetic and letter:

if you scroll to the 1048576 line vertical and to the top right most, yes there are serious… you’ll found a “code”:


Using this code with the weird alphbetical table give us the flag: ndh[wh3re1sw@lly].

Challenges resources are available in the resources folder

Written on April 4, 2016