Tags: tshark forensics 


```
root@1v4n:~/CTF/b002root19/Forensics# mkdir key_me_baby
root@1v4n:~/CTF/b002root19/Forensics# cd key_me_baby
root@1v4n:~/CTF/b002root19/Forensics/key_me_baby# gdown
root@1v4n:~/CTF/b002root19/Forensics/key_me_baby# gdown https://drive.google.com/uc?id=1yO4j-7CEr2lvl3n7kkqGLSBNqsZlhmL_
Downloading...
From: https://drive.google.com/uc?id=1yO4j-7CEr2lvl3n7kkqGLSBNqsZlhmL_
To: /root/CTF/b002root19/Forensics/key_me_baby_GRANTED/data.pcapng
100%|█████████████████████████████████████████████████████████████| 36.7k/36.7k [00:00<00:00, 4.14MB/s]
root@1v4n:~/CTF/b002root19/Forensics/key_me_baby_GRANTED# file data.pcapng
data.pcapng: pcap-ng capture file - version 1.0
root@1v4n:~/CTF/b002root19/Forensics/key_me_baby_GRANTED# tshark -r data.pcapng -Y "usb.bus_id == 1 && usb.device_address == 71 && usb.transfer_type == 0x01" -T fields -e usb.capdata
Running as user "root" and group "root". This could be dangerous.

00:00:00:00:00:00:00:00

00:00:00:00

00:00:05:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:27:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:27:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:17:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:1f:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:15:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:12:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:12:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:17:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:2f:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:06:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:04:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:13:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:17:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:18:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:15:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:08:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:17:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:0b:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:08:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:0e:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:08:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:1c:00:00:00:00:00

00:00:00:00:00:00:00:00

00:00:30:00:00:00:00:00

00:00:00:00:00:00:00:00

root@1v4n:~/CTF/b002root19/Forensics/key_me_baby# nano get_flag.sh

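#!/bin/bash
#
# get_flag.sh - pull the USB payload bytes out of data.pcapng and decode them.
#
# Step 1: tshark prints usb.capdata for every packet matching the display
#         filter (bus 1, device address 71, transfer type 0x01 = interrupt).
#         sed drops the empty lines and strips blanks; the result is saved
#         in captured.txt.
# Step 2: bkeymap20.py writes the decoded text to ./flag. Its source is not
#         shown here; presumably it reads captured.txt and maps the HID key
#         usage ID in the third byte of each report to a character.
#
# NOTE(review): tshark's dissectors parse untrusted capture data, so run this
# as an unprivileged user rather than root (tshark itself warns about this).

# Abort on any failure, including a failure of tshark inside the pipeline.
# Without pipefail only sed's exit status is checked, so a failed tshark would
# leave an empty captured.txt and the decoder would still run.
set -euo pipefail

readonly capture='data.pcapng'
readonly display_filter='usb.bus_id == 1 && usb.device_address == 71 && usb.transfer_type == 0x01'

tshark -r "$capture" -Y "$display_filter" -T fields -e usb.capdata \
  | sed '/^$/d;s/[[:blank:]]//g' > captured.txt

python2 bkeymap20.py > flag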

root@1v4n:~/CTF/b002root19/Forensics/key_me_baby# chmod +x get_flag.sh
root@1v4n:~/CTF/b002root19/Forensics/key_me_baby# cat flag
b00t2root[capturethekey]
```

Original writeup (https://github.com/1r0dm480/CTF-Wr1T3uPs/tree/master/b00t2root19/Forensics/key_me_baby).