Tags: buckeyectf usb-exfiltration
Rating:
## USB Exfiltration
We are given the traffic of a usb transfer and there has been a transfer of `zip` file.
[pcapng file](https://github.com/cscosu/buckeyectf-2021/raw/master/misc/usb_exfiltration/dist/exfiltration.pcapng)
Opening this in wireshark shows a lot of (644) packets. Most of them are small, but some of them standout in size. Examining the first of them (in time order) showed that it started with `PK...` which told me it is the bytes of a zip file.
I observed that this data was in the packet numbers - `415,417,.....497`
So I used `scapy` in python to extract and join them together
```python
from scapy.all import *
packets = rdpcap('./exfiltration.pcapng')
data = b""
i = 414 # 0 indexed
while i<=496:
data += raw(packets[i])[64:]
i+=2
f = open("zipfile", "wb")
f.write(data)
```
unzipping the file we get two files :
`meme.png`
`flag.b64`
```python
YnVja2V5ZXt3aHlfMXNudF83aDNyM180X2RpNTVlY3Qwcl80X3RoMXN9Cg==
```
decoding this base64 data
```python
>>> import base64
>>> base64.b64decode("YnVja2V5ZXt3aHlfMXNudF83aDNyM180X2RpNTVlY3Qwcl80X3RoMXN9Cg==")
b'buckeye{why_1snt_7h3r3_4_di55ect0r_4_th1s}\n'
```
