V1 with content

writeups/2025-06-12-USB51.md

@@ -0,0 +1,73 @@
+---
+title: "404CTF 2025: USB51"
+excerpt: "Identifying information present in a data leak using a USB packet capture."
+tags: [ctf, forensics] 
+---
+
+Someone tried to exfiltrate data from our space agency, and we need to know what it was. To do this, we're given a USB packet capture in `pcapng` format. Opening it using Wireshark was my first reflex:
+
+```
+1	0.000000	host	2.3.2	USBMS	95	SCSI: Test Unit Ready LUN: 0x00
+2	0.000037	2.3.2	host	USB	64	URB_BULK out
+3	0.000054	host	2.3.1	USB	64	URB_BULK in
+4	0.000150	2.3.1	host	USBMS	77	
+5	1.173244	host	1.1.0	USBHUB	64	SET_FEATURE Request    [Port 3: PORT_SUSPEND]
+```
+
+As we can see, there is some communication going on between the host and a couple of USB devices. When ordering the packets by Length, we find something interesting:
+
+```
+43	3.364572	host	2.3.2	USB	48192	URB_BULK out
+73	3.381362	host	2.3.2	USB	576	URB_BULK out
+67	3.380135	host	2.3.2	USB	576	URB_BULK out
+61	3.378983	host	2.3.2	USB	576	URB_BULK out
+```
+
+One packet is clearly standing out from the others; its size is 48192 bytes, whereas the others are usually 576 bytes or less. Let's investigate this one: we can copy its raw information as a hex stream:
+
+```
+255044462d312e370a25c3a4c3bcc3b6c39f0a322030206f626a0a3c3c2f4c656e6774682033203020522f46696c7465722f466c6174654465636f64653e3e0a73747265616d0a789c9d5a4d8fe3b811bdf7af30905b0e1ab2f80d180624cb0eb2c81e266920872087ddd9d960379b1964308b24ff3eaf8a12f561aa65ed34bac7966592557cf5
+[redacted for simplicity]
+```
+
+This hex can then be transcribed to ASCII-printable characters with a tool like CyberChef:
+
+```
+@µC*ä.ÿÿS.....-.é©.h....§*	..ÿÿÿ.¼...¼..........................%PDF-1.7
+%äüöÃ.
+2 0 obj
+<</Length 3 0 R/Filter/FlateDecode>>
+[redacted for simplicity]
+```
+
+Looks like we found a PDF file! Let's look at the hex dump of a sample PDF to see how it's made on the inside:
+
+```
+00000000   25 50 44 46  2D 31 2E 37  0A 25 C3 A4  %PDF-1.7.%..
+0000000C   C3 BC C3 B6  C3 9F 0A 32  20 30 20 6F  .......2 0 o
+00000018   62 6A 0A 3C  3C 2F 4C 65  6E 67 74 68  bj.<</Length
+00000024   20 33 20 30  20 52 2F 46  69 6C 74 65   3 0 R/Filte
+00000030   72 2F 46 6C  61 74 65 44  65 63 6F 64  r/FlateDecod
+0000003C   65 3E 3E 0A  73 74 72 65  61 6D 0A 78  e>>.stream.x
+[redacted for simplicity]
+00001D08   0A 3E 3E 0A  73 74 61 72  74 78 72 65  .>>.startxre
+00001D14   66 0A 36 38  39 34 0A 25  25 45 4F 46  f.6894.%%EOF
+00001D20   0A                                     .
+```
+
+We can see that a normal PDF file starts with `%PDF-1.7` and ends with `%%EOF`, followed by a newline character (in the dump, byte `0A`). We can now trim our hex dump to these borders, and then dump the whole hex into a fresh PDF, to examine it like a human would do:
+
+```
+$ xxd -r -p pdf_hex.txt > extracted.pdf
+$ open extracted.pdf
+```
+
+When opening that PDF file, we see a report of the space agency, containing a binary piece of information, that we can convert to ASCII easily:
+
+```
+00110100 00110000 00110100 01000011 01010100 01000110 01111011 01010111
+00110011 01011111 01100011 00110000 01001101 01000101 01011111 01001001
+01001110 01011111 01110000 00110011 01100001 01000011 00110011 01111101
+```
+
+We have the flag! `404CTF{W3_c0ME_IN_p3aC3}`