---
title: "404CTF 2025: USB51"
excerpt: "Identifying information present in a data leak using a USB packet capture."
tags: [ctf, forensics] 
---

Someone tried to exfiltrate data from our space agency, and we need to know what it was. To do this, we're given a USB packet capture in `pcapng` format. Opening it using Wireshark was my first reflex:

```
1	0.000000	host	2.3.2	USBMS	95	SCSI: Test Unit Ready LUN: 0x00
2	0.000037	2.3.2	host	USB	64	URB_BULK out
3	0.000054	host	2.3.1	USB	64	URB_BULK in
4	0.000150	2.3.1	host	USBMS	77	
5	1.173244	host	1.1.0	USBHUB	64	SET_FEATURE Request    [Port 3: PORT_SUSPEND]
```

As we can see, there is some communication going on between the host and a couple of USB devices. When ordering the packets by Length, we find something interesting:

```
43	3.364572	host	2.3.2	USB	48192	URB_BULK out
73	3.381362	host	2.3.2	USB	576	URB_BULK out
67	3.380135	host	2.3.2	USB	576	URB_BULK out
61	3.378983	host	2.3.2	USB	576	URB_BULK out
```

One packet is clearly standing out from the others; its size is 48192 bytes, whereas the others are usually 576 bytes or less. Let's investigate this one: we can copy its raw information as a hex stream:

```
255044462d312e370a25c3a4c3bcc3b6c39f0a322030206f626a0a3c3c2f4c656e6774682033203020522f46696c7465722f466c6174654465636f64653e3e0a73747265616d0a789c9d5a4d8fe3b811bdf7af30905b0e1ab2f80d180624cb0eb2c81e266920872087ddd9d960379b1964308b24ff3eaf8a12f561aa65ed34bac7966592557cf5
[redacted for simplicity]
```

This hex can then be transcribed to ASCII-printable characters with a tool like CyberChef:

```
@µC*ä.ÿÿS.....-.é©.h....§*	..ÿÿÿ.¼...¼..........................%PDF-1.7
%äüöÃ.
2 0 obj
<</Length 3 0 R/Filter/FlateDecode>>
[redacted for simplicity]
```

Looks like we found a PDF file! Let's look at the hex dump of a sample PDF to see how it's made on the inside:

```
00000000   25 50 44 46  2D 31 2E 37  0A 25 C3 A4  %PDF-1.7.%..
0000000C   C3 BC C3 B6  C3 9F 0A 32  20 30 20 6F  .......2 0 o
00000018   62 6A 0A 3C  3C 2F 4C 65  6E 67 74 68  bj.<</Length
00000024   20 33 20 30  20 52 2F 46  69 6C 74 65   3 0 R/Filte
00000030   72 2F 46 6C  61 74 65 44  65 63 6F 64  r/FlateDecod
0000003C   65 3E 3E 0A  73 74 72 65  61 6D 0A 78  e>>.stream.x
[redacted for simplicity]
00001D08   0A 3E 3E 0A  73 74 61 72  74 78 72 65  .>>.startxre
00001D14   66 0A 36 38  39 34 0A 25  25 45 4F 46  f.6894.%%EOF
00001D20   0A                                     .
```

We can see that a normal PDF file starts with `%PDF-1.7` and ends with `%%EOF`, followed by a newline character (in the dump, byte `0A`). We can now trim our hex dump to these borders, and then dump the whole hex into a fresh PDF, to examine it like a human would do:

```
$ xxd -r -p pdf_hex.txt > extracted.pdf
$ open extracted.pdf
```

When opening that PDF file, we see a report of the space agency, containing a binary piece of information, that we can convert to ASCII easily:

```
00110100 00110000 00110100 01000011 01010100 01000110 01111011 01010111
00110011 01011111 01100011 00110000 01001101 01000101 01011111 01001001
01001110 01011111 01110000 00110011 01100001 01000011 00110011 01111101
```

We have the flag! `404CTF{W3_c0ME_IN_p3aC3}`