USB100 (Forensics)
For this challenge, I was given a Wireshark capture (pcapng) of USB traffic. First, I used the following tshark command to dump the raw USB payload data (the `usb.capdata` field) transferred between the devices, one hex string per packet:
```shell
tshark -r send.pcapng -2 -e "usb.capdata" -Tfields > dump.txt
```
With all the data dumped, I converted it back from hex to raw bytes: I uploaded dump.txt to CyberChef, applied the “From Hex” recipe, and downloaded the result as download.dat. The remaining task was to separate the individual files embedded in that byte stream.
Next, I used binwalk to extract all the files from download.dat:
```shell
binwalk --dd=".*" download.dat
```
Most of the extracted files were anime images, along with two unknown files and a Windows executable.
I utilized Wine to run the executable and easily obtained the flag!
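The same reassemble-and-carve workflow in a single script, as an added example that is not part of the original write-up. It assumes the tshark command above writes one `usb.capdata` hex string per packet (plain hex or colon-separated, depending on tshark version) and approximates what the CyberChef “From Hex” step and binwalk's signature carving did; the sample dump, the signature table and the function names are constructed for illustration.

```python
"""Reassemble USB payloads dumped by tshark and carve embedded files.

Added example, not from the original post. It reproduces the two manual
steps (CyberChef "From Hex", then binwalk carving) on a constructed dump.
"""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for dump.txt: a JPEG header, a PNG header and a
# DOS/PE "MZ" stub, each split across several USB packets the way
# usb.capdata lines appear in tshark output. The blank line stands for a
# packet that carried no capdata.
SAMPLE_DUMP = """\
ff:d8:ff:e0:00:10:4a:46
49:46:00:01

ffd9
89504e470d0a1a0a0000000d49484452
49454e44ae426082
4d5a90000300000004000000ffff0000
"""

# Magic signatures a binwalk-style carver keys on. Real container sizes
# are not parsed here: each carved chunk simply runs until the next
# signature, which is enough to split a stream up for triage. The
# two-byte "MZ" magic is short and can produce false positives on
# arbitrary data, so treat "exe" hits as candidates, not certainties.
SIGNATURES: Dict[str, bytes] = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "exe": b"MZ",
}


def hex_lines_to_bytes(text: str) -> bytes:
    """Decode tshark usb.capdata lines (plain or colon-separated hex)
    into one contiguous byte stream, like CyberChef's From Hex."""
    out = bytearray()
    for line in text.splitlines():
        hexstr = re.sub(r"[^0-9a-fA-F]", "", line)  # drop ':' and whitespace
        if not hexstr:
            continue  # packet without capdata
        if len(hexstr) % 2:
            raise ValueError(f"odd-length hex on line: {line!r}")
        out += bytes.fromhex(hexstr)
    return bytes(out)


def find_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, kind) for every known magic, sorted by offset."""
    hits = []
    for kind, magic in SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def carve(data: bytes) -> List[Tuple[str, bytes]]:
    """Split the stream into chunks, one starting at each signature hit."""
    hits = find_signatures(data)
    chunks = []
    for i, (off, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        chunks.append((kind, data[off:end]))
    return chunks


def carve_dump(text: str) -> List[Tuple[str, bytes]]:
    """Full pipeline: tshark hex lines -> bytes -> carved (kind, blob) list."""
    return carve(hex_lines_to_bytes(text))


if __name__ == "__main__":
    # Write each carved chunk to its own file, mirroring binwalk --dd output.
    for n, (kind, blob) in enumerate(carve_dump(SAMPLE_DUMP)):
        name = f"{n}.{kind}"
        with open(name, "wb") as f:
            f.write(blob)
        print(f"{name}: {len(blob)} bytes")
```

Run it against a real dump.txt by replacing `SAMPLE_DUMP` with the file's contents; the offsets it prints are the same ones binwalk reports, which makes it easy to cross-check that no packet was dropped during the hex conversion.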
This post is licensed under CC BY 4.0 by the author.