We start out with a pcap. Opening it up we can see a lot of USB data
If we filter down to URB_INTERUPRTS (usb.transfer_type == 0x01) coming from 1.9.1 to the host (usb.src == “1.9.1”), we can see the details of the keystrokes.
To make this easier to read, I applied the Leftover Capture Data as a new column.
After that, I filtered out the 0ed columns (!(usb.capdata == 00:00:00:00:00:00:00:00))
We are left with a list of responses, which we can look up against the HID usage table to see the keystrokes
To make this even easier, I stripped out a lot of the unnecessary data using some regex
We are now left with the Usage ID, which we just compare to the
And once we are done with this (you can make a script to convert everything for you but I just did this manually) you will have the flag.
flag{f7733e0093b7d281dd0a30fcf34a9634}
Killian Sherer 