Strange PCAP
[forensics]
We managed to get all the data to incriminate our CEO for selling company secrets. Can you please help us and give us the secret data that he has leaked?
- Download: hacktm2020_strangepcap.pcap
USB
The file looks like a USB capture.
- Packet 1090 contains a reference to secret.zip
- Packet 1224 contains a PK header and Flag.txt reference
Exported ZIP file:
The ZIP file needs a password. It is a ZIP 2.0 file.
Keycodes
The keypresses are in the pcap file as well:
Key codes from the Leftover Capture Data field (an x prefix means Shift was held):
24 19 0A 0D 21 x16 x16 x0f 26 x11 x0b x19 18 x0e 27 x07 23 07 20 x09 28
The key codes were translated with this table: USB_Hex.py
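The key-code translation described above, as an added example that is not part of the original write-up. It goes one step further than the list shown here and decodes 8-byte HID boot-keyboard reports; the report layout (modifier byte, reserved byte, six key slots), the US key map and the helper names are assumptions, and the sample reports are constructed from the key codes listed above.

```python
# Added example: decode USB HID boot-keyboard reports (8 bytes each) into text.
# Assumed layout: byte 0 = modifier bits, byte 1 = reserved, bytes 2-7 = key usage IDs.
SHIFT_BITS = 0x02 | 0x20          # left shift | right shift in the modifier byte

# Usage ID -> (plain, shifted) for a US layout: letters, digit row, Enter, Space.
KEYMAP = {0x28: ("\n", "\n"), 0x2C: (" ", " ")}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, (plain, shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (plain, shifted)


def decode_reports(reports):
    """Return the text typed in a sequence of 8-byte keyboard reports."""
    out, held = [], set()
    for rep in reports:
        if len(rep) != 8:          # not a boot-keyboard report (e.g. mass-storage data)
            continue
        shift = bool(rep[0] & SHIFT_BITS)
        keys = [k for k in rep[2:8] if k > 0x03]   # 0x00 = none, 0x01-0x03 = error codes
        for k in keys:
            if k in held:          # still down from the previous report, not a new press
                continue
            pair = KEYMAP.get(k)
            out.append(pair[shift] if pair else f"<0x{k:02x}>")
        held = set(keys)
    return "".join(out)


def reports_from_notation(notation):
    """Build press + release reports from the page's notation ('x' prefix = shift)."""
    reports = []
    for tok in notation.split():
        shift = tok.startswith("x")
        code = int(tok.lstrip("x"), 16)
        reports.append(bytes([0x02 if shift else 0x00, 0, code, 0, 0, 0, 0, 0]))
        reports.append(bytes(8))   # all-zero report: key released
    return reports


# Constructed sample: reports rebuilt from the key codes listed above, not raw capture bytes.
PAGE_CODES = ("24 19 0A 0D 21 x16 x16 x0f 26 x11 x0b x19 18 x0e "
              "27 x07 23 07 20 x09 28")

if __name__ == "__main__":
    print(repr(decode_reports(reports_from_notation(PAGE_CODES))))
```

The release report between two presses matters: without it, the repeated `x16 x16` would be read as one held key.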
Flag
- ZIP password: 7vgj4SSL9NHVuK0D6d3F
- Flag: HackTM{88f1005c6b308c2713993af1218d8ad2ffaf3eb927a3f73dad3654dc1d00d4ae}