Blogger

Recently, John's keys began to be pressed by themselves when he runs his blog. You need to figure out what's the matter.

Download: sar2020_usb_here.pcapng

Recon

You get a PCAP with usb keyboard traffic in it.

Used someone else's decoder (lol) + a tshark oneliner:

Code

$ tshark -r usb_here.pcapng -T fields -e usb.capdata | tr -d : | egrep -v '^$' > dd
$ python decode.py dd
tabtabSherlock,spaceJohn,spaceandspaceHenryspacethenspacevisitspacethespacehollowspaceinspacethespacehopespaceofspacefindingspacethespacehound.spaceOnspacethespaceway,spaceJohnspacenoticesspacewhatspaceseemsspacetospacebespaceFLAG{like_a_b100dh0und}tabtabe%

Flag

FLAG{like_a_b100dh0und}