hexionCTF 2020 Miscellaneous


We are given jerry.pcapng, which is a pcap of USB mouse movement. (This took my team and me way longer to figure out than it should have, given that Jerry from Tom and Jerry is a mouse.)

My team found a script at which I used. The script had to be ported from Python 2 to Python 3, and my version of tshark functions differently than the original script expected. I also changed some other small things to make the script more like my style.

Once that was out of the way, I ran the code but got a bunch of scribbles.

A flag?

My teammates noticed that it did look a little like a flag, and by shrinking the marker size and widening the image we got this:

A flag!?

The writing was still messed up, since the script logged every movement, not just when the mouse was pressed. (Actually, here two of our teammates were able to read the flag! Yay for bad handwriting.) After that was changed, we got the flag.

Here is the code:

import os
import matplotlib.pyplot as plt

pcapFilePath = "jerry.pcapng"
DataFileName = "usb.dat"
data = []


def main():
    X = []
    Y = []
    mouseX = 0
    mouseY = 0
    # get data of pcap
    command = "tshark -r %s -T fields -e usb.capdata > %s" % (pcapFilePath, DataFileName)
    os.system(command)
    # read data
    with open(DataFileName, "r") as f:
        for line in f:
            # depending on what tshark you have, the output may be separated by ":" instead
            line = line.strip().replace(":", "")
            if line:
                data.append(line)
    # print(data)
    # handle each movement
    for dat in data:
        # split the hex string into bytes, two characters at a time
        capture_data = [dat[i:i + 2] for i in range(0, len(dat), 2)]
        if len(capture_data) == 8:
            horizontal = 2  # -
            vertical = 4  # |
        elif len(capture_data) == 4:
            horizontal = 1  # -
            vertical = 2  # |
        else:
            # not a mouse report of a known size
            continue
        offsetX = int(capture_data[horizontal], 16)
        offsetY = int(capture_data[vertical], 16)
        # offsets are signed 8-bit values
        if offsetX > 127:
            offsetX -= 256
        if offsetY > 127:
            offsetY -= 256
        mouseX += offsetX
        mouseY += offsetY
        # don't record the movement if the mouse is not pressed down
        if capture_data[0] == "00":
            continue
        X.append(mouseX)
        # negate Y so the plot is not upside down (the mouse reports downward motion as positive)
        Y.append(-mouseY)
    fig = plt.figure()
    ax1 = fig.add_subplot(111)
    # print(X)
    # print(Y)
    ax1.set_title("File " + pcapFilePath)
    ax1.scatter(X[:-10], Y[:-10], s=1, c='r', marker='o')
    # show the plot
    plt.show()
    # clean temp data
    os.remove(DataFileName)


if __name__ == "__main__":
    main()
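
The pressed-only filtering described above can be taken one step further by grouping reports into separate strokes, so each one can be drawn as a connected line instead of scattered dots. This is an added example, not the script from the original post; `s8`, `decode_strokes` and `SAMPLE` are hypothetical names, and the sample reports are constructed.

```python
# Added example: runs on constructed sample reports, no pcap or tshark needed.
def s8(hex_byte):
    """Interpret one hex byte as a signed 8-bit value (two's complement)."""
    v = int(hex_byte, 16)
    return v - 256 if v > 127 else v


def decode_strokes(lines):
    """Turn usb.capdata lines into a list of strokes (lists of (x, y) points).

    A stroke starts when the button byte becomes non-zero and ends on release.
    Assumes the same layouts as the script above: 4-byte reports with
    dx, dy in bytes 1 and 2, or 8-byte reports with dx, dy in bytes 2 and 4.
    """
    x = y = 0
    strokes, current = [], None
    for line in lines:
        raw = line.strip().replace(":", "")   # accept "00:01:ff:00" or "0001ff00"
        report = [raw[i:i + 2] for i in range(0, len(raw), 2)]
        if len(report) == 4:
            dx, dy = s8(report[1]), s8(report[2])
        elif len(report) == 8:
            dx, dy = s8(report[2]), s8(report[4])
        else:
            continue                           # empty line or unknown report size
        x, y = x + dx, y + dy                  # the cursor moves even with the pen up
        if int(report[0], 16) != 0:            # button held: start or extend a stroke
            if current is None:
                current = []
                strokes.append(current)
            current.append((x, -y))            # flip Y: reports count down, plots count up
        else:
            current = None                     # button released: close the stroke
    return strokes


# Constructed sample: move, draw two points to the right, lift and move, draw downward.
SAMPLE = ["00050000", "01010000", "01:01:00:00", "00000300", "",
          "0100ff00", "01000100", "00000000"]

if __name__ == "__main__":
    import matplotlib.pyplot as plt
    for stroke in decode_strokes(SAMPLE):
        plt.plot(*zip(*stroke))                # one connected line per stroke
    plt.show()
```

Feeding it the lines of usb.dat instead of `SAMPLE` draws each press-to-release segment as its own line, which keeps pen-up jumps between letters out of the picture.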
