the cyber heist
problem
(also, see pcapng file)
solution
The pcapng file is a Wireshark USB sniffer dump, obviously.
We see that there are four USB devices, each with their own address.
In the device descriptor of each, we can see the manufacturer and product.
There are four devices:
1.1.0 is a high speed USB hub of some sort
1.2.0 has an unknown product id but is made by Holtek Semiconductor, Inc.
1.3.0 is a Razer DeathAdder 2013 (mouse)
1.4.0 is unknown all around, but is later revealed to be a drawing tablet
I know that whoever made this challenge definitely plays the game called osu!, where you need a tablet to be good.
We use https://the-sz.com/products/usbid/ to look up the idVendor of the unknown devices, their products and such.
1.4.0 is a drawing tablet
At first I tried collecting mouse data that may spell out a flag with mouse motions, but I just got this instead:
For a while, I was stumped, but then I saw this:
Holtek semiconductor makes various office computer equipment, like keyboards and mice.
So, I pulled up the HID 1.11 spec here
I found some keyboard HID examples:
and then did a Google search for HID keycodes and found this list here. I then decoded the flag using the HID data.
One helpful thing was finding this GitHub thing on HID decoding tips
I used the usb.addr matches "^1.2" filter
I also added the HID data column
Then, it was pretty easy to decode by hand
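The by-hand decoding described above can also be scripted. This is an added example, not part of the original writeup: it assumes the HID data column was exported as one hex string per 8-byte keyboard report, and the sample reports are constructed, not taken from the challenge capture.

```python
# Added example: decode USB HID boot-keyboard reports (8 bytes each) into text.
# Report layout: [modifier bits, reserved, up to six key usage IDs].
import string

SHIFT_MASK = 0x22   # left shift (bit 1) or right shift (bit 5)
BACKSPACE = 0x2A

# HID Keyboard/Keypad usage ID -> (plain, shifted) character
KEYMAP = {0x04 + i: (c, c.upper()) for i, c in enumerate(string.ascii_lowercase)}
KEYMAP.update({0x1E + i: p for i, p in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})

def decode_reports(hex_reports):
    """Turn an iterable of hex report strings into the text that was typed."""
    typed, held = [], set()
    for line in hex_reports:
        data = bytes.fromhex(line.strip().replace(":", ""))
        if len(data) != 8:
            continue                      # not a boot-protocol keyboard report
        shifted = bool(data[0] & SHIFT_MASK)
        keys = [k for k in data[2:] if k > 0x03]   # 0x00 = empty, 0x01-0x03 = errors
        for k in keys:
            if k in held:
                continue                  # still down from the previous report
            if k == BACKSPACE:
                if typed:
                    typed.pop()
            elif k in KEYMAP:
                typed.append(KEYMAP[k][shifted])
        held = set(keys)
    return "".join(typed)

# Constructed sample (not from the challenge capture): includes a rollover
# report, a typo fixed with backspace, and both shift keys.
SAMPLE = """0000090000000000 0000000000000000 00000f0000000000 0000000000000000
0000040000000000 0000040a00000000 0000000000000000 0200000000000000
02002f0000000000 0000000000000000 00000e0000000000 0000000000000000
0000210000000000 0000000000000000 00002a0000000000 0000000000000000
0000200000000000 0000000000000000 00001c0000000000 0000000000000000
2000300000000000 0000000000000000""".split()

if __name__ == "__main__":
    print(decode_reports(SAMPLE))
```

Tracking which keys were already down in the previous report is what keeps a held key from being counted twice when a second key is pressed before the first is released.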