Tags: wireshark python keylogger
Rating:
# Abstract
For the detailed version see the [Github page](https://github.com/KamilPacanek/writeups/blob/master/ctf/HTB.CA2021/keymission.md).
## ToE
We are given the `key_mission.pcap` file. This is a USB keyboard keylogger dump.
## Parsing the packet file
I have opened the file with the Wireshark and seek for the keystrokes interruption packets.
With the great support of the AliBawazeEer's writeup from Kaizen CTF 2018 (check *Additional readings* section in the original writeup) I've parsed the packets with `frame.len == 72`. I'm also using the script provided by the AliBawazeEer to map the hex codes to actual key inputs.
Afterward I did my trial and error to write the Python script to truncate redundant characters and apply `shift` keys, which finally results in the final message.
## Output
```
I am sending secretarys location over this totally encrypted channel to make sure no one else will be able to read it except of us This information is confidential and must not be shared with anyone else The secretarys hidden location is CHTB[A-plac3-fAr-fAr-away-fr0m-eaedelrth]
```
Parser got wrong the first `A` character so the correct flag is
> `CHTB{a_plac3_fAr_fAr_away_fr0m_earth}`