Objective

The challenge story states:

I attached my friend’s USB drive to my laptop and accidentally copied a private file, which I immediately deleted. But my friend still somehow got the file from looking at the USB message their drive recorded…

The goal is to analyze the given USB capture file and recover the flag hidden inside.

Attachments

Approach

We are given a packet capture (.pcapng) related to USB traffic. Since USB storage protocols can transfer raw file data, it is possible that the deleted file is still present in the capture.

Step 1: Extract the provided file

gunzip usbstorage.pcapng.gz
ls
# usbstorage.pcapng

Purpose: Decompress the provided .gz file to get the raw usbstorage.pcapng.

Step 2: Inspect with binwalk

binwalk usbstorage.pcapng

Output:

1343984       0x1481F0        gzip compressed data, from Unix, last modified: 1970-01-01 00:00:00 (null date)

Purpose: Check the .pcapng for hidden or embedded files. We find a gzip-compressed data stream inside.

Step 3: Extract the embedded file

binwalk -e usbstorage.pcapng
cd _usbstorage.pcapng.extracted
ls
# 1481F0

Purpose: Use binwalk -e to automatically extract the hidden data. This creates a directory with the extracted file.

Step 4: Identify the extracted file

file 1481F0
# POSIX tar archive (GNU)

Purpose: Verify the file type. The extracted file is actually a tar archive.

Step 5: Unpack the tar archive

tar -xvf 1481F0
# flag.gz

Purpose: Extract the contents of the tar archive, revealing a compressed file named flag.gz.

Step 6: Decompress the flag

gunzip flag.gz
ls
# flag

file flag
# ASCII text

cat flag
ENO{USB_STORAGE_SHOW_ME_THE_FLAG_PLS}

Purpose: Decompress flag.gz to get the final flag file, then read its contents to recover the CTF flag.

✅ Flag successfully recovered.

Flag

ENO{USB_STORAGE_SHOW_ME_THE_FLAG_PLS}