Forensics
Medium
120 points

Mouse Cap

Recuite 2025 - HCMUS
October 6, 2025
USB
PCAP
Mouse Movements
HID

Mouse Cap - Writeup

Challenge Information

  • Category: Forensics
  • Difficulty: Medium
  • Files: capture.pcapng
  • Hint: "Did you know you can capture USB traffic?"

Analysis

USB HID Mouse Protocol

USB mouse movement data is transmitted as a 4-byte packet:

  • Byte 0: Button status (0=none, 1=left, 2=right)
  • Byte 1: X displacement (signed byte, -127 to 127)
  • Byte 2: Y displacement (signed byte, -127 to 127)

PCAPNG Structure

USB packets in pcapng:

  • Header: 28 bytes (0x1c) of metadata
  • Leftover Capture Data: the actual USB data (the part after the header)

Solution

Extract USB Mouse Data

from scapy.all import rdpcap, Raw

packets = rdpcap('capture.pcapng')
mouse_movements = []

for packet in packets:
    if packet.haslayer(Raw):
        raw_data = bytes(packet[Raw].load)

        # Skip the capture header; what remains is the Leftover Capture Data
        if len(raw_data) > 28:
            leftover = raw_data[27:]

            # Keep only payloads short enough to be a mouse report
            if len(leftover) in [4, 5, 6, 7, 8]:  # Mouse data
                button = leftover[0]
                # Convert the unsigned bytes to signed displacements
                x = leftover[1] if leftover[1] < 128 else leftover[1] - 256
                y = leftover[2] if leftover[2] < 128 else leftover[2] - 256
                mouse_movements.append({'button': button, 'x': x, 'y': y})

Reconstruct Path

x, y = 0, 0
path = [(0, 0)]

for move in mouse_movements:
    x += move['x']
    y += move['y']
    path.append((x, y))

Visualize

import matplotlib.pyplot as plt

x_coords = [p[0] for p in path]
y_coords = [p[1] for p in path]

plt.plot(x_coords, y_coords, 'b-')
plt.gca().invert_yaxis()  # Screen coordinates: invert Y axis
plt.savefig('mouse_path.png', dpi=300)
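
The steps above plot every movement, including those made with no button pressed. The code below is an added example, not part of the original writeup, and goes one step further: it splits the path into strokes made while the left button is held. It assumes byte 0 is a bitmask with bit 0 as the left button; the function names and the sample reports are constructed for illustration.

```python
import struct

def decode_report(report: bytes):
    """Decode one report: byte 0 = buttons, bytes 1-2 = signed X/Y deltas."""
    if len(report) < 3:
        raise ValueError("report shorter than 3 bytes")
    return struct.unpack_from("<Bbb", report)  # (buttons, dx, dy)

# Assumption: byte 0 is a bitmask and bit 0 (0x01) is the left button.
def strokes_from_reports(reports, draw_mask=0x01):
    """Accumulate deltas; return one point list per run with the button held."""
    x = y = 0
    strokes, current = [], []
    for report in reports:
        try:
            buttons, dx, dy = decode_report(report)
        except ValueError:
            continue  # skip truncated payloads instead of corrupting the path
        x, y = x + dx, y + dy  # the cursor moves whether or not a button is held
        if buttons & draw_mask:
            current.append((x, y))
        elif current:
            strokes.append(current)  # button released: close the stroke
            current = []
    if current:
        strokes.append(current)
    return strokes

def bounds(strokes):
    """Return (min_x, max_x, min_y, max_y) over all stroke points."""
    xs = [p[0] for s in strokes for p in s]
    ys = [p[1] for s in strokes for p in s]
    return min(xs), max(xs), min(ys), max(ys)

# Constructed sample reports (not taken from capture.pcapng)
SAMPLE_REPORTS = [
    bytes.fromhex("00050500"),  # move, no button
    bytes.fromhex("01000a00"),  # left held: down 10
    bytes.fromhex("01000a00"),
    bytes.fromhex("010a0000"),  # left held: right 10
    bytes.fromhex("00140000"),  # released: cursor repositions
    bytes.fromhex("01f6f600"),  # left held: 0xf6 = -10 on both axes
    bytes.fromhex("01f6f600"),
    bytes.fromhex("00"),        # truncated payload, ignored
]

if __name__ == "__main__":
    for i, stroke in enumerate(strokes_from_reports(SAMPLE_REPORTS)):
        print(f"stroke {i}: {stroke}")
```

Each stroke can be passed to plt.plot separately so that repositioning moves between strokes are not drawn.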

Results

  • Total packets: 29,040
  • Mouse movements: 14,399
  • Path range: X=[-133, 1714], Y=[-902, 339]
  • Flag visible when plotting mouse path!

Flag

BPCTF{usb_mouse_is_so_ez}

Key Takeaways

Technical Lessons

  1. A USB HID mouse sends simple 4-byte packets.
  2. USB captures in PCAPNG often have a ~28-byte header before the USB data.
  3. Signed byte conversion: x if x < 128 else x - 256.
  4. Mouse movement is relative, so the displacements must be accumulated to reconstruct the path.

Security Implications

  • USB traffic can be captured and analyzed.
  • Mouse movements can reveal user behavior.
  • HID devices can be used for covert channels.
  • USB keyloggers and mouse loggers are a serious threat.

Defense

  • Monitor unusual USB connections.
  • Whitelist allowed USB devices.
  • Use endpoint detection systems that track USB activity.