We managed to infect the computer of a target. We recorded all packets transferred over the USB port, but there is something unusual. We need them to be sorted to get the juicy secret.
The provided pcap file contains 22 USB packets, as shown in the Wireshark screenshot below
By dumping those packets into the files part01, part02, …, part22, we can see that the first two packets pertain to OpenDocument spreadsheet files
A rough manual inspection of the dumped parts suggets that the sniffed USB pcap contains only two ODS documents. Moreover, the last two parts are likely to be the last blocks of the ODS files, given that both packets contain the string META-INF/manifest.xml.
To reconstruct the ODS files, we bruteforce all the possible combinations of the dumped parts under the hypotesis that the packets appear ordered with respect to each file in the pcap dump. Working with these assumptions, the number of all the possible packet sequences is 2**19 == 524288. The following Python script explores the whole combination space and for each packet sequence it checks whether the assembled file is a valid zip archive (which is the underlying file format used by ODS). If so, the sequence of the first file is correct and we can dump both files.
The first ODS does not appear to be relevant to the solution, whilst result_b.ods provides the string g6d5g5f2b6g5d3e in the lower right cell of the spreadsheet. This string is just a sequence of coordinates for the table provided in the same file.
By mapping each coordinate to the correct character we retrieve the flag: ndh[wh3re1sw@lly]