Disk, disk, sleuth! II
All we know is the file with the flag is nameddown-at-the-bottom.txt... Disk image: dds2-alpine.flag.img.gz
- 1.Using the TSK Tool Overview website we can find that the
flscommand can list all files in a directory. We specify the-r, which means recursive so it will scan the entire disk image, and-p, so it prints the full path, flags. The-oflag is the offset of the partition we want to use, which can be dounf by runningmmls dds2-alpine.flag.img. Finally, we search the output usinggrepfor the name of the file given in the challenge description. So, the resulting command looks as follows:fls -r -p -o 2048 dds2-alpine.flag.img | grep down-at-the-bottom.txt. The output is:r/r 18291: root/down-at-the-bottom.txt - 2.
18291is the inode number of the file. We can useicatto list the contents of that inode like so:icat -o 2048 dds2-alpine.flag.img 18291The flag is shown in the output (inside of a unique pattern so we couldn't simply search for it):_ _ _ _ _ _ _ _ _ _ _ _ _/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \( p ) ( i ) ( c ) ( o ) ( C ) ( T ) ( F ) ( { ) ( f ) ( 0 ) ( r ) ( 3 ) ( n )\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/_ _ _ _ _ _ _ _ _ _ _ _ _/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \( s ) ( 1 ) ( c ) ( 4 ) ( t ) ( 0 ) ( r ) ( _ ) ( n ) ( 0 ) ( v ) ( 1 ) ( c )\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/_ _ _ _ _ _ _ _ _ _ _/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \( 3 ) ( _ ) ( 0 ) ( b ) ( a ) ( 8 ) ( d ) ( 0 ) ( 2 ) ( d ) ( } )\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ - 3.Alternatively,
autopsycan be used to interact with the disk in a GUI, which may be easier. It was easier for me at at first.
picoCTF{f0r3ns1c4t0r_n0v1c3_0ba8d02d}Last modified 6mo ago