PicoCTF-2021 Writeup
Disk, disk, sleuth! II


Last updated 2 years ago


Problem

All we know is the file with the flag is named down-at-the-bottom.txt... Disk image: dds2-alpine.flag.img.gz

Solution

  1. Using the website we can find that the fls command lists the files in a directory. We pass two flags: -r (recursive), so it scans the entire disk image, and -p, so it prints the full path of each entry. The -o flag is the offset of the partition we want to use, which can be found by running mmls dds2-alpine.flag.img. Finally, we search the output with grep for the file name given in the challenge description. The resulting command is: fls -r -p -o 2048 dds2-alpine.flag.img | grep down-at-the-bottom.txt. The output is: r/r 18291: root/down-at-the-bottom.txt

  2. 18291 is the inode number of the file. We can use icat to print the contents of that inode like so: icat -o 2048 dds2-alpine.flag.img 18291

    The flag is shown in the output (inside of a unique pattern so we couldn't simply search for it):

      _     _     _     _     _     _     _     _     _     _     _     _     _  
     / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \ 
    ( p ) ( i ) ( c ) ( o ) ( C ) ( T ) ( F ) ( { ) ( f ) ( 0 ) ( r ) ( 3 ) ( n )
     \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/ 
      _     _     _     _     _     _     _     _     _     _     _     _     _  
     / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \ 
    ( s ) ( 1 ) ( c ) ( 4 ) ( t ) ( 0 ) ( r ) ( _ ) ( n ) ( 0 ) ( v ) ( 1 ) ( c )
     \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/ 
      _     _     _     _     _     _     _     _     _     _     _  
     / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \ 
    ( 3 ) ( _ ) ( 0 ) ( b ) ( a ) ( 8 ) ( d ) ( 0 ) ( 2 ) ( d ) ( } )
     \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/ 
  3. Alternatively, autopsy can be used to interact with the disk in a GUI, which may be easier. It was easier for me at first.
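
The fls and icat steps above can be scripted, and the banner can be decoded back to plain text so it is searchable. This is an added example, not part of the original writeup: the function names are hypothetical, and the sample fls lines other than the 18291 entry are constructed.

```sh
#!/bin/sh
# Added example. Function names are hypothetical, not part of The Sleuth Kit.

# Read `fls -r -p` output on stdin and print the inode of every entry whose
# base name equals $1 exactly (a plain grep would also match "name.bak").
inode_for() {
    awk -v name="$1" '
    {
        i = index($0, ":"); if (i == 0) next
        meta = substr($0, 1, i - 1)               # e.g. "r/r 18291"
        path = substr($0, i + 1); sub(/^[ \t]+/, "", path)
        base = path; sub(/^.*\//, "", base)
        if (base != name) next
        n = split(meta, f, " ")
        inode = f[n]; sub(/\(realloc\)$/, "", inode)  # deleted-entry suffix
        print inode
    }'
}

# Read the banner on stdin and print the characters inside each "( x )" bubble
# as one string; decoration rows contain no bubbles and are skipped.
decode_bubbles() {
    grep -o '( . )' | cut -c3 | tr -d '\n'
}

# Hypothetical wrapper chaining both steps; needs fls and icat installed.
# usage: dump_named_file IMAGE SECTOR_OFFSET NAME
dump_named_file() {
    inode=$(fls -r -p -o "$2" "$1" | inode_for "$3" | head -n 1)
    [ -n "$inode" ] || { echo "not found: $3" >&2; return 1; }
    icat -o "$2" "$1" "$inode"
}

# Sample input: the 18291 line is from the writeup, the other two are constructed.
SAMPLE_FLS='d/d 18290: root
r/r 18291: root/down-at-the-bottom.txt
r/r * 18292(realloc): root/down-at-the-bottom.txt.bak'

# Banner rows copied from the icat output above (most decoration rows trimmed).
SAMPLE_ART=' / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \
( p ) ( i ) ( c ) ( o ) ( C ) ( T ) ( F ) ( { ) ( f ) ( 0 ) ( r ) ( 3 ) ( n )
( s ) ( 1 ) ( c ) ( 4 ) ( t ) ( 0 ) ( r ) ( _ ) ( n ) ( 0 ) ( v ) ( 1 ) ( c )
( 3 ) ( _ ) ( 0 ) ( b ) ( a ) ( 8 ) ( d ) ( 0 ) ( 2 ) ( d ) ( } )
 \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/'

printf '%s\n' "$SAMPLE_FLS" | inode_for down-at-the-bottom.txt
printf '%s\n' "$SAMPLE_ART" | decode_bubbles; echo
```

On the real image, dump_named_file dds2-alpine.flag.img 2048 down-at-the-bottom.txt | decode_bubbles performs both steps in one pipeline.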

Flag

picoCTF{f0r3ns1c4t0r_n0v1c3_0ba8d02d}

dds2-alpine.flag.img.gz
TSK Tool Overview