picoCTF - DISKO

Created on July 25, 2025

2025   ·   write-up,   dfir,   picoCTF,   sleuthkit   ·   cybersecurity

DISKO 1

🟩 Easy challenge

In the hints, we get the hint

Maybe Strings could help? If only there was a way to do that?

If we use the srch_strings utility from sleuthkit we can then grep for picoCTF, and get the flag.

% srch_strings disko-1.dd | grep picoCTF

Or you could just use the strings binary found on most Linux and Unix distros.

% strings disko-1.dd | grep picoCTF

picoCTF{1t5_ju5t_4_5tr1n9_be6031da}

DISKO 2

🟧 Medium challenge

Using mmls from sleuthkit we can get the following partions on the disk file.

% mmls disko-2.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000053247   0000051200   Linux (0x83)
003:  000:001   0000053248   0000118783   0000065536   Win95 FAT32 (0x0b)
004:  -------   0000118784   0000204799   0000086016   Unallocated

If we try to use srch_strings on the disk file it will give us lots of junk and fake flags.

srch_strings disko-2.dd | grep picoCTF
picoCTF{4_P4Rt_1t_i5_5d70d515}
picoCTF{4_P4Rt_1t_i5_17d555d0}
picoCTF{4_P4Rt_1t_i5_157d50d5}
picoCTF{4_P4Rt_1t_i5_5dd07515}
picoCTF{4_P4Rt_1t_i5_d055d175}
picoCTF{4_P4Rt_1t_i5_dd150575}
picoCTF{4_P4Rt_1t_i5_5d570d51}
picoCTF{4_P4Rt_1t_i5_55175dd0}
picoCTF{4_P4Rt_1t_i5_75505d1d}
picoCTF{4_P4Rt_1t_i5_70d1555d}
picoCTF{4_P4Rt_1t_i5_1507dd55}
. . .

None of these seem to be our flag, so looking at the hints we can see

How can you extract/isolate a partition?

We can do this by using the dd utility found in most Unix and Linux operating systems.

First we specify the input file with the flag if=, then we specify the output file with the flag of=. We can then specify the partition we want to extract from the .dd file using the skip and count flags.

The skip flag we fill in from the information from start in the mmls output, and the for the count flag we fill in the end information from the mmls command. Effectively seperating the linux partition from the entire file.

% dd if=disko-2.dd of=linux_partition skip=2048 count=51200
51200+0 records in
51200+0 records out
26214400 bytes (26 MB, 25 MiB) copied, 0.170412 s, 154 MB/s

Now we can just extract the flag from the partition with

srch_strings linux_partition | grep picoCTF
picoCTF{4_P4Rt_1t_i5_055dd175}

picoCTF{4_P4Rt_1t_i5_055dd175}

DISKO 3

🟧 Medium challenge

Intended way

Using the file command in linux we can see that the image file we are given isa boot sector partiton, meaning that there are no other partitions we need to worry about.

% file disko-3.dd
disko-3.dd: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", . . .

When lsing the disk file we get the directory log

% fls disko-3.dd
d/d 4:	log
v/v 3225859:	$MBR
v/v 3225860:	$FAT1
v/v 3225861:	$FAT2
V/V 3225862:	$OrphanFiles

When we look into the log directory using its inode number we can see a bunch of child directories and files.

% fls disko-3.dd 4
d/d 22:	private
d/d 24:	sysstat
d/d 26:	stunnel4
d/d 28:	mysql
d/d 30:	inetsim
d/d 32:	installer
r/r 519123:	vmware-vmsvc-root.2.log
r/r 519125:	kern.log.4.gz
r/r 519127:	Xorg.0.log
r/r 519130:	vmware-network.4.log
r/r 519132:	boot.log
. . .

If we grep for the keyword flag then we get a file named flag.gz

% fls disko-3.dd 4 | grep flag
r/r 522628:	flag.gz

Since the file is compressed with GZip, we cant view the contents without having to download the file and unzipping it manualy. To do this we can simply cat the file and redirect stout to a file on our local system using the > operator, we can just name it flag.gz.

Once the file is on our system we can use the gzip utility to unzip it and get the flag.

% icat disko-3.dd 522628 > flag.gz

% gzip -d flag.gz

% cat flag
Here is your flag
picoCTF{n3v3r_z1p_2_h1d3_7e0a17da}

picoCTF{n3v3r_z1p_2_h1d3_7e0a17da}

Alternative method

Open up Autopsy, and create a new case with the disko-3.dd file.

Then go to Tools –> Run Ingest Modules –> disko-3.dd.

This will create an Index of all of the files on the disk image, allowing you to filter for what keywords you want to search for.

Go to the top right and click Keyword search, the search for flag. flag.gz will be highlighted and Autopsy will automaticaly decompress the gzip file and the flag will be visible.



Enjoy Reading This Article?

Here are some more articles you might like to read next:

  • picoCTF - Forensics in CTF's IV
  • picoCTF - Forensics in CTF's III
  • picoCTF - Forensics in CTF's II