picoCTF - Forensics in CTF's II


Sleuthkit

The Sleuthkit binaries are available for most platforms, including most Linux distributions and Windows (I’ve only tested it on 10 and 11).

Windows users can install the pre-compiled binaries from www.sleuthkit.org, and Linux users can check whether their package manager's main repositories carry it.

Since I’m on Fedora Linux, I can install it through the DNF package manager with:

% sudo dnf install sleuthkit -y

We also REALLY need to know the commands for Sleuthkit; all of them are documented on the Sleuthkit website's wiki page.

Challenge 1: Sleuthkit Intro

🟧 Medium challenge

In the challenge, we are told to use the mmls tool found in Sleuthkit to find the total size of the Linux partition.

After decompressing the image file and passing it to the mmls tool, we get the output:

% gzip -d disk.img.gz

% mmls disk.img -B
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Size    Description
000:  Meta      0000000000   0000000000   0000000001   0512B   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   1024K   Unallocated
002:  000:000   0000002048   0000204799   0000202752   0099M   Linux (0x83)

We can see a partition described as Linux (0x83) with a Size of 0099M, or 99 megabytes, and a Length of 0000202752.

The Length attribute is the partition size in sectors (each sector is 512 bytes, as the header says).
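To make the column arithmetic explicit, here is an added Python example (not code from the write-up or from Sleuthkit) that parses mmls output like the one above and turns the Start and Length columns into the sector offset that fls/icat take with -o and the byte values that dd or mount want. The sample text is the output shown above embedded as a string; the function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "mmls disk.img -B" output from Challenge 1.
SAMPLE_MMLS = """DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Size    Description
000:  Meta      0000000000   0000000000   0000000001   0512B   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   1024K   Unallocated
002:  000:000   0000002048   0000204799   0000202752   0099M   Linux (0x83)
"""

@dataclass
class Partition:
    slot: str
    start: int        # first sector
    end: int          # last sector (inclusive)
    length: int       # size in sectors
    description: str

_UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")
# Row: index, slot, start, end, length, optional Size column (only with -B), description.
_ROW_RE = re.compile(r"^\d{3}:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(?:\d+[BKMGT]\s+)?(.+?)\s*$")

def parse_mmls(text: str) -> tuple[int, list[Partition]]:
    """Return (sector size in bytes, partitions) parsed from mmls output."""
    units = _UNITS_RE.search(text)
    sector_size = int(units.group(1)) if units else 512
    parts = []
    for line in text.splitlines():
        row = _ROW_RE.match(line)
        if row:
            slot, start, end, length, desc = row.groups()
            parts.append(Partition(slot, int(start), int(end), int(length), desc))
    return sector_size, parts

def find_partition(parts: list[Partition], name: str) -> Partition:
    """First partition whose description starts with name, e.g. 'Linux'."""
    for part in parts:
        if part.description.startswith(name):
            return part
    raise LookupError(f"no partition described as {name!r}")

def byte_offset(part: Partition, sector_size: int) -> int:
    """fls/icat take -o in sectors; dd or mount -o offset= want bytes."""
    return part.start * sector_size
```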

After logging into picoCTF's validation server and entering the Length value of the Linux partition, we get the flag:

nc saturn.picoctf.net 56661
What is the size of the Linux partition in the given disk image?
Length in sectors: 0000202752
0000202752
Great work!
picoCTF{mm15_f7w!}

picoCTF{mm15_f7w!}


Challenge 2: Disk, disk, sleuth!

🟧 Medium challenge

In this challenge, they want us to use the srch_strings tool in sleuthkit to find the flag.

We know that picoCTF likes to format their flags as picoCTF{whatever}, so if we use the srch_strings tool to grab all the strings in the image file, we can pipe that output into grep to find any line with pico in it.

% srch_strings dds1-alpine.flag.img | grep pico
ffffffff81399ccf t pirq_pico_get
ffffffff81399cee t pirq_pico_set
ffffffff820adb46 t pico_router_probe
  SAY picoCTF{f0r3ns1c4t0r_n30phyt3_a69a712c}

picoCTF{f0r3ns1c4t0r_n30phyt3_a69a712c}


Challenge 3: Disk, disk, sleuth! II

🟧 Medium challenge

In this challenge, we want to extract the file down-at-the-bottom.txt.

The first step is finding out where the file is; we can list the files with the fls tool. Before that, we get the partition offset with mmls so that fls starts reading from the right section.

mmls dds2-alpine.flag.img
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000262143   0000260096   Linux (0x83)

After passing in the offset, which is the start sector of the Linux partition (2048), we get the root directory contents.

% fls -o 2048 dds2-alpine.flag.img
d/d 26417:	home
d/d 11:	lost+found
r/r 12:	.dockerenv
d/d 20321:	bin
d/d 4065:	boot
d/d 6097:	dev
d/d 2033:	etc
d/d 8129:	lib
d/d 14225:	media
d/d 16257:	mnt
d/d 18289:	opt
d/d 16258:	proc
d/d 18290:	root
d/d 16259:	run
d/d 18292:	sbin
d/d 12222:	srv
d/d 16260:	sys
d/d 18369:	tmp
d/d 12223:	usr
d/d 14229:	var
V/V 32513:	$OrphanFiles

The numbers on the left are the inodes, and we use those to traverse into the directories to find the files we want. After a brief look we stumble across the root directory and find the file.

% fls -o 2048 dds2-alpine.flag.img 18290
r/r 18291:  down-at-the-bottom.txt

Now we know the file is located at /root/down-at-the-bottom.txt. Let's extract it using the icat tool. The icat tool "cat's" a file's contents using its inode number. If we supply it with the offset, the image and the file's inode, which is 18291, we get the contents of the file:

% icat -o 2048 dds2-alpine.flag.img 18291
   _     _     _     _     _     _     _     _     _     _     _     _     _
  / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \
 ( p ) ( i ) ( c ) ( o ) ( C ) ( T ) ( F ) ( { ) ( f ) ( 0 ) ( r ) ( 3 ) ( n )
  \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/
   _     _     _     _     _     _     _     _     _     _     _     _     _
  / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \
 ( s ) ( 1 ) ( c ) ( 4 ) ( t ) ( 0 ) ( r ) ( _ ) ( n ) ( 0 ) ( v ) ( 1 ) ( c )
  \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/
   _     _     _     _     _     _     _     _     _     _     _
  / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \
 ( 3 ) ( _ ) ( f ) ( 5 ) ( 5 ) ( 6 ) ( 5 ) ( e ) ( 7 ) ( b ) ( } )
  \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/

Now, because I'm lazy and don't want to manually delete every bracket, underscore, etc. by hand, I'm just going to go into kwrite and regex-delete it to get the flag:

picoCTF{f0r3ns1c4t0rn0v1c3f5565e7b}


Challenge 4: Sleuthkit Apprentice

🟧 Medium challenge

In challenge 4 they decide to throw us in the deep end with no hints at all. So we'll download the image file and get to work finding the flag.

The first thing we'll do is get some information on the system with mmls:

mmls disk.flag.img
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0000360447   0000153600   Linux Swap / Solaris x86 (0x82)
004:  000:002   0000360448   0000614399   0000253952   Linux (0x83)

If we take a look at the contents of the first Linux partition with fls we get the output:

fls -o 2048 disk.flag.img
d/d 11:	lost+found
r/r 12:	ldlinux.sys
r/r 13:	ldlinux.c32
r/r 15:	config-virt
r/r 16:	vmlinuz-virt
r/r 17:	initramfs-virt
l/l 18:	boot
r/r 20:	libutil.c32
r/r 19:	extlinux.conf
r/r 21:	libcom32.c32
r/r 22:	mboot.c32
r/r 23:	menu.c32
r/r 14:	System.map-virt
r/r 24:	vesamenu.c32
V/V 25585:	$OrphanFiles

Ok, so this partition is the boot partition; there won't be anything interesting here. We can also skip the Linux Swap partition, as that won't have anything interesting either.

So let's scan the final Linux partition with

fls -o 360448 disk.flag.img
d/d 451:	home
d/d 11:	lost+found
d/d 12:	boot
d/d 1985:	etc
d/d 1986:	proc
d/d 1987:	dev
d/d 1988:	tmp
d/d 1989:	lib
d/d 1990:	var
d/d 3969:	usr
d/d 3970:	bin
d/d 1991:	sbin
d/d 1992:	media
d/d 1993:	mnt
d/d 1994:	opt
d/d 1995:	root
d/d 1996:	run
d/d 1997:	srv
d/d 1998:	sys
d/d 2358:	swap
V/V 31745:	$OrphanFiles

Cool, we got the root of the file system. Let's go digging for the flag.

fls -o 360448 disk.flag.img 1995
r/r 2363:	.ash_history
d/d 3981:	my_folder

Hmm, my_folder looks suspicious.

fls -o 360448 disk.flag.img 3981
r/r * 2082(realloc):	flag.txt
r/r 2371:	flag.uni.txt

Yesss, flag.uni.txt looks like what we want. Let's cat it with icat:

icat -o 360448 disk.flag.img 2371
picoCTF{by73_5urf3r_2f22df38}

Easy, now we have our flag:

picoCTF{by73_5urf3r_2f22df38}
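The my_folder listing above shows the one fls detail worth a second look: the "*" marks flag.txt as a deleted directory entry and "(realloc)" says its inode 2082 has since been handed to another file, so icat on it would return that other file's blocks, not the deleted one. As an added example (not code from the write-up or from Sleuthkit), here is a Python parser for fls lines that records both flags and refuses to hand a reallocated inode to icat. The sample is the two lines shown above; all function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the fls listing of my_folder (inode 3981) from Challenge 4.
SAMPLE_FLS = "r/r * 2082(realloc):\tflag.txt\nr/r 2371:\tflag.uni.txt\n"

@dataclass
class FlsEntry:
    name_type: str   # type recorded in the directory entry (r file, d dir, l link, V virtual)
    meta_type: str   # type recorded in the inode/metadata structure
    inode: int
    deleted: bool    # '*' means the directory entry is unallocated (file was deleted)
    realloc: bool    # '(realloc)' means the inode has since been allocated to another file
    name: str

# e.g. "r/r * 2082(realloc):<tab>flag.txt" or "d/d 3981:<tab>my_folder"
_LINE_RE = re.compile(r"^([A-Za-z-])/([A-Za-z-])\s+(\*\s+)?(\d+)(\(realloc\))?:\s+(.+)$")

def parse_fls(text: str) -> list[FlsEntry]:
    """Parse fls output lines into structured entries; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            nt, mt, star, inode, realloc, name = m.groups()
            entries.append(FlsEntry(nt, mt, int(inode), star is not None, realloc is not None, name))
    return entries

def inode_for(entries: list[FlsEntry], name: str) -> int:
    """Inode to feed icat. A reallocated inode now points at another file's
    blocks, so refuse it rather than silently return the wrong contents."""
    for e in entries:
        if e.name == name:
            if e.realloc:
                raise ValueError(f"{name}: inode {e.inode} was reallocated; icat would show the new owner")
            return e.inode
    raise LookupError(name)

def icat_argv(image: str, offset_sectors: int, inode: int) -> list[str]:
    """Argument vector for icat, matching the commands used in this write-up."""
    return ["icat", "-o", str(offset_sectors), image, str(inode)]
```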



