Disko 2 - Forensics Challenge Writeup (picoCTF)

Naresh S

Category: Forensics
Author: Darkraicg492
Flag Format: picoCTF{FLAG}

Challenge Description: Given a disk image file (disko-2.dd.gz) we are tasked to find the hidden flag within it. The right one is Linux! One wrong step and it's all gone!

Hint: How can you extract/isolate a partition?

I started off by decompressing the gzip file (.gz):

gunzip -d disko-2.dd.gz

This gives disko-2.dd.

Then, upon inspecting the file, it's clear that it is a partitioned disk image rather than a single filesystem.

file disko-2.dd

So I went ahead with mmls (Media Management Listing) to analyse how the disk is partitioned: the partition table type, and each partition's starting sector and size.

mmls disko-2.dd

This revealed four partitions in the disk, one of which is a Linux partition, the one to look at according to the challenge description.

Now that I had found the Linux partition, I copied its data out with the dd command, a forensics technique for carving embedded filesystems or partitions out of a disk image without touching the original.

dd if=disko-2.dd of=flag bs=512 skip=2048 count=51200

This command skips the first 1MB of the disk image (2048 sectors of 512 bytes, the start sector mmls reported) and extracts the next 25MB (51200 sectors, the partition length) into a new file called flag. Then I used the strings command to extract the flag from the file.

strings flag | grep -i picoCTF
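The same procedure (read the Linux partition's start and length from mmls, carve it with dd, then search the carved partition for the flag pattern) as one script, an added example that is not part of the original writeup. The mmls listing embedded below is a constructed sample with made-up sector values, and the helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the writeup): derive the dd offsets for the Linux
# partition from mmls output instead of reading them by eye, then carve it
# and search the carved partition for the flag pattern.

# Constructed mmls-style listing (sample values, not the challenge's real table).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000053247   0000051200   Linux (0x83)
003:  000:001   0000053248   0000104447   0000051200   Win95 FAT32 (0x0b)'

# linux_partition_args: read mmls output on stdin and print "START LENGTH"
# (in 512-byte sectors) for the first partition of type Linux (0x83).
# These are exactly the skip= and count= values dd needs.
linux_partition_args() {
    awk '/Linux \(0x83\)/ { printf "%d %d\n", $3, $5; exit }'
}

# carve_partition IMAGE OUT START LENGTH: copy LENGTH sectors starting at
# sector START from IMAGE into OUT, leaving the original image untouched.
carve_partition() {
    dd if="$1" of="$2" bs=512 skip="$3" count="$4" 2>/dev/null
}

# find_flag FILE: print the first picoCTF{...} string found in FILE.
# grep -a treats the binary partition as text, like strings | grep would.
find_flag() {
    grep -a -o 'picoCTF{[^}]*}' "$1" | head -n 1
}

# Real usage against the challenge image (assumes disko-2.dd is present):
#   set -- $(mmls disko-2.dd | linux_partition_args)
#   carve_partition disko-2.dd linux.part "$1" "$2"
#   find_flag linux.part
```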

Correct Flag
picoCTF{4_P4Rt_1t_i5_90a3f3d1}

Happy Hacking!!
