Skip to main content

DISKO 3

  • Description: Can you find the flag in this disk image? This time, its not as plain as you think it is!
  • Difficulty: Medium

🔎 Solution

Following DISKO 1 and DISKO 2, we now arrive at the next challenge in the series: DISKO 3.

Upon extracting the archive, we're given a FAT32 - formatted disk image - bootable via MBR, created with mkfs.fat. It's around 100MB in size, uses the classic CHS layout, and notably lacks a volume label.

disko-3.dd: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", Media descriptor 0xf8, sectors/track 32, heads 8, sectors 204800 (volumes > 32 MB), FAT (32 bit), sectors/FAT 1576, serial number 0x49838d0b, unlabeled

Mounting the image using conventional methods didn't yield anything useful at first. However, after digging deeper, I turned to binwalk - and that's when things clicked. Using it to extract embedded files, I successfully uncovered the contents hidden within.

┌──(kali㉿kali)-[~/Desktop/pico-ctf]
└─$ binwalk -e disko-3.dd 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
18246144      0x1166A00       gzip compressed data, from Unix, last modified: 2025-02-25 23:11:02
18287104      0x1170A00       gzip compressed data, from Unix, last modified: 2025-03-09 05:50:00
18654208      0x11CA400       gzip compressed data, has original file name: "flag", from Unix, last modified: 2025-07-17 15:06:53
19358720      0x1276400       gzip compressed data, from Unix, last modified: 2024-12-26 17:47:07
19439104      0x1289E00       gzip compressed data, from Unix, last modified: 2025-01-22 16:03:08
19440128      0x128A200       xz compressed data
19536896      0x12A1C00       gzip compressed data, from Unix, last modified: 2025-01-11 15:19:52
19543552      0x12A3600       gzip compressed data, from Unix, last modified: 2023-09-14 09:53:42
19600384      0x12B1400       gzip compressed data, from Unix, last modified: 2025-03-09 23:58:25
19601408      0x12B1800       gzip compressed data, from Unix, last modified: 2025-03-09 23:58:25
19601920      0x12B1A00       gzip compressed data, from Unix, last modified: 2025-01-11 15:19:52
19603456      0x12B2000       gzip compressed data, from Unix, last modified: 2023-09-14 09:53:42
19788288      0x12DF200       gzip compressed data, from Unix, last modified: 2024-12-26 07:48:38
19903488      0x12FB400       gzip compressed data, from Unix, last modified: 2024-12-26 07:48:38
19940352      0x1304400       gzip compressed data, from Unix, last modified: 2024-12-27 06:01:55
19949056      0x1306600       gzip compressed data, from Unix, last modified: 2024-12-27 06:01:55
20048896      0x131EC00       gzip compressed data, from Unix, last modified: 2023-09-14 09:53:42
20601856      0x13A5C00       gzip compressed data, from Unix, last modified: 2025-03-02 05:49:40
20932096      0x13F6600       gzip compressed data, from Unix, last modified: 2025-03-10 00:03:24
20951040      0x13FB000       gzip compressed data, from Unix, last modified: 2024-12-26 07:48:38

Among the extracted files was one named flag. A quick inspection of its contents revealed exactly what I was looking for - the flag. Simple as that.

┌──(kali㉿kali)-[~/Desktop/pico-ctf/_disko-3.dd.extracted]
└─$ cat flag                
Here is your flag
picoCTF{n3v3r_z1p_2_h1d3_26d4f233}

Bonus: I tackled this challenge right after it dropped and ended up being the fourth person to capture the flag, hehe

🚩Flag

picoCTF{n3v3r_z1p_2_h1d3_26d4f233}