Sleuthkit Apprentice

  • Description: Download this disk image and find the flag.
  • Difficulty: Medium

🔎 Solution

With the provided disk image, we can begin by analyzing its partition structure using mmls. This reveals 3 main partitions:

  1. First Linux partition (0x83): Start sector 2048
  2. Linux Swap / Solaris partition (0x82): Start sector 206848
  3. Second Linux partition (0x83): Start sector 360448

> mmls disk.flag.img
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0000360447   0000153600   Linux Swap / Solaris x86 (0x82)
004:  000:002   0000360448   0000614399   0000253952   Linux (0x83)

To proceed with exploitation, I mounted each partition individually. Upon mounting the second Linux partition, I was able to access useful data:

sudo mkdir /mnt/disk2
sudo mount -o ro,loop,offset=$((360448*512)) disk.flag.img /mnt/disk2
ls /mnt/disk2
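
The offset arithmetic in the mount command above, generalized as an added example (not part of the original write-up): it parses mmls output and prints a read-only loop-mount command for every Linux (0x83) partition. The embedded mmls text is a constructed copy of the output shown above; the /mnt/diskN naming and the sizelimit= option are assumptions that go beyond the page's command.

```shell
#!/bin/sh
# Constructed sample: the mmls output from this write-up, embedded so the
# script runs offline. On a real image, pipe `mmls disk.flag.img` in instead.
MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0000206847 0000204800 Linux (0x83)
003: 000:001 0000206848 0000360447 0000153600 Linux Swap / Solaris x86 (0x82)
004: 000:002 0000360448 0000614399 0000253952 Linux (0x83)'

# linux_partitions: read mmls output on stdin and print, for each Linux (0x83)
# entry, "slot start_sector byte_offset byte_length". The sector size comes
# from the "Units are in N-byte sectors" header instead of assuming 512.
linux_partitions() {
  awk '
    /^Units are in/ { split($4, u, "-"); ssz = u[1] + 0 }
    /\(0x83\)/ {
      if (ssz == 0) { print "sector size not found" > "/dev/stderr"; exit 1 }
      # %.0f avoids 32-bit clipping of %d in some awk builds on large images
      printf "%s %.0f %.0f %.0f\n", $2, $3, $3 * ssz, $5 * ssz
    }'
}

# mount_commands IMAGE: print (do not run) one read-only loop mount per Linux
# partition. sizelimit= (an addition to the page's command) ends the loop
# device at the partition boundary instead of at the end of the image.
mount_commands() {
  img=$1
  n=0
  linux_partitions | while read -r _slot _start off len; do
    n=$((n + 1))
    printf 'sudo mkdir -p /mnt/disk%d\n' "$n"
    printf 'sudo mount -o ro,loop,offset=%s,sizelimit=%s %s /mnt/disk%d\n' \
      "$off" "$len" "$img" "$n"
  done
}

# Show the commands for the sample table; nothing is mounted here.
printf '%s\n' "$MMLS_SAMPLE" | mount_commands disk.flag.img
```

The second command it prints uses offset=184549376, the same value as `$((360448*512))` in the manual mount above.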

After mounting, I searched recursively for any file named flag within the partition. This led to the discovery of a file named flag.uni.txt.

> sudo find /mnt/disk2 -type f -name "*flag*"
/mnt/disk2/root/my_folder/flag.uni.txt

Viewing the contents of this file revealed the flag.

> sudo cat /mnt/disk2/root/my_folder/flag.uni.txt
picoCTF{by73_5urf3r_3497ae6b}

🚩Flag

picoCTF{by73_5urf3r_3497ae6b}