Description
A disk image hides an SSH key in /root/.ssh/id_ed25519. Export the key, fix its permissions, and use it to log into the remote box and read flag.txt.
Setup
Mount or load the disk in Autopsy and navigate to /root/.ssh/id_ed25519.
Export the private key, rename it (e.g., key_file), and run `chmod 600 key_file`.
Connect with `ssh -i key_file -p 53918 ctf-player@saturn.picoctf.net`, then read flag.txt.
```bash
chmod 600 key_file
ssh -i key_file -p 53918 ctf-player@saturn.picoctf.net
# on the remote host, after login:
cat flag.txt
```
Solution
- Step 1: Recover the key. Inside /root/.ssh is id_ed25519. Export it and rename it to match the sample command from the prompt (key_file).
- Step 2: SSH into the box. Fix permissions (`chmod 600 key_file`) and connect with the provided port. Once logged in, `ls` reveals flag.txt.
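A check that can be run on the exported file before connecting, as an added example that is not part of the original write-up: it parses the outer openssh-key-v1 layout to confirm the key type and whether a passphrase is set, and reports whether the file mode would pass ssh's permission check. The function names and the all-zero sample key built by `make_sample` are constructed for illustration.

```python
import base64, os, stat, struct, tempfile

MAGIC = b"openssh-key-v1\x00"
BEGIN, END = (f"-----{w} OPENSSH PRIVATE KEY-----" for w in ("BEGIN", "END"))

def _string(buf, off):
    """Read one SSH 'string': 4-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key(path):
    """Report key type, passphrase protection and file mode of an exported key."""
    with open(path) as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH private key (PEM armor missing)")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("openssh-key-v1 magic missing")
    cipher, off = _string(blob, len(MAGIC))
    _kdf, off = _string(blob, off)
    _kdfopts, off = _string(blob, off)
    pub, _ = _string(blob, off + 4)      # skip the uint32 key count
    ktype, _ = _string(pub, 0)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"type": ktype.decode(), "encrypted": cipher != b"none",
            "mode": mode, "mode_ok": mode & 0o077 == 0}  # ssh rejects group/other bits

def fix_mode(path):
    """Equivalent of `chmod 600 key_file`; returns the resulting mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)

def make_sample(path):
    """Constructed sample: real outer layout, all-zero key material (unusable)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    pub = s(b"ssh-ed25519") + s(bytes(32))
    blob = (MAGIC + s(b"none") + s(b"none") + s(b"")
            + struct.pack(">I", 1) + s(pub) + s(bytes(8)))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    with open(path, "w") as fh:
        fh.write(f"{BEGIN}\n{body}\n{END}\n")
    os.chmod(path, 0o644)  # assumed mode of a file as exported from Autopsy

if __name__ == "__main__":
    p = os.path.join(tempfile.mkdtemp(), "key_file")
    make_sample(p)
    print(inspect_key(p), oct(fix_mode(p)), inspect_key(p)["mode_ok"])
```

A key whose mode has any group or other bits set is the case where ssh prints its unprotected-private-key warning and ignores the file, which is why the `chmod 600` step is required.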
Flag
picoCTF{k3y_5l3u7h_3396...}
This exercise reinforces basic SSH hygiene and disk forensics simultaneously.