Description
A disk image hides an SSH key in a .ssh directory. Use Sleuth Kit to find its inode, extract the key with icat, fix permissions, and use it to log into the remote box and read flag.txt.
Setup
Decompress the image and use mmls to find the partition offset for the main Linux partition.
Run fls -r -o <offset> disk.img and search recursively for .ssh to locate the private key's inode number.
Extract the key with icat -o <offset> disk.img <inode> > key_file.
Set restrictive permissions (chmod 600 key_file) and SSH in using the challenge-provided port.
```bash
gunzip disk.img.gz
mmls disk.img
fls -r -o <offset> disk.img | grep -i ssh
icat -o <offset> disk.img <inode> > key_file
chmod 600 key_file
ssh -i key_file -p <PORT_FROM_INSTANCE> ctf-player@saturn.picoctf.net
cat flag.txt
```
Solution
Walk me through it

Step 1: Locate the SSH key with Sleuth Kit
Run mmls disk.img to find the last (and largest) partition's starting offset, then use fls -r -o <offset> disk.img to list files recursively. Search the output for .ssh to find the directory and the private key's inode number.
```bash
mmls disk.img
fls -r -o <OFFSET> disk.img | grep -i ssh
icat -o <OFFSET> disk.img <INODE_OF_PRIVATE_KEY> > key_file
```
Learn more
The Sleuth Kit is a suite of command-line forensics tools.
mmls lists partition offsets, fls lists filesystem entries (including deleted files), and icat extracts a file by its inode number - all without mounting the image. On the picoCTF web shell these tools are preinstalled.

SSH key files in /root/.ssh/ or a user's ~/.ssh/ are some of the most sensitive files on a Linux system. The private key allows authentication as that user to any server that has the corresponding public key in its authorized_keys file.

In real forensics investigations, recovering SSH private keys from a disk image is a significant finding - it means the attacker may have had (or still have) access to other systems. The investigation would expand to identify which servers have the corresponding public key in their authorized_keys files.

Step 2: SSH into the box
Fix permissions (chmod 600 key_file) and connect with the provided port. Once logged in, ls reveals flag.txt.
Learn more
SSH enforces strict permissions on private key files: if the key file is readable by anyone other than the owner, SSH refuses to use it and displays a "Permissions too open" error.
chmod 600 sets read/write for owner only (rw-------), satisfying this requirement. This is a security measure - it prevents other local users from reading your private key.

The -i key_file flag tells SSH to use a specific identity file instead of searching the default locations (~/.ssh/id_rsa, ~/.ssh/id_ed25519, etc.). The -p 53918 flag specifies a non-standard port - running SSH on a non-default port is a common practice to reduce automated scanning noise, though it provides minimal actual security since port scanners like nmap find it easily.

This challenge combines two skills: disk forensics (extracting artifacts from an image) and SSH authentication (using a key to log in). Both appear together in real incident response scenarios where an attacker left behind persistence mechanisms like authorized SSH keys, and the investigator needs to understand what access was established.
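The Setup and Step 1/2 procedure above, wrapped into a small POSIX shell script as an added example (not part of the original writeup): it picks the largest Linux partition from mmls output, walks fls -r output to find the private key's inode under .ssh, and only then calls icat and chmod. The mmls and fls samples embedded below are constructed, and their file names and inode numbers are assumptions rather than values from the challenge image.

```shell
# Constructed sample of `mmls disk.img` output (assumed layout, not the challenge image).
SAMPLE_MMLS='DOS Partition Table
Units are in 512-byte sectors
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0000614399   0000407552   Linux (0x83)'
# Constructed sample of `fls -r -o <offset> disk.img`; each leading "+" is one directory level.
SAMPLE_FLS='d/d 11: lost+found
d/d 12: home
+ d/d 2049: ctf-player
++ d/d 2050: .ssh
+++ r/r 2052: id_ed25519.pub
+++ r/r 2053: authorized_keys
+++ r/r 2051: id_ed25519
++ r/r 2055: flag.txt'

# Start sector of the largest Linux partition (mmls units are sectors, which is what fls/icat -o expect).
largest_linux_offset() {
    printf '%s\n' "$1" | awk '/Linux/ && $5+0 > best { best = $5+0; start = $3+0 } END { print start }'
}

# Inode of the first regular file directly under a .ssh directory that is not a
# public key or one of the well-known non-secret files.
find_ssh_key_inode() {
    printf '%s\n' "$1" | awk '
        function name_of(l) { sub(/^[^:]*:[ \t]*/, "", l); return l }
        function inode_of(l,   i, n, f) {
            n = split(l, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] ~ /^[0-9]+:$/) return substr(f[i], 1, length(f[i]) - 1)
        }
        { depth = (match($0, /^[+]+/) ? RLENGTH : 0); name = name_of($0) }
        $0 ~ /d\/d/ && name == ".ssh" { seen = 1; sshdepth = depth; next }
        seen && depth <= sshdepth { seen = 0 }
        seen && depth == sshdepth + 1 && $0 ~ /r\/r/ &&
            name !~ /\.pub$/ && name != "authorized_keys" && name != "known_hosts" && name != "config" {
            print inode_of($0); exit
        }'
}

# Glue for a real image (needs Sleuth Kit installed): extract_key disk.img key_file
extract_key() {
    offset=$(largest_linux_offset "$(mmls "$1")")
    inode=$(find_ssh_key_inode "$(fls -r -o "$offset" "$1")")
    [ -n "$inode" ] || { echo "no private key found under .ssh" >&2; return 1; }
    icat -o "$offset" "$1" "$inode" > "$2" && chmod 600 "$2"
}
```

Running extract_key on the real image prints nothing on success and leaves key_file with mode 600, ready for ssh -i; a missing key is reported on stderr instead of producing an empty file.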
Flag
picoCTF{k3y_5l3u7h_3396...}
This exercise reinforces basic SSH hygiene and disk forensics simultaneously.