Description
A full disk image hides the flag in `/root/my_folder/flag.uni.txt`. Load the image in Autopsy (or another forensic suite), locate the file, and read its contents.
Decompress the image and add it to Autopsy (New Case → Add Host → Add Image File).
Navigate to `/root/my_folder/flag.uni.txt` via File Analysis.
Export or view the file; the flag appears at the bottom of the Unicode text.
gunzip disk.flag.img.gz
sudo autopsy & # load disk.flag.img via the web UI
Solution
- Step 1Index the imageAutopsy (or Sleuth Kit) lets you explore the entire filesystem. Expanding the root directory reveals a suspicious `my_folder` containing `flag.uni.txt`.
- Step 2Read the Unicode fileOpen or export `flag.uni.txt`-despite the extension, it’s plain text with the picoCTF flag embedded near the end.
Flag
picoCTF{by73_5urf3r_3497...}
Even without Autopsy, you could mount the image read-only and inspect the same path via standard Linux utilities.