Sleuthkit Apprentice picoCTF 2022 Solution

Published: July 20, 2023

Description

A full disk image hides the flag in a text file inside /root/. Use Sleuth Kit command-line tools (mmls, fls, icat) to find the file by inode and extract its contents.

Decompress the image and use mmls disk.flag.img to find the largest partition's start sector.

Run fls -r -o <offset> disk.flag.img to list all files recursively, then grep for flag to find the relevant inode.

Use icat -o <offset> disk.flag.img <inode> to extract the file and read the flag.

```bash
gunzip disk.flag.img.gz
```

```bash
mmls disk.flag.img
```

```bash
fls -r -o <OFFSET> disk.flag.img | grep flag
```

```bash
icat -o <OFFSET> disk.flag.img <INODE>
```
  1. Step 1: Find the flag file with Sleuth Kit

    Run mmls disk.flag.img to find the largest partition's start sector. Use that as the offset for fls -r -o <offset> disk.flag.img to list all files. Search the output for flag to find the inode numbers of the interesting files.

    ```bash
    mmls disk.flag.img
    ```

    ```bash
    fls -r -o <OFFSET> disk.flag.img | grep flag
    ```

    The Sleuth Kit is a collection of open-source command-line tools for forensic analysis. mmls reads the partition table, fls lists filesystem entries (including deleted files), and icat extracts a file by its inode. All three are preinstalled on the picoCTF web shell.

    A disk image is a sector-by-sector copy of a storage device. It captures not just the visible files but also filesystem metadata, slack space, and deleted file remnants. Working with an image rather than the live device preserves evidence integrity and allows repeated analysis.

    The fls output may show two entries for the flag - one could be a deleted version. Try both inode numbers with icat to see which one contains the flag text.

  2. Step 2: Extract the flag file with icat

    Run icat -o <offset> disk.flag.img <inode> to extract the file. The output contains the flag directly. If the file appears garbled, it may be UTF-16 encoded - try the other inode first, or pipe through strings.

    ```bash
    icat -o <OFFSET> disk.flag.img <INODE>
    ```

    ```bash
    icat -o <OFFSET> disk.flag.img <INODE> | strings
    ```

    icat (inode cat) extracts the data blocks of a file given its inode number, writing the raw bytes to stdout. This works even on deleted files whose directory entries have been removed, as long as the data blocks haven't been overwritten. The -o flag specifies the partition offset in sectors as returned by mmls.

    If the file is encoded as UTF-16 (two bytes per character), the raw output will look as if every character is followed by a null byte. Piping through strings drops the non-printable bytes and shows the readable flag text.
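    The two steps above, wrapped into shell functions as an added example (this is not code from the original writeup). The mmls parser selects the largest allocated partition automatically, and the fls parser collects every inode whose entry name contains "flag", deleted and reallocated copies included, so both inodes mentioned in Step 1 get tried with icat. The function names are this example's own, and the sample mmls and fls output embedded in the script is constructed to match the tools' output layout only; its partition and inode numbers are illustrative and are not taken from the challenge image.

```shell
#!/bin/sh
# Added example, not part of the original writeup: the mmls -> fls -> icat
# workflow as small shell functions. The parsers work on text with the same
# layout as the tools' output, so they can be exercised without the image.

# Print the start sector of the largest allocated partition in mmls output read
# from stdin. Data rows look like:
#   002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
# Columns: index, slot, start, end, length, description. The "Meta" row (the
# partition table itself) and "-------" rows (unallocated gaps) are skipped.
largest_partition_offset() {
  awk '
    $1 ~ /^[0-9]+:$/ && $2 != "Meta" && $2 != "-------" {
      len = $5 + 0                        # "+ 0" strips the zero padding
      if (len > best) { best = len; off = $3 + 0 }
    }
    END { if (best > 0) print off; else exit 1 }
  '
}

# Read fls output from stdin and print the inode number of every entry whose
# name contains "flag". Deleted entries ("r/r * 2056:") and reallocated ones
# ("r/r 2055(realloc):") are kept, since the deleted copy may hold the text.
flag_inodes() {
  grep -i flag | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[0-9]+(\(realloc\))?:$/) { sub(/[^0-9].*$/, "", $i); print $i; break }
  }'
}

# Full pipeline against a real image; needs mmls, fls, icat and strings in PATH.
extract_flags() {
  img=$1
  off=$(mmls "$img" | largest_partition_offset) || { echo "no allocated partition found" >&2; return 1; }
  echo "using partition offset $off"
  fls -r -o "$off" "$img" | flag_inodes | while read -r ino; do
    echo "== inode $ino =="
    icat -o "$off" "$img" "$ino" | strings   # strings also copes with UTF-16 text
  done
}

# Constructed sample mmls output (layout only; numbers are illustrative).
SAMPLE_MMLS=$(cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0000360447   0000153600   Linux Swap / Solaris x86 (0x82)
004:  000:002   0000360448   0000614399   0000253952   Linux (0x83)
EOF
)

# Constructed sample fls output with one reallocated and one deleted flag.txt entry.
SAMPLE_FLS=$(printf 'd/d 1234:\troot\n+ r/r 2055(realloc):\tflag.txt\n+ r/r * 2056:\tflag.txt\nr/r 17:\tREADME\n')

if [ $# -gt 0 ]; then
  extract_flags "$1"                                        # usage: ./script.sh disk.flag.img
else
  printf '%s\n' "$SAMPLE_MMLS" | largest_partition_offset   # prints 360448
  printf '%s\n' "$SAMPLE_FLS" | flag_inodes                  # prints 2055 and 2056
fi
```

    Run it with the image path as the only argument to go straight from partition table to flag text; with no argument it only exercises the two parsers on the constructed samples. Selecting the partition by length rather than by position is what makes the script reusable on other images, and scanning every field of the fls line for the "NNNN:" token is what keeps deleted entries (which carry an extra "*" column) from being missed.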

Flag

picoCTF{by73_5urf3r_3497...}

Even without Autopsy, you could mount the image read-only and inspect the same path via standard Linux utilities.
