Sleuthkit Intro picoCTF 2022 Solution

Published: July 20, 2023

Description

Given a disk image, run mmls to determine the Linux partition size. Provide that number to the checker service to receive the flag.

Unzip the image and run mmls disk.img to display the partition table.

Note the size (in sectors) of the Linux partition.

Connect to the checker (nc saturn.picoctf.net 52472) and submit the size when prompted.

bash
gunzip disk.img.gz
bash
mmls disk.img
bash
nc saturn.picoctf.net 52472

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Use Sleuth Kit's mmls
    Observation
    I noticed the challenge provided a disk image and asked for the Linux partition size in sectors, which suggested using mmls from The Sleuth Kit since it reads the partition table directly and reports each partition's start, end, and length in raw sectors.
    mmls prints a partition map showing the start/length of each slice. The challenge specifically asks for the Linux partition length.
    What didn't work first

    Tried: Running fdisk -l disk.img instead of mmls disk.img to read the partition table.

    fdisk can display partition info but its output format differs - it shows sizes in bytes or MiB rather than raw sectors, and may require sudo or special flags on some systems. The checker service expects the raw sector count exactly as reported by mmls, so using fdisk risks submitting a unit-converted or rounded number that won't match.

    Tried: Submitting the Start sector value instead of the Length (size in sectors) of the Linux partition.

    mmls output has several numeric columns: Description, Start, End, Length, and Slot. Beginners often read the wrong column because 'Start' and 'Length' look similar in the tabular output. The checker asks for the partition size (length in sectors), not where it begins on disk.

    Learn more

    The Sleuth Kit (TSK) is a collection of open-source command-line tools for forensic analysis of disk images and filesystems. The name prefix mm stands for "media management" - these tools operate at the partition layer, below the filesystem. mmls reads the partition table and lists each partition with its start sector, end sector, and length.

    A partition table (MBR or GPT) lives at the very start of a disk and describes how storage is divided. Each partition entry records the starting sector, size in sectors, and partition type. Common Linux partition types: 0x83 (Linux filesystem), 0x82 (Linux swap), 0x8e (Linux LVM). Sectors are typically 512 bytes each on traditional drives.

    Understanding partition layout is foundational for disk forensics: to mount a specific partition from an image, you need its byte offset (start_sector × 512). For example: sudo mount -o loop,offset=1048576 disk.img /mnt/part. The mmls output provides exactly the information needed to calculate this offset.

  2. Step 2
    Report the size
    Observation
    I noticed the setup instructed connecting to a netcat checker service after running mmls, which suggested that once the Linux partition length in sectors was identified from the mmls output, the only remaining action was to submit that exact number to the remote service to receive the flag.
    Connect to the provided netcat service and enter the numeric length-if correct, it returns the flag.
    What didn't work first

    Tried: Entering the partition size in bytes (sectors multiplied by 512) instead of the raw sector count.

    The netcat service asks for the length in sectors as shown directly by mmls, not the byte-equivalent. Multiplying by 512 produces a much larger number that the checker will reject. Always submit the value in the same unit mmls displays - sectors.

    Tried: Submitting the size of the wrong partition - for example, the DOS partition or unallocated space instead of the Linux partition.

    mmls typically lists multiple rows including unallocated regions, a DOS partition table descriptor, and the actual Linux partition. The Linux partition is identified by the type label in the Description column (often 'Linux' or type code 0x83). Submitting the size of an unallocated block or the metadata entry will be rejected.

    Learn more

    This challenge pattern - where you must submit a forensic finding to a remote verification service - simulates the evidence-gathering workflow in real investigations. You analyze an artifact (disk image), extract a specific piece of information (partition size), and report it accurately.

    Partition sizes are measured in sectors (logical blocks, typically 512 bytes). The total size in bytes is length_sectors × sector_size. Modern drives use 4096-byte physical sectors (4K sectors or "Advanced Format"), but still present 512-byte logical sectors for compatibility - this distinction is important for alignment calculations in forensic mounting.

    The Sleuth Kit tool family includes: mmls (partition listing), fsstat (filesystem statistics), fls (file listing including deleted files), icat (extract file by inode number), and blkcat (read raw blocks). Together they provide complete filesystem analysis without needing to mount the image, which is important when preserving evidence integrity.

Interactive tools
  • Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
  • File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
  • Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

Reveal flag

picoCTF{mm15_f...}

Getting comfortable with Sleuth Kit tools is foundational for disk forensics challenges.

Key takeaway

Disk forensics begins at the partition layer, one level below the filesystem. Tools like mmls read the raw partition table to reveal how storage is divided into slices, each identified by type code, start sector, and length. This pre-filesystem metadata is essential for mounting specific partitions from a disk image, recovering deleted data, and establishing timeline evidence in real incident response investigations.

Related reading

Want more picoCTF 2022 writeups?

Useful tools for Forensics

Do these first

What to try next