picoCTF Solutions
picoCTF 2022ForensicsMedium

Sleuthkit Intro

Published: July 20, 2023Updated: December 9, 2025

Description

Given a disk image, run `mmls` to determine the Linux partition size. Provide that number to the checker service to receive the flag.

Setup

Download disk.img.gz

Unzip the image and run `mmls disk.img` to display the partition table.

Note the size (in sectors) of the Linux partition.

Connect to the checker (`nc saturn.picoctf.net 52472`) and submit the size when prompted.

gunzip disk.img.gz
mmls disk.img
nc saturn.picoctf.net 52472

Solution

  1. Step 1Use Sleuth Kit’s mmls
    `mmls` prints a partition map showing the start/length of each slice. The challenge specifically asks for the Linux partition length.
  2. Step 2Report the size
    Connect to the provided netcat service and enter the numeric length-if correct, it returns the flag.

Flag

picoCTF{mm15_f...}

Getting comfortable with Sleuth Kit tools is foundational for disk forensics challenges.