Description
Given a disk image, run mmls to determine the Linux partition size. Provide that number to the checker service to receive the flag.
Setup
Unzip the image and run mmls disk.img to display the partition table.
Note the size (in sectors) of the Linux partition.
Connect to the checker (nc saturn.picoctf.net 52472) and submit the size when prompted.
gunzip disk.img.gzmmls disk.imgnc saturn.picoctf.net 52472Solution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Use Sleuth Kit's mmlsObservationI noticed the challenge provided a disk image and asked for the Linux partition size in sectors, which suggested usingmmlsfrom The Sleuth Kit since it reads the partition table directly and reports each partition's start, end, and length in raw sectors.mmlsprints a partition map showing the start/length of each slice. The challenge specifically asks for the Linux partition length.What didn't work first
Tried: Running
fdisk -l disk.imginstead ofmmls disk.imgto read the partition table.fdisk can display partition info but its output format differs - it shows sizes in bytes or MiB rather than raw sectors, and may require sudo or special flags on some systems. The checker service expects the raw sector count exactly as reported by mmls, so using fdisk risks submitting a unit-converted or rounded number that won't match.
Tried: Submitting the Start sector value instead of the Length (size in sectors) of the Linux partition.
mmls output has several numeric columns: Description, Start, End, Length, and Slot. Beginners often read the wrong column because 'Start' and 'Length' look similar in the tabular output. The checker asks for the partition size (length in sectors), not where it begins on disk.
Learn more
The Sleuth Kit (TSK) is a collection of open-source command-line tools for forensic analysis of disk images and filesystems. The name prefix
mmstands for "media management" - these tools operate at the partition layer, below the filesystem.mmlsreads the partition table and lists each partition with its start sector, end sector, and length.A partition table (MBR or GPT) lives at the very start of a disk and describes how storage is divided. Each partition entry records the starting sector, size in sectors, and partition type. Common Linux partition types:
0x83(Linux filesystem),0x82(Linux swap),0x8e(Linux LVM). Sectors are typically 512 bytes each on traditional drives.Understanding partition layout is foundational for disk forensics: to mount a specific partition from an image, you need its byte offset (
start_sector × 512). For example:sudo mount -o loop,offset=1048576 disk.img /mnt/part. Themmlsoutput provides exactly the information needed to calculate this offset.Step 2
Report the sizeObservationI noticed the setup instructed connecting to a netcat checker service after runningmmls, which suggested that once the Linux partition length in sectors was identified from themmlsoutput, the only remaining action was to submit that exact number to the remote service to receive the flag.Connect to the provided netcat service and enter the numeric length-if correct, it returns the flag.What didn't work first
Tried: Entering the partition size in bytes (sectors multiplied by 512) instead of the raw sector count.
The netcat service asks for the length in sectors as shown directly by mmls, not the byte-equivalent. Multiplying by 512 produces a much larger number that the checker will reject. Always submit the value in the same unit mmls displays - sectors.
Tried: Submitting the size of the wrong partition - for example, the DOS partition or unallocated space instead of the Linux partition.
mmls typically lists multiple rows including unallocated regions, a DOS partition table descriptor, and the actual Linux partition. The Linux partition is identified by the type label in the Description column (often 'Linux' or type code 0x83). Submitting the size of an unallocated block or the metadata entry will be rejected.
Learn more
This challenge pattern - where you must submit a forensic finding to a remote verification service - simulates the evidence-gathering workflow in real investigations. You analyze an artifact (disk image), extract a specific piece of information (partition size), and report it accurately.
Partition sizes are measured in sectors (logical blocks, typically 512 bytes). The total size in bytes is
length_sectors × sector_size. Modern drives use 4096-byte physical sectors (4K sectors or "Advanced Format"), but still present 512-byte logical sectors for compatibility - this distinction is important for alignment calculations in forensic mounting.The Sleuth Kit tool family includes:
mmls(partition listing),fsstat(filesystem statistics),fls(file listing including deleted files),icat(extract file by inode number), andblkcat(read raw blocks). Together they provide complete filesystem analysis without needing to mount the image, which is important when preserving evidence integrity.
Interactive tools
- Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
- File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
- Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
Flag
Reveal flag
picoCTF{mm15_f...}
Getting comfortable with Sleuth Kit tools is foundational for disk forensics challenges.