Description
A forensic disk image contains chat logs, gallery files, and clues for layered stego/crypto. Mount the image, follow the breadcrumbs, and decrypt the embedded data.
Setup
Download and gunzip the disk image, then ingest it in Autopsy (or The Sleuth Kit) for browsing.
Review IRC logs at /3/home/yone/irclogs/... to learn the steghide password plus AES parameters.
Export the BMP files from /3/home/yone/gallery and run steghide extract -sf <image> -p <password> on each.
# fetch and unpack the image
wget https://artifacts.picoctf.net/c/485/disk.flag.img.gz
gunzip disk.flag.img.gz
# start the Autopsy forensic browser and open the URL it prints in a web browser
sudo autopsy &
# pull the hidden payload out of a gallery BMP with the passphrase from the IRC logs (repeat for each BMP)
steghide extract -sf 1.bmp -p akalibardzyratrundle
# decrypt with the raw key and IV from the logs; -K/-iv bypass password-based key derivation, so the -S salt is not used by openssl here and can be omitted
openssl enc -aes-256-cbc -d -in secret.bin -out flag.txt -K 58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508 -iv 7a12fd4dc1898efcd997a1b9496e7591 -S 0f3fa17eeacd53a9
Solution
- Step 1: Ingest the disk. Use Autopsy to explore the /home/yone directory. The IRC logs reveal the steghide passphrase and the AES parameters (key, IV and salt) needed later.
- Step 2: Extract from the BMPs. Export 1.bmp, 2.bmp, 3.bmp and 7.bmp, then run steghide extract with the shared passphrase on each to recover the encrypted payloads.
- Step 3: Decrypt with OpenSSL. Feed the key and IV from the logs to openssl enc -aes-256-cbc -d -K <key> -iv <iv> to decrypt the hidden data and read the final flag. The logged salt only matters for password-based key derivation, which -K bypasses, so it has no effect on this command.
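The three steps above, scripted end to end with The Sleuth Kit (fls/icat), steghide and openssl instead of clicking through Autopsy. This is an added example for this writeup, not the challenge author's or the original page's code. The passphrase, key and IV are the ones from the logs; the filesystem sector offset (found with mmls and passed in OFFSET), the export directory name, the .bin naming of extracted payloads and the self-check plaintext are assumptions made here. The self-check encrypts a constructed sample with the full parameter set from the logs, including -S, and decrypts it without -S to show that openssl ignores the salt once -K supplies the key directly.

```shell
#!/bin/sh
# Added example, not the page's or the challenge author's code.
# Assumptions (not from the page): OFFSET is the partition's sector offset
# from "mmls disk.flag.img"; payloads are written as <image>.bin; the
# "export" directory and the self-check plaintext are constructed here.

IMG="${IMG:-disk.flag.img}"           # gunzipped image from the page
OUTDIR="${OUTDIR:-export}"
STEG_PASS="akalibardzyratrundle"      # passphrase recovered from the IRC logs
AES_KEY="58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508"
AES_IV="7a12fd4dc1898efcd997a1b9496e7591"

# Copy every regular file under home/yone/gallery out of the filesystem that
# starts at sector offset $2 of image $1 into directory $3.
# fls -r -p prints full paths, -u skips deleted entries; icat dumps one inode.
export_gallery() {
    img=$1; off=$2; dst=$3
    mkdir -p "$dst"
    fls -o "$off" -r -p -u "$img" | grep 'home/yone/gallery/' | grep -v '^d' |
    while read -r _type inode path; do
        inode=${inode%%:*}            # "1234:" -> "1234"
        inode=${inode%%-*}            # NTFS "1234-128-1" -> "1234"
        icat -o "$off" "$img" "$inode" > "$dst/$(basename "$path")"
    done
}

# Run steghide with the shared passphrase over every exported BMP. A BMP that
# carries no payload makes steghide fail; that is reported and skipped.
extract_all() {
    for bmp in "$1"/*.bmp; do
        [ -e "$bmp" ] || continue
        if steghide extract -sf "$bmp" -p "$STEG_PASS" -xf "${bmp%.bmp}.bin" -f >/dev/null 2>&1; then
            echo "payload written to ${bmp%.bmp}.bin"
        else
            echo "no payload in $bmp"
        fi
    done
}

# AES-256-CBC decryption with the raw key and IV from the logs. -K and -iv
# bypass password-based key derivation, and openssl only consumes a salt while
# deriving a key from a password, so the logged -S value is not needed here.
decrypt_payload() {
    openssl enc -aes-256-cbc -d -in "$1" -out "$2" -K "$AES_KEY" -iv "$AES_IV"
}

# Self-check of that claim: encrypt a constructed plaintext with the log's
# full parameter set (including -S), decrypt it without -S, and compare.
# Returns 0 when the round trip matches.
selftest() {
    tmp=$(mktemp -d)
    printf 'picoCTF{constructed_sample_not_the_real_flag}' > "$tmp/plain"
    openssl enc -aes-256-cbc -e -in "$tmp/plain" -out "$tmp/enc" \
        -K "$AES_KEY" -iv "$AES_IV" -S 0f3fa17eeacd53a9
    decrypt_payload "$tmp/enc" "$tmp/dec"
    if cmp -s "$tmp/plain" "$tmp/dec"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Usage: OFFSET=<sector offset from "mmls disk.flag.img"> sh solve.sh
# The pipeline only runs when the image is present, so sourcing the file to
# use the functions on their own is safe.
if [ -n "${OFFSET:-}" ] && [ -f "$IMG" ]; then
    export_gallery "$IMG" "$OFFSET" "$OUTDIR"
    extract_all "$OUTDIR"
    for bin in "$OUTDIR"/*.bin; do
        [ -e "$bin" ] || continue
        decrypt_payload "$bin" "${bin%.bin}.txt" && cat "${bin%.bin}.txt"
    done
fi
```

If decryption of a real payload yields garbage, check the extracted file with steghide info before blaming the key: a BMP with no payload, or a payload pulled with a wrong passphrase, produces no usable ciphertext, and a ciphertext whose length is not a multiple of 16 bytes will make openssl report a bad decrypt regardless of the key.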
Flag
picoCTF{f473_53413d_de...}
Every clue comes from the disk itself; pay attention to the chat logs for the steghide passphrase and the AES key and IV.