Description
If you can find the flag on this disk image, we can close the case for good! Download the disk image here.
Setup
Download and decompress the 1 GB disk image.
No GUI forensics tool is required; strings and grep work directly on the raw image.
wget https://artifacts.picoctf.net/c_titan/63/disk.flag.img.gz && \
gunzip disk.flag.img.gz
Solution
Step 1: Explore the image (optional orientation)
Mounting or using a forensics tool reveals files named force-wait.sh, innocuous-file.txt, and a file literally named its-all-in-the-name. That last filename is the hint: the flag is embedded in the name of the innocuous-file.txt entries scattered throughout the disk.
Learn more
A disk image (.img) is a sector-by-sector copy of a storage device. The .gz extension means it is gzip-compressed; gunzip decompresses it before analysis. Disk images preserve everything: file contents, metadata, slack space, deleted file remnants, and data in unallocated sectors.

For orientation you can mount the image (sudo mount -o loop disk.flag.img /mnt) or load it into Autopsy. For the actual flag extraction, neither is needed: strings and grep work directly on the raw image file.

Step 2: Search the raw image for the flag
Run strings with the -a flag (scan every byte, not just initialized sections) on the raw disk image and grep for innocuous to find all the file-name occurrences. The flag characters appear adjacent to those strings. Piping through grep -a ensures binary-safe matching.
strings -a disk.flag.img | grep innocuous
grep -a innocuous disk.flag.img
Each hit shows a variant of the filename with flag characters embedded around it. Collect the unique flag segments from adjacent runs and assemble the full picoCTF{...}.

Learn more
strings extracts sequences of printable ASCII characters from any binary file. The -a flag tells it to scan the entire file rather than just the initialized data sections of an ELF. On a raw disk image this is essential: file-system metadata, directory entries, and deleted file names all live in non-ELF regions that the default mode skips.

grep -a treats the input as text even when binary bytes are present, preventing grep from silently ignoring matches in binary data. The two commands above are equivalent for this purpose; both scan the entire image for occurrences of the string innocuous.

This technique works because directory entries in ext2/ext3/ext4 file systems store file names as plain ASCII in fixed-size blocks. Deleted entries are not zeroed; the name bytes remain on disk until the block is reused. That is why the flag fragments appear multiple times: each time the file was created, modified, and deleted, the inode was reused but the old directory blocks were left in place.
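Collecting the unique hits from Step 2 can be scripted. The following is an added example, not part of the original write-up: a Python equivalent of strings -a -t d piped to grep that deduplicates the hits and records the byte offsets where each one occurs. SAMPLE, its .PART1 suffix and the function names are constructed for illustration.

```python
import mmap
import re
import sys

# Constructed stand-in for a raw image: NUL/0xff filler around stale name copies.
# The ".PART1" suffix is a placeholder, not data from the challenge image.
SAMPLE = (
    b"\x00" * 64 + b"\x0c\x00\x12\x01" + b"innocuous-file.txt" + b"\x00\x00"
    + b"\xff" * 32 + b"innocuous-file.txt.PART1" + b"\x00"
    + b"\x00" * 128 + b"innocuous-file.txt" + b"\x00"
    + b"\x07\x00" + b"unrelated-name" + b"\x00"
)


def printable_runs(data, min_len=4):
    """Yield (offset, text) per printable-ASCII run, like `strings -a -t d -n min_len`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("ascii")


def unique_hits(data, keyword, min_len=4):
    """Map each distinct run containing keyword to the offsets where it occurs."""
    hits = {}
    for offset, text in printable_runs(data, min_len):
        if keyword in text:
            hits.setdefault(text, []).append(offset)
    return hits


def report(data, keyword="innocuous"):
    """Print one line per distinct hit: occurrence count, first offset, text."""
    for text, offsets in unique_hits(data, keyword).items():
        print(f"{len(offsets):4d}x  first@{offsets[0]:<10d} {text}")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a real image, e.g. disk.flag.img
        with open(sys.argv[1], "rb") as fh:
            with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as image:
                report(image)
    else:
        report(SAMPLE)
```

Lowering min_len surfaces fragments shorter than the four-character default that strings would drop.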
Flag
picoCTF{1_533_n4m35_80d2...}
The flag characters appear embedded in the innocuous-file.txt name strings scattered across the raw disk image.