Description
A compressed disk image is hiding something. Decompress it and search for the flag stored as a plain string inside the FAT32 filesystem.
Setup
Download disko-1.dd.gz from the picoGym challenge page (requires a picoCTF account).
Decompress the image and verify its type.
gunzip disko-1.dd.gzfile disko-1.ddSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Decompress and identify the disk imageObservationI noticed the challenge provides a.dd.gzfile, which indicates a gzip-compressed raw disk image; the.gzextension made it clear that decompression withgunzipwas required before any disk forensics tool could read the raw sector data.Rungunzip disko-1.dd.gzto produce the raw.ddimage. Runningfile disko-1.ddreports a DOS/MBR boot sector with a FAT32 filesystem - a straightforward layout with no hidden partitions.bashgunzip disko-1.dd.gzbashfile disko-1.ddExpected output
disko-1.dd: DOS/MBR boot sector; partition 1 : ID=0xb, start-CHS (0x0,1,1), end-CHS (0x3ff,63,32), startsector 2048, 204800 sectors, extended partition table (last)
What didn't work first
Tried: Trying to mount the image directly with
mount disko-1.dd /mntto browse files before decompressingThe .dd.gz file is still gzip-compressed, so mount sees a gzip stream instead of a FAT32 partition table and returns 'wrong fs type' or 'invalid argument'. Decompression with gunzip must come first to expose the raw sector data that mount and all other disk tools expect.
Tried: Using
fdisk -l disko-1.dd.gzto inspect partition layout before gunzipfdisk reads the file as a raw byte stream and immediately encounters the gzip magic bytes (0x1f 0x8b) instead of an MBR signature (0x55 0xAA at offset 510). It reports 'GPT PMBR size mismatch' or no valid partition table found. Running
fileafter gunzip on the actual .dd file is the correct step.Learn more
Disk images are bit-for-bit copies of storage media stored as regular files. The
.ddformat is a raw binary dump produced by theddutility (or forensic equivalents likedcfldd). Compressing disk images withgzipis standard practice because raw images often contain large regions of zero bytes that compress dramatically. Thegunzipcommand decompresses in place, replacing the.gzarchive with the original file.The file command identifies file formats by reading magic bytes - a fixed byte signature at the start of the file that identifies its type, independent of the filename extension. For disk images,
filereports the partition table type (MBR or GPT) and the filesystem of the first partition. Knowing the filesystem type (FAT32, ext4, NTFS, etc.) tells you which forensic tools can parse it and what kind of metadata structures to expect.Step 2
Search for the flag with stringsObservationI noticed the challenge description says the flag is stored as a plain string inside the FAT32 filesystem, which suggested thatstringspiped throughgrep -i picowould locate it directly in the raw image without needing to mount the disk or use more complex forensic tooling.Runstringson the raw disk image and pipe throughgrep -i pico. The flag is stored as a plain ASCII string directly inside the filesystem and is visible immediately - no mounting or filesystem tools needed.bashstrings disko-1.dd | grep -i picoWhat didn't work first
Tried: Running
strings disko-1.dd | grep picoCTF(case-sensitive, no -i flag)If the flag is embedded in a filesystem metadata field or directory entry with mixed-case or uppercase letters, the case-sensitive grep silently drops it and produces no output. The -i flag is essential because FAT32 stores filenames and attributes in ways that may alter casing. The challenge description confirms the flag is a plain string, but its exact case in the binary is not guaranteed.
Tried: Mounting the image and using
find /mnt -type f -exec grep -r pico {} ;to locate the flag as a fileThis approach assumes the flag is stored inside a named file, but in this challenge the flag is written directly into the disk image as raw bytes - possibly in a file's data area, slack space, or metadata - and is not necessarily accessible as a readable file via a normal mount. The strings pipe finds any printable sequence anywhere in the image, which is faster and does not require root permissions for mount.
Learn more
The strings command scans a binary file for sequences of printable ASCII characters of a minimum length (default 4). It works directly on raw disk images without mounting, making it a fast first-pass tool in forensics. Any file content, filesystem metadata, directory entries, or deleted fragments that contain readable text appear in the output.
In a real forensic investigation,
stringsalone is insufficient because it provides no context about which file contained the text or its location on disk. For deeper analysis, The Sleuth Kit tools -flsto list files by inode,icatto extract a file by inode number, andfsstatfor filesystem statistics - give complete visibility into the file structure. For DISKO 1, the flag is embedded as a plain string with no obfuscation, sostrings | grepis all that is needed.The
-iflag togrepmakes the search case-insensitive. Always use it when searching forpicobecause some challenges embed flags in all-caps metadata or filenames thatpicoCTFalone would miss.
Interactive tools
- Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
- File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
- Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
Flag
Reveal flag
picoCTF{1t5_ju5t_4_5tr1n9...}
The flag lives as a plain string in the FAT32 image. `strings disko-1.dd | grep -i pico` finds it on the first try.