Description
A disk image contains multiple partitions. The flag is hidden inside the Linux partition - you need to identify where it starts and extract it before searching.
Setup
Download `disko-2.dd.gz` from the picoGym challenge page.
Decompress the image, then inspect the partition table.
```
gunzip disko-2.dd.gz
fdisk -l disko-2.dd
```

Solution

- Step 1: Decompress and read the partition table

  Run `gunzip`, then `fdisk -l disko-2.dd` to display the partition table. The output shows at least two partitions. The Linux partition starts at sector 2048 and spans 51200 sectors (each sector is 512 bytes).

  ```
  gunzip disko-2.dd.gz
  fdisk -l disko-2.dd
  ```

  Learn more

  A partition table maps a physical disk into logical regions called partitions, each holding an independent filesystem. The traditional MBR (Master Boot Record) layout stores up to four primary partitions in a 64-byte table inside the first 512-byte sector of the disk. Each entry records the starting LBA (Logical Block Address) sector, the size in sectors, and a type byte that identifies the filesystem type (0x83 = Linux ext, 0x0B/0x0C = FAT32, 0x82 = Linux swap).

  `fdisk -l` reads the partition table and displays each partition's start sector, end sector, size, and type. This is the essential first command when you receive any disk image with multiple partitions, because `strings` on the whole image would find text from all partitions mixed together - you need to isolate the right partition first.

  The sector size is almost always 512 bytes for images from CTF challenges. Multiplying the start sector by 512 gives you the byte offset of the partition, and multiplying the sector count by 512 gives you its size in bytes; those are the values `dd`'s `skip` and `count` options take when `bs=1`, whereas with `bs=512` (as used below) the sector numbers are passed unchanged.

- Step 2: Extract the Linux partition with dd

  Use `dd` to carve out just the Linux partition bytes into a new file. Skip the first 2048 sectors (the MBR and any preceding data) and copy 51200 sectors' worth of data.

  ```
  dd if=disko-2.dd of=linux-part.dd bs=512 skip=2048 count=51200
  ```

  Learn more

  `dd` (disk dump) copies raw bytes between files or devices with precise control over block size, offset, and count. The options used here:

  - `if=` input file
  - `of=` output file
  - `bs=512` block size in bytes (matching the sector size)
  - `skip=2048` skip the first 2048 blocks of the input (jumping to the Linux partition start)
  - `count=51200` copy exactly 51200 blocks

  This technique of extracting a partition with `dd` is fundamental in forensics. It produces a new raw image of just that partition, which you can then pass to any filesystem-aware tool. Without the isolation step, searching the whole disk image would return results from the wrong partition or mix data from multiple locations, making it harder to interpret.

  Alternatively, `mount -o loop,offset=$((512*2048)) disko-2.dd /mnt/part` can mount the partition directly without extracting it, but using `dd` to isolate it first is cleaner and avoids any risk of the mount modifying timestamps on the filesystem (mounting read-only with `-o ro` reduces that risk, but the carved copy remains the safer artifact to work from).

- Step 3: Find the flag with strings

  Run `strings linux-part.dd | grep -i pico` on the extracted partition file. The flag is stored as plain text inside the Linux filesystem and appears immediately.

  ```
  strings linux-part.dd | grep -i pico
  ```

  Learn more

  With the Linux partition isolated, `strings | grep` searches only the relevant filesystem. The flag is embedded as plaintext in the ext2/ext3/ext4 inode or file data area, so it appears in the `strings` output without needing to mount the partition or navigate its directory tree.

  This challenge teaches the core partition analysis workflow used in real disk forensics: identify the partition layout (`fdisk -l` or `mmls`), extract the relevant partition (`dd` or a targeted mount), then apply analysis tools. The same workflow applies whether you are looking for a CTF flag, malware artifacts, or evidence of data exfiltration on a compromised machine.
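The arithmetic behind `fdisk -l` and the `dd` command above, as an added Python example (not part of the original writeup): it decodes the four MBR entries from sector 0, derives the `skip`/`count` values for any entry, carves the 0x83 partition, and scans only that region for the flag marker the way `strings | grep` does. The disk image is constructed inline with small assumed sector numbers, not the challenge's 2048/51200; `TYPES`, `find_flag` and `build_sample_image` are this example's own names.

```python
import struct

SECTOR = 512
TABLE_OFF = 446  # the 64-byte MBR partition table sits at the end of sector 0
TYPES = {0x83: "Linux", 0x82: "Linux swap", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}

def parse_mbr(sector0: bytes) -> list:
    """Decode the four 16-byte MBR entries (the numbers fdisk -l prints); skip empty slots."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR image")
    parts = []
    for i in range(4):
        ent = sector0[TABLE_OFF + 16 * i : TABLE_OFF + 16 * (i + 1)]
        ptype = ent[4]  # byte 4 = type; bytes 1-3 and 5-7 are legacy CHS, ignored here
        start, count = struct.unpack_from("<II", ent, 8)  # start LBA, size in sectors (LE)
        if ptype and count:
            parts.append({"num": i + 1, "type": ptype, "name": TYPES.get(ptype, "unknown"),
                          "start": start, "end": start + count - 1, "count": count})
    return parts

def dd_command(part: dict, image: str, out: str) -> str:
    """With bs=512, fdisk's start sector and sector count map 1:1 onto skip and count."""
    return f"dd if={image} of={out} bs={SECTOR} skip={part['start']} count={part['count']}"

def carve(image: bytes, part: dict) -> bytes:
    """Same arithmetic dd performs: byte offset = start * 512, length = count * 512."""
    off = part["start"] * SECTOR
    return image[off : off + part["count"] * SECTOR]

def find_flag(image: bytes):
    """Carve the first Linux (0x83) partition and look for 'picoCTF{...}' in it only."""
    linux = next(p for p in parse_mbr(image[:SECTOR]) if p["type"] == 0x83)
    data = carve(image, linux)
    i = data.find(b"picoCTF{")
    return None if i < 0 else data[i : data.index(b"}", i) + 1]

def build_sample_image() -> bytes:
    """Constructed 24-sector image: FAT32 at LBA 1 (7 sectors), Linux at LBA 8 (16 sectors)."""
    img = bytearray(24 * SECTOR)
    for slot, (ptype, start, count) in enumerate([(0x0C, 1, 7), (0x83, 8, 16)]):
        struct.pack_into("<B3sB3sII", img, TABLE_OFF + 16 * slot, 0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    img[510:512] = b"\x55\xaa"
    img[1 * SECTOR + 100 : 1 * SECTOR + 119] = b"picoCTF{decoy_fat}\0"  # text in the wrong partition
    img[10 * SECTOR + 40 : 10 * SECTOR + 62] = b"picoCTF{sample_flag}\0\0"  # inside the Linux partition
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    print(parse_mbr(img[:SECTOR]), dd_command(parse_mbr(img[:SECTOR])[1], "disko-2.dd", "linux-part.dd"), find_flag(img), sep="\n")
```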
Flag
picoCTF{4_P4Rt_1t_i5...}
Isolate the Linux partition with dd (skip=2048, count=51200), then `strings linux-part.dd | grep pico` reveals the flag.