Description
A disk image holds a flag that `strings` alone cannot find - it is compressed inside a `.gz` file buried in a subdirectory. Mount the image and decompress the hidden file to read it.
Setup
Download `disko-3.dd.gz` from the picoGym challenge page.
Decompress the outer archive, then prepare a mount point.
```shell
gunzip disko-3.dd.gz
file disko-3.dd
sudo mkdir -p /mnt/disko3
```
Solution
- Step 1: Decompress and attempt strings
Run `gunzip`, then try `strings disko-3.dd | grep -i pico`. This time nothing useful appears - the flag is not stored as plain text. The image is FAT32 like DISKO 1, but the flag is hidden inside a compressed file.
```shell
gunzip disko-3.dd.gz
file disko-3.dd
strings disko-3.dd | grep -i pico
```
Learn more
When `strings | grep` returns nothing, the flag is not stored as raw ASCII in the disk image. It may be compressed (gzip, bzip2, xz), encoded (base64, hex), encrypted, or stored in a format that produces non-printable bytes. This is the moment to mount the image and inspect the actual file structure instead of searching raw bytes.
A compressed file stored inside a filesystem appears to `strings` as a burst of random-looking bytes (the compressed data) bookended by a few readable bytes from the gzip header (the magic bytes `1f 8b` and the original filename, if stored). The flag content itself is invisible until decompressed.
- Step 2: Mount the image and navigate the filesystem
Mount the disk image with `mount -o loop` to browse it as a live filesystem. Navigate to the `/log/` directory where `flag.gz` is located.
```shell
sudo mount -o loop disko-3.dd /mnt/disko3
ls /mnt/disko3/
ls /mnt/disko3/log/
```
Learn more
The `-o loop` option tells the Linux kernel to use a loop device - a virtual block device that maps a regular file as if it were a physical disk. This lets you mount a disk image file exactly like a real drive. The kernel reads the FAT32 superblock from the image and makes the filesystem accessible at the mount point.
In professional forensics, images are mounted read-only (add `-o ro,loop`) to preserve evidence integrity. A write-enabled mount could update access timestamps, modify journal entries, or trigger filesystem repair operations that alter the evidence. For CTF purposes, a read-only mount is still good practice even though there is no legal chain-of-custody requirement.
Once mounted, standard Unix commands (`ls`, `find`, `cat`) work normally against the filesystem. This is often the most convenient way to browse a disk image when the flag is buried in a directory tree rather than scattered as raw bytes.
- Step 3: Extract and decompress the flag file
Copy `flag.gz` from the mounted image to a writable location, then decompress it with `gunzip` and read it with `cat`. The flag appears as plain text.
```shell
cp /mnt/disko3/log/flag.gz /tmp/flag.gz
gunzip /tmp/flag.gz
cat /tmp/flag
sudo umount /mnt/disko3
```
Learn more
Copying the compressed file out of the mounted image before decompressing it is cleaner than decompressing in place on the mounted filesystem - it avoids any risk of writing to the image and keeps the analysis tidy. The `gunzip` command decompresses `flag.gz` in place, producing a file named `flag`, which `cat` then displays.
This challenge pattern - a flag compressed and hidden in a non-obvious subdirectory - is common in CTF forensics. The key skill is knowing when raw-byte techniques like `strings` will not work and switching to filesystem-level exploration. The lesson from the DISKO series as a whole: try the quick approach first (`strings | grep`), but be ready to mount, navigate, and decompress when the flag is not plaintext.
Always unmount (`sudo umount`) after analysis. Leaving a loop-mounted image open can cause issues if you later try to delete or move the disk image file, and on some systems the loop device will remain reserved until explicitly released.
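As an added example that is not part of the original writeup, the gzip-header observation from the Step 1 notes (magic bytes `1f 8b`, optional stored filename) turned into a small Python carver: it scans a raw image for gzip members and inflates them without mounting anything, which is the fallback when the filesystem is damaged or cannot be mounted. The image it scans is constructed inline and is not disko-3.dd; the function and field names are my own.

```python
import gzip
import io
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate): the readable bytes strings sees

def gzip_filename(data: bytes, off: int):
    """Return the original filename stored in the gzip header at `off`, if FNAME is set."""
    flg = data[off + 3]
    pos = off + 10                    # fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flg & 0x04:                    # FEXTRA: 2-byte little-endian length, then payload
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if flg & 0x08:                    # FNAME: NUL-terminated original name
        return data[pos:data.index(b"\x00", pos)].decode("latin-1")
    return None

def carve_gzip_members(image: bytes) -> list:
    """Inflate every complete gzip member in a raw image; magic-byte false positives are skipped."""
    found = []
    for m in re.finditer(re.escape(GZIP_MAGIC), image):
        off = m.start()
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper, stops after one member
        try:
            payload = d.decompress(image[off:])
        except zlib.error:
            continue                                 # header or stream invalid: coincidence
        if not d.eof:
            continue                                 # truncated member (no CRC32/ISIZE trailer)
        found.append({"offset": off, "name": gzip_filename(image, off), "data": payload})
    return found

def find_flag(image: bytes):
    """Apply the strings | grep idea to the inflated members instead of the raw bytes."""
    for member in carve_gzip_members(image):
        text = member["data"].decode("utf-8", "replace")
        if "picoCTF{" in text:
            return text.strip()
    return None

def build_sample_image() -> bytes:
    """Constructed stand-in for disko-3.dd: padding, a .gz with FNAME set, a decoy magic, padding."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="flag.txt", mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(b"picoCTF{constructed_sample_flag}\n")
    return b"\x00" * 512 + buf.getvalue() + b"\x00" * 64 + GZIP_MAGIC + b"junk" + b"\x00" * 256

if __name__ == "__main__":
    print(find_flag(build_sample_image()))  # constructed image, not the real challenge file
```

The decoy magic bytes followed by junk are rejected at the header stage, which is exactly why a carver has to inflate rather than trust the `1f 8b` signature alone.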
Flag
picoCTF{n3v3r_z1p_2_h1d3...}
Mount the image with `mount -o loop`, find `flag.gz` in the `/log/` directory, gunzip it, and cat the result.