All we know is the file with the flag is named `down-at-the-bottom.txt`... Disk image: dds2-alpine.flag.img.gz
- Using the TSK Tool Overview website we can find that the `fls` command can list all files in a directory. We specify the `-r` flag, which means recursive so it will scan the entire disk image, and the `-p` flag, so it prints the full path. The `-o` flag is the offset of the partition we want to use, which can be found by running `mmls dds2-alpine.flag.img`. Finally, we search the output using `grep` for the name of the file given in the challenge description. So, the resulting command looks as follows: `fls -r -p -o 2048 dds2-alpine.flag.img | grep down-at-the-bottom.txt`. The output is: `r/r 18291: root/down-at-the-bottom.txt`
- `18291` is the inode number of the file. We can use `icat` to list the contents of that inode like so: `icat -o 2048 dds2-alpine.flag.img 18291`. The flag is shown in the output (inside of a unique pattern so we couldn't simply search for it):

  ```
    _     _     _     _     _     _     _     _     _     _     _     _     _
   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \
  ( p ) ( i ) ( c ) ( o ) ( C ) ( T ) ( F ) ( { ) ( f ) ( 0 ) ( r ) ( 3 ) ( n )
   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/
    _     _     _     _     _     _     _     _     _     _     _     _     _
   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \
  ( s ) ( 1 ) ( c ) ( 4 ) ( t ) ( 0 ) ( r ) ( _ ) ( n ) ( 0 ) ( v ) ( 1 ) ( c )
   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/
    _     _     _     _     _     _     _     _     _     _     _
   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \   / \
  ( 3 ) ( _ ) ( 0 ) ( b ) ( a ) ( 8 ) ( d ) ( 0 ) ( 2 ) ( d ) ( } )
   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/   \_/
  ```
- Alternatively, `autopsy` can be used to interact with the disk in a GUI, which may be easier. It was easier for me at first.

picoCTF{f0r3ns1c4t0r_n0v1c3_0ba8d02d}
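
The steps above chained into one script, as an added example that is not part of the original write-up: it reads the partition offset from `mmls`, the inode from `fls`, and strips the bubble pattern from the `icat` output. The function names, the rule of picking the first `Linux (0x83)` partition, and the embedded sample lines are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the write-up's code): the mmls -> fls -> icat chain as one
# script. Function names are this example's own; IMAGE is the gunzipped .img.

# Start sector of the first "Linux (0x83)" partition in mmls output (stdin).
# Assumption: the target file system is the first partition of that type.
part_offset() {
  awk '/Linux \(0x83\)/ { print $3 + 0; exit }'
}

# Inode of the first `fls -r -p` entry (stdin) whose path contains $1.
# Deleted entries have "*" before the inode, which may end in "(realloc)".
inode_of() {
  awk -v name="$1" 'index($0, name) {
    i = ($2 == "*") ? $3 : $2
    sub(/[^0-9].*/, "", i); print i; exit }'
}

# Collapse the "( x )" bubble cells in icat output (stdin) into a plain string.
decode_bubbles() {
  grep -o '( . )' | cut -c3 | tr -d '\n'
}

# Full chain against a real image: find_flag IMAGE FILENAME
find_flag() {
  off=$(mmls "$1" | part_offset)
  [ -n "$off" ] || { echo "no Linux partition in $1" >&2; return 1; }
  ino=$(fls -r -p -o "$off" "$1" | inode_of "$2")
  [ -n "$ino" ] || { echo "$2 not found" >&2; return 1; }
  icat -o "$off" "$1" "$ino" | decode_bubbles
  echo
}

# Constructed samples in the layout mmls, fls and icat print (End and Length
# values are made up; the offset and inode are the ones from the write-up).
SAMPLE_MMLS='      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000262143   0000260096   Linux (0x83)'
SAMPLE_FLS='r/r 18291: root/down-at-the-bottom.txt'
SAMPLE_ART=' / \   / \   / \
( p ) ( i ) ( c )
 \_/   \_/   \_/'

if [ $# -eq 2 ]; then find_flag "$1" "$2"; fi
```

Run it as `sh script.sh dds2-alpine.flag.img down-at-the-bottom.txt` with The Sleuth Kit installed; without arguments it only defines the functions and samples.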