Forensics - St3g0 - writeup

description
Download this image and find the flag.
Download image
writeup
Ok so let’s download the file first …
wget https://artifacts.picoctf.net/c/427/pico.flag.png
Let’s check the file type just to make sure we actually have a .png file here …
file pico.flag.png
pico.flag.png: PNG image data, 585 x 172, 8-bit/color RGBA, non-interlaced
Ok so it is in fact a PNG file.
Let’s check for any steganography using stegdetect

Forensics - Sleuthkit Apprentice - writeup

description
Download this disk image and find the flag. Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory.
Download compressed disk image
writeup
So we got a file ‘disk.flag.img’.
I will try to create a folder and mount the disk image into that folder first.
mkdir mnt
mount ./disk.flag.img mnt
mount: mnt: failed to setup loop device for /home/pascal/Pentesting/picoCTF_2022/Forensics/Sleuthkit Apprentice/disk.

Forensics - Packets Primer - writeup

description
Download the packet capture file and use packet analysis software to find the flag.
Download packet capture
writeup
Ok so we got a .pcap file as a download:
network-dump.flag.pcap
Let’s look at the content using Wireshark.
wireshark -r network-dump.flag.pcap
I found some interesting traffic:
4 0.001225 10.0.2.15 10.0.2.4 TCP 126 48750 → 9000 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=60 TSval=2379213157 TSecr=1760620995
Looking at the hex dump of that transaction I can see the following:

Forensics - Redaction gone wrong - writeup

description
Now you DON’T see me. This report has some critical data in it, some of which have been redacted correctly, while some were not. Can you find an important key that was not redacted properly?
writeup
By simply opening the pdf file in LibreOffice Draw I was able to move the black boxes to uncover the flag!
The flag is:
picoCTF{C4n_Y0u_S33_m3_fully}

Forensics - Operation Orchid - writeup

description
Download this disk image and find the flag.
Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory.
https://artifacts.picoctf.net/c/242/disk.flag.img.gz
writeup
Ok let’s download the image first!
wget https://artifacts.picoctf.net/c/242/disk.flag.img.gz
Next I will extract it.
gunzip disk.flag.img.gz
file disk.flag.img
disk.flag.img: DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0xc,223,19), startsector 2048, 204800 sectors; partition 2 : ID=0x82, start-CHS (0xc,223,20), end-CHS (0x19,159,6), startsector 206848, 204800 sectors; partition 3 : ID=0x83, start-CHS (0x19,159,7), end-CHS (0x32,253,11), startsector 411648, 407552 sectors
That is a DOS / MBR boot partition

Forensics - Operation Oni - writeup

description
Download this disk image, find the key and log into the remote machine.
Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory.
writeup
So I went ahead, fired up the remote machine and downloaded the disk image.
wget https://artifacts.picoctf.net/c/372/disk.img.gz
It is gzip compressed so I first had to decompress it
gunzip disk.