Forensics - Sleuthkit Apprentice - writeup
description
Download this disk image and find the flag.
Note: if you are using the webshell, download and extract the disk image into /tmp, not your home directory.
Download compressed disk image
writeup
So we got a file ‘disk.flag.img’.
I will try to create a folder and mount the disk image into that folder first.
```
mkdir mnt
mount ./disk.flag.img mnt
mount: mnt: failed to setup loop device for /home/pascal/Pentesting/picoCTF_2022/Forensics/Sleuthkit Apprentice/disk.flag.img.
```
Ok, so that did not work: mount needs to attach the image to a loop device, and setting up a loop device requires root privileges (the parted session further down also warns about not being superuser).
Checking with the file command what that file actually is, I see that it is a ‘DOS/MBR boot sector’.
So it is using a DOS (MBR) partition table:
```
file disk.flag.img
disk.flag.img: DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0xc,223,19), startsector 2048, 204800 sectors; partition 2 : ID=0x82, start-CHS (0xc,223,20), end-CHS (0x16,111,25), startsector 206848, 153600 sectors; partition 3 : ID=0x83, start-CHS (0x16,111,26), end-CHS (0x26,62,24), startsector 360448, 253952 sectors
```
Let’s check with fdisk which partitions are there.
We already saw 3 partitions inside that partition table.
```
fdisk -l disk.flag.img
Disk disk.flag.img: 300 MiB, 314572800 bytes, 614400 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7389e82d

Device         Boot  Start    End Sectors  Size Id Type
disk.flag.img1 *      2048 206847  204800  100M 83 Linux
disk.flag.img2      206848 360447  153600   75M 82 Linux swap / Solaris
disk.flag.img3      360448 614399  253952  124M 83 Linux
```
The first partition ‘disk.flag.img1’ is a boot partition.
We can see that from the boot flag (the ‘*’ in the Boot column), which is set.
Its start at sector 2048 and its size of 100 MiB also fit a boot partition.
The second partition ‘disk.flag.img2’ is a swap partition.
That is indicated by the partition type ‘Linux swap / Solaris’.
The third partition ‘disk.flag.img3’ is most probably the root partition.
With a size of 124 MiB it is the biggest partition and its type is ‘Linux’, so it is probably ext4.
Next I ran parted with bytes as the unit to find the start offset of the third partition:
```
parted disk.flag.img
WARNING: You are not superuser. Watch out for permissions.
GNU Parted 3.4
Using /home/pascal/Pentesting/picoCTF_2022/Forensics/Sleuthkit Apprentice/disk.flag.img
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) u
Unit? [compact]? B
(parted) print
Model: (file)
Disk /home/pascal/Pentesting/picoCTF_2022/Forensics/Sleuthkit Apprentice/disk.flag.img: 314572800B
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start       End         Size        Type     File system     Flags
 1      1048576B    105906175B  104857600B  primary  ext4            boot
 2      105906176B  184549375B  78643200B   primary  linux-swap(v1)
 3      184549376B  314572799B  130023424B  primary  ext4
```
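The byte offsets parted prints are just the start sectors from fdisk multiplied by the 512-byte sector size (360448 × 512 = 184549376). As an added illustration, not part of the original writeup, the following Python script parses the four primary entries of a DOS/MBR partition table the way fdisk and parted do, and turns each start sector into the byte offset that `mount -o offset=` expects. The 512-byte MBR it parses is constructed inline from the values in the fdisk output above (type IDs, start sectors, sector counts); the CHS fields are left zero because LBA addressing does not need them. The `mount_command` helper is an assumed convenience function that only builds the command string.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count

# Partition type IDs that appear in the writeup's fdisk output.
PART_TYPES = {0x82: "Linux swap / Solaris", 0x83: "Linux"}


def build_mbr(partitions):
    """Build a 512-byte MBR from (bootable, type_id, start_lba, sectors) tuples.

    Constructed test data: CHS fields are zeroed, only the LBA fields matter here.
    """
    mbr = bytearray(512)
    for i, (bootable, type_id, start, count) in enumerate(partitions):
        entry = struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00,
                            b"\0\0\0", type_id, b"\0\0\0", start, count)
        base = PARTITION_TABLE_OFFSET + 16 * i
        mbr[base:base + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector0):
    """Return the non-empty primary partitions of an MBR as dicts with byte offsets."""
    if len(sector0) < 512 or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("not a DOS/MBR boot sector: 0x55AA signature missing")
    parts = []
    for i in range(4):
        base = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, type_id, _chs_end, start, count = struct.unpack(
            ENTRY_FORMAT, sector0[base:base + 16])
        if type_id == 0 or count == 0:      # empty slot
            continue
        parts.append({
            "number": i + 1,
            "bootable": status == 0x80,
            "type_id": type_id,
            "type": PART_TYPES.get(type_id, f"unknown (0x{type_id:02x})"),
            "start_sector": start,
            "sectors": count,
            "offset_bytes": start * SECTOR_SIZE,   # what mount -o offset= wants
            "size_bytes": count * SECTOR_SIZE,
        })
    return parts


def read_mbr(path):
    """Parse the partition table of an on-disk image file."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(512))


def mount_command(image, part, mountpoint):
    """Assumed helper: build a read-only offset mount command for one partition."""
    return (f"mount -t ext4 -o ro,loop,offset={part['offset_bytes']} "
            f"{image} {mountpoint}")


# Constructed MBR mirroring the three entries fdisk reported for disk.flag.img.
DISK_FLAG_IMG_MBR = build_mbr([
    (True,  0x83, 2048,   204800),   # boot partition
    (False, 0x82, 206848, 153600),   # swap
    (False, 0x83, 360448, 253952),   # root
])

if __name__ == "__main__":
    for p in parse_mbr(DISK_FLAG_IMG_MBR):
        print(f"{p['number']}: {p['type']:<22} start={p['start_sector']:>7} "
              f"offset={p['offset_bytes']:>10}B size={p['size_bytes']:>10}B "
              f"{'boot' if p['bootable'] else ''}")
    print(mount_command("disk.flag.img", parse_mbr(DISK_FLAG_IMG_MBR)[2], "./mnt"))
```

`read_mbr("disk.flag.img")` does the same against the real image. Mounting with `ro` keeps the evidence unchanged, which is what you want when poking around a disk image.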
Then I tried to mount the third partition using an offset of 184549376 bytes:
```
mount -t ext4 -o loop,offset=184549376 disk.flag.img ./mnt
```
But that fails with the same loop-device error as before:
```
mount: ./mnt: failed to setup loop device for /home/pascal/Pentesting/picoCTF_2022/Forensics/Sleuthkit Apprentice/disk.flag.img
```
I ended up with a simple bash script that attaches the image to a loop device with partition scanning (losetup -P) and mounts each partition device it creates:
```bash
#!/usr/bin/bash
# Attach the image to a free loop device; -P makes the kernel scan the
# partition table and create one device per partition (e.g. /dev/loop11p1).
img="disk.flag.img"
dev="$(sudo losetup --show -f -P "$img")"
echo "$dev"
for part in "${dev}"p*; do
    # If the glob matched nothing (no partition table), the pattern comes
    # back literally; in that case mount the whole device instead.
    if [ ! -e "$part" ]; then
        part="$dev"
    fi
    dst="mnt/$(basename "$part")"
    echo "$dst"
    mkdir -p "$dst"
    # The partition devices are already loop devices, so "-o loop" is not
    # needed; "ro" keeps the image unchanged. The swap partition cannot be
    # mounted and is simply reported and skipped.
    sudo mount -o ro "$part" "$dst" || echo "could not mount $part (swap?)"
done
```
Running that script I was able to mount the filesystems into my local ‘mnt’ folder.
```
ls
loop11p1 loop11p2 loop11p3
```
loop11p3 is the root partition.
Let’s see what we can find here.
Maybe there is something in the home directory of the root user.
The folder ‘my_folder’ in there seems interesting.
Let’s see what is in it.
```
ls root/my_folder
flag.uni.txt
```
Could that be our flag?
Let’s cat it out!
```
cat root/my_folder/flag.uni.txt
picoCTF{by73_5urf3r_25b0d0c0}
```
Gotcha!
So the flag is:

```
picoCTF{by73_5urf3r_25b0d0c0}
```