Pitter, Patter, Platters (picoCTF2020)


The challenge is in the Digital Forensics category, and the description says "Suspicious" is written all over this disk image. Together with the title, that is a big hint about what to look for.

The first step was to download the file and start investigating it. The challenge hint says "It may help to analyze this image in multiple ways: as a blob, and as an actual mounted disk." Given that hint, the tool that came to mind was Autopsy (know more about Autopsy).

Creating a case in Autopsy; here I have already created one and named it "suspicious"

After creating the case and adding the host, which are the first steps of setting up a case in Autopsy, you open the case. I clicked Analyze and then File Analysis, which lists the directories in the partition. In the directory list there is a file named "suspicious-file.txt" with inode number 12. I went to the Meta Data option in the top panel, entered that inode number, and after looking at the output for a few seconds I saw a direct block with fragment number 2049.

suspicious-file.txt with inode number 12

Meta Data analysis of inode number 12 (suspicious-file.txt): there is a Direct Block with fragment number 2049. Clicking on it gave the result below.

Flag-like output.

There is an interesting ASCII string in the block display:

ASCII Contents of Fragment 2049 in suspicious.dd.sda1-0-0

Nothing to see here! But you may want to look here -->
}.6.f.a.0.9.2.5.f._.3.<._.|.L.m._.1.1.1.t.5._.3.b.{.F.T.C.o.c.i.p
[the rest of the block is non-printable padding, which Autopsy renders as dots]

The string "}.6.f.a.0.9.2.5.f._.3.<._.|.L.m._.1.1.1.t.5._.3.b.{.F.T.C.o.c.i.p" looks like a flag, but written backwards: it ends with "{FTCocip", which is "picoCTF{" reversed, and the dot after every character is Autopsy's marker for a non-printable byte sitting between the flag characters. So the remaining work is simple: drop the separators and reverse the string, which I did by typing it backwards.
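The two views the hint mentions, as an added example that is not part of the original post: reading the one block Autopsy pointed at by its number (the mounted-disk view), and walking the whole image block by block looking for the reversed "picoCTF{" marker (the blob view). The sample image is constructed inline from the string shown above; the 1024-byte block size, the partition starting at sector 2048, and the 0x00 byte between flag characters are all assumptions, since the page only shows Autopsy's dots.

```python
import re
import sys

# Reversed flag text exactly as the Autopsy block view on this page shows it.
# Autopsy prints '.' for every non-printable byte, so each flag character is
# separated by one byte whose value the dump does not reveal.
PAGE_DUMP = "}.6.f.a.0.9.2.5.f._.3.<._.|.L.m._.1.1.1.t.5._.3.b.{.F.T.C.o.c.i.p"

# Assumptions (not stated on the page): 1024-byte filesystem blocks, one
# fragment per block, and volume sda1 starting at sector 2048 of the image.
BLOCK_SIZE = 1024
SECTOR_SIZE = 512
PARTITION_OFFSET = 2048 * SECTOR_SIZE
FLAG_BLOCK = 2049  # the "Direct Block" Autopsy listed for inode 12

# "picoCTF{...}" written backwards: closing brace first, "{FTCocip" last.
FLAG_RE = re.compile(r"\}[^{}]*\{FTCocip")
# Every byte outside printable ASCII, for bytes.translate(None, delete=...).
NONPRINTABLE = bytes(range(0x20)) + bytes(range(0x7F, 0x100))


def build_sample_image(sep=b"\x00"):
    """Construct a toy raw image (constructed data, not suspicious.dd).

    The separator between flag characters is assumed to be 0x00; Autopsy only
    shows a dot for it, so any non-printable value would look the same there.
    """
    image = bytearray(PARTITION_OFFSET + BLOCK_SIZE * (FLAG_BLOCK + 4))
    # Unrelated printable data in block 0 so the blob scan has noise to skip.
    noise = b"lost+found placeholder block\n\n"
    image[PARTITION_OFFSET:PARTITION_OFFSET + len(noise)] = noise
    payload = b"Nothing to see here! But you may want to look here -->\n"
    payload += sep.join(c.encode() for c in PAGE_DUMP.split(".")) + sep
    start = PARTITION_OFFSET + FLAG_BLOCK * BLOCK_SIZE
    image[start:start + len(payload)] = payload
    return bytes(image)


def read_block(image, block_no, block_size=BLOCK_SIZE,
               partition_offset=PARTITION_OFFSET):
    """Return one filesystem block by number (the mounted-disk view).

    Autopsy's block numbers are relative to the volume (suspicious.dd.sda1),
    so the volume's byte offset inside the raw image must be added first.
    """
    start = partition_offset + block_no * block_size
    return image[start:start + block_size]


def recover_flag(block):
    """Strip the non-printable separator bytes, find the reversed flag, reverse it."""
    printable = block.translate(None, NONPRINTABLE).decode("ascii")
    m = FLAG_RE.search(printable)
    return m.group(0)[::-1] if m else None


def scan_image(image, block_size=BLOCK_SIZE, partition_offset=PARTITION_OFFSET):
    """Treat the image as a blob: walk every block and return (block_no, flag)
    for the first block holding a reversed flag, or None if there is none.

    A flag straddling a block boundary would need a sliding window instead.
    """
    n_blocks = (len(image) - partition_offset) // block_size
    for block_no in range(n_blocks):
        flag = recover_flag(read_block(image, block_no, block_size, partition_offset))
        if flag:
            return block_no, flag
    return None


if __name__ == "__main__":
    # Usage: python3 platters.py [image.dd [block_no]]
    # With no arguments the constructed sample image is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_image()
    if len(sys.argv) > 2:
        print(recover_flag(read_block(data, int(sys.argv[2]))))
    else:
        print(scan_image(data))
```

The same two lookups can be done from the command line with The Sleuth Kit, which Autopsy is built on: `blkcat -o <volume start sector> suspicious.dd 2049` dumps the block and `icat -o <volume start sector> suspicious.dd 12` dumps the file behind inode 12; the block scan is what you fall back to when the filesystem metadata does not lead you to the data.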

Flag captured!

Just like that, the flag was captured!

NOTE: The flag changes from instance to instance, but the steps and methodology used here will still obtain it.
