SleuthkitApprentice.md

Description

Download this disk image and find the flag.
Note: if you are using the webshell, download and extract the
disk image into /tmp not your home directory.

  • Download compressed disk image

Solution

Start by getting the file:

wget https://artifacts.picoctf.net/c/136/disk.flag.img.gz

Then decompress it (since it is a large file this might take some time):

gunzip disk.flag.img.gz

Then open it in Autopsy. Note that this walkthrough assumes you are using the Linux version of Autopsy, not another version such as the Windows one.

Getting the disk into Autopsy

sudo autopsy

Open the link provided: http://localhost:9999/autopsy

Click "New Case".

Then fill in the "Case Name" and "Investigator Name" and click "New Case" again.

Then click "add host" with the default investigator name.

No need to change any of the defaults, just click "add host" again.

Then click "add image".

Then "add image file".

To find the Location (full path) of the file run this command: realpath disk.flag.img

It will give you the full path of that file. Alternatively you can use pwd and then just append the file name to the end manually. Once you have entered the full path of the file, press "next".

Now just click "add", again with just the defaults.

Then "Ok".

I then selected "3" as it was the largest image, then clicked analyze.

Then click "File Analysis".

I then clicked "Expand Directories" for convenience when going through the disk image.

Findings

I first went to keyword search.

I tested for "pico", "picoctf", "flag", and "flag.txt". From searching for flag.txt I got this file.

Based on this the flag is likely in my_folder. When going back to file analysis and expanding directories, you can see my_folder at the very bottom.

It is inside the root folder, which I could have checked at the beginning as it is an obvious place to put the flag. The file that was found in the search was the .ash_history in the root folder, which captured the commands that they wrote. Before removing flag.txt they moved the file contents to flag.uni.txt with modifications.

This is flag.uni.txt:

At the bottom of the file's contents you can see the flag. So now I exported flag.uni.txt into downloads and then moved the txt file into my working directory.

I thought I might have had to delete characters, but by downloading the file and then using cat to display the contents it just gives the flag.

Flag: picoCTF{by73_5urf3r_3497...}
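The same investigation can be done from the command line with The Sleuth Kit tools that Autopsy wraps (mmls, fls, icat). The script below is an added example, not code from the original writeup: it picks the largest partition from mmls output (the step where "3" was selected above), lists files by path with fls, searches that listing for names containing "flag" (a file-name search, which stands in for Autopsy's keyword search only for names, not for file contents), and extracts root/.ash_history and root/my_folder/flag.uni.txt with icat. The mmls and fls sample outputs embedded at the top are constructed for testing the parsing functions and do not come from the challenge image; pass the path of the decompressed image as the first argument to run it against the real file.

```shell
#!/bin/sh
# Added example: command-line version of the Autopsy walkthrough using
# The Sleuth Kit (mmls, fls, icat). Not the original writeup's code.

# Constructed sample in mmls output format (not from the challenge image),
# so the parsing functions can be exercised without the disk image.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0000471039   0000264192   Linux Swap / Solaris x86 (0x82)
004:  000:002   0000471040   0000819199   0000348160   Linux (0x83)'

# Constructed sample in "fls -r -p" format: type, inode, colon, tab, path.
# The "*" marks a deleted entry, the way fls prints it.
SAMPLE_FLS=$(printf 'd/d 6545:\troot\nr/r 6551:\troot/.ash_history\nr/r * 6550(realloc):\troot/flag.txt\nd/d 6552:\troot/my_folder\nr/r 6553:\troot/my_folder/flag.uni.txt')

# Print the start sector of the largest allocated partition in mmls output ($1).
# Only rows whose slot looks like NNN:NNN are real partitions; the Meta and
# Unallocated rows are skipped.
pick_largest_partition() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ {
            if ($5 + 0 > best) { best = $5 + 0; start = $3 + 0 }
        }
        END { if (best > 0) print start }'
}

# Print every path in fls output ($1) that matches the regex in $2.
find_paths_matching() {
    printf '%s\n' "$1" | awk -F'\t' -v re="$2" '$2 ~ re { print $2 }'
}

# Print the inode of the entry in fls output ($1) whose path equals $2.
# Handles deleted entries ("r/r * 123(realloc):") as well as live ones.
inode_for_path() {
    printf '%s\n' "$1" | awk -F'\t' -v p="$2" '
        $2 == p {
            sub(/^.* /, "", $1); sub(/\(realloc\)/, "", $1); sub(/:$/, "", $1)
            print $1; exit
        }'
}

# Run the whole procedure against a real image ($1). Requires sleuthkit.
run_investigation() {
    img=$1
    off=$(pick_largest_partition "$(mmls "$img")")
    listing=$(fls -r -p -o "$off" "$img")
    echo "Partition offset: $off sectors"
    echo "Paths containing 'flag':"
    find_paths_matching "$listing" 'flag'
    echo "--- root/.ash_history ---"
    icat -o "$off" "$img" "$(inode_for_path "$listing" 'root/.ash_history')"
    echo "--- tail of root/my_folder/flag.uni.txt ---"
    icat -o "$off" "$img" "$(inode_for_path "$listing" 'root/my_folder/flag.uni.txt')" | tail -n 5
}

# Only touch a real image when one is given and the tools are installed.
if [ -n "${1:-}" ] && command -v mmls >/dev/null 2>&1; then
    run_investigation "$1"
fi
```

The listing from fls includes deleted entries, so the removed flag.txt still shows up beside flag.uni.txt, which is why the shell history was the quickest route to the modified copy in the writeup; icat on a deleted inode may return reallocated data, so the live file is the one worth reading.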