Download this disk image and find the flag.
Note: if you are using the webshell, download and extract the
disk image into /tmp, not your home directory.
- Download compressed disk image
Start with getting the file:
wget https://artifacts.picoctf.net/c/136/disk.flag.img.gz
Then unzipping it (since it's a large file it might take some time):
gunzip disk.flag.img.gz
Then open it in Autopsy. Note that this process assumes you are using the Linux version of Autopsy and not other versions (Windows).
sudo autopsy
Open the link provided: http://localhost:9999/autopsy
Click "New Case".
Then fill in the "Case Name" and "Investigator Name" and click "New Case" again.
Then click "add host" with the default investigator name.
No need to change any of the defaults, just click "add host" again.
Then click "add image"
Then "add image file".
To find the Location (full path) of the file run this command: realpath disk.flag.img
It will give you the full path of that file. Alternatively you can use pwd and then just append the file name to the end manually. Once you have put the full path of the file in, press "next".
Now just click "add", again with just the defaults.
Then "Ok".
I then selected "3" as it was the largest image, then clicked analyze.
Then click "File Analysis".
I then clicked "Expand Directories" for convenience when going through the disk image.
I first went to keyword search.
I searched for "pico", "picoctf", "flag", and "flag.txt". From searching for flag.txt I got this file.
Based on this, the flag is likely in my_folder. Going back to File Analysis and expanding directories, you can see my_folder at the very bottom.
It is inside the root folder, which I could have checked at the beginning as it is an obvious place to put the flag. The file that was found in the search was the .ash_history in the root folder, which captured the commands that they wrote. Before removing flag.txt they moved the file contents to flag.uni.txt with modifications.
This is flag.uni.txt -
At the bottom of the file contents you can see the flag. So I exported flag.uni.txt into Downloads and then moved the txt file into my working directory.
I thought I might have had to delete characters, but by downloading the file and then using cat to display the contents it just gives the flag.
Flag: picoCTF{by73_5urf3r_3497...}
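As an added example (not part of the original writeup, and not Autopsy's own code), here is what the keyword search step does under the hood: a Python scan of a raw disk image for the same terms, checking both ASCII and UTF-16LE (the recovered file is named flag.uni.txt, so unicode-encoded text is worth searching for), and reporting the byte offset and 512-byte sector of every hit the way Autopsy does. SAMPLE_IMAGE is a constructed stand-in for disk.flag.img; the history lines in it are made up.

```python
import io
import re

SECTOR_SIZE = 512             # Autopsy / The Sleuth Kit report hits by 512-byte sector
DEFAULT_CHUNK = 4 * 1024 * 1024

def build_patterns(keywords):
    """Compile each keyword case-insensitively as ASCII and as UTF-16LE bytes."""
    patterns = []
    for kw in keywords:
        for enc in ("ascii", "utf-16le"):
            patterns.append((kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)))
    return patterns

def search_stream(stream, keywords, context=32, chunk_size=DEFAULT_CHUNK):
    """Scan a raw image for keywords; return hits sorted by byte offset.

    Consecutive chunks overlap by (longest pattern - 1) bytes so a hit that
    straddles a chunk boundary is still found; a hit that ended inside the
    carried-over bytes was already reported from the previous chunk and is skipped.
    """
    patterns = build_patterns(keywords)
    overlap = max(len(kw.encode("utf-16le")) for kw in keywords) - 1
    hits, base, carry = [], 0, b""    # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        for kw, enc, pat in patterns:
            for m in pat.finditer(buf):
                if m.end() <= len(carry):
                    continue                       # duplicate from the overlap region
                off = base + m.start()
                lo, hi = max(0, m.start() - context), min(len(buf), m.end() + context)
                text = buf[lo:hi].decode(enc, errors="replace")
                hits.append({"keyword": kw, "encoding": enc, "offset": off,
                             "sector": off // SECTOR_SIZE,
                             "snippet": "".join(c if c.isprintable() else "." for c in text)})
        carry = buf[-overlap:] if overlap > 0 else b""
        base += len(buf) - len(carry)
    hits.sort(key=lambda h: h["offset"])
    return hits

# Constructed stand-in for the disk image: an ash_history-style fragment in ASCII
# followed by a UTF-16LE encoded flag, padded with zero bytes.
SAMPLE_IMAGE = (b"\x00" * 1024 + b"cat flag.txt\nrm flag.txt\n" + b"\x00" * 600
                + "picoCTF{example}".encode("utf-16le") + b"\x00" * 100)

if __name__ == "__main__":
    for h in search_stream(io.BytesIO(SAMPLE_IMAGE), ["flag.txt", "picoCTF"]):
        print(f"sector {h['sector']:>6} offset {h['offset']:>8} {h['encoding']:<8} {h['snippet']}")
```

Run against the real image with `search_stream(open("disk.flag.img", "rb"), [...])`; the sector numbers line up with the ones Autopsy shows in its keyword search results.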