picoCTF Forensics Guide

Here's how to solve DISKO 1


DISKO 1

Name: DISKO 1
Description: Can you find the flag in this disk image? Download the disk image here.
Author: Darkraicg492
Tags: Easy, Forensics, picoGym Exclusive
Challenge from: picoGym Exclusive
Files: disko-1.dd.gz
Hints:
1. Maybe Strings could help? If only there was a way to do that?

Theory

According to the description, to get the flag we have to look through a disk image file. Judging by the other disk image challenges we've gotten in picoCTF in the past, it's probably gonna be hard, although this is an easy level, so let's not judge yet. Back to the challenge: the description honestly doesn't tell us anything, and, future me here, we really can't do this challenge without reading the hint, which is to use strings. With that, the challenge is really easy: we just need to download the image, uncompress it, and pipe strings into grep to find the flag. The strings command prints every run of human-readable characters in the file, and grep then keeps only the lines that contain the start of the picoCTF flag format, giving us this command:

strings disk_file_idk.dd | grep "picoCTF{"

Solution

Let's download the disk and see what it has:

shukularuni-picoctf@webshell:~$ wget https://artifacts.picoctf.net/c/538/disko-1.dd.gz
--2025-05-17 13:55:50--  https://artifacts.picoctf.net/c/538/disko-1.dd.gz
Resolving artifacts.picoctf.net (artifacts.picoctf.net)... 3.160.5.71, 3.160.5.93, 3.160.5.42, ...
Connecting to artifacts.picoctf.net (artifacts.picoctf.net)|3.160.5.71|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20484476 (20M) [application/octet-stream]
Saving to: 'disko-1.dd.gz'

disko-1.dd.gz                                                       100%[=================================================================================================================================================================>]  19.54M  1.82MB/s    in 11s     

2025-05-17 13:56:01 (1.82 MB/s) - 'disko-1.dd.gz' saved [20484476/20484476]

Oh wait, almost forgot: look at that, it's compressed with gzip, so we can use the built-in gunzip command with the -d option to decompress the file:

shukularuni-picoctf@webshell:~$ gunzip -d disko-1.dd.gz

shukularuni-picoctf@webshell:~$ ls
README.txt  disko-1.dd

Now we can search for the flag for real this time with the command from the Theory section:

shukularuni-picoctf@webshell:~$ strings disko-1.dd | grep "picoCTF{"
picoCTF{1t5_ju5t_4_5tr1n9_e3408eef}

There we go! That's the flag.
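As an added example (not part of the original guide or the challenge), here is the same search done in Python. It goes a bit beyond strings | grep: it reads the .dd.gz directly without unpacking it, reports the byte offset of each hit, and also catches a flag stored as UTF-16LE, which plain strings would skip. The function names, the 512-byte overlap and the sample flags are made up for this example.

```python
import gzip
import os
import re
import tempfile

BODY = rb"[\x20-\x7c\x7e]"  # printable ASCII except '}'
OVERLAP = 512  # bytes carried between reads; longer than any flag matched below

def flag_pattern(codec):
    """Regex for picoCTF{...} as stored in `codec` ("ascii" or "utf-16le")."""
    pad = rb"\x00" if codec == "utf-16le" else b""  # UTF-16LE: NUL after each char
    return re.compile(re.escape("picoCTF{".encode(codec))
                      + rb"(?:" + BODY + pad + rb"){1,200}\}" + pad)

PATTERNS = {codec: flag_pattern(codec) for codec in ("ascii", "utf-16le")}

def scan_image(path, chunk_size=1 << 20):
    """Return sorted (offset, codec, flag) hits from a raw or gzip-compressed image."""
    with open(path, "rb") as fh:
        opener = gzip.open if fh.read(2) == b"\x1f\x8b" else open  # gzip magic
    hits, tail, base = set(), b"", 0  # base = image offset of tail[0]
    with opener(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            buf = tail + chunk
            for codec, pattern in PATTERNS.items():
                for m in pattern.finditer(buf):
                    hits.add((base + m.start(), codec, m.group().decode(codec)))
            # keep the end of this buffer so a flag split across two reads still matches
            tail = buf[-OVERLAP:]
            base += len(buf) - len(tail)
    return sorted(hits)

def build_sample(path, chunk_size):
    """Write a constructed gzip'd image: filler plus two made-up flags."""
    narrow = b"picoCTF{constructed_ascii_sample}"
    wide = "picoCTF{constructed_utf16_sample}".encode("utf-16le")
    # the ASCII flag starts 10 bytes before the first chunk boundary
    data = b"\x00" * (chunk_size - 10) + narrow + b"\xff" * 3000 + wide
    with gzip.open(path, "wb") as fh:
        fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.dd.gz")
        build_sample(sample, 4096)
        for offset, codec, flag in scan_image(sample, chunk_size=4096):
            print(f"{offset:#x}  {codec:<8}  {flag}")
```

To use it on the real download, call scan_image("disko-1.dd.gz") or scan_image("disko-1.dd"); both forms are accepted.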

I didn't like it because the description could've been done better. The problem is that the description says too little and the hint just spoils the entire level for you. Although it's probably meant for beginners and that kind of stuff, it could've been done just a little better, I think.

I rated this level as "not good"! :(


https://play.picoctf.org/practice/challenge/505