PicoCTF Writeup – Pitter, Patter, Platters

# Information: 

CTF Name: PicoCTF

CTF Challenge: Pitter, Patter, Platters

Challenge Category: Forensics

Challenge Points: 200

PicoCTF 2020 Mini-Competition.

# Challenge Description

‘Suspicious’ is written all over this disk image. Download suspicious.dd.sda1. Relevant hints: It may help to analyze this image in multiple ways: as a blob, and as an actual mounted disk. Have you heard of slack space? There is a certain set of tools that now come with Ubuntu that I’d recommend for examining that disk space phenomenon…

# Writeup

When I saw this challenge I did not know how to tackle it. By looking at the hints I was more hopeful! So it seems that there is some kind of tool that comes with Ubuntu, or that is compatible with Linux. I started to search online and for a while, I did not find any particular tool.

However, I managed to come across this tool: Autopsy. After finding this tool I installed it on my computer. I used Windows for this one, because Autopsy is compatible with Windows, macOS, and Linux.

After installation, I launched the tool. Once launched I tried to open the disk image provided in the description. To do so I did the following:

As you can see, in the final seconds of the video above I clicked on a file named “suscpicious-file.txt“. Below you can see the contents of the file:

To advance from here I went back to read the description and the hints. And I found something I believe is relevant! “Have you heard of slack space?“. Slack space?!? This is the key to solving the challenge!! The flag must be in the slack space of some file.

But before moving on what is the slack space?

Slack space is the part of a file’s last allocated cluster that the file’s own contents do not fill: the filesystem hands out whole clusters, so a file whose size is not a multiple of the cluster size leaves the tail of its final cluster unused, and that remaining space is the slack space. (Reference: Computer Hope: Slack Space)

Knowing this, I decided to perform a forensic analysis on the disk, in particular on the file “suscpicious-file.txt” to see the contents of the slack space of this file.

However, before progressing to the process of finding the slack space of the file, I searched online to find out how Autopsy represents a file’s slack space. I found this URL in which I discovered that “Autopsy creates slack files (with the “-slack” extension) from any extra space at the end of a file.“ I also found out that these slack files are hidden by default, therefore I needed a way to make them visible.

The actual walkthrough:

Below there is a video with the steps I followed to find the slack space of the file.

The video above provides two ways to find the file: one in which we search the disk for the string “-slack”, and the other in which we reveal all the -slack files that are hidden by default. By looking at the contents of the file’s slack space it is easy to see that the flag is reversed. To fix this I found this online tool, which reverses the string provided.
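To make the slack space definition above and the extraction step concrete, here is an added example (not the challenge’s image and not Autopsy’s code) that carves the slack of a file out of a raw image and undoes the reversal. It assumes a known cluster size and a known starting cluster for the file; on a real image those come from the filesystem metadata.

```python
# Added example: extracting file slack from a raw image. The image below is
# constructed in memory and is not the challenge's suspicious.dd.sda1.
# Assumptions: a 4096-byte cluster size and a known starting cluster for the
# file (on a real filesystem both come from the on-disk metadata).

CLUSTER_SIZE = 4096  # assumed block/cluster size of the constructed image


def slack_region(file_size: int, cluster_size: int = CLUSTER_SIZE) -> tuple[int, int]:
    """Offset and length of the slack inside a file's allocated clusters.

    A file that is not a multiple of cluster_size bytes still owns its last
    cluster entirely; the unused tail of that cluster is the slack space.
    """
    if file_size == 0:
        return (0, 0)
    allocated = -(-file_size // cluster_size) * cluster_size  # round up
    return (file_size, allocated - file_size)


def read_slack(image: bytes, start_cluster: int, file_size: int,
               cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the raw slack bytes of a file that starts at start_cluster."""
    base = start_cluster * cluster_size
    offset, length = slack_region(file_size, cluster_size)
    return image[base + offset : base + offset + length]


def recover_reversed_text(slack: bytes) -> str:
    """Drop the zero padding, then undo the reversal seen in the challenge."""
    return slack.rstrip(b"\x00").decode("ascii", errors="replace")[::-1]


def build_demo_image() -> tuple[bytes, int]:
    """Constructed two-cluster image: a short text file in cluster 1 whose
    slack holds a reversed placeholder flag (not the challenge's data)."""
    file_content = b"This file looks suspicious but is just text.\n"
    hidden = b"picoCTF{constructed_example}"[::-1]  # placeholder, reversed
    cluster = file_content + hidden
    cluster += b"\x00" * (CLUSTER_SIZE - len(cluster))  # pad to a full cluster
    image = b"\x00" * CLUSTER_SIZE + cluster            # cluster 0 left unused
    return image, len(file_content)


if __name__ == "__main__":
    img, size = build_demo_image()
    print(recover_reversed_text(read_slack(img, 1, size)))
```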

And the flag is:

picoCTF{b3_5t111_mL|_<3_cfeb7391}

Thank you very much for reading!

Cheers,

MRegra
