picoCTF 2020 Pitter, Patter, Platters Writeup

Pitter, Patter, Platters is a forensics challenge worth 200 points.

The description of this puzzle is:

'Suspicious' is written all over this disk image. Download suspicious.dd.sda1

This puzzle provides a disk image suspicious.dd.sda1:

 % file suspicious.dd.sda1
suspicious.dd.sda1: Linux rev 1.0 ext3 filesystem data, UUID=fc168af0-183b-4e53-bdf3-9c1055413b40

First, I tried mounting this image and poking around on the filesystem:

sudo mount -o ro suspicious.dd.sda1 /mnt

Poking around on the filesystem, there is a file suspicious-file.txt in the root directory with the following content:

Nothing to see here! But you may want to look here -->

There is also a directory tce which includes a tarball mydata.tgz. This archive contained a user’s shell history, some packages, and other stuff that didn’t end up being useful. I wasted a good hour or so reviewing files on this disk and didn’t end up finding anything resembling a flag.

I was kind of at a loss at this point, but thinking about what clues I do have and the type of puzzle this is, I think that the flag may be hidden in slack space or stuffed into some other unused area on the disk that isn’t showing up normally. It is also odd that the clue has an arrow pointing to nothing.

Next, I opened this disk with Active@ Disk Editor and searched for Nothing to see here. This revealed the flag:

Active@ Disk Editor revealing the flag.
The flag is visible with Active@ Disk Editor.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s