Alsavaudomila

mount in CTF: Disk Image Mounting and Common Challenge Patterns

author:

rudy_candy

category:

What Is the mount Command?

The mount command in Linux attaches a filesystem—such as ext4, NTFS, FAT32, or ISO images—to a directory so that its contents can be accessed. In CTF forensics challenges, mount is used to analyze:

  • Disk images (.img, .dd, .raw)
  • Virtual machine disks (.vmdk, .qcow2)
  • Extracted partitions
  • Encrypted containers

It is a fundamental tool for accessing hidden files, flags, or unusual filesystem structures.

Basic Usage

1. Mount a Disk Image

sudo mount -o loop disk.img /mnt
  • -o loop treats the file as a block device
  • /mnt is the mount point

2. Mount a Partition From an Image

Use fdisk -l or mmls to find the partition offset.

sudo mount -o loop,offset=$((2048*512)) disk.img /mnt
  • Multiply the start sector by the sector size (usually 512 bytes)
  • Read-only mode is recommended:
sudo mount -o loop,ro,offset=$((2048*512)) disk.img /mnt

3. Mount ISO or Virtual Disk Files

sudo mount -o loop disk.iso /mnt
qemu-img convert -O raw disk.vmdk disk.img
sudo mount -o loop disk.img /mnt

4. Mount Encrypted Containers

sudo cryptsetup luksOpen image.img luksdev
sudo mount /dev/mapper/luksdev /mnt
  • Passwords may be hidden in the challenge or recovered from other artifacts.

Common Patterns in CTF Challenges

  1. Hidden Partition or Offset
    • Requires finding correct partition offset with fdisk or mmls.
    • Flags often reside in non-zero offsets.
  2. Corrupted Partition Table
    • Manual extraction needed when mounting fails.
    • Challenges may involve recovering filesystem signatures.
  3. Deleted Files
    • Mount the filesystem to access /lost+found or user directories.
    • Flags may appear in deleted text files, logs, or caches.
  4. VM Disk Analysis
    • .vmdk or .qcow2 images require conversion to raw format before mounting.
  5. Encrypted Partitions
    • Use cryptsetup or similar tools to unlock and mount containers.
  6. Incorrect Filesystem Type
    • Mount errors hint at the need for offset adjustments, recovery, or filesystem identification.
  7. ISO Image Challenges
    • Flags may hide in boot configs, autorun scripts, or file metadata.

Recommended Workflow in CTFs

  1. Identify partitions and offsets:
fdisk -l disk.img
  1. Mount the image or partition in read-only mode:
mount -o loop,ro,offset=<calculated_offset> disk.img /mnt
  1. Browse the filesystem for flags:
  • User directories (/home/user/, /root/)
  • Deleted or hidden files
  • Browser cache or downloads
  • Metadata and configuration files
  1. Use other tools for deeper analysis:
  • strings for hidden text
  • binwalk or foremost for embedded files
  • Autopsy for GUI-based exploration

Leave a Reply

Your email address will not be published. Required fields are marked *

audacity autopsy Base64 binwalk Burp Suite Cookie dd exiftool FactorDB fdisk ffmpeg file foremost frida grep HEX hexdump hexedit jiff jpg Letter Number Code Low Public Exponent Attack mount netcat path traversal PDF pdfdumper pdfinfo pikazip PNG pngcheck PostgreSQL psql QR code ROT13 RSA SHA-256 sox SQL ssh steghide strings Substitution cipher volatility Wireshark zbarimg zip2john zipinfo zsteg

Load more posts