Description
Can you find the flag in this disk image?Download the disk image here.
🧩 Challenge Description
You are given a file named disko-1.dd.gz.
The goal is to analyze it and find the hidden flag.
Let’s go step-by-step through how to extract the flag from this compressed disk image.
🗜️ Step 1: Unzipping the .gz file
After downloading the file, you’ll see something like this:
$ ls disko-1.dd.gz disko-1.dd.gz:Zone.Identifier
This means you’ve downloaded a gzip-compressed disk image.
To extract it, we use the gunzip command:
$ gunzip disko-1.dd.gz
Now, list the files again:
$ ls disko-1.dd disko-1.dd.gz:Zone.Identifier
✅ Explanation:gunzip decompresses .gz files.
After running it, the .dd file is the raw disk image we’ll analyze next.
🔍 Step 2: Checking the file type with file
Let’s identify what kind of file this .dd really is:
$ file disko-1.dd disko-1.dd: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", Media descriptor 0xf8, sectors/track 32, heads 8, sectors 102400 (volumes > 32 MB), FAT (32 bit), sectors/FAT 788, serial number 0x241a4420, unlabeled
✅ Explanation:
The file command inspects the binary signature of a file and tells you what it contains.
Here, it says the image contains a FAT32 filesystem — commonly used on USB drives or small disks.
That means we can search inside it for readable text.
🔡 Step 3: Searching for readable text with strings
Now we want to see if there are any human-readable strings inside this binary disk image.
$ strings disko-1.dd
✅ Explanation:strings scans a binary file and prints all sequences of printable characters (letters, digits, punctuation).
It’s a common tool in forensics and reverse engineering to spot hidden messages or flags.
However, running it alone prints too much data.
Let’s filter only lines containing “pico” — since all picoCTF flags start with that word.
🔎 Step 4: Filtering results with grep
$ strings disko-1.dd | grep "pico"
:/icons/appicon
# $Id: piconv,v 2.8 2016/08/04 03:15:58 dankogai Exp $
piconv -- iconv(1), reinvented in perl
piconv [-f from_encoding] [-t to_encoding]
piconv -l
piconv -r encoding_alias
piconv -h
B<piconv> is perl version of B<iconv>, a character encoding converter
a technology demonstrator for Perl 5.8.0, but you can use piconv in the
piconv converts the character encoding of either STDIN or files
Therefore, when both -f and -t are omitted, B<piconv> just acts
picoCTF{1t5_ju5t_4_5tr1n9_be6031da}
✅ Explanation:grep searches text output for a specific pattern.
Here, it quickly finds the line containing our flag.
🏁 Step 5: Capture the Flag!
The flag is:
picoCTF{1t5_ju5t_4_5tr1n9_be6031da}
🎉 Challenge solved!
🧠 Summary
| Step | Command | Purpose | Result |
|---|---|---|---|
| 1 | gunzip | Decompress .gz file | Extracted .dd disk image |
| 2 | file | Identify file type | Found FAT32 disk |
| 3 | strings | Find readable text in binary | Detected text patterns |
| 4 | grep | Filter results | Found the flag line |
💡 Beginner Tips
If you see something that looks like random text but starts with picoCTF{, you’ve found your flag!
.dd files are raw disk images — they contain the full filesystem data.
gunzip is for decompressing .gz archives.
strings and grep are your best friends when searching for flags in binary files.