Disk Golf

Posted on Mon 05 August 2024 in ctf

This is a writeup of the forensics challenge Disk Golf in the n00bz CTF 2024.

We start by unpacking the attached tarball disk.img.tar.gz:

tar xvf disk.img.tar.gz

If we try to mount the disk image it fails becuase the image is broken.

Instead we try to fix the image with the following commands:

e2fsck disk.img
resize2fs disk.img

Afterwards we're able to mount the image:

mkdir mnt
sudo mount -t ext4 disk.img mnt -o loop

Then inside the mount directory we find two interesting files:

cat mnt/home/johnhackerdoe/flag2.txt mnt/home/johnhackerdoe/flag.txt

This flag was added after the memory dump was created! I wish there was a way to access the current file system ;)
156 60 60 142 172 173 67 150 63 137 154 60 156 147 137 64 167 64 61 164 63 144 137 144 61 65 153 137 146 60 162 63 156 163 61 143 65 175

It seems that the flag is encoded as ascii octal numbers. We can decode this with the following python code:

flag = "156 60 60 142 172 173 67 150 63 137 154 60 156 147 137 64 167 64 61 164 63 144 137 144 61 65 153 137 146 60 162 63 156 163 61 143 65 175"
dec_flag = ''.join([chr(int(x,8)) for x in flag.split()])
print(dec_flag)

This gives us the flag:

n00bz{7h3_l0ng_4w41t3d_d15k_f0r3ns1c5}