Do you even grep? Disko 1 picoCTF
“In the Microsoft eco-system, the people are not represented by two separate, yet equally important, groups: those who grep, investigating file content using simple commands; and those with beautiful window managers, effortlessly floating between screens rarely touching the mouse.”
This all started with a CTF (Capture The Flag) challenge over at picoctf.
For those who are interested in trying the challenge on their own:
- Sorry, but the title of this piece might be a major clue.
- Stop reading this RIGHT NOW. Go try it first (and, if you can be bothered, try figuring it out on Windows).
For the uninitiated, a CTF is a technical challenge in which you try to find a hidden string by completing some digital forensic examination, a real vulnerability exploit (against fake, intentionally vulnerable products), or sometimes even fake social engineering. They are really fun and a good way to get the neurons firing. The skills you gain from them are practical and can make you a better technology professional.
I don’t want to be one of those people but…
I’ve been daily driving Linux on my laptop, and every time I want to do a Linux thing on my Windows machine, a little bit of me cries.
Disko 1
This CTF is meant to be a digital forensic exercise: analysing a dump of a disk (a dd file) trying to find a hidden string. So really we need to do two things.
- Get all the strings from the dd file.
- Search those strings for a pattern that will match our CTF flag.
Thankfully we know what the CTF flag looks like, with this handy greyed-out input box showing us what we are probably looking for.
And if you are on Linux, well, you can do this with one line.
strings disko-1.dd | grep "picoCTF{"
The strings command displays all printable strings inside our disko-1.dd.
The pipe | redirects our output to a second command, feeding it directly into grep "<search term>", which effectively searches our output for the search term.
If you did this CTF with Linux - congrats. You did it in 5 minutes.
But what about Windows?
Is it winning if it’s not WIN-dows?
This really bugged me. I started this CTF in Windows. Why can’t I do it with one line in Windows? Surely it’s not that bad, is it?
The first challenge I had was dealing with a .dd file. The file size wasn’t overly large (50 MB), so maybe I could just open this in notepad and ctrl+f the string?
Sounds silly, but isn’t that what the grep command is doing in a neat little CLI anyway? That was not a good move; notepad, my good friend for many years, had been checkmated into a “not responding”. This of course was due to the strings command in Linux extracting all printable strings, restricting our search and return to the correct type we were looking for.
There’s something hallmark about that signature grey/white UI with emboldened black text and data being presented in tabular format. It screams .NET core, those who win-amped remember aero styling, those who used Visual Basic remember grey square buttons.
I say all this because the first popular choice that came up to open and display content from a .dd file was a tool called OSFMount from PassMark, a software company whose software I used in high school to prove my computer could run the Age of Empires disc that came with my cereal. Credit where credit is due: once I had OSFMount installed and opening the .dd file, I could now peek into the structure and contents of the folder. I was no closer to the one-liner; however, now that I had a “Folder”, maybe our good friend PowerShell could come in to save the day.
PowerShell had its own comic-book.
I spoke about daily driving Linux earlier (I use Arch btw). I think every Linux user at one point or another has used a command similar to sudo apt-get, and after slowly realising how easy it is to install, update and manage packages from the command line interface (CLI), not only do these commands become second nature but the CLI itself becomes “friendly(er)” to the user.
To be fair, I think most Windows users have seen Command Prompt, or so I hope. PowerShell, on the other hand, actually needed its own brand mascot.
Anyway, I digress. I’ve been trying to slot in showing people the PowerShell mascot without being too obnoxious about it.
So can we “grep” now? To review: I have a mounted drive full of files, and a file path to be able to search the contents of said files. Granted, the files are also nondescript and might have the same issues; perhaps breaking the operation down to per file will yield results, as my direct attempts on the .dd file had mostly failed.
(The direct attempts are below.)
This one timed out
$fileContent = Get-Content -Path "C:\disko-1.dd"
Select-String -InputObject $fileContent -Pattern "picoCTF"
And this one returned something; however, the output was not correct:
Get-ChildItem -Path "*" | Select-String -Pattern "pico"
I felt the last command was close. It was at this moment I realised something: perhaps I was doing this all wrong and there was a simple way. It wasn’t going to be as pretty as a strings command, but maybe, if I just passed my .dd file as a variable and piped it to Select-String, it would work. And so:
$fileContent = Get-Content -Path "c:\disko-1.dd"
$fileContent | Select-String "picoCTF"
I couldn’t believe my eyes: after quite a long journey the answer was lying there. The formatting wasn’t nice and I got some garble with it, but we did it. We finally “won” on Windows.
picoCTF{1t5_ju5t_4_5tr1n9_be6031da}
Interestingly, if you tried this command as a single-line pipe, declaring the Get-Content on the left, you would have a blank result.
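For anyone who wants the Windows one-liner without the garble, here is an added example (mine, not from the original post and not the picoCTF challenge's own files) that emulates `strings | grep` in PowerShell. It goes a step beyond the post's approach: it reads the image as raw bytes rather than lines, extracts printable runs the way strings does, and returns only the text matching the flag pattern. `Find-FlagStrings`, the temporary sample file it writes and the placeholder flag inside it are all hypothetical names and constructed data.

```powershell
# Added example (not from the original post): a PowerShell stand-in for `strings file | grep pattern`.
# Find-FlagStrings is a hypothetical function name; the sample file below is constructed, not the picoCTF image.
function Find-FlagStrings {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Pattern = 'picoCTF\{[^}]*\}',
        [int] $MinLength = 4
    )
    # Read raw bytes so line endings and binary data never confuse Get-Content.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Decode as Latin-1 (code page 28591): every byte maps to exactly one char, so nothing is dropped or merged.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    # Emulate `strings`: runs of printable ASCII (0x20-0x7E) at least $MinLength characters long.
    $runs = [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") | ForEach-Object { $_.Value }
    # Emulate `grep`, but return only the matched text so surrounding garble is trimmed away.
    foreach ($run in $runs) {
        $m = [regex]::Match($run, $Pattern)
        if ($m.Success) { $m.Value }
    }
}

# Constructed sample: 4 KB of pseudo-random bytes with a placeholder flag buried in the middle.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'disko-sample.dd'
$rng = [System.Random]::new(42)
$buf = [byte[]]::new(4096)
$rng.NextBytes($buf)
$flag = [System.Text.Encoding]::ASCII.GetBytes('picoCTF{placeholder_flag_for_demo}')
[Array]::Copy($flag, 0, $buf, 2000, $flag.Length)
[System.IO.File]::WriteAllBytes($sample, $buf)

Find-FlagStrings -Path $sample
```

Run as written, the last line emits just `picoCTF{placeholder_flag_for_demo}`; against the real image you would point `-Path` at disko-1.dd. Reading bytes and decoding with a one-byte-per-character encoding is what makes this reliable on a disk image, where Get-Content's line splitting and encoding detection are the usual reasons a pipe like the one above comes back empty or full of noise.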
Something that if I knew early on might have stopped me exploring OSFMount - but where’s the fun in that.