Level 1: Disk Archaeology (foren)
We are given a disk image:
➜ file challenge.img
challenge.img: Linux rev 1.0 ext4 filesystem data, UUID=2b4fee55-fd5f-483c-a85f-856944731f0f (extents) (64bit) (large files) (huge files)
Let's run a quick strings + grep to see if there's anything interesting.
➜ strings challenge.img | grep TISC
TISC{w4s_th3r3_s0m3th1ng_l3ft_%s}
Part of the flag was revealed, but it is clear that there is more to it due to the presence of %s, which is used in format strings to include another string. Given the lack of other strings resembling C source code, it is likely that the flag string is contained within some compiled binary.
Next, I used grep to determine the offset of the flag string in the disk image and extracted the data surrounding the flag string:
➜ grep TISC challenge.img -b --text
673788749: <data>
➜ dd if=challenge.img of=dump skip=673778749 bs=1 count=400K
409600+0 records in
409600+0 records out
409600 bytes (410 kB, 400 KiB) copied, 0.52979 s, 773 kB/s
➜ binwalk dump
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
9155 0x23C3 ELF, 64-bit LSB shared object, AMD x86-64, version 1 (SYSV)
23087 0x5A2F Unix path: /home/buildozer/aports/main/musl/src/1.2.4
Indeed, the flag string was in an ELF. Extracting and running the binary yields the flag:
➜ ./binary
TISC{w4s_th3r3_s0m3th1ng_l3ft_ubrekeslydsqdpotohujsgpzqiojwzfq}
Note: mounting the disk image and searching for the binary won't work because the region of the image the binary is stored in doesn't seem to belong to any file in the mounted filesystem, so it has to be carved from the raw image bytes.
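The grep -b / dd / binwalk sequence above can be automated: find the marker string in the raw image, walk backwards to the nearest ELF magic, and use the ELF64 header to compute how many bytes to carve. This is an added example and not part of the original writeup; it assumes a little-endian ELF64 whose section header table sits at the end of the file (true for normally linked binaries), and it runs on a constructed stand-in image rather than challenge.img.

```python
import struct

ELF_MAGIC = b"\x7fELF"

def elf64_size(hdr):
    """Total byte length of a little-endian ELF64 whose header starts at hdr[0].
    Assumes the section header table is the last thing in the file (usual for
    linked binaries); falls back to the program header table end otherwise."""
    if len(hdr) < 64 or hdr[:4] != ELF_MAGIC or hdr[4] != 2:  # EI_CLASS 2 = 64-bit
        return None
    e_phoff, e_shoff = struct.unpack_from("<QQ", hdr, 0x20)
    e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from("<HHHH", hdr, 0x36)
    if e_shoff and e_shnum:
        return e_shoff + e_shnum * e_shentsize
    return e_phoff + e_phnum * e_phentsize

def carve_elf_around(image, marker):
    """Locate `marker` in the raw image bytes (what `grep -b --text` did), then scan
    backwards for the closest ELF header that actually spans the marker.
    Returns (offset, elf_bytes) or None."""
    hit = image.find(marker)
    if hit < 0:
        return None
    start = image.rfind(ELF_MAGIC, 0, hit)
    while start >= 0:
        size = elf64_size(image[start:start + 64])
        if size and start + size > hit:      # the marker must lie inside this ELF
            return start, image[start:start + size]
        start = image.rfind(ELF_MAGIC, 0, start)
    return None

def build_sample_image():
    """Constructed test image (hypothetical, not the challenge file): filler bytes
    around a minimal ELF64 shell whose body carries the flag format string."""
    body = b"\x00" * 200 + b"TISC{w4s_th3r3_s0m3th1ng_l3ft_%s}\x00" + b"\x00" * 100
    shdrs = b"\x00" * (64 * 3)                 # three dummy section headers at the end
    e_shoff = 64 + len(body)
    hdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8       # 64-bit, LE, version 1
    # e_type=DYN, e_machine=x86-64, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, e_shoff, 0, 64, 56, 0, 64, 3, 2)
    elf = hdr + body + shdrs
    filler = bytes(range(256)) * 40            # contains 0x7f but never "\x7fELF"
    return filler + elf + filler, len(filler), len(elf)

if __name__ == "__main__":
    img, _, _ = build_sample_image()
    off, elf = carve_elf_around(img, b"TISC{")
    open("carved.elf", "wb").write(elf)
    print(f"carved {len(elf)} bytes from offset {off}")
```

On the real image the carved file would then be made executable and run, exactly as in the writeup; on a production system the same carving logic is a way to recover executables from unallocated space during incident response.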