R·D Intel

DISKO 4… picoCTF | by Configx - Freedium Milestone: 20GB Reached We’ve reached 20GB of stored data — thank you for helping us grow! Patreon Ko-fi Liberapay Close < Go to the original DISKO 4… picoCTF Hello everyone , Configx Follow ~2 min read · April 6, 2026 (Updated: April 6, 2026) · Free: Yes this challenge was fairly easy like the other ones so let's start. First we a .gz file which is disko-4.dd.gz then we use the tool gunzip to decompress it with the command: gunzip disko-4.dd.gz we get disko-4.dd . first we need to see what type of file this is with the command file disko-4.dd we get disko-4.dd: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", Media descriptor 0xf8, sectors/track 32, heads 8, sectors 204800 (volumes > 32 MB), FAT (32 bit), sectors/FAT 1576, serial number 0x49838d0b, unlabeled which shows us that this is a FAT32 filesystem then we run the command fls -r disko-4.dd we use the -r to go through the folders and subfolders we get this output which was a very large output but what matters is this part: + r/r 603184: vmware-network.log + r/r 603186: dpkg.log.2.gz + r/r * 532021: dont-delete.gz v/v 3225859: $MBR v/v 3225860: $FAT1 v/v 3225861: $FAT2 V/V 3225862: $OrphanFiles So we notice the file + r/r * 532021: dont-delete.gz and it caught my attention because this is the only deleted file by the * icon which means a deleted file. so to extract it we use this command icat disko-4.dd 532021 > dont-delete.gz then we get the file compressed as .gz then we unzip it with gunzip , and we get the file dont-delete if we read what inside cat dont-delete we get the flag picoCTF{d3l_d0n7_h1d3_w3ll_fe34c2cb} thank you . #ctf #dfir #forensics #cybersecurity #bug-bounty Reporting a Problem Sometimes we have problems displaying some Medium posts. If you have a problem that some images aren't loading - try using VPN. Probably you have problem with access to Medium CDN (or fucking Cloudflare's bot detection algorithms are blocking you).