This is a really interesting challenge. Hints suggest to enable bittorrrent protocols in wireshark and also to learn more about seeds and leachers , Article.
First of all enable bittorrent protocols in wireshark.
Analyze -> Enabled Protocols
Then i filtered the network with bt-dht. DHT stores peers information. I chose a random packet 53120. It have a hash value.
Simply googled the hash and boom , it was the infohash of torrent. Infohash is used to check the integrity of files.
picoCTF{ubuntu-19.10-desktop-amd64.iso}
mmls - Display the partition layout of a volume system (partition tables).
fls - List file and directory names in a disk image.
icat - Output the contents of a file based on its inode number.
Learn more sleuthkit commands here
mmls disk.flag.img
Found starting sector of linux partition : 360448
List directories : fls -o 360448 disk.flag.img
Get the file content of flag.uni.txt : icat -o 360448 disk.flag.img 2371
It have the flag.
mmls disk.img
Sector : 206848
List /root/.ssh : fls -o 206848 disk.img 3916
Get contents of ssh key : icat -o 206848 disk.img 2345 > key_file
chmod 600 key_file
ssh -i key_file -p {instance_port} ctf-player@saturn.picoctf.net
cat flag.txt
mmls disk.flag.img
Found 2 Linux Partitions :-
Partition 1 offset : 2048 Partition 2 offset : 411648
Partition 1 is boot parition , it doesn’t have any user files
On partition 2 :
inode of /root/ = 472
List files :-
fls -o 411648 disk.flag.img 472
r/r 1875: .bash_history
r/r * 1876(realloc): flag.txt
r/r 1782: flag.txt.encSave files :-
icat -o 411648 disk.flag.img 1782 > flag.enc
icat -o 411648 disk.flag.img 1876 > flag
icat -o 411648 disk.flag.img 1875 > bash_historyflag.enc is encrypted and flag have no useful text
what left is bash_history , it have this interesting command
openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567
Well thats it , we just need to add -d to it
openssl aes256 -d -salt -in flag.enc -out flag.txt -k unbreakablepassword1234567
cat flag.txt