Flash CTF – rm -rf flag.png

March 26, 2026
Challenge Writeups
1 min read

Overview

You only get a single file: flash.img.

You are told that a flag was deleted from whatever was stored in that image.

There is no additional source code, no filesystem mount helper, and no hint about where the flag is located. The goal is to recover the deleted data directly from the raw disk image.

Key idea: deleted files are often still recoverable

On many filesystems, “deleting” a file mainly updates metadata (for example, removes the directory entry and marks the clusters as free). The old file bytes are not reliably overwritten immediately. That means remnants can still be present in the image, and tools that “carve” files by signatures can recover them.

For this challenge, the simplest practical approach is to carve images out of the raw disk image and inspect what you find.

Step 1: Carve PNG files from flash.img with foremost

foremost is a file-carving tool that scans a raw input for known file signatures and writes recovered matches into an output directory.

Run:

foremost -i flash.img -o out -t png

The run produced the following audit log details (from out/audit.txt):

Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Thu Mar 26 12:04:28 2026
Invocation: foremost -i flash.img -o out -t png 
Output directory: /home/shayden/ctfs/march2026-flashctf/foren_rmrfflagpng/out
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: flash.img
Start: Thu Mar 26 12:04:28 2026
Length: 128 MB (134217728 bytes)
 
Num	 Name (bs=512)	       Size	 File Offset	 Comment 
0:	00126224.png 	     120 KB 	   64626688 	  (1920 x 1080)
Finish: Thu Mar 26 12:04:28 2026

1 FILES EXTRACTED
	
png:= 1
------------------------------------------------------------------

Foremost finished at Thu Mar 26 12:04:28 2026

Important takeaway: there is exactly one recovered PNG:

  • out/png/00126224.png

Step 2: Confirm the carved file is a valid PNG

Run:

file out/png/00126224.png
identify out/png/00126224.png

This produced:

out/png/00126224.png: PNG image data, 1920 x 1080, 8-bit/color RGBA, non-interlaced
out/png/00126224.png PNG 1920x1080 1920x1080+0+0 8-bit sRGB 123400B 0.000u 0:00.000

So the carving was successful and the recovered file is a real, decodable PNG.

Step 3: View the recovered PNG and read the flag

Open out/png/00126224.png in any image viewer, reading the text from the recovered image gives the flag!

You may also like

Sign In

Get Started