PicoCTF 2018 - Ext Super Magic

Information

Points	Category	Level
250	Forensics	Medium

Challenge

We salvaged a ruined Ext SuperMagic II-class mech recently and pulled the filesystem out of the black box. It looks a bit corrupted, but maybe there’s something interesting in there. You can also find it in /problems/ext-super-magic_1_c544657e659accef770d3f2bc8384a8c on the shell server.

Hint

Are there any tools for diagnosing corrupted filesystems? What do they say if you run them on this one?

How does a linux machine know what type of file a file is?

You might find this doc helpful.

Be careful with endianness when making edits.

Once you’ve fixed the corruption, you can use /sbin/debugfs to pull the flag file out.

Solution

I tried to use the command file in order to check what file we have but it just return “data”… not very helpful…

By the name of the challenge I undertood that this image is of an ext filesystem, there is an a command in UNIX to check those images, so I wrote:

debufs ext-super-magic.img

Debugfs

and its return an error because “Bad magic number in super-block”. So i googled after magic number in suplerblock and found the answer here So basiclly it’s just a sequence of numbers in spesific posiiton in each file that tell allow us to recognize the format of the file. (and this is how the file command works) Also in the answer the user added

“For example, an ext2/ext3/ext4 filesystem always has the bytes 0x53 0xEF at positions 1080–1081.”

So in order to fix the image file we need to overwrite in those ofsets those values. Let’s write a little python script to fix this:

with open("ext-super-magic.img", "r+b") as ext:
    ext.seek(0x438)  #Seek to the needed offset (0x438 in hex = 1080)
    ext.write(b"\x53\xef")  #Write the magic number
print("Magic numbers fixed")