Tags: filesystem

Rating: 5.0

You get one file, strcmp.fat32.


$file strcmp.fat32 strcmp.fat32: DOS/MBR boot sector, code offset 0xfe+2, OEM-ID "strcmp ", reserved sectors 8, FAT 1, Media descriptor 0xf8, sectors/track 1, heads 1, sectors 66057 (volumes > 32 MB), FAT (32 bit), sectors/FAT 513, reserved 0x1, dos < 4.0 BootSector (0x0)  Cool it’s what you'd expect from the name - a FAT32 filesystem image. What can we do with that? I don't have any tools for working with FAT32 filesystems… apart from, y'know, my kernel and its filesystem support. That'll do. $ mv strcmp.fat32 strcmp.fat32.img
$open strcmp.fat32.img  (I'm too lazy to look up how to use diskutil or mount to mount a disk image, having the Finder do it is easy) ![macOS dialog box with title "strcmp.fat32.img" and text "There may be a problem with this disk image. Are you sure you want to open it? Opening this disk image may make your computer less secure or cause other problems." and options "Open" and "Don't Open"](http://www.johnfren.ch/assets/macos-filesystem-error.png) My computer asks: "are you sure you want me to mount this sketchy filesystem you found on the Internet which is full of errors and stuff? I think that might be a bad idea…" I overrule it. $ ls /Volumes/Untitled
! % ( 0 3 6 9 B E H K N Q SORRY U X ^ {
# & ) 1 4 7 @ C F I L O R SPACE V Y _ }
$' - 2 5 8 A D G J M P S T W Z $ find /Volumes/Untitled
/Volumes/Untitled
/Volumes/Untitled/SPACE
/Volumes/Untitled/SPACE/SPACE
/Volumes/Untitled/SPACE/SPACE/SPACE
/Volumes/Untitled/SPACE/SPACE/!
/Volumes/Untitled/SPACE/SPACE/!/SPACE
/Volumes/Untitled/SPACE/SPACE/!/SPACE/SPACE
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/SPACE
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/SPACE
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/!
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/SPACE
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/!
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/#
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/$/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/% /Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/& /Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/' /Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/( /Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/) /Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/- /Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/0 /Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/1 /Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/2 /Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/3 ...  OK, what's going on here? It looks like each directory contains a bunch of subdirectories with one-character names, and a single file with a name like SORRY or TROLLOL or NOFLAG4U. They seem to go on forever - you can go pretty deep. Presumably if you have the flag, you can choose directories based on the characters in the flag and get to the end. What would the end look like? Maybe a file with a positive name like FLAG or something? Let's see what we have: $ strings strcmp.fat32.img | sort | uniq
!
#
$% & ' ( ) - 0  Scroll down…  LOLNOPE M MATCH N NEGATORY  Aha! MATCH looks promising. $ find /Volumes/Untitled -name MATCH
/Volumes/Untitled/SPACE/SPACE/!/SPACE/!/SPACE/SPACE/SPACE/!/#/P/C/P/C/T/P/C/P/C/P/C/T/F/{/P/C/P/C/T/F/{/P/C/T/F/{/W/H/A/T/_/I/N/_/T/A/R/N/A/T/I/O/N/_/I/S/_/T/H/1/S/_/F/I/L/E/S/Y/S/T/E/M/!/}/SPACE/SPACE/SPACE/!/SPACE/&/$/}/MATCH  >> NOOOOOOOOO!!! You can't expect find to search this broken filesystem full of loops and with a crazy branching factor and expect it to actually find the one file you're looking for > haha find go brrr Looks like there's a flag in there somewhere. Quickly clean it up with sed: $ sed 's/\///g'
P/C/T/F/{/W/H/A/P/C/T/F/{/W/H/A/T/_/I/N/_/T/A/R/N/A/T/I/O/N/_/I/S/_/T/H/1/S/_/F/I/L/E/S/Y/S/T/E/M/!/}/SPACE/SPACE/SPACE/!/SPACE/&/$/} PCTF{WHAPCTF{WHAT_IN_TARNATION_IS_TH1S_FILESYSTEM!}SPACESPACESPACE!SPACE&$}


We know the flag format is PCTF{...} so it must be PCTF{WHAT_IN_TARNATION_IS_TH1S_FILESYSTEM!}.

I still have some questions about why this works.
It looks like the filesystem contains loops: the directory at /P/C/T/F/{/W/H/A/P seems to be the same directory as /P.
I'm guessing that's why my operating system complained when I mounted it.
What I don't understand is why find was then able to find MATCH so quickly and easily without just getting stuck in a loop!
find` must be smarter than I realized.