You get one file, `strcmp.fat32`.

```
$ file strcmp.fat32
strcmp.fat32: DOS/MBR boot sector, code offset 0xfe+2, OEM-ID "strcmp ", reserved sectors 8, FAT 1, Media descriptor 0xf8, sectors/track 1, heads 1, sectors 66057 (volumes > 32 MB), FAT (32 bit), sectors/FAT 513, reserved 0x1, dos < 4.0 BootSector (0x0)
```

Cool, it's what you'd expect from the name: a FAT32 filesystem image.
What can we do with that?
I don't have any tools for working with FAT32 filesystems… apart from, y'know, my kernel and its filesystem support.
That'll do.

```
$ mv strcmp.fat32 strcmp.fat32.img
$ open strcmp.fat32.img
```

(I'm too lazy to look up how to use `diskutil` or `mount` to mount a disk image; having the Finder do it is easy.)

![macOS dialog box with title "strcmp.fat32.img" and text "There may be a problem with this disk image. Are you sure you want to open it? Opening this disk image may make your computer less secure or cause other problems." and options "Open" and "Don't Open"](http://www.johnfren.ch/assets/macos-filesystem-error.png)

My computer asks: "are you sure you want me to mount this sketchy filesystem you found on the Internet which is full of errors and stuff? I think that might be a bad idea…"
I overrule it.

```
$ ls /Volumes/Untitled
! % ( 0 3 6 9 B E H K N Q SORRY U X ^ {
# & ) 1 4 7 @ C F I L O R SPACE V Y _ }
$ ' - 2 5 8 A D G J M P S T W Z `
$ find /Volumes/Untitled
```

OK, what's going on here?
It looks like each directory contains a bunch of subdirectories with one-character names, and a single file with a name like `SORRY` or `TROLLOL` or `NOFLAG4U`.
They seem to go on forever - you can go pretty deep.
Presumably if you have the flag, you can choose directories based on the characters in the flag and get to the end.
What would the end look like?
Maybe a file with a positive name like `FLAG` or something?
Let's see what we have:

```
$ strings strcmp.fat32.img | sort | uniq
```
Scroll down…

Aha! `MATCH` looks promising.

```
$ find /Volumes/Untitled -name MATCH
```

>> NOOOOOOOOO!!! You can't expect `find` to search this broken filesystem full of loops and with a crazy branching factor and expect it to actually find the one file you're looking for

> haha find go brrr

Looks like there's a flag in there somewhere.
Quickly clean it up with `sed`:

```
$ sed 's/\///g'
```

We know the flag format is `PCTF{...}` so it must be `PCTF{WHAT_IN_TARNATION_IS_TH1S_FILESYSTEM!}`.

I still have some questions about why this works.
It looks like the filesystem contains loops: the directory at `/P/C/T/F/{/W/H/A/P` seems to be the same directory as `/P`.
I'm guessing that's why my operating system complained when I mounted it.
What I don't understand is why `find` was then able to find `MATCH` so quickly and easily without just getting stuck in a loop!
`find` must be smarter than I realized.
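
One way a search can terminate on a directory structure with loops like this one is to remember each directory's first cluster number and never descend into the same cluster twice. The sketch below is an added example, not part of the original writeup and not a description of how `find` is implemented; it parses standard 32-byte FAT short-name directory entries from a small constructed sample (`SAMPLE`, `dirent` and `find_file` are hypothetical names) and assumes each directory fits in one cluster, so no FAT chain is followed.

```python
import struct
from collections import deque

ENTRY = struct.Struct("<11sB8xH4xHI")  # name, attr, FstClusHI, FstClusLO, size
ATTR_DIR, ATTR_LFN = 0x10, 0x0F

def dirent(name, cluster, is_dir):
    """Build one 32-byte short-name entry (used only for the sample data)."""
    attr = ATTR_DIR if is_dir else 0x20
    return ENTRY.pack(name.encode("ascii").ljust(11), attr,
                      cluster >> 16, cluster & 0xFFFF, 0)

def parse_dir(data):
    """Yield (name, is_dir, first_cluster) for each live entry in a directory."""
    for off in range(0, len(data) - 31, 32):
        name, attr, hi, lo, _size = ENTRY.unpack_from(data, off)
        if name[0] == 0x00:            # end-of-directory marker
            break
        if name[0] == 0xE5 or attr == ATTR_LFN:
            continue                   # deleted entry or long-name fragment
        yield name.decode("ascii").rstrip(), bool(attr & ATTR_DIR), (hi << 16) | lo

def find_file(clusters, root, target):
    """Breadth-first search that visits each directory cluster at most once."""
    seen, queue = {root}, deque([(root, "")])
    while queue:
        cluster, path = queue.popleft()
        for name, is_dir, first in parse_dir(clusters[cluster]):
            if name in (".", ".."):
                continue
            if not is_dir:
                if name == target:
                    return f"{path}/{name}"
            elif first not in seen:    # a loop points at a cluster already seen
                seen.add(first)
                queue.append((first, f"{path}/{name}"))
    return None

# Constructed sample: cluster number -> directory contents, with loops back to 2 and 3.
SAMPLE = {
    2: dirent("P", 3, True) + dirent("X", 2, True) + dirent("SORRY", 0, False),
    3: dirent("C", 4, True) + dirent("Q", 2, True) + dirent("NOFLAG4U", 0, False),
    4: dirent("T", 5, True) + dirent("P", 3, True) + dirent("TROLLOL", 0, False),
    5: dirent("P", 3, True) + dirent("MATCH", 0, False),
}

if __name__ == "__main__":
    print(find_file(SAMPLE, 2, "MATCH"))
```

Because the visited set is keyed on cluster numbers rather than path names, the search is bounded by the number of distinct directories on disk, no matter how many paths lead to each one.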