Forensics — Ext Super Magic
I found this to be among the most difficult of the picoCTF challenges in the Forensics section. The first thing I puzzled over was how to fix the corrupted file provided to us: ext-super-magic.img. There were quite a few links provided in the hints, some of which turned out to be red herrings (for example, the page on file signatures, which, while useful in solving some other challenges, is not so useful here). After poring over these links for a while, I seemed to come no closer to figuring out how to repair this corrupted disk image file and then get to work retrieving the flag. Did I need to use or install software that would automatically repair it for me? Could I write a Python script that would identify the problem?
I started by using the fsck tool to try to repair the file. When you run fsck with the file name (as shown below), all you get is a menu of fsck options:
Maybe it doesn’t know what file system the image file is supposed to be, I thought. One of the hint links was all about the Second Extended File System, or ext2. So I ran a version of fsck that is specific to ext2, called e2fsck. All this could tell me, however, I already knew: the file is corrupt.
I tried running e2fsck with the alternate superblocks suggested above, but to no avail. All I got were these messages:
Then I hit upon it: the ultimate hint is in the name of the challenge. “Ext” refers to the file system type. “Super” refers to the “superblock”, which, as the ext2 resource mentioned above tells us, is the part of the disk image that “contains all the information about the configuration of the filesystem.” That leaves “magic”. What is that about? I scrolled down a bit on the ext2 table of contents and noticed a component of the superblock called “s_magic”. I clicked on it and discovered that this is the “16bit value identifying the file system as Ext2. The value is currently fixed to EXT2_SUPER_MAGIC of value 0xEF53.”
Since we are now dealing at the level of individual bytes, a hex editor will be needed (this lets you view the file at a granular level, with the hexadecimal values shown alongside their ASCII rendering). I downloaded one called Ghex and installed it on my Ubuntu machine. You can either change the values yourself or, if you prefer not to muck around in the hex editor, use a Python script I found that writes the correct hex values at the correct offset.
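To show what the script has to do, here is an added example of my own (not the script referred to above, and not part of the original write-up). It relies on two facts about ext2: the primary superblock starts 1024 bytes into the image, and s_magic is the 2-byte little-endian field at offset 56 within it (absolute offset 0x438), so 0xEF53 appears on disk as the bytes 53 EF. The sample image it builds is a constructed stand-in for ext-super-magic.img with the magic field zeroed; the real file's corruption may look different, so run read_superblock on it first and only repair the magic field.

```python
import struct

SUPERBLOCK_OFFSET = 1024                # ext2 keeps the primary superblock 1 KiB into the image
MAGIC_OFFSET = SUPERBLOCK_OFFSET + 56   # s_magic: 2-byte field at offset 56 of the superblock
EXT2_SUPER_MAGIC = 0xEF53

def read_superblock(img: bytes) -> dict:
    """Decode the first few little-endian fields of the primary superblock."""
    (inodes, blocks, _reserved, free_blocks, free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", img, SUPERBLOCK_OFFSET)
    magic = struct.unpack_from("<H", img, MAGIC_OFFSET)[0]
    return {
        "inodes_count": inodes,
        "blocks_count": blocks,
        "free_blocks": free_blocks,
        "free_inodes": free_inodes,
        "block_size": 1024 << log_block_size,   # s_log_block_size is a shift count, not bytes
        "first_data_block": first_data_block,
        "magic": magic,
    }

def magic_ok(img: bytes) -> bool:
    return read_superblock(img)["magic"] == EXT2_SUPER_MAGIC

def repair_magic(img: bytes) -> bytes:
    """Return a copy of the image with s_magic rewritten to 0xEF53 (bytes 53 EF on disk)."""
    buf = bytearray(img)
    struct.pack_into("<H", buf, MAGIC_OFFSET, EXT2_SUPER_MAGIC)
    return bytes(buf)

def build_sample_image(magic: int) -> bytes:
    """Constructed stand-in for the challenge file: 1 KiB boot area + a minimal superblock."""
    sb = bytearray(1024)
    # inodes, blocks, reserved, free blocks, free inodes, first data block, log block size (1 KiB)
    struct.pack_into("<7I", sb, 0, 128, 1024, 51, 900, 100, 1, 0)
    struct.pack_into("<H", sb, 56, magic)
    return bytes(1024) + bytes(sb) + bytes(1024)   # some padding after the superblock

if __name__ == "__main__":
    broken = build_sample_image(0x0000)            # magic zeroed: e2fsck will not recognise it
    print("before:", hex(read_superblock(broken)["magic"]), magic_ok(broken))
    fixed = repair_magic(broken)
    print("after: ", hex(read_superblock(fixed)["magic"]), magic_ok(fixed))
    # For the real image: open("ext-super-magic.img", "rb").read() -> repair_magic -> write a copy
```

Work on a copy of the image and keep the original, so a wrong patch can be compared against the unmodified bytes.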
Now that the image is fixed, it will be possible to read files off it. You can either do this with debugfs, as suggested in the hints, or just by mounting the file as we did in the previous CTF exercise. Either way, you will find a long list of files, among which will be one called flag.jpg. Open it and capture the flag!