What's up, internet? This is a video write-up for the challenge ext-super-magic from picoCTF 2018. My name is John Hammond, and let's just dive right in.

This challenge does not have a whole lot of solves, and I think it was kind of a real struggling point for a lot of people. It's in the forensics category. It says: we salvaged a ruined Ext SuperMagic II-class mech recently and pulled the file system out of the black box. It looks a bit corrupted, but maybe there's something interesting in there. You can find it at this location on the shell server, and we have a download. So you can download it with wget. I've got it in my file system already; I've downloaded it already.

And what do we do with this, right? It's a forensics challenge, so we can run foremost on it. We can see if we've got anything in there. So JPEG, eog, all these things, but there's nothing good or particularly visible here. You can try and make out some text, but all it's trying to tell you is that your flag is in another file. So this is a rabbit hole and a red herring. It just kind of sucks. It wasn't very good for us.

So binwalk, right? strings or anything we could do to try and get some information out of this. exiftool, nothing really good here. flag.jpeg, could I unzip this kind of thing? Like, what? I didn't know what to do with it.

So I checked the hints, right? You can do that. It's picoCTF. That's cool. They say: are there any tools for diagnosing corrupted file systems? What do they say if you run them on this one? Sorry for my stutter, getting all excited here. So this is fsck, File System Check. And we could run this on it, right? We could just simply run fsck and try and tab-autocomplete. But it would normally just want to run it on some of your devices. So if I tried to ls and were to give it simply this, it wouldn't want to work with it. I admittedly didn't know, like, okay, what do I supply here? I don't know anything about this thing.
Do I need to give it a superblock or a block size? I don't often use File System Check. But I kind of noticed something: that this was fsck.ext4, File System Check 4. So I tried to see, are there any other fscks that I could work with? fsck.ext2, that seemed to be a thing. So maybe I could run that on ext-super-magic. It seemed to want to work with it. And it seemed okay. It read it just fine. But it told me everything that I kind of expected. Like, okay, it's corrupt. It's broken. There's something wrong. Bad magic number in superblock. Superblock invalid. Bad magic number in superblock.

So this rings a bell, right? Knowing the challenge prompt, knowing what it is that we're actually working with here, called ext-super-magic. Maybe "ext" has got to be the file system. "Super" has got to be the superblock. And "magic" number has to be the superblock thing. I'd probably say "II-class" because it's ext2. We could have tried ext3 or whatever we wanted on it, but I knew that one kind of rang a bell. Looks like both would work. Nice. But ext4 handles it just fine as well. Weirdness.

So now we kind of have a little bit more of an objective. We know that the superblock is kind of corrupt. It has a bad magic number. That's why, if we were to run file on this, it won't tell us straight up it's an ext file system. It won't tell us what kind of file system it is or what kind of file it is. It just thinks it's data.

So what I did from there was I tried to kind of Google and look around. I figured ext2 file system, superblock magic number, as you could see in my history already. Superblock magic number. And you can see some research that I did. I went straight to Stack Overflow, Super User, whatever the case may be, and I read this thing, this article where they said, okay, they had a corrupt file system. The magic number was broken.
And they say the magic number is a sequence of bytes that are used in all files in certain formats, usually at a given position, typically at the beginning, that kind of note the signature or the fingerprint of that file. So when we're applying this to a file system format, for example, ext2, ext3, ext4, the file system always has the bytes 0x53 and 0xEF at positions 1080 and 1081. So good to know, right? Maybe that is something that's wrong. We can go ahead and check that out. If the file command were to run on it and it would be able to recognize the bit by those magic numbers, then it would properly tell us it's an ext file system. But since it didn't, maybe this is wrong.

So let's go ahead and check it out. I don't know if hexedit will be particularly what we want to use right now, because we'll see the position just in hex. Yeah, that's no good. I want to go ahead and try and run this with, like, GHex or something: ext-super-magic. So now I have a specific one that I can go ahead and go to. So, a GUI that I can use, and I can hit Ctrl+J, or from the file menu, go to byte. And we want 1080 and 1081. So let's go to 1080. And now my cursor is there. But you can see that it is not 0x53 and 0xEF. So let's change those. Let's do 0x53 and 0xEF. Great. Now I can save this, save buffer, ext-super-magic image.

And now if I go ahead and check this out, if I run file on that, it says it's a Linux file system. Okay, let's try and extract this, or not extract it, I'm sorry, but mount it now. I don't know if foremost will actually work on it any better now. I don't think it will, but we can go ahead and mount it. Let's just create a mount point directory. mount mount, sorry. Let's correct that just for good sake. And we'll go ahead and mount this file at the mount point right here. And we will need to be root. So let's sudo that. Enter my password here. And now I have the mount point. So let's cd there. See what we have. Wow, lots of stuff. Will flag.jpeg actually open for me? It will.
You can zoom in here. Interesting picture. Your flag is this. So let's take note of that. I didn't mean for that; that's split. Let's move up in the directory, get in the proper place, and let's run nano for flag.txt. Try and type out our flag: picoCTF a7db29 ecf7db9960f0a19fgge9d00af0. Again, your flag may be very different than mine because of picoCTF's random generation. So keep that in mind. Did I type it right? I really hope so. I think I did. Yeah. All right. Cool.

So that was that. I struggled on that challenge for a long time, and I think a lot of people did. Like, don't hesitate. Like, don't be ashamed. No worries if you did. Look at how many people solved this challenge. So it took a lot of time, right? But that's the point of a capture the flag. You bang your head against the wall over and over and over again. You just don't give up. You're trying, Offensive Security's logo, and eventually you'll track something down. Research is good. Finding different tools is good. Just trying to figure out what you can do to examine this from many different angles and many different perspectives until you get something. So let's mark that challenge as complete. We did it.

Before I go, I want to give a quick shout-out to the people that support me on Patreon. Thank you guys so much. I cannot say it enough. $1 a month on Patreon will give you a special shout-out just like this at the end of every video. $5 or more will give you early access to everything that is released on YouTube before it goes live. If you did like this video, please do like, comment, and subscribe. Join our Discord server, link in the description. It's a cool community full of CTF players, programmers, and hackers. You can hang out with people just like me or anyone else, or get a hold of me. And they're just super smart people, like guys in the computer science, cybersecurity scene, programmers, and sweet things.
We're going to be tackling a lot of capture-the-flags as they come up, so it's just a cool place to hang out. Thanks for watching, guys. Hope to see you in the next video. Hope to see you on Patreon. Take it easy.
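The superblock check and repair done by hand in GHex above, as an added Python example that is not part of the video or the challenge files. It reads the fixed-offset superblock fields the write-up touches on (inode count, block count, block size derived from s_log_block_size, and s_magic at superblock offset 56, i.e. absolute offset 1080), reports whether the magic 0xEF53 is present (stored little-endian, so bytes 0x53 0xEF at 1080 and 1081), and writes a patched copy rather than editing the original image in place. The 4 KiB sample image it builds is constructed for the demonstration and is not a mountable file system; the field offsets come from the ext2/3/4 on-disk superblock layout.

```python
import struct

SUPERBLOCK_OFFSET = 1024                 # primary ext superblock starts 1 KiB into the image
MAGIC_OFFSET = SUPERBLOCK_OFFSET + 56    # s_magic is at byte 56 of the superblock: absolute 1080
EXT_MAGIC = 0xEF53                       # little-endian on disk: 0x53 at 1080, 0xEF at 1081


def read_superblock_fields(image: bytes) -> dict:
    """Parse a few fixed-offset superblock fields from an ext2/3/4 image."""
    if len(image) < SUPERBLOCK_OFFSET + 58:
        raise ValueError("image too small to hold an ext superblock")
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0)   # s_inodes_count, s_blocks_count
    log_block_size = struct.unpack_from("<I", sb, 24)[0]            # s_log_block_size
    magic = struct.unpack_from("<H", sb, 56)[0]                     # s_magic
    return {
        "inodes_count": inodes_count,
        "blocks_count": blocks_count,
        "block_size": 1024 << log_block_size,   # block size = 1024 * 2**s_log_block_size
        "magic": magic,
    }


def has_valid_magic(image: bytes) -> bool:
    """True when the primary superblock carries the ext magic number."""
    return read_superblock_fields(image)["magic"] == EXT_MAGIC


def repair_magic(image: bytes) -> bytes:
    """Return a copy of the image with only the two magic bytes rewritten."""
    patched = bytearray(image)
    struct.pack_into("<H", patched, MAGIC_OFFSET, EXT_MAGIC)
    return bytes(patched)


def build_sample_image(corrupt: bool) -> bytes:
    """Constructed sample: 4 KiB of zeros with a minimal superblock (not a real file system)."""
    img = bytearray(4096)
    struct.pack_into("<II", img, SUPERBLOCK_OFFSET, 64, 512)        # 64 inodes, 512 blocks
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 24, 0)          # s_log_block_size 0 -> 1 KiB blocks
    struct.pack_into("<H", img, MAGIC_OFFSET, 0x0000 if corrupt else EXT_MAGIC)
    return bytes(img)


if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_image(corrupt=True)
    fields = read_superblock_fields(data)
    print(f"inodes={fields['inodes_count']} blocks={fields['blocks_count']} "
          f"block_size={fields['block_size']} magic=0x{fields['magic']:04x}")
    if has_valid_magic(data):
        print("superblock magic is intact")
    else:
        fixed = repair_magic(data)
        if path:
            with open(path + ".fixed", "wb") as fh:   # never overwrite the evidence image
                fh.write(fixed)
            print(f"bad magic at offset {MAGIC_OFFSET}; patched copy written to {path}.fixed")
        else:
            print(f"bad magic at offset {MAGIC_OFFSET}; repaired in memory: "
                  f"{fixed[MAGIC_OFFSET]:#04x} {fixed[MAGIC_OFFSET + 1]:#04x}")
```

Run it with no arguments to see the constructed sample being detected and patched, or with the path to an image to get a `.fixed` copy alongside the untouched original; the block size it prints is the value fsck would otherwise ask you for. On a real image, ext file systems also keep backup superblocks at the start of other block groups, so `e2fsck -b <backup superblock>` is the usual alternative to patching bytes by hand; this script only addresses the single-field corruption the write-up describes.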