# Solution to nc3 FragFS

FragFS

programing

n/a

#### Writeup

The next problem in the danish police CTF was named named FragFS and we got a small filesystem image and a manual

Looking at the manual the filesystem consisted of four parts.

• First part was only a name, 512 bytes long.
• Second part was a lookup table that mapped path + filename to a md5sum. Table was located from byte 512 to 10935.
• Third part was another lookup table, from md5sum to a list of sectors where the file content is located, each sector is 4096 bytes large. Table was located from byte 10940 to 23037.
• Fourth and last part is the actual file content, located from byte 81920 to the end of the image.

We wrote a small program to read the file content from the filesystem and write them out to disc.

#!/usr/bin/python

import os

file = open("three.dd", "r")

table = r[512:10935]

md5tofile = {}
for x in r[512:10935].split(chr(0) + chr(255) + chr(255)):
k = x.split(chr(0))
md5tofile[k[0]] = k[1]

for x in r[10940:23037].split(chr(0) + chr(255)):
parts = x.split(chr(0))
filename = md5tofile[parts[0]]
pathn = filename[0:filename.rfind("/")]
if not os.path.exists(pathn):
os.makedirs(pathn)
f = open(filename, "w")
out = "";
for y in parts[1].split(" "):
out += r[(4096*int(y)):(4096*(int(y)+1))]
f.write(out)
f.close()

Running that gave us this filesystem content

└── filsystem
├── docs
│   └── stack_smashing.pdf
├── gits
│   ├── gef
│   │   ├── binja_gef.py
│   │   ├── docs
│   │   │   ├── api.md
│   │   │   ├── commands
│   │   │   │   ├── aliases.md
│   │   │   │   ├── aslr.md
│   │   │   │   ├── assemble.md
│   │   │   │   ├── canary.md
│   │   │   │   ├── capstone-disassemble.md
│   │   │   │   ├── checksec.md
│   │   │   │   ├── config.md
│   │   │   │   ├── context.md
│   │   │   │   ├── dereference.md
│   │   │   │   ├── edit-flags.md
│   │   │   │   ├── elf-info.md
│   │   │   │   ├── entry-break.md
│   │   │   │   ├── eval.md
│   │   │   │   ├── format-string-helper.md
│   │   │   │   ├── gef-remote.md
│   │   │   │   ├── heap-analysis-helper.md
│   │   │   │   ├── heap.md
│   │   │   │   ├── help.md
│   │   │   │   ├── hexdump.md
│   │   │   │   ├── hijack-fd.md
│   │   │   │   ├── ida-interact.md
│   │   │   │   ├── ksymaddr.md
│   │   │   │   ├── memory.md
│   │   │   │   ├── nop.md
│   │   │   │   ├── patch.md
│   │   │   │   ├── pattern.md
│   │   │   │   ├── pcustom.md
│   │   │   │   ├── process-search.md
│   │   │   │   ├── process-status.md
│   │   │   │   ├── registers.md
│   │   │   │   ├── reset-cache.md
│   │   │   │   ├── retdec.md
│   │   │   │   ├── ropper.md
│   │   │   │   ├── search-pattern.md
│   │   │   │   ├── set-permission.md
│   │   │   │   ├── shellcode.md
│   │   │   │   ├── stub.md
│   │   │   │   ├── theme.md
│   │   │   │   ├── tmux-setup.md
│   │   │   │   ├── trace-run.md
│   │   │   │   ├── unicorn-emulate.md
│   │   │   │   ├── vmmap.md
│   │   │   │   ├── xfiles.md
│   │   │   │   ├── xinfo.md
│   │   │   │   └── xor-memory.md
│   │   │   ├── commands.md
│   │   │   ├── config.md
│   │   │   ├── faq.md
│   │   │   └── index.md
│   │   ├── gef.py
│   │   ├── gef.sh
│   │   ├── ida_gef.py
│   │   ├── mkdocs.yml
│   │   └── tests
│   │       ├── helpers.py
│   │       ├── pylintrc
│   │       └── test-runner.py
│   └── iponmap
│       ├── index.js
│       ├── package.json
│       └── screenshot.png
├── pics
│   ├── 20h-2012-s.png
│   ├── 20h.png
│   ├── dwm-20070930s.png
│   ├── dwm-20080717s.png
│   ├── dwm-20090620s.png
│   ├── dwm-20090709s.png
│   ├── dwm-20100318s.png
│   ├── dwm-20101101s.png
│   ├── dwm-20110720s.png
│   ├── dwm-20120806.png
│   ├── frign-2016-s.png
│   ├── hendry-s.png
│   ├── poster36.jpg
│   └── putain-ouais-s.png
└── src
├── dwm-6.1.tar.gz
└── st-0.7.tar.gz

Looking through the images in the pics catalog, we found the flag in the file dwm-20120806.png.

 flag was: B@KE_H M-AWAY_TOYS