Writeups – Mr Reagan, Bluepill (Securityfest CTF)

This weekend, I participated for a short while in the Securityfest CTF. During the time available, I was able to solve a few challenges – I will present the writeups for two of them here.

Mr Reagan

This challenge was presented as a binary file, which you can download here (note – this is a ~35MB file).

Strangely enough, binwalk shows nothing meaningful, but “file” identifies it as an NTFS filesystem. Running “strings” didn’t extract anything immediately meaningful. A bit of Google led to a freely available tool called “RecuperaBit” – this allowed us to recover the filesystem by ignoring an incorrect partition:

We immediately note several text files which have been deleted, which we can recover – but this does not reveal anything meaningful. Trawling through the filesystem, we see some more deleted files in EFSTMPWP/:

Each of these file parts contains 13 bytes of something that looks like base64 data. A quick Python script that brute-forces the order of the chunks quickly reveals the flag (or close enough to it):


Bluepill

This challenge was presented as a Linux kernel and kernel module, which you can download here.

Running the package as suggested reveals a simple busybox-based system, with one curious entry about bluepill in the dmesg output. We continue our investigation with bluepill.ko:

Thankfully, symbols are left in the binary, making our adventure a bit easier. We start by noting that the kernel object, upon loading, creates the /proc/bluepill object, and installs a write handler via proc_create – whenever we write to /proc/bluepill, pill_choice is called.

The pill_choice function then calls a function called “calc”, and memcmps the result to some hard-coded strings:

The astute reader will notice this isn’t 100% accurate, but we’ll come back to this later. The “calc” function looks complex at first, but we quickly find some magic numbers:

This tells us that the function is effectively an MD5 function, and the structure of the function checks out with a basic description of MD5.

At this point, I looked up the checksums above in crackstation.net, but this turned up nothing, indicating some manner of pre- or post-processing on the source data. Going back to the “pill_choice” function, a closer inspection reveals that the MD5sum is xor’ed with the first few characters of /proc/version, which we know from the binary.

A quick Python script reveals the key we need to type into /proc/bluepill for the flag: unfortunately, this was completed after the end of the CTF event, too late to score any points.
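The unmasking step described above, as an added example that is not the author's script: it shows why a lookup of the stored value finds nothing and how XORing the /proc/version bytes back out restores a plain MD5 digest. The version string, word list, stored value and the 8-byte mask length are all constructed for illustration, and the mask is assumed to cover only the leading bytes of the digest without repeating.

```python
import hashlib

# Constructed sample data; none of these values come from the challenge binary.
VERSION = b"Linux version 4.17.0 (build@host)"  # assumed start of /proc/version
WORDLIST = [b"morpheus", b"trinity", b"zion", b"nebuchadnezzar"]


def xor_mask(digest, version, n):
    """XOR the first n bytes of digest with version[:n]; the rest is untouched.

    XOR is its own inverse, so the same call applies and removes the mask.
    """
    mask = version[:n].ljust(len(digest), b"\x00")
    return bytes(d ^ m for d, m in zip(digest, mask))


def lookup(digest, wordlist):
    """Stand-in for a hash lookup service: return the word whose MD5 matches."""
    for word in wordlist:
        if hashlib.md5(word).digest() == digest:
            return word
    return None


def recover(stored, version, wordlist, max_len=16):
    """Try every mask length, since "the first few characters" is not exact.

    Returns (mask_length, word) for the first length that yields a known MD5.
    """
    for n in range(max_len + 1):
        word = lookup(xor_mask(stored, version, n), wordlist)
        if word is not None:
            return n, word
    return None


# Constructed "hard-coded" comparison value: MD5("trinity") masked with 8 bytes.
STORED = xor_mask(hashlib.md5(b"trinity").digest(), VERSION, 8)

if __name__ == "__main__":
    print("direct lookup:  ", lookup(STORED, WORDLIST))
    print("after unmasking:", recover(STORED, VERSION, WORDLIST))
```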

Overall, this was an enjoyable CTF – my only regret is starting late on Friday, instead of on Thursday when it actually began in local time. See you all in Viettel Mates CTF in two weeks' time.

About Norman

Sometimes, I write code. Occasionally, it even works.