This weekend, I participated for a short while in the Securityfest CTF. During the time available, I was able to solve a few challenges – I will present the writeups for two of them here.
This challenge was presented as a binary file, which you can download here (note – this is a ~35MB file).
Strangely enough, binwalk shows nothing meaningful, but “file” identifies it as an NTFS filesystem. Running “strings” didn’t extract anything immediately meaningful either. A bit of Googling led to a freely available tool called “RecuperaBit” – this allowed us to recover the filesystem by ignoring an incorrect partition:
We immediately note several text files which have been deleted, which we can recover – but this does not reveal anything meaningful. Trawling through the filesystem, we see some more deleted files in EFSTMPWP/:
Each of these file parts contains 13 bytes of something that looks like base64 data. A quick Python script to brute force the order in which the chunks belong reveals the flag (or close enough to it):
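The reassembly step described above, as an added example (not the script from the original post). The chunks are constructed here from a made-up flag so that the block runs offline; the real challenge's fragments are not reproduced. The solver tries every ordering, decodes each candidate strictly, and keeps the one whose plaintext scores best on printability, which is what separates the true order from misaligned ones (a 13-character chunk is not a multiple of 4, so any chunk in the wrong slot decodes with a 6-, 12- or 18-bit shift and produces high or control bytes):

```python
import base64
import binascii
import itertools
import string

PRINTABLE = set(string.printable.encode())


def score(candidate: bytes) -> int:
    """Plausibility of a decoded candidate: +1 per printable byte, -10 per anything else."""
    return sum(1 if b in PRINTABLE else -10 for b in candidate)


def decode_strict(data: bytes):
    """Decode base64, rejecting anything outside the alphabet or with misplaced padding."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def reassemble(chunks):
    """Brute force the order of base64 fragments.

    Returns (plaintext, order) for the best-scoring ordering, where `order` is a
    tuple of indices into `chunks`; (None, None) if nothing decodes at all.
    """
    best = None
    for order in itertools.permutations(range(len(chunks))):
        joined = b"".join(chunks[i] for i in order)
        plain = decode_strict(joined)
        if plain is None:
            continue
        s = score(plain)
        if best is None or s > best[0]:
            best = (s, plain, order)
    return (best[1], best[2]) if best else (None, None)


# Constructed sample input (not from the challenge): a 39-byte flag encodes to 52
# base64 characters, i.e. exactly four 13-character fragments like the ones in EFSTMPWP/.
SECRET = b"flag{reassemble_base64_chunks_in_order}"
_ENCODED = base64.b64encode(SECRET)
CHUNKS = [_ENCODED[i:i + 13] for i in range(0, len(_ENCODED), 13)]
# The fragments as "recovered from disk", i.e. in no particular order.
SHUFFLED = [CHUNKS[i] for i in (2, 0, 3, 1)]


if __name__ == "__main__":
    plain, order = reassemble(SHUFFLED)
    print("order:", order)
    print("plaintext:", plain)
```

The search is factorial in the number of fragments, which is fine for the handful of file parts found here; with many more fragments you would instead extend the ordering greedily, keeping only prefixes whose decode stays printable.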
This challenge was presented as a Linux kernel and kernel module, which you can download here.
Running the package as suggested reveals a simple busybox-based system, with one curious entry about bluepill in the dmesg output. We continue our investigation with bluepill.ko:
Thankfully, symbols are left in the binary, making our adventure a bit easier. We start by noting that the kernel object, upon loading, creates the /proc/bluepill entry and installs a write handler via proc_create – whenever we write to /proc/bluepill, pill_choice is called.
The pill_choice function then calls a function called “calc”, and memcmps the result to some hard-coded strings:
The astute reader will notice this isn’t 100% accurate, but we’ll come back to this later. The “calc” function looks complex at first, but we quickly find some magic numbers:
This tells us that the function is effectively an MD5 implementation, and the structure of the function checks out against a basic description of MD5.
At this point, I looked up the checksums above in crackstation.net, but this turned up nothing, indicating some manner of pre- or post-processing of the source data. Going back to the “pill_choice” function, a closer inspection reveals that the MD5 sum is XORed with the first few characters of /proc/version, which we know from the binary.
A quick Python script reveals the key we need to type into /proc/bluepill for the flag; unfortunately, this was completed after the end of the CTF event, too late to score any points.
Overall, this was an enjoyable CTF – my only regret is starting late on Friday, instead of on Thursday when it actually began in local time. See you all in Viettel Mates CTF in two weeks time.