Writeup – GPN CTF 2025: Honeypot

by danptr - 2025-06-23 - Estimated reading time: 15 minutes

TLDR: Our commands trigger eBPF syscall hooks which each correspond to a move in a labyrinth. Once we beat the labyrinth, the hook decrypts the flag.

Honeypot was a reverse engineering challenge by MisterPine at GPN CTF 2025.

Points: 244/500
Solves: 16

I’ve just bought this property in a very priviledged part of the system.
But there seem to be(e) awfully many bees around. I just hope I can find a way out of this thing the developer has constructed here before I get stung…
First blood price: For this challenge there is a separate first blood prize in form of a topical T-Shirt! Sadly we have to limit this prize to either on-site collection at GPN or shipping within Germany.

Uh, a t-shirt? That’s easy bait for me. So, upon start of the CTF, I jumped right into this.

Challenge Setup

We’re given a few files to work with:

flag contains some non-ASCII bytes, likely the encrypted flag.
Honeypot.jar is a Java application, which seems like our main target.
running.md describes the requirements and instructions to run the challenge.
Interestingly, one of the requirements is libbpf, so it looks like we might expect some eBPF magic.
run.sh is the entrypoint to run the challenge. so, we’ll start with that.

run.sh launches the jar in the background, and waits for a SIGUSR1. This is triggered by the jar once it has finished starting up, as we’ll see later. In an infinite loop, we can enter h, t, c or b to execute head, tail, cat or base64 on the flag file.

But if we actually try this, the results are very different from what we’d expect. Entering one of the letters sometimes results Nope, want to try something else? and other times just Failed, upon which the script terminates.

Something really odd must be happening to our processes, so let’s dive into Honeypot.jar to see what’s going on.

Running Java in the Kernel?

We can throw the jar into jadx to reveal what’s inside. Right away in resources, it’s notable that there is a native extension de.mr_pine.honeypot.scheduler.HoneypotImpl.o.

In the decompiled sources, there are two relevant packages:

de.mr_pine.honeypot, the main challenge logic.
me.bechberger.ebpf appears to be the Hello eBPF library.

This library allows writing eBPF applications in Java which is possible by basically transpiling Java classes into C, which are then compiled into eBPF bytecode. eBPF is a technology that allows running sandboxed Linux kernel extensions, enabling features like syscall hooks and implementing custom kernel components that can be deployed at runtime. So this is likely where the native extension comes from and what could be messing with our processes.

The Main class in de.mr_pine.honeypot is the jar’s entrypoint and mostly just runs the Honeypot class.

That class inherits from BPFProgram, which is the base class for eBPF programs in Hello eBPF. Most functionality here has likely been moved out into the native extension, though there are still some interesting findings here. This includes some array constants C1 and C2 and bindings for variables var1 through var12 which we will rediscover in the eBPF program later.

 1public static Object run(String sleepPid, String[] killCommand) throws NoSuchAlgorithmException, IOException {
 2    boolean has_failed = false;
 3    Honeypot program = (Honeypot) BPFProgram.load(Honeypot.class);
 4    try {
 5        program.autoAttachPrograms();
 6        // ...
 7        program.attachScheduler();
 8        Runtime.getRuntime().exec(new String[]{"kill", "-SIGUSR1", sleepPid});
 9        boolean placedKey = false;
10        // ...
11        while (true) {
12            if (program.var2.get().booleanValue() && !placedKey) {
13                MessageDigest digest = MessageDigest.getInstance("SHA-512");
14                Object[] collectedWrappedBytes = program.var6.get();
15                byte[] collectedBytes = new byte[collectedWrappedBytes.length];
16                for (int i = 0; i < collectedWrappedBytes.length; i++) {
17                    collectedBytes[i] = ((Byte) collectedWrappedBytes[i]).byteValue();
18                }
19                byte[] digestBytes = digest.digest(collectedBytes);
20                Byte[] flagXor = new Byte[64];
21                for (int i2 = 0; i2 < flagXor.length; i2++) {
22                    flagXor[i2] = Byte.valueOf(digestBytes[i2]);
23                }
24                program.var10.set(flagXor);
25                placedKey = true;
26            }
27            if (program.var1.get().booleanValue()) {
28                if (!has_failed) {
29                    System.out.println("Failed");
30                }
31                has_failed = true;
32                Runtime.getRuntime().exec(killCommand);
33            }
34        }
35    } catch (Throwable th) {
36        // ...
37    }
38}

The run method appears to load the eBPF program and attach it to the kernel as a scheduler as well as a hook for syscalls (hinted also by the fact that it implements the interfaces Scheduler and SystemCallHooks). After this, it notifies the shell script that it has started up by sending a SIGUSR1. Finally, it enters an infinite loop waiting for either of the flags var1 or var2 to be set. If var1 is set, we run into a failure condition and all related processes are killed. var2 being set seems a lot more interesting. Values from var6 are collected and hashed into flagXor, before being stored back into var10. This is likely the key to decrypt the flag.

The other class, HoneypotImpl, extends Honeypot and adds more boilerplate code for variable bindings and other things generated by Hello eBPF. Though in a few annotations and the method getCodeStatic(), we have some really long strings. It turns out that these are pieces of the generated C code for the eBPF program, which we can find in the native extensions. I confirmed this with a quick comparison in Ghidra. As we found out after the CTF, the C sources being present here was not actually intended by the author but certainly made my life a whole lot easier, as at first glance some functionality was seemingly missing from the initial decompiler output.

Playing Labyrinth with my Scheduler

The core C logic is found in getCodeStatic() in HoneypotImpl. It defines a sched-ext scheduler and several syscall hooks: enter_openat, enter_read, and exit_read.

 1s32 BPF_STRUCT_OPS_SLEEPABLE(sched_init) {
 2  var4[0] = (var3[0]) ^ (1L << 63);
 3  s32 result = scx_bpf_create_dsq(C3, -1) + scx_bpf_create_dsq(C4, -1);
 4  return result;
 5  }
 6int BPF_STRUCT_OPS(sched_enqueue, struct task_struct *p, u64 enq_flags) {
 7  bool shouldBeBlocked = ({auto ___pointery__0 = (*(p)).pid; !bpf_map_peek_elem(&var8, &___pointery__0);});
 8  if ((shouldBeBlocked)) {
 9    bool *entry = ({auto ___pointery__0 = (*(p)).pid; bpf_map_lookup_elem(&var9, &___pointery__0);});
10    shouldBeBlocked = (entry != NULL) && (*(entry));
11  }
12  s64 dsqId = (long)(SCX_DSQ_GLOBAL);
13  if ((shouldBeBlocked)) {
14    dsqId = C3;
15  } else {
16    dsqId = C4;
17  }
18  u32 baseSlice = 5000000; …

  1s32 BPF_STRUCT_OPS_SLEEPABLE(sched_init) {
  2  var4[0] = (var3[0]) ^ (1L << 63);
  3  s32 result = scx_bpf_create_dsq(C3, -1) + scx_bpf_create_dsq(C4, -1);
  4  return result;
  5  }
  6int BPF_STRUCT_OPS(sched_enqueue, struct task_struct *p, u64 enq_flags) {
  7  bool shouldBeBlocked = ({auto ___pointery__0 = (*(p)).pid; !bpf_map_peek_elem(&var8, &___pointery__0);});
  8  if ((shouldBeBlocked)) {
  9    bool *entry = ({auto ___pointery__0 = (*(p)).pid; bpf_map_lookup_elem(&var9, &___pointery__0);});
 10    shouldBeBlocked = (entry != NULL) && (*(entry));
 11  }
 12  s64 dsqId = (long)(SCX_DSQ_GLOBAL);
 13  if ((shouldBeBlocked)) {
 14    dsqId = C3;
 15  } else {
 16    dsqId = C4;
 17  }
 18  u32 baseSlice = 5000000;
 19  scx_bpf_dispatch(p, dsqId, baseSlice / scx_bpf_dsq_nr_queued(dsqId), enq_flags);
 20  return 0;
 21  }
 22s32 BPF_STRUCT_OPS(sched_select_cpu, struct task_struct *p, s32 prev_cpu, u64 wake_flags) {
 23  if ((!bpf_cpumask_full((const struct cpumask*)(*(p)).cpus_ptr))) {
 24    return bpf_cpumask_first((const struct cpumask*)(*(p)).cpus_ptr);
 25  }
 26  return 0;
 27  }
 28enum T1 f1(struct task_struct *p) {
 29  u8 taskName[16] = "";
 30  bpf_probe_read_kernel_str(taskName, sizeof(taskName), (*((*(p)).group_leader)).comm);
 31  enum T1 result = T1_E1;
 32  if ((bpf_strncmp((const u8*)taskName, C5, (const u8*)"cat") == 0)) {
 33    result = T1_E4;
 34  } else if ((bpf_strncmp((const u8*)taskName, C5, (const u8*)"head") == 0)) {
 35    result = T1_E2;
 36  } else if ((bpf_strncmp((const u8*)taskName, C5, (const u8*)"tail") == 0)) {
 37    result = T1_E3;
 38  } else if ((bpf_strncmp((const u8*)taskName, C5, (const u8*)"base64") == 0)) {
 39    result = T1_E5;
 40  }
 41  return result;
 42  }
 43s32 f2(enum T1 t) {
 44  if ((t == T1_E1)) {
 45    return 0;
 46  }
 47  s32 row = f4();
 48  s32 placed_row = row;
 49  u64 character = (var4[row]) & (~(var3[row]));
 50  s32 col = f5(character);
 51  s8 value = var5[(row * 64) + col];
 52  u32 currentStep = var7;
 53  if ((currentStep >= 500)) {
 54    var1 = 1;
 55    return 1;
 56  }
 57  var6[currentStep] = value;
 58  var7 = currentStep + 1;
 59  if ((t == T1_E2)) {
 60    if ((((row > 0) && (row < 64)))) {
 61      placed_row = row - 1;
 62      var3[row] = var4[row];
 63      var4[placed_row] |= character;
 64    } else {
 65      var4[placed_row] = var3[placed_row];
 66    }
 67  } else if ((t == T1_E3)) {
 68    if ((row < 63)) {
 69      placed_row = row + 1;
 70      var3[row] = var4[row];
 71      var4[placed_row] |= character;
 72    } else {
 73      var4[placed_row] = var3[placed_row];
 74    }
 75  } else if ((t == T1_E4)) {
 76    var3[row] = var4[row];
 77    var4[placed_row] = (var3[row]) | (character << 1);
 78  } else if ((t == T1_E5)) {
 79    var3[row] = var4[row];
 80    var4[placed_row] = (var3[row]) | (character >> 1);
 81  }
 82  if (((row == 63) && (character == 1L))) {
 83    var2 = 1;
 84  } else if (((var4[placed_row]) == ((s64)var3[placed_row]))) {
 85    var1 = 1;
 86  }
 87  return 0;
 88  }
 89s32 f4() {
 90  for (s32 row_index = 0; row_index < 64; row_index++) {
 91    if (((var3[row_index]) != ((s64)var4[row_index]))) {
 92      return row_index;
 93    }
 94  }
 95  return 0;
 96  }
 97s32 f5(s64 characterInRow) {
 98  s64 current = characterInRow;
 99  u32 colIndex;
100  for (colIndex = 0; (colIndex < 64) && (current != MIN_VALUE); colIndex++) {
101    current = current << 1;
102  }
103  if ((colIndex >= 64)) {
104    colIndex = 0;
105  }
106  return colIndex;
107  }
108SEC("tp/syscalls/sys_enter_openat") int f6(struct OpenAtCtx *ctx) {
109  u8 path[16] = "";
110  BPF_SNPRINTF(path, sizeof(path), "%s", (*(ctx)).openAt.filename);
111  if ((bpf_strncmp((const u8*)path, 4, (const u8*)"flag") != 0)) {
112    return 0;
113  }
114  struct task_struct *task = bpf_get_current_task_btf();
115  ({auto ___pointery__0 = (*(task)).pid; !bpf_map_push_elem(&var8, &___pointery__0, BPF_ANY);});
116  ({auto ___pointery__0 = (*(task)).pid; auto ___pointery__1 = 1; !bpf_map_update_elem(&var9, &___pointery__0, &___pointery__1, BPF_ANY);});
117  s32 cpu = scx_bpf_task_cpu((const struct task_struct*)task);
118  scx_bpf_kick_cpu(cpu, (long)(SCX_KICK_PREEMPT));
119  enum T1 blockDirectionResult = f1(task);
120  f2(blockDirectionResult);
121  if ((!var2)) {
122    s32 row = f4();
123    bpf_trace_printk("Nope, want to try something else?", sizeof("Nope, want to try something else?"), row, var4[row]);
124  }
125  return 1;
126  }
127SEC("tp/syscalls/sys_enter_read") int f7(struct ReadCtx *ctx) {
128  struct task_struct *task = bpf_get_current_task_btf();
129  s32 pid = (*(task)).pid;
130  bool interesting = !bpf_map_peek_elem(&var8, &pid);
131  if ((interesting)) {
132    bool *entry = bpf_map_lookup_elem(&var9, &pid);
133    interesting = (entry != NULL) && (*(entry));
134  }
135  if ((!interesting)) {
136    return 0;
137  }
138  ({auto ___pointery__0 = (*(ctx)).read.buf; !bpf_map_update_elem(&var12, &pid, &___pointery__0, BPF_ANY);});
139  return 0;
140  }
141SEC("tp/syscalls/sys_exit_read") int f8(struct ExitCtx *ctx) {
142  struct task_struct *task = bpf_get_current_task_btf();
143  s32 pid = (*(task)).pid;
144  s8 **bufPtr = bpf_map_lookup_elem(&var12, &pid);
145  if ((bufPtr == NULL)) {
146    return 0;
147  }
148  s8 *buf = (*(bufPtr));
149  u8 flag[64];
150  bpf_probe_read_user_str(flag, sizeof(flag), (u8*)(buf));
151  s32 i;
152  for (i = 0; i < 64; i++) {
153    if (((flag[i]) == 0)) {
154      break;
155    }
156    flag[i] = (u8)((flag[i]) ^ (var10[i]));
157  }
158  if ((i <= 0)) {
159    return 1;
160  }
161  bpf_probe_write_user(buf, (const void*)(flag), i);
162  return 0;
163}

Click here to expand

In the sys_enter_openat hook, if the opened file is flag, the PID of the process is pushed into var8 and var9. Also, as long as var2 is not set, we get the output we recognized from earlier. It also calls f2 with the result of f1, which checks the name of the process and returns an enum value corresponding to the command we entered.

The sys_enter_read looks only at processes that have been stored in var8 and var9, and stores their read buffer.

Finally, the sys_exit_read hook XORs the read buffer with the key stored in var10 and writes it back to the buffer. var10 is the key injected by the Java code once var2 is set to true.

Clearly, the key to the whole thing is getting var2 to be true, which happens in f2.

f2 implements bit-level logic on var3 and var4. Back in the Java code, we saw that these variables are both initialized with C1, which is an array of 64 longs. We will treat them here as 2D bit arrays.

First, row and col are determined by the lowest indices where var3 and var4 differ. Then, in all four cases, var3 is initially set to the current state of var4. Then, depending on the command we entered, the bit either above, below, left, or right of the current position is set to 1 in var4. Finally, there’s a check to see if var3 and var4 are equal in the current row. If they are, var1 is set to true, which will trigger the failure condition in the Java code.

Thinking about this for a minute, we can notice that this is a labyrinth, where a 1 in var3 indicates a wall and a 0 indicates a path, and it’s controlled by our commands back in the shell script.

If we have reached the final row, var2 is set to true, which will then trigger the Java code to derive the key flag.

Also, var5[row * 64 + col] is appended to var6. var5 is the large array of bytes C2 found back in the Java code. Remember that var6 is used to derive the flag XOR key, so ultimately the key is derived from the path we take through the labyrinth.

The scheduling functions do not really add much that would help us solve the challenge. They just block processes stored in var8 and var9 until var2 has been set, meaning they are held up until the labyrinth has been solved.

To solve the labyrinth, I extracted C1 as a bit array and had an LLM implement breadth-first search.

 1[...]
 2def bfs(maze, start, goal):
 3    visited = np.full(maze.shape, False)
 4    prev = np.full(maze.shape, None)
 5    queue = deque([start])
 6    visited[start] = True
 7    
 8    while queue:
 9        current = queue.popleft()
10        if current == goal:
11            break
12        for d in directions:
13            ni, nj = current[0] + d[0], current[1] + d[1]
14            if 0 <= ni < maze.shape[0] and 0 <= nj < maze.shape[1]:
15                if not visited[ni, nj] and maze[ni, nj] == 0:
16                    visited[ni, nj] = True
17                    prev[ni, nj] = current
18                    queue.append((ni, nj))
19    
20    # Reconstruct path
21    path = []
22    cell = goal
23    while cell != start:
24        path.append(cell)
25        cell = prev[cell]
26        if cell is None:
27            return None  # No path
28    path.append(start)
29    path.reverse()
30    return path
31
32# Find path from top-left to bottom-right
33start = (0, 0)
34goal = (maze_size - 1, maze_size - 1)
35path = bfs(maze, start, goal)
36
37
38def path_to_directions(path):
39    dir_map = {
40        (-1, 0): 'h',
41        (1, 0): 't',
42        (0, -1): 'c',
43        (0, 1): 'b'
44    }
45    directions = []
46    for i in range(1, len(path)):
47        delta = (path[i][0] - path[i - 1][0], path[i][1] - path[i - 1][1])
48        directions.append(dir_map.get(delta, 'UNKNOWN'))
49    return directions
50
51directions_list = path_to_directions(path)
52"\n".join(directions_list)

  1import numpy as np
  2import matplotlib.pyplot as plt
  3from collections import deque
  4
  5# Binary maze string
  6binary_string = (
  7    "1001000100000001000000000001000000000001000001000001000000000101"
  8    "0101010101111101011111110101111101111101010101110101110101110101"
  9    "0100010101000100000001010100000100010101010100000100010101010001"
 10    "0111011101010111111101010111110111010101110111111111011101011101"
 11    "0100010001010000010000010000010100010000010000010000010001000101"
 12    "0111110111011111010111111111010101111111010111010111110111010101"
 13    "0000010001010100010100000000010001000001010100010100000100010101"
 14    "0111010111010101111101111101111101011101011101110101011111110101"
 15    "0100010100010001000001000001000101010001000001010101000000010001"
 16    "1101010101110111110111111111010111010111111111010111011111010111"
 17    "0001010101000100000100000000010000010100000001010001000001010001"
 18    "0101110101110101111101111111111111110101111101011101011111011101"
 19    "0101000100010100000100010000000100010001000001000101010001010001"
 20    "0101011111010111010111010111110101111111011111110101110101010111"
 21    "0101010000010001010001000001000100000000010000000100010100010001"
 22    "0111010111111101111101111111011101111111110111011111010111111101"
 23    "0000010001000100000001010000010101000100000100010000010001000101"
 24    "0111110101010111111101010111110101010101111101110111110101110101"
 25    "0100010101010100000101010100000101010101000100000100010100010101"
 26    "1101011101110101011101010101111101010101110111111101011111010101"
 27    "0001000101000101010000010100000001010100010000010001010001010101"
 28    "0111110101011101010111110101111111011111011101110101010101010101"
 29    "0001000001010001000001000101000100000001000100010101000101010001"
 30    "1101111111010111011111011101011101111101110101010101111101010111"
 31    "0001000100000101010000010001000001000100000101000100010001010001"
 32    "0111010111111101010111110111110111010111111111110111010111011101"
 33    "0100010000000101010100000100010100010100000000010001010000010001"
 34    "0101111111110101110101111101010101110101011111011111011111110111"
 35    "0100010000010100000101000001010100010101010001010001000100000001"
 36    "0111010101010111111101011111010101011101011101010101110111111101"
 37    "0000010101010000000100010001010101000001000100000101000100010101"
 38    "0111111101110111011111110111010111011111110111111101011101010101"
 39    "0000000001000101010000000000010001010100010000010101000001010001"
 40    "1111111111011101010111111111111101010101010111010101011111011111"
 41    "0000000000010001010100000001000101000101010100010101010001000001"
 42    "0111111111110111010101110101010101111101011101110101010101111101"
 43    "0000010000000000010101000100010100000101010001010001010101000001"
 44    "1111011111111111110111011111110111110101010111010111011101011101"
 45    "0000010000010000010001010000010001010001010100000101000001010101"
 46    "0111010111010111011101010111011101011111010101111101011111010101"
 47    "0100010100010001000100010001000101000001000100010001010000010001"
 48    "0111110101011101010111111101110101011101111111010111010111110111"
 49    "0000010101010001010000010000010101010100000000010000010001010001"
 50    "0111010101110111010111110111110101010111111111110111111101011101"
 51    "0001010100010101010100000101000101010000000001010100010001000001"
 52    "1111010111010101010101111101010101010111111101010101010111011111"
 53    "0000010001000001010101000001010101010100000101000101010001010001"
 54    "0101111101111111011101011101011101010101011101011101011101110101"
 55    "0101000100000100010001010101000001000101000101010001000100000101"
 56    "0111010111110101110111010101111111111101110101010111110111110101"
 57    "0100010000000100000100010000000000000101000101010000010000010101"
 58    "0101111111111111111101110111111111110101011101011111011111011101"
 59    "0101000100000000000001000100000100010101000001010001000001000001"
 60    "0101010101111111110111111101110101010101111111011101111101111101"
 61    "0100010100000100010000010001010001010100010000010000010100000101"
 62    "0111110111110111011111010111011111011111011111010111010111110101"
 63    "0000010001010001010000010000000100010001000001000100010000010101"
 64    "1111011101011101010111011101111101110101111101111101110111110111"
 65    "0001000101000001010001010001000001000100000101000101000100010001"
 66    "0101010101011111011101110111011111011111011101010101110101011101"
 67    "0100010101000100000101000101000100010001000001010100000101000001"
 68    "0111111101110111110101011101110101111101111111010111111101111101"
 69    "0000000001000000000100000000010000000000000000010000000001000000"
 70    "1111111111111111111111111111111111111111111111111111111111111110"
 71)
 72
 73# Convert binary string to 2D numpy array
 74maze_size = 64
 75maze = np.array(list(binary_string), dtype=int).reshape((maze_size, maze_size))
 76
 77# Directions: up, down, left, right
 78directions = [(-1,0), (1,0), (0,-1), (0,1)]
 79
 80# BFS to find path
 81def bfs(maze, start, goal):
 82    visited = np.full(maze.shape, False)
 83    prev = np.full(maze.shape, None)
 84    queue = deque([start])
 85    visited[start] = True
 86    
 87    while queue:
 88        current = queue.popleft()
 89        if current == goal:
 90            break
 91        for d in directions:
 92            ni, nj = current[0] + d[0], current[1] + d[1]
 93            if 0 <= ni < maze.shape[0] and 0 <= nj < maze.shape[1]:
 94                if not visited[ni, nj] and maze[ni, nj] == 0:
 95                    visited[ni, nj] = True
 96                    prev[ni, nj] = current
 97                    queue.append((ni, nj))
 98    
 99    # Reconstruct path
100    path = []
101    cell = goal
102    while cell != start:
103        path.append(cell)
104        cell = prev[cell]
105        if cell is None:
106            return None  # No path
107    path.append(start)
108    path.reverse()
109    return path
110
111# Find path from top-left to bottom-right
112start = (0, 0)
113goal = (maze_size - 1, maze_size - 1)
114path = bfs(maze, start, goal)
115
116
117def path_to_directions(path):
118    dir_map = {
119        (-1, 0): 'h',
120        (1, 0): 't',
121        (0, -1): 'c',
122        (0, 1): 'b'
123    }
124    directions = []
125    for i in range(1, len(path)):
126        delta = (path[i][0] - path[i - 1][0], path[i][1] - path[i - 1][1])
127        directions.append(dir_map.get(delta, 'UNKNOWN'))
128    return directions
129
130directions_list = path_to_directions(path)
131"\n".join(directions_list)

Click here to expand

As backtracking is prevented, there is only one solution which you can see below.

With a small script, we can replay the path to win

 1from pwn import *
 2
 3p = process('./run.sh ./honeypot.jar', shell=True)
 4
 5with open('path.txt', 'rb') as f:
 6    steps = f.readlines()
 7
 8p.recvuntil(b'Enter your favourite way of printing your flag\n')
 9
10for step in steps:
11    p.send(step.strip())
12    if i < len(steps) - 1 :
13        p.recvuntil(b'Nope, want to try something else?\n')
14p.interactive()

Since the processes are all blocked until the labyrinth has been solved, once we reach the end we get the flag printed out to our terminal nearly 500 times.

So, to summarize everything:

When we run a command through the shell script, it makes a syscall to open the encrypted flag file.
The eBPF extension intercepts this and makes a move in the bitmap labyrinth based on the name of the process. From that point on, the process is blocked from being scheduled until the labyrinth has been solved.
Once we reach the bottom right corner of the labyrinth, the XOR key is derived from the path we took. All the blocked processes are resumed, and the buffers into which the encrypted flag file has been read are decrypted with the key.
We get a wall of flags printed to our terminal.

While I was just a few minutes short of first blood, I still got to explore quite an impressive project bridging Java and eBPF. If you’re interested in more fun with schedulers, I can recommend the author’s talk at GPN23.

Pwn-la-Chapelle

Popping Shells and Stealing Flags at RWTH Aachen University