BHIS CTF@Shmoocon 2019 - Blockchain Challenge

-
I had the Blockchain Challenge, or whatever it was actually called, still kicking around even though Shmoocon and the Blackhills Infosec CTF has ended. I thought this was a neat challenge and I really wanted to figure this one out.


Here's the challenge description:

Thanks for joining our team on this one. We are so close to catching the infamous hacktivist known as "gh0st Plague".
We were informed that he is planning another DDoS attack against a major financial institution. gh0st Plague recruits various botnet owners from around the net and always pays in Bitcoin.
We believe that the following Bitcoin address is one of gh0st Plague's wallets. Knowing where and when gP is making payments should help us catch him but we need some solid evidence. This is where you come in. With your expertise in Blockchain analysis it shouldn't be too hard for you to determine if he let his ego get to him and left any clues behind. Good luck! 3AHnpGWb1EUSYKZUbgxfAkzFfmJeKLL3hH

I remembered hearing about images and text being saved in the blockchain, and while looking into that I was even able to read the Nelson Mandela easter egg. I just had that feeling that this would be a similar process. 

Here's how I solved it:

[1] I went to www.blockchain.com and searched for the BTC Address: 3AHnpGWb1EUSYKZUbgxfAkzFfmJeKLL3hH

This gave me 2 results, BCH Address and BTC Address...I followed the link for the BTC Address which can be found here: https://www.blockchain.com/btc/address/3AHnpGWb1EUSYKZUbgxfAkzFfmJeKLL3hH

[2] I started followed the transactions in this order:
https://www.blockchain.com/btc/address/3GJR5DqZDBJz1GdTpp9MRHX8cpa3yaaBHo
https://www.blockchain.com/btc/address/1EpiECA7DEimuHFUiYaDzTwVUCguH4o7DT

This is where the transactions stop.  I then followed the transaction ID link: e9cefd05a6d3984adf6799eb0730bc321fce1efdfb8955c404613aebb4f9352d

[3] Finally, I clicked the Show scripts & coinbase link which revealed the flag under the Output Scripts section as seen below:

Output Scripts
DUP HASH160 PUSHDATA(20)[979f99afd3093caae8d7c9b902f4119cdc20aaed] EQUALVERIFY CHECKSIG
RETURN PUSHDATA(43)[455720666c61677b5468335f315f265f306e6c795f67683073745f506c616775655f77757a5f683372337d]
(decoded) EW flag{Th3_1_&_0nly_gh0st_Plague_wuz_h3r3}

That was it. My problem during the competition seemed to be that I was hung up on manually decoding transactions and ultimately failed to find the flag.  I'm still not sure how to decode this using blockcypher's decodetx feature, but that's okay. 

-strupo_

Popular posts from this blog

The Audacity of Some CTFs

-
Image
2021 Update : This is currently the most read post on our blog. Chances are that you are here because you are working on an audio challenge. If you see something looking like a digital signal, be sure to also check out our Radioactive Man write-up. I have stumbled across a few audio files while competing in CTFs over the last few years and I thought covering spectrograms would make a nice and quick blog post. Flags can manifest themselves in many ways when dealing with media files. One of the most common ways I have seen is by hiding them, or clues to find them, in the file's audio spectrogram. According to wikipedia: "a spectrogram is a visual representation of the spectrum of frequencies of sound, or other signals, as they vary with time." Basically, it is a method to visualize sound and signals. I first learned that you can embed hidden messages and images in a spectrogram when a friend showed me an image from an Aphex Twin song some years ago. Equation by
Read more

Code Name: Treehouse of Horror CTF

-
Image
A friend of mine asked me if I wanted to participate, on the sly, in an internal CTF that he put together for his employer. My score wouldn't be shown, and for all intents and purposes I did not compete. I figured I'd give it a code name incase I need to refer to this event. Let's call it the Treehouse of Horror CTF. The Treehouse of Horror CTF! The scoreboard appeared to be similar to the one used at the Defcon 26 IoT CTF, however this one was organized by challenge which made things nice for tracking your own progress versus one huge board of challenges.  I think this is called Jeopardy style. There were some odd moments at times because different challenge groups shared a target, so you had to identify which flag went with which challenge. Really not that big of a deal and I actually really enjoyed the format rather than just a single submit field like at derby or Eversec's CTF as it helped me track my progress with ease. The challenges were: FreePBX Re
Read more

2020 HTH CTF - Cloud Challenges

-
Image
Last weekend, @strupo_ joined team NiSec to participate in the HTH 2020 CTF  and together they got on the podium in third place! 2020 HTH CTF - Final Scoreboard The challenge categories included:  Cloud Crypto Forensics Kali 101  Misc Pwnables Recon Reverse Engineering Steganography Web Recently, strupo_ was fortunate enough to remotely attend  Breaching the Cloud Perimeter w/Beau Bullock . As cloud testing is still very new to him, and this blog tends to focus on introductory concepts and challenges, we thought it would be appropriate to try and tackle all of the cloud challenges in this post. Okay, let's get into it. The Cloud category had three challenges: BucketList (100) OhSnap! (150) Serving Less (250) BucketList Hey guys! I set up an AWS bucket for this year's hth that we can use to store our flags for the ctf. I think I made the bucket private but I'm not very good at this cloud stuff. Send me a message if I need to edit the permissions. Hint: Let's keep a flag
Read more