BHIS CTF@Shmoocon 2019 - Blockchain Challenge

I had the Blockchain Challenge, or whatever it was actually called, still kicking around even though Shmoocon and the Black Hills Infosec CTF had ended. I thought this was a neat challenge and I really wanted to figure this one out.


Here's the challenge description:

Thanks for joining our team on this one. We are so close to catching the infamous hacktivist known as "gh0st Plague".
We were informed that he is planning another DDoS attack against a major financial institution. gh0st Plague recruits various botnet owners from around the net and always pays in Bitcoin.
We believe that the following Bitcoin address is one of gh0st Plague's wallets. Knowing where and when gP is making payments should help us catch him but we need some solid evidence. This is where you come in. With your expertise in Blockchain analysis it shouldn't be too hard for you to determine if he let his ego get to him and left any clues behind. Good luck! 3AHnpGWb1EUSYKZUbgxfAkzFfmJeKLL3hH


I remembered hearing about images and text being saved in the blockchain, and while looking into that I was even able to read the Nelson Mandela easter egg. I just had that feeling that this would be a similar process. 

Here's how I solved it:

[1] I went to www.blockchain.com and searched for the BTC Address: 3AHnpGWb1EUSYKZUbgxfAkzFfmJeKLL3hH

This gave me 2 results, a BCH address and a BTC address. I followed the link for the BTC address, which can be found here: https://www.blockchain.com/btc/address/3AHnpGWb1EUSYKZUbgxfAkzFfmJeKLL3hH

[2] I then followed the transactions in this order:
https://www.blockchain.com/btc/address/3GJR5DqZDBJz1GdTpp9MRHX8cpa3yaaBHo
https://www.blockchain.com/btc/address/1EpiECA7DEimuHFUiYaDzTwVUCguH4o7DT

This is where the transactions stop. I then followed the transaction ID link: e9cefd05a6d3984adf6799eb0730bc321fce1efdfb8955c404613aebb4f9352d

[3] Finally, I clicked the "Show scripts & coinbase" link, which revealed the flag under the Output Scripts section, as seen below:

Output Scripts
DUP HASH160 PUSHDATA(20)[979f99afd3093caae8d7c9b902f4119cdc20aaed] EQUALVERIFY CHECKSIG
RETURN PUSHDATA(43)[455720666c61677b5468335f315f265f306e6c795f67683073745f506c616775655f77757a5f683372337d]
(decoded) EW flag{Th3_1_&_0nly_gh0st_Plague_wuz_h3r3}
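As an added example (not part of the original writeup), here is a small Python decoder that walks a raw scriptPubKey byte by byte, renders it in the same notation blockchain.com shows above, and pulls the text out of an OP_RETURN output. The raw hex scripts are reconstructed from the decoded form on the page (OP_RETURN is opcode 0x6a followed by a 43-byte direct push, 0x2b; the P2PKH output is 76 a9 14 <20 bytes> 88 ac), so the only assumption is that encoding.

```python
from typing import List, Optional, Tuple

# Names for the opcodes that appear in the challenge's two outputs.
OPCODES = {0x6a: "RETURN", 0x76: "DUP", 0xa9: "HASH160",
           0x88: "EQUALVERIFY", 0xac: "CHECKSIG"}

def parse_script(script_hex: str) -> List[Tuple[str, bytes]]:
    """Tokenise a raw scriptPubKey into (name, pushed_bytes) pairs."""
    raw = bytes.fromhex(script_hex)
    i, tokens = 0, []
    while i < len(raw):
        op = raw[i]
        i += 1
        if 1 <= op <= 75:                      # direct push: opcode is the length
            n = op
        elif op == 0x4c:                       # OP_PUSHDATA1: 1-byte length follows
            n = raw[i]; i += 1
        elif op == 0x4d:                       # OP_PUSHDATA2: 2-byte LE length follows
            n = int.from_bytes(raw[i:i + 2], "little"); i += 2
        else:                                  # a plain (non-push) opcode
            tokens.append((OPCODES.get(op, f"OP_0x{op:02x}"), b""))
            continue
        if i + n > len(raw):                   # malformed script: push overruns data
            raise ValueError("push length runs past end of script")
        tokens.append((f"PUSHDATA({n})", raw[i:i + n]))
        i += n
    return tokens

def render(script_hex: str) -> str:
    """Show the script the way blockchain.com's 'Output Scripts' view does."""
    return " ".join(name + (f"[{data.hex()}]" if data else "")
                    for name, data in parse_script(script_hex))

def op_return_text(script_hex: str) -> Optional[str]:
    """If the script is an OP_RETURN output, return its pushed payload as text."""
    tokens = parse_script(script_hex)
    if not tokens or tokens[0][0] != "RETURN":
        return None
    payload = b"".join(data for _, data in tokens[1:])
    return payload.decode("ascii", errors="replace")

# Raw scripts reconstructed from the decoded output shown in the writeup.
P2PKH_SCRIPT = "76a914979f99afd3093caae8d7c9b902f4119cdc20aaed88ac"
OP_RETURN_SCRIPT = ("6a2b455720666c61677b5468335f315f265f306e6c795f6768"
                    "3073745f506c616775655f77757a5f683372337d")

if __name__ == "__main__":
    print(render(P2PKH_SCRIPT))
    print(render(OP_RETURN_SCRIPT))
    print("(decoded)", op_return_text(OP_RETURN_SCRIPT))
```

The same parser can be pointed at any output script pulled from a raw transaction, which is the manual decoding step the competition got hung up on.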

That was it. My problem during the competition seemed to be that I was hung up on manually decoding transactions and ultimately failed to find the flag. I'm still not sure how to decode this using blockcypher's decodetx feature, but that's okay.

-strupo_
