Recovery Writeup - Cyber Apocalypse 2024
→ 1 Introduction
This writeup covers the Recovery Blockchain challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having an ‘easy’ difficulty. The challenge involved the recovery of an Electrum Bitcoin Wallet from a seed.
The description of the challenge is shown below, which includes the ssh credentials satoshi:L4mb0Pr0j3ct.
→ 2 Key techniques
The key techniques employed in this writeup are:
- very basic enumeration of a Linux host ssh session.
- recovery of an Electrum Bitcoin Wallet from a seed.
→ 3 ssh to the target
An ssh session was initiated using the credentials given in the challenge description. Basic enumeration was conducted until an Electrum Bitcoin Wallet seed was found in wallet/electrum-wallet-seed.txt.
$ ssh satoshi@94.237.56.255 -p 52563
satoshi@ng-team-116045-blockchainrecoveryca2024-nvpyf-54f7c7dc47-k45zf ➜ ~ id
uid=1000(satoshi) gid=1000(satoshi) groups=1000(satoshi)
satoshi@ng-team-116045-blockchainrecoveryca2024-nvpyf-54f7c7dc47-k45zf ➜ ~ pwd
/home/satoshi
satoshi@ng-team-116045-blockchainrecoveryca2024-nvpyf-54f7c7dc47-k45zf ➜ ~ ls
wallet
satoshi@ng-team-116045-blockchainrecoveryca2024-nvpyf-54f7c7dc47-k45zf ➜ ~ ls -a wallet
. .. electrum-wallet-seed.txt
satoshi@ng-team-116045-blockchainrecoveryca2024-nvpyf-54f7c7dc47-k45zf ➜ ~ cat wallet/electrum-wallet-seed.txt
lens garbage upper tent category discover shadow local brush grow wrestle doll
→ 4 Obtaining Electrum command line options
The second port was connected to, which disclosed the options needed for starting Electrum, namely the --regtest and --oneserver options:
$ nc -n -v 94.237.56.255 46066
(UNKNOWN) [94.237.56.255] 46066 (?) open
Hello fella, help us recover our bitcoins before it's too late.
Return our Bitcoins to the following address: bcrt1qvxethjar5j8rsfaknm7xslychv087whm0e96ns
CONNECTION INFO:
- Network: regtest
- Electrum server to connect to blockchain: 0.0.0.0:50002:t
NOTE: These options might be useful while connecting to the wallet, e.g --regtest --oneserver -s 0.0.0.0:50002:t
Hacker wallet must have 0 balance to earn your flag. We want back them all.
Options:
1) Get flag
2) Quit
Enter your choice:
→ 5 Installing Electrum
Electrum was downloaded and the signature verified:
$ gpg --import ThomasV.asc
$ gpg --verify electrum-4.5.3-x86_64.AppImage.asc
→ 6 Recovering the wallet
The application was started using the options previously obtained:
./electrum-4.5.3-x86_64.AppImage --regtest --oneserver -s 94.237.56.255:46305:t
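Restoring the wallet in the Electrum GUI hides what actually happens with the 12 words. The following added example (not code from this writeup or from the Electrum project) reimplements the two primitives Electrum applies to a seed phrase so they can be studied offline: the seed-version check, where a phrase is accepted when HMAC-SHA512 keyed with "Seed version" over the normalised phrase starts with a known prefix, and the stretching of the phrase into the 64-byte BIP32 root seed with PBKDF2-HMAC-SHA512 (2048 rounds, salt "electrum" plus the optional passphrase). The text normalisation is a simplified version of Electrum's, and the seed type of the challenge phrase is not stated in the writeup; the function reports whatever the digest prefix says.

```python
"""Electrum seed-phrase checks, as used when restoring a wallet from 12 words.

Added example: reimplements the seed-version check and the seed stretching
from Electrum's mnemonic handling so the behaviour can be examined offline.
Not code from the writeup or the Electrum project.
"""
import hashlib
import hmac
import unicodedata

# Version prefixes Electrum recognises in HMAC-SHA512("Seed version", phrase).
SEED_PREFIXES = {
    "01": "standard",      # legacy P2PKH wallet
    "100": "segwit",       # native segwit (bc1 / bcrt1) wallet
    "101": "2fa",          # two-factor (TrustedCoin) wallet
    "102": "2fa_segwit",
}
PBKDF2_ROUNDS = 2048

# The 12-word seed found in wallet/electrum-wallet-seed.txt on the challenge host.
CHALLENGE_SEED = ("lens garbage upper tent category discover "
                  "shadow local brush grow wrestle doll")


def normalize_text(text: str) -> str:
    """Simplified Electrum normalisation: NFKD, lowercase, strip combining
    marks, collapse whitespace. (Electrum's CJK spacing rules are omitted.)"""
    text = unicodedata.normalize("NFKD", text).lower()
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.split())


def seed_type(mnemonic: str):
    """Return the Electrum seed type encoded in the phrase, or None.

    Electrum seeds carry no BIP39-style wordlist checksum; a phrase is valid
    when the hex HMAC-SHA512 digest starts with one of the known prefixes.
    """
    digest = hmac.new(b"Seed version",
                      normalize_text(mnemonic).encode("utf-8"),
                      hashlib.sha512).hexdigest()
    for prefix, name in SEED_PREFIXES.items():
        if digest.startswith(prefix):
            return name
    return None


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Stretch the phrase into the 64-byte BIP32 root seed the way Electrum
    does: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "electrum" + passphrase."""
    return hashlib.pbkdf2_hmac(
        "sha512",
        normalize_text(mnemonic).encode("utf-8"),
        ("electrum" + normalize_text(passphrase)).encode("utf-8"),
        PBKDF2_ROUNDS,
    )


def main():
    kind = seed_type(CHALLENGE_SEED)
    print("seed type:", kind or "not an Electrum seed")
    root = mnemonic_to_seed(CHALLENGE_SEED)
    print("root seed (hex):", root.hex())


if __name__ == "__main__":
    main()
```

Everything a wallet needs is derived from these 12 words (plus the passphrase, if one was set): the root seed above feeds the BIP32 key derivation, so whoever reads the seed file controls the funds. That is the point the challenge's flag makes, and why a seed phrase should never sit in a plaintext file on a host that others can log into.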
→ 7 Recovering the Bitcoins
→ 8 Obtaining the flag
The flag was obtained by connecting to the management endpoint and selecting the “Get flag” option:
$ nc -n -v 94.237.56.255 46066
(UNKNOWN) [94.237.56.255] 46066 (?) open
Hello fella, help us recover our bitcoins before it's too late.
Return our Bitcoins to the following address: bcrt1qvxethjar5j8rsfaknm7xslychv087whm0e96ns
CONNECTION INFO:
- Network: regtest
- Electrum server to connect to blockchain: 0.0.0.0:50002:t
NOTE: These options might be useful while connecting to the wallet, e.g --regtest --oneserver -s 0.0.0.0:50002:t
Hacker wallet must have 0 balance to earn your flag. We want back them all.
Options:
1) Get flag
2) Quit
Enter your choice: 1
HTB{n0t_y0ur_k3ys_n0t_y0ur_c01n5}
→ 9 Conclusion
The flag was submitted and the challenge was marked as pwned.