forbytten blogs

Recovery Writeup - Cyber Apocalypse 2024

1 Introduction

This writeup covers the Recovery Blockchain challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having an ‘easy’ difficulty. The challenge involved the recovery of an Electrum Bitcoin Wallet from a seed.

The description of the challenge is shown below, which includes ssh credentials of satoshi:L4mb0Pr0j3ct.

Recovery description

2 Key techniques

The key techniques employed in this writeup are:

3 ssh to the target

An ssh session was initiated using the credentials given in the challenge description. Basic enumeration was conducted until an Electrum Bitcoin Wallet seed was found in wallet/electrum-wallet-seed.txt.

$ ssh satoshi@94.237.56.255 -p 52563
satoshi@ng-team-116045-blockchainrecoveryca2024-nvpyf-54f7c7dc47-k45zf ➜  ~ id
uid=1000(satoshi) gid=1000(satoshi) groups=1000(satoshi)
satoshi@ng-team-116045-blockchainrecoveryca2024-nvpyf-54f7c7dc47-k45zf ➜  ~ pwd
/home/satoshi
satoshi@ng-team-116045-blockchainrecoveryca2024-nvpyf-54f7c7dc47-k45zf ➜  ~ ls
wallet
satoshi@ng-team-116045-blockchainrecoveryca2024-nvpyf-54f7c7dc47-k45zf ➜  ~ ls -a wallet
.  ..  electrum-wallet-seed.txt
satoshi@ng-team-116045-blockchainrecoveryca2024-nvpyf-54f7c7dc47-k45zf ➜  ~ cat wallet/electrum-wallet-seed.txt
lens garbage upper tent category discover shadow local brush grow wrestle doll

4 Obtaining Electrum command line options

Connecting to the second port disclosed the options needed to start Electrum, namely the --regtest and --oneserver options together with the -s server specification:

$ nc -n -v 94.237.56.255 46066
(UNKNOWN) [94.237.56.255] 46066 (?) open
Hello fella, help us recover our bitcoins before it's too late.
Return our Bitcoins to the following address: bcrt1qvxethjar5j8rsfaknm7xslychv087whm0e96ns
CONNECTION INFO:
  - Network: regtest
  - Electrum server to connect to blockchain: 0.0.0.0:50002:t

NOTE: These options might be useful while connecting to the wallet, e.g --regtest --oneserver -s 0.0.0.0:50002:t
Hacker wallet must have 0 balance to earn your flag. We want back them all.

Options:
1) Get flag
2) Quit
Enter your choice:

5 Installing Electrum

Electrum was downloaded and its GPG signature verified using the developer's key:

$ gpg --import ThomasV.asc
$ gpg --verify electrum-4.5.3-x86_64.AppImage.asc

6 Recovering the wallet

The application was started using the options previously obtained:

./electrum-4.5.3-x86_64.AppImage --regtest --oneserver -s 94.237.56.255:46305:t
Electrum start screen, with the default wallet name accepted
Create a new standard wallet
Create a wallet from an existing seed
Entering the existing seed from the ssh session
Leaving the wallet password blank for the purposes of the challenge
Wallet successfully recovered with a balance of 1000 Bitcoins
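The seed recovery above works because an Electrum seed phrase is, on its own, the entire wallet: the words carry a version tag (an HMAC-SHA512 prefix) that tells Electrum the wallet type, and the BIP32 root key is a plain PBKDF2 of the normalized words. The following added example (not part of the original writeup or of Electrum's own code) reimplements that seed-type check and root-seed derivation so a found seed file can be triaged offline; the seed-type result for the challenge seed is not stated on the page, so the code reports whatever the tag says.

```python
import hashlib
import hmac
import unicodedata

# Electrum seed-version tags: hex prefix of HMAC-SHA512("Seed version", normalized words)
SEED_PREFIXES = {
    "01": "standard",
    "100": "segwit",
    "101": "2fa",
    "102": "2fa_segwit",
}

# Seed found in wallet/electrum-wallet-seed.txt on the challenge target
SEED = "lens garbage upper tent category discover shadow local brush grow wrestle doll"


def normalize_text(text: str) -> str:
    """Electrum-style normalization: NFKD, lowercase, strip accents, collapse whitespace.
    (Electrum additionally drops whitespace between CJK characters; omitted here.)"""
    text = unicodedata.normalize("NFKD", text).lower()
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.split())


def seed_type(seed: str):
    """Return the Electrum wallet type encoded in the seed, or None if the
    version tag does not match (e.g. a plain BIP39 phrase)."""
    digest = hmac.new(b"Seed version", normalize_text(seed).encode("utf8"),
                      hashlib.sha512).hexdigest()
    for prefix, name in SEED_PREFIXES.items():
        if digest.startswith(prefix):
            return name
    return None


def mnemonic_to_seed(seed: str, passphrase: str = "") -> bytes:
    """Electrum's BIP32 root seed: PBKDF2-HMAC-SHA512 over the normalized words,
    salt 'electrum' + normalized passphrase, 2048 rounds, 64 bytes."""
    salt = "electrum" + (normalize_text(passphrase) if passphrase else "")
    return hashlib.pbkdf2_hmac("sha512", normalize_text(seed).encode("utf8"),
                               salt.encode("utf8"), 2048, 64)


if __name__ == "__main__":
    # Anyone holding these 12 words can reproduce this root seed: not your keys, not your coins.
    print("seed type:", seed_type(SEED))
    print("bip32 root seed:", mnemonic_to_seed(SEED).hex())
```

Running it against a seed file recovered during an incident shows immediately whether the phrase is an Electrum wallet (and of which type) before any wallet software is involved.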

7 Recovering the Bitcoins

Sending the maximum Bitcoins to the target address, minus a mining fee
Confirming the transaction
Transaction successful

8 Obtaining the flag

The flag was obtained by connecting to the management endpoint and selecting the “Get flag” option:

$ nc -n -v 94.237.56.255 46066
(UNKNOWN) [94.237.56.255] 46066 (?) open
Hello fella, help us recover our bitcoins before it's too late.
Return our Bitcoins to the following address: bcrt1qvxethjar5j8rsfaknm7xslychv087whm0e96ns
CONNECTION INFO:
  - Network: regtest
  - Electrum server to connect to blockchain: 0.0.0.0:50002:t

NOTE: These options might be useful while connecting to the wallet, e.g --regtest --oneserver -s 0.0.0.0:50002:t
Hacker wallet must have 0 balance to earn your flag. We want back them all.

Options:
1) Get flag
2) Quit
Enter your choice: 1
HTB{n0t_y0ur_k3ys_n0t_y0ur_c01n5}

9 Conclusion

The flag was submitted and the challenge was marked as pwned.

Submission of the flag marked the challenge as pwned