Recovery - Blockchain

Task

We are The Profits. During a hacking battle our infrastructure was compromised as were the private keys to our Bitcoin wallet that we kept. We managed to track the hacker and were able to get some SSH credentials into one of his personal cloud instances, can you try to recover my Bitcoins?

Username: satoshi Password: L4mb0Pr0j3ct

NOTE: Network is regtest, check connection info in the handler first.

Solution

We get the SSH credentials satoshi:L4mb0Pr0j3ct and three different port numbers: 53834, 51098 and 24985. We can connect to the first port, 53834, using netcat:

szczygielka@hacks$ nc 94.237.52.22 53834 
Hello fella, help us recover our bitcoins before it's too late.
Return our Bitcoins to the following address: bcrt1qxlxdn5zk02yt255z5pq99pxgqstywxn6jhcm73
CONNECTION INFO: 
  - Network: regtest
  - Electrum server to connect to blockchain: 0.0.0.0:50002:t

NOTE: These options might be useful while connecting to the wallet, e.g --regtest --oneserver -s 0.0.0.0:50002:t
Hacker wallet must have 0 balance to earn your flag. We want back them all.

Options:
1) Get flag
2) Quit
Enter your choice:

According to the information we get to obtain the flag we need to find some way to recover Bitcoins from the hacker and send them to the following wallet address:

bcrt1qxlxdn5zk02yt255z5pq99pxgqstywxn6jhcm73

The connection information indicates that we need to use Electrum Bitcoin Wallet to send the money. Moreover, this port will be used to get the flag. Let's establish an SSH connection with the attacker machine:

szczygielka@hacks$ ssh satoshi@94.237.52.22 -p 51098
satoshi@94.237.52.22's password: 
Linux ng-team-12027-blockchainrecoveryca2024-tnfqf-7d9659fff4-n782h 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
satoshi@ng-team-12027-blockchainrecoveryca2024-tnfqf-7d9659fff4-n782h ➜  ~

In the satoshi user's home directory we find a directory called wallet, which contains the file electrum-wallet-seed.txt. This file contains 10 words:

satoshi@ng-team-12027-blockchainrecoveryca2024-tnfqf-7d9659fff4-n782h ➜  ~ cat wallet/electrum-wallet-seed.txt
leisure reunion situate visual grief skate long genius loyal box barely survey

As the file name electrum-wallet-seed.txt suggests, these words are the seed we should use to restore the attacker's wallet. To restore it, we need to install Electrum.
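Before restoring a seed phrase found on a host it helps to know what kind of seed it is, because Electrum's own seeds are not BIP39: Electrum tags its seeds with a version prefix derived from HMAC-SHA512 with the key "Seed version", and derives the wallet's root secret from the words with PBKDF2-HMAC-SHA512 (salt "electrum" plus the optional passphrase, 2048 rounds). The script below is an added example written for this write-up, not code from the challenge or from the Electrum project; the seed file content is constructed inline, the function names are my own, and the normalisation is the simplified form for English seeds (Electrum also strips spaces between CJK characters, which is skipped here). If the classifier returns None, the phrase is not an Electrum-native seed and is most likely a BIP39 seed, which Electrum can still restore through its "BIP39 seed" option.

```python
import hashlib
import hmac
import unicodedata

# Electrum seed-version prefixes: the hex of HMAC-SHA512("Seed version", seed)
# must start with one of these for the phrase to be an Electrum-native seed.
SEED_PREFIXES = {
    "01": "standard",
    "100": "segwit",
    "101": "2fa",
    "102": "2fa_segwit",
}

PBKDF2_ROUNDS = 2048  # rounds Electrum uses in mnemonic_to_seed

# Constructed sample: the content of a seed file as it might be found on a host.
SAMPLE_SEED_FILE = "  Leisure Reunion   situate visual grief skate\nlong genius loyal box barely survey \n"


def normalize_text(seed: str) -> str:
    """Simplified Electrum normalisation for English seeds:
    NFKD, lower-case, strip combining accents, collapse whitespace."""
    seed = unicodedata.normalize("NFKD", seed).lower()
    seed = "".join(c for c in seed if not unicodedata.combining(c))
    return " ".join(seed.split())


def seed_version_hex(seed: str) -> str:
    """Hex digest of HMAC-SHA512 keyed with b'Seed version' over the normalised seed."""
    return hmac.new(b"Seed version", normalize_text(seed).encode("utf8"),
                    hashlib.sha512).hexdigest()


def electrum_seed_type(seed: str):
    """Return the Electrum wallet type encoded in the seed, or None if the
    phrase carries no Electrum version prefix (e.g. a BIP39 seed)."""
    digest = seed_version_hex(seed)
    for prefix, kind in SEED_PREFIXES.items():
        if digest.startswith(prefix):
            return kind
    return None


def mnemonic_to_root_seed(seed: str, passphrase: str = "") -> bytes:
    """64-byte root secret from which Electrum derives the BIP32 master key."""
    mnemonic = normalize_text(seed).encode("utf8")
    salt = b"electrum" + normalize_text(passphrase).encode("utf8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic, salt, PBKDF2_ROUNDS)


def describe_seed_file(content: str) -> dict:
    """Summarise a seed file: word count, Electrum type, and root-seed fingerprint."""
    words = normalize_text(content).split()
    root = mnemonic_to_root_seed(content)
    return {
        "word_count": len(words),
        "electrum_type": electrum_seed_type(content),
        "root_seed_sha256": hashlib.sha256(root).hexdigest(),
    }


if __name__ == "__main__":
    info = describe_seed_file(SAMPLE_SEED_FILE)
    print(f"words: {info['word_count']}")
    print(f"electrum seed type: {info['electrum_type'] or 'none (probably BIP39)'}")
    print(f"root seed fingerprint: {info['root_seed_sha256'][:16]}...")
```

The root seed is never printed, only a SHA-256 fingerprint of it, so the script can be run while triaging a seized or compromised machine without copying key material into a log.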

Electrum

Electrum can be downloaded from here. After installation, we run Electrum in regtest mode, using the attacker's IP as the server together with the third port, 24985:

electrum --regtest --oneserver -s 94.237.52.22:24985:t

On the Electrum start screen we can choose which wallet we want to use. In this case we want to restore a wallet, so we can continue with the default wallet name:

Leave the Standard wallet option selected and click Next:

Then we select the I already have a seed option and continue to the next window:

Then we enter the seed, i.e. the 10 words found in the electrum-wallet-seed.txt file:

Leave the wallet password blank and click Finish:

We have successfully restored the attacker's wallet, which holds 1000 Bitcoins. Now we have to make the transfer. As the transfer amount we set 999.835 BTC, because the remaining 0.165 BTC has to be paid as the mining fee:

After sending the payment, we should be able to obtain the flag. We connect with netcat as before and select option 1 to get the flag:

szczygielka@hacks$ nc 94.237.52.22 53834 
Hello fella, help us recover our bitcoins before it's too late.
Return our Bitcoins to the following address: bcrt1qxlxdn5zk02yt255z5pq99pxgqstywxn6jhcm73
CONNECTION INFO: 
  - Network: regtest
  - Electrum server to connect to blockchain: 0.0.0.0:50002:t

NOTE: These options might be useful while connecting to the wallet, e.g --regtest --oneserver -s 0.0.0.0:50002:t
Hacker wallet must have 0 balance to earn your flag. We want back them all.

Options:
1) Get flag
2) Quit
Enter your choice: 1
HTB{n0t_y0ur_k3ys_n0t_y0ur_c01n5}

Flag:

HTB{n0t_y0ur_k3ys_n0t_y0ur_c01n5}
