search

Recovery - Blockchain

hashtag
Task

We are The Profits. During a hacking battle our infrastructure was compromised as were the private keys to our Bitcoin wallet that we kept. We managed to track the hacker and were able to get some SSH credentials into one of his personal cloud instances, can you try to recover my Bitcoins?

Username: satoshi Password: L4mb0Pr0j3ct

NOTE: Network is regtest, check connection info in the handler first.

hashtag
Solution

We get SSH credentials satoshi:L4mb0Pr0j3ct and the number of 3 different port numbers 53834, 51098, 24985. We can connect to the first port, which is 53834 using netcat: 

szczygielka@hacks$ nc 94.237.52.22 53834 
Hello fella, help us recover our bitcoins before it's too late.
Return our Bitcoins to the following address: bcrt1qxlxdn5zk02yt255z5pq99pxgqstywxn6jhcm73
CONNECTION INFO: 
  - Network: regtest
  - Electrum server to connect to blockchain: 0.0.0.0:50002:t

NOTE: These options might be useful while connecting to the wallet, e.g --regtest --oneserver -s 0.0.0.0:50002:t
Hacker wallet must have 0 balance to earn your flag. We want back them all.

Options:
1) Get flag
2) Quit
Enter your choice:

According to the information we get to obtain the flag we need to find some way to recover Bitcoins from the hacker and send them to the following wallet address:

The connection information indicates that we need to use Electrum Bitcoin Walletarrow-up-right to send the money. Moreover, this port will be used to get the flag. Let's establish an SSH connection with the attacker machine:

In satoshi user's home directory we can find a directory called wallet which contains the electrum-wallet-seed.txt file. This file contains 10 words:

As the electrum-wallet-seed.txt file name suggests these words are the seed we should use to recover the attacker's wallet. To recover the attacker's wallet, we need to install Electrum.

hashtag
Electrum

Electrum can be downloaded from herearrow-up-right. After installation, we have to run Electrum in regtest mode using as the server the IP of the attacker and the third port which is 24985:

On the Electrum start screen, we can choose which wallet we want to use, in this case, we want like to recover the wallet, so we can continue with the default wallet name:

Leave the Standard wallet option selected and click Next:

Then we select the I already have a seed option and we go to the next window:

Then let's enter the seed, which is the 10 words found in the electrum-wallet-seed.txt file:

Leave the wallet password blank and click Finish:

We successfully recovered the attacker's wallet with 1000 Bitcoins. Now we have to make a transfer. As the transfer amount we have to set 999.835 BTC, due to we have to pay 0.165 BTC as the mining fee:

After sending payment, we should be able to obtain a flag. Let's connect using the netcat as before and select 1 to get the flag:

Flag:

PreviousRussian Roulette - BlockchainNextPrimary Knowledge - Crypto

Last updated