<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ethereum Archives - George Gerontakis</title>
	<atom:link href="https://blog.gerontakis.eu/tag/ethereum/feed/" rel="self" type="application/rss+xml" />
	<link>https://blog.gerontakis.eu/tag/ethereum/</link>
	<description>My personal Blog and more 😎</description>
	<lastBuildDate>Wed, 31 May 2023 17:54:50 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>Warren Buffer writeup- Forensics &#8211; Hack The Box University CTF 2020 (HTB UNI CTF 2020)</title>
		<link>https://blog.gerontakis.eu/2023/05/31/warren-buffer-writeup-forensics-hack-the-box-university-ctf-2020-htb-uni-ctf-2020/</link>
					<comments>https://blog.gerontakis.eu/2023/05/31/warren-buffer-writeup-forensics-hack-the-box-university-ctf-2020-htb-uni-ctf-2020/#respond</comments>
		
		<dc:creator><![CDATA[g.gerontakis]]></dc:creator>
		<pubDate>Wed, 31 May 2023 16:29:10 +0000</pubDate>
				<category><![CDATA[CTF]]></category>
		<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Hack The Box]]></category>
		<category><![CDATA[Blockchain]]></category>
		<category><![CDATA[Ethereum]]></category>
		<category><![CDATA[exfiltration]]></category>
		<category><![CDATA[htb]]></category>
		<category><![CDATA[pcap]]></category>
		<category><![CDATA[wireshark]]></category>
		<guid isPermaLink="false">https://blog.gerontakis.eu/?p=14</guid>

					<description><![CDATA[<p>This file is given: The challenge gives us a pcap file, so lets analyze it using Wireshark! Searching Protocols we find some HTTP requests. Lets apply a display filter for HTTP requests only! We discover that 2 bytes of every User-Agent header can be different for each request. It could be hex! Lets strip those [&#8230;]</p>
<p>The post <a href="https://blog.gerontakis.eu/2023/05/31/warren-buffer-writeup-forensics-hack-the-box-university-ctf-2020-htb-uni-ctf-2020/">Warren Buffer writeup- Forensics &#8211; Hack The Box University CTF 2020 (HTB UNI CTF 2020)</a> appeared first on <a href="https://blog.gerontakis.eu">George Gerontakis</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="717" height="374" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image.png" alt="" class="wp-image-15" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image.png 717w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-300x156.png 300w" sizes="(max-width: 717px) 100vw, 717px" /></figure>



<span id="more-14"></span>



<p class="wp-block-paragraph">This file is given:</p>



<figure class="wp-block-image size-full"><img decoding="async" width="975" height="116" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-3.png" alt="" class="wp-image-18" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-3.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-3-300x36.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-3-768x91.png 768w" sizes="(max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">The challenge gives us a pcap file, so lets analyze it using Wireshark!</p>



<figure class="wp-block-image size-full"><img decoding="async" width="975" height="246" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-4.png" alt="" class="wp-image-19" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-4.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-4-300x76.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-4-768x194.png 768w" sizes="(max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">Searching Protocols we find some HTTP requests.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="35" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-5.png" alt="" class="wp-image-20" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-5.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-5-300x11.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-5-768x28.png 768w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-5-953x35.png 953w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">Lets apply a display filter for HTTP requests only!</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="828" height="150" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-6.png" alt="" class="wp-image-21" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-6.png 828w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-6-300x54.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-6-768x139.png 768w" sizes="auto, (max-width: 828px) 100vw, 828px" /></figure>



<p class="wp-block-paragraph">We discover that 2 bytes of every User-Agent header can be different for each request.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="96" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-7.png" alt="" class="wp-image-22" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-7.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-7-300x30.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-7-768x76.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="96" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-8.png" alt="" class="wp-image-23" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-8.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-8-300x30.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-8-768x76.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="90" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-9.png" alt="" class="wp-image-24" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-9.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-9-300x28.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-9-768x71.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">It could be hex! Lets strip those 2 bytes from User-Agent header of every request and assemble them!</p>



<p class="wp-block-paragraph">We can write a python script to parse those bytes from every request or we can just use tshark and extract only those 2 bytes from each request.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="67" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-10.png" alt="" class="wp-image-25" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-10.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-10-300x21.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-10-768x53.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">We convert from hex.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="549" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-11.png" alt="" class="wp-image-26" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-11.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-11-300x169.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-11-768x432.png 768w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-11-953x536.png 953w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">And we get a link.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="693" height="340" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-12.png" alt="" class="wp-image-27" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-12.png 693w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-12-300x147.png 300w" sizes="auto, (max-width: 693px) 100vw, 693px" /></figure>



<p class="wp-block-paragraph">But we need a password.. So lets better search pcap.</p>



<p class="wp-block-paragraph">On the last http GET request we find a password!</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="142" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-13.png" alt="" class="wp-image-28" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-13.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-13-300x44.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-13-768x112.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">So lets try with this one as the password for ghostbin.</p>



<p class="wp-block-paragraph">BINGO!!</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="65" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-14.png" alt="" class="wp-image-29" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-14.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-14-300x20.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-14-768x51.png 768w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-14-953x65.png 953w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">Password was correct and we get a large string that looks like a base64. Lets try to decode from b64!</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="897" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-15.png" alt="" class="wp-image-30" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-15.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-15-300x276.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-15-768x707.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="65" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-16.png" alt="" class="wp-image-31" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-16.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-16-300x20.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-16-768x51.png 768w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-16-953x65.png 953w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">Those are the magic bytes of a jpeg file! Lets convert this base64 into an image.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="226" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-17.png" alt="" class="wp-image-32" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-17.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-17-300x70.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-17-768x178.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">And we get this image.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="531" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-18.png" alt="" class="wp-image-33" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-18.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-18-300x163.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-18-768x418.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">We can clearly see a hash!</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="339" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-19.png" alt="" class="wp-image-34" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-19.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-19-300x104.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-19-768x267.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">It is an Ethereum address of Ropsten Testnet Network!</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="377" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-20.png" alt="" class="wp-image-35" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-20.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-20-300x116.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-20-768x297.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">Lets see the last transaction.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="155" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-21.png" alt="" class="wp-image-36" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-21.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-21-300x48.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-21-768x122.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="348" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-22.png" alt="" class="wp-image-37" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-22.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-22-300x107.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-22-768x274.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph">We can get the flag by viewing Input data of Contract Creation Transaction.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="975" height="637" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-23.png" alt="" class="wp-image-38" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-23.png 975w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-23-300x196.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-23-768x502.png 768w" sizes="auto, (max-width: 975px) 100vw, 975px" /></figure>



<p class="wp-block-paragraph"><strong>HTB{1a4b20ec17323f20909c224614308f09}</strong></p>



<p class="wp-block-paragraph">A more elegant way to find the flag would be to decompile the bytecode of the contract.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="820" height="310" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-24.png" alt="" class="wp-image-39" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-24.png 820w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-24-300x113.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-24-768x290.png 768w" sizes="auto, (max-width: 820px) 100vw, 820px" /></figure>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="910" height="608" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-25.png" alt="" class="wp-image-40" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-25.png 910w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-25-300x200.png 300w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-25-768x513.png 768w" sizes="auto, (max-width: 910px) 100vw, 910px" /></figure>



<p class="wp-block-paragraph">We see those three variables!</p>



<p class="wp-block-paragraph">Lets convert them to string from hex..</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="498" height="368" src="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-26.png" alt="" class="wp-image-41" srcset="https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-26.png 498w, https://blog.gerontakis.eu/wp-content/uploads/2023/05/image-26-300x222.png 300w" sizes="auto, (max-width: 498px) 100vw, 498px" /></figure>



<p class="wp-block-paragraph"><strong>HTB{1a4b20ec17323f20909c224614308f09}</strong></p>
<p>The post <a href="https://blog.gerontakis.eu/2023/05/31/warren-buffer-writeup-forensics-hack-the-box-university-ctf-2020-htb-uni-ctf-2020/">Warren Buffer writeup- Forensics &#8211; Hack The Box University CTF 2020 (HTB UNI CTF 2020)</a> appeared first on <a href="https://blog.gerontakis.eu">George Gerontakis</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://blog.gerontakis.eu/2023/05/31/warren-buffer-writeup-forensics-hack-the-box-university-ctf-2020-htb-uni-ctf-2020/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
