
By Dr Tristan Jenkinson
The CSI Linux CTF – Shake the Cobwebs
As anyone following my updates will have seen, I took part in the CSI Linux CTF over Christmas. The CTF required writing up a report of findings, and I thought that it might be helpful to share the content of my report.
Part One covered the introduction and the first puzzle, which related to the analysis of an audio file… as part of that analysis, some data apparently in Morse code was found.
Part Two dealt with the Morse code found in part one, and some related further investigation work from the CTF, including information from Die Hard (unquestionably a Christmas movie!).
Part Three covered death dates, geolocation, and the investigation of an online article about RisePro malware.
This final section digs into the blockchain behind Bitcoin. The investigation is linked to the article discussed in part three, so if you haven’t read that, I would recommend going back to catch up.
I hope you enjoy, and thank you for following along!
Exploring the Blockchain (Q10, Q11)
Q10: Finding the correct address
Upon submission of the above, I received the below response:

At the bottom of the article, there is a list of IoCs (Indicators of Compromise). The last item listed is a Bitcoin wallet, as shown in the screen capture below:

Note, however, that this Bitcoin address is inconsistent with the section of the article where the Bitcoin wallet is discussed; there, the article (translated in Firefox) states:

The two addresses differ: for example, the 4th character in the second entry is a ‘q’, and several other characters are included in one but not the other.
Both of the above are also inconsistent with the Bitcoin address reported in the screenshot which is included in the article in this section:

The screenshot is most likely to be correct, as it appears to come from an online Blockchain explorer (specifically Blockchain.com/explorer) and would be more complex to alter than the typed addresses. Further, it could be that the others were simply mistyped. The addresses can all be checked for validity using a Blockchain explorer. By design, the Blockchain is publicly available, which means that there are sites that have logged all the wallets, transactions etc. that are stored on the Blockchain. One such example is the Blockchain explorer found at Blockchain.com/explorer.
Using the above Blockchain explorer, I put in each of the addresses from the article. In the order mentioned in this report, these are:
- bc1h55m8erwupc60jzmumhek43c9anwe3qllnq
- bc1qh55m5m8erwc60jzmumhk43c9anwe3qllnq
- bc1qh55m8erwupc60j73zmeuumhk43c9anwe3qllnq
The first two resulted in errors:

and

Whereas the third (from the screenshot in the article) results in a Bitcoin address being located:

This suggests that the first two addresses are incorrect. The response is therefore the third address – bc1qh55m8erwupc60j73zmeuumhk43c9anwe3qllnq.
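The same sanity check can be done offline, without querying an explorer: a bech32 (BIP173) address is self-checking, so a mistyped address fails its checksum or decodes to a witness program of the wrong length. The decoder below is an added example, not code from the original write-up; it runs over the three candidate addresses quoted above, and it generalises to any bc1q… (witness v0) address.

```python
# Added example: offline bech32 (BIP173) check; witness v0 only (v1+ uses bech32m, BIP350).
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]
CANDIDATES = [  # the three addresses as quoted in the article (the third is from the screenshot)
    "bc1h55m8erwupc60jzmumhek43c9anwe3qllnq",
    "bc1qh55m5m8erwc60jzmumhk43c9anwe3qllnq",
    "bc1qh55m8erwupc60j73zmeuumhk43c9anwe3qllnq",
]
def polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk
def convertbits(data, frombits, tobits):
    """Regroup bits strictly (no padding), as BIP173 requires for witness programs."""
    acc = bits = 0
    out, maxv = [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None  # non-zero or excess leftover bits: malformed program
    return out
def decode_p2w(addr, hrp="bc"):
    """Return the 20- or 32-byte witness program of a valid v0 address, else None."""
    if addr not in (addr.lower(), addr.upper()):
        return None  # mixed case is forbidden
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos != len(hrp) or addr[:pos] != hrp or len(addr) > 90 or pos + 7 > len(addr):
        return None
    if any(c not in CHARSET for c in addr[pos + 1:]):
        return None  # e.g. 'b', 'i', 'o', '1' never occur in the data part
    data = [CHARSET.index(c) for c in addr[pos + 1:]]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    if polymod(hrp_exp + data) != 1 or data[0] != 0:
        return None  # checksum mismatch (a transcription error) or not witness v0
    prog = convertbits(data[1:-6], 5, 8)
    return bytes(prog) if prog is not None and len(prog) in (20, 32) else None
def check_candidates(addrs=CANDIDATES):
    """Map each address to True (decodes cleanly) or False (rejected)."""
    return {a: decode_p2w(a) is not None for a in addrs}
```

Calling `check_candidates()` reports which of the three addresses decode; the first is rejected outright because its version character ‘h’ is not ‘q’ (witness v0), and the second because its data part is too short to hold a 20-byte program.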
Q11: Bitcoin calculations
Upon submission of the above, I received the below response:

As noted earlier, by design, all Bitcoin transactions are publicly recorded. I therefore used a Blockchain explorer tool to search for the relevant transactions on the public Blockchain.
Using blockchain.com/explorer (as before), I searched for the wallet of interest: bc1qh55m8erwupc60j73zmeuumhk43c9anwe3qllnq. As before, one result was found.

Clicking on the BTC address brings up the details relating to that wallet. This includes the balance and the various transactions – see the screen capture below:

The transactions are listed in reverse chronological order (i.e. the most recent first). The capture above therefore shows that there were two transactions on 19 November, the date of interest.
One of these is listed as occurring at 18:45:55, and the other at 18:31:44. The first of these matches on minutes and seconds, but differs on the hour, from the time reported in the information provided (12:45:55). This is likely because of time zone differences. I am based in the UK. If the time reported (12:45:55) was local time in Houston, Texas (or anywhere set to Central Standard Time), which is 6 hours behind UK time, the same moment in the UK (Greenwich Mean Time) would be reported as 18:45:55, as seen here.
I note that there are no other possible matching times; further, the only other transaction on the date in question is actually an incoming transaction. On this basis, the 18:45:55 entry is the one of interest.
Clicking on the transaction displays further information, as shown below:

Note that while the website reports dollar values, these are based on the current exchange rate, so do not reflect the value at the time of the transaction, which is what is being sought.
Recall that the request stated “On 11/19/2023 @ 12:45:55 there was a transaction for $318.10. What was the total amount withdrawn from the wallet?” and it is a dollar amount that is being sought.
On the “To” (right) side of the transaction shown in section 6.2.8, the main payment appears in the top entry, and money flowing back into the wallet of interest appears in the bottom entry. At a high level, this is not dissimilar to making a payment to a vendor in cash and receiving change back.
The top right entry is the value of the payment being made. Looking at the value in BTC, this is 0.0082 BTC exactly.
Note that the information provided tells us that the transaction was for $318.10. This means that at the time, 0.0082 BTC was worth $318.10.
This information can be used to calculate the exchange rate in place, using the calculation 318.1/0.0082 = 38,792.68. This means that 1 BTC is worth $38,792.68.
Looking at the left hand side of the above details on the transaction, the full amount taken out of the wallet is 0.01088371 BTC.
Using the above exchange rate, the calculation 0.01088371 * 38,792.68 = 422.21 can be used to convert the Bitcoin value to a dollar value. This means that the total amount withdrawn from the wallet (0.01088371 BTC) was $422.21. The response is therefore 422.21.
“The End” (Q12)
Q12: Back to the beginning
Upon submission of the above value, I received the below response:

Clicking on the provided link, I was provided with the below:

To answer this, I referred back to the information initially provided right back at the beginning of part one in relation to question 1.
The information there included “They woke to find an email that had an attachment of an audio recording and a note that read, ‘We can play too.’”
The response is therefore we can play too. (including the full stop).
Upon submission I received the below information:


One thought on “Shaking the Cobwebs CTF Part Four – Exploring the Blockchain and “The End””