Santa, Santa, where are you? Are you hidden in the private and the public too? Riddle, riddle, what am I? Find me and I'll give you what is mine.
-
We are given a PCAP, so let's open it in Wireshark.
-
If we sort to only see HTTP traffic by applying the
httpfilter, we see that several requests are made to the/yDENnwqMdkhG9yjj9bJNendpoint with a parameter equal to a single byte in the form/yDENnwqMdkhG9yjj9bJN?=D5. -
If we append all those parameters in the URL we get
D5476E6849AEF8A8c568BD7E47cF6647C8C98485. This looks like hexadecimal, but strangely it is formatted with nearly all capital letters except twocs. -
This is an Ethereum address on the Ropsten test network. For this challenge, I believe you just have to recognize this since there are no other hints. We can look it up on ropsten.etherscan.io.
-
If we look at one of the transactions that were made involving this address, we see that there is content in the "Input Data" field, which is commonly used as a message associated with a transaction. We can see all the transactions on the transactions page and filter by outbound transactions.
-
Going through all 59 transactions and viewing the input data as "UTF-8" reveals the following message (4 characters per transaction):
We are going to get exposed! You should wipe all evidence and enable the ransom killswitch: HTB{54nt4_c4nn0t_tr4c3_th3_m0n3y_r1ght??!}. They hired those technerds to find us but they didn't know that we are better cypherpunks than them!. The message has the flag within it. -
It is possible to script the act of getting the input data for all 59 transactions, either by using an API to a blockchain explorer that supports the Ropsten test network, by actually downloading part of the blockchain, or by automating a web browser to visit the transaction pages on ropsten.etherscan.io and copy the input data. However, writing a script to do this would have taken longer than doing it manually.
HTB{54nt4_c4nn0t_tr4c3_th3_m0n3y_r1ght??!}