I'm gRoot
Files
Download: crypto_im_groot.zip
Challenge
After decrypting the communication, you uncover the identity of the mole as the senior blockchain developer. Shockingly, the developer had embedded a backdoor in the government’s decentralized blockchain network, originally designed to prevent corruption. You report this critical finding to the government council and are assigned the task of detecting and fixing the backdoor, ensuring the integrity and security of the network.
Recon
The challenge is a remote crypto service centered on a blockchain. The name “I’m gRoot” is a play on the Merkle root of a Merkle tree, the structure used to commit to a block’s transactions. The service exposes a menu over a TCP connection, where option 1 reveals a block’s transactions and option 2 asks us to reconstruct something derived from them.
Analysis
Interacting with the menu, option 1 prints the transactions belonging to “Block: 2”. These transactions are the leaves of a Merkle tree. In a Merkle tree, each leaf is hashed and adjacent hashes are concatenated and rehashed, repeatedly, until a single root hash remains.
The trick this challenge requires is computing the first level of the tree above the leaves: pair the transactions two at a time, hash each one with SHA-256, and concatenate the two resulting digests. Submitting these intermediate values (option 2) proves we understand the tree’s construction and yields the flag.
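Going one step beyond the first level the challenge asks for, this added example (not part of the original writeup or the challenge's source) carries the construction up to the root and checks a transaction's inclusion proof, which is how a modified transaction gets detected. The function names, the sample transactions and the rule of duplicating the last node on odd-sized levels are assumptions; the challenge's own handling of odd levels is not shown on this page.

```python
from hashlib import sha256

def h(data: bytes) -> bytes:
    return sha256(data).digest()

def build_levels(txs):
    """All tree levels: leaf hashes first, the single root hash last."""
    if not txs:
        raise ValueError("block has no transactions")
    levels = [[h(tx) for tx in txs]]
    while len(levels[-1]) > 1:
        cur = list(levels[-1])
        if len(cur) % 2:  # assumption: an odd level duplicates its last node
            cur.append(cur[-1])
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_root(txs):
    return build_levels(txs)[-1][0]

def inclusion_proof(txs, index):
    """Sibling hashes from leaf to root, each tagged with the sibling's side."""
    proof = []
    for level in build_levels(txs)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1  # the other node of the pair
        proof.append((level[sibling], "left" if sibling < index else "right"))
        index //= 2
    return proof

def verify_inclusion(tx, proof, root):
    """Recompute the path to the root; any change to tx breaks the match."""
    node = h(tx)
    for sibling, side in proof:
        node = h(sibling + node) if side == "left" else h(node + sibling)
    return node == root

# Constructed sample transactions (not taken from the challenge service).
TXS = [f"tx-{i}".encode() for i in range(5)]
ROOT = merkle_root(TXS)

if __name__ == "__main__":
    proof = inclusion_proof(TXS, 4)
    print("root:", ROOT.hex())
    print("tx-4 included:", verify_inclusion(TXS[4], proof, ROOT))
    print("forged tx accepted:", verify_inclusion(b"tx-4-forged", proof, ROOT))
```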
Exploitation
The following pwntools script connects to the service, pulls the Block 2 transactions, computes the paired hash(left) + hash(right) values for every adjacent pair, and submits them back as a comma-separated list of hex strings. The final two lines of output contain the flag.
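from hashlib import sha256

from pwn import remote

# Placeholders: set to the address and port of the challenge instance.
HOST = 'IP'
PORT = 0

def sha256_digest(data):
    """Raw SHA-256 digest of a byte string."""
    return sha256(data).digest()

io = remote(HOST, PORT)

# Option 1 prints the block's transactions; read the list for Block 2.
io.sendlineafter(b"> ", b"1")
io.recvuntil(b"Block: 2")
io.recvuntil(b"Transactions: ")
# The list arrives as ['<hex>', '<hex>', ...]; strip brackets and quotes.
m = [bytes.fromhex(x) for x in io.recvline().decode().strip("[']\n").split("', '")]

# Option 2: submit hash(left) + hash(right) for every adjacent pair of leaves.
io.sendlineafter(b"> ", b"2")
ft = []
for i in range(0, len(m), 2):
    t = sha256_digest(m[i]) + sha256_digest(m[i + 1])
    ft.append(t)
io.sendlineafter(b": ", ",".join([x.hex() for x in ft]).encode())

# The next two lines of output contain the flag.
print(io.recvline())
print(io.recvline())
io.close()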