# Warren Buffer

WarrenBuffer.pcap contains a series of HTTP requests. Examining them as HTTP streams, we saw that the requests differ from each other in the last 2 symbols of the User-Agent header. Figure 1 shows an example HTTP stream, and Figure 2 shows the difference between the User-Agent values.

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-quals-writeups/master/pictures/2021-03-07-23-25-20.png)

Figure 1 – Example of HTTP-stream

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-quals-writeups/master/pictures/2021-03-07-23-25-25.png)

Figure 2 – Difference between every User-Agent

These symbols are hex bytes. Converting them to ASCII text gave the following link: https://ghostbin.co/paste/yqtsek93, but this web resource requires a password. The password is in the last HTTP stream, which is shown in Figure 3.

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-quals-writeups/master/pictures/2021-03-07-23-25-30.png)

Figure 3 – HTTP-stream that contains password
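
The User-Agent decoding step described above, as an added example that is not part of the original writeup. It generalizes slightly by locating the varying part through the common prefix instead of hardcoding the last two characters; the request heads, the base User-Agent string and the hidden value are constructed sample data, and the function names are hypothetical.

```python
import os.path
import re

# Constructed sample data: raw request heads in capture order. The base
# User-Agent string and the hidden value are made up for this example.
HIDDEN = b"https://example.test/p"
BASE_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0 "
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    f"User-Agent: {BASE_UA}{byte:02x}\r\nAccept: */*\r\n\r\n"
    for byte in HIDDEN
]


def user_agent(request):
    """Return the User-Agent value of one raw HTTP request head, or None."""
    for line in request.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return None


def decode_varying_suffix(requests):
    """Decode the hex characters that differ between User-Agent values.

    Returns the decoded bytes, or None when the headers do not differ by a
    fixed-width hex suffix (ordinary traffic).
    """
    agents = [ua for ua in map(user_agent, requests) if ua]
    if len(agents) < 2 or len({len(ua) for ua in agents}) != 1:
        return None
    width = len(agents[0]) - len(os.path.commonprefix(agents))
    if width % 2:
        width += 1  # a shared leading hex digit was absorbed by the prefix
    suffixes = [ua[-width:] for ua in agents] if width else []
    if not suffixes or not all(re.fullmatch(r"[0-9a-fA-F]+", s) for s in suffixes):
        return None
    return bytes.fromhex("".join(suffixes))


if __name__ == "__main__":
    print(decode_varying_suffix(SAMPLE_REQUESTS).decode("ascii"))
```

The same check works as a detection heuristic: a run of requests whose User-Agent values share a long prefix and differ only in a fixed-width hex tail is worth a closer look.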

Entering the password gives the paste content, which is base64-encoded data. This data can be converted to a JPEG image. The decoded picture is shown in Figure 4.

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-quals-writeups/master/pictures/2021-03-07-23-25-36.png)

Figure 4 – Base64-decoded picture

The interesting part of this picture is a block with the text “My bytes are washed by 7d76830dDDBBA391F542cCbc3E598Df392a3F274”.
The value 7d76830dDDBBA391F542cCbc3E598Df392a3F274 looks like an address on the Ethereum blockchain. There is no such address on the real Ethereum network, but there is one on the Ropsten test network. The blockchain explorer is shown in Figure 5.

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-quals-writeups/master/pictures/2021-03-07-23-25-41.png)

Figure 5 – Blockchain explorer

One of the transactions has interesting content, which can be seen in Figure 6.

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-quals-writeups/master/pictures/2021-03-07-23-25-46.png)

Figure 6 – Interesting input data in the transaction

Among the transactions of the receiver’s account (0x0f9ede1bc4cb11e614fa739df6e303f9ab19335d) we can see a smart contract creation. The receiver’s transactions are shown in Figure 7 and the smart contract creation is shown in Figure 8.

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-quals-writeups/master/pictures/2021-03-07-23-25-50.png)

Figure 7 – Receiver’s transactions

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-quals-writeups/master/pictures/2021-03-07-23-25-55.png)

Figure 8 – Smart-contract creation

The “input data” field contains the compiled smart contract. We used the online decompiler https://ethervm.io/decompile to get the disassembly of the contract. The disassembly is shown in Figure 9.

![](https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-quals-writeups/master/pictures/2021-03-07-23-26-00.png)

Figure 9 – The smart-contract code

The 3 underlined strings in the figure above are hex values of the flag. After converting the hex to ASCII, we got the flag.

Flag: HTB{1a4b20ec17323f20909c224614308f09}.

Original writeup (https://raw.githubusercontent.com/kukuxumushi/HTBxUNI-CTF-quals-writeups/master/Warren.md).