BSidesCBR 2017 CTF Write-Up: Boge Coin Simple

This is a write-up of “Boge Coin” Simple (100 points) from the BSides Canberra CTF.

If you want to try the challenge for yourself, it can be found here: https://github.com/OJ/bsides-2017-ctf-docker/tree/master/misc-bogecoin

Now, let’s get on to the challenge.

Boge Coin was probably my favourite challenge. The concept was fairly simple — mine one Boge Coin. Upon accessing the Boge Coin server, we were greeted with this screen:

The first logical step was to select “Earn BOGE”.

It’s then explained that to earn one BOGE, you need to find a string that starts with a selected nonce and whose SHA1 hash begins with (in the example above) seven 0’s.

Immediately, we decided to write a hashing program in JavaScript. We looked up a SHA1 implementation, and found one that worked straight away.

Bing worked pretty well

With the SHA1 hashing out of the way we wrote a small script to do the mining.

What this does is fairly clear. The one contentious point on the day was the choice of Math.random() over a counter incremented on every iteration of the while loop. A counter wouldn’t have been as good a choice here, because it was important that we could easily multithread, and it is astronomically unlikely that the random approach would produce the same number twice (1 in 10¹⁷ or so). In future, though, it may be better to generate a seed using Math.random() and then increase it by 1 every loop, to cut down on CPU cost.

Boge coin mining with JavaScript is very CPU intensive

Either way, this generated a string which could then be entered into the Boge Coin market, earning one BOGE.

Boge Acquired

We traded the BOGE for a flag, and thus finished the challenge.

Things I’d do differently

In the future, it would be more efficient to tackle a challenge like this in a lower-level language to take advantage of greater speed. It’d be worthwhile learning how to do this kind of thing in C.

Well, this is my last write up from the BSides CTF. As such, I’d like to sincerely thank the organizers. The CTF was great fun, while being immensely educational for me. It was the first time I opened IDA, the first legitimate use I found for CheatEngine, and a nice introduction to CTFs and IT security in general.

In particular, I’d especially like to thank OJ and sw1tch, for all the help they provided on the day. I look forward to BSides Canberra 2018, and all the challenges and learning I will no doubt find there!