2023 Business CTF: I'm gRoot

#htb #ctf #crypto #merkle-tree #blockchain #hash-collision

Challenge Information

AttributeDetails
Event2023 Business CTF
CategoryCrypto
ChallengeI’m gRoot
DifficultyEasy

Summary

After uncovering a mole in the government, you discover a backdoor embedded in the blockchain network by the senior blockchain developer. Your task is to detect and exploit this backdoor by forging transaction signatures in a Merkle tree-based blockchain system.

Analysis

The server implements a simple blockchain with:

BlockChain class:

class BlockChain:
    def __init__(self):
        self._mined_blocks = []


    def mine(self, block):
        self.mt = MerkleTree(security=False)  # VULNERABILITY: security=False
        for transaction in block.transactions():
            self.mt.append(transaction.signature())


        root_hash = self.mt.get_state()
        self._mined_blocks.append({
            "number": len(self._mined_blocks),
            "transactions": block.transactions(),
            "hash": root_hash.hex()
        })

The vulnerability is security=False in the MerkleTree initialization, which disables security checks.

Transaction class:

class Transaction:
    def getSignature(self, _from, _to):
        return sha256(_from + _to).digest()

The challenge asks you to provide forged signatures that produce the same Merkle root as the original block.

Solution

The exploit script demonstrates how to reconstruct the Merkle tree and forge alternative transaction signatures:

transactions = [
    'ad8db02cff5116bbad49889f6a78d9f1eafd334947c866d1870aa0fc4e8ce2bb',
    # ... 8 transactions total
]


new_transactions = []
while len(transactions) > 1:
    for i in range(0, len(transactions), 2):
        concat_str = transactions[i] + transactions[i + 1]
        hash_object = hashlib.sha256(concat_str.encode())
        hex_dig = hash_object.hexdigest()
        new_transactions.append(hex_dig)
    transactions = new_transactions

The key steps:

  1. Retrieve the mined blocks from the server (option 1)
  2. Extract transaction signatures from the last block
  3. Rebuild the Merkle tree structure using SHA256 hashing
  4. Provide alternative transaction signatures that hash to the same root
  5. When verified, the server will output the flag

The security=False flag allows the Merkle tree to be manipulated without proper verification.

Key Takeaways

  • Merkle trees are fundamental to blockchain integrity verification
  • Disabling security features in cryptographic code is extremely dangerous
  • Hash collision attacks exploit weaknesses in tree construction
  • Blockchain systems must use properly hardened cryptographic libraries
  • The backdoor demonstrates how subtle code changes can compromise entire systems