Hack The Box Money Flowz Writeup

Hack The Box Money Flowz

Money Flowz is an easy Opensource Intelligence (OSINT) gathering exercise created by Sm4rtK1dz on Hack The Box. Hello world, welcome to Haxez. in this post I’m going to track down where Frank Vitalik’s money flows. Notably, I assume that this is an Ethereum blockchain-based challenge as Ethereum was created by Vitalik Buterin. I wanted to do this challenge because I’m taking part in the 2023 CTF and there are blockchain challenges. Sadly, this didn’t help.

The Challenge Money Flowz

Navigating to the challenge, we aren’t given much information. In fact, all we are given is the following “Frank Vitalik is a hustler, can you figure out where the money flows?”. indeed, the first thing I did was perform a basic google dork for the name Frank Vitalik. As can be seen, there are a lot of results. Obviously, some of these results are even for walkthroughs of the challenge. We need to be careful not to click those.

Google Dork

The Freecoinz Scam

After stalking through his Reddit user’s post history I stumbled upon a link to a scam. The scam claims to give you free crypto if you send crypto. Sadly this was (and potentially still is) a popular crypto scam. Twitter used to be full of bots impersonating Elon Musk claiming that he would give you free crypto. Anyway, the page gives you an Ethereum address. Furthermore, there is also a comment that suggests what network we should investigate.

Wow! I can't believe they are giving free coins into the ropsten net!
The Scam

RIP Ropsten and Proof Of Work

Ropsten was a test network for Ethereum, one of the largest and most popular blockchain networks. It was designed to provide developers with a way for testing their smart contracts. Ropsten was a “testnet” that mimiced the main Ethereum network. It had the same functionality, but the key difference was that its native currency had no real-world value. Ropsten Ether (Ropsten ETH or “test ETH”) couldbe obtained for free from certain faucets or could be mined using specialized software.

Using Ropsten, developers can deploy and test their smart contracts and dApps in a sandbox environment. This meant that they could deploy contracts without worrying about potentially expensive mistakes. Once the testing is complete and any bugs or issues are resolved, the code can then be deployed on the main Ethereum network with greater confidence.

As you may be aware, Ethereum deployed a massive change to the way in which its blockchain works. BitCoin uses a model called proof of work. Miners solve complicated maths puzzles and are rewarded with BitCoin. Without going too deep, this verifies the integrity of the blockchain. Ethereum used to be based on this model too. However, you may also be aware that mining for cryptocurrency uses a lot of energy. Therefore, environmentalists have spoken out against crypto mining.

Ethereum and Proof Of Stake

Ethereum changed the model from proof of work to proof of stake. Proof of Stake (PoS) is a consensus algorithm used to secure and validate transactions on the network. Additionally, validators are chosen to create new blocks and validate transactions based on the amount of cryptocurrency they “stake”.

Instead of relying on computational power (as in Proof of Work) to secure the network, PoS systems rely on validators. Furthermore, these validators are incentivized to act honestly because they stand to lose their staked cryptocurrency.

The process of staking involves locking up a certain amount of cryptocurrency as collateral. Then, it is used to participate in the consensus process. Validators are then randomly selected to create and validate blocks based on the amount of cryptocurrency they have staked. Validators earn transaction fees and newly minted cryptocurrency as a reward for their work.

PoS is considered to be more energy-efficient than Proof of Work. To explain, it does not require large amounts of computational power to validate transactions. Furthermore, It is also generally considered to be more secure. It is more difficult and expensive to acquire a large amount of cryptocurrency to manipulate the network.

Solving Money Flowz

If you’ve tried to solve this challenge recently then you may have noticed that the blockchain explorer is no longer available. To my knowledge, there is no way to solve this challenge via the intended method. As you can no longer query the chain, you can no longer find the transaction containing the flag. Unfortunately, this means I can’t demonstrate how to do it but I will leave the flag below. I do wonder whether it’s possible to retrieve the blockchain somehow. Like a wayback machine for blockchains. Granted, most blockchains don’t need one.