Bitkoff Bank - Cybrics Quals 2019


This challenge is a web based challenge, here is the registration/login page: Web

After the registration we are provided with a simple web interface for mining coins: UI

We immediately see that we need 1 USD to buy the flag, we can mine 0.0000000001 BTCs with a click and we can convert BTC into USD and viceversa.

The thing that immediately came to my mind is to use curl to automate the BTC mining, so this is the command I used:

for i in {0..10000000}; do
curl -i -s -k  -X $'POST' -H $'Cookie: name=samir; password=samir' \
    -b $'name=samir; password=samir' \
    --data-binary $'mine=1' $'' 2>&1 &

I’ve done the request appending & to the command so that it forks in the backround, making the mining process much faster. I know it could have been done better, probably with python and async requests, but there were 12+ hours.

After less than one hour the amount of BTCs allowed us to buy the flag.



Note: buying the auto-miner was not a good idea because you could have bought as many as you want but they were doing only one click a second. And even then, the page would refresh every second, making the page containing the flag disappear. Luckily, I had burp intercepting the traffic.