Capture the Flag (Shut up and take my money)

[nothingismagick]

In case you didn't see the blog post, here is a verbatim copy of the text:

Shut up and take my money

It's never a good thing to be too confident, but at the same time we have to gain your trust by asking you to verify our faith in Stronghold. This is why, alongside the "Attack-a-thon", we are going to be running a Capture the Flag (CTF) challenge until Chrysalis (April 21st, 2021).

Somewhere, hidden in the blog page you can discover a flag (clue) that will help you to find a Stronghold Snapshot. This snapshot was created using the Stronghold CLI at git revision 93d1dfa12235f4c769a714a1cf39a4222b4ecc27 . Once you find it, the rest of the CTF is 100% self-contained in that snapshot. In other words, there are no external resources available anywhere to help you, so really, do not waste your time trying to break into any other systems.

In the snapshot's store, there is a flag to prove you got inside. The vault, however, contains a current IOTA Mainnet seed in a secret vault/path that is another flag. This seed holds 3.78 GIOTA. At the time of this writing, that has a value of ~5000 USD. The only prize is the Seed.

Rules

• Only "normal" requests may be made to remote servers / devices (no hacking needed).
• No contacting members of the IOTA Foundation for help / social engineering.
• Working together is ok, but please only submit flags as a team.
• If you have worked on the CTF, please do not submit flags.

Flags

1. In blog hint
2. Snapshot checksum shasum -a 256
3. Store key:value
4. Vault path holding the seed

Hints, help, tips?

Nope. You are on your own here. Not going to happen. Questions asking for help will be deleted.

Submitting Flags

In order to claim a flag, please write an email to [email protected] that includes the following:

1. Your nickname / teams nickname
2. Proof of flag

If it is accepted, you will receive a response and the Leaderboard will be updated.

Leaderboard

As people find flags, they will be posted here.

Nickname	Array of Flags [1,2,3,4]
tsangares	[1,2]
Metz & Aconitin	[1,2]
Jeroen van den Hout	[1,2]
h.mavrodiev	[1,2]
rck#3810	[1]
IotaCanScale	[1]

Postpartum

At the conclusion of the CTF, we will be publishing a write-up on how we set it all up (without disclosing actual secrets).

[felsweg-iota]

Dear Community,

after some internal discussion regarding this challenge on Stronghold, we want to make sure that everyone understands the initial intent, what the achievable goals were, and how we are dealing with the remaining tokens that have not been released to anyone.

One major issue some people had with this challenge was that without knowing the key of the snapshot to decrypt it, it is almost impossible to access any stored information inside it. Or is it? That is what we wanted to find out; Stronghold being an open source project shows how a snapshot is being written to disk - namely the snapshot protocol - and how it adds an additional layer of security to protect the underlying data. We wanted to know, if some of you would be able to circumvent the encryption somehow. Definitely something we haven't thought of. The intention of the challenge wasn't to fool any of you, but to improve our confidence to deliver a truly secure open source product.

We are also very grateful for all the effort that got into trying to solve the challenge, and wanted to say thank you for your support and participation!

Last but not least, the tokens attached to the seed ( and hence to a wallet ) will be transferred to the community treasury. We thought this might be the best solution for all of us.