Table of Contents

Junior Black Teaming ISTS: Blockchain Explorer

Ryan Cheevers-Brown: Photo of 2022 ISTS competition by RITSEC, used on post about blockchain smart contracts.

Introduction

This post is about my experience on the 2022 Information Security Talent Search (ISTS) Junior Black Team. My Black Team mentor was Max Fusco (RITSEC Techlead ‘21 and Vice President ‘22), and my project was to create a blockchain explorer. This post does not detail how to make a blockchain explorer, but it does cover a bit about blockchain smart contracts. Instead, it highlights my experience being on the Junior Black Team.

What is Black Teaming?

The Black Team develops, builds, and maintains the competition and its infrastructure. Black teaming is typical in the security competition space but is not as common in overall security culture as red, blue, and purple teaming.

by Mindsight

What is ISTS?

ISTS is an annual three-day competition hosted in the early spring at the Rochester Institute of Technology (RIT) by RITSEC. Competitors from around the country face security challenges, including topics like defensive and offensive capabilities, system administration, software security, networking, and programming. Challenges and activities include a thematic game, Capture the Flag, King-of-the-Hill, policy writing, incident response, and code review—all while defending a completely student-built infrastructure.

Initial reconnaissance

First, Max assigned two video series on Blockchain and Ethereum: Blockchain For Beginners by Tech With Tim and Ethereum Tutorials by thenewboston. 

During this stage, I learned three critical pieces of blockchain: cryptographic functions, private keys, and public keys.

Cryptographic hash functions

Complex algorithms known as cryptographic hash functions are applied to data, making the data unreadable to humans. The functions do not have an inverse, and their return value is uncorrelated to the input; this makes the return value very hard to decrypt. Additionally, the functions create a unique return value. Furthermore, many modern-day algorithms are so diverse that it is difficult to find collisions (when two input values have the same return value).


🌸👋🏻 Let’s take this to your inbox. You’ll receive occasional emails about whatever’s on my mind—offensive security, open source, academics, boats, software freedom, you get the idea.


Private keys

An account’s private key is derived from a given master password or “seed phrase.” Private keys are required to send money and access other sensitive account information. Furthermore, private keys sign all valid transactions to ensure non-repudiation of transactions. The key is never stored in plain text.

Public key

Public keys are paired with private keys and can be shared. All public keys are derived from a private key. However, you cannot use the public key to calculate back to the private key. In other words, public keys do not reveal anything about the private key.

User accounts’ addresses are simplified versions of the public key.

What is a blockchain explorer?

A blockchain explorer allows users to peruse through translations and transaction details on the blockchain like addresses, hashes, time, and wallets. Each type of cryptocurrency has its own blockchain explorer. My explorer works on a chain of the Ethereum network.

Etherscan is a blockchain explorer where users can search an address, view that address’ transactions, and see each transition’s details. For example, the miner, gas price, fees, dates, and time.

Test network

I downloaded the chromium Metamask extension to use the Goerli Test Network. The test network allowed me to simulate an Ethereum environment. 

Connecting to the alternate chain

Max created an alternate chain where he owned all the ETH. He also made the Remote Procedure Call endpoint publicly accessible, allowing me to connect to the chain from Metamask. The goal of the alternate chain was to allow ISTS participants to have tons of fake ETH. The participants would use my blockchain explorer on this network. 

Programming

Once the VPN was configured, I created smart contracts using the tutorials. I made around fifteen contracts for the blockchain explorer. I used Remix, an Ethereum IDE, to test them.

Creating and running smart contracts

Smart contracts are bits of code that sit on the blockchain; they are similar to state machines [if x, if y]. Users can view or change the contract by deploying a translation, a byte code signal that connects to the Ethereum network. Additionally, blockchain smart contracts need to be manually triggered (“calling”) to do something; in other words, they are not always running.

“Calling” a smart contract refers to when you send code over to the Ethereum network to request an operation be performed on the contract. 

Gas, a form of money, is needed every time someone interacts with a contract on the Ethereum network. As a result, we have to set a limit for the maximum amount of gas we can allocate to run the contract. Users call contracts from their block account; however, contracts can call other contracts, too.

Reconnaissance

I read Blockchain Explorer Tutorial: What Is A Blockchain Explorer? by Software Testing Help and What does it take to make your own blockchain explorer? by Boris Savic. I also watched How to Build an Ethereum Blockchain Explorer Dapp by Blockgeeks.

Check-in: the first roadblock

Unfortunately, I misunderstood the assignment. I thought I was supposed to be creating a blockchain explorer using smart contracts. However, I was supposed to learn about the blockchain, find a blockchain explorer, dockerize it, and deploy it. Thus, I needed to find a blockchain explorer.

Expedition

I found a few Ethereum blockchain explorers, but Expedition seemed to be the closest to what I wanted. You can view a demo of Expedition here.

History of Expedition

Xops forked the Expedition from etclabscore after they abandoned the project. As of May 2022, xops maintains Expedition, but updates are few and far between.

Alternatives

I also looked at BlockScout, but it was a bit complex for what we wanted. Furthermore, it did not work with Docker properly. In all fairness, it developed to run on Ansible.

Installing Expedition

Following mostly the README.

Create folder for the project, and change your current working directory to the folder:

$ mkdir explorer 
$ cd explorer

Clone the project and install dependencies:

$ git clone https://github.com/xops/expedition.git && cd expedition && npm install

Start explorer:

$ npm start 

It will load on localhost (port 3000), but make sure to give it around a minute or so to load. The terminal will update you when the browser loads it too. 

Docker

What is it?

“Docker is an open source containerization platform. It enables developers to package applications into containers—standardized executable components combining application source code with the operating system (OS) libraries and dependencies required to run that code in any environment. Containers simplify the delivery of distributed applications” (IBM). It hosts containers on the Docker Engine. 

Why are we using Docker?

We used it for the ability to test our work in a safe space; for example, if there was a bug in our code, we could stop the docker instance, modify our code, and redeploy it. In other words, I was using this to run, test, and debug my implementation of Expedition. 

Install Docker on Ubuntu

All information in this section was obtained from: Install Docker Engine on Ubuntu. This part just condenses it.

Uninstall old versions of Docker (in case you have it and do not know about it):

$ sudo apt-get remove docker docker-engine docker.io containerd runc 

Prepare environment:

$ sudo apt-get update
$ sudo apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

Add Docker’s official GPG key:

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg 

Set up stable repository:

$ echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install latest version of Docker:

$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli containerd.io

Verify that Docker Engine is installed correctly by running the hello-world image:

$ sudo docker run hello-world

Deploy night: the second roadblock

I was able to set up Expedition and run it on multiple networks, including the ISTS Ethereum network. Unfortunately, whenever the user switched pages in the user interface, it would disconnect from the ISTS network, and the user had to log in again. This was extremely inconvenient. I was figuring this stuff out on Deploy Night (the date the tools are deployed, usually the night before a competition), so there was limited time to fix it. Both Max and I spent a lot of time debugging, but nothing worked. By the end of deploy night, we decided that it was best not to deploy my project.

Conclusion

I know this is an abrupt ending to the blog post, but sometimes, things do not work out. Roadblocks occur, bugs persist, and time constraints close in. As a result, some tools and projects are not deployed. This is what happened in my case! However, I learned a lot and hope my documented experience is valuable for future Junior Black Teamers. I hope you enjoyed reading about my experience on RITSEC’s Junior Black Team and my limited knowledge of blockchain smart contracts.

Huge thanks to my mentor, Max Fusco, for constructing a thoughtful and creative project and ensuring this experience provided educational growth regardless of the deployment outcome.

If you enjoyed this post, checkout my articles on hacking, cybersecurity competitions, and RITSEC.

Portrait of Olivia Gallucci in garden, used in LNP article.

Written by Olivia Gallucci

Olivia is an honors student at the Rochester Institute of Technology. She writes about security, open source software, and professional development.