Burning Ring of Fire - Exploit a Smart Contract Walkthrough

-

Exploit a Smart Contract

Exploit flaws in a smart contract after completing Blockchain Divination, to buy yourself a Bored Sporc NFT. Find hints for this objective hidden throughout the tunnels.

Difficulty Level 5/5

Next we are being asked to exploit a smart contract and buy ourselves a Bored sporc NFT from boredsporc gallery.

But to be able to make the purchase we will have to be part of the Pre-Sale list and we will have to add ourselves into it.

"Earlier, I overheard that disgruntled customer in the office saying he wanted in on the “rug pull”.If our suspicions are correct, that’s why the sporcs want an invite to the presale so badly. Once the “Bored Sporc Rowboat Society” NFTs officially go on sale, the sporcs will upsell them.After most of the NFTs are purchased by unwitting victims, the Sporcs are going to take the money and abandon the project. Mission #1 is to find a way to get on that presale list to confirm our suspicions and thwart their dastardly scheme! We also think there’s a Ring hidden there, so drop Mission #2 on them and rescue that ring!"

Hint: You’re going to need a Merkle Tree of your own. Math is hard. Professor Petabyte can help you out.

You can change something that you shouldn’t be allowed to change. This repo might help!

Merkle Tree - https://decentralizedthoughts.github.io/2020-12-22-what-is-a-merkle-tree/

Professor Petabyte - https://youtu.be/Qt_RWBq63S8, https://www.youtube.com/watch?v=r3zj9DPC8VY

repo - https://github.com/QPetabyte/Merkle_Trees

After reading about Merkle Trees, we understand that we use merkle trees to add ourselves to the pre-sales list. 

As per the QPetabytes GitHub article, as long we have one leaf node value and other neighbouring tree hash values that allows us to calculate the root value. Then when compared with the pre-known root value, if the calculated value matches, that means that the leaf node belongs to that tree and its Integrity is not tampered.

So then considering wallet addresses as leaf nodes in the merkle tree, by providing our wallet address and with other wallet addresses, we can hash towards the final root value and if the final root value matches to that of the system, then it means that my wallet address is part of the merkle tree providing that exact root (hash value) – means we should be accepted as being part of the pre-sales list. 

But what is the root value of the pre-sales list? – where if we download the Bored Sporc entire webpage within which there is a JavaScript file named “bsrs.js” containing the root value. Is this only client side?

Using the following GitHub link https://github.com/QPetabyte/Merkle_Trees,  lets combine my wallet address and a few other addresses already on the presales list using the provided python script “merkle_tree.py”.

>> git clone https://github.com/QPetabyte/Merkle_Trees.git  

In the merkle_tree.py script, add your wallet address and 2 other wallet address that are already on the gallery page. Then increment the allowlist to 2 to match the number of wallet addresses we have added. Note: allowlist is an array and starting position is 0


If you are facing any package issues with python, follow the below command before execution of python script. Or you can choose to use the merkle_tree docker instance

>> pip install hexbytes web3 eth_typing

>> ./merkle_tree.py

Output:

Root: 0x98871eb564a93c5a15dbacc2e8710facaf451233f2a48cb001b650d7b27f925c

Proof: ['0x3ca7b0f306be105d5e5b040af0e2bc35fb95026afcd89f726e8e94994c312f79', '0xbad43ecb1c06545e8bce7adf738567ea8e2e51e1850960a8b96abbcd3b65bd10']

Now we will have to submit the proof value to pre-sales page along with our wallet address to validate if we are part of the pre-sale list. But before hit the “Go” button. Let’s intercept with Burp and modify the root value from default to our root value generated in our merkle_tree.py output.

Now since we are able to validate ourselves that we are on the pre-sales list by modifying root value, as instructed in the pre-sales page we head down to the nearby KTM, transfer 100 kringlecoin to the Bored Sporc wallet address and come back to collect our Sporc NFT

Now as instructed in the Pre-sales page, we go back to the Bored Sporc website pre-sales page and this time untick the “validate-only” option, enter your wallet address and Proof values generated as before by merkle_tree.py and before you hit “GO” make sure to intercept with Burp. 

In the intercepted traffic, make sure we modify the Root value again from default to the generated root value from merkle_tree.py script and forward the request

Now if you navigate to the URL in the response, provides us with our First bored Sporc NFT that we Hacked ;)

Extra Mile:

After buying your bored Sporc NFT, you can now go back to the blockchain explorer and find your transaction, with mine at Block id 104022. As highlighted in the input translation field we can see our input with our modified root value recorded in the transaction block. Hopefully no one investigates ;)


Full Map

Burning Ring of Fire

Comments

Post a Comment

Popular posts from this blog

SANS Kringlecon 2022 Introduction

-
Image
What Challenges Should You Expect?   This year, the infamously precious 5 Golden Rings have been stolen, and Santa needs your help to recover them. Each ring represents a different quest to defeat cybersecurity obstacles to change the course of the future and defeat holiday treachery:   1. Tolkien Ring (Network Security) - Analyse a PCAP to identify malware, and then analyse logs and create IDS rules to detect such attacks. 2. Elfen Ring (SecDevOps and Supply Chain Attacks) – Identify malicious packages and then attack CI/CD processes to escape a container. 3. Web Ring (Web Application Vulnerabilities and Exploitation) - Identify XML External Entity (XXE) attack and leverage such vulnerabilities to gain access. 4. Cloud Ring (Cloud Security) - Analyse cloud configurations via the command line, identifying possible vulnerabilities and information leakage. 5. Burning Ring of Fire (Cryptocurrency, NFT, and Smart Contract Attacks) - Acquire and spend cryptocurrency, then analyse a
Read more

Tolkien Ring - Wireshark Practice walkthrough

-
Image
By now we should be ready to start out first challenge as part of the Tolkien Ring, which is in relation to Wireshark Difficulty Rating: 1/5 Hints Just have to follow thorough the questions asked in terminal, by analysing the suspicious.pcap file in Wireshark   Solutions 1. What kinds of objects can be exported in the pcap file ?  HTTP Open up suspicious.pcap file in Wireshark, using the export objects option available in Wireshark. Now we can export different types of objects depending on what’s been captured in this pcap. When you choose to export HTTP objects you get to see 3 files, while the export options will be empty.   2. Name of the biggest file you can export ?  app.php (808kB) Within Wireshark in the object export tab for HTTP, you get to see 3 files, among which the biggest file by size 808kb is app.php     3. Packet number where app.php starts ?   687 In the object export tab within Wireshark, first column indicated the starting packet number of the conversation for tha
Read more

Elfen Ring - Prison Escape Walkthrough

-
Image
Prison Escape Challenge Difficulty 3/5 Clone a code repository. Get hints for this challenge from Bow Ninecandle in the Elfen Ring. After completing the Clone with a difference challenge , Getting back on the boat and progressing further through the game, we meet Tinsel Upatree with a terminal named “Prison Escape”, once we click on the terminal we are presented with the following screen that details the challenge and Based on the question, we need to find a hex string that contains the flag that needs to be submitted Seems like we need to find a way to privilege escalate or escape from the limited sandbox to be able to complete the challenge. given we can get linpeas transferred to this system, we will have to manually perform initial enumeration. Based on the above screenshot, Seems like some sort of docker container and now ill have to narrow down the enumeration to docker container escape .  Using the following docker container escape reference cheatsheet, while attempting enumerat
Read more