Exploit a Smart Contract
|
|
|
|
|
|
|
Hints :
|
|
Burning
Ring of fire
Luigi
|
|
|
|
Challenge is : Exploit flaws in a smart contract to buy yourself a Bored Sporc NFT. |
|
|
If we look at the BSRS (The Bored Sporc Rowboat Society https://boredsporcrowboatsociety.com/, there are two sections : Gallery and Presale |
|
|
The presale has some very important notes : The presale is only available to those select individuals who have earned a place on our exclusive presale list. you're gonna want to make sure that your wallet address is on the approved list. To check if you're on the list, enter your wallet address and the string of proof values that we gave you when we told you that you were on the pre-approved list. Before you do anything else, it's always good to be sure you're doing everything right and your address is validated as being on the list (it's actually something called a Merkle Tree... very high-techy-techy stuff) |
Based on above notes, we can conclude there is a list of pre-approved wallet addresses based on Merkle Tree maintained by the website. When we enter our wallet address on this page and some "proof" values ( we need to understand what they are), they are going to be checked if they are in the list. |
|
As a first step, let us try putting our wallet address which is 0xBC94c917D66B2eB6b4209ccEEe58297D63512CE5 and some test hex values. On repeated tests, we see an interesting root value [0x52cfdfdcba8efebabd9ecc2c60e6f482ab30bdc6acf8f9bd0600de83701e15f1] hardcoded in in the bsrs.js which always being sent in the payload request as if being hardcoded. This may of interest later. |
|
|
|
|
|
|
|
|
Then we watch the below talk by Prof. Qwerty Petabyte as noted in the hint Prof. Qwerty Petabyte, You Can Still Have Fun With Non-Fungible Tokens | KringleCon 2022 |
|
|
This talk notes that Merkle tree are data structures that is used in various purposes in NFT contracts and cites "creating pre-sale allow-list" as an example. So, we need to understand Merkle tree first because the BSRS challenge is about a pre-sale list and this is the relevant section from the talk which explains it very well. |
|
|
|
|
|
|
|
|
But its the section "why Merkle trees are interesting" of the talk which is very useful for this challenge. We note what Prof Petabyte says in the talk : If we are trying to verify/prove the leaf node belongs to our tree we need :
|
|
|
Prof Petabyte also notes that they would make some code available in Github. Which GitHub repo is it? |
|
|
Googling QwertyPetabyte reveals their twitter handle https://twitter.com/qpetabyte?lang=en One of the tweets [https://twitter.com/QPetabyte/status/1602315534049153024] notes the Github repo : |
|
|
The Github
repo has a python script to build our own Merkle tree. All It needs is a list
of hex values and it will build a Merkle tree. |
|
|
|
|
So, we will build our own Merkle tree using supplying our own wallet address and a null hex value |
|
|
|
|
|
Now executing the changed script |
|
|
It has generated a Merkle tree with a its own root and proof values. |
|
|
|
|
|
As we know the BSRS pre-sale page is checking the entered wallet address in its Merkle tree and of course It won't exist. BUT what if we pass our own Merkel tree to the Pre-sale page. How do we do that? What if we send root value of our Merkle tree instead of their original root value and send our proof values along with our wallet address. |
|
|
First intercept the traffic by keeping the "Validate" checkbox checked using Burpsuite and send the traffic to repeater. Then change the request payload with below values |
|
|
|
|
|
Root: 0x5c0f93e7858ad6f8aead855b1d145d416cb5051e3560142c8c34b53849e60447 Proof: 0x5380c7b7ae81a58eb98d9c78de4a1fd7fd9535fc953ed2be602daaa41767312a Wallet Address : 0xBC94c917D66B2eB6b4209ccEEe58297D63512CE5 |
|
|
And looks like we are in the list as the response is : |
|
|
|
|
|
Next we uncheck the "Validate" checkbox and then send the transaction |
|
|
|
This time we see below response : There was some sort of issue with us getting the 100 KC. Please make sure you have all the information correct. |
|
|
|
The transaction is valid but cannot complete because of insufficient funds. So, I need to pay 100KC to the wallet address of BSRS with below information : My key : 0x463686edf52a3d812412ee1abbaadf64ea440fbc788dfb06ead3700371122ef7 To Address : 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a Amount (KC) 100 |
|
|
|
Now that we have paid 100KC. We go back to burp suite and submit the transaction with validate set to "true" We immediately see the below success message in the response and web app shows objective completed. |
|
"Success! You are now the proud owner of BSRS Token #000286. You can find more information at https://boredsporcrowboatsociety.com/TOKENS/BSRS286, or check it out in the gallery!<br>Transaction: 0x93a2a4544d514398ccc44b4b3d58414bfb2b3670aee1e630dd244f39164f5cca, Block: 78709<br><br>Remember: Just like we planned, tell everyone you know to <u><em>BUY A BoredSporc</em></u>.<br>When general sales start, and the humans start buying them up, the prices will skyrocket, and we all sell at once!<br><br>The market will tank, but we'll all be rich!!!" |
|
|
|
The achivement is now unlocked and we get 100 coins as well. |
|
|
|
Going to the URL https://boredsporcrowboatsociety.com/TOKENS/BSRS286 noted in the response message shows below. |
|
|
|
Going to the above link shows my first ever NFT |
|
|
|
At this point we have recovered the burning ring of fire! |
|
|
