Recover the Burning Ring of Fire
5.3 Exploit a Smart Contract
Exploit flaws in a smart contract to buy yourself a Bored Sporc NFT. Find hints for this objective hidden throughout the tunnels.
Hint(s)
Solve
ANSWER:
WalletID: 0x40d9F41e7a951C301FD7eBCB31E6A96f6C61992e
Root: 0x5a657105c493a1213c976c653e929218bb4a516bca307dce5861ec23fffa4e58
Proof: 0x5a657105c493a1213c976c653e929218bb4a516bca307dce5861ec23fffa4e
Terminal answers
1.- Look at the source code of the web app and the arguments it provides.
Arguments to Modify:
WalletID:
Root:
Proof:
2.- Read a bit of theory to better understand Merkle trees.
https://decentralizedthoughts.github.io/2020-12-22-what-is-a-merkle-tree/
3.- The big hint was provided through the talk by "Professor Petabyte": there is a Docker container with a Python script ready to be used.
$ git clone https://github.com/QPetabyte/Merkle_Trees.git
$ cd Merkle_Trees
$ sudo docker build -t merkletrees .
$ sudo docker run -it --rm --name=merkletrees merkletrees
4.- Once we understand Merkle trees, we can use the Python code to create a basic tree with any number of "leaf" nodes.
5.- Read the challenge in depth: we need to know our "proof" and our own "root" as well, based on our own wallet ID.
6.- Read the comments in the Python code closely; they contain a lot of hints. The important piece is the array with two "leaf" nodes.
7.- My first attempt was to extract at least eight valid wallet IDs (from some other players) and see what happens if I add my wallet ID. Suppose I am in the same blockchain as the players?
8.- Wrong! Python generated a valid proof and root, but this is not the correct way.
9.- Reading the code in more depth, after some nights of experiments with a lot of theories, finally we just need a simple proof and root from my wallet ID, right?
10.- Modify the current array so it has only two "leaf" nodes: that means adding your wallet ID and a "null" value. That could be enough to know your proof and root from my wallet ID.
11.- Run the Python script again with the new values:
mt_user@a59aca8cc3d9:~$ python3 merkle_tree.py
Root: 0xd53bb3cb4648f394794570f7ce6d91b5f111fdc6806dffed36eacdea9e8d666a
Proof: ['0x5a657105c493a1213c976c653e929218bb4a516bca307dce5861ec23fffa4e58']
mt_user@a59aca8cc3d9:~$
12.- Now use Burp to modify the arguments and send the correct data:
WalletID: 0x40d9F41e7a951C301FD7eBCB31E6A96f6C61992e
Root: 0x5a657105c493a1213c976c653e929218bb4a516bca307dce5861ec23fffa4e58
Proof: 0x5a657105c493a1213c976c653e929218bb4a516bca307dce5861ec23fffa4e
13.- Voilà! FLAG! See your new BoredSporc (avatar).
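Why a self-built two-leaf tree passes when the root travels in the same request as the proof, shown beside a check that pins the root server-side. This is an added example, not the challenge's or the Merkle_Trees repository's code. SHA-256, sorted-pair hashing, the constructed wallet strings and all function names are assumptions chosen so it runs with the standard library, so its hashes will not match the values above.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the hash the real contract uses.
    return hashlib.sha256(data).digest()

def hash_pair(a: bytes, b: bytes) -> bytes:
    # Assumed convention: sort the pair so proofs need no left/right flags.
    return h(min(a, b) + max(a, b))

def build_levels(leaves):
    """Return every level of the tree, leaf hashes first, root last."""
    levels = [[h(leaf) for leaf in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                      # odd level: duplicate last node
            cur = levels[-1] = cur + [cur[-1]]
        levels.append([hash_pair(cur[i], cur[i + 1])
                       for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index):
    """Collect the sibling hash at each level below the root."""
    proof = []
    for level in levels[:-1]:
        proof.append(level[index ^ 1])
        index //= 2
    return proof

def verify(leaf, proof, root):
    node = h(leaf)
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root

ALLOWLIST = [b"wallet-A", b"wallet-B", b"wallet-C", b"wallet-D"]  # constructed
PINNED_ROOT = build_levels(ALLOWLIST)[-1][0]  # computed once, kept server-side

def check_trusting_client(wallet, proof, client_root):
    # Weak: proof and root come from the same untrusted request.
    return verify(wallet, proof, client_root)

def check_pinned(wallet, proof, client_root=None):
    # Hardened: any root sent by the client is ignored.
    return verify(wallet, proof, PINNED_ROOT)

def demo():
    own = build_levels([b"wallet-X", b"\x00"])  # outsider plus a null leaf
    proof, root = make_proof(own, 0), own[-1][0]
    member = make_proof(build_levels(ALLOWLIST), 2)
    return (check_trusting_client(b"wallet-X", proof, root),
            check_pinned(b"wallet-X", proof, root),
            check_pinned(ALLOWLIST[2], member))
```

`demo()` returns the results for the outsider against the weak check, the outsider against the pinned check, and a real allowlist member against the pinned check.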