diff --git a/404.html b/404.html index 6db8358..0f686e5 100644 --- a/404.html +++ b/404.html @@ -8,5 +8,5 @@ CancelPostsCategories

The page you're looking for doesn't exist. Sorry.  -

+
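Review bot: the removed and added lines that close this hunk are blank once rendered, so the real change is invisible here, and the same one-line swap recurs in every generated page touched by this patch (404.html, the category, tag and post pages); state in the commit which footer or script element was changed so a reader can tell this is one intentional template edit and not stray whitespace. Every touched file also still ends with "\ No newline at end of file"; adding a trailing newline in the generator template would stop the last line from churning on every rebuild.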

\ No newline at end of file diff --git a/categories/index.html b/categories/index.html index 680dbef..f4dfbea 100644 --- a/categories/index.html +++ b/categories/index.html @@ -7,5 +7,5 @@ CancelPostsCategories -
+
\ No newline at end of file diff --git a/categories/web2/index.html b/categories/web2/index.html index 3e776fe..635a27c 100644 --- a/categories/web2/index.html +++ b/categories/web2/index.html @@ -9,5 +9,5 @@ CancelPostsCategories
+10-15
\ No newline at end of file diff --git a/categories/web3/index.html b/categories/web3/index.html index 2beeebf..f7eb4b3 100644 --- a/categories/web3/index.html +++ b/categories/web3/index.html @@ -14,5 +14,5 @@ 01-26
Writeup 404CTF 2022 - Contracts war 1 (web3) 01-26

2022

Challenge Twitter - EVM Puzzles & selfdestruct 12-30
Paradigm CTF - Rescue -12-01
+12-01
\ No newline at end of file diff --git a/index.html b/index.html index 7fb56b2..c10baab 100644 --- a/index.html +++ b/index.html @@ -7,5 +7,5 @@ CancelPostsCategories -
+
\ No newline at end of file diff --git a/page/2/index.html b/page/2/index.html index eec3b83..edcfba7 100644 --- a/page/2/index.html +++ b/page/2/index.html @@ -7,5 +7,5 @@ CancelPostsCategories -
+
\ No newline at end of file diff --git a/posts/geth-dos-with-graphql/index.html b/posts/geth-dos-with-graphql/index.html index ea00e45..d0c51d0 100644 --- a/posts/geth-dos-with-graphql/index.html +++ b/posts/geth-dos-with-graphql/index.html @@ -376,5 +376,5 @@ for thread in threads: thread.join()

This is not a big number, but those servers might have a validator running using those vulnerable instances. Putting Geth down would cause the stakers financial harm since they could not validate attestations (they would even get penalties) and they could not participate in block proposals.

5. Ethereum response

Geth team was very reactive and professional.

Because the GraphQL feature is an option, it is out of scope of the Ethereum Bug Bounty program. More surprisingly, the team has no intention of fixing the issue.

This seems to be tied to the fact that they consider that RPC port should be blocked in terms of Firewalling.

/posts/geth-dos-with-graphql/7-geth-security-old.png
Firewall Disclamer From Ethereum Foundation

This however does not eliminate the issue and it is not difficult to find and exploit vulnerable servers in the wild.

After discussing with the team, they have decided to update the Security page of Geth to warn users about exposing the GraphQL endpoint :

/posts/geth-dos-with-graphql/8-eth-response.png
Mail from Ethereum Foundation

Since September 5th, the Geth webpage was updated. A special part regarding API Security was added, mentioning GraphQL among other topics :

Updated Security page

Back | Home
-
+
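Review bot: the only change in this hunk is the blank "-"/"+" pair before end of file; the context lines are untouched, but two things in them are worth fixing while the page is being regenerated: "Since September 5th, the Geth webpage was updated" gives no year, and the image caption "Firewall Disclamer From Ethereum Foundation" is misspelled (Disclaimer).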
\ No newline at end of file diff --git a/posts/hacktm-dragon-slayer/index.html b/posts/hacktm-dragon-slayer/index.html index d99b2cc..df9ab1b 100644 --- a/posts/hacktm-dragon-slayer/index.html +++ b/posts/hacktm-dragon-slayer/index.html @@ -499,5 +499,5 @@ Health of the Dragon: 0 Health of the knight: 10
Back | Home
-
+
\ No newline at end of file diff --git a/posts/index.html b/posts/index.html index 2f3f1b2..1628c4b 100644 --- a/posts/index.html +++ b/posts/index.html @@ -14,5 +14,5 @@ 03-12
404CTF writeups 01-26

2022

Challenge Twitter - EVM Puzzles & selfdestruct 12-30
Paradigm CTF - Rescue -12-01
+12-01
\ No newline at end of file diff --git a/posts/mevsec-introduction/index.html b/posts/mevsec-introduction/index.html index eb02327..3319677 100644 --- a/posts/mevsec-introduction/index.html +++ b/posts/mevsec-introduction/index.html @@ -86,5 +86,5 @@

We can clearly see that the function withdraw() will transfer all the funds (the 100 ether inside in the contract). However, this function is protected by the modifier onlyOwner() meaning only the owner of the contract can call this function…

Here, this our lucky day because the contract implement a function setOwner() not protected.. Meaning anyone can call the function and take the owner of the current contract.

So to exploit the contract we can do the following steps:

  1. Become owner by calling the function SetOwner() .

  2. Steal the ALL the ether from the contract by calling the function withdraw() .

Now how to do it using the infrastructure of MevSec and flag the challenge?

To start the challenge we need to use curl :

1
 
curl 'http://5.196.27.132:8080/create_challenge?challenge_number=0'
 

/posts/mevsec-introduction/Untitled%202.png
Curl to create a instances of the challenge.

Then, we will all the necessary informations to solve the challenge.

Parameters
RPC link created for the challenges.http://ctf.mevsec.com:50323/
Setup Address contractThe address of the Setup contract, if you need the address of the real challenge contract just check the storage or call the variable vci() (we will do later on this demo)
Contract Address Ethereum (20 bytes) of the challenger0x133756e1688E475c401d1569565e8E16E65B1337
Private key of the challenger to sign transaction and discuss with the blockchain0xedbc6d1a8360d0c02d4063cdd0a23b55c469c90d3cfbc2c88a015f9dd92d22b3
UniqueID The unique instance that will be created for you and will be running for 20 minutes.d3e87459ba9a4e54b6b74b2946dfb3f133fafdc4dcd715ebd2024642117e076a

3. Process to flag.

  1. Using cast we can get the contract vci by using the RPC and the Contract Address using the signature vci() .

/posts/mevsec-introduction/Untitled%203.png
Cast call to get the address of vci contract.

  1. Using cast we get the balance using the using the RPC and the address of the challenge.

/posts/mevsec-introduction/Untitled%204.png
cast balance to get the balance of the current challenge.

  1. Using cast we can send a transaction to the address of the challenge and calling the function setOwner() using RPC and the Private Key

/posts/mevsec-introduction/Untitled%205.png
cast send to send transaction with the function `setOwner()`

  1. Using cast we can send a transaction to the address of the challenge and calling the function withdraw() using RPC and the Private Key

/posts/mevsec-introduction/Untitled%206.png
cast send to send transaction with the function `withdraw()`

  1. Using the curl on the curl 'http://5.196.27.132:8080/ we can see all the possible options.

/posts/mevsec-introduction/Untitled%207.png
CURL to see all the options available including `get_flag`.

  1. To flag the challenge because we have call withdraw() and we steal all the funds we need to use curl with the /get_flag on our UniqueID.

Reminder the instances will be destroy after 20 minutes, don’t hesitate to recreate a instance.

/posts/mevsec-introduction/Untitled%208.png
CURL the get_flag with the UniqueID to flag the challenge.

Voila! Now You got the flag! 😎 Now it’s your turn starting to flag challenge the others to join us and also create new challenges for the new comers! 🔥
Good luck!

4. Socials.

Discord (Join us!)GithubTwitter
https://discord.gg/54Q9pnpQcVhttps://github.com/Ethnical/Swek3https://twitter.com/EthnicalInfo
Back | Home
-
+
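Review bot: the Parameters table in the context lines of this hunk publishes an instance private key ("0xedbc6d1a8360d0c02d4063cdd0a23b55c469c90d3cfbc2c88a015f9dd92d22b3"), a UniqueID and a raw-IP endpoint ("http://5.196.27.132:8080/"); the text says instances are destroyed after 20 minutes, so these are disposable, but say so next to the key itself so nobody reuses it on a real network. Two style points in the same lines: every step under "3. Process to flag." is numbered "1." (five times in a row), and the step "Using the curl on the curl 'http://5.196.27.132:8080/" has a doubled word and an unclosed quote.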
\ No newline at end of file diff --git a/posts/paradigmctf-/index.html b/posts/paradigmctf-/index.html index fb358f0..6aea753 100644 --- a/posts/paradigmctf-/index.html +++ b/posts/paradigmctf-/index.html @@ -401,5 +401,5 @@ fallback() external payable {} } -
Back | Home
+
Back | Home
\ No newline at end of file diff --git a/posts/twitterchallenge-puzzle-bytecode-f31ba85c800f4c42a469490f9c2378c0/index.html b/posts/twitterchallenge-puzzle-bytecode-f31ba85c800f4c42a469490f9c2378c0/index.html index 5c4709c..b2083a3 100644 --- a/posts/twitterchallenge-puzzle-bytecode-f31ba85c800f4c42a469490f9c2378c0/index.html +++ b/posts/twitterchallenge-puzzle-bytecode-f31ba85c800f4c42a469490f9c2378c0/index.html @@ -253,5 +253,5 @@

Challenge Code EVM codes for retrying the challenge!

1
 
**0x4861707079204e65772059656172204576657279626f647921212121212121346100ab573354803d1090421116610034573d3dfd5b69414e65f7405358584fd360801b1860801c60b01b3660e81b016000525a600a3601363d600a373360a01b331760206001360304600101805b808203602002600a01805184189052600190038061006d575050503d3df03d808080936100a0566920434f4e475241545a205b636861645d95f43d3df35b426363b0beef036469696969690234116100c3573d3dfd5b42610fff0133553d3df3**
 
Back | Home
-
+
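Review bot: the bytecode in the code block at the top of this hunk is wrapped in literal "**" markdown bold markers ("**0x4861...3d3df3**"), which the generator does not strip inside a code block; anyone copying the hex into a tool gets the asterisks and a parse error. Remove the markers from the source post rather than from the generated HTML.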
\ No newline at end of file diff --git a/posts/wormhole-ccq-rest-api-dos/index.html b/posts/wormhole-ccq-rest-api-dos/index.html index 3f9fe0f..5005a1d 100644 --- a/posts/wormhole-ccq-rest-api-dos/index.html +++ b/posts/wormhole-ccq-rest-api-dos/index.html @@ -78,5 +78,5 @@
const MAX_BODY_SIZE = 5 * 1024 * 1024
 (...)
 err := json.NewDecoder(http.MaxBytesReader(w, r.Body, MAX_BODY_SIZE)).Decode(&q)
-

5. Wormhole response

CCQ service exists outside of the Guardians, on different servers.
This is by design to ensure minimal running services are on the node that contains the guardian signing and identity (p2p) keys.
Therefore, impacting CCQ could have not caused a Denial of Service on the Guardians.
Also, it is expected that Guardians operators will protect the CCQ feature behind a reverse-proxy and other security equipments.

With that being said, Wormhole has been very proactive and has fixed the issue on the same day of the report, through the PR 3443.

Back | Home
+

5. Wormhole response

CCQ service exists outside of the Guardians, on different servers.
This is by design to ensure minimal running services are on the node that contains the guardian signing and identity (p2p) keys.
Therefore, impacting CCQ could have not caused a Denial of Service on the Guardians.
Also, it is expected that Guardians operators will protect the CCQ feature behind a reverse-proxy and other security equipments.

With that being said, Wormhole has been very proactive and has fixed the issue on the same day of the report, through the PR 3443.

Back | Home
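Review bot: the "-" block and the "+" block of this hunk are identical after rendering, from "5. Wormhole response" down to "Back | Home", so the change is markup-only and a whitespace-insensitive diff should be checked to confirm no text moved. Unrelated to the change but in the same lines: "impacting CCQ could have not caused a Denial of Service" should read "could not have caused", and "through the PR 3443" names no repository or link for the fix the post relies on.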
\ No newline at end of file diff --git a/posts/writeup-404ctf-22/contractswar1/index.html b/posts/writeup-404ctf-22/contractswar1/index.html index 8073b2a..d0b9991 100644 --- a/posts/writeup-404ctf-22/contractswar1/index.html +++ b/posts/writeup-404ctf-22/contractswar1/index.html @@ -465,5 +465,5 @@ Bonjour membre, voici la preuve définitive que vous faites partie de Hallebarde : 404CTF{5M4r7_C0N7r4C7_1NC3P710N_37_UND3rF10W_QU01_D3_P1U5_F4C113} Faites attention, elle ne vous sera délivrée qu'une fois, ne la perdez pas ! -

The golang part was not necessary, but I wanted to show you how to use golang to interact with the contract.

Recommendation

To avoid such vulnerabilities, the safeMath library or the 0.8 branch of the solidity compiler should be used and the transfer() function should implement the appropriate require function.

Back | Home
+

The golang part was not necessary, but I wanted to show you how to use golang to interact with the contract.

Recommendation

To avoid such vulnerabilities, the safeMath library or the 0.8 branch of the solidity compiler should be used and the transfer() function should implement the appropriate require function.

Back | Home
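Review bot: as in the other post pages, the "-" and "+" blocks here are identical after rendering, so only markup changed. In the unchanged Recommendation paragraph, "the safeMath library" is the SafeMath library, and "transfer() function should implement the appropriate require function" does not say what the require should check; naming the condition (the underflow the writeup exploits, per the flag text "UND3rF10W") would make it actionable.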
\ No newline at end of file diff --git a/posts/writeup-404ctf-22/contractswar2/index.html b/posts/writeup-404ctf-22/contractswar2/index.html index 31f7f1b..649fb65 100644 --- a/posts/writeup-404ctf-22/contractswar2/index.html +++ b/posts/writeup-404ctf-22/contractswar2/index.html @@ -635,5 +635,5 @@ 42ea2bd ...

/posts/writeup-404ctf-22/contractswar2/reentrancy-attack.png
reetrancy attack

The attack is successful and the seniority variable has been updated multiple times before the lastWithdrawTime got updated.

We can now validate the challenge by specifying our contract address.

Back | Home
-
+
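Review bot: the image caption "reetrancy attack" in the context of this hunk is misspelled (reentrancy); since this page is already being regenerated, fix it in the source post in the same change.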
\ No newline at end of file diff --git a/posts/writeup-404ctf-22/index.html b/posts/writeup-404ctf-22/index.html index be98bee..8babd4c 100644 --- a/posts/writeup-404ctf-22/index.html +++ b/posts/writeup-404ctf-22/index.html @@ -10,5 +10,5 @@
+01-26
\ No newline at end of file diff --git a/posts/writeup-404ctf-22/publickey/index.html b/posts/writeup-404ctf-22/publickey/index.html index ef20332..4651135 100644 --- a/posts/writeup-404ctf-22/publickey/index.html +++ b/posts/writeup-404ctf-22/publickey/index.html @@ -319,5 +319,5 @@ Calculated sender address => 0xcF9A54585b20041aC1265Ad64cE21d09fD4b1324

You can notice, that to convert the public key to an address, the first bytes (two characters) are ignored. This is because the 04 is a tag bytes for the ASN.1 OCTET String structure.

We can check the public key by sending it the contract with the cast command of the foundry binaries.

1
 
cast send 0x9Eb8F52b22024003C1312ea1569cf14208f3c30A "isPublicKey(bytes)" "0313073748ea0af8e0782adae7c15f2bd46b5179dab5a200307a41868b9dade1fd7eebc17da98c8d2065e429b1fd05e7651e08bda5b279254530f5b00f4487f2" --rpc-url http://localhost:8545  --private-key 0x.....
-
Back | Home
+
Back | Home
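Review bot: the explanation in the context line "This is because the 04 is a tag bytes for the ASN.1 OCTET String structure" is incorrect and should be fixed in the source post: the leading 0x04 on a 65-byte secp256k1 public key is the SEC1 uncompressed-point marker, and it is dropped before hashing because the address is derived from the 64 bytes of X and Y only; that the DER tag for OCTET STRING is also 0x04 is a coincidence, not the reason. The cast command itself is fine as shown, with the private key elided.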
\ No newline at end of file diff --git a/tags/404ctf/index.html b/tags/404ctf/index.html index 07e4074..42b1294 100644 --- a/tags/404ctf/index.html +++ b/tags/404ctf/index.html @@ -10,5 +10,5 @@
+01-26
\ No newline at end of file diff --git a/tags/cast/index.html b/tags/cast/index.html index 02b00be..833fdb1 100644 --- a/tags/cast/index.html +++ b/tags/cast/index.html @@ -8,5 +8,5 @@ CancelPostsCategories
+04-01
\ No newline at end of file diff --git a/tags/ccq/index.html b/tags/ccq/index.html index 3ca46e1..1b46a0c 100644 --- a/tags/ccq/index.html +++ b/tags/ccq/index.html @@ -8,5 +8,5 @@ CancelPostsCategories
+10-24
\ No newline at end of file diff --git a/tags/ctf/index.html b/tags/ctf/index.html index db39816..37804a2 100644 --- a/tags/ctf/index.html +++ b/tags/ctf/index.html @@ -11,5 +11,5 @@ 01-26
Writeup 404CTF 2022 - Contracts war 2 (web3) 01-26
Writeup 404CTF 2022 - Contracts war 1 (web3) 01-26

2022

Paradigm CTF - Rescue -12-01
+12-01
\ No newline at end of file diff --git a/tags/defi/index.html b/tags/defi/index.html index d5b0add..5eda05c 100644 --- a/tags/defi/index.html +++ b/tags/defi/index.html @@ -8,5 +8,5 @@ CancelPostsCategories

 DEFI

2022

+12-01
\ No newline at end of file diff --git a/tags/dos/index.html b/tags/dos/index.html index ec8ca68..d496036 100644 --- a/tags/dos/index.html +++ b/tags/dos/index.html @@ -9,5 +9,5 @@ CancelPostsCategories
+10-15
\ No newline at end of file diff --git a/tags/erc721/index.html b/tags/erc721/index.html index c669a77..fe577d9 100644 --- a/tags/erc721/index.html +++ b/tags/erc721/index.html @@ -8,5 +8,5 @@ CancelPostsCategories

 ERC721

2023

+03-12
\ No newline at end of file diff --git a/tags/evm/index.html b/tags/evm/index.html index 08fdb77..55f9844 100644 --- a/tags/evm/index.html +++ b/tags/evm/index.html @@ -9,5 +9,5 @@ CancelPostsCategories
+12-30
\ No newline at end of file diff --git a/tags/flashloan/index.html b/tags/flashloan/index.html index 61b4cf6..1f48ebb 100644 --- a/tags/flashloan/index.html +++ b/tags/flashloan/index.html @@ -8,5 +8,5 @@ CancelPostsCategories

 FLASHLOAN

2023

+03-12
\ No newline at end of file diff --git a/tags/foundry/index.html b/tags/foundry/index.html index c9e634e..173fa56 100644 --- a/tags/foundry/index.html +++ b/tags/foundry/index.html @@ -11,5 +11,5 @@ 04-01
Writeup 404CTF 2022 - public key (web3) 01-26
Writeup 404CTF 2022 - Contracts war 2 (web3) 01-26
Writeup 404CTF 2022 - Contracts war 1 (web3) -01-26
+01-26
\ No newline at end of file diff --git a/tags/geth/index.html b/tags/geth/index.html index 79e1e57..b1733ef 100644 --- a/tags/geth/index.html +++ b/tags/geth/index.html @@ -8,5 +8,5 @@ CancelPostsCategories
+10-15
\ No newline at end of file diff --git a/tags/golang/index.html b/tags/golang/index.html index a36c4cd..9584e82 100644 --- a/tags/golang/index.html +++ b/tags/golang/index.html @@ -10,5 +10,5 @@
+01-26
\ No newline at end of file diff --git a/tags/graphql/index.html b/tags/graphql/index.html index 9010381..d5bd96a 100644 --- a/tags/graphql/index.html +++ b/tags/graphql/index.html @@ -8,5 +8,5 @@ CancelPostsCategories
+10-15
\ No newline at end of file diff --git a/tags/immunefi/index.html b/tags/immunefi/index.html index b3d3e5a..63ea0c4 100644 --- a/tags/immunefi/index.html +++ b/tags/immunefi/index.html @@ -8,5 +8,5 @@ CancelPostsCategories
+10-24
\ No newline at end of file diff --git a/tags/index.html b/tags/index.html index 6dfb964..709c276 100644 --- a/tags/index.html +++ b/tags/index.html @@ -7,5 +7,5 @@ CancelPostsCategories -
+
\ No newline at end of file diff --git a/tags/low-level/index.html b/tags/low-level/index.html index bd22f70..a9b4337 100644 --- a/tags/low-level/index.html +++ b/tags/low-level/index.html @@ -8,5 +8,5 @@ CancelPostsCategories
+12-30
\ No newline at end of file diff --git a/tags/mevsec/index.html b/tags/mevsec/index.html index a5e85ec..cb98191 100644 --- a/tags/mevsec/index.html +++ b/tags/mevsec/index.html @@ -8,5 +8,5 @@ CancelPostsCategories

 MevSec

2023

+04-01
\ No newline at end of file diff --git a/tags/poc/index.html b/tags/poc/index.html index ed5eb31..6e60716 100644 --- a/tags/poc/index.html +++ b/tags/poc/index.html @@ -9,5 +9,5 @@ CancelPostsCategories
+12-30
\ No newline at end of file diff --git a/tags/reeantrancy/index.html b/tags/reeantrancy/index.html index 624c309..5d6dcb0 100644 --- a/tags/reeantrancy/index.html +++ b/tags/reeantrancy/index.html @@ -8,5 +8,5 @@ CancelPostsCategories

 REEANTRANCY

2023

+03-12
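Review bot: the tag directory "tags/reeantrancy/index.html" and its heading "REEANTRANCY" are misspelled (reentrancy); fixing the tag in the post front matter will change this URL, so add a redirect from the old slug or the existing link breaks.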
\ No newline at end of file diff --git a/tags/reverse-engineering/index.html b/tags/reverse-engineering/index.html index e7d99df..f3d4cdc 100644 --- a/tags/reverse-engineering/index.html +++ b/tags/reverse-engineering/index.html @@ -8,5 +8,5 @@ CancelPostsCategories

 REVERSE ENGINEERING

2022

+12-30
\ No newline at end of file diff --git a/tags/selfdestruct/index.html b/tags/selfdestruct/index.html index 264441a..b84bea2 100644 --- a/tags/selfdestruct/index.html +++ b/tags/selfdestruct/index.html @@ -8,5 +8,5 @@ CancelPostsCategories
+12-30
\ No newline at end of file diff --git a/tags/solidity/index.html b/tags/solidity/index.html index b8f9036..9067b58 100644 --- a/tags/solidity/index.html +++ b/tags/solidity/index.html @@ -10,5 +10,5 @@
+01-26
\ No newline at end of file diff --git a/tags/uniswap/index.html b/tags/uniswap/index.html index 354f197..ec10801 100644 --- a/tags/uniswap/index.html +++ b/tags/uniswap/index.html @@ -8,5 +8,5 @@ CancelPostsCategories

 UNISWAP

2022

+12-01
\ No newline at end of file diff --git a/tags/web3/index.html b/tags/web3/index.html index d02e69f..6a3a16f 100644 --- a/tags/web3/index.html +++ b/tags/web3/index.html @@ -11,5 +11,5 @@ 04-01
Writeup 404CTF 2022 - public key (web3) 01-26
Writeup 404CTF 2022 - Contracts war 2 (web3) 01-26
Writeup 404CTF 2022 - Contracts war 1 (web3) -01-26
+01-26
\ No newline at end of file diff --git a/tags/wormhole/index.html b/tags/wormhole/index.html index 320915c..03d3fab 100644 --- a/tags/wormhole/index.html +++ b/tags/wormhole/index.html @@ -8,5 +8,5 @@ CancelPostsCategories
+10-24
\ No newline at end of file