ctfwriteup
  • āœ…/home/ret2basic.eth
  • Game Hacking
    • šŸ‘‘Pwn Adventure 3: Pwnie Island
      • āœ…Prep: Speed Hack
      • āœ…Prep: Infinite Health and Mana (Offline)
      • āœ…Prep: Analyze Network Packets with Wireshark
      • Prep: Build a Proxy in Python
      • āœ…Until the Cows Come Home
      • Unbearable Revenge
      • Pirate's Treasure
    • Cheat Engine Tutorial
      • āœ…Step 1: Setup
      • āœ…Step 2: Scan for "Exact Value"
      • āœ…Step 3: Scan for "Unknown initial value"
      • āœ…Step 4: Scan for float and double
      • āœ…Step 5: Replace instruction
      • Step 6: Pointer scanning
      • Step 7: Code injection
      • Step 8: Multilevel pointers
      • Step 9: Shared code
  • Web3 CTF
    • šŸ‘‘Remedy CTF 2025 (Todo)
      • Diamond Heist
      • R vs Q
      • Rich Man's Bet
      • Casino Avengers
      • Frozen Voting
      • Lockdown
      • Proof of Thought
      • Maybe it's unnecessary?
      • Et tu, Permit2?
      • Not a very LUCKY TOKEN
      • risc4
      • HealthCheck as a Service
      • Restricted Proxy
      • Unstable Pool
      • Opaze Whisperer
      • "memorable" onlyOwner
      • World of Memecraft
      • Copy/Paste/Deploy
      • Peer-to-peer-to-me
      • Joe's Lending Mirage
      • Tokemak
      • OFAC Executive Order 13337
    • šŸ‘‘Paradigm CTF 2023 (Todo)
      • Oven
      • Dragon Tyrant
    • Damn Vulnerable DeFi
      • āœ…Unstoppable
      • āœ…Naive Receiver
      • āœ…Truster
      • āœ…Side Entrance
      • āœ…The Rewarder
      • āœ…Selfie
      • āœ…Compromised
      • āœ…Puppet
      • āœ…Puppet V2
      • āœ…Free Rider
      • Backdoor
      • Climber
      • Wallet Mining (Todo)
      • Puppet V3 (Todo)
      • ABI Smuggling (Todo)
    • Milotruck Challs
      • āœ…Greyhats Dollar
      • Escrow
      • Simple AMM Vault
      • Voting Vault
      • āœ…Meta Staking
      • āœ…Gnosis Unsafe
    • Secureum AMAZEX DSS Paris
      • āœ…Operation magic redemption
      • Mission Modern WETH: Rescue the Ether
      • LendEx pool hack
      • Operation Rescue POSI Token!
      • Balloon Vault
      • Safe Yield?
      • āœ…Crystal DAO
      • āœ…Liquidatoooor
    • āœ…Ethernaut
      • āœ…Hello Ethernaut
      • āœ…Fallback
      • āœ…Fallout
      • āœ…Coin Flip
      • āœ…Telephone
      • āœ…Token
      • āœ…Delegation
      • āœ…Force
      • āœ…Vault
      • āœ…King
      • āœ…Re-entrancy
      • āœ…Elevator
      • āœ…Privacy
      • āœ…Gatekeeper One
      • āœ…Gatekeeper Two
      • āœ…Naught Coin
      • āœ…Preservation
      • āœ…Recovery
      • āœ…MagicNumber
      • āœ…Alien Codex
      • āœ…Denial
      • āœ…Shop
      • āœ…DEX
      • āœ…DEX Two
      • āœ…Puzzle Wallet
      • Motorbike
      • DoubleEntryPoint
      • āœ…Good Samaritan
      • Gatekeeper Three
      • Switch
    • āœ…Flashbots MEV-Share CTF
    • āœ…Capture the Ether
      • āœ…Lotteries
      • āœ…Math
      • āœ…Miscellaneous
    • āœ…EVM Puzzles
      • āœ…Puzzle 1
      • āœ…Puzzle 2
      • āœ…Puzzle 3
      • āœ…Puzzle 4
      • āœ…Puzzle 5
      • āœ…Puzzle 6
      • āœ…Puzzle 7
      • āœ…Puzzle 8
      • āœ…Puzzle 9
      • āœ…Puzzle 10
    • āœ…More EVM Puzzles
      • āœ…Puzzle 1
      • āœ…Puzzle 2
      • āœ…Puzzle 3
      • āœ…Puzzle 4
      • āœ…Puzzle 5
      • āœ…Puzzle 6
      • āœ…Puzzle 7
      • āœ…Puzzle 8
      • āœ…Puzzle 9
      • āœ…Puzzle 10
    • āœ…QuillCTF
      • āœ…MetaToken
      • āœ…Temporary Variable
      • KeyCraft
      • āœ…Lottery
      • āœ…Private Club
      • Voting Machine
      • āœ…Predictable NFT
      • āœ…Invest Pool
      • PseudoRandom
      • āœ…Gold NFT
      • Slot Puzzle
      • Moloch's Vault
      • āœ…Donate
      • āœ…WETH-11
      • Panda Token
      • Gate
      • āœ…WETH10
      • āœ…Pelusa
      • āœ…True XOR
      • āœ…Collatz Puzzle
      • āœ…D31eg4t3
      • āœ…Safe NFT
      • āœ…VIP Bank
      • āœ…Confidential Hash
      • āœ…Road Closed
    • āœ…unhacked
      • āœ…reaper
  • RareSkills Puzzles
    • Solidity Exercises
    • Solidity Riddles
    • Yul Puzzles
      • āœ…01 - ReturnBool
      • āœ…02 - SimpleRevert
      • āœ…03 - Return42
      • āœ…04 - RevertWithError
      • āœ…05 - RevertWithSelectorPlusArgs
      • 06 - RevertWithPanic
    • Huff Puzzles
    • Uniswap V2 Puzzles
    • Zero Knowledge Puzzles
  • Web2 CTF
    • Grey Cat CTF 2024
      • āœ…Web Challs
    • pwn.college
      • Introduction
        • What is Computer Systems Security?
      • Program Interaction
        • Linux Command Line
        • šŸš©embryoio
      • Program Misuse
        • Privilege Escalation
        • Mitigations
        • šŸš©babysuid
      • Assembly Refresher
        • x86 Assembly
        • šŸš©embryoasm
      • Shellcoding
        • Introduction
        • Common Challenges
        • Data Execution Prevention
        • šŸš©babyshell
      • Sandboxing
        • chroot
        • seccomp
        • Escaping seccomp
        • šŸš©babyjail
      • Debugging Refresher
        • x86 Assembly
        • šŸš©embryogdb
      • Binary Reverse Engineering
        • Functions and Frames
        • Data Access
        • Static Tools
        • Dynamic Tools
        • Real-world Applications
        • šŸš©babyrev
      • Memory Errors
        • High-Level Problems
        • Smashing the Stack
        • Causes of Corruption
        • Canary
        • ASLR
        • Causes of Disclosure
        • šŸš©babymem
      • Exploitation
        • Introduction
        • Hijacking to Shellcode
        • Side Effects
        • JIT Spray
        • šŸš©toddler1
      • Return Oriented Programming
        • Binary Lego
        • Techniques
        • Complications
        • šŸš©babyrop
      • Dynamic Allocator Misuse
        • What is the Heap?
        • Dangers of the Heap
        • tcache
        • Chunks and Metadata
        • Metadata Corruption
        • šŸš©babyheap
      • Race Conditions
        • Introduction
        • Races in the Filesystem
        • šŸš©babyrace
      • Kernel Security
        • Environment Setup
        • Kernel Modules
        • Privilege Escalation
        • šŸš©babykernel
      • Advanced Exploitation
        • toddler2
    • pwnable.kr
      • fd
      • collision
      • bof
      • flag
      • passcode
      • random
      • input
      • leg
      • mistake
      • shellshock
      • coin1
      • blackjack
      • lotto
      • cmd1
      • cmd2
      • uaf
      • memcpy
      • asm
      • unlink
      • blukat
      • horcruxes
    • ROP Emporium
      • ret2win
      • split
      • callme
      • write4
      • pivot
    • āœ…Jarvis OJ Pwn Xman Series
    • āœ…Jarvis OJ Crypto RSA Series
    • āœ…picoMini by redpwn
      • Binary Exploitation
      • Reverse Engineering
      • Cryptography
      • Web Exploitation
      • Forensics
    • āœ…picoCTF 2021
      • Reverse Engineering
      • Web Exploitation
      • Forensics
    • āœ…picoCTF 2020 Mini-Competition
  • Red Teaming
    • vulnlab
      • Active Directory Chains
        • āœ…Trusted (Easy)
        • Hybrid (Easy)
        • Lustrous (Medium)
        • Reflection (Medium)
        • Intercept (Hard)
      • Red Team Labs
        • Wutai (Medium)
        • Shinra (Hard)
    • Hack The Box
      • AD
        • Intelligence
        • Pivotapi
        • Sharp
        • Monteverde
        • Resolute
        • Endgame: P.O.O.
        • Forest
        • Sauna
        • Active
        • Blackfield
      • āœ…Linux
        • āœ…Safe (Easy)
        • āœ…Delivery (Easy)
        • āœ…TheNotebook (Medium)
        • āœ…Brainfuck (Insane)
    • TCM Windows Privilege Escalation Course
      • āœ…Hack The Box - Chatterbox (Medium)
      • Hack The Box - SecNotes (Medium)
    • āœ…TCM Linux Privilege Escalation Course
      • āœ…TryHackMe - Simple CTF (Easy)
      • āœ…TryHackMe - Vulnversity (Easy)
      • āœ…TryHackMe - CMesS (Medium)
      • āœ…TryHackMe - UltraTech (Medium)
      • āœ…TryHackMe - LazyAdmin (Easy)
      • āœ…TryHackMe - Anonymous (Medium)
      • āœ…TryHackMe - tomghost (Easy)
      • āœ…TryHackMe - ConvertMyVideo (Medium)
      • āœ…TryHackMe - Brainpan 1 (Hard)
Powered by GitBook
On this page
  • Idea
  • 1. passTheBall()
  • 2. getBallPossesion()
  • 3. shoot()
  • PoC
  1. Web3 CTF
  2. QuillCTF

Pelusa

Idea

We have to overcome 3 barriers:

  1. passTheBall()

  2. getBallPossesion()

  3. shoot()

1. passTheBall()

    function passTheBall() external {
        require(msg.sender.code.length == 0, "Only EOA players");
        require(uint256(uint160(msg.sender)) % 100 == 10, "not allowed");

        player = msg.sender;
    }

The first require can be bypassed by storing all code in the constructor. The second require is about bruteforcing create2() salt but it is a very simple bruteforce. Note that the probability of xmodā€‰ā€‰100ā‰”10x \mod 100 \equiv 10xmod100ā‰”10 is 1100\frac{1}{100}1001ā€‹ if we are bruteforcing xxx.

2. getBallPossesion()

    function isGoal() public view returns (bool) {
        // expect ball in owners posession
        return IGame(player).getBallPossesion() == owner;
    }
    constructor() {
        owner = address(uint160(uint256(keccak256(abi.encodePacked(msg.sender, blockhash(block.number))))));
    }

Just re-compute owner locally.

3. shoot()

    function shoot() external {
        require(isGoal(), "missed");
		/// @dev use "the hand of god" trick
        (bool success, bytes memory data) = player.delegatecall(abi.encodeWithSignature("handOfGod()"));
        require(success, "missed");
        require(uint256(bytes32(data)) == 22_06_1986);
    }

Returning 22_06_1986 is easy. Updating goals to 2 via delegatecall is also a simple task.

PoC

PreviousWETH10NextTrue XOR

Last updated 1 year ago

āœ…
āœ…
https://github.com/ret2basic/QuillCTF-PoC/blob/main/Pelusa/test/Pelusa.t.sol
Pelusa PoC