We covered an introduction to blockchain penetration testing by taking on a blockchain challenge from HackTheBox where we were presented with the challenge source code that included a code in solidity language with a couple functions that handle the challenge. We installed foundryup suite of tools to interact with the chain. We used cast tool to interact with the functions, namely loot(), strongattack() and punch() to solve the challenge. This was part of HackTheBox Survival Of The Fittest
Solidity is a language commonly used in developing blockchain applications.
Interaction With The Chain
To interact with the chain, we will need the below information
The address of the target contract
The RPC URL
To solving the challenge and getting the flag. But nevertheless, Always pay attention to details.
So, if we go here and open the web page, we see this is the challenge. I will read survival of the fittest, the title, the description. Are you ready to feed your monitors? And we have two buttons restart and attack.
one more time if you click continuously, as you can see here, So restart assumingly. We will reset the game and attack upon, clicking on the button. It will start attacking. So if you click for one time, The bar.
We need this part needs to go all the way to the left until it becomes zero. This represents the life of the monitors here. So if you keep, just keep clicking Right.
so, The bar here represents the life of the monster or the monsters. We need to put this bar or two in order to kill the monster. Eventually you’re going to reach 0.
But we’re gonna do that, we’re supposed to solve the challenge, the methodical, and systematic way.
Say, we need this information. We need the RPC code. How to get this? If you go back to the challenge, You see here slash RPC. RPC endpoint used for interacting with the network. Let’s try to access this URL. Method, not allowed, but to access, but, the RPC orl is this URL. It is the full URL slash RPC.
now, going back to the scenario here, the scenario is to So, let’s go to the code and see if there is some function responsible for storing the energy of the sponsor, you go back.
Going back here to? Yeah, the scenario is to Drain the Monster Energy. So that this bar goes all the way to the left until the energy is zeroed out.
Underscore damage can be 20 can be less than or can be more than 20. So if you are able to use the strong attack function and specify underscore damage to be more than 20,
You will be able to. Think dilute function. So the root function, as you can see, it doesn’t take any argument.
So this is this process in the blockchain is called signing a contract. You need to sign a contract, a transaction story, In order to modify data. So the private key and Target address are very necessary in order to sign a transaction. So this is a transaction in the blockchain.
We have to start over so. We should. Yeah, so that is the flag.
That was it guys. I hope this was I kind and slight introduction to blockchain app. Interesting. And this is these are the notes. These are parts of my channel membership. You can join my channel membership to access these notes. So I finished with this today, and I’m gonna see you in the next.