We covered an introduction to blockchain penetration testing by taking on a blockchain challenge from HackTheBox where we were presented with the challenge source code that included a code in solidity language with a couple functions that handle the challenge. We installed foundryup suite of tools to interact with the chain. We used cast tool to interact with the functions, namely loot(), strongattack() and punch() to solve the challenge. This was part of HackTheBox Survival Of The Fittest

Solidity Language

Solidity is a language commonly used in developing blockchain applications.

Interaction With The BlockChain

To interact with the chain, we will need the below information
Private key
The address of the target contract
The RPC URL

The Challenge

Think of this step as being a digital detective analyzing a mystery. You’re provided with two Solidity smart contracts: Setup.sol and Creature.sol, which serve as the game’s framework.

  • Setup.sol initiates the challenge by deploying a Creature contract and funding it with 1 ether. Your mission is to drain this balance completely.
  • Creature.sol defines your opponent—the creature you need to defeat. It starts with 20 life points, and your objective is to reduce these points to zero to claim victory.

To capture the flag, you must bring the creature’s life points from 20 to 0. You can do this using two attack options:

  1. punch() – a basic attack that deals 1 damage.
  2. strongAttack(uint256 _damage) – a more powerful attack where you choose the damage.

Flags

You can either create a script or simply use Foundry tools. Run the commands listed below, modify the URL by replacing “tag” with “flag”, and you’ll retrieve the flag.

cast send <TargetAddress> "strongAttack(uint256)" 20--rpc-url <RPC URL> --interactive

cast send <TargetAddress> "loot()" --rpc-url <RPC URL> --interactive

HTB{g0t_y0u2_f1r5t_b100d}

Video Walkthrough

Watch Also

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles