search

Russian Roulette - Blockchain

hashtag
Task

Welcome to The Fray. This is a warm-up to test if you have what it takes to tackle the challenges of the realm. Are you brave enough?

hashtag
Solution

We get two port numbers 28531 , 30230 and zip file containing two files Setup.sol and RussianRoulette.sol. These files are written in the Solidity programming language, which is used to create smart contracts. Smart contracts are programs that exist on the blockchain. Let's start the analysis from the Setup.sol file.

Setup.sol

pragma solidity 0.8.23;

import {RussianRoulette} from "./RussianRoulette.sol";

contract Setup {
    RussianRoulette public immutable TARGET;

    constructor() payable {
        TARGET = new RussianRoulette{value: 10 ether}();
    }

    function isSolved() public view returns (bool) {
        return address(TARGET).balance == 0;
    }
}

This file is deploying the smart contract RussianRoulette with 10 ether. The function isSolved checks if the challenge has been solved. To solve the contract we have to reduce the balance to 0 ether.

RussianRoulette.sol

RussianRoulette.sol is the contract that we need to solve. The code we should exploit to get the flag is located in the pullTrigger function, which is public. If certain conditions are met, this function will call selfdestruct() otherwise i'm SAFU ... for now will be returned.

Method selfdestruct deletes smart contract and transfers remaining ether to the specified address, in this case to the msg.sender address which is the address initiating the transaction.

Now let's look at the conditions that must be met for the smart contract to be destroyed:

It generates a random number by taking a blockhash of the previous block, converting it to a uint256 type, and performing a modulo by 10. Then it is checked whether the remainder is equal to 7. If this condition is met the contract self-destructs.

Now let's take a look at the ports we received. The first of them28531 port can be used to check connection information, restart the challenge instance, and receive the flag:

Before we proceed, we need to retrieve the information necessary to establish the connection:

The second socket, which is 30230 is the RPC endpoint which we will use to connect to the blockchain. For this purpose, we can use cast which is Foundry’sarrow-up-right command-line tool. To get the value equal to 7, we will use brute force and call the pullTrigger() function multiple times.

If we were lucky and the condition of the pullTrigger() function was met we can get the flag:

Flag:

PreviousCyber Apocalypse 2024: Hacker RoyaleNextRecovery - Blockchain

Last updated