Chainsaw

Starting the Discussion

Got the files! Now what… :astonished:

Decoded bytecode… Not sure what I’m looking at apart from a whole world of pain I’m about to open myself up to

any nudge on decoding the bytecode? I feel like it’s a contract bytecode, need to study more about solidity it seems!

You really don’t need to decode the bytecode. You got the contract source code. Now pay attention to the contract name and maybe think what the underlying process might do

To see the underlying code, don’t we need to decode the bytecode? Or are you suggesting we assume the underlying code by couple of getter and setter functions? Anyways, even though I decoded the bytecode it doesn’t seem to be of any use since it looks like a mix of Assembly and JS.

@lyak said:
You really don’t need to decode the bytecode. You got the contract source code. Now pay attention to the contract name and maybe think what the underlying process might do

Anyone else found that high port 9*** that only responds to a certain type of http requests? I’m not sure what options I have to enumerate further.

gives 400 on all types of req

400*

Sometimes it responds with a 200, but I’m not sure if that’s a rabbit hole or not…
Might try another option…

Some people have written to me, but I’ll answer here. I’m currently root on the machine, but there’s a last step.

I suggest you read up on smart contracts. It really doesn’t matter if you deploy your own in this scenario. The idea is to get a shell, remember that. So look at the name of the smart contract and think how that would be possible, then look at the options for the smart contract that you’ve got. The smart contract is all you see, but a process running on the computer is watching what happens with the smart contract, try to exploit that. Read up on web3

@lyak said:

Some people have written to me, but I’ll answer here. I’m currently root on the machine, but there’s a last step.

I suggest you read up on smart contracts. It really doesn’t matter if you deploy your own in this scenario. The idea is to get a shell, remember that. So look at the name of the smart contract and think how that would be possible, then look at the options for the smart contract that you’ve got. The smart contract is all you see, but a process running on the computer is watching what happens with the smart contract, try to exploit that. Read up on web3

Is this a hint for starting out? Or is it for escalating from user to root just wondering?

edit: got shell from this hint, followed by user after a couple of steps, thanks lyak!

edit 2: useful link Intro to Web3.js · Ethereum Blockchain Developer Crash Course | Dapp University

Starting out

Well, I can communicate with the server, I can issue ‘set’ and ‘get’, I can get a receipt, but I have no idea how to exploit this. Is there any advanced knowledge of the technology needed?

No advanced knowledge necessary, the vulnerability itself is rather vanilla. The platform upon which the vulnerability lives is not vanilla though, took me an hour or so of reading to really understand what it was and how to use it. As @lyak said, reading a few tutorials on smart contracts should give you a good idea of what to do for user.

@lyak said:

Some people have written to me, but I’ll answer here. I’m currently root on the machine, but there’s a last step.

I suggest you read up on smart contracts. It really doesn’t matter if you deploy your own in this scenario. The idea is to get a shell, remember that. So look at the name of the smart contract and think how that would be possible, then look at the options for the smart contract that you’ve got. The smart contract is all you see, but a process running on the computer is watching what happens with the smart contract, try to exploit that. Read up on web3

Thank you @lyak for this phenomenal hint. I was trapped for a long time. Kudos to you and +1.

Don’t kill and restart certain processes. They don’t re-instantiate and you end up with unusable services.

Question to those who got user:
I can pop a shell using a pretty basic technique (even though the path of delivery is quite different and took me a while to figure out, because I never worked with that kind of technology which in my book is placed in the chapter “Hipster techno-BS”) as “some very well known username”. Is the user flag supposed to be there or do I first need to pwn another user on the system? If so, is the user I need to pwn referred to by name in a very popular xkcd about a very popular attack technique? :wink:

@Xentropy said:
Don’t kill and restart certain processes. They don’t re-instantiate and you end up with unusable services.

Obviously – one should be careful when engaging with a target, there is no ‘reset’ button IRL.

@darkkilla said:

Question to those who got user:
I can pop a shell using a pretty basic technique (even though the path of delivery is quite different and took me a while to figure out, because I never worked with that kind of technology which in my book is placed in the chapter “Hipster techno-BS”) as “some very well known username”. Is the user flag supposed to be there or do I first need to pwn another user on the system? If so, is the user I need to pwn referred to by name in a very popular xkcd about a very popular attack technique? :wink:

I’m sure no one deleted the user.txt file :slight_smile: