CTF — Lock Box

This is one of the challenges in the series provided by Security Innovation

Daniel Luca
Jan 15 · 2 min read
Pin number hidden in plain sight

The second challenge makes you think a little bit. It’s not that hard, but it assumes you already know how to run a transaction.

The challenge is quite simple to understand

Description

Unlock the Safe

Just enter the correct pin

Find the pin number

We need to find the correct pin number. Let’s check the source code.

pragma solidity 0.4.24;import "../CtfFramework.sol";contract Lockbox1 is CtfFramework{    uint256 private pin;    constructor(address _ctfLauncher, address _player) public payable
CtfFramework(_ctfLauncher, _player)
{
pin = now%10000;
}

function unlock(uint256 _pin) external ctf{
require(pin == _pin, "Incorrect PIN");
msg.sender.transfer(address(this).balance);
}
}

When the contract was deployed a pin was set and saved.

pin = now%10000;

The pin number can be found in 2 ways

Checking contract storage

I fire up web3-console and start querying for the contract’s storage to find the pin number right away in hex and transform that to decimal.

$ web3-console https://ropsten.infura.ioRPC Endpoint: https://ropsten.infura.io
Node Version: Geth/v1.8.17-omnibus-56fef1ca/linux-amd64/go1.10.1
Latest Block: 4820852
Network ID #: 3
> web3.eth.getStorageAt("0x6d9f02e1091438ae965f9003ad8f11896f9ce3b9", "0x1")
'0x00000000000000000000000000000000000000000000000000000000000018a2'
> 0x18a2
6306

Recomputing the pin

The other method is recomputing the pin by doing the same calculation at contract deploy time.

We can see that the contract was deployed in this transaction. At block number 4799756. We just need to get the block time and we’re able to compute the pin using the same logic as in the contract.

> web3.eth.getBlock("4799756").timestamp
1547136306
> 1547136306 % 10000
6306

Plug in the pin and get your reward.

Read my previous challenge write-ups

Daniel Luca

Written by

Button pusher