Ethernaut Walkthrough - Part 2
Lazy loaded imageEthernaut Walkthrough - Part 2
type
status
date
slug
summary
tags
category
icon
password
Importance
Tweet

We are back at it!

In case you missed the previous post, here is the link to the previous post
Ethernaut Walkthrough - Part 1
Ethernaut Walkthrough - Part 1

Levels

5. Telephone

source: 0x2C2307bb8824a0AbBf2CC7D76d8e63374D2f8446

Thought process

  1. Notice in Telephone.sol that we just have to call changeOwner such that tx.origin and msg.sender are not the same and we can change the owner to whichever address we want
  1. Did a quick google on “tx origin solidity” which led me to this page https://docs.guardrails.io/docs/vulnerabilities/solidity/use_of_insecure_function#:~:text=,calls into a malicious contract.
  1. So tx.origin is the address of the account that sent the transaction
Solution
  1. Deploy the following contract
    1. Get contract’s address by running the following in the browser console
      1. Run the deployed TelephoneSolution.solve with the contract’s address

      Takeaways

      • tx.origin is the address which started the transaction
      • msg.sender is the address which sent the message to the contract, and this could be another contract that was triggered by the transaction

      6. Token

      source: 0x478f3476358Eb166Cb7adE4666d04fbdDB56C407

      Thought Process

      1. I had to google for help on this one. I googled a little and found out that it had to do with integer underflow and overflow.
          2. To hack this contract first you need to understand the concept of integer underflow and overflow. The overflow is a situation when uint (unsigned integer) reaches its byte size. Then the next element added will return the first variable element. - https://hackernoon.com/how-to-solve-the-ethernaut-games-level-5-token
      Solution
      1. Execute the following in the browser console

      Takeaways

      • We can check overflow with the following
        • An easier alternative is to use OpenZeppelin's SafeMath library that automatically checks for overflows in all the mathematical operators. The resulting code looks like this:

          7. Delegation

          source: 0x73379d8B82Fda494ee59555f333DF7D44483fD58

          Thought Process

          1. Went to research about delegatecall as suggested (reference: Solidity Docs)
            1. Notice that delegatecall is similar to using another contract’s code as a library
          1. Notice that in Delegate.sol the pwn() function changes the owner to msg.sender

          Solution

          1. Load this interface into remix IDE
            1. Just overlay this interface on top of the level's contract address
            1. And call pwn()
            1. Make sure that there is enough gas limit given

            Takeaways

            • delegatecall combined with fallback is very much like composition in OOP (Object Oriented Programming)
            • Solidity documentation on fallback function was not easy to understand, in my opinion.
            • The first possible way to trigger fallback function was just calling a non-existent method on the target contract. This can be simulated by overlaying a wrong interface on an contract address and calling whichever method that was defined in the interface but not on the contract
            • The second possible way to trigger fallback function was not easy to understand for me. I thought I could trigger solve the level another way by sending Ether to it but turns out that does not work. The fallback function has to be marked payable for that to work
            ID Theft Protection: The Simple Watermark Trick You Need to KnowThe Lambdas that forms me
            Loading...