blockchain free easy

Honor Among Thieves

hackthebox

Task: Solidity contract with private encrypted flag and hash, need to call talk() with correct key. Solution: Read private storage via eth_getStorageAt, find successful transaction via Voice(5) event, extract XOR key from transaction input data.

$ ls tags/ techniques/
xor_key_recovery event_log_analysis storage_slot_reading transaction_data_extraction


Honor Among Thieves — HackTheBox

Description

As Alex and the group journeyed towards the secret treasure, they noticed they were being followed. They decided to investigate and found a rival group with the second key to the treasure. Alex watched as the other group discussed their plans and listened closely, trying to learn as much as she could about their strengths. She knew they had to get the key if they wanted to reach the treasure and was determined to outsmart the rival group.

Goal: Call talk() with the correct key to set solver = msg.sender.

Analysis

Contracts

Setup.sol — standard setup, deploys Rivals with an encrypted flag and its hash. Checks solution via isSolved().

Rivals.sol — main contract:

contract Rivals {
    event Voice(uint256 indexed severity);

    bytes32 private encryptedFlag;
    bytes32 private hashedFlag;
    address public solver;

    constructor(bytes32 _encrypted, bytes32 _hashed) {
        encryptedFlag = _encrypted;
        hashedFlag = _hashed;
    }

    function talk(bytes32 _key) external {
        bytes32 _flag = _key ^ encryptedFlag;
        if (keccak256(abi.encode(_flag)) == hashedFlag) {
            solver = msg.sender;
            emit Voice(5);
        } else {
            emit Voice(block.timestamp % 5);
        }
    }
}

Key Observations

  1. private doesn't mean secret. Variables encryptedFlag and hashedFlag are declared as private, but everything on the blockchain is public — they can be read via eth_getStorageAt.

  2. XOR encryption is reversible. _flag = _key ^ encryptedFlag. If we know _key and encryptedFlag, we can recover _flag.

  3. Event Voice(5) is a success marker. On failure, Voice(block.timestamp % 5) is emitted (severity 0-4), on success — Voice(5). This allows finding the successful transaction among all others.

  4. Task theme is a hint. "Honor Among Thieves" + "spy on rivals" = eavesdrop on competitors' transactions on the blockchain.
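The four observations above, carried through offline on constructed data. This is an added example, not code from the original writeup. The dictionaries only mimic the shape of eth_getStorageAt, eth_getLogs and eth_getTransactionByHash results, and the selector, topic hash, key, flag and transaction hashes are placeholders made up for the illustration.

```python
# Added example. Every value is constructed; nothing is taken from the live instance.
def xor32(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def word(n: int) -> str:
    """A uint256 as a 32-byte hex word, the form indexed event topics use."""
    return "0x" + n.to_bytes(32, "big").hex()

SAMPLE_FLAG = b"HTB{constructed_sample_flag}".ljust(32, b"\x00")
SAMPLE_KEY = bytes(range(1, 33))       # key a rival submitted to talk()
SELECTOR = "deadbeef"                  # placeholder, not the real talk(bytes32) selector
TOPIC0 = "0x" + "aa" * 32              # placeholder for the Voice(uint256) signature hash

# Slot 0 = encryptedFlag (slot 1 = hashedFlag, slot 2 = solver), as eth_getStorageAt returns it.
STORAGE = {0: "0x" + xor32(SAMPLE_FLAG, SAMPLE_KEY).hex()}
# Shaped like eth_getLogs results: topics[1] is the indexed severity.
LOGS = [
    {"transactionHash": word(1), "topics": [TOPIC0, word(3)]},
    {"transactionHash": word(2), "topics": [TOPIC0, word(5)]},
    {"transactionHash": word(3), "topics": [TOPIC0, word(0)]},
]
# Shaped like eth_getTransactionByHash results: input = selector + one ABI word.
TXS = {
    word(1): {"input": "0x" + SELECTOR + "11" * 32},
    word(2): {"input": "0x" + SELECTOR + SAMPLE_KEY.hex()},
    word(3): {"input": "0x" + SELECTOR + "22" * 32},
}

def successful_tx(logs):
    """Hash of the transaction whose Voice event has severity 5, else None."""
    for log in logs:
        if int(log["topics"][1], 16) == 5:
            return log["transactionHash"]
    return None

def key_from_calldata(input_hex: str) -> bytes:
    data = bytes.fromhex(input_hex[2:])
    if len(data) != 4 + 32:
        raise ValueError("not a single-argument bytes32 call")
    return data[4:]                    # drop the 4-byte selector

def recover_flag(storage, logs, txs) -> bytes:
    tx_hash = successful_tx(logs)
    if tx_hash is None:
        raise LookupError("no Voice(5) event emitted yet")
    key = key_from_calldata(txs[tx_hash]["input"])
    return xor32(key, bytes.fromhex(storage[0][2:])).rstrip(b"\x00")

if __name__ == "__main__":
    print(recover_flag(STORAGE, LOGS, TXS))
```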

Solution

Step 1: Getting connection info

curl http://154.57.164.64:31516/connection_info

...
