$ cat writeup.md…
$ cat writeup.md…
Hack The Box
Survival of the Fittest is a Solidity-based blockchain challenge where the game contract contains a vulnerability in the game logic. The goal is to drain the target contract's balance to get the flag. The Creature.sol contract models a fighter with health/lifePoints, and Setup.sol checks the win con
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
Survival of the Fittest is a Solidity-based blockchain challenge where the game contract contains a vulnerability in the game logic. The goal is to drain the target contract's balance to get the flag. The Creature.sol contract models a fighter with health/lifePoints, and Setup.sol checks the win condition.
// Simplified Creature contract structure contract Creature { uint256 public lifePoints = 20; address public owner; constructor() { owner = msg.sender; } // Damage function function punch() external { lifePoints -= 1; } // Vulnerable loot function — only available when lifePoints == 0 function loot() external { require(lifePoints == 0, "Creature is still alive"); payable(msg.sender).transfer(address(this).balance); } }
Key observations:
lifePoints is initialized to 20punch() function is public and can be called by any addressloot() function checks lifePoints == 0 before transferring ethertransfer() — a safe method (2300 gas)contract Setup { address public TARGET; constructor(address _target) { TARGET = _target; } function isSolved() public view returns (bool) { // Win is counted when TARGET balance equals 0 return address(TARGET).balance == 0; } }
Win logic:
TARGET.balance == 0loot() after killing the creature# Connect to challenge RPC CAST_RPC_URL="http://83.136.249.34:46638/rpc" # Check target contract balance cast balance <TARGET_ADDRESS> --rpc-url $CAST_RPC_URL # Expected: > 0 ether
#!/usr/bin/env python3 """ Script for exploiting Survival of the Fittest challenge. Punches the creature 20 times to reduce lifePoints to 0. """ import requests RPC_URL = "http://83.136.249.34:46638/rpc" TARGET_ADDRESS = "<TARGET_CONTRACT_ADDRESS>" ...
$ grep --similar