EldoriaGate writeup from HTB Cyber Apocalypse CTF 2025
Difficulty : Medium
Team : Phreaks 2600
Description : At long last, you stand before the EldoriaGate, the legendary portal, the culmination of your perilous journey. Your escape from this digital realm hinges upon passing this final, insurmountable barrier. Your fate rests upon the passage through these mythic gates. These are no mere gates of stone and steel. They are a living enchantment, a sentinel woven from ancient magic, judging all who dare approach. The Gate sees you, divining your worth, assigning your place within Eldoria’s unyielding order. But you seek not a place within their order, but freedom beyond it. Become the Usurper. Defy the Gate’s ancient magic. Pass through, yet leave no trace, no mark of your passing, no echo of your presence. Become the unseen, the unwritten, the legend whispered but never confirmed. Outwit the Gate. Become a phantom, a myth. Your escape, your destiny, awaits.
To solve, our address (the player address) need to have an empty role which is supposed to be impossible.
Recover the passphrase from the EldoriaGateKernel smart contract storage.
Enter the Gate with a contribution of 255 wei resulting in giving an empty role.
Get the flag.
Introduction
For this challenge, there are three solidity smart contracts deployed. The “EldoriaGate” smart contract (which I will call "Gate" from now). And this gate rely on another smart contract “EldoriaGateKernel” (we will call it "Kernel") with low level functions using assembly. This part is responsible for checking a role, authenticate or giving a role.
When facing a blockchain challenge, I like to read the contracts in order to understand with is the workflow behind the challenge and what we are supposed to do. With this in mind, the setup contract help a lot with that because it directly tell the condition to solve.
Setup.sol
Let’s start with the setup. It contains two public variables: player (us) and TARGET.
Reading the constructor which is called once only to deploy the contract, we read that two parameters need to be supplied, a secret and an address :
It simply deploys an EldoriaGate contract with the submited secret (of type bytes4, which are just 4 bytes hex encoded) in argument and store it in TARGET.
This function return either True or False, so we assume it have to returns True in order to solve the challenge, so the player needs to be an Usurper.
Let’s dive in the deployed contract by the setup, the EldoriaGate contract.
EldoriaGate.sol
constructor
First, let’s read the constructor. It takes one parameter and it’s a _secret of types bytes4 again.
Since this contract is deployed using the setup secret, they share the same secret :
functiongetVillagerRoles(address _villager)publicviewreturns(string[]memory){string[8]memory roleNames =["SERF","PEASANT","ARTISAN","MERCHANT","KNIGHT","BARON","EARL","DUKE"];(,,uint8 rolesBitMask)= kernel.villagers(_villager);uint8 count =0;for(uint8 i =0; i <8; i++){if((rolesBitMask &(1<< i))!=0){ count++;}}string[]memory foundRoles =newstring[](count);uint8 index =0;for(uint8 i =0; i <8; i++){uint8 roleBit =uint8(1)<< i;if(kernel.hasRole(_villager, roleBit)){ foundRoles[index]= roleNames[i]; index++;}}return foundRoles;}
It makes a call to the kernel :
Retrive the rolesBitMask variable by calling kernel.villagers(_villager) to recover roles of a villager formated in a 8 bits numbre.
Then count the “1”’s in it.
Then declare a string array with a length of the previous count.
Recover each player role as string with kernel.hasRole and fill the string array.
checkUsurper
And for the last function, also the one called to check if we have solved challenge, it’s pretty short.
checkUsurper()
1
2
3
4
5
6
7
8
9
10
functioncheckUsurper(address _villager)externalreturns(bool){(uint id,bool authenticated ,uint8 rolesBitMask)= kernel.villagers(_villager);bool isUsurper = authenticated &&(rolesBitMask ==0); emit UsurperDetected( _villager, id,"Intrusion to benefit from Eldoria, without society responsibilities, without suspicions, via gate breach.");return isUsurper;}
For the first part, it stores the _unknown address (which is msg.sender, so the player address if done correctly) at address 0.
1
mstore(0x00, _unknown)
Then the villagers mapping storage slot in the EVM is stored at address 0x20 (32 bytes further) which use an address as key, and a Villager variable as value :
Then it computes the villagerSlot by computing the keccak256 of 64 bytes counting from the address 0. Resulting in hashing the concatenation of _unknown and the villagers mapping slot.
This operation is used to compute the storage location of a key in a mapping. Learn more here.
The _unknown is stored at address 0x0, then it is hashed with keccak256 and stored in the id variable. Finally, the result is stored at the villagerSlot computed previously.
So, the id is actually the _unknown address hashed with keccak256 and casted in uint (i guess ??).
1
let storedPacked := sload(add(villagerSlot,1))
storedPacked store the value at villagerSlot + 1 which reads the next values in the Villager struct, the authenticated and roles variables :
let storedAuth := and(storedPacked,0xff)if iszero(storedAuth){revert(0,0)}
A bitwise AND operation with 0xff and storedAuth (either 1 or 0).
The result of this operation is zero if the villager is not authenticated, and one if yes.
But at this stage the villager, can only be authenticated because the function is reverted before getting here if the villager is not authenticated.
Now, the part setting the role begin.
1
2
let defaultRolesMask := ROLE_SERF
roles := add(defaultRolesMask, _contribution)
The defaultRolesMask is a number initally set to 1 (SERF), meaning we first start at the SERF role.
Then, the contribution is added to our role (with a contribution of 0, the role is still to a value of 1) and stored in roles.
1
if lt(roles, defaultRolesMask){revert(0,0)}
The operation is reverted if roles < 1, but it’s not supposed to happen as roles is initially set at 1.
Finally,
1
2
let packed := or(storedAuth, shl(8, roles))sstore(add(villagerSlot,1), packed)
The roles value is shifted 8 bytes to the left and combined with the auth bit with a bitwise OR.
Then, packed (actually containing the concatenation of roles followed by the auth bit) is stored at villagerSlot + 1, where we initially read the auth bit.
To wrap up,
The location for our address in the villager mapping is computed.
Then the authenticated bit is read from here on the slot just after.
Finally, our role is computed by 1 + contribution, shifted by 8, concatenated with the auth bit and then stored in the struct.
hasRole
This last function is called by getVillagerRoles to check from the roles mask, which bits are set to know which roles are present for a villager.
The second storage slot in the struct of the villager value is loaded, and roles is shifted to the right by 8. It was shifted left beforehand in evaluateIdentity, so it allow us to retrieve the roles.
After that, a bitwise AND is made with roles and 0xff.
Finally, it checks if a 1 is present at the position of each role checked in the roles value for the current villager :
Then returns hasRoleFlag with the value.
Solving
Get authenticated
So, to solve we have to be authenticated and have a role equal to zero, meaning not having any role at all.
First to be authenticated we have to find the passphrase.
This passphrase is stored on the EldoriaGateKernel contract but with the visibility private.
But even if it’s private, we can read it directly from the storage as it is public on the blockchain. (see cast storage)
To know the storage slot to look at we can use forge inspect :
With that we know the passphrase is at the first slot.
And we can read it with :
1
2
3
4
5
6
# get the kernel addresscast call -r $RPC $TARGET "kernel()(address)"0x79C71Dc194e4bbEd8e33d3419858B6AEA1a163B3
cast storage -r $RPC 0x79C71Dc194e4bbEd8e33d3419858B6AEA1a163B3 00x00000000000000000000000000000000000000000000000000000000deadfade
So the passphrase is 0xdeadfade.
Have an empty role
Now that we have the passphrase, we need to have an empty role.
We know that the role bits are read a from a number on 8 bits.
In the assembly we saw that roles a bitwise AND with the role and 0xff is made in order to read it.
Thus, if we manage to have a role value that result to zero when put on a bitwise AND with 0xff, example of a bitwise AND with a role value of 1 (SERF) :
We get 1.
And with a value of 256 we got a result of 0 :
Which result in an empty role.
Now, how do we submit a value of 256 ?
First remember that the role is one by default (see evaluateIdentity).
And our contribution is added to this one to get another role.
So we have to add 255 to this value. And we can do by sending some value when calling enter().
But 1 ether is not the smallest unit, 1 ether is actually equal to $1 * 10^{18}$ wei. We need to send wei and not ethers.
