Points: 907 (17 solves)
NFTs should work with deep interaction with third parties like https://opensea.io/
We all know that the blockchain is open to all, which gives us some guarantee that it will work as we expect; however, can we trust all these things?
network info: mainnet, petersburg
This is mostly a web challenge with a bit of blockchain flavor. We observe that part of the token URI is directly fed into os.path.join after stripping away a prefix. Reading the documentation, we see that
If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.
so we can get an absolute path out of it. The only obstacle remaining at this point is to find an IP address that:
- starts with a digit but not a 0
- doesn’t contain
- but is equivalent to
To this end, we see that in the Python version used, the ipaddress module was still fairly naive, and didn’t accept e.g. a purely numeric (integer) IP, unfortunately. On the flip side, it didn’t check for leading zeroes in octets yet either, so we can abuse that to use 127.0.0.01 as our IP instead and pass the checks.
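The two weaknesses above (os.path.join discarding the storage root when a user-controlled component is absolute, and a loopback check that compares the raw string instead of a canonical address) are easy to reproduce and to fix. The following is an added example, not code from the challenge or the writeup; the storage root, the file-serving helper names and the host checks are constructed for illustration.

```python
import ipaddress
import os
import re

# Constructed example: root directory a hypothetical storage endpoint serves from.
STORAGE_ROOT = "/srv/storage"


def naive_join(root: str, user_part: str) -> str:
    # Behaviour of the vulnerable pattern: os.path.join throws `root` away
    # as soon as `user_part` is an absolute path.
    return os.path.join(root, user_part)


def safe_join(root: str, user_part: str):
    # Refuse absolute components, then resolve the result (symlinks included)
    # and confirm it is still located under the resolved root.
    if os.path.isabs(user_part):
        return None
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, user_part))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def canonical_ipv4(host: str):
    # Return the canonical dotted-quad spelling, or None for anything that is
    # not a strictly canonical IPv4 literal. Leading zeros are rejected here
    # explicitly rather than relying on ipaddress, whose handling of
    # "127.0.0.01" differs between Python versions. Integer forms fail the
    # regex and are rejected as well.
    m = DOTTED_QUAD.match(host)
    if not m:
        return None
    if any(o != str(int(o)) for o in m.groups()):
        return None
    try:
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        return None


def host_allowed(host: str) -> bool:
    # Compare the deny rule against the canonical address, not the raw text,
    # so alternative spellings of loopback cannot slip past the check.
    canon = canonical_ipv4(host)
    return canon is not None and not ipaddress.IPv4Address(canon).is_loopback
```

host_allowed only handles IPv4 literals; a hostname would additionally have to be resolved and every resulting address re-checked the same way.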
To perform the actual exploit:
- Create an account and log in
- Mint an NFT with tokenURI set to 127.0.0.01/account/storages//home/ctf/flag.txt with the private key of the account
- Visit the NFT listing for the account