Author: Robin_Jadoul

Tags: blockchain

Points: 907 (17 solves)


NFT should work as having a deeply interaction with third-party like

We all know that blockchain is opened to all, which give us some guaranty thus it will work as we expected, however can we trust all this things?

contract: 0x4e2daa29B440EdA4c044b3422B990C718DF7391c




network info: mainnet, petersburg

This is mostly a web challenge with a bit of blockchain flavor. We observe that part of the token URI is directly fed into os.path.join after stripping away a prefix. Reading the documentation, we see that

If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.

so we can get an absolute path out of it. The only obstacle remaining at this point is to find an IP address that:

To this end, we see that in the python version used, the ipaddress module was still fairly naive, and didn’t allow e.g. a numeric IP, unfortunately. On the flip side, it didn’t check for leading zeroes in octets yet either, so we can abuse that to have as our IP instead and pass the checks.

To perform the actual exploit: