NorthSec Flag Token

Challenge statement:

Jon is lost in the metaverse, and wants to get his hands on a sweet sweet NFT of this collection (alt link). Can you hack the blockchain to grab one for yourself?

RULES
DO NOT ATTACK WEBSITES, API OR USERS; DO NOT TRY TO BUY NFTs; ONLY USE PLAIN RINKEBY TESTNET BLOCKCHAIN INTERACTIONS!

Send me an Ethereum personal signature of "NFT stands for NorthSec Flag Token" (without quotes) from the wallet owning the NFT. Do not leak your signature as it can be used by anyone to solve the challenge. You can use https://app.mycrypto.com/sign-message or any other tools to create the signature which is a string that starts with 0x.

The collection can be seen here or here

The first step is to have access to an Eth wallet. The easiest way is to install MetaMask in your browser.

The second step is to get a bit of Eth to be able to generate transactions. We can get some from faucets like https://faucets.chain.link/rinkeby.

By browsing the collection, we can see that a few tokens were owned by 0xc745a32262b944ABd01a119598BBB6e7654779a3 and 0x836A3cBEB8a962707a9387Db5C80bA9508a04Dc5. I had not seen it at first, but the last NFT was owned by 0x0b055ded5fc8c8b107fcFD8f22B76E1C5D59490F.

We can scour the list of transactions made by that first address on Etherscan. Most of the challenge was doable by using the Etherscan website and looking at the Transactions and Contract tabs.

This transaction is the creation of the contract for the challenge’s NFT marketplace.

We can then go check the contract located at this address, which will probably have a lot of failed transactions by the time you read this writeup. That address could also be found directly on the collection page, which would have been slightly faster.

We can see the first three NFTs being minted directly on the marketplace, but that turned out to be a dead end.

Looking at the marketplace contract, we could also see two interesting transactions, one for Approve Admin and one for Revoke Admin. Both specify the address 0x836a3cbeb8a962707a9387db5c80ba9508a04dc5. Looking at that address’ transactions, we can see the creation of two Giveaway contracts, with the first one’s giveaway function called twice, which created NFTs 4 and 5.

Going to the Giveaway contract which created those NFTs, we can call the giveaway function the same way and generate a new NFT that would be given to our address. The source address needed to be the marketplace, and the target our own address.

On the Contract tab, we can see the actual code behind the giveaway function:

/**
 * @title GiveAway NSEC2022 WARMUP
 * @dev Give away NFTs!
 */
contract GiveAway is CreatorExtensionBasic {
 
    constructor() {}
    
    /**
     * @dev This public function is used to give away NFT!
     * @param source The source contract address to mint the NFT from
     * @param target The target wallet address to receive the minted NFT
     */
    function giveaway(address source, address target) public {
        IERC721CreatorCore(source).mintExtension(target);
    }
}

The same function can be found at the bottom of the second Giveaway contract.
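
The giveaway function above is public, has no caller check, and mints from whatever source contract the caller names. A hardened variant, written here as an added example and not code from the challenge or from Manifold: GiveAwayHardened, the owner/creator fields, the event and the errors are hypothetical names, the interface is reduced to the one call the page shows, and the CreatorExtensionBasic inheritance is left out so the block compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal interface (assumption): only the call used by the page's contract.
interface IERC721CreatorCore {
    function mintExtension(address to) external;
}

/**
 * @title GiveAwayHardened (hypothetical name, added example)
 * @dev Same mint path as GiveAway, with the caller, the source contract
 *      and the recipient constrained.
 */
contract GiveAwayHardened {
    // Deployer: the only account allowed to trigger a mint.
    address public immutable owner;
    // The single creator contract this extension mints from, fixed at
    // deployment instead of being supplied by the caller.
    address public immutable creator;

    event GivenAway(address indexed caller, address indexed target);

    error NotOwner();
    error ZeroAddress();

    constructor(address creator_) {
        if (creator_ == address(0)) revert ZeroAddress();
        owner = msg.sender;
        creator = creator_;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /**
     * @dev Owner-only mint. The original took `source` as a parameter and
     *      was callable by anyone; both are removed here.
     * @param target The wallet address to receive the minted NFT
     */
    function giveaway(address target) external onlyOwner {
        if (target == address(0)) revert ZeroAddress();
        IERC721CreatorCore(creator).mintExtension(target);
        emit GivenAway(msg.sender, target);
    }
}
```

With this shape, a giveaway call from any address other than the deployer reverts with NotOwner before the creator contract is reached, and the event gives monitoring a record of each mint and its recipient.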

From the marketplace, it was also possible to find the last original NFT owner’s address in this transaction which interacts with the first Giveaway contract to invoke the giveaway function the same way, to create the sixth NFT.

If we keep looking at the transactions made by the marketplace creator, we can find one calling registerExtension that specifies the address of that first Giveaway contract. The second parameter, the baseURI, doesn’t relate to https://studio.api.manifoldxyz.dev/asset_uploader/asset/2852698318/metadata/full which contains metadata for the tokens.

After receiving the NFT, we had to sign a message and send it to the flag validator. The signature was done using MyCrypto, which generated a sig in the proper format.