Small blog about different CTFs completed or software I have worked on that I find interesting.
Task 5 asks us to determine which IPs on 10.130.0.0/16 have been compromised, based on the victim IDs found in task 4.
The TOTP that each contract originally used for authentication needs to be found; otherwise there are 2^16 IP addresses and 10^6 TOTPs to check, 65,536,000,000 combinations. Below is the general flow when a victim is compromised; further details can be found here.
Fortunately, the way the Registry contract communicates with the off-chain oracle can be taken advantage of. When a Ransom contract registers, the Registry contract emits an AuthEvent (step 5) for the off-chain oracle to validate the provided arguments. Events emitted by a contract can be searched, allowing us to recover the TOTPs.
The Registry contract serves multiple Escrow contracts, so the blocks to check for events need to be limited. This can be done by looking at the last AuthCallbackEvent emitted by the Escrow contract and only searching up to that block.
Now all AuthEvents for block 0 to 13000 can be retrieved.
Below is the code to check if an IP has been compromised.
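The following is an added example, not code from the original post: it bounds the AuthEvent search by the Escrow contract's last AuthCallbackEvent, collects the TOTPs, and then walks the /16 with only those TOTPs. The decoded-log field names, the placeholder contract addresses and `derive_victim_id` are assumptions; the page does not state how a victim ID is derived from an IP and a TOTP, so that function is a hypothetical stand-in.

```python
import hashlib
import ipaddress

def bounded_auth_events(logs, registry, escrow):
    """Registry AuthEvents up to the block of the Escrow's last AuthCallbackEvent."""
    callbacks = [e["blockNumber"] for e in logs
                 if e["address"] == escrow and e["event"] == "AuthCallbackEvent"]
    if not callbacks:
        return []  # this Escrow never emitted an AuthCallbackEvent
    last_block = max(callbacks)
    return [e for e in logs
            if e["address"] == registry and e["event"] == "AuthEvent"
            and e["blockNumber"] <= last_block]

def derive_victim_id(ip, otp):
    """HYPOTHETICAL derivation (assumption): SHA-256 over packed IP + 6-digit TOTP.
    Replace with the derivation recovered from the sample under analysis."""
    return hashlib.sha256(ip.packed + f"{otp:06d}".encode()).hexdigest()

def compromised_ips(cidr, otps, victim_ids, derive=derive_victim_id):
    """Map each known victim ID to the IP in `cidr` that reproduces it."""
    wanted = set(victim_ids)
    found = {}
    for ip in ipaddress.ip_network(cidr):
        for otp in otps:  # a handful of recovered TOTPs instead of 10^6
            vid = derive(ip, otp)
            if vid in wanted:
                found[vid] = str(ip)
    return found

# Constructed sample logs, already decoded; field names are assumptions.
REGISTRY, ESCROW, OTHER_ESCROW = "0xREGISTRY", "0xESCROW", "0xOTHER"
SAMPLE_LOGS = [
    {"address": REGISTRY, "event": "AuthEvent", "blockNumber": 40, "args": {"otp": 1234}},
    {"address": ESCROW, "event": "AuthCallbackEvent", "blockNumber": 41, "args": {}},
    {"address": REGISTRY, "event": "AuthEvent", "blockNumber": 90, "args": {"otp": 987654}},
    {"address": ESCROW, "event": "AuthCallbackEvent", "blockNumber": 91, "args": {}},
    {"address": REGISTRY, "event": "AuthEvent", "blockNumber": 150, "args": {"otp": 555555}},
    {"address": OTHER_ESCROW, "event": "AuthCallbackEvent", "blockNumber": 151, "args": {}},
]

def demo():
    events = bounded_auth_events(SAMPLE_LOGS, REGISTRY, ESCROW)
    otps = sorted({e["args"]["otp"] for e in events})
    # Constructed victim IDs standing in for the ones found in task 4.
    victims = [derive_victim_id(ipaddress.ip_address("10.130.7.21"), 1234),
               derive_victim_id(ipaddress.ip_address("10.130.200.3"), 987654)]
    return otps, compromised_ips("10.130.0.0/16", otps, victims)

if __name__ == "__main__":
    print(demo())
```

Because the Registry serves several Escrow contracts, the bounded window can still contain TOTPs belonging to other victims; they only add a few extra candidates per IP.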