[CTF] Shooting 101 - Cyber Apocalypse 2023

Hello, today i gonna show you how i solved the challenge Shooting 101 from Hack the Box hackthon

What we gonna need :

• Remix IDE
• Metamask
• Smart Contracts
• Information about connection

The connection and how interact with remix i gonna skipped, but if you are curious you can start with the first challenge of this link, to see how i prepare all the things :

• Link to the first challenge [CTF] Navigating the Unknown

First lets start the docker of the challenge and download the files :

Ok lets go to see the smart contracts donloaded, we have two files :

• Setup.sol
• ShootingArea.sol

Setup.sol

pragma solidity ^0.8.18;

import {ShootingArea} from "./ShootingArea.sol";

contract Setup {
    ShootingArea public immutable TARGET;

    constructor() {
        TARGET = new ShootingArea();
    }

    function isSolved() public view returns (bool) {
        return TARGET.firstShot() && TARGET.secondShot() && TARGET.thirdShot();
    }
}

ShootingArea.sol

pragma solidity ^0.8.18;

contract ShootingArea {
    bool public firstShot;
    bool public secondShot;
    bool public thirdShot;

    modifier firstTarget() {
        require(!firstShot && !secondShot && !thirdShot);
        _;
    }

    modifier secondTarget() {
        require(firstShot && !secondShot && !thirdShot);
        _;
    }

    modifier thirdTarget() {
        require(firstShot && secondShot && !thirdShot);
        _;
    }

    receive() external payable secondTarget {
        secondShot = true;
    }

    fallback() external payable firstTarget {
        firstShot = true;
    }

    function third() public thirdTarget {
        thirdShot = true;
    }
}

To solve this challenge is so simple, we need to interact with the 3 functions of the Target ( ShootingArea.sol )

• fallback
• receive
• third

Lets explain in the IDE with a draw :

So here are interesting things, because the fallback function is gonna be activated only when the functions is called with data and has a value ( eth ) Let me draw it :

Note : if you try to intract with the function without data or value ( eth sended ), the transaction is gonna be revert

you can do this :

and you get the first shot done

Lets go now for the second shot, the second shot to be activated you need to understand how works the receive function, in this case works like oposite of fallback funtion, this means you need to interact only with value but not with data, let me draw it :

Ok so lets do that :

And then the last one, that only need to interact with a normal function :

Lets do it :

And thats it, now only need to connect with the docker and get the flag :

Thats it :)