Solving Damn Vulnerable DeFi Challenges Series (IX). Climber.

Hi there, almost finishing this saga! Today’s post explains how I solved challenge #12 - Climber. So far this level has been the hardest for me. I hope you enjoy the walkthrough. If you want to play with this level, I ported it to Brownie; you can find it here.

In this blog post you’ll read about:

  • Proxies
  • OpenZeppelin UUPS proxy implementation
  • Timelock contracts

Solving Damn Vulnerable DeFi Challenges Series (VIII). Backdoor.

Hello everyone, I’m continuing with Damn Vulnerable DeFi challenges. In today’s post I’ll be solving challenge #11 - Backdoor.

This was a very interesting challenge that allowed me to learn and play with the following topics:

  • Gnosis Safe contracts. A powerful multisig wallet. I learned how to deploy and use it.
  • The proxy pattern and its different use cases.
  • Solidity’s delegatecall powers and how careful you have to be while using it.
  • Encoding, ABIs, and so on.

I also ported this challenge to my project DVD Brownie; you can solve it using Python.

I hope you enjoy the read!


Solving Damn Vulnerable DeFi Challenges Series (VII). Free Rider.

Hello! I wanted to continue the habit of publishing regularly. Today’s post continues our saga solving and porting Damn Vulnerable DeFi challenges. During the last week I spent some time solving challenge #10 - Free Rider. I really liked it as it challenged me to learn about the following topics:

  • Flash swaps in Uniswap!
  • NFT and the EIP-721 standard
  • Common pitfalls when using loops and msg.value

I’ve ported this challenge to Brownie; you can find it here.

Let’s dive into it!


Solving Damn Vulnerable DeFi Challenges Series (IV). Compromised

Hello there, I missed Monday for the second time, but it’s better late than never! I had some time during the weekend to continue with Damn Vulnerable DeFi Challenges. This time I solved challenge #7, titled “Compromised”. So far it is the challenge that I have enjoyed the most. I’ll share the way I approached it. Enjoy!


Damn Vulnerable DeFi Challenges in Brownie, a Python-based dev framework

Introduction

Hello, happy new year! In the last months of 2021, I’ve been working on this project. Thanks to my friend and colleague Pablo Artuso I started to learn about Blockchain and the challenges and opportunities that this new technology has.

I was quickly interested in the security aspects of smart contracts. As part of my learning process I found the Damn Vulnerable DeFi challenges, created by @tinchoabbate, which seemed a good place to start practicing.


Terraform Series - AWS S3 Buckets, policies and what Terraform can do for us?

Introduction

Hi there, I hope that you are doing well! In this second blog post about Terraform and AWS I’ll try to share with you what I learned about AWS S3 Buckets and how Terraform can be used to interact with them. This is a brief list of the topics that I plan to cover with today’s post:

  • A brief introduction of AWS S3
  • Differences between IAM Policies, S3 Bucket Policies and S3 ACLs
  • Using Terraform to create an S3 Bucket and host a static website
  • S3 Bucket policy creation with Terraform
  • Applying policies to buckets with Terraform
  • Uploading objects to S3 Buckets using Terraform

As you can see, we have a long road ahead! So, let’s start.


Brief introduction to Terraform, and Infrastructure as Code (IaC)

Introduction

Hello, after some time without posting we are back! Today’s post will be focused on Terraform. For those who have never heard about it, Terraform allows you to build infrastructure as if you were writing code.

I started playing with it mainly for two reasons: In the first place, I’m reading the book Test-Driven Development with Python, and at some point I had to set up my own machine with a webserver to deploy an application. I thought that having some kind of automation for it was a good idea. Secondly, I needed a good excuse to learn some AWS magic, and this was the perfect excuse for that!

So, in this blogpost I’ll share what I learned about Terraform and my progress from zero to feeling a bit less confused with AWS and the idea of Infrastructure as Code. I’ll show you how to automate the creation of an EC2 Instance running Nginx in a non-default VPC.


Fuzzing experiments I or... I have no idea what I'm doing

Introduction

Hello! In today’s post I’ll explain my first steps in the fuzzing world. I’ll detail the steps I took to fuzz some code that is part of the open source code released by TP-Link for the TL-WR841N Router.

Disclaimer: This blog post will be very basic and just cover the fundamentals. No bugs were found but I learned a lot :)

Having the idea of experimenting a bit with fuzzing, I decided to focus my attention on one of the TL-WR841N services, specifically the router’s UPnP daemon, running on TCP and UDP port 1900. Doing a quick check, I issued an HTTP request to that port and, to my surprise, it answered back with a 404 (page not found) error.


Bypassing upgrade limitations on a TP-Link TL-WR841N

Introduction

Hello! In this blogpost we’ll continue with our TP-Link TL-WR841N saga. Today’s post will explain the steps that I followed to bypass a silly limitation in the router’s stock firmware for Latin America (ES) models that did not allow me to install the latest US firmware.


Playing with PE Files, Packers and Qiling Framework

Introduction

Hi there! I’m launching a new version of the blog… and needed some good excuse for this, so here we have a new blog post! This time I decided to take a look at how packers work, and for that I had to learn quite a few things about the PE file format and how Windows loads files, and spend a lot of time banging my head against the keyboard.
