Solidity challenge by CCTF six

2022
six 2022-11-03 18:32:16 +01:00
parent d414b1ccf2
commit 8981b9f5d0
3 changed files with 86 additions and 8 deletions

@ -0,0 +1,9 @@
## Dan's storage is not private - Solidity challenge
The story goes like... your friend Dan from crypto Telegram requested you to audit this small smart contract. You need to prove that it is easy to steal the flag and show "private" is not private.
Figure out the flag by using the Solidity smart contract provided. The goal is to correctly follow the assemble logic of the concat in is_it_on_chain().
_Keccak256: 0x81b1ff6939fedd672ddac358a41abb7192ae1f0660a3b1cbf92ef2c82119612b_
_Challenge author: six_
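
Review bot: The `_Keccak256: ..._` line publishes a digest without saying what it is computed over. State whether it is the keccak256 of the complete flag string, wrapper included, so a solver can check a candidate locally before submitting. In the sentence above it, "assemble logic of the concat" is ambiguous between "how the concat is assembled" and "the assembly block"; since the numeric part comes from `asmbl()` rather than from `is_it_on_chain()` itself, name both functions.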

@ -0,0 +1,66 @@
// SPDX-License-Identifier: GPL-3.0-or-later
pragma solidity ^0.8.17;
import "@openzeppelin/contracts/utils/Strings.sol";
/// @title On-chain storage to save a precious memory of you life
/// @author Challenge inspired by CCTF, coded by six
/// @notice The flag should return when the data is on-chain.
contract PMC_Sol_Challenge {
// Declare everything needed in the contract
address private admin = 0x5B38Da6a701c568545dCfcB03FcB875f56beddC4;
uint160 door = 0;
event contractStart(address indexed _admin);
uint256 public pin;
string private start;
string private data;
string private end;
string private flag;
string private result;
bytes32 private data_store;
uint private data_set;
string private ds_to_Str;
// O, that is nasty!
constructor(address O) payable {
emit contractStart(admin);
admin = 0==0?O:0x0000000000000000000000000000000000000000;
pin = block.number + block.timestamp; // "Random" pin
start = "PMC{";
data_set = 0;
end = ".NiceTry}";
}
/// @notice Mod
function callAddMod() public pure returns(uint){
return addmod(4, 5, 3);
}
/// @notice Only the central admin should be able to store his life memory in bytes32.
function store_me_on_chain(bytes32 _data) public returns (string memory) {
require(msg.sender == admin, 'Not admin');
data_store = _data;
data_set = asmbl();
ds_to_Str = Strings.toString(data_set);
return data = string("den_who_is_dan_");
}
/// @notice Generate number
function asmbl() public view returns (uint8 b) {
assembly {
let c := add(27, 16)
mstore(0x80, c)
{ let d := add(sload(c), 255) b := d }
b := add(b, c) }
}
/// @notice The admin wants to check the data is on chain and return the flag if is!
function is_it_on_chain(uint256 _pin) external returns (string memory) {
require(msg.sender == admin, 'Not admin');
require(pin == _pin, 'Wrong pin');
require(data_set > 1, 'Nothing in the on-chain storage');
flag = string.concat(start,data,ds_to_Str,end);
return flag;
}
fallback() external {}
}
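
Review bot: In the constructor, `emit contractStart(admin)` runs before `admin` is reassigned, so the event logs the hard-coded initializer address rather than the `O` that actually becomes admin. Move the emit below the assignment and write the assignment as a plain `admin = O;`, since the else branch of the `0==0` ternary is unreachable. Separately, `asmbl()` declares `returns (uint8 b)` but the assembly block assigns `add(sload(c), 255)` plus `c` (43) to `b` without masking. No declared state variable occupies slot 43, so the sum is larger than 255 and the value that reaches `data_set` depends on the compiler truncating the high bits when the `uint8` is widened to `uint`. If that truncation is the intended puzzle, say so in a comment; otherwise apply `and(b, 0xff)` inside the block. The `mstore(0x80, c)` is never read back and can be dropped, and `door`, `result` and `callAddMod()` are unused.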

@ -27,22 +27,25 @@ The flags have the following keccak256 values:
``` ```
kusamaverse - 0x896c90f019d0aaa7977ce81c7d7299b1b43d302295f2d567509ab7e3060a797f kusamaverse - 0x896c90f019d0aaa7977ce81c7d7299b1b43d302295f2d567509ab7e3060a797f
ink - 0x82703a464305aad655e2eb617f31e6e57b7e959bf8528f1d3b5968cc02ed60ac
wss - 0x2f2d4bb11521956c486925241ffcca0cbf7b79bbd9be8eafaeb4fab95713b12d wss - 0x2f2d4bb11521956c486925241ffcca0cbf7b79bbd9be8eafaeb4fab95713b12d
solidity - 0x81b1ff6939fedd672ddac358a41abb7192ae1f0660a3b1cbf92ef2c82119612b
ink - 0x82703a464305aad655e2eb617f31e6e57b7e959bf8528f1d3b5968cc02ed60ac
rust - 0x42ce6fca873fe4dc4ce4d9accdb53e02fdb497ffa6b30f421cea36c81d8ea289 rust - 0x42ce6fca873fe4dc4ce4d9accdb53e02fdb497ffa6b30f421cea36c81d8ea289
``` ```
## Prequalification challenges ## Prequalification challenges
__WSS challenge__: you need to play with a websocket connection and get the flag from the service. __WSS challenge__: you need to play with a websocket connection and get the flag from the service. It is called Fibonacci.
__Rust challenge:__ you need to work with cryptography and math. The correct math will return you the flag. __Solidity challenge__: a security audit might reveal what the developers think is private might actually not be.
__ink! challenge__: you need to get the flag from an already running Substrate node. __Rust challenge__: work with RSA cryptography and math. The correct math will return you the flag.
__ink! challenge__: you need to get the flag from an already running Substrate node or find "another" way. Make sure to web2 scan everything.
__Kusamaverse challenge__: find the flag in Kusamaverse - this one is very easy, but important for the main event. __Kusamaverse challenge__: find the flag in Kusamaverse - this one is very easy, but important for the main event.
We also have an __optional 3D design challenge__ for the Hall of Fame, near the four listed above. If you submit it using the form, we'll add the design to the Hall of Fame, where all the successfully prequalified players get listed. We also have an __optional 3D design challenge__ for the Hall of Fame, near the four listed above. If you submit it using the prequalification form, we'll add the design to the Hall of Fame, where all the successfully prequalified players get listed.
## Challenges for the main event ## Challenges for the main event
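
Review bot: The optional 3D design paragraph still says "near the four listed above", but with the Solidity entry added the list now has five prequalification challenges (WSS, Solidity, Rust, ink!, Kusamaverse). Update the count or drop the number. The hash list and the description list are also in different orders (wss, solidity, ink, rust versus WSS, Solidity, Rust, ink!), which makes it harder to match a digest to its challenge; use one order for both.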
@ -50,19 +53,19 @@ The details of these challenges will be shared on 2022 December 6th 10:00 CET. T
### Track 1 - Collaboration ### Track 1 - Collaboration
Challenge 1 - by Momentum Challenge 1 - Momentum related
Challenge 2 - Creator to be disclosed. Challenge 2 - Creator to be disclosed.
### Track 2 - Privacy and Security ### Track 2 - Privacy and Security
Challenge 1 - by CCTF Challenge 1 - CCTF related
Challenge 2 - Creator to be disclosed. Challenge 2 - Creator to be disclosed.
### Track 3 - GameFi and NFT ### Track 3 - GameFi and NFT
Challenge 1 - by RMRK Challenge 1 - RMRK related
Challenge 2 - Creator to be disclosed. Challenge 2 - Creator to be disclosed.
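
Review bot: Changing "by Momentum", "by CCTF" and "by RMRK" to "... related" removes the authorship statement for each Challenge 1, while the Challenge 2 lines still read "Creator to be disclosed". A reader can no longer tell whether the named organisation wrote the challenge or only supplies its theme. If the creator is now undisclosed for Challenge 1 as well, say so in the same words as Challenge 2; if not, keep "by".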