tkh4ck.github.io

Personal website and blog of tkh4ck


HCSC 2025 - Amazeing Blockchain

Description

Some contracts hold tokens. Some hold logic. This one holds… something else.

No tokens needed. No top-up required. Just you, and a stubborn sense of direction…

Flag format: HCSC{...}

10.10.1-9.12:8546

By: ab310

Metadata

Solution

As the name of the challenge hints, we have to interact with a blockchain RPC endpoint.

I used the foundry toolkit to interact with the chain. As we did not have any information about the chain, I listed the contents of the blocks (there were 3 blocks on the chain).

$ cast block --json --rpc-url http://10.10.5.12:8546/ 0
{"hash":"0xde5889c1e328ed1910888d269bc5d0fc63d4b03f0a02513baf17e27300404377","parentHash":"0x0000000000000000000000000000000000000000000000000000000000000000","sha3Uncles":"0x1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347","miner":"0x0000000000000000000000000000000000000000","stateRoot":"0x3f07ec8891f21706daa4df7b1104773c2f3800985a0b5787825dc0de14f4ddb1","transactionsRoot":"0x56e81f171bcc55a6ff8345e692c0f86e5b48e01b996cadc001622fb5e363b421","receiptsRoot":"0x56e81f171bcc55a6ff8345e692c0f86e5b48e01b996cadc001622fb5e363b421","logsBloom":"0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","difficulty":"0x0","number":"0x0","gasLimit":"0x1c9c380","gasUsed":"0x0","timestamp":"0x680a5e07","extraData":"0x1234","mixHash":"0x53c5ae3ce8eefbfad3aca77e5f4e1b19a949b04e2e5ce7a24fbb64422f14f0bf","nonce":"0x0000000000000000","baseFeePerGas":"0x3b9aca00","withdrawalsRoot":"0x56e81f171bcc55a6ff8345e692c0f86e5b48e01b996cadc001622fb5e363b421","blobGasUsed":"0x0","excessBlobGas":"0x0","parentBeaconBlockRoot":"0x0000000000000000000000000000000000000000000000000000000000000000","totalDifficulty":"0x0","size":"0x249","uncles":[],"transactions":[],"withdrawals":[]}

$ cast block --json --rpc-url http://10.10.5.12:8546/ 1
{"hash":"0x1dff95d02c133757fe32abeb14e576723b9fc33dafce75072925104426c985fa","parentHash":"0xde5889c1e328ed1910888d269bc5d0fc63d4b03f0a02513baf17e27300404377","sha3Uncles":"0x1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347","miner":"0xc014ba5ec014ba5ec014ba5ec014ba5ec014ba5e","stateRoot":"0xa55e0f6790f240cddbf98f463593ffd48419a9d5ba02edc34ad2c403e19ddd9e","transactionsRoot":"0x6a03fed5d422b0727322c4b735280063e4c00e7deffc92bc8d643eb505bf8dd6","receiptsRoot":"0xf78dfb743fbd92ade140711c8bbc542b5e307f0ab7984eff35d751969fe57efa","logsBloom":"0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","difficulty":"0x0","number":"0x1","gasLimit":"0x1c9c380","gasUsed":"0x5208","timestamp":"0x680a5e09","extraData":"0x","mixHash":"0xf4fbfa6c8463f342eb58838d8c6b0661faf22e7076a518bf4deaddbf3fa8a112","nonce":"0x0000000000000000","baseFeePerGas":"0x342770c0","withdrawalsRoot":"0x56e81f171bcc55a6ff8345e692c0f86e5b48e01b996cadc001622fb5e363b421","blobGasUsed":"0x0","excessBlobGas":"0x0","parentBeaconBlockRoot":"0xdd8876ba5af271ae9d93ececb192d6a7b4e6094ca5999756336279fd796b8619","totalDifficulty":"0x0","size":"0x2c2","uncles":[],"transactions":[{"type":"0x2","chainId":"0x7a69","nonce":"0x0","gas":"0x5208","maxFeePerGas":"0x6fc23ac0","maxPriorityFeePerGas":"0x6fc23ac0","to":"0x19ce8b974380dfba39f5236a6711771a1a38e1b6","value":"0x3635c989f629bcaa00","accessList":[],"input":"0x","r":"0xff9c120cae9081e7110fe1a42cdfd004916d70333cbea329406d3aa7a1345857","s":"0x7517688537630d13b17bc7d4511e7de646b9eff38c777cc0fb07a9adfd0add25","yParity":"0x1","v":"0x1","hash":"0xe6b1d424b8c81855fa87d07e782baf4fd4eb620bc275da87cd71b97934aec403","blockHash":"0x1dff95d02c133757fe32abeb14e576723b9fc33dafce75072925104426c985fa","blockNumber":"0x1","transactionIndex":"0x0","from":"0x9dc012f381313c4f640c09d6cca249fce53d2a4b","gasPrice":"0x6fc23ac0"}],"withdrawals":[]}

$ cast block --json --rpc-url http://10.10.5.12:8546/ 2
{"hash":"0x0557666b9c13e1e466eb64f9df67f7fbd9b8e5ffb80d6349f62449303db6121f","parentHash":"0x1dff95d02c133757fe32abeb14e576723b9fc33dafce75072925104426c985fa","sha3Uncles":"0x1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347","miner":"0xc014ba5ec014ba5ec014ba5ec014ba5ec014ba5e","stateRoot":"0xd52201f5e13ed9825ee1eec4f1b339467a75f8d1437391e46c10eaf255abcfe6","transactionsRoot":"0x4b154b2539e4e7a28620fefa616556a4997199fb90422759557875989dc3de7a","receiptsRoot":"0x7311d941d63fd8403b57a31f51b7253591f9ec89bec7ca05dc7e73c888d8fbaa","logsBloom":"0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","difficulty":"0x0","number":"0x2","gasLimit":"0x1c9c380","gasUsed":"0x121c1e","timestamp":"0x680a5e0a","extraData":"0x","mixHash":"0x36e0e2ad178d961006334c968a7f38fc9e049070a61e5b8203219acebd7bfd59","nonce":"0x0000000000000000","baseFeePerGas":"0x2da4d8cd","withdrawalsRoot":"0x56e81f171bcc55a6ff8345e692c0f86e5b48e01b996cadc001622fb5e363b421","blobGasUsed":"0x0","excessBlobGas":"0x0","parentBeaconBlockRoot":"0x20ac26c307a8005e8e0c24ae0e18f5fb23fb724064e99ebccb2cb877faaa55ac","totalDifficulty":"0x0","size":"0x1762","uncles":[],"transactions":[{"type":"0x2","chainId":"0x7a69","nonce":"0x0","gas":"0x121c1e","maxFeePerGas":"0xc1b71080","maxPriorityFeePerGas":"0x59682f00","to":null,"value":"0x0","accessList":[],"input":"0x...","r":"0x7e12231e35afe59775c4af4ee2bb1b6bb8c9348be28ac6f3a7f13490fbfde4e1","s":"0x139b2ed7a479a641ea0372a4aabee2a3c913f7470975f98475422b0f2b0ffb18","yParity":"0x1","v":"0x1","hash":"0x3e8d5b9cfd21beba1375d50dc423f34f2c5fc6eeb02cc9b4a58e96afdbfe3124","blockHash":"0x0557666b9c13e1e466eb64f9df67f7fbd9b8e5ffb80d6349f62449303db6121f","blockNumber":"0x2","transactionIndex":"0x0","from":"0x19ce8b974380dfba39f5236a6711771a1a38e1b6","gasPrice":"0x870d07cd"}],"withdrawals":[]}

$ cast block --json --rpc-url http://10.10.5.12:8546/ 3
Error: block 0x3 not found

The third block (number 2) is interesting because it contains a smart contract deployment (the transaction's "to" field is null); its input field contains the bytecode of the contract.

Using the bytecode (after removing the constructor code, up to the next 0x0608 bytes), it is possible to decompile it into readable Solidity-like code with https://ethervm.io/decompile

There are a few public functions which can be called. The contract basically implements a labyrinth, and we can move around by calling the left / right / up / down functions. If we are at the end of the maze, the win function returns true and we can get the flag with getFlag.

left()
right()
up()
down()
win()
getFlag()

The challenge could be solved in at least three ways:

If we decompile the bytecode, we should find the longest function with many branches (if statements):

function func_067C() returns (var r0) {
[...]
    if (!var4) {
        var temp2 = var3;
        var2 = temp2;
        var3 = 0x48 << 0xf8;
        var4 = var2;
        var var5 = 0x00;

        if (var5 < memory[var4:var4 + 0x20]) {
        label_07A2:
            memory[var5 + 0x20 + var4:var5 + 0x20 + var4 + 0x01] = byte(var3 & ~0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff, 0x00);
            var3 = 0x43 << 0xf8;
            var4 = var2;
            var5 = 0x01;
        
            if (var5 < memory[var4:var4 + 0x20]) {
                memory[var5 + 0x20 + var4:var5 + 0x20 + var4 + 0x01] = byte(var3 & ~0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff, 0x00);
                var3 = 0x53 << 0xf8;
                var4 = var2;
                var5 = 0x02;
            
                if (var5 < memory[var4:var4 + 0x20]) {
                    memory[var5 + 0x20 + var4:var5 + 0x20 + var4 + 0x01] = byte(var3 & ~0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff, 0x00);
                    var3 = 0x43 << 0xf8;
                    var4 = var2;
                    var5 = 0x03;
                
                    if (var5 < memory[var4:var4 + 0x20]) {
                        memory[var5 + 0x20 + var4:var5 + 0x20 + var4 + 0x01] = byte(var3 & ~0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff, 0x00);
                        var3 = 0x7b << 0xf8;
                        var4 = var2;
                        var5 = 0x04;
                    
                        if (var5 < memory[var4:var4 + 0x20]) {
                            memory[var5 + 0x20 + var4:var5 + 0x20 + var4 + 0x01] = byte(var3 & ~0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff, 0x00);
                            var3 = 0x73 << 0xf8;
                            var4 = var2;
                            var5 = 0x05;
[...]

This function builds the flag, and the characters of the flag can be deduced from the var3 assignments:

var3 = 0x48 << 0xf8; # H
var3 = 0x43 << 0xf8; # C
var3 = 0x53 << 0xf8; # S
var3 = 0x43 << 0xf8; # C
var3 = 0x7b << 0xf8; # {
var3 = 0x73 << 0xf8; # s
...

The flag is: HCSC{s0l1D_maZ3_N4v1g4t0R}
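The two recovery steps above (decompiling the runtime code, then reading the flag bytes off the `0xNN << 0xf8` assignments) can be automated. The following Python is an added example, not the author's tooling and not the ethervm.io decompiler. It assumes that Solidity emits each such one-byte constant as the opcode triple PUSH1 NN, PUSH1 0xf8, SHL, and it runs on a constructed bytecode sample rather than the challenge contract; the listing it parses is the var3 excerpt shown above.

```python
import re

# PUSH1 .. PUSH32 (0x60 .. 0x7f) are the only EVM opcodes that carry
# immediate data (1 .. 32 bytes); SHL is 0x1b.
PUSH1, PUSH32, SHL = 0x60, 0x7F, 0x1B


def disassemble(code: bytes):
    """Linear sweep that honours PUSH immediates, so push data is never
    mistaken for instructions. Returns a list of (pc, opcode, immediate)."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            out.append((pc, op, code[pc + 1:pc + 1 + n]))
            pc += 1 + n
        else:
            out.append((pc, op, b""))
            pc += 1
    return out


def shl_f8_constants(code: bytes) -> bytes:
    """Collect X from every `PUSH1 X; PUSH1 0xf8; SHL` instruction triple,
    in code order. The decompiler renders that triple as `X << 0xf8`: the
    constant is moved into the top byte of a 32-byte word before being
    written into the string buffer one byte at a time (assumed pattern)."""
    ins = disassemble(code)
    found = bytearray()
    for (_, op1, im1), (_, op2, im2), (_, op3, _) in zip(ins, ins[1:], ins[2:]):
        if op1 == PUSH1 and op2 == PUSH1 and im2 == b"\xf8" and op3 == SHL:
            found += im1
    return bytes(found)


def naive_scan(code: bytes) -> bytes:
    """Raw byte-pattern search without disassembly, kept only to show why it
    is unreliable: it also fires on push DATA that happens to contain 60 XX 60 f8 1b."""
    return b"".join(re.findall(rb"\x60(.)\x60\xf8\x1b", code, re.DOTALL))


LISTING_RE = re.compile(r"var\d+\s*=\s*0x([0-9a-fA-F]{2})\s*<<\s*0xf8")


def constants_from_listing(listing: str) -> bytes:
    """Same recovery applied to the decompiler's text output: every
    `varN = 0xXX << 0xf8` line contributes the byte XX."""
    return bytes(int(h, 16) for h in LISTING_RE.findall(listing))


# Constructed sample bytecode for this example; it is NOT the challenge
# contract. A PUSH4 whose data bytes spell 60 41 60 f8 is included on purpose.
SAMPLE_CODE = bytes.fromhex(
    "6080604052"      # PUSH1 0x80  PUSH1 0x40  MSTORE   (usual Solidity prologue)
    "604860f81b"      # PUSH1 'H'   PUSH1 0xf8  SHL
    "63604160f81b"    # PUSH4 0x604160f8  SHL   <- data looks like PUSH1 'A' PUSH1 0xf8
    "604360f81b"      # 'C'
    "605360f81b"      # 'S'
    "604360f81b"      # 'C'
    "607b60f81b"      # '{'
    "607360f81b"      # 's'
    "00"              # STOP
)

# Decompiler excerpt as shown in the write-up (constructed input for the parser).
SAMPLE_LISTING = """
        var3 = 0x48 << 0xf8;
        var4 = var2;
        var3 = 0x43 << 0xf8;
        var3 = 0x53 << 0xf8;
        var3 = 0x43 << 0xf8;
        var3 = 0x7b << 0xf8;
        var3 = 0x73 << 0xf8;
"""

if __name__ == "__main__":
    print("from bytecode :", shl_f8_constants(SAMPLE_CODE).decode())
    print("naive scan    :", naive_scan(SAMPLE_CODE).decode())   # contains a bogus 'A'
    print("from listing  :", constants_from_listing(SAMPLE_LISTING).decode())
```

The point of the PUSH4 in the sample is that a plain byte search over the contract would report a character that is not there; walking the code with PUSH lengths respected avoids that, which is exactly what the decompiler does for you.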

kess created a Node.js application which explores the labyrinth automatically, or lets you walk through it manually (map.mjs, play.mjs). Pretty awesome!

$ node play.mjs explore
$ node map.mjs
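kess's play.mjs and map.mjs are not reproduced on the page. The following Python is an added example of the exploration strategy such a tool needs, written against a constructed in-memory stand-in for the contract; it is not kess's code and not the challenge contract. Since the page does not say what the move functions return, it assumes that left/right/up/down return true when the step was taken and false when a wall blocked it, and that win() is true exactly on the exit cell.

```python
# Direction name -> (dx, dy); y grows downward as in a text map.
MOVES = {"left": (-1, 0), "right": (1, 0), "up": (0, -1), "down": (0, 1)}
OPPOSITE = {"left": "right", "right": "left", "up": "down", "down": "up"}


class SimMaze:
    """Constructed stand-in exposing the contract's six calls. '#' is a wall,
    'S' the start, 'E' the exit. The position itself is never exposed, just
    like the on-chain contract only answers move calls and win()."""

    def __init__(self, rows):
        self.rows = rows
        for y, row in enumerate(rows):
            for x, ch in enumerate(row):
                if ch == "S":
                    self.pos = (x, y)
                if ch == "E":
                    self.exit = (x, y)

    def _step(self, dx, dy):
        x, y = self.pos[0] + dx, self.pos[1] + dy
        if 0 <= y < len(self.rows) and 0 <= x < len(self.rows[y]) and self.rows[y][x] != "#":
            self.pos = (x, y)
            return True
        return False            # assumed contract behaviour: blocked move reports False

    def left(self):  return self._step(-1, 0)
    def right(self): return self._step(1, 0)
    def up(self):    return self._step(0, -1)
    def down(self):  return self._step(0, 1)
    def win(self):   return self.pos == self.exit

    def getFlag(self):
        # Placeholder value; the real contract returns the flag only once win() holds.
        return "HCSC{flag_placeholder}" if self.win() else None


def explore(maze):
    """Depth-first search driven purely by the move oracle. The explorer keeps
    its own coordinates relative to the start because the contract never
    reveals where it is. Returns the list of moves from start to exit, or
    None if no exit is reachable."""
    visited = {(0, 0)}

    def dfs(x, y, path):
        if maze.win():
            return path
        for name, (dx, dy) in MOVES.items():
            nxt = (x + dx, y + dy)
            if nxt in visited:
                continue
            visited.add(nxt)                    # walls get marked too: never retry them
            if not getattr(maze, name)():
                continue                        # blocked, position unchanged
            found = dfs(nxt[0], nxt[1], path + [name])
            if found is not None:
                return found
            # Dead end: physically walk back, since the contract has no reset.
            assert getattr(maze, OPPOSITE[name])(), "backtrack must succeed"
        return None

    return dfs(0, 0, [])


def replay(maze, path):
    """Re-run a recorded path on a fresh maze and report whether it ends on
    the exit; every step must succeed."""
    for name in path:
        if not getattr(maze, name)():
            return False
    return maze.win()


# Constructed sample maze (not the challenge's layout).
SAMPLE = [
    "#########",
    "#S..#...#",
    "#.#.#.#.#",
    "#.#...#.#",
    "#.#####.#",
    "#......E#",
    "#########",
]

BLOCKED = ["#####", "#S#E#", "#####"]   # exit walled off: explore() returns None

if __name__ == "__main__":
    path = explore(SimMaze(SAMPLE))
    print(len(path), "moves:", " ".join(path))
    done = SimMaze(SAMPLE)
    print("replay ok:", replay(done, path), "flag:", done.getFlag())
```

Because the contract holds a single position and offers no reset, the explorer has to walk back (call the opposite move) before trying another branch, which is why depth-first search with backtracking fits and a breadth-first search does not. The route it finds is therefore not necessarily the shortest. Against a live deployment every move is a transaction; if a blocked move reverts instead of returning false, the same logic applies with a try/except around the call.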