Events in May 2021: Blockchain Budapest 4.0 and CCTF

BDAY is organized again in 2021 with great talks, presentations and the CryptoCurrency (is) The Flag hacker game.

This is another chance to meet the best in the largest cryptocurrency and blockchain gathering of Central Europe. Topics as follow:

  • NFTs and their real values
  • DeFi and its future
  • Largest Hungarian Blockchain projects such as CCTF or ILGON
  • …and the first Satoshi Statue πŸ™‚
Website: https://blockchainbudapest.hu/

The presenters and those who own a VIP ticket will be able to take part in the networking. We hope to see you there!

Crypto Guide for Beginners: Start playing CCTF

Get started with crypto! This guide helps you to create your first Ethereum account and engage with smart contracts, dapps.

With our partners* and sponsors* we are organizing CCTF for the 5th and 6th time in 2021 May. Just like at the previous events, we are providing a guide for beginners. This helps you to get started with hacking Ethereum smart contracts.

It is recommended to move step by step. Follow this guide and you will understand the basic logic of cryptocurrencies, blockchain and smart contracts.

*Partners: CryptAll / H.A.C.K. / BsdiesBUD / BlockchainBudapest

*Sponsors: HODLbag / CasperLabs / MyCryptoSeed / ILGON

Vol 5. reward for the winners: ~$6000 in crypto (ETH and tokens) and some extra awards for those who are present at the conferences 😎

Vol6. rewards to be announced soon.

CCTF Vol5. registration (event finished): https://vol5.cryptoctf.org/

CCTF Vol5. starts on 18th May, at 9:15 and finishes at 16:00.

CCTF Vol6. registration: https://vol5.cryptoctf.org/register

CCTF Vol6. starts on 27th May, at 8:35 and finishes at 17:00.

Guide intro

Cryptocurrencies such as Bitcoin and Ethereum allow you to handle digital assets on decentralized networks. There is no central authority which can censor or block your account.

Accounts are stored in digital wallets, eg. “ethereum wallet”. If you use “Metamask ethereum wallet”, you have full access your wallet, meaning only you have the private keys that are needed to make transactions. The public part to share from this wallet is only your ethereum address. In fact, when you send 1 Ethereum to another person, to his address (into her/his wallet) what happens is that you sign a transaction with your private key that this 1 Ethereum no longer belongs to you, but to the other address. That’s it. The transaction gets propagated on the Ethereum network and miners verify that transaction.

Here are the screenshots in 3 steps of sending 1 Ethereum to another address:

No central bank or complicated legal processes: you have the power to make transactions anywhere in the world fast and with a few clicks. Also, none can block it. Follow this guide further and we will create your first Ethereum wallet.

But why Ethereum? Because you can do more with transaction: engage with smart contracts. Imagine coding a program that you upload to a decentralized network, it gets stored there and can be called anytime in the future. Or imagine a business that does not have physical contracts, just virtual ones on the blockchain. All these are secure as long as somebody successfully cheats/hacks the network consensus or exploits vulnerabilities in the smart contrats itself. It may sound complicated for the first, but it is not rocket science. Let’s start creating your wallet.

Creating a wallet

Most of the Ethereum hacks (breaking smart contracts, accessing accounts without or with weak authentication, phishing) do not require more than a web browser and a bit of coding skills. For the start, only a FireFox or a Chromium/Chrome web broswer is enough with the MetaMask addon. You can connect this wallet to the Ethereum test networks and play around.

  1. Open your FireFox or Chromium browser and install the MetaMask extension: https://metamask.io/. Currenly, MetaMask is the most commonly used software by end users to interact with Ethereum contracts (these are called “dapps”/”decentralized apps” too).
  2. After installing the extension, it either automatically opens up or you can open it from the top right bar in your browser.
  3. The first step of using MetaMask is to generate your wallet. At this point you are asked to provide a password. Preferably, use a passphrase that is like a sentence, but does not include words from dictionaries (example: “HaxxA11co|ns”). Choose wisely.
  4. Move on and read the phishing warning carefully!
  5. Finally you need to make sure the secret backup words that allows restoring the wallet is secured: of course in a place only you can access and see. For playing you can just use paper, but for real wallets with high balances it is better to write the words on something that can survive even if your house burns down (eg. MyCryptoSeed)
  6. All is set. Now you have an Ethereum wallet and inside: an Ethereum account.

Changing networks and faucets

MetaMask allows you to change between Ethereum networks. Please change to Ropsten Test Network and remember that the game will be played from there.

Faucets provide free Ethereum for you on the test networks. Now it is time to get some from: https://faucet.ropsten.be/ (if it does not work, you can find other Ropsten faucets online or contact the CCTF organizers).

Congratulations, you are ready: time to get into code and hacking!

Coding and compiling a smart contract

Let’s compile an example smart contract and interact with it. Open https://remix.ethereum.org/ where you get an example contract written in Solidity language. Remix website has an inbuilt compiler and if you click on “Start to compile” it will compile the code. Now you can swith to the “Run” tab. If you have MetaMask running, then you should see “Injected web3” in the environment.

MetaMask injects the so called web3.js into each website you visit, that way the website can communicate with MetaMask (also think about that: is it a good idea to inject to all sites?).

Deploying a smart contract

Make sure your MetaMask account is unlocked, switched to “Ropsten” and you got a coin from the faucet. Then click on “Deploy”.

MetaMask pops you up a transaction which is actually the deployment of the compiled smart contract to the Ropsten Ethereum test network. Now you may wonder what “gas fee” is? Gas limits the computational efforts of the smart contract, meaning you cannot deploy a computational heavy infinite loop for free. You can only use a smart contract if enough gas is provided. If you are ready, click on “Confirm”.

Wait until the transaction changes from “Pending” state to “Confirmed”. This is indicated in MetaMask. The network needs time to make sure your conract is broadcasted and mined successfully. If you click on the transaction, you have a button “View transaction on Etherscan”: click on it and have a look at what happened.

Interacting with the contract functions

By going back to https://remix.ethereum.org/ you can start playing with the “Deployed Contracts”, under the “Run” tab. You can call the deployed smart contract’s functions one by one. Each call you initiate takes a transaction. The executed code runs on all of the Ropsten Ethereum nodes.

Congratulations, you have compiled your first smart contract and interacted with it.

Congratulations!

You have seen the very basics and it is time to think about what else can go wrong… Weak passwords, MetaMask seeds all over the place, programmers making mistakes in smart contracts that you can call, logic, broken crypto problems and so on.

References, to learn more

Bitcoin white paper

Cryptography tutorial

Ethereum white paper

Ethereum beige paper (a readable version of the yellow paper)

History of Ethereum Security Vulnerabilities, Hacks and Their Fixes (2017 Sept.)

CCTF4 Hacktivity Writeups 3. (Final)

Foxy challenge

The data given was printable ASCII, which implied a fair chance that it was encrypted (or obfuscated) with a cipher that always outputs such characters. Two obvious suggestions come to mind: base64 and rot13. However, the ciphertext didn’t exactly look like any mainstream base64 output, nor the rot13 of anything reasonable; what other similar ciphers (or encodings) are there?

The key giveaway was the hint of “!47 -> 42”. The main part of the solution was to take the rot42 of the reverse rot47 of the data. This produced what looked like base64 output. It was the base64 of the flag.

Author: Mr. SI

Ethereum VM bytecode challenge

The task was to uncover the flag from a thing that looked like 0x6080… To those familiar with Ethereum smart contract programming, this thing is obviously Ethereum VM bytecode; for others, as a starting point: the problem said “sometimes the code is 404”.

Decompiling the bytecode using an Ethereum VM decompiler <https://ethervm.io/decompile>, we could discover the following:

1. The constructor is uninteresting, it just sets up the contract’s long-term code.
2. The reverse engineered long-term code contains:
function getflag() {
storage[0x01] = 0x0b47326dc54f49d6f674;
}
which looks like a giveaway.

But actually “0x0b47326dc54f49d6f674” wasn’t accepted as the flag. Unfortunately, the bytes therein don’t appear to encode anything sensible either. However:

3. The rest of the long-term code is also not really interesting: it has methods to plainly store and retrieve data.
4. There was no inclination about any deployments of this smart contract.

So one ought to have been baffled: the flag must really be somehow in that outstanding constant. It turns out that the number 0x0b47326dc54f49d6f674 was indeed the flag, but the system accepted it only in decimal format.

Author: Mr. SI

CCTF4 Hacktivity Writeups 2.

Don’t be eval

The task was to somehow break a specified website. The HTML markup of the website contained the text “Figwheel”. A quick web search will reveal that Figwheel is a software package for developing websites β€” liveΒΉ β€” in the Clojure programming language.

On the website, the only item of interest was the link anchored to the text “do you even REPL, bro?”: the URL contained an argument of “(cons 1 2)”, which looks like Clojure code (a lot like Lisp). Along with the challenge’s name of “Don’t be eval”, these all gave the suggestion that the web request’s single parameter was taken as Clojure code to be evaluated, and indeed it was.

Clojure has access to the full Java ecosystem, including IO functions. By sending in appropriate code snippets (in the URL parameter), it was possible to list the contents of the current directory; it contained a file called “flag.txt”. Then that file could be printed, which contained the flag.

ΒΉ to get a feel for what raz, the creator of this challenge, does for a living, see https://www.youtube.com/watch?v=XSIy8gmjmgY#t=1204s

Author: Mr. SI

Pwncoin challenge

For this challenge, a host was specified, and it was suggested that one ought to use Netcat. It was also blatantly stated that one should try overflowing the “meaning of life” (i.e. 42). The solution was to send an arbitrary string exactly of length 43 (not more, which might be weird, but is realistic), over a plain TCP connection; this revealed the flag.

On top of that β€” and this is something that even the creator of this challenge didn’t think about β€”, one could discover that the service served at most 1 client at a time, denying other connections while one is open. This permitted a shrewd contestant to prevent other contestants from even attempting to solve this challenge thereafter, by leaving a connection to the server hanging without submitting anything β€” it wasn’t me! :trollface.jpg:

Note from six for this solution: it was a wargame! πŸ™‚

Author: SI

Thank you SI for submitting the writeups!

CCTF4 Hacktivity Writeups 1.

We have received many requests for the CCTF game writeups. Here is the first one, the challenge was called “BIPolognese”. Be careful, spoilers follow.

Challenge: BIPolognese

BIPolognese (100 points)
Crypto Wojack (beginner)

Crypto Wojack was considerate again and made a cold backup of his wallet seed so Bogdanoff can't hak it again.
Meanwhile, he was lost in eating β‚Ώ10.000 pizza.

Look at that picture! Can you get the account address?

The hints

  1. The challenge’s name itself suggests a BIP seed
  2. Cold backup
    • These are copied somewhere offline, but before it is shown on the screen
  3. Doing something during eating
    • Crypto Wojack is doing something with the BIP seed and a wallet
  4. Look at the picture
    • You will find the BIP seed on the right laptop’s screen

The solution

Note the BIP44 seed words from the screen, open a web browser, install MetaMask.

After you have installed it, this screen will appear:

Choose the “Import wallet” option and use the seed phrase from the picture.

You find that the wallet it empty, but the flag is the first address as mentioned in the Rules.

Writeup by: six

Guide for CCTF4 Hacktivity

We have organized (Awalcon, H.A.C.K. and QAN) CCTF for the fourth time and decided to provide a beginner guide. This helps you to get started with hacking a Ethereum smart contract. While going through the guide you will understand more about the logic of cryptocurrencies, blockchain and smart contract. For the crypto only part, please refer to the links at the end of the post.

Guide intro

Cryptocurrencies such as Bitcoin and Ethereum allow you to handle digital assets on decentralized networks. In most cases the assests are simply coins, but here is where Ethereum can provide you more: smart contracts. Imagine coding a program that you broadcast once to a decentralized network, it gets stored on the blockchain and can be called anytime in the future. Or imagine a business that does not have physical contracts, just virtual ones. All these are secure as long as somebody successfully cheats the consensus or exploits vulnerabilities in contrats. It may sound complicated for the first, but it is not. Let’s see a practical example.

Creating a wallet

Most of the Ethereum hacks (breaking smart contracts, accessing accounts without or with weak authentication, phishing) do not require more than a web browser and a bit of coding skills. For the start, only a FireFox or a Chromium/Chrome web broswer will be enough to connect to the test network and to use an addon which allows interacting with (maybe) your first live smart contract.

Open your FireFox or Chromium browser and install the MetaMask extension: https://metamask.io/. Currenly, MetaMask is the most commonly used software by end users to interact with Ethereum systems. After getting the extension, it either automatically opens up or you can open it from the top right bar in your browser. The first step of using MetaMask is to generate a wallet. At this point you are asked to provide a password. Preferably, use a passphrase that is like a sentence, but does not include words from dictionaries (example: “HaxxA11co|ns”). Choose wisely. Move on and read the phishing warning carefully. Finally you need to make sure the secret backup phrase that allows restoring the wallet is secured somewhere, of course in a place only you can access and see.

All is set, now you have an Ethereum wallet, an account.

Changing networks and faucets

MetaMask allows you to change between Ethereum networks. Please change to Ropsten and note that the game will be played there too.

Faucets provide free Ethereum for you on the test networks. Now it is time to get some from: https://faucet.ropsten.be/ (if it does not work, you can find other Ropsten faucets).

Coding and compiling a smart contract

Let’s compile an example smart contract and interact with it. Open https://remix.ethereum.org/ where you get an example contract written in Solidity language. Remix website has an inbuilt compiler and if you click on “Start to compile” it will compile the code. Now you can swith to the “Run” tab. If you have MetaMask running, then you should see “Injected web3” in the environment.

MetaMask injects the so called web3.js into each website you visit, that way the website can communicate with MetaMask (also think about that: is it a good idea to inject to all sites?).

Deploying a smart contract

Make sure your MetaMask account is unlocked, switched to “Ropsten” and you got a coin from the faucet. Then click on “Deploy”.

MetaMask pops you up a transaction which is actually the deployment of the compiled smart contract to the Ropsten Ethereum test network. Now you may wonder what “gas fee” is? Gas limits the computational efforts of the smart contract, meaning you cannot deploy a computational heavy infinite loop for free. You can only use a smart contract if enough gas is provided. If you are ready, click on “Confirm”.

Wait until the transaction changes from “Pending” state to “Confirmed”. This is indicated in MetaMask. The network needs time to make sure your conract is broadcasted and mined successfully. If you click on the transaction, you have a button “View transaction on Etherscan”: click on it and have a look at what happened.

Interacting with the contract functions

By going back to https://remix.ethereum.org/ you can start playing with the “Deployed Contracts”, under the “Run” tab. You can call the deployed smart contract’s functions one by one. Each call you initiate takes a transaction. The executed code runs on all of the Ropsten Ethereum nodes.

Congratulations, you have compiled your first smart contract and interacted with it.

Congratulations

You have seen the very basics now and it is time to think about what can go wrong… Weak passwords, MetaMask seeds all over the place, programmers making mistakes in smart contracts that you can call, logic, broken crypto problems and so on.

References, to learn more

Bitcoin white paper

Cryptography tutorial

Ethereum white paper

Ethereum beige paper (a readable version of the yellow paper)

History of Ethereum Security Vulnerabilities, Hacks and Their Fixes (2017 Sept.)

CCTF3 – The official CTF game of Bday 3.0

CCTF is organized the third time, now for Bday 3.0 (Blockchain Day) which is one of the largest cryptocurrency related event in Central-Europe.

CCTF is a “Capture The Flag” game where the participants need to hack realistic challenges related to cryptography and cryptocurrencies. The best ones will get rewarded by some presents and QARK tokens, offered by QAN.

If you would like to participate, you can do so by registering here: https://cryptoctf.org/

What about the previous CCTF events? An archive will be created including all the three of them after the last finishes. It will be available on the CCTF’s website.

Who creates these events? The founder of the CCTF project is six from Awalcon who initiated it in 2019 by calling fellow hackers into the project. It is a joint project where the creators include not just Awalcon, but also members from H.A.C.K. and this year Silur from QAN.

six speaking at BDAY3.0 conference