✨ add challenges and solutions

Author: cairoeth

alienspaceship/.challengeignore

@@ -0,0 +1,8 @@
+challenge/project/broadcast/*
+challenge/project/cache/*
+challenge/project/out/*
+
+
+challenge/solve.py
+challenge/project/script/Solve.s.sol
+challenge/project/src/AlienSpaceship.sol

alienspaceship/README.md

@@ -0,0 +1,32 @@
+## Solution
+
+Alien Spaceship is hard EVM challenge which provides teams with the bytecode of a smart contract. Per the description, teams need to take over control of their spaceship and successfully `abortMission`.
+
+First, you can get the bytecode of the contract by using the eth_getCode RPC Method or simply copying the bytecode provided in the [deploy script](challenge/project/script/Deploy.s.sol). With this, you can use a decompiler. However, only a few decompilers work for this bytecode. [Here](https://app.dedaub.com/decompile?md5=60cad9a4c1fe82b05f6591dcceb5ecdb) is an example of using the Dedaub decompiler.
+
+With the decompiled contract, you can trace the steps needed to call the `abortMission` function. For easy reference, we will use the [AlienSpaceship](challenge/project/src/AlienSpaceship.sol) source contract.
+
+As we can see from the `abortMission` function, the criteria to call this function is:
+
+- `distance()` must be less than 1_000_000 * 10**18
+- `payloadMass` must be less than 1_000 * 10**18
+- `numArea51Visits` must be greater than 0
+- `msg.sender` must have code (i.e. be a smart contract not calling from constructor)
+
+The `distance()` function calls the `_calculateDistance` function passing three points stored in the contract: x, y and z. The calculation function employs the L1 norm (also known as the Manhattan distance or taxicab geometry) -- for each coordinate, the function computes its absolute value using the `_abs` helper function. The purpose of using absolute values is to ensure distance is always considered as a positive quantity, regardless of the direction. Then, the distance is calculated as the sum of the absolute values of the x, y, and z coordinates, a way of measuring distance in a grid-based path.
+
+To pass the first check, the return of the calculation must be less than 1_000_000 * 10**18. If we look for modifications to the position points, we notice that the `visitArea51` function sets the position points to high values exceeding the criteria. However, the `jumpThroughWormhole` function let's us choose the points. Therefore, we know that the `visitArea51` function must be called before the `jumpThroughWormhole` function.
+
+Both mentioned functions require the `msg.sender` to have the `CAPTAIN` role. In order to get this, we can look at the `applyForPromotion` function which allows us to pass a role that we want to get promoted to. However, the first check requires us to already have the `PHYSICIST` role before `CAPTAIN`. To get the former role, we can use the `applyForJob` function but, similarly, this function requires us to have the `ENGINEER` role before. We can simply get the latter role by calling teh `applyForJob` function in the start.
+
+To get the `PHYSICIST` role, the AlienSpaceship contract must hold the `ENGINEER` role as well. If we check the `runExperiment` function, we notice that there's a way we can make the contract call itself which can be used to call the `applyForJob` function like we did. 
+
+Once the contract has the `ENGINEER` role, we can call the `applyForJob` function and claim the `PHYSICIST` role. Going back to the `applyForPromotion` function, we have another check to pass: 12 seconds must pass between our promotion to `PHYSICIST` and our call to `applyForPromotion`. Thefore, we need to separate the solve script into two transactions to pass this check.
+
+The next check in the function verifies that we have enabled the `enabledTheWormholes` variable. To do so, we need to call the `enableWormholes` function as soon as we obtain the `PHYSICIST` role and before calling the `applyForPromotion` function. The `enableWormholes` function needs to be called by an EOA (Externally Owned Account) or under specific conditions that relate to the presence of contract code (i.e. calling in constructor). Calling in constructor also makes it easier for us to split the solve into two parts to bypass the other check mentioned before.
+
+At this point, we should have the `CAPTAIN` role allowing us to call the `visitArea51` and `jumpThroughWormhole` functions. The `visitArea51` function takes a `secret` parameter, which must be 51 - the address of the caller in uint160 format (allowing this calculation to overflow). This function will increment our number of visits to Area 51, passing one of the remaining cheks in the `abortMission` function. Aditionally, it will increase our position numbers, so we need to call the `jumpThroughWormhole` function to set them to the desired values that pass the check. 
+
+This function requires one of the last checks to pass: that the payload mass of the ship is less than 1_000 * 10 ** 18. To do so, we need to call the `dumpPayload` function some time before passing the right amount. Now we can call the `jumpThroughWormhole` function passing values that pass the distance check in the `abortMission` function.
+
+Now, we can call the `abortMission` function and get the flag!

alienspaceship/challenge.yaml

@@ -0,0 +1,18 @@
+apiVersion: kctf.dev/v1
+kind: Challenge
+metadata:
+  name: alienspaceship
+  annotations:
+    type: PWN
+    name: Alien Spaceship
+    description: "You have hacked into an alien spaceship and stolen the bytecode that controls their spaceship. They are on a mission to attack your home planet. Luckily for you their spaceship runs on the EVM. Take over control of their spaceship and successfully `abortMission`."
+    author: "steventhornton"
+    tags: "pwn"
+    flag: "OZCTF{Th1s_miSs10n_d3S3rv3s_1tS_0Wn_M0v13}"
+spec:
+  deployed: true
+  powDifficultySeconds: 0
+  network:
+    public: true
+  healthcheck:
+    enabled: false

alienspaceship/challenge/Dockerfile

@@ -0,0 +1,33 @@
+FROM ghcr.io/foundry-rs/foundry:latest AS foundry
+
+COPY project /project
+
+# artifacts must be the same path
+RUN true && \
+    cd /project && \
+    forge build --out /artifacts/out --cache-path /artifacts/cache && \
+    true
+
+FROM ghcr.io/openzeppelin/ctf-infra:latest as chroot
+
+# ideally in the future, we can skip the chowns, but for now Forge wants to write the cache and broadcast artifacts
+
+USER 1000
+WORKDIR /home/user
+
+COPY --chown=user:user . /home/user/challenge/
+
+COPY --from=foundry --chown=user:user /artifacts /artifacts
+
+FROM gcr.io/paradigmxyz/ctf/kctf-challenge:latest
+
+VOLUME [ "/chroot", "/tmp" ]
+
+COPY --from=chroot / /chroot
+
+# nsjail help
+RUN touch /chroot/bin/kctf_restore_env && touch /chroot/environ
+
+CMD kctf_setup && \
+    kctf_persist_env && \
+    kctf_drop_privs socat TCP-LISTEN:1337,reuseaddr,fork EXEC:"nsjail --config /nsjail.cfg -- /bin/kctf_restore_env /usr/local/bin/python3 -u challenge/challenge.py"

alienspaceship/challenge/challenge.py

@@ -0,0 +1,16 @@
+from typing import Dict
+
+from ctf_launchers.pwn_launcher import PwnChallengeLauncher
+from ctf_server.types import LaunchAnvilInstanceArgs
+
+BLOCK_TIME = 12
+
+class Challenge(PwnChallengeLauncher):
+    def get_anvil_instances(self) -> Dict[str, LaunchAnvilInstanceArgs]:
+        return {
+            "main": self.get_anvil_instance(
+                block_time=BLOCK_TIME,
+            ),
+        }
+
+Challenge().run()

alienspaceship/challenge/docker-compose.yml

@@ -0,0 +1,19 @@
+name: paradigm-ctf-challenge
+services:
+  launcher:
+    container_name: challenge
+    image: challenge
+    build:
+      context: .
+      target: chroot
+    command: socat TCP-LISTEN:1337,reuseaddr,fork exec:"python3 -u challenge/challenge.py"
+    expose:
+      - 1337
+    ports:
+      - "1337:1337"
+    networks:
+      - ctf_network
+networks:
+  ctf_network:
+    name: paradigmctf
+    external: true

alienspaceship/challenge/project/.gitignore

@@ -0,0 +1,3 @@
+broadcast/
+cache/
+out/

alienspaceship/challenge/project/foundry.toml

@@ -0,0 +1,11 @@
+[profile.default]
+src = 'src'
+libs = ['lib']
+fs_permissions = [{ access = 'read-write', path = '/'}]
+
+remappings = [
+    "forge-std=lib/forge-std/src",
+    "forge-ctf=lib/forge-ctf/src",
+]
+
+# See more config options https://github.com/foundry-rs/foundry/tree/master/config

alienspaceship/challenge/project/lib/forge-ctf/src/CTFDeployment.sol

@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity >=0.6.2 <0.9.0;
+
+import "forge-std/Script.sol";
+
+abstract contract CTFDeployment is Script {
+    function run() external {
+        address player = getAddress(0);
+        address system = getAddress(1);
+
+        address challenge = deploy(system, player);
+        
+        vm.writeFile(vm.envOr("OUTPUT_FILE", string("/tmp/deploy.txt")), vm.toString(challenge));
+    }
+
+    function deploy(address system, address player) virtual internal returns (address);
+    
+    function getAdditionalAddress(uint32 index) internal returns (address) {
+        return getAddress(index + 2);
+    }
+
+    function getPrivateKey(uint32 index) private returns (uint) {
+        string memory mnemonic = vm.envOr("MNEMONIC", string("test test test test test test test test test test test junk"));
+        return vm.deriveKey(mnemonic, index);
+    }
+
+    function getAddress(uint32 index) private returns (address) {
+        return vm.addr(getPrivateKey(index));
+    }
+}

alienspaceship/challenge/project/lib/forge-ctf/src/CTFSolver.sol

@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity >=0.6.2 <0.9.0;
+
+import "forge-std/Script.sol";
+
+abstract contract CTFSolver is Script {
+    function run() external {
+        uint256 playerPrivateKey = vm.envOr("PLAYER", uint256(0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80));
+        address challenge = vm.envAddress("CHALLENGE");
+
+        vm.startBroadcast(playerPrivateKey);
+
+        solve(challenge, vm.addr(playerPrivateKey));
+
+        vm.stopBroadcast();
+    }
+
+    function solve(address challenge, address player) virtual internal;
+}

alienspaceship/challenge/project/lib/forge-std/.github/workflows/ci.yml

@@ -0,0 +1,134 @@
+name: CI
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Foundry
+        uses: onbjerg/foundry-toolchain@v1
+        with:
+          version: nightly
+
+      - name: Print forge version
+        run: forge --version
+
+      # Backwards compatibility checks:
+      # - the oldest and newest version of each supported minor version
+      # - versions with specific issues
+      - name: Check compatibility with latest
+        if: always()
+        run: |
+          output=$(forge build --skip test)
+
+          if echo "$output" | grep -q "Warning"; then
+            echo "$output"
+            exit 1
+          fi
+
+      - name: Check compatibility with 0.8.0
+        if: always()
+        run: |
+          output=$(forge build --skip test --use solc:0.8.0)
+
+          if echo "$output" | grep -q "Warning"; then
+            echo "$output"
+            exit 1
+          fi
+
+      - name: Check compatibility with 0.7.6
+        if: always()
+        run: |
+          output=$(forge build --skip test --use solc:0.7.6)
+
+          if echo "$output" | grep -q "Warning"; then
+            echo "$output"
+            exit 1
+          fi
+
+      - name: Check compatibility with 0.7.0
+        if: always()
+        run: |
+          output=$(forge build --skip test --use solc:0.7.0)
+
+          if echo "$output" | grep -q "Warning"; then
+            echo "$output"
+            exit 1
+          fi
+
+      - name: Check compatibility with 0.6.12
+        if: always()
+        run: |
+          output=$(forge build --skip test --use solc:0.6.12)
+
+          if echo "$output" | grep -q "Warning"; then
+            echo "$output"
+            exit 1
+          fi
+
+      - name: Check compatibility with 0.6.2
+        if: always()
+        run: |
+          output=$(forge build --skip test --use solc:0.6.2)
+
+          if echo "$output" | grep -q "Warning"; then
+            echo "$output"
+            exit 1
+          fi
+
+      # via-ir compilation time checks.
+      - name: Measure compilation time of Test with 0.8.17 --via-ir
+        if: always()
+        run: forge build --skip test --contracts test/compilation/CompilationTest.sol --use solc:0.8.17 --via-ir
+
+      - name: Measure compilation time of TestBase with 0.8.17 --via-ir
+        if: always()
+        run: forge build --skip test --contracts test/compilation/CompilationTestBase.sol --use solc:0.8.17 --via-ir
+
+      - name: Measure compilation time of Script with 0.8.17 --via-ir
+        if: always()
+        run: forge build --skip test --contracts test/compilation/CompilationScript.sol --use solc:0.8.17 --via-ir
+
+      - name: Measure compilation time of ScriptBase with 0.8.17 --via-ir
+        if: always()
+        run: forge build --skip test --contracts test/compilation/CompilationScriptBase.sol --use solc:0.8.17 --via-ir
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Foundry
+        uses: onbjerg/foundry-toolchain@v1
+        with:
+          version: nightly
+
+      - name: Print forge version
+        run: forge --version
+
+      - name: Run tests
+        run: forge test -vvv
+
+  fmt:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Foundry
+        uses: onbjerg/foundry-toolchain@v1
+        with:
+          version: nightly
+
+      - name: Print forge version
+        run: forge --version
+
+      - name: Check formatting
+        run: forge fmt --check

alienspaceship/challenge/project/lib/forge-std/.github/workflows/sync.yml

@@ -0,0 +1,29 @@
+name: Sync Release Branch
+
+on:
+  release:
+    types:
+      - created
+
+jobs:
+  sync-release-branch:
+    runs-on: ubuntu-latest
+    if: startsWith(github.event.release.tag_name, 'v1')
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: v1
+
+      - name: Configure Git
+        run: |
+          git config user.name github-actions[bot]
+          git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+
+      - name: Sync Release Branch
+        run: |
+          git fetch --tags
+          git checkout v1
+          git reset --hard ${GITHUB_REF}
+          git push --force

alienspaceship/challenge/project/lib/forge-std/.gitignore

@@ -0,0 +1,4 @@
+cache/
+out/
+.vscode
+.idea

alienspaceship/challenge/project/lib/forge-std/.gitmodules

@@ -0,0 +1,3 @@
+[submodule "lib/ds-test"]
+	path = lib/ds-test
+	url = https://github.com/dapphub/ds-test