Challenge 1

Where is the Flag?
You must find a hidden clue within a deployed smart contract. This clue is stored in global storage and can be uncovered by analyzing one of the contract’s transactions.

What do you do after you find the flag?
Once decrypted, the clue reveals a wallet address. You must then send 1 Algo token to this address. Ideally this should be sent programmatically.

Where are all these transactions happening?
Algorand Testnet
Smart contract ID: 718383248

Resource
https://developer.algorand.org/docs/get-details/dapps/smart-contracts/apps/state/

Solution to Challenge #1

Challenge 2

Find the Hidden Flag

Your task is to uncover a hidden clue within six different strings. This clue is encrypted and requires deciphering using substitution cipher techniques.

Steps to Follow

1. Decipher the Clue:

• Analyze the six strings provided.
• Use any substitution cipher method to decrypt the clue.

2. After Deciphering:

• The decrypted clue will reveal an asset ID.
• Use this asset ID to send an opt-in transaction for the corresponding NFT.

3. Transaction Requirements:

• Execute the transaction using the wallet created in “Capture the Flag Challenge #1” or a new wallet.
• Ideally, perform the transaction programmatically.

Platform:

All transactions are to be conducted on the Algorand Testnet.

Strings to Decipher:

NJMLQSORQ

QOLSRJNQM

QLJNROSMQ

JLQRNMOSQ

JNQSQORLM

NQSJMROQL

Good luck deciphering and executing the transaction!

Solution to Challenge #2

Challenge 3

1. Find the corresponding letter/number using Asset ID from the wallet address.
   1. The index begins with the first character. i.e. 2 from the wallet address
   2. First three characters from asset id will constitute: ZA2
   3. You have to continue for all the numbers from asset id and form a string of 9 characters/numbers from the wallet address

2. Now use this key to encrypt the message given below:
   1. Message: Algorand uses Pure Proof of Stake Algorithm.
   2. Reference website: https://www.devglan.com/online-tools/hmac-sha256-online

3. Now send an ALGO to the given wallet address but with a note of the encrypted string generated from the second step.
   1. Sample Code: https://github.com/algorand/py-algorand-sdk/blob/examples/examples/overview.py#L39-L49

Clue 1

Address found from Challenge 1:

2JAZQO6Z5BCXFMPVW2CACK2733VGKWLZKS6DGG565J7H5NH77JNHLIIXLY

 Clue 2

Asset ID found from Challenge 2:

720485937

Solution to Challenge #3

Challenge 4

1. This challenge involves finding a nonce value to produce a specific hash pattern.

    

2. The base string to hash is: Algorand is a carbon negative platform. (including the period)
    
3. The process involves:
   • • Concatenating the base string with a nonce (e.g., “Algorand is a carbon negative platform.1”)
     • Hashing the result using SHA-256
     • Checking if the hash contains the pattern “abc23”
     • Reference Link: https://andersbrownworth.com/blockchain/hash
4.  In the generated hash you need to find the following pattern which can be found using the first occurrence of the correct number.
   • • Pattern to find: abc23
     • Ex: 4ed163a7151d9c5726a5cf30a558831e26367a027cbe932db927c669d9418a07 (Pattern in Bold letters found in the example given above)
     • You need to continue finding the correct number which will produce the pattern in the Hash and that number is the answer.
5. Once found, the nonce should be used to interact with a smart contract
   (Application ID: 723522691) using the ABI file provided here: https://docs.google.com/document/d/1EoYtBEmnxgmfyglLjMJFZ_JzjiKwixPmZ0_TF_Xb_yQ/edit?usp=sharing. In your interaction you will need to send the nonce that you have found.  If correct, you will receive a confirmation message.

    

6. Take a screen shot of your success screen and submit your information here
   https://forms.gle/q1AkKCFfSeP3GVmN6 

Good luck!

Solution to Challenge #4

Challenge 5

1. Call the First Function passthenumber with the nonce argument received from CTF-4 which will provide you with the name of the next function to be called in the output.
   a. Second Function name as an output parameter.
   
   
2. The second function requires the input parameter as the Block number which was created when the creator deployed 723522691 (Smart Contract ID).
   a. Spend some time on Lorakit explorer to get the Block number.

   b. Once you have the Block number:
   [i]  Call the function second function. If the Block number is correct you will get the third function name. Save this function name.
   [ii] Then call a NodeJS API to get a random block number.
   – API URL: https://random-number-api-ten.vercel.app/api/random-number

   c. Traverse through that Block number found in previous step to find out the transaction details from that Block.

   d. If there are no transactions in the Block, continue to traverse forward or backward till the time a Block is found with transactions.

   e. Once you find the Block, list all the application calls transactions registered in that Block and collect the first letter/number of the said transactions and create a string.

   f. Final step:
   [i]  Pass this Block number as an argument to the third function which will store the Block number in the global storage of the Smart Contract (724753783). Submit the transaction ID to the provided Google Form.
   [ii] Store in the global storage of your smart contract and submit the transaction to the provided Google Form.

   g. Register the transaction ID with your wallet ID in the Google form: https://forms.gle/Qpmo97Co5mi2P6826

   h. Note to developers: 
   [i]  This time no arc32 json will be provided for the Smart contract ID.
   [ii] Only input and output parameters will be provided and upon finishing step(s), the function name will be revealed.
   [iii] If you haven’t participated in CTF-4, you can find the number for Step 1 in the video provided on the site as a solution to CTF-4. 

   Details for developers:
   – Application ID: 724753783

   – First Function: passthenumber
       – Input parameter – Uint64 (nonce)
       – Output parameter – String

   – Second Function: Name will be received as an output parameter from the first function.
        – Input parameter – Uint64 (blocknum)
        – Output parameter – String

   – Third Function: Name will be received as an output parameter from the second function.
        – Input parameter – Uint64 (blocknum)
        – Output parameter – String

   – Random Block Number API: https://random-number-api-ten.vercel.app/api/random-number

   Good luck!

Solution to Challenge #5

Challenge 6

1. You are invited to explore algokit commands and find a command to list the wallet called Deployer, which is a default wallet in the sandbox environment.
   1. Ex. algokit -h
2. Find the next command to export the Deployer wallet to get the mnemonic of the wallet address.
3. Now use the first command and pass as an argument to validcommand function from <applicationid>.
4. The result of this call will provide the next function name to be called.
5. This function will take the second command (to export the wallet without the wallet address) as an argument and will return the next function name.
6. Using the DEPLOYER wallet address the developers should generate an asset ID with the first word from the mnemonic phrase as a name.
   1. Ex. Mnemonic – Pull cart ground….
   2. Asset Name: Pull
7. You will now need to generate a compound transaction using a newly created wallet address, and the steps are as follows:
   1. The newly generated wallet should be funded by any master wallet having test Algos.
   2. An opt-in transaction should be generated from the same wallet to the DEPLOYER wallet for the asset created in step 6.
   3. Transfer the same asset to the newly generated wallet.
   4. Collect this transaction ID and pass it as an input parameter to the last function name received from step 4. 

• Details for Developers:
  • Application ID – 728873663
  • First Function: validcommand
    • Input parameter – String
    • Output parameter – String
  • Second Function: Name will be received as an output parameter from first function
    • Input parameter – String
    • Output parameter – String
  • Third Function: Name will be received as an output parameter from second function
    • Input parameter – String
    • Output parameter – None
  • Google Form Details: https://forms.gle/iJhYMeRToPmAx3vr8
    • DEPLOYER wallet address
    • Asset ID (step 6)
    • Transaction ID (step 7)

Good luck!