Jan 09, 2024
MoveCTF 2024 Guide
Welcome to MoveCTF 2024, an online security competition set to be a part of the 2024 Move Developer Conference. Organized by MoveBit, one of the earliest contributors to the Move ecosystem, in partnership with ChainFlag, MoveFuns, and OpenBuild, and exclusively sponsored and supported by the Sui Foundation, this event offers an immersive narrative experience for Move ecosystem developers.
The competition runs from January 12th to 14th, 2024, lasting a gripping 48 hours, and is held entirely online. This guide provides a comprehensive walkthrough of MoveCTF 2024, ensuring a thorough understanding for participants. Get ready for an all-encompassing tutorial on joining and navigating through this exciting challenge!
1. Register for a MoveCTF account and log in.
Open the MoveCTF 2024 website (movebit.xyz), then click the registration button in the top right corner.
Then, complete the registration process according to the requirements in the following image. Please use your real email address for registration.
After completing the registration, a verification email will be sent to your inbox. Click on the link in the email to complete the verification process. Then, you can use this account to log in.
2. Create (Join) a team
As this competition allows team participation, participants can join an existing team or create their own (as shown in the following image).
If you don’t want to join a team immediately after registration, you can also click the ‘Teams’ button in the top right corner of the website to proceed later.
(1) To join a team, you need to enter the correct team name and team password. Each team can have a maximum of two players.
(2) To create a team, set the team name and team password. Share this information with your teammates so they can join your team.
After joining or creating a team, you can see the team members and their scores.
The four buttons in the following image can be used to edit team information, select a team leader, obtain a team-sharing link, and delete the team.
Note that once you have earned points, you cannot disband the team on your own. If you need to disband the team, please contact the staff.
3. Click on the ‘Challenges’ button to enter the challenges page
4. Start solving the challenges.
Participants can use various development tools to complete challenges, such as SUI Console/Explorer, git, editors, etc. Click on ‘checkin’ to start the challenge.
5. Read the challenge introduction and switch to the required network environment. Use the curl command to obtain test tokens for your account, then click on the link below to open a new session window with more detailed information about the question.
Here is a brief demonstration of how to obtain test coins through the command line. For detailed explanations of the following operations, refer to the ‘sui API’ and ‘sui CLI’ sections under References Overview in the Sui Documentation.
(1) Switch the current environment to the devnet environment.
sui client switch --env devnet
(2) View the current account
sui client active-address
(3) We use the curl command to send an RPC request to the devnet faucet to obtain test tokens. Replace ‘<--YOUR_ACCOUNT_ADDRESS-->’ with your account address. Then, execute this command in the command line to get test tokens.
This command is also mentioned in the official SUI documentation: Get SUI Tokens | Sui Documentation
curl --location --request POST "https://faucet.devnet.sui.io/gas" \
  --header "Content-Type: application/json" \
  --data-raw '{"FixedAmountRequest":{"recipient":"<--YOUR_ACCOUNT_ADDRESS-->"}}'
A successful invocation will return a series of transaction details (as shown in the following image)
Then, click the link to proceed to the next step
6. In a new session window, following the instructions provided in the question, click on the ‘Deploy’ button at the bottom to create a new account and automatically deploy a challenge contract.
After clicking ‘Deploy,’ the transaction hash for deploying the contract and the packageId will appear below (as shown in the following image).
7. Step Two: Participants begin solving challenges
If participants want to view transaction information, they can use the curl command to directly call the ‘sui_getTransactionBlock’ method of the SUI API. Provide the transaction hash as a parameter, as shown in the following image.
For a more detailed introduction to the SUI API, you can visit the following link:
Sui API Reference | Sui Documentation
Alternatively, participants can directly use ‘sui explore’ to select the devnet network and view detailed information by providing the transaction hash.
In the Description, we have provided the GitHub link for the challenge contract. Participants can open the link to view the contract information.
In the ‘checkIn’ challenge, you can directly call the ‘get_flag()’ function. You can interact with the deployed contract using the SUI CLI.
You can find more commands in the official SUI documentation or by using ‘sui client --help’ in the console.
Run the following command in the console:
sui client call --function get_flag \
  --package <The packageId generated in the previous step> \
  --module checkin --gas-budget 10000000
Successfully invoking the ‘get_flag()’ function in the contract triggers the Flag event. Then, submit the transaction hash for this operation to obtain the flag.
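The ‘sui_getTransactionBlock’ lookup and the Flag event check described in this step can be combined in one script. This is an added example, not part of the original guide or the challenge code: it assumes the public devnet full node URL and an event type of the form <packageId>::checkin::Flag, and the sample digest and response are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the MoveCTF guide): inspect a devnet transaction and
# confirm it emitted the challenge's Flag event before submitting its hash.
RPC_URL="${RPC_URL:-https://fullnode.devnet.sui.io:443}"  # Sui devnet full node

# Constructed sample values so the script can be exercised offline.
SAMPLE_DIGEST='2ExampLeDigestConstructedForThisGuide1234567'
SAMPLE_RESPONSE='{"jsonrpc":"2.0","id":1,"result":{"digest":"2ExampLeDigestConstructedForThisGuide1234567","effects":{"status":{"status":"success"}},"events":[{"type":"0xabc123::checkin::Flag","parsedJson":{"flag":true}}]}}'

# A transaction digest is 32 bytes in Base58: 32-44 characters, never 0 O I l.
# Rejecting anything else keeps quotes and braces out of the JSON built below.
is_digest() {
  case "$1" in
    ''|*[!1-9A-HJ-NP-Za-km-z]*) return 1 ;;
  esac
  [ "${#1}" -ge 32 ] && [ "${#1}" -le 44 ]
}

# Print the JSON-RPC body for sui_getTransactionBlock with effects and events.
build_request() {
  is_digest "$1" || { echo "not a transaction digest: $1" >&2; return 1; }
  printf '{"jsonrpc":"2.0","id":1,"method":"sui_getTransactionBlock","params":["%s",{"showEffects":true,"showEvents":true}]}' "$1"
}

# POST the request to the full node and print the raw JSON response.
get_tx() {
  body=$(build_request "$1") || return 1
  curl --silent --show-error --fail --location --request POST "$RPC_URL" \
    --header "Content-Type: application/json" --data-raw "$body"
}

# Read a response on stdin; succeed only if the transaction executed and an
# event of type <packageId>::checkin::Flag is present (type name is assumed).
has_flag_event() {
  resp=$(cat)
  printf '%s' "$resp" | grep -Eq '"status" *: *"success"' &&
    printf '%s' "$resp" | grep -Eq '"type" *: *"0x[0-9a-f]+::checkin::Flag"'
}

# Usage: ./check_tx.sh <transaction digest>
if [ "$#" -gt 0 ]; then
  if get_tx "$1" | has_flag_event; then echo "Flag event found"
  else echo "no Flag event in $1" >&2; exit 1; fi
fi
```

The grep patterns are a dependency-free check; where jq is installed, selecting on .result.events[].type is more robust.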
8. Step Three: Obtain the flag
9. The final step is to submit the flag. Only successful submissions will earn a point.
10. Proceed to solve the next challenge.
For the subsequent challenges, you can continue to refer to the steps mentioned above to solve them.
About MoveBit
MoveBit is a blockchain security company that specializes in the Move Ecosystem. We are at the forefront of utilizing cutting-edge Formal Verification techniques. The team comprises security professionals with extensive experience in both academia and enterprise. As one of the earliest contributors to the Move ecosystem, we have collaborated closely with Move developers to establish security standards for secure Move applications, making it the most secure Web3 destination.
- Website: https://www.movebit.xyz/
- Twitter: https://twitter.com/movebit_