Jan 09, 2024
MoveCTF 2024 Guide
Welcome to MoveCTF 2024, an online security competition set to be a part of the 2024 Move Developer Conference. Organized by MoveBit, one of the earliest contributors to the Move ecosystem, in partnership with ChainFlag, MoveFuns, and OpenBuild, and exclusively sponsored and supported by the Sui Foundation, this event offers an immersive narrative experience for Move ecosystem developers.
The competition kicks off from January 12th to 14th, 2024, and will last for a gripping 48 hours, held entirely online. This guide provides a comprehensive walkthrough of the MoveCTF 2024, ensuring a thorough understanding for participants. Get ready for an all-encompassing tutorial on joining and navigating through this exciting challenge!
Open the MoveCTF website link MoveCTF 2024 (movebit.xyz), then click the registration button in the top right corner.
Then, complete the registration process according to the requirements in the following image. Please use your real email address for registration
After completing the registration, a verification email will be sent to your inbox. Click on the link in the email to complete the verification process. Then, you can use this account to log in.
As this competition allows team participation, participants can join an existing team or create their own (as shown in the following image).
If you don’t want to join a team immediately after registration, you can also click the ‘Teams’ button in the top right corner of the website to proceed later.
(1) To join a team, you need to enter the correct team name and team password. Each team can have a maximum of two players.
(2) To create a team, set the team name and team password. Share this information with your teammates so they can join your team.
After joining or creating a team, you can see the team members and their scores
The four buttons in the following image can be used to edit team information, select a team leader, obtain a team-sharing link, and delete the team.
Note that once you have earned points, you cannot disband the team on your own. If you need to disband the team, please contact the staff.
Participants can use various development tools to complete challenges, such as SUI Console/Explorer, git, editors, etc. You can click on the ‘checkin’ to start the challenge.
5. Read the challenge introduction, switch to the network environment, participants invoke the curl command to obtain test tokens for their accounts, then click on the link below to open a new session window for more detailed information about the question.
Here is a brief demonstration of how to obtain test coins through the command line. For detailed explanations of the following operations, you can refer to the References Overview | Sui Documentation section in the Sui Documentation, specifically under the ‘sui API’ and ‘sui CLI’ sections.
(1) Switch the current environment to the devnet environment.
sui client switch --env devnet
(2) View the current account
sui client active-address
(3) We use the curl command to send an RPC request to the devnet faucet to obtain test tokens. Replace ‘<–YOUR_ACCOUNT_ADDRESS–>’ with your account address. Then, execute this command in the command line to get test tokens.
This command is also mentioned in the official SUI documentation: Get SUI Tokens | Sui Documentation
curl --location --request POST "https://faucet.devnet.sui.io/gas" --header
A successful invocation will return a series of transaction details (as shown in the following image)
Then, click the link to proceed to the next step
6. In a new session window, following the instructions provided in the question, click on the ‘Deploy’ button at the bottom to create a new account and automatically deploy a challenge contract.
After clicking ‘Deploy,’ the transaction hash for deploying the contract and the packageId will appear below (as shown in the following image).
If participants want to view transaction information, they can use the curl command to directly call the ‘sui_getTransactionBlock’ method of the SUI API. Provide the transaction hash as a parameter, as shown in the following image.
For a more detailed introduction to the SUI API, you can visit the following link:
Alternatively, participants can directly use ‘sui explore’ to select the devnet network and view detailed information by providing the transaction hash
In the Description, we have provided the GitHub link for the challenge contract. Participants can open the link to view the contract information.
In the ‘checkIn’ challenge, you can directly call the ‘get_flag()’ function. You can interact with the deployed contract using the SUI CLI.
You can find more commands in the official SUI documentation or by using ‘sui client –help’ in the console.
Run the following command in the console:
sui client call --function get_flag
--package <The packageId generated in the previous step> --module
checkin --gas-budget 10000000
Successfully invoking the ‘get_flag()’ function in the contract triggers the Flag event. Then, submit the transaction hash for this operation to obtain the flag.
For the subsequent challenges, you can continue to refer to the steps mentioned above to solve them.
MoveBit is a blockchain security company that specializes in the Move Ecosystem. We are at the forefront of utilizing cutting-edge Formal Verification techniques. The team comprises security professionals with extensive experience in both academia and enterprise. As one of the earliest contributors to the Move ecosystem, we have collaborated closely with Move developers to establish security standards for secure Move applications, making it the most secure Web3 destination.