~/

BreizhCTF 2025 - Welcome Game [blockchain]

Welcome Game writeup, BreizhCTF 2025.

Difficulty : Very Easy

Team : So what if I’m a Phreaks 2600

Description : Bienvenue au BreizhCTF 2025 ! Pour commencer, nous allons jouer à un jeu, trouvez un moyen de réussir à gagner la partie pour obtenir le flag.

Author : K.L.M

TL;DR

  • Notice that it’s a sudoku grid
  • Use an online solver
  • Submit the sudoku solution and get the flag

Introduction

We were given a solidity file with a 2-dimensions array of 9 lines and 9 columns. It was possible to submit an array with the same dimensions to submitSolution() and several checks were done to verify if we got the right solution, if yes, the challenge is solved.

Here is the challenge source code :

Challenge.sol 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

// Author : K.L.M 
// Difficulty : Easy

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Challenge {
    bool public solved;
    uint8[9][9] public initialGrid;
    
    constructor() {
        solved = false;
        initialGrid = [
            [5, 3, 0, 0, 7, 0, 0, 0, 0],
            [6, 0, 0, 1, 9, 5, 0, 0, 0],
            [0, 9, 8, 0, 0, 0, 0, 6, 0],
            [8, 0, 0, 0, 6, 0, 0, 0, 3],
            [4, 0, 0, 8, 0, 3, 0, 0, 1],
            [7, 0, 0, 0, 2, 0, 0, 0, 6],
            [0, 6, 0, 0, 0, 0, 2, 8, 0],
            [0, 0, 0, 4, 1, 9, 0, 0, 5],
            [0, 0, 0, 0, 8, 0, 0, 7, 9]
        ];
    }

    function submitSolution(uint8[9][9] memory solution) public {

        if (isValidSolution(solution)) {
            solved = true;
        }
    }

    function isValidSolution(uint8[9][9] memory solution) internal view returns (bool) {
        for (uint8 i = 0; i < 9; i++) {
            for (uint8 j = 0; j < 9; j++) {
                if (initialGrid[i][j] != 0 && solution[i][j] != initialGrid[i][j]) {
                    return false;
                }
            }
        }

        for (uint8 i = 0; i < 9; i++) {
            if (!isUnique(solution[i])) return false;
            if (!isUnique(getColumn(solution, i))) return false;
        }

        for (uint8 i = 0; i < 3; i++) {
            for (uint8 j = 0; j < 3; j++) {
                if (!isUnique(getSubgrid(solution, i * 3, j * 3))) return false; 
            }
        }

        return true;
    }

    function isUnique(uint8[9] memory arr) internal pure returns (bool) {
        bool[10] memory seen;
        for (uint8 i = 0; i < 9; i++) {
            if (arr[i] < 1 || arr[i] > 9 || seen[arr[i]]) {
                return false;
            }
            seen[arr[i]] = true;
        }
        return true;
    }

    function getColumn(uint8[9][9] memory grid, uint8 col) internal pure returns (uint8[9] memory) {
        uint8[9] memory column;
        for (uint8 i = 0; i < 9; i++) {
            column[i] = grid[i][col];
        }
        return column;
    }

    function getSubgrid(uint8[9][9] memory grid, uint8 row, uint8 col) internal pure returns (uint8[9] memory) {
        uint8[9] memory subgrid;
        uint8 index = 0;
        for (uint8 i = 0; i < 3; i++) {
            for (uint8 j = 0; j < 3; j++) {
                subgrid[index++] = grid[row + i][col + j];
            }
        }
        return subgrid;
    }

    function isSolved() public view returns(bool){
        return solved;
    }
}

Code analysis

Through the constructor, an array is initialized :

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

 initialGrid = [
            [5, 3, 0, 0, 7, 0, 0, 0, 0],
            [6, 0, 0, 1, 9, 5, 0, 0, 0],
            [0, 9, 8, 0, 0, 0, 0, 6, 0],
            [8, 0, 0, 0, 6, 0, 0, 0, 3],
            [4, 0, 0, 8, 0, 3, 0, 0, 1],
            [7, 0, 0, 0, 2, 0, 0, 0, 6],
            [0, 6, 0, 0, 0, 0, 2, 8, 0],
            [0, 0, 0, 4, 1, 9, 0, 0, 5],
            [0, 0, 0, 0, 8, 0, 0, 7, 9]
        ];

I didn’t got it at first but the next step will make it clear.

The next function allow us to submit an array and verify it through isValidSolution() :

1
2
3
4
5

function submitSolution(uint8[9][9] memory solution) public {
  if (isValidSolution(solution)) {
      solved = true;
  }
}

And this next function run a series of checks :

isValidSolution() 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

function isValidSolution(uint8[9][9] memory solution) internal view returns (bool) {
  for (uint8 i = 0; i < 9; i++) {
      for (uint8 j = 0; j < 9; j++) {
          if (initialGrid[i][j] != 0 && solution[i][j] != initialGrid[i][j]) {
              return false;
          }
      }
  }

  for (uint8 i = 0; i < 9; i++) {
      if (!isUnique(solution[i])) return false;
      if (!isUnique(getColumn(solution, i))) return false;
  }

  for (uint8 i = 0; i < 3; i++) {
      for (uint8 j = 0; j < 3; j++) {
          if (!isUnique(getSubgrid(solution, i * 3, j * 3))) return false; 
      }
  }

  return true;
}

Which check in his order :

  1. Check if the numbers from the initial grid (except zeros) are in the submitted grid by the user.
  2. Check if there are no duplicate numbers in a row
  3. Check if there are no duplicate numbers in a column
  4. Check if there are no duplicate in the 9 3x3 squares of the submitted grid.

So we can understand that the challenge is actually a sudoku.

Solving

Now we know that we have to solve the sudoku using the initial grid, we can use an online solver like https://www.dcode.fr/solveur-sudoku.

Then we get the following grid :

1
2
3
4
5
6
7
8
9

[5, 3, 4, 6, 7, 8, 9, 1, 2],
[6, 7, 2, 1, 9, 5, 3, 4, 8],
[1, 9, 8, 3, 4, 2, 5, 6, 7],
[8, 5, 9, 7, 6, 1, 4, 2, 3],
[4, 2, 6, 8, 5, 3, 7, 9, 1],    
[7, 1, 3, 9, 2, 4, 8, 5, 6],
[9, 6, 1, 5, 3, 7, 2, 8, 4],
[2, 8, 7, 4, 1, 9, 6, 3, 5],
[3, 4, 5, 2, 8, 6, 1, 7, 9]

I wrote a contract that send the grid because I didn’t know how to submit an array with cast :

Solve.sol 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "./Challenge.sol";

contract Solve {
    uint8[9][9] public grid;

    Challenge public TARGET;

    constructor(address _target) {
        grid = [
        [5, 3, 4, 6, 7, 8, 9, 1, 2],
        [6, 7, 2, 1, 9, 5, 3, 4, 8],
        [1, 9, 8, 3, 4, 2, 5, 6, 7],
        [8, 5, 9, 7, 6, 1, 4, 2, 3],
        [4, 2, 6, 8, 5, 3, 7, 9, 1],    
        [7, 1, 3, 9, 2, 4, 8, 5, 6],
        [9, 6, 1, 5, 3, 7, 2, 8, 4],
        [2, 8, 7, 4, 1, 9, 6, 3, 5],
        [3, 4, 5, 2, 8, 6, 1, 7, 9]
        ];

        TARGET = Challenge(_target);
    }

    function submitSolution() public {

        TARGET.submitSolution(grid);
    }
}

And then we can deploy the contract :

1

forge create --broadcast breizh/2025/blockchain/welcome-game/Solve.sol:Solve -r https://welcome-game-268.chall.ctf.bzh/rpc  --private-key $PKEY --constructor-args $TARGET

And trigger the “submitSolution()” function from our deployed contract.

1

cast send 0xF14165Da8e14d2AFdF75a448A057D460D13b0242 --private-key $PKEY  -r https://welcome-game-268.chall.ctf.bzh/rpc "submitSolution()"

BZHCTF{W3lcome_t0_th3_BZHCTF25!}

Another way to solve the challenge was published by neoreo without deploying a contract by submitting directly the array formated as it would be written in a solidity file but without lines break :

1

cast send $TARGET "submitSolution(uint8[9][9])"   "[[5,3,4,6,7,8,9,1,2],[6,7,2,1,9,5,3,4,8],[1,9,8,3,4,2,5,6,7],[8,5,9,7,6,1,4,2,3],[4,2,6,8,5,3,7,9,1],[7,1,3,9,2,4,8,5,6],[9,6,1,5,3,7,2,8,4],[2,8,7,4,1,9,6,3,5],[3,4,5,2,8,6,1,7,9]]"  -r $RPC --private-key $PK