https://tryhackme.com/room/hfb1passcode ``` sh RPC_URL=http://10.10.214.203:8545 API_URL=http://10.10.214.203 PRIVATE_KEY=$(curl -s ${API_URL}/challenge | jq -r ".player_wallet.private_key") CONTRACT_ADDRESS=$(curl -s ${API_URL}/challenge | jq -r ".contract_address") PLAYER_ADDRESS=$(curl -s ${API_URL}/challenge | jq -r ".player_wallet.address") is_solved=`cast call $CONTRACT_ADDRESS "isSolved()(bool)" --rpc-url ${RPC_URL}` echo "Check if is solved: $is_solved" ``` on the API_URL we could see the code ``` pragma solidity ^0.8.19; contract Challenge { string private secret = "THM{}"; bool private unlock_flag = false; uint256 private code; string private hint_text; constructor(string memory flag, string memory challenge_hint, uint256 challenge_code) { secret = flag; code = challenge_code; hint_text = challenge_hint; } function hint() external view returns (string memory) { return hint_text; } function unlock(uint256 input) external returns (bool) { if (input == code) { unlock_flag = true; return true; } return false; } function isSolved() external view returns (bool) { return unlock_flag; } function getFlag() external view returns (string memory) { require(unlock_flag, "Challenge not solved yet"); return secret; } } ``` Let's try to get the `hint` ``` cast call $CONTRACT_ADDRESS "hint()(string)" --rpc-url ${RPC_URL} The code is xxx ``` convert xxx to the uint256 and run the `unlock` >xxx = 0x0hhh ``` cast send $CONTRACT_ADDRESS "unlock(uint256)" 0x0hhh \ --legacy \ --gas-price 50gwei \ --private-key $PRIVATE_KEY \ --rpc-url $RPC_URL ``` checking if unlock was successefull ``` cast call $CONTRACT_ADDRESS "isSolved()(bool)" --rpc-url ${RPC_URL} Check if is solved: True ``` Now we can get the flag ``` cast call $CONTRACT_ADDRESS "getFlag()(string)" --rpc-url ${RPC_URL} THM{......} ``` Done