diff --git a/Prequalification_Challenges/solidity/README.md b/Prequalification_Challenges/solidity/README.md
new file mode 100644
index 0000000..19c50da
--- /dev/null
+++ b/Prequalification_Challenges/solidity/README.md
@@ -0,0 +1,9 @@
+## Dan's storage is not private - Solidity challenge
+
+The story goes like... your friend Dan from crypto Telegram requested you to audit this small smart contract. You need to prove that it is easy to steal the flag and show "private" is not private.
+
+Figure out the flag by using the Solidity smart contract provided. The goal is to correctly follow the assemble logic of the concat in is_it_on_chain().
+
+_Keccak256: 0x81b1ff6939fedd672ddac358a41abb7192ae1f0660a3b1cbf92ef2c82119612b_
+
+_Challenge author: six_
diff --git a/Prequalification_Challenges/solidity/storage.sol b/Prequalification_Challenges/solidity/storage.sol
new file mode 100644
index 0000000..28d6d05
--- /dev/null
+++ b/Prequalification_Challenges/solidity/storage.sol
@@ -0,0 +1,66 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+pragma solidity ^0.8.17;
+import "@openzeppelin/contracts/utils/Strings.sol";
+
+/// @title On-chain storage to save a precious memory of you life
+/// @author Challenge inspired by CCTF, coded by six
+/// @notice The flag should return when the data is on-chain.
+contract PMC_Sol_Challenge {
+ // Declare everything needed in the contract
+ address private admin = 0x5B38Da6a701c568545dCfcB03FcB875f56beddC4;
+ uint160 door = 0;
+ event contractStart(address indexed _admin);
+ uint256 public pin;
+ string private start;
+ string private data;
+ string private end;
+ string private flag;
+ string private result;
+ bytes32 private data_store;
+ uint private data_set;
+ string private ds_to_Str;
+
+ // O, that is nasty!
+ constructor(address O) payable {
+ emit contractStart(admin);
+ admin = 0==0?O:0x0000000000000000000000000000000000000000;
+ pin = block.number + block.timestamp; // "Random" pin
+ start = "PMC{";
+ data_set = 0;
+ end = ".NiceTry}";
+ }
+
+ /// @notice Mod
+ function callAddMod() public pure returns(uint){
+ return addmod(4, 5, 3);
+ }
+
+ /// @notice Only the central admin should be able to store his life memory in bytes32.
+ function store_me_on_chain(bytes32 _data) public returns (string memory) {
+ require(msg.sender == admin, 'Not admin');
+ data_store = _data;
+ data_set = asmbl();
+ ds_to_Str = Strings.toString(data_set);
+ return data = string("den_who_is_dan_");
+ }
+
+ /// @notice Generate number
+ function asmbl() public view returns (uint8 b) {
+ assembly {
+ let c := add(27, 16)
+ mstore(0x80, c)
+ { let d := add(sload(c), 255) b := d }
+ b := add(b, c) }
+ }
+
+ /// @notice The admin wants to check the data is on chain and return the flag if is!
+ function is_it_on_chain(uint256 _pin) external returns (string memory) {
+ require(msg.sender == admin, 'Not admin');
+ require(pin == _pin, 'Wrong pin');
+ require(data_set > 1, 'Nothing in the on-chain storage');
+ flag = string.concat(start,data,ds_to_Str,end);
+ return flag;
+ }
+
+ fallback() external {}
+}
diff --git a/README.md b/README.md
index 2082786..7000741 100644
--- a/README.md
+++ b/README.md
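Review bot: In the constructor of storage.sol, `emit contractStart(admin);` runs before `admin` is reassigned, so the event records the hard-coded initializer address rather than the `O` argument that later satisfies the `msg.sender == admin` checks, and anyone watching logs sees the wrong admin. The ternary on the following line is always true, so the two statements can be written as `admin = O;` followed by `emit contractStart(admin);`, ideally after `require(O != address(0), 'Zero admin');`. The constructor is also `payable` while the contract has no withdrawal function and `fallback()` is non-payable, so Ether sent at deployment appears to be locked; dropping `payable` avoids that. In `asmbl()`, `mstore(0x80, c)` writes to memory without consulting the free-memory pointer at 0x40 and the stored word is never read back, so it should be removed or given a comment saying why it is there. If these patterns are deliberate parts of the exercise, a `/// @dev` line on the contract stating that would keep them from being copied into production code.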
@@ -27,22 +27,25 @@ The flags have the following keccak256 values: ``` kusamaverse - 0x896c90f019d0aaa7977ce81c7d7299b1b43d302295f2d567509ab7e3060a797f -ink - 0x82703a464305aad655e2eb617f31e6e57b7e959bf8528f1d3b5968cc02ed60ac wss - 0x2f2d4bb11521956c486925241ffcca0cbf7b79bbd9be8eafaeb4fab95713b12d +solidity - 0x81b1ff6939fedd672ddac358a41abb7192ae1f0660a3b1cbf92ef2c82119612b +ink - 0x82703a464305aad655e2eb617f31e6e57b7e959bf8528f1d3b5968cc02ed60ac rust - 0x42ce6fca873fe4dc4ce4d9accdb53e02fdb497ffa6b30f421cea36c81d8ea289 ``` ## Prequalification challenges -__WSS challenge__: you need to play with a websocket connection and get the flag from the service. +__WSS challenge__: you need to play with a websocket connection and get the flag from the service. It is called Fibonacci. -__Rust challenge:__ you need to work with cryptography and math. The correct math will return you the flag. +__Solidity challenge__: a security audit might reveal what the developers think is private might actually not be. -__ink! challenge__: you need to get the flag from an already running Substrate node. +__Rust challenge__: work with RSA cryptography and math. The correct math will return you the flag. + +__ink! challenge__: you need to get the flag from an already running Substrate node or find "another" way. Make sure to web2 scan everything. __Kusamaverse challenge__: find the flag in Kusamaverse - this one is very easy, but important for the main event. -We also have an __optional 3D design challenge__ for the Hall of Fame, near the four listed above. If you submit it using the form, we'll add the design to the Hall of Fame, where all the successfully prequalified players get listed. +We also have an __optional 3D design challenge__ for the Hall of Fame, near the four listed above. If you submit it using the prequalification form, we'll add the design to the Hall of Fame, where all the successfully prequalified players get listed. ## Challenges for the main event 
@@ -50,19 +53,19 @@ The details of these challenges will be shared on 2022 December 6th 10:00 CET. T ### Track 1 - Collaboration -Challenge 1 - by Momentum +Challenge 1 - Momentum related Challenge 2 - Creator to be disclosed. ### Track 2 - Privacy and Security -Challenge 1 - by CCTF +Challenge 1 - CCTF related Challenge 2 - Creator to be disclosed. ### Track 3 - GameFi and NFT -Challenge 1 - by RMRK +Challenge 1 - RMRK related Challenge 2 - Creator to be disclosed.