def createUser(mainpage,flag):
try:
userPage = mainpage.click("cgi-bin/createuser.php")
userPage.parse()
userForm = userPage.forms[0];
userName = CtfUtil.getRandomString(random.randint(6,8))
firstName = CtfUtil.getRandomString(random.randint(6,8))
lastName = CtfUtil.getRandomString(random.randint(6,8))
password = CtfUtil.getRandomAlphaNum(8)
email = flag
userForm.fields['username'] = userName
userForm.fields['lastname'] = lastName
userForm.fields['firstname']= firstName
userForm.fields['password'] = password
userForm.fields['email'] = email
resultPage = userForm.click(None)
successPtr = resultPage.page.find("User successfully created!")
if successPtr != -1:
return userName,password
else:
sys.exit(-1)
except Exception, e:
print "ERROR: got exception %s creating user" % (e)
sys.exit(-1)
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
name = cookie
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/~feedback/cgi-bin/candidates.php", personality)
mainpg.open()
mainpg.parse()
candidate = random.randint(0,4)
feedbackForm = mainpg.forms[candidate]
feedbackForm.fields['name'] = name
feedbackForm.fields['comment'] = CtfUtil.getRandomString(5) + " " + CtfUtil.getRandomString(random.randint(4,9)) + random.choice(['?','.','!'])
resultPage = feedbackForm.click(None)
successPtr = resultPage.page.find("About")
if successPtr != -1:
oldFlag = resultPage.page[successPtr+9:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
name = cookie
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/~feedback/cgi-bin/candidates.php", personality)
mainpg.open()
mainpg.parse()
candidate = random.randint(0,4)
feedbackForm = mainpg.forms[candidate]
feedbackForm.fields['name'] = name
feedbackForm.fields['comment'] = CtfUtil.getRandomString(5) + " " + CtfUtil.getRandomString(random.randint(4,9)) + random.choice(['?','.','!'])
resultPage = feedbackForm.click(None)
successPtr = resultPage.page.find("About")
if successPtr != -1:
oldFlag = resultPage.page[successPtr+9:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def createUser(mainpage,flag):
try:
userPage = mainpage.click("cgi-bin/createuser.php")
userPage.parse()
userForm = userPage.forms[0];
userName = CtfUtil.getRandomString(random.randint(6,8))
firstName = CtfUtil.getRandomString(random.randint(6,8))
lastName = CtfUtil.getRandomString(random.randint(6,8))
password = CtfUtil.getRandomAlphaNum(8)
email = flag
userForm.fields['username'] = userName
userForm.fields['lastname'] = lastName
userForm.fields['firstname']= firstName
userForm.fields['password'] = password
userForm.fields['email'] = email
resultPage = userForm.click(None)
successPtr = resultPage.page.find("User successfully created!")
if successPtr != -1:
return userName,password
else:
sys.exit(-1)
except Exception, e:
print "ERROR: got exception %s creating user" % (e)
sys.exit(-1)
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
userName,password = cookie.split(":")
mainpage = pybrowse.Browser("http://" + ip + "/~estore/index.html")
mainpage.open()
mainpage.parse()
loginMainPage = login(mainpage, userName, password)
updatePage = loginMainPage.click("cgi-bin/update.php")
updatePage.parse()
updateForm = updatePage.forms[0]
updateForm.fields['username'] = userName
updateForm.fields['password'] = password
updateForm.fields['email'] = CtfUtil.getRandomEmail()
resultPage = updateForm.click(None)
successPtr = resultPage.page.find("address was:")
if(successPtr != -1):
oldFlag = resultPage.page[successPtr+13:][:len(flag)]
print "FLAG:",oldFlag
logout(loginMainPage)
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
userName,password = cookie.split(":")
mainpage = pybrowse.Browser("http://" + ip + "/~estore/index.html")
mainpage.open()
mainpage.parse()
loginMainPage = login(mainpage, userName, password)
updatePage = loginMainPage.click("cgi-bin/update.php")
updatePage.parse()
updateForm = updatePage.forms[0]
updateForm.fields['username'] = userName
updateForm.fields['password'] = password
updateForm.fields['email'] = CtfUtil.getRandomEmail()
resultPage = updateForm.click(None)
successPtr = resultPage.page.find("address was:")
if(successPtr != -1):
oldFlag = resultPage.page[successPtr+13:][:len(flag)]
print "FLAG:",oldFlag
logout(loginMainPage)
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie):
try:
#Login to ftp
ftp = ftplib.FTP(ip)
ftp.login()
ftp.cwd("/home/ftp/incoming")
if cookie != None:
ftp.retrlines("RETR "+cookie,flagCallback)
#set new flag
filename = CtfUtil.getRandomString(9)
file = open(filename,'w')
file.write(flag)
file.close();
file = open(filename,'r')
ftp.storlines("stor "+filename,file)
file.close()
os.remove(filename)
cookie = filename
print "COOKIE:",cookie
except Exception, e:
print "ERROR: Failed to set new flag!"
def createAccount(name, passwd, role):
global myHost
mainpg = pybrowse.Browser("http://" + myHost + "/Therapy/createuser.do?role=" + role)
mainpg.open()
mainpg.parse()
userform = mainpg.forms[0]
userform.fields['firstname'] = CtfUtil.getRandomString(random.randint(4,10))
userform.fields['lastname'] = CtfUtil.getRandomString(random.randint(5,10))
userform.fields['email'] = CtfUtil.getRandomEmail()
userform.fields['username'] = name
userform.fields['password'] = passwd
userform.fields['role'] = role
resultPage = userform.click("submit")
resultPage = resultPage.doRedirects()
return resultPage
def createAccount(name, passwd, role):
global myHost
mainpg = pybrowse.Browser("http://" + myHost +
"/Therapy/createuser.do?role=" + role)
mainpg.open()
mainpg.parse()
userform = mainpg.forms[0]
userform.fields['firstname'] = CtfUtil.getRandomString(
random.randint(4, 10))
userform.fields['lastname'] = CtfUtil.getRandomString(random.randint(
5, 10))
userform.fields['email'] = CtfUtil.getRandomEmail()
userform.fields['username'] = name
userform.fields['password'] = passwd
userform.fields['role'] = role
resultPage = userform.click("submit")
resultPage = resultPage.doRedirects()
return resultPage
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
wwid = cookie
vote = CtfUtil.getRandomString(random.randint(5,10))
response = sendMessage(ip,encrypt("!"+wwid+" "+vote))
successPtr = response.find("OK")
if successPtr != -1:
oldFlag = decrypt(response[successPtr+3:].strip())
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip, flag, cookie):
#get old flag
if cookie != None:
try:
wwid = cookie
vote = CtfUtil.getRandomString(random.randint(5, 10))
response = sendMessage(ip, encrypt("!" + wwid + " " + vote))
successPtr = response.find("OK")
if successPtr != -1:
oldFlag = decrypt(response[successPtr + 3:].strip())
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
user,email = cookie.split(":")
resultPage = getNotePage(ip,user,email,CtfUtil.getRandomString(random.randint(5,10)))
successPtr = resultPage.page.find("NOTE:")
if successPtr != -1:
endPointer = resultPage.page[successPtr+6:].find("\n")
oldFlagText = resultPage.page[successPtr+6:][:endPointer]
oldFlag = urllib.unquote(oldFlagText)[:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s setting new flag" % (e)
sys.exit(1)
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
user,email = cookie.split(":")
resultPage = getNotePage(ip,user,email,CtfUtil.getRandomString(random.randint(5,10)))
successPtr = resultPage.page.find("NOTE:")
if successPtr != -1:
endPointer = resultPage.page[successPtr+6:].find("\n")
oldFlagText = resultPage.page[successPtr+6:][:endPointer]
oldFlag = urllib.unquote(oldFlagText)[:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s setting new flag" % (e)
sys.exit(1)
def score(ip, flag, cookie):
#get old flag
if cookie != None:
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
name = cookie
topic = CtfUtil.getRandomAlphaNum(random.randint(3, 8))
msg = name + " " + topic + "\n"
response = initConversation(msg, sock)
successPtr = response.find("Last time")
if successPtr != -1:
oldFlag = response[successPtr + 32:][:len(flag)]
print "FLAG:", oldFlag
sock.close()
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def score(ip,flag,cookie):
#get old flag
if cookie != None:
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
name = cookie
topic = CtfUtil.getRandomAlphaNum(random.randint(3,8))
msg = name+" " + topic + "\n"
response = initConversation(msg,sock)
successPtr = response.find("Last time")
if successPtr != -1:
oldFlag = response[successPtr+32:][:len(flag)]
print "FLAG:",oldFlag
sock.close()
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
def create_flag(s, flag):
username = CtfUtil.getRandomString(6)
password = random.choice(good_password)
s.send('new %s %s\n'%(username,password))
res = readline(s)
if res[:3] != "200":
return ""
s.send("to: xxxx\n")
res = readline(s)
s.send("spam\n")
res = readline(s)
res = readline(s)
res = readline(s)
s.send("%s\n"%flag)
s.send(".\n")
res = readline(s)
return username+":"+password
def create_flag(s, flag):
username = CtfUtil.getRandomString(6)
password = random.choice(good_password)
s.send('new %s %s\n' % (username, password))
res = readline(s)
if res[:3] != "200":
return ""
s.send("to: xxxx\n")
res = readline(s)
s.send("spam\n")
res = readline(s)
res = readline(s)
res = readline(s)
s.send("%s\n" % flag)
s.send(".\n")
res = readline(s)
return username + ":" + password
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
#set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/~register/register.html",
personality)
mainpg.open()
mainpg.parse()
registrationForm = mainpg.forms[0]
password = CtfUtil.getRandomAlphaNum(8)
wwid = flag
registrationForm.fields['first'] = CtfUtil.getRandomString(
random.randint(5, 7))
registrationForm.fields['last'] = CtfUtil.getRandomString(
random.randint(6, 9))
registrationForm.fields['dob'] = str(
random.choice(months)) + " " + str(random.randint(
1, 29)) + ", " + str(random.randint(1900, 2000))
registrationForm.fields['email'] = CtfUtil.getRandomEmail()
registrationForm.fields['password'] = password
registrationForm.fields['wwid'] = wwid
resultingPage = registrationForm.click(None)
successPtr = resultPage.page.find("NOTE:")
if successPtr != -1:
endPointer = resultPage.page[successPtr+6:].find("\n")
oldFlagText = resultPage.page[successPtr+6:][:endPointer]
oldFlag = urllib.unquote(oldFlagText)[:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s setting new flag" % (e)
sys.exit(1)
#set the new flag
try:
user = CtfUtil.getRandomString(random.randint(6,8))
email = CtfUtil.getRandomEmail()
note = flag
resultPage = getNotePage(ip,user,email,note)
successPtr = resultPage.page.find("Annotation saved!")
if successPtr == -1:
return
cookie = user+":"+email
print "COOKIE:",cookie
except Exception, e:
print "ERROR: got exception %s setting new flag" % (e)
getData(sock,"!")
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
#set the new flag
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
getData(sock,"return:")
sock.send("1\n")
getData(sock,"return:")
sock.send(str(random.randint(1,8))+"\n")
getData(sock,"alias:")
sock.send(CtfUtil.getRandomString(random.randint(6,8))+"\n")
#Number of something
getData(sock,":")
sock.send(str(random.randint(1,100))+"\n")
#Encrypted report
getData(sock,":")
sock.send(flag+"\n")
idText = getData(sock,"continue")
id = parseId(idText)
sock.send("\n")
getData(sock,"return:")
senderText = "<sender><user>" + name + "</user><password>" + password + "</password></sender>"
codeText = "<code>set flag [store get flag]; results set $flag</code>"
agentText = "<agent>\n" + senderText + "\n" + codeText + "\n</agent>"
resultPage = postAgentText(ip, agentText)
oldFlag = resultPage[:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
return
#set new flag
try:
name = CtfUtil.getRandomString(random.randint(6, 8))
password = CtfUtil.getRandomAlphaNum(8)
senderText = "<sender><user>" + name + "</user><password>" + password + "</password></sender>"
codeText = "<code>store set flag \"" + flag + "\"; results set \"Flag was set\";</code>"
agentText = "<agent>\n" + senderText + "\n" + codeText + "\n</agent>"
resultPage = postAgentText(ip, agentText)
successPattern = "Flag was set"
successPtr = resultPage.find(successPattern)
if successPtr >= 0:
cookie = name + ":" + password
print "COOKIE:", cookie
successPtr = resultPage.page.find("NOTE:")
if successPtr != -1:
endPointer = resultPage.page[successPtr+6:].find("\n")
oldFlagText = resultPage.page[successPtr+6:][:endPointer]
oldFlag = urllib.unquote(oldFlagText)[:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s setting new flag" % (e)
sys.exit(1)
#set the new flag
try:
user = CtfUtil.getRandomString(random.randint(6,8))
email = CtfUtil.getRandomEmail()
note = flag
resultPage = getNotePage(ip,user,email,note)
successPtr = resultPage.page.find("Annotation saved!")
if successPtr == -1:
return
cookie = user+":"+email
print "COOKIE:",cookie
except Exception, e:
print "ERROR: got exception %s setting new flag" % (e)
rawPage = getFlagPage.page
successPattern = "address"
successPtr = rawPage.find(successPattern)
if successPtr >= 0:
oldFlag = rawPage[successPtr + 8:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
return
#set new flag
try:
randomName = CtfUtil.getRandomString(random.randint(6, 8))
url = ip + "/~contribute/contribute.html"
mainpg = pybrowse.Browser("http://" + url)
mainpg.open()
mainpg = mainpg.doRedirects()
mainpg.parse()
form = mainpg.forms[0]
form.fields['name'] = randomName
form.fields['address'] = flag
form.fields['cc'] = str(random.randint(10000000, 99999999))
form.fields['contribution'] = str(random.randint(1, 9999))
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/Site/Would_you.html")
mainpg.open()
mainpg = pybrowse.Browser("http://" + ip + "/Site//Would_you_files/widget1_markup.html")
mainpg.open()
mainpg.parse()
qForm = mainpg.forms[0]
qForm.fields["q1"] = random.choice(("yes", "no"))
qForm.fields["q2"] = random.choice(("yes", "no"))
qForm.fields["q3"] = random.choice(("yes", "no"))
qForm.fields["q5"] = random.choice(("yes", "no"))
qForm.fields["q6"] = random.choice(("yes", "no"))
qForm.fields["q7"] = random.choice(("yes", "no"))
cookie = CtfUtil.getRandomString(random.randint(3,10))
qForm.fields["steal"] = flag
qForm.fields["signature"] = cookie
resultingPage = qForm.click(None)
resultingPage = resultingPage.doRedirects()
successPtr = resultingPage.page.find("was successfully saved.")
if successPtr == -1:
print "ERROR: cannot set flag"
print "COOKIE:",cookie
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
oldFlag = rawPage[successPtr+21:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
sys.exit(1)
# set new flag
try:
url = "http://" + ip + "/Site/Make_amends.html"
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser(url, personality)
mainpg.open()
# create a new user acccount
fname = CtfUtil.getRandomString(random.randint(6,10))
lname = CtfUtil.getRandomString(random.randint(6,10))
eaddr = CtfUtil.getRandomEmail()
files = getRandomPiratedFiles(random.randint(1,5))
price = getRandomDollarAmount(random.randint(1,5))
resultPage = createAccount(ip,fname, lname, eaddr, files, price)
# choose settlement letter format preference and get case id
caseid = chooseFormatPref(resultPage)
# login using the new account
resultPage = doNewLogin(ip, eaddr, caseid)
# view the settlement letter
viewSettlementLetter(resultPage)
def score(ip,flag,cookie):
try:
# -------------------------
# Retrieve old flag
# -------------------------
old_flag = "None"
real_path = execution_path("./snitch_data/snitch_clean.jpg")
save_path = execution_path("./snitch_data/%s.jpg"%ip)
font_path = execution_path("./snitch_data/arial.ttf")
if cookie:
name = cookie.replace("_"," ")
img = Image.open(real_path)
draw = ImageDraw.Draw(img)
font = ImageFont.truetype(font_path, 20)
draw.text(( 5, 40), name, fill="black", font=font)
draw.text(( 5, 80), "abcde", fill="black", font=font)
img.save(save_path)
f = open(save_path)
fdata = f.read()
f.close()
#print "Getting the flag..."
status, reason, data = post_multipart(
ip, "/~snitch/cgi-bin/snitch.py", [], [('paper',"%s"%save_path, fdata)])
pos = data.find("thanks to paper")
if pos != -1:
old_flag = data[pos+21:][:len(flag)]
print "FLAG:",old_flag
# -------------------------
# Set the new one
# -------------------------
img = Image.open(real_path)
draw = ImageDraw.Draw(img)
first = CtfUtil.getRandomString(random.randint(6,10))
last = CtfUtil.getRandomString(random.randint(6,10))
name = first + " " + last
address = "xxxxx"
#print "Generating picture..."
font = ImageFont.truetype(font_path, 20)
draw.text(( 5, 40), name, fill="black", font=font)
draw.text(( 5, 80), address, fill="black", font=font)
img.save(save_path)
#print "Setting exif info..."
os.popen("""exiv2 -M"set Exif.Photo.UserComment Paper_ID=%s" %s"""%(flag, save_path))
f = open(save_path)
fdata = f.read()
f.close()
#print "Setting flag..."
status, reason, data = post_multipart(
ip, "/~snitch/cgi-bin/snitch.py", [], [('paper', "%s"%save_path, fdata)])
#print "Status ",status
cookie = name.replace(" ","_")
print "COOKIE:",cookie
except Exception, e:
print "ERROR: %s" % e
try:
personality = browserpersonality.getRandomPersonality()
# 1. go to the shell's page
mainpg = pybrowse.Browser("http://" + ip + "/Site/Bosses_and_artists.html")
mainpg.open()
# 2. create a new boss
mainpg = pybrowse.Browser("http://" + ip + ":" + myPort + "/bosses/new/")
mainpg.open()
mainpg.parse()
myform = mainpg.forms[0]
boss_name = CtfUtil.getRandomString(random.randint(6,16))
boss_pwd = CtfUtil.getRandomString(random.randint(6,8))
myform.fields["name"] = boss_name.capitalize()
myform.fields["username"] = boss_name
myform.fields["password"] = boss_pwd
myform.fields["password_again"] = boss_pwd
resultingPage = myform.click( None )
resultingPage = resultingPage.doRedirects( )
resultingPage.parse()
checkError(resultingPage)
# resulting page should be /bosses/view/N/
boss_id = resultingPage.documentroot.split("/")[3]
# 1. go to the shell's page
mainpg = pybrowse.Browser("http://" + ip +
"/Site/Bosses_and_artists.html")
mainpg.open()
# 2. create a new boss
mainpg = pybrowse.Browser("http://" + ip + ":" + myPort +
"/bosses/new/")
mainpg.open()
mainpg.parse()
myform = mainpg.forms[0]
boss_name = CtfUtil.getRandomString(random.randint(6, 16))
boss_pwd = CtfUtil.getRandomString(random.randint(6, 8))
myform.fields["name"] = boss_name.capitalize()
myform.fields["username"] = boss_name
myform.fields["password"] = boss_pwd
myform.fields["password_again"] = boss_pwd
resultingPage = myform.click(None)
resultingPage = resultingPage.doRedirects()
resultingPage.parse()
checkError(resultingPage)
# resulting page should be /bosses/view/N/
boss_id = resultingPage.documentroot.split("/")[3]
print "ERROR: got exception [%s] getting flag" % (e)
sys.exit(1)
# set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/Site/Sound_of_music.html")
mainpg.open()
mainpg = pybrowse.Browser("http://" + ip + "/Site/Sound_of_music_files/widget1_markup.html")
mainpg.open()
mainpg.parse()
qForm = mainpg.forms[0]
myfirst =flag
mylast = CtfUtil.getRandomString(random.randint(3,10))
myemail = CtfUtil.getRandomEmail()
mypassword = CtfUtil.getRandomString(random.randint(3,10))
qForm.fields["first"] = myfirst
qForm.fields["last"] = mylast
qForm.fields["email"] = myemail
qForm.fields["password"] = mypassword
cookie = qForm.fields["email"] + ":" + qForm.fields["password"]
resultingPage = qForm.click(None)
resultingPage = resultingPage.doRedirects()
successPtr = resultingPage.page.find("successfully created")
if successPtr == -1:
print "ERROR: Error setting new flag"
successPtr = response.find("Last time")
if successPtr != -1:
oldFlag = response[successPtr+32:][:len(flag)]
print "FLAG:",oldFlag
sock.close()
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
#set the new flag
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
name = CtfUtil.getRandomString(random.randint(6,8))
msg = name+" " + flag + "\n"
response = initConversation(msg,sock)
successPtr = response.find("summoning operator")
if successPtr == -1:
print "ERROR: Could not set new flag"
return
for i in range(random.randint(1,3)):
if len(askRandomQuestion(sock)) < 1:
print "ERROR: Something doesnt look right"
return
sock.close()
cookie = name
def getRandomSentence(len): ret = "" for i in range(len): ret += CtfUtil.getRandomString(random.randint(1,8)) + " " return ret
def score(ip, flag, cookie):
try:
# -------------------------
# Retrieve old flag
# -------------------------
old_flag = "None"
real_path = execution_path("./snitch_data/snitch_clean.jpg")
save_path = execution_path("./snitch_data/%s.jpg" % ip)
font_path = execution_path("./snitch_data/arial.ttf")
if cookie:
name = cookie.replace("_", " ")
img = Image.open(real_path)
draw = ImageDraw.Draw(img)
font = ImageFont.truetype(font_path, 20)
draw.text((5, 40), name, fill="black", font=font)
draw.text((5, 80), "abcde", fill="black", font=font)
img.save(save_path)
f = open(save_path)
fdata = f.read()
f.close()
#print "Getting the flag..."
status, reason, data = post_multipart(
ip, "/~snitch/cgi-bin/snitch.py", [],
[('paper', "%s" % save_path, fdata)])
pos = data.find("thanks to paper")
if pos != -1:
old_flag = data[pos + 21:][:len(flag)]
print "FLAG:", old_flag
# -------------------------
# Set the new one
# -------------------------
img = Image.open(real_path)
draw = ImageDraw.Draw(img)
first = CtfUtil.getRandomString(random.randint(6, 10))
last = CtfUtil.getRandomString(random.randint(6, 10))
name = first + " " + last
address = "xxxxx"
#print "Generating picture..."
font = ImageFont.truetype(font_path, 20)
draw.text((5, 40), name, fill="black", font=font)
draw.text((5, 80), address, fill="black", font=font)
img.save(save_path)
#print "Setting exif info..."
os.popen("""exiv2 -M"set Exif.Photo.UserComment Paper_ID=%s" %s""" %
(flag, save_path))
f = open(save_path)
fdata = f.read()
f.close()
#print "Setting flag..."
status, reason, data = post_multipart(
ip, "/~snitch/cgi-bin/snitch.py", [],
[('paper', "%s" % save_path, fdata)])
#print "Status ",status
cookie = name.replace(" ", "_")
print "COOKIE:", cookie
except Exception, e:
print "ERROR: %s" % e
resultPage.parse()
resultPage = resultPage.click(resultPage.links[10])
resultPage.doRedirects()
except Exception, e:
print "ERROR: got exception when getting flag: %s" % e
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + myHost + "/Therapy/")
mainpg.open()
mainpg.parse()
# create a new user account
username = CtfUtil.getRandomString(random.randint(6,10))
password = CtfUtil.getRandomString(random.randint(4,10))
resultPage = createAccount(username, password, "client")
# login using the new account
resultPage = doLogin(username, password)
resultPage.parse()
# go to story submission page
resultPage = resultPage.click(resultPage.links[9])
resultPage = resultPage.doRedirects()
resultPage.parse()
#print resultPage.page
storyform = resultPage.forms[0]
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/Site/Would_you.html")
mainpg.open()
mainpg = pybrowse.Browser("http://" + ip + "/Site//Would_you_files/widget1_markup.html")
mainpg.open()
mainpg.parse()
qForm = mainpg.forms[0]
qForm.fields["q1"] = random.choice(("yes", "no"))
qForm.fields["q2"] = random.choice(("yes", "no"))
qForm.fields["q3"] = random.choice(("yes", "no"))
qForm.fields["q5"] = random.choice(("yes", "no"))
qForm.fields["q6"] = random.choice(("yes", "no"))
qForm.fields["q7"] = random.choice(("yes", "no"))
cookie = CtfUtil.getRandomString(random.randint(3,10))
qForm.fields["steal"] = flag
qForm.fields["signature"] = cookie
resultingPage = qForm.click(None)
resultingPage = resultingPage.doRedirects()
successPtr = resultingPage.page.find("was successfully saved.")
if successPtr == -1:
print "ERROR: cannot set flag"
print "COOKIE:",cookie
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
oldFlag = resultingPage.page[successPtr+19:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
#set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/~register/register.html", personality)
mainpg.open()
mainpg.parse()
registrationForm = mainpg.forms[0]
password = CtfUtil.getRandomAlphaNum(8)
wwid = flag
registrationForm.fields['first'] = CtfUtil.getRandomString(random.randint(5,7))
registrationForm.fields['last'] = CtfUtil.getRandomString(random.randint(6,9))
registrationForm.fields['dob'] = str(random.choice(months))+" "+str(random.randint(1,29))+", "+str(random.randint(1900,2000))
registrationForm.fields['email'] = CtfUtil.getRandomEmail()
registrationForm.fields['password'] = password
registrationForm.fields['wwid'] = wwid
resultingPage = registrationForm.click(None)
successPtr = resultingPage.page.find("Registration successful!")
if successPtr == -1:
print "ERROR: Could not set new flag"
if successPtr != -1:
oldFlag = resultingPage.page[successPtr+6:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "Error got exception %s getting flag" % (e)
#set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/~spamgen/cgi-bin/spamgen.py?action=upload", personality, debug=0)
mainpg.open()
mainpg.parse()
randomName = CtfUtil.getRandomString(10)
adminForm = mainpg.forms[0]
adminForm.fields["uname"] = randomName
adminForm.fields["pwd"] = myPassword
adminForm.fields["thetext"] = flag
resultingPage = adminForm.click(None)
resultingPage = resultingPage.doRedirects()
failPtr = resultingPage.page.find("uccess")
if failPtr != -1:
successPtr = resultingPage.page.find( "Your file has been saved" )
cookie = randomName+':'+myPassword
if successPtr != -1:
oldFlag = resultPage.page[successPtr + 3:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception (%s) getting flag" % (e)
#set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/~pollit/pollit.html",
personality)
mainpg.open()
mainpg.parse()
name = CtfUtil.getRandomString(random.randint(6, 8))
id = CtfUtil.getRandomAlphaNum(6)
createPollForm = mainpg.forms[0]
for candidate in candidates:
createPollForm.fields[candidate] = str(random.randint(1, 100))
candidate = random.choice(candidates)
createPollForm.fields[candidate] = "-1 " + flag
createPollForm.fields['username'] = name
createPollForm.fields['pollid'] = id
resultPage = createPollForm.click(None)
print resultPage.page
if successPtr != -1:
oldFlag = resultPage.page[successPtr+3:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception (%s) getting flag" % (e)
#set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/~pollit/pollit.html", personality)
mainpg.open()
mainpg.parse()
name = CtfUtil.getRandomString(random.randint(6,8))
id = CtfUtil.getRandomAlphaNum(6)
createPollForm = mainpg.forms[0]
for candidate in candidates:
createPollForm.fields[candidate] = str(random.randint(1,100))
candidate = random.choice(candidates)
createPollForm.fields[candidate] = "-1 "+flag
createPollForm.fields['username'] = name
createPollForm.fields['pollid'] = id
resultPage = createPollForm.click(None)
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
# set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip + "/Site/Petition.html")
mainpg.open()
mainpg = pybrowse.Browser("http://" + ip + "/Site//Petition_files/widget1_markup.html")
mainpg.open()
mainpg.parse()
myform = mainpg.forms[0]
myform.fields["first"] = CtfUtil.getRandomString(random.randint(4,10))
myform.fields["last"] = CtfUtil.getRandomString(random.randint(4,10))
myform.fields["email"] = CtfUtil.getRandomEmail()
myform.fields["comment"] = flag
myform.fields["id"] = ""
resultingPage = myform.click(None)
resultingPage = resultingPage.doRedirects()
successPtr = resultingPage.page.find( "Your ID is " )
if successPtr != -1:
cookie = resultingPage.page[successPtr+11:][:8]
print "COOKIE:",cookie
except Exception, e:
print "ERROR: got exception %s setting new flag" % (e)
oldFlag = rawPage[successPtr + 21:][:len(flag)]
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
sys.exit(1)
# set new flag
try:
url = "http://" + ip + "/Site/Make_amends.html"
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser(url, personality)
mainpg.open()
# create a new user acccount
fname = CtfUtil.getRandomString(random.randint(6, 10))
lname = CtfUtil.getRandomString(random.randint(6, 10))
eaddr = CtfUtil.getRandomEmail()
files = getRandomPiratedFiles(random.randint(1, 5))
price = getRandomDollarAmount(random.randint(1, 5))
resultPage = createAccount(ip, fname, lname, eaddr, files, price)
# choose settlement letter format preference and get case id
caseid = chooseFormatPref(resultPage)
# login using the new account
resultPage = doNewLogin(ip, eaddr, caseid)
# view the settlement letter
viewSettlementLetter(resultPage)
def score(ip,flag,cookie):
try:
#Login to ftp
ftp = ftplib.FTP(ip)
ftp.login()
ftp.cwd("/home/ftp/incoming")
if cookie != None:
ftp.retrlines("RETR "+cookie,flagCallback)
#set new flag
filename = CtfUtil.getRandomString(9)
file = open(filename,'w')
file.write(flag)
file.close();
file = open(filename,'r')
ftp.storlines("stor "+filename,file)
file.close()
os.remove(filename)
cookie = filename
print "COOKIE:",cookie
except Exception, e:
print "ERROR: Failed to set new flag!"
if __name__ == "__main__":
CtfUtil.main(score)
#!/usr/bin/python -u
from utility import CtfUtil
from utility.flagclient import FlagClient
if __name__ == "__main__":
flagClient = FlagClient(port=8082)
CtfUtil.main(flagClient.score)
serverUrl = "http://" + ip + "/~spamdb/cgi-bin/server.php"
server = xmlrpclib.Server(serverUrl)
#Get old flag
if cookie != None:
try:
user, password = cookie.split(":")
oldFlag = server.spamdb.veryfy_data(user, password)
print "FLAG:", oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
#Set new flag
try:
user = genUser()
password = server.spamdb.create_account(user)
result = server.spamdb.upload_data(user, password, flag)
cookie = user + ":" + password
print "COOKIE:", cookie
if (result != "OK"):
print "ERROR: Did not receive OK from spamdb server!"
except Exception, e:
print "ERROR: got exception '%s' when setting flag" % (e)
if __name__ == "__main__":
CtfUtil.main(score)
print "FLAG:", oldFlag
except Exception, e:
print "Error got exception %s getting flag" % (e)
#set the new flag
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + ip +
"/~spamgen/cgi-bin/spamgen.py?action=upload",
personality,
debug=0)
mainpg.open()
mainpg.parse()
randomName = CtfUtil.getRandomString(10)
adminForm = mainpg.forms[0]
adminForm.fields["uname"] = randomName
adminForm.fields["pwd"] = myPassword
adminForm.fields["thetext"] = flag
resultingPage = adminForm.click(None)
resultingPage = resultingPage.doRedirects()
failPtr = resultingPage.page.find("uccess")
if failPtr != -1:
successPtr = resultingPage.page.find("Your file has been saved")
cookie = randomName + ':' + myPassword
senderText = "<sender><user>"+name+"</user><password>"+password+"</password></sender>"
codeText = "<code>set flag [store get flag]; results set $flag</code>"
agentText = "<agent>\n" + senderText +"\n"+codeText+"\n</agent>"
resultPage = postAgentText(ip,agentText)
oldFlag = resultPage[:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception '%s' when getting flag" % (e)
return
#set new flag
try:
name = CtfUtil.getRandomString(random.randint(6,8))
password = CtfUtil.getRandomAlphaNum(8)
senderText = "<sender><user>"+name+"</user><password>"+password+"</password></sender>"
codeText = "<code>store set flag \""+flag+"\"; results set \"Flag was set\";</code>"
agentText = "<agent>\n" + senderText +"\n"+codeText+"\n</agent>"
resultPage = postAgentText(ip,agentText)
successPattern = "Flag was set"
successPtr = resultPage.find(successPattern)
if successPtr >= 0:
cookie = name+":"+password
print "COOKIE:",cookie
lookupForm = contactPage.forms[0]
lookupForm.fields['cboname'] = last
resultPage = lookupForm.click(None)
successPtr = resultPage.page.find(first)
if(successPtr != -1):
oldFlag = resultPage.page[successPtr+14:][:len(flag)]
print "FLAG:",oldFlag
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
#set the new flag
try:
first = CtfUtil.getRandomString(5)
last = CtfUtil.getRandomString(random.randint(6,8))
ext = flag
contactChangeUrl = ip+"/~contact/cgi-bin/contact_change.pl?login=admin&password=retard"+"&first="+first+"&last="+last+"&ext="+ext
contactChangePage = pybrowse.Browser("http://" + contactChangeUrl)
contactChangePage.open()
successPtr = contactChangePage.page.find("Update Successful")
if successPtr == -1:
print "ERROR: Could not post new flag"
return
cookie = first+":"+last
print "COOKIE:",cookie
# logout
resultPage.parse()
resultPage = resultPage.click(resultPage.links[10])
resultPage.doRedirects()
except Exception, e:
print "ERROR: got exception when getting flag: %s" % e
try:
personality = browserpersonality.getRandomPersonality()
mainpg = pybrowse.Browser("http://" + myHost + "/Therapy/")
mainpg.open()
mainpg.parse()
# create a new user account
username = CtfUtil.getRandomString(random.randint(6, 10))
password = CtfUtil.getRandomString(random.randint(4, 10))
resultPage = createAccount(username, password, "client")
# login using the new account
resultPage = doLogin(username, password)
resultPage.parse()
# go to story submission page
resultPage = resultPage.click(resultPage.links[9])
resultPage = resultPage.doRedirects()
resultPage.parse()
#print resultPage.page
storyform = resultPage.forms[0]
getData(sock,"!")
except Exception, e:
print "ERROR: got exception %s getting flag" % (e)
#set the new flag
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
getData(sock,"return:")
sock.send("1\n")
getData(sock,"return:")
sock.send(str(random.randint(1,8))+"\n")
getData(sock,"alias:")
sock.send(CtfUtil.getRandomString(random.randint(6,8))+"\n")
#Number of something
getData(sock,":")
sock.send(str(random.randint(1,100))+"\n")
#Encrypted report
getData(sock,":")
sock.send(flag+"\n")
idText = getData(sock,"continue")
id = parseId(idText)
sock.send("\n")
getData(sock,"return:")