/ctfbox

A box for CTF challenges with some sugar functions, Just Enjoy it

Primary LanguagePythonMIT LicenseMIT

ctfbox

A box for CTF challenges with some sugar functions, Just enjoy it

Current version: 1.12.5

中文文档点这里

Please use python 3.6+

Guide

Install

All you need to do is

pip install ctfbox

Usage

Common

from ctfbox import * # Will not import the pwn part, please check the PWN Usage section below
# enjoy it

PWN

PWN Usage

Functions

Please refer to docstring for function's signatures and usages

utils

Some useful functions, close to intuition

  • url: url_encode(), url_decode(), force_url_encode()
  • html: html_encode(), html_decode()
  • base16: base16_encode(), base16_decode()
  • base32: base32_encode(), base32_decode()
  • base64: base64_encode(), base64_decode()
  • json: json_encode(), json_decode()
  • hex: bin2hex(), hex2bin()
  • jwt: jwt_encode(), jwt_decode()
  • rot: rot_encode()
  • hash: md5(), sha1(), sha256(), sha512()
  • random: random_int(), random_string()
  • prase od command data: od_parse()
  • A decorator to make it multi-threaded: Threader()
  • Decrypted in the usual way: auto_decode()

WEB

  • generate flask pin: get_flask_pin()

  • generate flask session: flask_session_encode(), flask_session_decode() (⚠️ There is no flask dependency in ctfbox itself, the following two functions need to install the dependency by yourself)

  • build a simple file server: provide()

  • burte force hash for ctf verification code: hashAuth()

  • Send raw request by python-requests: httpraw()

  • generate gopher reuqests: gopherraw()

  • generate php serialize escape payload: php_serialize_escape, php_serialize_escape_s2l(), php_serialize_escape_l2s()

  • change normal stirng to php serialize S string: php_serialize_S()

  • php serialize

    • serialize()
    • unserialize()
    • serialize_to_file()
    • unserialize_from_file()
    • ...

    for more information, please check docstring and here

  • generate php soapClient class payload for ssrf: soapclient_ssrf()

  • network scan

    • scan network path: scan()
    • scan for network backup file: bak_scan()
  • generate reverse shell command: reshell()

  • use for out of band: OOB()

  • build a server for blindXXE: blindXXE()

  • generate gopher payload for attack redis

    • write webshell: gopherredis_webshell()
    • write crontab: gopherredis_crontab()
    • ssh authorized keys: gopherredis_ssh()
    • rce by master-slave replication: gopherredis_msr()
  • generate gopher payload for attack fastcgi

    • arbitrary code execution: gopherfastcgi_code()
  • source code leaks, support .git .svn .DS_Store: leakdump()

  • reverse mt_rand seed without brute force: reverse_mt_rand()

REVERSE

  • print data in hex format: printHex()
  • pack number into bytes: p16(), p32(), p64()
  • unpack number from bytes: u16(), u32(), u64()

MISC

  • provide common file signatures and function to patch a file
    • patch file signature: repair_fileheader()
  • fix zip fake encrypt: repair_zip_fake_encrypt()

CRYPTO

  • srand for multiple platforms: windows_srand(), linux_srand(), android_srand(),
  • get random integer from multiple platforms: windows_rand(), linux_rand(), android_nextInt(), android_nextInt_bound()

PWN

  • Usage
    # Doesn't support Windows
    from pwn import * # import pwntools
    # set pwntools config...
    # context.os = 'linux'
    # context.log_level = 'debug'
    # context.arch = 'amd64'
    from ctfbox.pwntools.config import Config # import confit for pwn part of ctfbox
    # set necessary config 
    """
    Attributes:
    - local(bool) : connect to local binary / remote address, default: True
    - bin(str)    : the binary path, e.g. './pwn'
    - address(str): the remote address, e.g. '127.0.0.1:2333'
    - pie(bool)   : whether the memory address is randomized, default: False
    """
    Config.local = True
    Config.address = "127.0.0.1:2333"
    Config.bin = "./bin"
    # import pwn part
    from ctfbox.pwn import *
    now you can use the attributes/functions below
    slog // empty dictionary, you can set the leaked address and corresponding name. e.g. slog['libc'] = libc_addr
    elf  // pwntools.ELF(binaray)
    cn   // a connect to local binary or remote address
    re   // lambda of cn.recv(m, t)
    recv // lambda of cn.recv()
    ru   // lambda of cn.recvuntil(x)
    rl   // lambda of cn.recvline()
    sd   // lambda of cn.send(x)
    sl   // lambda of cn.sendline(x)
    ia   // lambda of cn.interactive()
    sla  // lambda of cn.sendlineafter(a, b)
    sa   // lambda of cn.sendafter(a, b)
    ft   // ft(arg, f=pwnlib.util.cyclic.de_bruijn(), l=None) lambda of flat(*arg, filler=f, length=l)
    gdba // gdba(bps) debug, argument bps save the breakpoint address, breakpoint can also be automatically set when pie is turned on, need pmap command
    slog_show // print all set slogs, in hexadecimal format
    

Techniques

Depends

  • requests
  • PyJWT
  • python-socketio[client]==4.6.0
    • python-engineio==3.14.2

Contributors

Syclover

Other

Logs

1.12.5

  • fix a bug:
    • utils
      • can't work

1.12.0

  • add a function:
    • web
      • gopherfastcgi_code

1.11.0

  • update some function:
    • hashAuth: add prefix and suffix arguments

1.10.0

  • remove dependencies:
    • python-socketio[client]==4.6.0
    • python-engineio==3.14.2
  • update some functions:
    • printHex
  • rewrite some functions:
    • OOB
  • add some functions:
    • crypto
      • windows_srand
      • windows_rand
      • linux_srand
      • linux_rand
      • android_srand
      • android_nextInt
      • android_nextInt_bound

1.9.0

  • add some functions:
    • force_url_encode

1.8.0

  • add some functions:
    • php_serialize_S

1.7.0

  • update some functions:
    • leakdump
      • update docstring
      • support .DS_Store
      • better error output
      • fix some bugs
  • add some functions:
    • reverse_mt_rand

1.6.0

  • 添加中文文档
  • add some functions:
    • leakdump
  • update some functions:
    • get_flask_bin
      • update docstring
    • print_hex
      • pretty output

1.5.0

  • add some functions:

    • scan
    • bak_scan
    • reshell
    • OOB
    • blindXXE
    • php_serialize_escape
    • gopherredis_webshell
    • gopherredis_crontab
    • gopherredis_ssh
    • gopherredis_msr
    • repair_fileheader
    • repair_zip_fake_encrypt
    • base16_encode, base16_decode, base32_encode, base32_decode, html_encode, html_decode
  • add dependencies:

    • python-socketio[client]==4.6.0
    • python-engineio==3.14.2

1.4.2

  • fix bugs:
    • Threader
      • retry can't work
  • update some functions:
    • Threader
      • add docstring
      • add task attributes: traceback

1.4.1

  • fix bugs:
    • soapclient_ssrf
      • docstring about encode is error
      • encode arugment not work
    • md5
      • can't import
    • hashAuth
      • can't work
      • return type incorrect

1.4.0

  • add all for limit export
  • add some functions:
    • soapclient_ssrf
    • rot_encode
    • thirdparty: phpserialize(Origin)
  • add tests:
    • php_serialize_escape_l2s
    • php_serialize_escape_s2l
    • httpraw
  • update some functions:
    • httpraw
      • add kwargs: session, send
  • fix bugs:
    • php_serialize_escape_l2s
      • con't work correctly
    • httpraw
      • url irregular
      • no headers will be send
      • post data may be incorrect

1.3.0

  • refactor project structure
  • add some functions:
    • flask_session_encode
    • flask_session_decode
    • php_serialize_escape_l2s
    • php_serialize_escape_s2l
    • gopherraw

1.2.1

httpraw:

  • fix a bug that httpraw may not be able to send post request correctly
  • fix a bug that could not solve port
  • fix a bug that real_host could not use
  • fix a bug that may cause encoding error

1.2.0

  • add dev dependencies: icecream
  • add some functions:
    • od_parse
    • get_flask_pin
    • httpraw
    • p16 p32 p64 and uXX functions
    • Base32 and Base64 table getter

v1.1.1

  • move project to new directory
  • update Readme.md, added missing functions

v1.1.0

  • add pwn part, please see Pwn Usage
  • add some functions that may be used in reverse
  • update hashAuth functions
    • error if startIndex is less than endIndex
    • if startIndex is zero and length of hash(endIndex - startIndex) is not equal to length of answer, endIndex will be set to length of answer
  • update Readme.md, add usage and contributors, Supplementary dependency: PyJWT

v1.0.2

  • update Readme.md

V1.0.1

  • update Readme.md

V1.0.0

  • first commit