Skip to content
A red team utility for Cyber Defense Competitions.
Branch: master
Clone or download
Latest commit 1bca867 Apr 27, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs Add file list filter and files docs Dec 1, 2018
fixtures Fix tests Apr 20, 2018
flag_slurper Add more default creds (#64) Apr 28, 2019
provision Add DNS test hosts and setup teams to support domain Sep 22, 2018
tests Feature/46 report user obtained flag (#60) Apr 27, 2019
.coveragerc Add tests for login command. Apr 26, 2018
.editorconfig Add schema for new projects system. Mar 4, 2018
.gitignore Add .vagrant to .gitignore Mar 14, 2018
.travis.yml Apparently that doesn't actually work. Sep 28, 2018
LICENSE Initial commit Sep 2, 2017 Fix tests Oct 4, 2017 Add sphinx and do initial port of README. Sep 13, 2018
Vagrantfile Add DNS test hosts and setup teams to support domain Sep 22, 2018
dev_db.sql Actually pwn dns correctly. Sep 23, 2018
pytest.ini Add tests for login command. Apr 26, 2018
setup.cfg Bump version: 0.7.0 → 0.8.0 (#61) Apr 27, 2019
tox.ini Add codecov May 11, 2018

Flag Slurper

Utility for grabbing CDC flags from machines.

Auto PWN

Flag slurper contains a utility for automatically attempting default credentials against team's SSH hosts. This works by grabbing the team list from IScorE and a list of all the services. The default credentials it uses are:

  • root:cdc
  • cdc:cdc


AutoPWN requires a database. For many cases sqlite will do, but in order to use parallel AutoPWN a server-based database (such as postgres) is required. This is due to sqlite only allowing one writer at a time. The database can be configured in your flagrc file:

; For sqlite (default)
url=sqlite:///{{ project }}/db.sqlite

; For postgres

The {{ project }} variable is the file path to the current project and is optional.


You first need to create a project and result database:

flag-slurper project init -b ~/cdcs/isu2-18 --name "ISU2 2018"
flag-slurper project create_db

To generate the team and service list you can simply run:

flag-slurper autopwn generate

This will cache the team an service lists into the database. This will be used by other autopwn commands so they don't need to keep hitting the IScorE API during the attack phase when the API is getting hammered.

After generating the local files, you can then pwn all the things!

flag-slurper autopwn pwn

This will print out what credentials worked on which machines and any flags found. These results are recorded in the database and can be viewed like this:

flag-slurper autopwn results


Flag slurper has the concept of "projects". These projects tell flag slurper where to find various files such as the teams.yml and services.yml files. It may also contain other configuration options such as where flags are located. The primary purpose of the project system is to keep data from different CDCs separate.

To create a project run:

flag-slurper project init --base ~/cdcs/isu2-18 --name "ISU2 2018"

This will create a project named "ISU2 2018" in the folder ~/cdcs/isu2-18. You can then run the following command to activate the project.

eval $(flag-slurper project env ~/cdcs/isu2-18)

When you want to deactivate a project, run the unslurp command.

Alternatively, you can specify --project PATH on each command. For example:

flag-slurper --project ~/cdcs/isu2-18/ autopwn generate

The above command will generate the local cache data and store it in the project.


The Auto PWN feature will automatically look in common directories for flags that look like a flag. You can also specify locations to check. The following project file defines the "Web /root flag"

_version: "1.0"
project: ISU2 2018
base: ~/cdcs/isu2-18
  - service: WWW SSH
    type: blue
    location: /root
    name: team{{ num }}_www_root.flag
    search: yes

You can specify as many flags as you want. All of the following fields are required:

  • service: The name of the service this flag is associated with. Auto PWN matches against this when determining what flags it should look for when attacking a service.
  • type: Which flag type this is blue (read) or red (write). Currently only blue is supported.
  • location: The directory the flag is supposed to be located in.
  • name: The expected file name of the flag. Pay close attention to {{ num }}. This is a placeholder that will be replaced with the team number during the attack.
  • search: Whether Auto PWN should search location for any files that are roughly the correct file size. A search is only performed if the flag is not found at it's exact name {{ location }}/{{ name }}.

Here's an example of an Auto PWN run that obtained flags:



Credentials can be managed through the creds subcommand. To add a credential:

flag-slurper creds add root cdc

List credentials:

flag-slurper creds ls

Remove credential:

flag-slurper creds rm root cdc

Show details for a credential:

flag-slurper creds show root:cdc
You can’t perform that action at this time.