A simple framework that helps to automate execution of exploits for attack-defense CTFs. CTFPWNng schedules execution of exploits for all available/reachable targets and stores flags in a Redis queue. It also handles periodic submission of flags to the gameserver.
An exploit has three properties:
- Takes two positional arguments: an IP address and a port number of the target.
- Prints flags to stdout: the framework will grep for flags in the stdout data, which can include one or more flags or even other data.
- Is executable: an exploit can be written in any language or format as long as it is executable.
An exploit tries to get a flag/the flags from a single target system. The scheduling for all the other targets is handled by the framework.
Per-CTF configuration can be done in a local configuration file called
localconf.sh. Variables for the whole framework can be overwritten in Bash syntax. The following
localconf.sh shows a configuration example for a RuCTFE:
_LIB_GAMESERVER_HOST="flags.ructfe.org" _LIB_GAMESERVER_PORT="31337" _LIB_GAMESERVER_URL="http://monitor.ructfe.org/flags" _RUCTFE_TEAM_TOKEN="900008d90-c13c-4242-a801-825558d222f7"
Note: The _RUCTFE_TEAM_TOKEN is provided in the
checker_token.txt file that is included in the team configuration.
Note: RuCTFE allows to submit flags either via TCP (default) or HTTP. The following variable can be set to use HTTP submission:
Note: A deployment example is available in the Vagrantfile. It is recommended to always run CTFPWNng inside of a VM.
targets directory includes a wrapper script (
run-targets.sh) that runs Nmap scans on the target range in order to identify alive hosts. Before
ctfpwn.sh can be started, the script should run at least once to create a initial output file:
cd targets ./run-targets.sh
This script should run regularly as a cronjob. The following example shows how to run the script every five minutes:
*/5 * * * * cd /home/user/ctfpwnng/targets && ./run-targets.sh
Adding a new exploit is as easy as copying the
exploits/_template directory. The following example creates an exploit for a service called wood
cd ctfpwnng cp -r exploits/_template exploits/wood
An exploit directory requires at least two files (already included in the
service: A service definition file. This file must contain the _SERVICE_NAME and _SERVICE_PORT variables.
run.sh: The exploit wrapper script that either includes or starts the actual exploit code. It is also responsible for calling the
log_flags()function that will add flags to the Redis database.
Exploits can be disabled by either creating a
Or by preceeding the exploit directory name with an underscore:
mv exploits/wood exploits/_wood