Automation framework for attack-defense CTFs.

CTFPWNng

A simple framework that helps to automate execution of exploits for attack-defense CTFs. CTFPWNng schedules execution of exploits for all available/reachable targets and stores flags in a Redis queue. It also handles periodic submission of flags to the gameserver.

An exploit has three properties:

  • Takes two positional arguments: an IP address and a port number of the target.
  • Prints flags to stdout: the framework will grep for flags in the stdout data, which can include one or more flags or even other data.
  • Is executable: an exploit can be written in any language or format as long as it is executable.

An exploit tries to get a flag/the flags from a single target system. The scheduling for all the other targets is handled by the framework.

Dependencies

Configuration

Per-CTF configuration can be done in a local configuration file called localconf.sh. Variables for the whole framework can be overwritten in Bash syntax. The following localconf.sh shows a configuration example for a RuCTFE:

_LIB_GAMESERVER_HOST="flags.ructfe.org"
_LIB_GAMESERVER_PORT="31337"
_LIB_GAMESERVER_URL="http://monitor.ructfe.org/flags"
_RUCTFE_TEAM_TOKEN="900008d90-c13c-4242-a801-825558d222f7"

Note: The _RUCTFE_TEAM_TOKEN is provided in the checker_token.txt file that is included in the team configuration.

Note: RuCTFE allows flags to be submitted either via TCP (default) or HTTP. The following variable can be set to use HTTP submission:

_LIB_GAMESERVER_SUBMIT_VIA_HTTP=yes

Usage

./ctfpwn.sh

Note: A deployment example is available in the Vagrantfile. It is recommended to always run CTFPWNng inside of a VM.

Target Identification

The targets directory includes a wrapper script (run-targets.sh) that runs Nmap scans on the target range in order to identify alive hosts. Before ctfpwn.sh can be started, the script should be run at least once to create an initial output file:

cd targets
./run-targets.sh

This script should run regularly as a cronjob. The following example shows how to run the script every five minutes:

*/5 * * * * cd /home/user/ctfpwnng/targets && ./run-targets.sh

Add Exploits

Adding a new exploit is as easy as copying the exploits/_template directory. The following example creates an exploit for a service called wood:

cd ctfpwnng
cp -r exploits/_template exploits/wood

An exploit directory requires at least two files (already included in the exploits/_template directory):

  • service: A service definition file. This file must contain the _SERVICE_NAME and _SERVICE_PORT variables.
  • run.sh: The exploit wrapper script that either includes or starts the actual exploit code. It is also responsible for calling the log_flags() function that will add flags to the Redis database.

Disable Exploits

Exploits can be disabled by either creating a .disabled file:

touch exploits/wood/.disabled

Or by preceding the exploit directory name with an underscore:

mv exploits/wood exploits/_wood
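
The layout and disable rules from the Add Exploits and Disable Exploits sections can be checked before a round starts. The following is an added example, not part of CTFPWNng: exploit_status and make_sample_tree are hypothetical helpers, and the sample directories and the port 8080 are constructed.

```shell
#!/bin/sh
# Added example, not CTFPWNng code: exploit_status and make_sample_tree are
# hypothetical helpers; only the file and variable names come from the README.
# Prints: disabled | invalid:<reason> | enabled:<name>:<port>
exploit_status() {
    local dir vars name port
    dir="${1%/}"
    # Disabled: directory name starts with "_" or a .disabled file exists.
    case "$(basename "$dir")" in _*) echo "disabled"; return 0 ;; esac
    [ -e "$dir/.disabled" ] && { echo "disabled"; return 0; }
    # Both files shipped in exploits/_template are required.
    [ -f "$dir/service" ] || { echo "invalid:missing service"; return 1; }
    [ -f "$dir/run.sh" ] || { echo "invalid:missing run.sh"; return 1; }
    # Source in a subshell so nothing leaks into the caller (this runs the file).
    vars="$(
        unset _SERVICE_NAME _SERVICE_PORT
        . "$dir/service" >/dev/null 2>&1
        printf '%s\n%s\n' "${_SERVICE_NAME:-}" "${_SERVICE_PORT:-}"
    )"
    name="$(printf '%s\n' "$vars" | sed -n 1p)"
    port="$(printf '%s\n' "$vars" | sed -n 2p)"
    [ -n "$name" ] || { echo "invalid:_SERVICE_NAME not set"; return 1; }
    case "$port" in
        ''|*[!0-9]*|??????*) echo "invalid:_SERVICE_PORT not a port"; return 1 ;;
    esac
    port="$(printf '%s' "$port" | sed 's/^0*//')"   # "0080" -> "80"
    if [ -z "$port" ] || [ "$port" -gt 65535 ]; then
        echo "invalid:_SERVICE_PORT out of range"; return 1
    fi
    echo "enabled:$name:$port"
}

# Constructed sample tree: wood (valid), _old and paused (disabled), broken.
make_sample_tree() {
    local root; root="$(mktemp -d)"
    mkdir -p "$root/wood" "$root/_old" "$root/paused" "$root/broken"
    printf '_SERVICE_NAME="wood"\n_SERVICE_PORT="8080"\n' > "$root/wood/service"
    cp "$root/wood/service" "$root/paused/service"
    printf '_SERVICE_NAME="broken"\n' > "$root/broken/service"
    touch "$root/wood/run.sh" "$root/paused/run.sh" "$root/broken/run.sh" "$root/paused/.disabled"
    echo "$root"
}

root="$(make_sample_tree)"
for d in "$root"/*/; do
    printf '%-8s %s\n' "$(basename "$d")" "$(exploit_status "$d")"
done
rm -rf "$root"
```

Because the service file is sourced, the check executes whatever that file contains, so it belongs on the same trusted exploit tree that ctfpwn.sh itself reads.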