Skip to content

Exploit Guideline

Fast is built around exploits, making them the central component when it comes to attacking the opponent teams. The "Flag Acquisition" part of Fast is done by the exploits written by you and your team. To work properly with Fast, exploit scripts must be placed in the same directory as fast.yaml and follow the simple guideline specified below.

Python Exploits

Structure

A Python exploit script must define a function named exploit, taking the target's IP address as the sole parameter. This function is responsible for exploiting the service, and it returns a string containing one or multiple flags. That's about it, here's a minimal example:

import requests

def exploit(target):
    return requests.get(f'http://{target}:1234/flag').text

Template

If you like type hints, you can use the following template.

def exploit(target: str) -> str:

    # Exploit the target, get the flags

    return text_containing_flags

Prepare and Cleanup

Some A/D competitions include an endpoint that provides you with additional pieces of information that may be necessary to exploit particular services. This typically includes something like the username of the account that can read the flag, some useful filename, etc.

This data could be fetched only once and be reused for all the targets, saving both bandwidth and memory. For this kind of tasks, you can define the prepare function in your script, which will be invoked by Fast once before exploiting any of the targets.

import requests

shared = {}

def prepare():
    attack_json = requests.get('https://example.ctf/attack.json').json()
    shared['attack_json'] = attack_json

def exploit(target):
    username = shared['attack_json'][target]['example_service']['username']

    return requests.get(f'http://{target}:1337/readflag?username={username}').text

The prepare function in the shown example fetches the data and stores it in a global variable, as a way of preparing the environment before exploiting the services.

On the opposite end, you can define a function named cleanup for performing any needed post-exploitation actions. As the name suggests, it may be used for removing the residual files your exploit may create or download.

import os, glob

# exploit and prepare omitted for brevity

def cleanup():    
    for file in glob.glob('files/alpha/*.pdf'):
        os.remove(file)

The cleanup function in the shown example removes all PDF files downloaded by the exploit.

Note

Prepare and cleanup actions can also be defined as shell commands in fast.yaml. This way is less powerful since it provides no access to the shared interpreter, but it's compatible with non-Python exploits. Consult the Exploit Management page for more details.

Non-Python Exploits

Structure

When it comes to non-Python scripts, ensure that the target's IP address can be passed as a command-line argument. The script should only output the text containing one or multiple flags to the standard output (stdout). Here's an example using a Bash script:

#!/bin/bash
curl -s "http://$1:1234/flag"

Next steps

Once you have a new exploit ready, you can hand it to Fast to start running it. To learn how to manage exploits and see what capabilities Fast offers, continue to Exploit Management.