Parallelization of Exploitation


Crosspost from Rants, Ideas, Stuff.

90% of the time I write my (or other people's) exploits in Python. I try to structure my code in small, easy-to-read methods. Like every developer does 😉 Every exploit has at least one method which is called in a __name__ == '__main__' block, so it can be imported from other files.

Because most of the time every team has a vulnbox with an IP address that contains its team number, my exploit scripts get the team number as an argument.

Here's one of the exploit scripts from the last CTF. It does an HTTP GET with prepared parameters and reads flags from the resulting HTML. It's a quick and dirty solution to a small problem. During a CTF pretty much every minute counts. Quick and dirty wins over great craftsmanship.

Some basic tips:

  • Your script should have sane timeouts. Waiting too long for a team's service that isn't available doesn't help.
  • Crash early. Single flags aren’t worth too much most of the time.
  • Write flags to STDOUT and logging to STDERR. STDOUT can then be redirected to a flag submitting script.
  • Keep everything as simple as possible.
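The skeleton below is an added example, not the exploit from the post: it follows the structure described above (one exploit method, importable thanks to a __name__ == '__main__' block, team number as argument, a hard timeout, flags on STDOUT, logging on STDERR, exit on the first error). The address scheme 10.{team}.0.2, the URL path, the query parameters and the FLAG{...} format are assumptions; a real CTF publishes its own.

```python
#!/usr/bin/env python3
"""Added example, not the original post's exploit: a skeleton following the
structure the post describes (one callable per exploit, __main__ block, team
number as argument, timeout, flags on stdout, logging on stderr). The vulnbox
address scheme, URL path, query parameters and flag format are assumptions."""
import logging
import re
import sys
import urllib.parse
import urllib.request

VULNBOX_TEMPLATE = "http://10.{team}.0.2:8080/search"  # assumed address scheme
FLAG_RE = re.compile(r"FLAG\{[A-Za-z0-9_]+\}")          # assumed flag format
TIMEOUT = 5  # seconds: a dead service must not stall the whole parallel run

# Logging goes to STDERR so STDOUT carries nothing but flags.
logging.basicConfig(stream=sys.stderr, level=logging.INFO,
                    format="%(levelname)s %(message)s")


def team_url(team, params):
    """Build the GET URL for a team's vulnbox with the prepared parameters."""
    return VULNBOX_TEMPLATE.format(team=team) + "?" + urllib.parse.urlencode(params)


def extract_flags(html):
    """Return every flag found in the HTML, de-duplicated, in order of appearance."""
    return list(dict.fromkeys(FLAG_RE.findall(html)))


def fetch(url):
    """One GET with a hard timeout; any error propagates so the caller can crash early."""
    with urllib.request.urlopen(url, timeout=TIMEOUT) as resp:
        return resp.read().decode("utf-8", errors="replace")


def run(team):
    """The single exploit method: importable from other files, returns the flags found."""
    url = team_url(team, {"q": "placeholder"})  # assumed query parameters
    logging.info("team %d: GET %s", team, url)
    return extract_flags(fetch(url))


if __name__ == "__main__":
    team = int(sys.argv[1])
    try:
        for flag in run(team):
            print(flag)  # STDOUT: flags only, ready to be piped to the submitter
    except Exception as exc:  # timeout, connection refused, unexpected HTML, ...
        logging.error("team %d failed: %s", team, exc)
        sys.exit(1)  # crash early; parallel simply moves on to the next team
```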

Submitting the resulting flags is handled by the WoD submit framework with which a surrounding shell script "talks" via netcat:

Parallelization is then done via GNU parallel:

The -j parameter tells parallel how many parallel executions should be done.

{1} is the first argument.

::: introduces an argument block. With :::: an argument file can be passed. So if it's possible to determine whether the exploited service of a team is currently up, it would be good to write a script that determines all exploitable teams and only pass those to parallel. Multiple ::: and :::: blocks can be given and mixed. A parallel run with a script that takes a port as a second parameter might look like this: parallel -j 10 ./exploit.sh {1} {2} ::: $(./get-exploitable-teams.sh) ::: 8080 8081

Let’s say get-exploitable-teams returns 1 5 6. The resulting parallel executions of exploit.sh would be:

Thanks for reading,

Zoran
