Share
## https://sploitus.com/exploit?id=3401ECFA-1BF5-560B-BA4E-CECDE5B4E76E
# AutoPenX โ A fully automated CTF-solving & penetration testing system powered by LLMs
> **Three-phase hybrid solving architecture**: Deterministic multi-agent route state machine โ Parallel LLM computation โ Sequential ReAct reasoning, achieving zero API overhead for fast problem-solving + deep LLM reasoning for robustness. ---
## System Architecture Overview
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CTFReActAgent.solve(multi_agent=True) โ
โ โ
โ Phase 1: MultiAgentOrchestrator (Deterministic, 0 API overhead) โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ ReconAgent โ Finger recognition โ Route evidence collection โ โ
โ โ CoordinatorAgent โ Selection of optimal route โ โ
โ โ ExploitAgent โ RouteStateMachine โ Flag? โ โ
โ โ CriticAgent โ Repetitive detection + route switching โ โ
โ โ KnowledgeLearner โ Matching known patterns โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ Phase 2: Parallel LLM Racing (3 workers ร 5 turns) โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Worker 1 (DeepSeek): SQLi + authentication direction โ โ
โ โ Worker 2 (OpenAI): LFI + SSTI direction โ โ
โ โ Worker 3 (Claude): CMDi + upload direction โ โ
โ โ The first worker to find a flag wins โ Disqualification of others โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ Phase 3: Sequential LLM ReAct (Remaining budget) โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Complete set of tools: http_request, run_python, โ โ
โ โ repl_execute, scan_flag, file_analyze, etc. โ โ
โ โ Multiple rounds of reasoning + response analysis โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
---
## โจ Key Features
- **Three-phase hybrid solving**: Phase 1: Deterministic route finding (zero API overhead) โ Phase 2: Parallel LLM computation โ Phase 3: Sequential ReAct reasoning
- **15 route state machines**: source_leak, lfi, ssti, sqli, cmdi, jwt, upload, php_pop, ssrf, idor, xss, graphql, websocket, xxe, auth_logic
- **Multi-agent collaboration**: Four roles โ Coordinator, Recon, Exploit, Critic โ sharing state via Blackboard
- **12 LLM tools**: http_request, run_python, repl_execute, scan_flag, decode_data, file_analyze, recon_scan, ctf_knowledge_search, write_tool_script, run_tool_script, install_python_package, download_tool_url
--- **Self-Evolution Knowledge Base**: Automatically extracts patterns after solving problems, allowing direct access to similar questions next time.
--- **Multi-Model Support**: Parallel competition between DeepSeek, OpenAI, and Claude; stops as soon as a flag is detected.
--- **Flag Detection Pipeline**: Regularization โ Heuristic โ AI Verification; three-level filtering reduces false positives.
--- **Web UI**: FastAPI + SSE for real-time display of problem-solving processes.
--- **30 Real CTF Challenges**: Based on classic BUUCTF challenges for local reproduction.
--- **12 Strict Benchmark Tests**: Covering all major types of vulnerabilities.
--- **๐ Quick Start**
--- **Environment Requirements**
Python 3.10+
Windows/Linux/MacOS
--- **Installation**
`powershell`
- Clone the project: `cd C:\Users\86181\Desktop\AutoPenX`
- Create a virtual environment: `python -m venv .venv`.
- Activate the virtual environment: `source .venv/bin/activate` (Windows PowerShell) / `cp .env.example .env` and edit it to include `DEEPSEEK_API_KEY`.
--- **Windows One-Click Script**
- `InstallDependencies.bat` โ Initializes the virtual environment and installs dependencies.
- `One-ClickStartUI.bat` โ Starts the Web UI and opens a browser automatically.
- `One-ClickScan.bat` โ Scans in command-line mode.
--- **Running CTF Challenges**
```powershell
# Multi-Agent Mode (Recommended)
python run_ctf_solve.py
# Or specify a target directly
python -c"
import asyncio
from autopnex.ctf.react_agent import CTFReActAgent
from configSettings import settings
agent = CTFReActAgent(
target='http://target-url:port',
challenge_type='web',
max_iterations=30,
multi_agent=True,
runtime_config=settings.snapshot(),
)
result = asyncio.run(agent.solve())
print(f'Flag: {result.get("flag")}')
"`
--- **Starting the Web UI**
```powershell
.venv\Scripts\python -m uvicorn autopnex.web.api:app --reload --host 127.0.0.1 --port 8000
```
Open a browser and visit http://127.0.0.1:8000/
--- **Traditional Penetration Testing**
```powershell
# LLM Mode
python autopnex.py --target http://testphp.vulnweb.com
# Offline Rule Mode (No API Key Required)
python autopnex.py --target http://testphp.vulnweb.com --mock --yes
--- **Running Benchmark Tests**
```powershell
# Strict 12-Benchmark Test (Deterministic Approach, No API Key Required)
pytest tests/benchmark/test_web_benchmark.py -v
# 30 Real CTF Benchmarks
pytest tests/benchmark/test_real_ctf.py -v
# Exploratory Mode (21 Challenges, Testing Route Coverage)
pytest tests/benchmark/test_web_benchmark_explore.py -v
# All Unit Tests
pytest tests/ -v --ignore=tests/benchmark
# Smoke Tests (Quickly Verifying Core Features)
pytest tests/benchmark/test_web_benchmark_smoke.py -v
--- **Project Structure**
`AutoPenX/`
โ โโโ autopnex/
โ โ โโโ ctf/ # CTF-solving core engine
โ โ โโโ multi_agent.py # Multi-agent orchestrator + 4 agents
โ โ โโโ route_state_machine.py # 13 route state machines + factory
โ โ โโโ routes/ # Modular route packages (15 route files)
โ โ โ โโโ source_leak.py # Source leak routes
โ โ โ โโโ lfi.py # Local file inclusion
โ โ โ โโโ ssti.py # Template injection
โ โ โ โโโ sqli.py # SQL injection
โ โ โ โโโ cmdi.py # Command injection
โ โ โ โโโ jwt.py # JWT spoofing
โ โ โ โโโ upload.py # File upload
โ โ โ โโโ php_pop.py # PHP deserialization
โ โ โ โโโ ssrf.py # SSRF
โ โ โ โโโ idor.py # Privilege escalation
โ โ โ โโโ xss.py # XSS
โ โ โ โโโ graphql.py # GraphQL injection
โ โ โ โโโ websocket.py # WebSocket bypass
โ โ โ โโโ xxe.py # XXE injection
โ โ โ โโโ auth_logic.py # Authentication logic bypass
โ โ โโโ react_agent.py # CTFReActAgent (LLM ReAct loop)
โ โ โโโ tool_router.py # Tool definition + execution gateway
โ โ โโโ web_state_blackboard.py # Shared state board
โ โ โโโ knowledge_learner.py # Self-evolving knowledge learner
โ โ โโโ flag_engine.py # Flag detection engine
โ โ โโโ prompt_compiler.py # Prompt compiler
โ โ โโโ workers.py # Parallel LLM Workers
โ โ โโโ ... โ โโโ orchestrator/ # LLM client layer
โ โ โโโ llm_client.py # DeepSeek/OpenAI compatible client
โ โ โโโ mock_brain.py # Offline rule engine
โ โ โโโ orchestrator.py # Traditional penetration orchestrator
โ โโโ tools/ # Toolset
โ โ โโโ recon/ # Reconnaissance tools
โ โ โโโ scan/ # Scanning tools
โ โ โโโ vuln/ # Vulnerability detection
โ โ โโโ exploit/ # Exploitation tools
โ โ โโโ ctf_web/ # CTF Web-specific tools
โ โ โโโ ctf_crypto/ # CTF Crypto tools
โ โโโ web/ # Web UI
โ โ โโโ api.py # FastAPI backend + SSE
โ โ โโโ static/ # Front-end static files
โ โโโ state_machine/ # PTES state machine
โ โโโ evasion/ # WAF bypass engine
โ โโโ knowledge_base/ # Vulnerability fingerprint/payload library
โโโ tests/
โ โโโ benchmark/
โ โ โโโ test_web_benchmark.py # Strict 12 target benchmark
โ โ โโโ test_real_ctf.py # 30 real CTF targets
โ โ โโโ challenges.py # Battlefield implementations
โ โ โโโ real_ctf_targets.py # Real CTF targets registered
โ โโโ ctf/ # CTF engine unit tests
โโโ config/
โ โโโ settings.py # Configuration management
โโโ run_ctf_solve.py # CTF solving CLI entry
โ โโโ autopnex.py # Traditional penetration CLI entry
โ โโโ ctf_knowledge.json # Self-evolving knowledge library
โ โโโ .env # Environment variable configuration
โ โโโ requirements.txt # Python dependencies
---
## โ๏ธ Configuration Instructions
### `.env` Environment Variables
```bash
# ---- Required: Main LLM ----
DEEPSEEK_API_KEY=sk-xxx # DeepSeek API Key
DEEPSEEK_BASE_URL=https://api.deepseek.com
DEEPSEEK_MODEL=deepseek-chat
# ---- Optional: Multiple models in parallel ----
OPENAI_API_KEY= # OpenAI API Key (Worker 2)
OPENAI_BASE_URL=https://api.openai.com/v1
OPENAI_MODEL=gpt-4o
CLAUDE_API_KEY= # Claude API Key (Worker 3)
CLAUDE_BASE_URL=https://api.anthropic.com/v1
CLAUDE_MODEL=claude-sonnet-4-20250514
# ---- Runtime Configuration ----
AUTOPENX_SCAN_MODE=active # passive | active
AUTOPENX_MAX_ITER_PER_STATE=6 # Maximum iterations per state
AUTOPENX_HTTP_TIMEOUT=8 # HTTP timeout seconds
AUTOPENX_REQUEST_DELAY=0.0 # Request interval (seconds)
# ---- WAF Bypass ----
AUTOPENX_EVASION_ENABLED=false # Enable bypass engine
AUTOPENX_WAF_BYPASS_LEVEL=none # none | light | aggressive
# ---- CTF Tool Management ----
AUTOPENX_CTF_AUTO_TOOLING_ENABLED=true # Allow LLM to write scripts
AUTOPENX_CTF_TOOL_INSTALL_ENABLED=true # Allow pip install
AUTOPENX_CTF_WORKSPACE_DIR=ctf_workspace # Working directory
```
---
## ๐ง How to Extend
### Adding New Routes
1. Create a new file under `autopnex/ctf/routes/` (e.g., `nosql.py`).
2. Inherit from `RouteStateMachine` and implement `preconditions_met()`, `get_probes()`, `score_evidence()`, and `get_exploit_steps()`.
3. Register it in `autopnex/ctf/routes/registry.py`.
4. Add a priority in `CoordinatorAgent.ROUTE_PRIORITY`.
### Adding New CTF Targets
1. Add a new Target class in `tests/benchmark/real_ctf_targets.py` (or `_real_ctf_extra.py`).
2. Implement properties like `start()`, `stop()`, `url`, `flag`, `name`, and `category`.
3. Register it in the `REAL_CTF_TARGETS` dictionary.
### Adding New LLM Tools
1. Add an OpenAI function schema in the `TOOL_DEFINITIONS` list of `autopnex/ctf/tool_router.py`.
2. Add corresponding execution branches in the `ToolRouter.execute()` method.
3. Add the tool name to the `CORE_TOOL_NAMES` collection.
---
## ๐ Current Capabilities
| Metric | Value |
|-------|-------|
| Strict benchmark success rate | 12/12 (100%) |
| Real CTF success rate | 30/30 (100%) |
| Number of supported routes | 15 |
| Number of LLM tools | 12 |
| Average number of attempts | ~5 attempts |
| Average time to solve | ~1.5s (local targets) |
### Vulnerability Types Covered
SQL injection, File Inclusion (LFI), Template Injection (SSTI), Command Injection (CMDi), JWT Forgery, File Uploading, PHP Deserialization, SSRF, IDOR Elevation, XSS, GraphQL Injection, WebSocket Bypass, XXE Injection, Authentication Bypass, Source Code Leakage
---
## ๐ ๏ธ Technology Stack
| Level | Technologies |
|------|-------|
| Language | Python 3.12 |
| LLM | DeepSeek V3 / GPT-4o / Claude (OpenAI-compatible protocol) |
| Web Framework | FastAPI + Uvicorn |
| HTTP Client | requests + aiohttp |
| Testing Framework | pytest + hypothesis |
| Frontend | Native HTML/JS + SSE |
| Configuration | python-dotenv |
| Templates | Jinja2 |
---
## โ ๏ธ Laws and Permissions
This tool is intended only for educational purposes, CTF competitions, and authorized penetration testing. Unauthorized use of systems is illegal, and any consequences are the responsibility of the user.