Share
## https://sploitus.com/exploit?id=3401ECFA-1BF5-560B-BA4E-CECDE5B4E76E
# AutoPenX โ€“ A fully automated CTF-solving & penetration testing system powered by LLMs

> **Three-phase hybrid solving architecture**: Deterministic multi-agent route state machine โ†’ Parallel LLM computation โ†’ Sequential ReAct reasoning, achieving zero API overhead for fast problem-solving + deep LLM reasoning for robustness. ---

## System Architecture Overview

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  CTFReActAgent.solve(multi_agent=True)                      โ”‚
โ”‚                                                             โ”‚
โ”‚  Phase 1: MultiAgentOrchestrator (Deterministic, 0 API overhead)       โ”‚
โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”    โ”‚
โ”‚  โ”‚ ReconAgent โ†’ Finger recognition โ†’ Route evidence collection     โ”‚    โ”‚
โ”‚  โ”‚ CoordinatorAgent โ†’ Selection of optimal route             โ”‚    โ”‚
โ”‚  โ”‚ ExploitAgent โ†’ RouteStateMachine โ†’ Flag?                   โ”‚    โ”‚
โ”‚  โ”‚ CriticAgent โ†’ Repetitive detection + route switching           โ”‚    โ”‚
โ”‚  โ”‚ KnowledgeLearner โ†’ Matching known patterns                   โ”‚    โ”‚
โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜    โ”‚
โ”‚                                                             โ”‚
โ”‚  Phase 2: Parallel LLM Racing (3 workers ร— 5 turns)         โ”‚
โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”    โ”‚
โ”‚  โ”‚ Worker 1 (DeepSeek): SQLi + authentication direction     โ”‚    โ”‚
โ”‚  โ”‚ Worker 2 (OpenAI): LFI + SSTI direction                    โ”‚    โ”‚
โ”‚  โ”‚ Worker 3 (Claude): CMDi + upload direction                โ”‚    โ”‚
โ”‚  โ”‚ The first worker to find a flag wins โ†’ Disqualification of others   โ”‚    โ”‚
โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜    โ”‚
โ”‚                                                             โ”‚
โ”‚  Phase 3: Sequential LLM ReAct (Remaining budget)                   โ”‚
โ”‚  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”    โ”‚
โ”‚  โ”‚ Complete set of tools: http_request, run_python,                 โ”‚    โ”‚
โ”‚  โ”‚ repl_execute, scan_flag, file_analyze, etc.              โ”‚    โ”‚
โ”‚  โ”‚ Multiple rounds of reasoning + response analysis            โ”‚    โ”‚
โ”‚  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜    โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

## โœจ Key Features

- **Three-phase hybrid solving**: Phase 1: Deterministic route finding (zero API overhead) โ†’ Phase 2: Parallel LLM computation โ†’ Phase 3: Sequential ReAct reasoning
- **15 route state machines**: source_leak, lfi, ssti, sqli, cmdi, jwt, upload, php_pop, ssrf, idor, xss, graphql, websocket, xxe, auth_logic
- **Multi-agent collaboration**: Four roles โ€“ Coordinator, Recon, Exploit, Critic โ€“ sharing state via Blackboard
- **12 LLM tools**: http_request, run_python, repl_execute, scan_flag, decode_data, file_analyze, recon_scan, ctf_knowledge_search, write_tool_script, run_tool_script, install_python_package, download_tool_url

--- **Self-Evolution Knowledge Base**: Automatically extracts patterns after solving problems, allowing direct access to similar questions next time.  
--- **Multi-Model Support**: Parallel competition between DeepSeek, OpenAI, and Claude; stops as soon as a flag is detected.  
--- **Flag Detection Pipeline**: Regularization โ†’ Heuristic โ†’ AI Verification; three-level filtering reduces false positives.  
--- **Web UI**: FastAPI + SSE for real-time display of problem-solving processes.  
--- **30 Real CTF Challenges**: Based on classic BUUCTF challenges for local reproduction.  
--- **12 Strict Benchmark Tests**: Covering all major types of vulnerabilities.  

--- **๐Ÿš€ Quick Start**  
--- **Environment Requirements**  
Python 3.10+  
Windows/Linux/MacOS  
--- **Installation**  
`powershell`  
  - Clone the project: `cd C:\Users\86181\Desktop\AutoPenX`  
  - Create a virtual environment: `python -m venv .venv`.  
  - Activate the virtual environment: `source .venv/bin/activate` (Windows PowerShell) / `cp .env.example .env` and edit it to include `DEEPSEEK_API_KEY`.  
--- **Windows One-Click Script**  
  - `InstallDependencies.bat` โ€“ Initializes the virtual environment and installs dependencies.  
  - `One-ClickStartUI.bat` โ€“ Starts the Web UI and opens a browser automatically.  
  - `One-ClickScan.bat` โ€“ Scans in command-line mode.  
--- **Running CTF Challenges**  
  ```powershell
  # Multi-Agent Mode (Recommended)
  python run_ctf_solve.py
  # Or specify a target directly
  python -c"
    import asyncio
    from autopnex.ctf.react_agent import CTFReActAgent
    from configSettings import settings

    agent = CTFReActAgent(
        target='http://target-url:port',
        challenge_type='web',
        max_iterations=30,
        multi_agent=True,
        runtime_config=settings.snapshot(),
    )
    result = asyncio.run(agent.solve())
    print(f'Flag: {result.get("flag")}')
  "`
--- **Starting the Web UI**  
  ```powershell
  .venv\Scripts\python -m uvicorn autopnex.web.api:app --reload --host 127.0.0.1 --port 8000
  ```
  Open a browser and visit http://127.0.0.1:8000/
--- **Traditional Penetration Testing**  
  ```powershell
  # LLM Mode
  python autopnex.py --target http://testphp.vulnweb.com
  # Offline Rule Mode (No API Key Required)
  python autopnex.py --target http://testphp.vulnweb.com --mock --yes
--- **Running Benchmark Tests**  
  ```powershell
  # Strict 12-Benchmark Test (Deterministic Approach, No API Key Required)
  pytest tests/benchmark/test_web_benchmark.py -v
  # 30 Real CTF Benchmarks
  pytest tests/benchmark/test_real_ctf.py -v
  # Exploratory Mode (21 Challenges, Testing Route Coverage)
  pytest tests/benchmark/test_web_benchmark_explore.py -v
  # All Unit Tests
  pytest tests/ -v --ignore=tests/benchmark
  # Smoke Tests (Quickly Verifying Core Features)
  pytest tests/benchmark/test_web_benchmark_smoke.py -v
--- **Project Structure**  
  `AutoPenX/`
  โ”‚   โ”œโ”€โ”€ autopnex/
  โ”‚   โ”‚   โ”œโ”€โ”€ ctf/                          # CTF-solving core engine
  โ”‚   โ”‚   โ”œโ”€โ”€ multi_agent.py              # Multi-agent orchestrator + 4 agents
  โ”‚   โ”‚   โ”œโ”€โ”€ route_state_machine.py     # 13 route state machines + factory
  โ”‚   โ”‚   โ”œโ”€โ”€ routes/                    # Modular route packages (15 route files)
  โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ source_leak.py           # Source leak routes
  โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ lfi.py                  # Local file inclusion
  โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ ssti.py                 # Template injection
  โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ sqli.py                 # SQL injection

โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ cmdi.py               # Command injection  
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ jwt.py                # JWT spoofing  
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ upload.py             # File upload  
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ php_pop.py            # PHP deserialization  
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ ssrf.py               # SSRF  
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ idor.py               # Privilege escalation  
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ xss.py                # XSS  
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ graphql.py            # GraphQL injection  
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ websocket.py          # WebSocket bypass  
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ xxe.py                # XXE injection  
โ”‚   โ”‚   โ”‚   โ””โ”€โ”€ auth_logic.py         # Authentication logic bypass  
โ”‚   โ”‚   โ”œโ”€โ”€ react_agent.py            # CTFReActAgent (LLM ReAct loop)  
โ”‚   โ”‚   โ”œโ”€โ”€ tool_router.py            # Tool definition + execution gateway  
โ”‚   โ”‚   โ”œโ”€โ”€ web_state_blackboard.py   # Shared state board  
โ”‚   โ”‚   โ”œโ”€โ”€ knowledge_learner.py      # Self-evolving knowledge learner  
โ”‚   โ”‚   โ”œโ”€โ”€ flag_engine.py            # Flag detection engine  
โ”‚   โ”‚   โ”œโ”€โ”€ prompt_compiler.py        # Prompt compiler  
โ”‚   โ”‚   โ”œโ”€โ”€ workers.py                # Parallel LLM Workers  
โ”‚   โ”‚   โ””โ”€โ”€ ... โ”‚   โ”œโ”€โ”€ orchestrator/                 # LLM client layer  
โ”‚   โ”‚   โ”œโ”€โ”€ llm_client.py             # DeepSeek/OpenAI compatible client  
โ”‚   โ”‚   โ”œโ”€โ”€ mock_brain.py             # Offline rule engine  
โ”‚   โ”‚   โ””โ”€โ”€ orchestrator.py           # Traditional penetration orchestrator  
โ”‚   โ”œโ”€โ”€ tools/                        # Toolset  
โ”‚   โ”‚   โ”œโ”€โ”€ recon/                    # Reconnaissance tools  
โ”‚   โ”‚   โ”œโ”€โ”€ scan/                     # Scanning tools  
โ”‚   โ”‚   โ”œโ”€โ”€ vuln/                     # Vulnerability detection  
โ”‚   โ”‚   โ”œโ”€โ”€ exploit/                  # Exploitation tools  
โ”‚   โ”‚   โ”œโ”€โ”€ ctf_web/                  # CTF Web-specific tools  
โ”‚   โ”‚   โ””โ”€โ”€ ctf_crypto/              # CTF Crypto tools  
โ”‚   โ”œโ”€โ”€ web/                          # Web UI  
โ”‚   โ”‚   โ”œโ”€โ”€ api.py                    # FastAPI backend + SSE  
โ”‚   โ”‚   โ””โ”€โ”€ static/                   # Front-end static files  
โ”‚   โ”œโ”€โ”€ state_machine/                # PTES state machine  
โ”‚   โ”œโ”€โ”€ evasion/                      # WAF bypass engine  
โ”‚   โ””โ”€โ”€ knowledge_base/               # Vulnerability fingerprint/payload library  
โ”œโ”€โ”€ tests/  
โ”‚   โ”œโ”€โ”€ benchmark/  
โ”‚   โ”‚   โ”œโ”€โ”€ test_web_benchmark.py     # Strict 12 target benchmark  
โ”‚   โ”‚   โ”œโ”€โ”€ test_real_ctf.py          # 30 real CTF targets  
โ”‚   โ”‚   โ”œโ”€โ”€ challenges.py             # Battlefield implementations  
โ”‚   โ”‚   โ””โ”€โ”€ real_ctf_targets.py       # Real CTF targets registered  
โ”‚   โ””โ”€โ”€ ctf/                          # CTF engine unit tests  
โ”œโ”€โ”€ config/  
โ”‚   โ””โ”€โ”€ settings.py                   # Configuration management  
โ”œโ”€โ”€ run_ctf_solve.py                  # CTF solving CLI entry  
โ”‚   โ”œโ”€โ”€ autopnex.py                       # Traditional penetration CLI entry  
โ”‚   โ”œโ”€โ”€ ctf_knowledge.json                # Self-evolving knowledge library  
โ”‚   โ”œโ”€โ”€ .env                              # Environment variable configuration  
โ”‚   โ””โ”€โ”€ requirements.txt                  # Python dependencies

---

## โš™๏ธ Configuration Instructions

### `.env` Environment Variables

```bash
# ---- Required: Main LLM ----
DEEPSEEK_API_KEY=sk-xxx              # DeepSeek API Key
DEEPSEEK_BASE_URL=https://api.deepseek.com
DEEPSEEK_MODEL=deepseek-chat

# ---- Optional: Multiple models in parallel ----
OPENAI_API_KEY=                       # OpenAI API Key (Worker 2)
OPENAI_BASE_URL=https://api.openai.com/v1
OPENAI_MODEL=gpt-4o
CLAUDE_API_KEY=                       # Claude API Key (Worker 3)
CLAUDE_BASE_URL=https://api.anthropic.com/v1
CLAUDE_MODEL=claude-sonnet-4-20250514

# ---- Runtime Configuration ----
AUTOPENX_SCAN_MODE=active             # passive | active
AUTOPENX_MAX_ITER_PER_STATE=6         # Maximum iterations per state
AUTOPENX_HTTP_TIMEOUT=8               # HTTP timeout seconds
AUTOPENX_REQUEST_DELAY=0.0            # Request interval (seconds)

# ---- WAF Bypass ----
AUTOPENX_EVASION_ENABLED=false        # Enable bypass engine
AUTOPENX_WAF_BYPASS_LEVEL=none        # none | light | aggressive

# ---- CTF Tool Management ----
AUTOPENX_CTF_AUTO_TOOLING_ENABLED=true   # Allow LLM to write scripts
AUTOPENX_CTF_TOOL_INSTALL_ENABLED=true   # Allow pip install
AUTOPENX_CTF_WORKSPACE_DIR=ctf_workspace # Working directory
```

---

## ๐Ÿ”ง How to Extend

### Adding New Routes

1. Create a new file under `autopnex/ctf/routes/` (e.g., `nosql.py`).
2. Inherit from `RouteStateMachine` and implement `preconditions_met()`, `get_probes()`, `score_evidence()`, and `get_exploit_steps()`.
3. Register it in `autopnex/ctf/routes/registry.py`.
4. Add a priority in `CoordinatorAgent.ROUTE_PRIORITY`.

### Adding New CTF Targets

1. Add a new Target class in `tests/benchmark/real_ctf_targets.py` (or `_real_ctf_extra.py`).
2. Implement properties like `start()`, `stop()`, `url`, `flag`, `name`, and `category`.
3. Register it in the `REAL_CTF_TARGETS` dictionary.

### Adding New LLM Tools

1. Add an OpenAI function schema in the `TOOL_DEFINITIONS` list of `autopnex/ctf/tool_router.py`.
2. Add corresponding execution branches in the `ToolRouter.execute()` method.
3. Add the tool name to the `CORE_TOOL_NAMES` collection.

---

## ๐Ÿ“Š Current Capabilities

| Metric | Value |
|-------|-------|
| Strict benchmark success rate | 12/12 (100%) |
| Real CTF success rate | 30/30 (100%) |
| Number of supported routes | 15 |
| Number of LLM tools | 12 |
| Average number of attempts | ~5 attempts |
| Average time to solve | ~1.5s (local targets) |

### Vulnerability Types Covered

SQL injection, File Inclusion (LFI), Template Injection (SSTI), Command Injection (CMDi), JWT Forgery, File Uploading, PHP Deserialization, SSRF, IDOR Elevation, XSS, GraphQL Injection, WebSocket Bypass, XXE Injection, Authentication Bypass, Source Code Leakage

---

## ๐Ÿ› ๏ธ Technology Stack

| Level | Technologies |
|------|-------|
| Language | Python 3.12 |
| LLM | DeepSeek V3 / GPT-4o / Claude (OpenAI-compatible protocol) |
| Web Framework | FastAPI + Uvicorn |
| HTTP Client | requests + aiohttp |
| Testing Framework | pytest + hypothesis |
| Frontend | Native HTML/JS + SSE |
| Configuration | python-dotenv |
| Templates | Jinja2 |

---

## โš ๏ธ Laws and Permissions

This tool is intended only for educational purposes, CTF competitions, and authorized penetration testing. Unauthorized use of systems is illegal, and any consequences are the responsibility of the user.