Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Finds uids for usernames on CTFtime
#!/usr/bin/env python3
"""Finds uids for usernames on CTFtime"""
# Seriously why is this not easier to do?
import argparse
import logging
import math
import re
import time
import requests
log = logging.getLogger(__name__)
URL = "{}"
USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) \
AppleWebKit/537.36 (KHTML, like Gecko) \
Chrome/81.0.4044.138 Safari/537.36})"
failed_attempts = 0
def main():
args = get_init_args()
usernames = args.usernames
if args.start:
i = args.start
i = get_top_uid()
while i > 0 and len(usernames) > 0:
resp = delayed_get(URL.format(i), headers={"User-Agent": USER_AGENT})
if not req_success(resp):
log.error("Request failed")
usermatch = has_usernames(resp.content, usernames)
if usermatch:
print(f"{usermatch} ({i}) - {URL.format(i)}")
i -= 1
def has_usernames(content, usernames):
"""Returns username if found in title from usernames list"""
match =
r"<title> / ([a-zA-Z0-9@._-]+)</title>",
) # Format may change; not sure regex matches all possibilities
if not match:
return None
title =
for username in usernames:
log.debug(f"{username.lower()} : {str(title).lower()}")
if username.lower() in str(title).lower():
return username
return None
def get_top_uid():
"""Finds the current maximum uid"""
i = 100000
iter_by = 100000 # Multiple of 10
target_code = 404
swap_code = 200
while True:
resp = delayed_get(URL.format(i), headers={"User-Agent": USER_AGENT})
if not req_success(resp):
log.error("Request failed")
if abs(iter_by) == 1: # Final search
if resp.status_code == 404:
return i - 1
i += 1
else: # Main search
if resp.status_code == target_code:
target_code, swap_code = swap_code, target_code
iter_by = -(math.floor(iter_by/10))
i += iter_by
def delayed_get(url, delay=0.5, headers=None): # 2 req/sec default to be nice
"""Performs a delayed requests GET to the specified url"""
log.debug(f"Waiting for {delay} seconds")
log.debug(f"GET: {url}")
return requests.get(url, headers=headers)
def req_success(resp):
"""Returns True if status code represents a desirable status code
NOTE: 3 consecutive failures will terminate execution
global failed_attempts
if resp.status_code not in [200, 404]:
failed_attempts += 1
if failed_attempts >= 3: # This logic probably doesn't belong here
log.critical("Failed 3 consecutive requests")
return False
failed_attempts = 0
return True
def get_init_args():
"""Handles argparse argument processing"""
parser = argparse.ArgumentParser(__doc__)
parser.add_argument("usernames", nargs="+")
parser.add_argument("--start", type=int, help="Starting index")
parser.add_argument("--debug", action="store_true")
args = parser.parse_args()
if args.debug:
return args
if __name__ == "__main__":
Copy link

cetaSYN commented May 11, 2020


docker run --rm -t -v$(pwd):/srv python:3.8-slim bash -c "pip install -r /srv/requirements.txt && /srv/ username_replace"

Additional Options:

  • --start <int> : Index to begin decrementing at
  • --debug : Output additional debugging information

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment