CTF Guide
This Guide has been a close companion of mine for the past 6 months, taking me into different domains of the CTF World. Readers would find bits of things that the Author has learned on his CTF Journey. Enjoy !
Websites
[Welcome | OOO archive | DEF CON CTF](https://archive.ooo/) |
Linux Commands
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
readelf -s <executable>
strings / objdump -d
stegseek --crack ~/Downloads/pecan.jpg ~/Downloads/rockyou.txt output.txt
ls
binwalk -e
nc
ltrace / strace
readelf -a <file_name>
ida
gdb
apt-cache search <file_name>
nc
rot13
install bsdgames
exiftool
zsteg
steghide
hexdump -C
mysqlbinlog
xxd
grep
ssh -X POST <hash> | grep -i <flagFormat>
man exiv2 | cat | xclip -selection clipboard
Reverse Engineering
Download Detect It Easy - MajorGeeks
1
checksec —file <filename>
1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali㉿kali)-[~/Downloads/rev_packedaway]
└─$ upx -d packed
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2024
UPX 4.2.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 3rd 2024
File size Ratio Format Name
-------------------- ------ ----------- -----------
22867 <- 8848 38.69% linux/amd64 packed
Unpacked 1 file.
IDA pro / Ghidra
Functions to convert UTF-8(Unicode) to it’s code point and vise-versa
https://bi0sctf{h1dd3n_1n_pl41n_s1ght}:hehe@ctf.bi0s.in/
Radare2
OllyDbg
Cryptography
create the virtual environment:
1 2
Copy code python3 -m venv neural
Activate the virtual environment:
1
source neural/bin/activate
Crypt Tool
RSA primer tool
💡 FactorDB
CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.
mcrypt
Malbolge - Old Language
Pwn/Binary Exploitaion
1
2
3
4
5
6
7
(gdb) break *0x1190
Breakpoint 1 at 0x1190
(gdb) run
Starting program: /home/kali/Documents/CTF/htbCTF/challenge/writing_on_the_wall
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x1190
1
2
3
4
$ apt-get update
$ apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
$ python3 -m pip install --upgrade pip
$ python3 -m pip install --upgrade pwntools
Python Study
[CAESAR]strings-ord-ascii-binary-enumerate-assert-REDACTED
Steganography
1
2
3
4
5
6
7
8
9
10
11
└─$ deepsound2john beep.wav > sound.txt
└─$ john -w=/usr/share/wordlists/rockyou.txt sound.txt
Using default input encoding: UTF-8
Loaded 1 password hash (dynamic_1529 [sha1($p null_padded_to_len_32) (DeepSound) 128/128 AVX 4x1])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein (beep.wav)
1g 0:00:00:00 DONE (2024-04-20 15:18) 100.0g/s 168000p/s 168000c/s 168000C/s 123456..kenny
Use the "--show --format=dynamic_1529" options to display all of the cracked passwords reliably
Session completed.
1
2
3
4
5
6
7
└─$ stegolsb wavsteg -r -i challenge.wav -o output.txt -n 2 -b 10000
Files read in 0.05s
Recovered 10000 bytes in 0.00s
Written output file in 0.01s
└─$ cat output.txt
NexusCTF{Th3_Le4st_S1Gn1f!c4n7_B1t55_1n_A_W4v_f1L3_6fe20da1bc9}
1
2
3
4
5
pngcheck -vtp7f filename.png
sonic visualizer tool
steghide —info/—extract
stegseek
curl / less
HexEd.it - Browser-based Online and Offline Hex Editing
Steganography - A list of useful tools and resources
StegoSuite
Processing JPEG photos online - IMG online
OSINT
Find Photo Location Using Artificial Intelligence
1
sudo apt install maltego
[maltego | Kali Linux Tools](https://www.kali.org/tools/maltego/) |
URL and website scanner - urlscan.io
DNSdumpster.com - dns recon and research, find and lookup dns records
Here’s a Gold-Mine 👇🏻
[28 Online Vulnerability Scanners & Network Tools | HackerTarget.com](https://hackertarget.com/) |
Epieos, the ultimate OSINT tool
Web Exploitation
1
gobuster`-u http://fakebank.com -w wordlist.txt dir
BurpSuite
FoxyProxy
SQLMap
1
Check .robots.txt
Dev Tools
JWT Cookies JSON Web Tokens
Flask Application
Hydra
NMap
Dirsearch
💡 More Work to be done on this !
Miscellaneous
FileInfo.com - The File Format Database
Online Tools to crack CTF Contest!
Digital Forensics
https://github.com/colaclanth/sstv
1
2
3
4
5
6
7
abura@Abdur-PC MINGW64 /c/Documents3/CyberSec/CTF/cybercollosiumCTF/forensics/space
$ sstv -d task.wav -o result.png
[sstv] Searching for calibration header... Found!
[sstv] Detected SSTV mode Robot 36
[sstv] Decoding image... [#########################################] 100%
[sstv] Drawing image data...
[sstv] ...Done!
tshark
1
2
3
4
5
6
7
8
└─$ tshark -Y "icmp.ident == 0 && icmp.type == 8" -T fields -e data.data -r Echos\ Parody.pcap | awk '{ printf "%s", $1 }'
546d563464584e4456455a37517a427362444e6a6446395561444e74587a52736243456866513d3d
└─$ echo "546d563464584e4456455a37517a427362444e6a6446395561444e74587a52736243456866513d3d" | xxd -r -p
TmV4dXNDVEZ7QzBsbDNjdF9UaDNtXzRsbCEhfQ==
└─$ echo "TmV4dXNDVEZ7QzBsbDNjdF9UaDNtXzRsbCEhfQ==" | base64 -d
NexusCTF{C0ll3ct_Th3m_4ll!!}
1
2
3
4
5
6
7
8
9
10
11
Audio Anomaly
This anomaly turned out to be Morse code, though barely audible. To make the Morse code clearer, we utilized Audacity’s “Analyze > Plot Spectrum” function, revealing a concentration of beeps around 500 Hz.
Spectrum Analysis
To make the Morse code more discernible, we adjusted the audio frequencies using Audacity’s “Effect > EQ and Filters > Filter Curve EQ” feature, boosting frequencies around 500 Hz while suppressing others.
EQ Adjustment
With the Morse code now clearer, we visually represented it using red dots and dashes in free graphics software.
Autopsy
Forensics tool
pdfimages
alike tools
1
7z2john protected_2.7z > hash.txt
mysqlbinlog
1
tshark -r ./okay10.pcapng -Y 'usb.src=="1.2.1"' -T fields -e usbhid.data | sed 's/../:&/g2' > clicks
File Formats in Memory Forensics
unrar
┌──(kali㉿kali)-[~/…/pecanCTF/FINALS/Forensics/ChatGPT1] └─$ unrar x 1267.rar Completing rar command e – extract files to current directory lb – list archive (bare format) l – list archive lt – list archive (technical format) p – print file to stdout t – test archive files vb – verbosely list archive (bare format) vt – verbosely list archive (technical format) v – verbosely list archive x – extract files with full path
vol.py -f memory.raw -profile=Win10x64_19041 windows.pslist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
python3 /opt/volatility/vol.py -f ~/Documents/CTF/pecanCTF/memory.raw windows.info
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Variable Value
Kernel Base 0xf8073a017000
DTB 0x1ad000
Symbols file:///opt/volatility/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdVersionBlock 0xf8073ac26398
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors 2
SystemTime 2023-04-06 17:25:30
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Wed Jun 28 04:14:26 1995
1
2
3
4
5
6
7
8
9
10
python3 /opt/volatility/vol.py -f ~/Documents/CTF/pecanCTF/memory.raw windows.pslist | grep 3340
python3 /opt/volatility/vol.py -f ~/Documents/CTF/pecanCTF/memory.raw windows.pstree
python3 /opt/volatility/vol.py -f ~/Documents/CTF/pecanCTF/memory.raw windows.cmdline.CmdLine
sudo python3 /opt/volatility/vol.py -f ~/Documents/CTF/pecanCTF/memory.raw windows.netscan
connscan/sockscan
cmdscan
registry.userassist
registry.printkey
registry.hivelist
.evtx file format
The file extension .ps1
is used for PowerShell scripts. A PowerShell script is a text file that contains one or more PowerShell commands. Each command appears on a separate line in the file
1
2
3
4
5
6
7
└─$ python3 vol.py -f ~/Desktop/sharedfolder/jerseyctf/living-on-the-edge/living-on-the-edge.vmem -o ~/Desktop/bin windows.memmap --dump --pid 5344
└─$ strings -e l pid.5344.dmp | grep jctf{
https://www.jerseyctf.com/?flag=jctf{3dg3_0f_y0ur_s3at}
https://www.jerseyctf.com/?flag=jctf{3dg3_0f_y0ur_s3at}#Resources
https://www.jerseyctf.com/?flag=jctf{3dg3_0f_y0ur_s3at}
...
1
2
remnux@remnux:/opt/volatility/dump$ file registry.UsrClassdat.0xab0a6570d000.hive
registry.UsrClassdat.0xab0a6570d000.hive: MS Windows registry file, NT/2000 or above
Object Linking and Embedding (OLE)
1
2
.pcapng - wireshack packet
capture foresics
How to Analyze Malicious Microsoft Office Files
https://github.com/decalage2/oletools
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌──(kali㉿kali)-[~/Desktop]
└─$ oleid invitation.docm
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
oleid 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Filename: invitation.docm
WARNING For now, VBA stomping cannot be detected for files in memory
--------------------+--------------------+----------+--------------------------
Indicator |Value |Risk |Description
--------------------+--------------------+----------+--------------------------
File format |MS Word 2007+ Macro-|info |
|Enabled Document | |
|(.docm) | |
--------------------+--------------------+----------+--------------------------
Container format |OpenXML |info |Container type
--------------------+--------------------+----------+--------------------------
Encrypted |False |none |The file is not encrypted
--------------------+--------------------+----------+--------------------------
VBA Macros |Yes, suspicious |HIGH |This file contains VBA
| | |macros. Suspicious
| | |keywords were found. Use
| | |olevba and mraptor for
| | |more info.
--------------------+--------------------+----------+--------------------------
XLM Macros |No |none |This file does not contain
| | |Excel 4/XLM macros.
--------------------+--------------------+----------+--------------------------
External |0 |none |External relationships
Relationships | | |such as remote templates,
| | |remote OLE objects, etc
--------------------+--------------------+----------+--------------------------
decompile
.dex using the dexdump
tool which is provided in android-sdk
zipcrypto
DeepBlueCLI
- Command-Line Tool to analyze windows event logs (evtx files)
LogParser
- Universal Query Tool
Blockchain
Quickstart — web3.py 6.15.1 documentation
1
2
3
4
>>> from web3 import Web3, EthereumTesterProvider
>>> w3 = Web3(EthereumTesterProvider())
>>> w3.is_connected()
True
solc (Solidity Compiler) - ABI Generation
GitHub - 0xIchigo/Ethernaut: Solutions to Ethernaut, OpenZeppelin’s Web3/Solidity based wargame
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
In [1]: from web3 import Web3, AsyncWeb3
In [2]: url = 'http://94.237.57.161:31314/'
In [3]: web3 = Web3(Web3.HTTPProvider(url))
In [4]: web3
Out[4]: <web3.main.Web3 at 0x7f771f2dd990>
In [5]: web3.is_connected()
Out[5]: True
In[6]: abi = [
{
"inputs": [],
"stateMutability": "payable",
"type": "constructor"
},
{
"inputs": [],
"name": "TARGET",
"outputs": [
{
"internalType": "contract RussianRoulette",
"name": "",
"type": "address"
}
],
"stateMutability": "view",
"type": "function"
},
{
"inputs": [],
"name": "isSolved",
"outputs": [
{
"internalType": "bool",
"name": "",
"type": "bool"
}
],
"stateMutability": "view",
"type": "function"
},
{
"inputs": [],
"stateMutability": "payable",
"type": "constructor"
},
{
"inputs": [],
"name": "pullTrigger",
"outputs": [
{
"internalType": "string",
"name": "",
"type": "string"
}
],
"stateMutability": "nonpayable",
"type": "function"
}
]
In [7]: sc = '0x0a9E45194F001F9b0b8c92F14B63d48dC37571c0'
In [8]: setup_contract = web3.eth.contract(address=sc, abi=abi)
In [9]: for f in setup_contract.functions:
...: print(f)
...:
TARGET
isSolved
pullTrigger
In [10]: web3.eth.block_number
Out[10]: 1
In [11]: balance = web3.eth.get_balance("0xD906F6268A3661414A8601c21c101b8d1323adD5")
In [12]: print(balance)
5000000000000000000000
In [13]: web3.from_wei(balance, 'ether')
Out[13]: Decimal('5000')
In [14]: setup_contract.functions.TARGET().call()
Out[14]: '0xD16950410fA12Bee8FE5f5cc20D113B29892F34a'
In [16]: target_contract = web3.eth.contract(address='0xD16950410fA12Bee8FE5f5cc20D113B29892F34a', abi=abi)
In [17]: for f in target_contract.functions:
...: print(f)
...:
TARGET
isSolved
pullTrigger
In [19]: target_contract.functions.pullTrigger().call()
Out[19]: 'im SAFU ... for now'
In [21]: setup_contract.functions.isSolved().call()
Out[21]: False
In [23]: balance = web3.eth.get_balance("0xD16950410fA12Bee8FE5f5cc20D113B29892F34a")
In [24]: print(balance)
10000000000000000000
In [25]: web3.from_wei(balance, 'ether')
Out[25]: Decimal('10')
In [26]: ca = '0xD16950410fA12Bee8FE5f5cc20D113B29892F34a'
In [27]: caller = '0xD906F6268A3661414A8601c21c101b8d1323adD5'
In [28]: pk = '0x9a7186e26154fea3976374a87e2b6b6af2c4421399bed492e3983d3a4459bacd'
In [29]: nonce = web3.eth.get_transaction_count(ca)
In [30]: print(nonce)
1
In [37]: web3.eth.chain_id
Out[37]: 31337
In [39]: web3.eth.gas_price
Out[39]: 1000000000
In [48]: tx = {
...: 'nonce': 1,
...: 'to': caller,
...: 'value': web3.to_wei(10, 'ether'),
...: 'gas': 200000,
...: 'gasPrice': web3.eth.gas_price,
...: 'chainId': 31337
...: }
In [49]: signed_tx = web3.eth.account.sign_transaction(tx, pk)
In [50]: tx_hash = web3.eth.send_raw_transaction(signed_tx.rawTransaction)
In [52]: print(tx_hash)
b'^D\xad\x0cxo\xf2\x84\x16\xa2\xe1\xa9\xe2y\x7fhuL\x97\x97\xa7%\x03\xe1;\t#\x93\x1eK\xee&'
Well, I know this was kinda all over the place,but I think it’s quite decent to get the Reader started on CTFs.