CTF-CheatSheet

overall useful website/tools

• hacktricks.xyz reference book

– web –

• webhook.site to get request bin
• dirsearch to brute force directory
• GitTools to pull git repo from public website, if .git is exposed
• php_filter_chain_generator to generate php filter chain
• postman to send http requests
• burpsuite to intercept http request packages
• wireshark to capture/analyse network traffic
• csp evaluator to evaluate CSP

– rev –

• disasm.pro to disassemble bytecode online
• fernflower to decompile java bytecode, made by JetBrains
• angr to get solution of input or sth

–misc –

• z3 to find solution under constrains
• dcode to decode anything
• CyberChef combine multiple tools to do sth
• pylingual decompiling pyc file

–forensics / osint –

• saucenao to search for image source
• aperisolve.com do stego for image online
• photo-forensics do stego for image online
• stegseek crack jpeg password
• exiftool print out EXIF
• maigret to search for social media account, one of forks of sherlock
• F5 a common F5 implementation
• autopsy a GUI tool for forensics
• volatility a CLI tool for forensics memory dump
• zsteg to do stego for PNG/BMP
• png chunk checker
• binwalk

– crypto –

• RsaCtfTool to attack RSA
• hashclash for MD5 collision
• hashcat to attack hash
• yafu to factorize number
• John the Ripper jumbo to crack password

– pwn –

• checksec.sh to check binary security properties
• gef very useful GDB plugin / gdb-dashboard Modular visual interface for GDB / pwndbg
• pwntools utility for pwn in python
• shellcheck check fault in shell script
• rp fast ROP gadget finder x86/x64/ARM/ARM64
• compiler explorer Online code to assembly
• Opcode and Instruction Reference Home for 32 and 64 bits
• Syscall Reference for 64 bits or Linux_System_Call_Table_for_x86_64
• dectect it easy for detecting binary wrapper
• pwninit for fetching ld and libc for given binary
• libc database given some libc symbols and address, return libc version

– purple team –

• gtfobins to search for binaries that can be used to get root shell under certain conditions, red team
• revshells.com to generate reverse shell code, red team
• PEASS-ng to enumerate windows/linux privilege escalation, red team
• NetExec to scan the network, red team
• Responder Responder(poisoner)/MultiRelay of many protocols, red team
• BloodHunt Active Directory analysis frameware, red team
• pypykatz Windows security tools(mimikatz) implementation in Python, red team
• GodPotato Windows 2012 ~ 2022 privilege escalation, red team
• Sliver red team frameware

PWN

ROP

• If you pop a non-privilege shell by using system or sth from a SUID binary, you can do a setuid(0) as syscall beforehand to get the privilege shell.
• __nptl_change_stack_perm can change stack NX permission.

leak address

• Leak libc, ld, stack, vdso, vvar addresses by an arbitary read: Sailing the C BuckeyeCTF-2024.

Disable ASLR temporary

• setarch `uname -m` -R [executable] from StackOverFlow.

Web

• add . dot at the end of domain to bypass simple check example.com.

DOM Clobbering

• blink SECCON CTF 2023

Cascading

• CSS Font Cascading People can use unicode-range to do cascading.
• Font side-channel Font Review BuckeyeCTF 2023 - use linguistics to make page overflow in order to leak the flag char by char.
• STTF reference, basically, use :target in style in order to send request if the scroll to text fragment part is matched.

NoSQL Injection

• the input is in JSON and use regex Area51 BuckeyeCTF 2023

JWT

• RS256 to HS256 certs BuckeyeCTF 2023

JSDom jail

• Optimized Admin Bot vsCTF 2023 spawnSync to do RCE, require process and spawn_sync.

CORS bypass

• makes-sense ASIS-ctf-qual 2023 use shadow dom to let inside iframe access parent‘s document by shadowContainer.attachShadow. Basically is let e.source in window.onmessage = e=>(e.source == top && e.source.length == 0 ? eval(e.data) : '') is not undefined.

CSP bypass

• hacktricks.xyz check this website for more CSP bypass tricks.
• JS polygots, embed JavaScript code in multiple languages image file. Then use <script charset = "ISO-8859-1" src=url></script> to call those JavaScript Code. Refers: js jpeg polyglot script and Bypassing CSP using polyglot JPEGs.
• CSS side-channel, using color made with color-mix to make tab crushed with signal: issue and Another-csp DiceCTF-2024-qual

JavaScript Jail

• inside of function: use var process=this.constructor.constructor("return process;")(); to get process object. Then use var require = global.require || global.process.mainModule.constructor._load;, the script here spawnSync.js, or even this.require to get RCE.

Misc

find solution under constrains

Use z3-solver, e.g. based emoji hackasat qual 2023

python jail / pyjail

• starship CrewCTF 2023 character limit: @^_":,. and acsii letters; type: @__build_class__.__self__.exec\r@__build_class__.__self__.input\rclass\x0cx:pass.
• Bonus_The_Revenge_of_Checkpass_1 BxMCTF 2023 eval(inp, {'__builtins__': None}, None); type: ().__class__.__bases__[0].__subclasses__().
• Username_Decorator BxMCTF 2023 Flask escape; type: ().__class__.__bases__[0].__subclasses__().
• 'f{32:c}' can format an int to char (equalivant to chr(32)).
• use other fonts to bypass alphabet filter (e.g. use Italic alphabet from ItalicTextGenerator and use long underline like ＿𝘤𝘭𝘢𝘴𝘴＿) Zero uoftctf-2024.
• PWN pyjail
  • use ctype to override the definition of function (e.g. os._exit) diligent-auditor DiceCTF-2024-qual
  • use this behavior to do PWN IRS DiceCTF-2024-qual
  • use UAF in field like issues#91153 audit hook POC
• use vars() and |= to add functions into globals(concat two dictionaries): x=vars();x|=vars(list)
• use match to get member method or properties pep-0636: cast dict(items=items1): print(items1())
• use gc module to get locals inside function or deleted object

Rev

Angr to find solution for input

• Homework Help WolvCTF 2023
• Angry BuckeyeCTF 2022