Resources
Crypto
Dcode
Dcode is a very useful tool for decrypting various ciphers.
pycryptodome
Originally developed under the no longer maintained pycrypto, this successor has everything you need for the crypto CTF category. It offers implementations of common algorithms for symmetric crypto, asymmetric crypto, hash functions, and much more.
SageMath
SageMath is a programming language, similar to Python, but with a lot of modifications focussed on math-based crypto. If you ever need to do manual RSA computations, this tool will be a great help.
Forensics
Hex editor
A hex editor is often very useful to analyze the contents of any type of file. It allows you to see the binary contents of a file (in hex encoding), so you can take a closer look at any file. It is often useful in forensics, as inspecting files is a common activity there. Often, the program also allows you to modify the bytes of the file.
binwalk
binwalk is a Linux command line tool. It is most often used in forensics, and it allows you to detect what type of file a certain file actually is. While this is often indicated by the file extension, e.g. .txt or .pdf, this is (especially on Linux) purely a part of the file name, and can be set to anything. binwalk looks at the actual contents of the file, and recognizes what is in there through file headers.
Furthermore, it looks for common identifiers of common file types (png, jpg, pdf, etc) across the entire file, which is often useful in forensics, if someone tries to hide a file by appending the binary contents of it to another file.
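To make the header-versus-contents distinction concrete, here is an added example (written for this page, not binwalk's own code) that checks a file's type by its opening bytes and then scans the whole blob for well-known file signatures at any offset, which is how an appended file gets spotted. The SAMPLE blob is constructed for the demo; the magic byte values are the public signatures of those formats.

```python
"""Added example for this page (not binwalk's own code): scan a byte blob for
well-known file signatures ("magic bytes") at any offset, which is how binwalk
finds a file hidden by appending it to another file.  The SAMPLE blob below
is constructed for the demo."""
from typing import List, Optional, Tuple

# Public magic bytes that open some common formats.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "gzip": b"\x1f\x8b\x08",
    "elf": b"\x7fELF",
}

def identify(data: bytes) -> Optional[str]:
    """Type of the file judged by its header only, or None if unknown."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def scan_signatures(data: bytes) -> List[Tuple[int, str]]:
    """(offset, type) for every signature anywhere in data, sorted by offset.
    Unlike identify(), this looks past the header, so appended files show up."""
    hits = []
    for name, magic in SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)

def carve(data: bytes, offset: int) -> bytes:
    """Slice from offset up to the next signature hit (or end of data).
    A rough carve: real tools parse the format to find the true length."""
    later = [off for off, _ in scan_signatures(data) if off > offset]
    end = later[0] if later else len(data)
    return data[offset:end]

# Constructed sample: a plain text file with a PNG header and then a PDF header appended.
SAMPLE = (
    b"Just a harmless text file.\n"            # offsets 0-26
    + b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # PNG signature at offset 27
    + b"%PDF-1.7\n%%EOF\n"                     # PDF signature at offset 51
)

if __name__ == "__main__":
    print("header says:", identify(SAMPLE))          # None: it starts as text
    for off, kind in scan_signatures(SAMPLE):        # (27, 'png'), (51, 'pdf')
        print(f"{off:6d}  {kind:5s}  {len(carve(SAMPLE, off))} bytes")
```

Checking only the first bytes (as `file` does) reports nothing for SAMPLE, while the full scan finds both embedded headers; the carve is deliberately rough, since knowing where a PNG really ends requires parsing its chunks.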
pillow
Often used in image forensics, this Python library allows you to edit and analyze images in Python. If you need to perform a very specific operation on an image for which no tools exist, this library is your answer, as you can implement the operation yourself.
Web
Burp Suite
Burp Suite is a GUI tool which can be very helpful to execute your attacks for the web category. It allows you to, for example, modify the HTTP requests that your browser sends. This allows you to e.g. input special values that your browser doesn't typically allow.
requests
The built-in Python library requests allows you to send HTTP requests to webservers in any format you like. This includes changing the request headers, changing the cookies, adding form data payload, you name it. Many examples for this library can be found online.
cURL
curl also allows you to execute your CTF web attacks, but instead of a graphical tool, this uses the command line. It specifically allows you to send HTTP requests (and receive the responses), with all sorts of data like cookies, payload, headers and more. One reason to use this tool is that browsers often allow you to copy an HTTP request they sent as a curl command, by right clicking the request in the network tab.
Rev (Reverse Engineering)
IDA
IDA Free is a free tool to (statically) analyze binaries (available for Linux, Windows, and macOS).
Ghidra
Ghidra is a free and open-source tool, developed by the NSA, to (statically) analyze programs (available for Linux, Windows, and macOS).
Pwn
x64dbg
x64dbg is a free (open source) tool to analyze a program at runtime.
pwndbg
pwndbg is a "gdb plug-in that makes debugging with gdb suck less".
pwntools
The pwntools library (confusingly, imported in Python via just pwn) is, to no one's surprise, a library most useful in the pwn category. It offers a wide variety of useful tools for dealing with binaries.
However, on top of that it is also generally useful for many challenges, as it allows you to connect to a TCP socket (aka a netcat connection) and automate interacting with it.
For examples, see the pwntools documentation. See also this cheatsheet.
General Info
Linux command line
Commands
The following are some default Linux commands that can often be useful in CTFs.
nc
The nc command, or netcat, allows you to connect (via TCP, a common internet protocol) to a server and communicate (exchange messages) with that server. In the real world, the TCP protocol is used for many common applications, such as HTTP for visiting websites, or FTP for transferring files.
In the context of CTFs however, TCP connections are often what you need to connect to an external challenge server to interact with it, and the nc command is one of the easiest ways to do so. The syntax of this command is nc <host> <port>
If you want to automate such a connection, for example to have a Python script send the messages for you, look at the section on pwntools.
An alternative for Windows and macOS is ncat.
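Here is an added example of the automation that the nc section and the pwntools section describe: a Python script that does what you would otherwise type into nc by hand. It is not pwntools' code; it uses only the standard socket module, so it runs without installing anything, and because no challenge server is reachable offline it constructs a tiny stand-in server on 127.0.0.1 (with a constructed flag) and solves it in the same script.

```python
"""Added example for this page, not pwntools' own code: automate a netcat-style
TCP conversation with only Python's standard library.  Because no challenge
server is available offline, a tiny stand-in server is constructed here on
127.0.0.1 and solved by the client in the same script."""
import random
import re
import socket
import threading
from typing import Tuple

def recv_until(sock: socket.socket, marker: bytes) -> bytes:
    """Read until the data ends with marker (or the peer closes); pwntools' recvuntil."""
    buf = b""
    while not buf.endswith(marker):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def run_challenge_server() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a CTF server: listens on an ephemeral port, serves
    one client a multiplication question, and returns a flag for the right answer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)

    def handle() -> None:
        conn, _ = srv.accept()
        with conn:
            a, b = random.randint(10, 99), random.randint(10, 99)
            conn.sendall(f"What is {a} * {b}?\n> ".encode())
            answer = recv_until(conn, b"\n").strip()
            if answer == str(a * b).encode():
                conn.sendall(b"Correct! Trojan{example_flag}\n")   # constructed flag
            else:
                conn.sendall(b"Wrong.\n")

    threading.Thread(target=handle, daemon=True).start()
    return srv, srv.getsockname()[1]

def solve(host: str, port: int) -> str:
    """What `nc host port` does by hand: connect, read the prompt, parse it,
    send the computed answer, and pull the flag out of the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        prompt = recv_until(s, b"> ")
        m = re.search(rb"What is (\d+) \* (\d+)\?", prompt)
        if not m:
            raise RuntimeError(f"unexpected prompt: {prompt!r}")
        a, b = int(m.group(1)), int(m.group(2))
        s.sendall(f"{a * b}\n".encode())          # pwntools: sendline
        reply = recv_until(s, b"\n").decode()
        flag = re.search(r"Trojan\{[^}]*\}", reply)
        return flag.group() if flag else ""

if __name__ == "__main__":
    server, port = run_challenge_server()
    print("flag:", solve("127.0.0.1", port))
    server.close()
```

With pwntools the client half collapses to remote(host, port), recvuntil(b"> "), sendline(...) and recvline(); the important habit either way is reading up to a known marker rather than assuming the whole prompt arrives in a single recv.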
man
The man command stands for manual, and you can use it in combination with any other Linux command to see a manual page for that command.
For example, using man nc shows you more information about the options you can use in combination with the nc command.
cat
The cat command will print the full contents of a file to the output.
For example, you can use cat text.txt to print the contents of text.txt to output.
grep
grep allows you to search for text in a file (or in another command's output, see Piping). It will then print each line containing the search query to output.
This can often be useful if you want to look for the flag in a large text file, if you know the flag format (e.g., grep 'Trojan{' longtext.txt will look for the flag in the file).
For example, you could use grep dog text.txt to search for the text 'dog' in the file. Equivalently, with piping, you could use cat text.txt | grep dog.
find
The find command allows you to search the filesystem for a specific file, with many filtering options.
Some examples:
find -name text.txt : look for files with the name text.txt in the current directory (and subdirectories, recursively)
find -type d : look for subdirectories (recursively) in the current directory
find -name '*.pdf' : look for all pdf files in the current directory and below
strings
The strings command is often useful in forensics, as it allows you to search through a binary file and look for ASCII strings inside. To explain what that means: the content of a file is always just a sequence of bytes, integer values ranging from 0 to 255. While most file types make use of this entire range, typical .txt files stick to just the range 0 to 127, the lower half of the byte values (most are even in the range 33 - 126, with the exception of some special characters).
This is known as ASCII encoding, and you can find more information about it in the section about it below.
What the strings command does is look for subsections of the input file consisting only of bytes in this typical ASCII range, and when it finds a sequence of such bytes, it prints it to output. This allows you to search for readable text in what is otherwise an unreadable (binary) file.
Examples of this command:
strings myfile.bin : prints all ASCII strings found in the file to output (.bin or .raw is more commonly used to indicate that the file contains binary data, i.e. non-ASCII data, although any file extension can be used for this)
strings -n 15 myfile.raw : prints all ASCII strings of length at least 15 to output (if you omit this option, the default minimum length is 4)
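The byte-range rule described above is small enough to implement yourself. The following is an added example written for this page (not the GNU strings source): a minimal version of strings -n N, plus the grep-style search for the flag format from the grep section, run over a constructed binary blob.

```python
"""Added example for this page, not the GNU strings source: a minimal
re-implementation of what `strings -n N` does, plus the grep-style flag search
from the grep section, run over a constructed binary blob."""
import re
from typing import List

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes (0x20-0x7e).
    Bytes outside that range (control bytes, anything >= 0x80) break a run,
    exactly as described above; min_len=4 is the default `strings` uses."""
    runs = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in runs.finditer(data)]

def find_flags(data: bytes, flag_re: str = r"Trojan\{[^}]*\}") -> List[str]:
    """Look for the flag format among the extracted strings (`strings f | grep 'Trojan{'`)."""
    pattern = re.compile(flag_re)
    return [m.group() for s in extract_strings(data) for m in pattern.finditer(s)]

# Constructed sample: an ELF-like header, a short word, a library path,
# some binary junk, and a flag, separated by NUL and other non-ASCII bytes.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9          # "ELF" is only 3 chars: dropped
    + b"Hi\x00"                                   # too short as well
    + b"/lib64/ld-linux-x86-64.so.2\x00"          # 27 printable bytes
    + b"\x01\x02\xff\xfe"
    + b"Trojan{str1ngs_4re_n3at}\x00"             # 24 printable bytes
    + b"ab"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE):             # like: strings sample.bin
        print(s)
    for s in extract_strings(SAMPLE, min_len=25): # like: strings -n 25 sample.bin
        print("long:", s)
    print("flags:", find_flags(SAMPLE))
```

Lowering min_len surfaces "ELF", "Hi" and "ab" as well, which is the trade-off the -n option controls: shorter runs catch more real text but also far more accidental runs of printable bytes inside binary data.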
Command tricks
Although many see the Linux shell as a simple terminal application, it offers a wide variety of programming syntax, on top of the regular command execution. With all of this syntax, you could even see Linux shell commands as their own programming language. Here, we'll explain a few basic tricks you can use to get the most out of your terminal usage.
Piping
When interacting with a Linux command line, you typically use a default terminal application. This terminal allows you to type on your keyboard to give input, and it will print (write on the screen) to give output.
However, with piping you can change where the output of your program goes. Let's start with an example:
python3 myfile.py | grep abc
What this will do is run the command python3 myfile.py (i.e., run myfile.py with Python), and instead of printing the output of the Python script directly to your terminal, it will feed that output into the command grep abc. Usually, the grep command requires a file as an argument, but through piping the output of the python3 command is essentially the file that it will operate on. Therefore, this example would look for the string abc in the output of your Python script.
Another example is this: cat input.txt | python3 myfile.py. You can use this in case your Python script takes some user input (which you'd normally have to type into the terminal while the script is running), when you don't want to type this input yourself, but instead have it come from a file.
Star files
Another useful trick is using a star * in commands with files. The star essentially means all files, so cat * would print the contents of every file in the current directory, instead of just one file. You can also apply some filters, for example cat *.txt would print the contents of every .txt file in the current directory.
This can be useful if you manage to get access to a restricted shell: a challenge server where you got access to a Linux command line, but the commands you enter are restricted, for example by blocking the word 'flag' from being entered via commands. This way, you can use fla* to refer to flag.txt.
Encodings
Base64
The encoding base64 is often used in CTFs to encode binary (or occasionally text) data as a normal piece of text. The alphabet used by this encoding consists of the digits 0 through 9, the alphabet A-Z (and a-z, so upper and lower case), and the special characters + and /. Additionally, the last one or two characters are often an equals sign (=). The alphabet, and the (common, but not always present) ending = sign(s), allow you to recognize the encoding. Tools exist online to decode from base64.
hex
Hexadecimal is often used to convert binary data (bytes) to readable text. Each byte is represented by 2 characters, and as a byte has 256 possible values, each character needs to have 16 possible values. These values are represented by 0-9 for the first 10 values, followed by the first 6 letters of the alphabet, a-f (either upper or lower case).
You can therefore recognize hex by this character set (0-9 and a-f). Hex strings are often just a way to represent bytes, but they can also be used to encode text using ASCII.
ASCII & UTF-8
ASCII has been mentioned multiple times in this tutorial, as it is very common. It is a very common way to encode text in bytes, and it is also the basis of UTF-8. UTF-8 can be seen as an extended version of ASCII, as it has every part of the encoding that ASCII has, and more. To see how ASCII converts bytes to characters, look up an ASCII table.
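The recognition rules from the three encoding sections above can be turned into a small checker. This is an added example written for this page (not one of the tools it lists): it classifies a string as hex or base64 by character set and length, decodes it, and then checks whether the bytes are readable ASCII/UTF-8 text rather than binary. All inputs are constructed; the one edge case it makes explicit is that a short string like abcd is valid in both alphabets, so the guess is a heuristic and hex is preferred.

```python
"""Added example for this page (not a tool from the page): recognise base64 and
hex by the character sets described above, decode them, and check whether the
bytes are readable ASCII/UTF-8 text.  All inputs below are constructed."""
import base64
import re
from typing import Optional, Tuple

HEX_RE = re.compile(r"[0-9a-fA-F]+")                 # 0-9 and a-f, either case
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")         # letters, digits, + and /, then 0-2 '=' pads

def guess_encoding(s: str) -> Optional[str]:
    """'hex', 'base64', or None. Hex is tried first because every hex string is
    also made of base64 characters; strings like 'abcd' are therefore ambiguous."""
    s = s.strip()
    if HEX_RE.fullmatch(s) and len(s) % 2 == 0:      # two characters per byte
        return "hex"
    if B64_RE.fullmatch(s) and len(s) % 4 == 0:      # base64 comes in groups of 4 characters
        return "base64"
    return None

def decode(s: str) -> Tuple[str, bytes]:
    """Decode with whichever encoding is recognised; raises ValueError otherwise."""
    kind = guess_encoding(s)
    if kind == "hex":
        return kind, bytes.fromhex(s.strip())
    if kind == "base64":
        return kind, base64.b64decode(s.strip(), validate=True)
    raise ValueError(f"not recognised as hex or base64: {s!r}")

def as_text(raw: bytes) -> Optional[str]:
    """Return the bytes as text if they are valid UTF-8 (ASCII is a subset) and
    printable, else None, so binary output is not mistaken for a message."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

if __name__ == "__main__":
    for sample in ["48656c6c6f", "SGVsbG8sIHdvcmxkIQ==", "c3a9", "abcd", "hello world"]:
        try:
            kind, raw = decode(sample)
            print(f"{sample!r:24} {kind:6} {raw!r:20} text={as_text(raw)!r}")
        except ValueError as e:
            print(e)
```

The c3a9 case shows the ASCII/UTF-8 relationship: two bytes that are not ASCII still decode as the single character é under UTF-8, while a byte such as 0x89 (the first byte of a PNG header) is rejected, which is usually the sign that the decoded data is a file rather than a message.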
Other applications
Windows Subsystem for Linux (WSL)
We highly recommend you to use a Linux environment for the CTF. Outside of a Linux OS, a Linux environment can be accessed with a virtual machine or WSL.
Docker
A good toolset is very important when you become more experienced in CTF. However, you don't always need every tool, and you will often find new tools during a CTF. It can be difficult to manage all of these, and install new tools each time and keep track of them.
One way to manage this is through Docker. Docker provides isolation of applications, meaning a specific Docker container stands separate from the rest of your system. If you want to try out a new tool quickly without much hassle, Docker can help. Additionally, it provides a layer of security as this application will not have access to the rest of your system. However, it can be tricky to get used to.
Kali Linux
Kali Linux is another completely different way to manage your tools. Kali Linux comes with a bunch of tools pre-installed, so that you don't need to do it yourself. However, all of these tools can be overwhelming. The majority of these you will likely never need, and if you don't actually know how the tools work, Kali will not provide much.
Search engine
Google is your best friend 😊 Of course, for the sake of your privacy, there are alternative search engines such as Startpage and Qwant.
Additionally, feel free to consult your favorite AI companion for help, such as ChatGPT.