Description

This is a cheatsheet for Capture the Flag (CTF) competitions.

Where can you train?

Have a look at my write-ups (bottom of this page), but a good start is:

• https://www.root-me.org/
• https://tryhackme.com/
• https://www.vulnhub.com/
• https://www.hackthebox.eu/

Helpers

Stabilize your reverse shell

SHELL=/bin/bash script -q /dev/null
Ctrl-Z
stty raw -echo
fg
reset
xterm

or

python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm; export SHELL=/bin/bash
CTRL+Z
stty raw -echo;fg

Nmap scan script

$ cat nmap-scan.sh 
ports=$(nmap -p- --min-rate=1000  -T4 $1 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p$ports $1

Usage:

$ ./nmap-scan.sh 111.222.33.44

Nmap scripts: https://svn.nmap.org/nmap/scripts/

ROT

Define following aliases in your ~/.bashrc to automatically solve ROT13 and ROT47:

alias rot13="tr 'A-Za-z' 'N-ZA-Mn-za-m'"
alias rot47="tr '\!-~' 'P-~\!-O'"

Usage:

$ echo "Uryyb Jbeyq!" | rot13
Hello World!
$ echo "%9:D :D C62==J 4@?G6?:6?E iX" | rot47
This is really convenient :)

Crypto

base64

Encode

$ echo -n "administrator:password" | base64
YWRtaW5pc3RyYXRvcjpwYXNzd29yZA==

Decode

$ echo "YWRtaW5pc3RyYXRvcjpwYXNzd29yZA==" | base64 -d
administrator:password 

For nested base64 files

#!/usr/bin/env python3

import sys
import base64

if len(sys.argv) < 2:
	print("Usage: {} <file.b64.txt>".format(sys.argv[0]))
	sys.exit(1)

data = open(sys.argv[1], "r").read()

while True:
	try:
		data = base64.b64decode(data)
	except:
		break

print(data)

To use it:

$ python3 decode_nested_b64.py b64.txt 
b'flag 44: ygm2my89uqzirzj0nojw'

base32

$ echo "NBSWY3DPEB3W64TMMQQQU===" | base32 -d
hello world!

base58

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

ascii to char

>>> c=[70,76,65,71,123,106,52,118,52,115,99,114,49,112,116,95,49,115,95,52,108,115,48,95,98,52,100,125]
>>> ''.join([chr(i) for i in c])
'FLAG{j4v4scr1pt_1s_4ls0_b4d}'

hex to char

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

bin to char

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Caesar cipher (custom offset)

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

ROT13 (Caesar with offset of 13)

$ cat c.03 | tr 'A-Za-z' 'N-ZA-Mn-za-m' 
FLAG{stabbed_in_the_back}

XOR

#!/usr/bin/env python3
import pwn
a = """\HWPG^DCXETEHAT^WT_RCHAEX^_XBI^CX_V;XEBEYTSTBE;B^BTRDCT;;w}pvJI^CnXBnBDATCnBTRDCTL;w}pvJI^CnXBnBDATCnBTR"""
a+= """DCTL;w}pvJI^CnXBnBDATCnBTRDCTL;w}pvJI^CnXBnBDATCnBTRDCTL;w}pvJI^CnXBnBDATCnBTRDCTL;w}pvJI^CnXBnBDATCnBTR"""
a+= """DCTL;w}pvJI^CnXBnBDATCnBTRDCTL;w}pvJI^CnXBnBDATCnBTRDCTL;w}pvJI^CnXBnBDATCnBTRDCTL"""

for key in range(0x01, 0xff):
    x = pwn.xor(a, key).decode('ascii')
    if 'flag' in x or 'FLAG' in x:
        print(x)

Vigenere

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

T9

Think in the past when you were writing text messages on your mobile phone only with the numeric keyboard. This is what T9 (predictive text) is all about.

[1     ] [2  abc] [3  def]
[4  ghi] [5  jkl] [6  mno]
[7 pqrs] [8  tuv] [9 wxyz]

Example:

333 555 2 4 7 777 33 2 66 3 777 666 444 3 2 66 3 444 666 7777
 f   l  a g p  r  e  a n  d  r   o   i  d a  n d  i   o   s

Morse

• Morse alphabet
• Decode morse from audio file (upload)

Forensics

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

strings / grep

$ wc -l f.01
2000001 f.01
$ grep -o "FLAG{.*}" f.01
FLAG{here_i_am}

Embedded resources

Extract resources in files:

• binwalk
• foremost

Fix incorrect header

In the below example, 8.png is identified as "data" instead of "png" because of incorrect header:

$ xxd 8.png | head
00000000: 0000 0000 0d0a 1a0a 0000 000d 4948 4452  ............IHDR
00000010: 0000 02d0 0000 015e 0800 0000 0089 6e77  .......^......nw
00000020: 7500 0000 0970 4859 7300 000e f300 000e  u....pHYs.......
00000030: f301 1c53 993a 0000 0011 7445 5874 5469  ...S.:....tEXtTi
00000040: 746c 6500 5044 4620 4372 6561 746f 7241  tle.PDF CreatorA
00000050: 5ebc 2800 0000 1374 4558 7441 7574 686f  ^.(....tEXtAutho
00000060: 7200 5044 4620 546f 6f6c 7320 4147 1bcf  r.PDF Tools AG..
00000070: 7730 0000 002d 7a54 5874 4465 7363 7269  w0...-zTXtDescri
00000080: 7074 696f 6e00 0008 99cb 2829 29b0 d2d7  ption.....())...
00000090: 2f2f 2fd7 2b48 49d3 2dc9 cfcf 29d6 4bce  ///.+HI.-...).K.

You can fix it using dd to overwrite the first bytes with the correct PNG header:

$ printf '\x89\x50\x4e\x47' | dd conv=notrunc of=8.png bs=1
4+0 records in
4+0 records out
4 bytes copied, 0.000119739 s, 33.4 kB/s
$ xxd 8.png | head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 02d0 0000 015e 0800 0000 0089 6e77  .......^......nw
00000020: 7500 0000 0970 4859 7300 000e f300 000e  u....pHYs.......
00000030: f301 1c53 993a 0000 0011 7445 5874 5469  ...S.:....tEXtTi
00000040: 746c 6500 5044 4620 4372 6561 746f 7241  tle.PDF CreatorA
00000050: 5ebc 2800 0000 1374 4558 7441 7574 686f  ^.(....tEXtAutho
00000060: 7200 5044 4620 546f 6f6c 7320 4147 1bcf  r.PDF Tools AG..
00000070: 7730 0000 002d 7a54 5874 4465 7363 7269  w0...-zTXtDescri
00000080: 7074 696f 6e00 0008 99cb 2829 29b0 d2d7  ption.....())...
00000090: 2f2f 2fd7 2b48 49d3 2dc9 cfcf 29d6 4bce  ///.+HI.-...).K.

Reversing

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Binary Exploitation

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Web

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.