# CTF Miscellaneous (ctf-misc)

Quick reference for miscellaneous CTF challenges. See the supporting files for full details.
## Prerequisites

```sh
# Python packages
pip install z3-solver pwntools Pillow numpy requests dnslib
# Linux
apt install ffmpeg qrencode
# macOS
brew install ffmpeg qrencode
```

Manual install: SageMath (Linux: `apt install sagemath`; macOS: `brew install --cask sage`).
## Additional Resources
| File | Coverage |
|---|---|
| pyjails.md | Python jail/sandbox escape, quine context detection, repunit decomposition, decorator bypass, walrus operator, restricted charset |
| bashjails.md | Bash jail escape, HISTFILE file read, bash -v verbose, ctypes.sh, no-letter SansAlpha/SansOmega, Bazel action_env injection |
| other-jails.md | vim/ruby/java/zig/GDB/DEBUG.EXE/emacs/haskell/GCC jails, nsjail/container escape via UMH |
| encodings.md | Encodings, QR codes, esolangs, UTF-16, BCD, multi-layer auto-decoding, Punycode, UTF-7, Base58Check, POSTNET, Morse |
| encodings-advanced.md | Verilog/HDL, Gray code, RTF extraction, SMS PDU, UTF-9, pixel binary, hex Sudoku + QR, TOPKEK, MaxiCode, font analysis, FNAF, Blender scripts |
| rf-sdr.md | RF/SDR/IQ signal processing (QAM-16, carrier recovery, timing sync) |
| dns.md | DNS exploitation (ECS spoofing, NSEC walking, IXFR, rebinding, tunneling) |
| games-and-vms.md | WASM patching, PyInstaller, marshal, Python env RCE, Z3 SAT solving, K8s RBAC, float precision, Lua sandbox escape, custom assembly sandbox escape |
| games-and-vms-2.md | Cookie brute-force, Flask cookie game state, WebSocket manipulation, De Bruijn sequence, Brainfuck instrumentation, WASM memory manipulation |
| games-and-vms-3.md | memfd_create packed binaries, HMAC commitment-reveal, emulator ROM-switching, Python marshal injection, Benford's Law, nonogram solver, 100 prisoners, C emoji jail, BuildKit exploitation, Docker escape, Levenshtein oracle, SECCOMP high-bit bypass, rvim jail |
| linux-privesc.md | Sudo wildcard injection, monit process injection, PostgreSQL COPY TO PROGRAM, backup cronjob SUID, NFS exploitation, PaperCut privesc, Squid pivoting, Zabbix reset, PATH hijacking, GTFOBins, lxd group privesc, Docker group privesc |
## When to Pivot

- Cryptography/number theory centered -> /ctf-crypto
- Real binary exploit (not jail/toy VM) -> /ctf-pwn or /ctf-reverse
- File/image/audio/PCAP recovery -> /ctf-forensics
- ML/AI model attacks, adversarial examples -> /ctf-ai-ml
## Quick Start Commands

```sh
# File identification
file mystery_file
xxd mystery_file | head -5
# Encoding detection
echo '<data>' | base64 -d
echo '<hex>' | xxd -r -p
# QR code decode
zbarimg qr.png
# Z3 constraint solving
python3 -c "from z3 import *; x=BitVec('x',32); s=Solver(); s.add(x^0xdead==0xbeef); s.check(); print(s.model())"
# Python jail test
python3 -c "__import__('os').system('id')"
# pwntools interaction
python3 -c "from pwn import *; r=remote('host',1337); r.interactive()"
# Find SUID binaries
find / -perm -4000 2>/dev/null
# Useful grep
grep -rn "flag{" .
strings file | grep -i flag
```
## Quick Reference

### Encodings & Ciphers

| Encoding | Charset / Indicator | Decode | File |
|---|---|---|---|
| Base64 | `A-Za-z0-9+/=` | `base64 -d` | encodings.md |
| Base32 | `A-Z2-7=` (no lowercase) | `base32 -d` | encodings.md |
| Hex | `0-9a-fA-F` | `xxd -r -p` | encodings.md |
| ROT13 | Garbled English | `tr 'a-zA-Z' 'n-za-mN-ZA-M'` | encodings.md |
| IEEE-754 float | Numbers hiding bytes | `struct.pack('>f', val)` → ASCII | encodings.md |
| Keyboard Shift | Adjacent keys pressed | dCode | encodings.md |
| Pigpen/Masonic | Geometric symbols on grid | Grid position mapping | encodings.md |
| MaxiCode | Hexagonal 2D barcode | zxing (Java) | encodings-advanced.md |
| TOPKEK | `KEK`=0, `TOP`=1, `!`=repeat | Binary decode | encodings-advanced.md |
Auto-identify: dCode Cipher Identifier
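The first three rows of the table are usually stacked several layers deep. The script below is an added example (not code from this skill's supporting files): it guesses each layer from its character set in the order the table suggests, keeps the first guess that decodes to printable ASCII, and stops when nothing matches, so it also serves as a quick "is this still encoded?" check. It also carries the IEEE-754 row through a round trip. The sample input is constructed inline; the function and constant names are this example's own.

```python
from __future__ import annotations

import base64
import binascii
import re
import string
import struct

# Bytes we accept as "decoded text": letters, digits, punctuation, whitespace.
PRINTABLE = set(string.printable.encode("ascii"))


def is_printable(data: bytes) -> bool:
    """True when data is non-empty and every byte is printable ASCII."""
    return bool(data) and all(b in PRINTABLE for b in data)


def candidate_encodings(s: str) -> list[str]:
    """Charset-based guesses, most restrictive first. A hex string is also valid
    Base64 (and sometimes Base32), so hex is tried before the other two; the
    caller keeps the first guess whose output is printable."""
    guesses = []
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) % 2 == 0:
        guesses.append("hex")
    if re.fullmatch(r"[A-Z2-7]+=*", s) and len(s) % 8 == 0:
        guesses.append("base32")
    if re.fullmatch(r"[A-Za-z0-9+/]+=*", s) and len(s) % 4 == 0:
        guesses.append("base64")
    return guesses


DECODERS = {
    "hex": binascii.unhexlify,
    "base32": base64.b32decode,
    "base64": lambda s: base64.b64decode(s, validate=True),
}


def peel_layers(blob: str, max_layers: int = 16) -> tuple[str, list[str]]:
    """Decode repeatedly while some guess yields printable ASCII.
    Returns (innermost text, layers removed from outermost inward)."""
    layers: list[str] = []
    current = blob.strip()
    for _ in range(max_layers):
        decoded = None
        for enc in candidate_encodings(current):
            try:
                out = DECODERS[enc](current)
            except (binascii.Error, ValueError):
                continue  # bad padding or stray characters: try the next guess
            if is_printable(out):
                decoded, used = out.decode("ascii"), enc
                break
        if decoded is None:
            break  # no charset matches, or nothing decodes to text: we are done
        layers.append(used)
        current = decoded.strip()
    return current, layers


def float_to_bytes(value: float) -> bytes:
    """IEEE-754 row: the big-endian bit pattern of a 32-bit float is the hidden bytes."""
    return struct.pack(">f", value)


# Constructed sample: Base32, then Base64, then hex, applied to a made-up flag.
SAMPLE = binascii.hexlify(
    base64.b64encode(base64.b32encode(b"flag{layered}"))
).decode("ascii")
# Constructed sample for the float row: the float whose bits spell "flag".
FLOAT_SAMPLE = struct.unpack(">f", b"flag")[0]

if __name__ == "__main__":
    text, layers = peel_layers(SAMPLE)
    print(layers, "->", text)
    print(float_to_bytes(FLOAT_SAMPLE))
```

The printable-output check is what keeps the loop from decoding real text that happens to look like hex (`deadbeef` decodes to bytes that fail the check, so it is left alone); if a challenge hides raw binary under the last layer, relax `is_printable` for that final step.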
### Unicode Steganography

| Technique | Range | Decode | File |
|---|---|---|---|
| Variation Selectors | U+E0100-E01EF | `chr(ord(c) - 0xE0100 + 16)` | encodings.md |
| Unicode Tags | U+E0000-E007F | `chr(ord(c) - 0xE0000)` | encodings.md |
| UTF-16 endianness | CJK mojibake | `text.encode('utf-16-be').decode('utf-16-le')` | encodings.md |
Detection: text is longer in bytes than it looks. Check `[hex(ord(c)) for c in text]` for high codepoints.
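The detection step and all three decode rules from the table, as an added example that is not part of this skill's supporting files. It goes one step beyond the table: the variation-selector scheme that produces the U+E0100 range also uses U+FE00-FE0F for byte values 0-15, so the scanner covers both blocks. The carrier strings are constructed inline (the small `_hide_vs` builder is only there to make the sample), and the function names are this example's own.

```python
from __future__ import annotations

VS_LOW = (0xFE00, 0xFE0F)     # VS1-VS16: carry byte values 0-15
VS_HIGH = (0xE0100, 0xE01EF)  # VS17-VS256: carry byte values 16-255 (the table's rule)
TAGS = (0xE0000, 0xE007F)     # tag characters: cp - 0xE0000 is the ASCII byte


def _in(cp: int, rng: tuple[int, int]) -> bool:
    return rng[0] <= cp <= rng[1]


def find_hidden_codepoints(text: str) -> list[tuple[int, str]]:
    """(index, hex codepoint) for every character in a carrier range.
    This is the detection step: visible text with invisible extra characters."""
    hits = []
    for i, c in enumerate(text):
        cp = ord(c)
        if _in(cp, VS_LOW) or _in(cp, VS_HIGH) or _in(cp, TAGS):
            hits.append((i, hex(cp)))
    return hits


def decode_variation_selectors(text: str) -> bytes:
    """U+FE00-FE0F hold 0-15, U+E0100-E01EF hold 16-255; everything else is carrier."""
    out = bytearray()
    for c in text:
        cp = ord(c)
        if _in(cp, VS_LOW):
            out.append(cp - VS_LOW[0])
        elif _in(cp, VS_HIGH):
            out.append(cp - VS_HIGH[0] + 16)
    return bytes(out)


def decode_tags(text: str) -> str:
    """Tag characters map straight onto ASCII. U+E0001 (language tag) and
    U+E007F (cancel tag) would decode to control bytes and are dropped."""
    chars = [chr(ord(c) - TAGS[0]) for c in text if _in(ord(c), TAGS)]
    return "".join(ch for ch in chars if 0x20 <= ord(ch) <= 0x7E)


def fix_utf16_endianness(mojibake: str) -> str:
    """CJK mojibake from UTF-16 read with the wrong byte order: swap it back."""
    return mojibake.encode("utf-16-be").decode("utf-16-le")


def _hide_vs(carrier: str, payload: bytes) -> str:
    # Constructed-sample builder: the inverse of decode_variation_selectors.
    return carrier + "".join(
        chr(VS_LOW[0] + b) if b < 16 else chr(VS_HIGH[0] + b - 16) for b in payload
    )


# Constructed samples.
SAMPLE_VS = _hide_vs("Hello", b"\x05hi")
SAMPLE_TAGS = "ok" + "".join(chr(TAGS[0] + ord(c)) for c in "tagged")
# UTF-16-BE bytes of "hi" read as UTF-16-LE: two CJK characters instead of two letters.
SAMPLE_MOJIBAKE = "hi".encode("utf-16-be").decode("utf-16-le")

if __name__ == "__main__":
    print(find_hidden_codepoints(SAMPLE_VS))
    print(decode_variation_selectors(SAMPLE_VS), decode_tags(SAMPLE_TAGS))
    print(repr(SAMPLE_MOJIBAKE), "->", fix_utf16_endianness(SAMPLE_MOJIBAKE))
```

`find_hidden_codepoints` is the part worth running over any text that looks longer than it should; the two decoders then tell you which scheme produced the extra characters.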
### QR Codes & Audio

| Technique | Command / Tool | File |
|---|---|---|
| QR decode | `zbarimg qr.png` | encodings.md |
| QR generate | `qrencode -o out.png "data"` | encodings.md |
| Spectrogram | `sox audio.wav -n spectrogram` | - |
| SSTV decode | qsstv | - |
| USB Mouse PCAP | USB-Mouse-Pcap-Visualizer | encodings.md |
### Python Jail Escape

| Technique | Example | File |
|---|---|---|
| Oracle pattern | `L()` length, `Q(i,x)` compare, binary search | pyjails.md |
| Walrus bypass | `(abcdef := "new_chars")` reassigns constraints | pyjails.md |
| Decorator bypass | `@__import__` no-call, no-quotes escape | pyjails.md |
| String join | `open(''.join(['fl','ag.txt'])).read()` | pyjails.md |
| Quine context | Dual-purpose quine with globals gate | pyjails.md |
| Repunit decomposition | Target as sum of 1+11+111+... | pyjails.md |
### Bash Jail Escape

| Technique | Payload | File |
|---|---|---|
| HISTFILE file read | `HISTFILE=/flag bash && history` | bashjails.md |
| Verbose mode | `bash -v flag.txt` prints lines | bashjails.md |
| ctypes.sh | `dlcall` for direct C library calls | bashjails.md |
### Games, VMs & Sandbox Escape

| Technique | Summary | File |
|---|---|---|
| PyInstaller | `pyinstxtractor.py packed.exe` → opcode remap | games-and-vms.md |
| WASM patching | `wasm2wat` → flip logic → `wat2wasm` | games-and-vms.md |
| Flask cookie game | `flask-unsign -d` leaks game answers | games-and-vms-2.md |
| Z3 boolean gate SAT | Model 250 gates as Z3 constraints, solve | games-and-vms.md |
| K8s RBAC bypass | SA token → impersonate → hostPath mount | games-and-vms.md |
| Float precision | Large multipliers amplify FP errors | games-and-vms.md |
| Docker escape | Host device mount, docker.sock, cgroup agent | games-and-vms-3.md |
| C emoji jail | `(X==X)` as 1, embed gadgets in `add eax,imm32` | games-and-vms-3.md |
| SECCOMP high-bit bypass | 64-bit fd passes BPF, kernel truncates to 32-bit | games-and-vms-3.md |
| rvim jail escape | `:python3 import os; os.system("cmd")` | games-and-vms-3.md |
| Emulator ROM-switch | `/load` replaces ROM but preserves CPU state | games-and-vms-3.md |
| BuildKit secrets | Nested `buildctl build --mount=type=secret` | games-and-vms-3.md |
### DNS Exploitation

| Technique | Quick Payload | File |
|---|---|---|
| ECS spoofing | `dig @server domain TXT +subnet=10.13.37.1/24` | dns.md |
| NSEC walking | Follow NSEC chain to enumerate DNSSEC zones | dns.md |
| IXFR | `dig @server domain IXFR=0` (when AXFR blocked) | dns.md |
| DNS rebinding | Low-TTL alternating resolution | dns.md |
### Linux Privilege Escalation

| Technique | Quick Check | File |
|---|---|---|
| SUID binaries | `find / -perm -4000 2>/dev/null` + GTFOBins | linux-privesc.md |
| Sudo perms | `sudo -l` | linux-privesc.md |
| Docker group | `id \| grep docker` → mount host root | linux-privesc.md |
| GECOS passwords | `/etc/passwd` 5th field | linux-privesc.md |
| ACL permissions | `getfacl /path/to/file` | linux-privesc.md |
| PostgreSQL RCE | `COPY TO PROGRAM 'cmd'` | linux-privesc.md |
| Sudo wildcard | `fnmatch()` matches `*` across arg boundaries | linux-privesc.md |
| PATH hijacking | Write to early PATH dir | linux-privesc.md |
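Three of the quick checks above (SUID binaries, PATH hijacking, sudo wildcard) as a small audit script, added here as an example and not taken from linux-privesc.md. `find_suid` is the `find / -perm -4000` check, `hijackable_path_dirs` flags PATH entries anyone can write to, and `sudo_args_match` models the sudoers argument matching the table describes (user arguments joined with spaces, compared with `fnmatch()`, so `*` runs across spaces and `/`) so a spec can be reviewed before it is granted. The directory tree it runs against is constructed in a temp dir; function names and the demo layout are this example's own.

```python
from __future__ import annotations

import fnmatch
import os
import stat
import tempfile


def find_suid(root: str) -> list[str]:
    """Regular files with the setuid bit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entries are skipped, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def hijackable_path_dirs(path_env: str) -> list[str]:
    """PATH entries anyone can drop a binary into: an empty entry (current
    directory) or a world-writable directory. A binary placed there shadows
    every later entry for any user whose PATH lists it first."""
    risky = []
    for entry in path_env.split(os.pathsep):
        if entry == "":
            risky.append(entry)  # empty entry means "."
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue  # nonexistent entries are not usable until someone creates them
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            risky.append(entry)
    return risky


def sudo_args_match(spec_args: str, user_args: list[str]) -> bool:
    """Model of sudoers argument matching as described in the table: the user's
    arguments are joined with spaces and compared with fnmatch() where '*' is
    not stopped by spaces or '/'. Only specs that list arguments are modelled."""
    return fnmatch.fnmatchcase(" ".join(user_args), spec_args)


def build_demo_tree() -> dict[str, str]:
    """Constructed layout: a world-writable dir and a normal dir holding a setuid file."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    loose = os.path.join(root, "loose")
    tight = os.path.join(root, "tight")
    os.mkdir(loose)
    os.mkdir(tight)
    os.chmod(loose, 0o777)
    os.chmod(tight, 0o755)
    helper = os.path.join(tight, "helper")
    with open(helper, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(helper, 0o4755)
    return {"root": root, "loose": loose, "tight": tight, "suid": helper}


def demo_report() -> dict[str, bool]:
    """Run the checks on the demo tree and report whether each found what it should."""
    tree = build_demo_tree()
    path_env = os.pathsep.join([tree["loose"], tree["tight"], "/no/such/dir"])
    return {
        "suid": find_suid(tree["root"]) == [tree["suid"]],
        "path": hijackable_path_dirs(path_env) == [tree["loose"]],
        # A spec ending in '*' admits a second argument after the intended one.
        "wildcard": sudo_args_match("/var/log/*", ["/var/log/syslog", "/etc/shadow"]),
    }


if __name__ == "__main__":
    print(demo_report())
```

When reviewing sudoers, prefer specs with no wildcard at all, or a wildcard that cannot absorb a space (e.g. a fixed argument list); `sudo_args_match` shows whether a proposed spec still accepts an extra argument.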
### Hash & Crypto Quick Checks

| Hash Type | Magic Constant | Tool |
|---|---|---|
| MD5 | `0x67452301` | hashcat |
| SHA-256 | `0x6a09e667` | hashcat |
| MurmurHash64A | `0xC6A4A7935BD1E995` | - |
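The magic-constant check from the table as a scanner over a binary blob, added as an example that is not code from this skill's supporting files. It searches for each constant in both byte orders (immediates in x86 code are little-endian; data tables may be either) and goes slightly beyond the table by adding a few well-known companion constants, because MD5 and SHA-1 share their first four initial words and only SHA-1's fifth (`0xC3D2E1F0`) separates them. The sample bytes are constructed; the function names are this example's own.

```python
from __future__ import annotations

import struct

# name: (value, byte width). The first three rows come from the table above;
# the rest are standard companions used to disambiguate.
MAGIC = {
    "md5/sha1 h0": (0x67452301, 4),
    "md5/sha1 h1": (0xEFCDAB89, 4),
    "sha1 h4": (0xC3D2E1F0, 4),
    "sha256 h0": (0x6A09E667, 4),
    "sha256 k0": (0x428A2F98, 4),
    "murmur64a m": (0xC6A4A7935BD1E995, 8),
    "crc32 reflected poly": (0xEDB88320, 4),
}


def scan_magic_constants(blob: bytes) -> dict[str, list[tuple[int, str]]]:
    """Locate each constant in both byte orders: {name: [(offset, 'LE'|'BE'), ...]}."""
    hits: dict[str, list[tuple[int, str]]] = {}
    for name, (value, width) in MAGIC.items():
        code = "Q" if width == 8 else "I"
        for order, endian in (("LE", "<"), ("BE", ">")):
            needle = struct.pack(endian + code, value)
            start = 0
            while (idx := blob.find(needle, start)) != -1:
                hits.setdefault(name, []).append((idx, order))
                start = idx + 1  # keep going: constants often appear more than once
    return hits


def guess_algorithms(blob: bytes) -> set[str]:
    """Turn constant hits into algorithm names, resolving the MD5/SHA-1 overlap."""
    found = set(scan_magic_constants(blob))
    algos = set()
    if "sha256 h0" in found or "sha256 k0" in found:
        algos.add("SHA-256")
    if "md5/sha1 h0" in found:
        # Same h0..h3 for both; SHA-1 is the one with a fifth state word.
        algos.add("SHA-1" if "sha1 h4" in found else "MD5")
    if "murmur64a m" in found:
        algos.add("MurmurHash64A")
    if "crc32 reflected poly" in found:
        algos.add("CRC32")
    return algos


# Constructed sample: 'mov eax, imm32' style bytes (0xB8 + LE immediate) loading
# SHA-1's five initial state words, as a compiler might emit them.
SAMPLE_SHA1 = b"".join(
    b"\xb8" + struct.pack("<I", v)
    for v in (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
)
# Constructed sample: the MurmurHash64A multiplier embedded in a data blob.
SAMPLE_MURMUR = b"\x00" * 3 + struct.pack("<Q", 0xC6A4A7935BD1E995) + b"\xff" * 2

if __name__ == "__main__":
    print(scan_magic_constants(SAMPLE_SHA1))
    print(guess_algorithms(SAMPLE_SHA1), guess_algorithms(SAMPLE_MURMUR))
```

In practice run `scan_magic_constants` over the `.rodata`/`.text` bytes of the binary (or the whole file) and let the offsets point you at the hash routine; a hit for `md5/sha1 h0` without `sha1 h4` is reported as MD5, which is a heuristic, not a proof.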
SHA-256 length extension: hlextend forges a MAC from `SHA-256(SECRET || msg)` given a known msg/hash pair. Vulnerable: SHA-256, MD5, SHA-1. Not vulnerable: HMAC, SHA-3.
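The three MAC layouts named in the line above, side by side, as an added example (not hlextend and not code from this skill's files): the `SHA-256(SECRET || msg)` layout the note calls vulnerable, and the HMAC and SHA-3 constructions it lists as not vulnerable, with a verifier that compares in constant time. The forgery itself is not reproduced here; the point is what a server should be computing instead. Secret and message values are constructed.

```python
from __future__ import annotations

import hashlib
import hmac


def naive_tag(secret: bytes, msg: bytes) -> str:
    """SHA-256(secret || msg). The digest is the hash's complete internal state,
    so whoever holds (msg, tag) can continue hashing from that state and obtain
    a valid tag for msg plus padding plus extra data without knowing secret."""
    return hashlib.sha256(secret + msg).hexdigest()


def hmac_tag(secret: bytes, msg: bytes) -> str:
    """HMAC-SHA256: the outer hash wraps the inner one, so the output is not a
    resumable state. This is the drop-in replacement for naive_tag."""
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sha3_prefix_tag(secret: bytes, msg: bytes) -> str:
    """SHA3-256(secret || msg). A sponge only emits part of its state, so the
    prefix layout that breaks SHA-256 is not extendable here."""
    return hashlib.sha3_256(secret + msg).hexdigest()


def verify_hmac(secret: bytes, msg: bytes, tag: str) -> bool:
    """Constant-time comparison: a plain == returns early on the first mismatch
    and leaks how many leading bytes of a guessed tag were right."""
    return hmac.compare_digest(hmac_tag(secret, msg), tag)


# Constructed sample values.
SECRET = b"example-server-secret"
MSG = b"user=alice&role=user"
TAMPERED = MSG + b"&role=admin"

if __name__ == "__main__":
    tag = hmac_tag(SECRET, MSG)
    print("naive :", naive_tag(SECRET, MSG))
    print("hmac  :", tag)
    print("sha3  :", sha3_prefix_tag(SECRET, MSG))
    print("verify original:", verify_hmac(SECRET, MSG, tag))
    print("verify tampered:", verify_hmac(SECRET, TAMPERED, tag))
```

When you find `naive_tag`'s layout in a challenge (or in production code), the fix is `hmac_tag` plus `verify_hmac`; switching the hash to SHA-3 also closes the extension issue but still leaves a hand-rolled construction to maintain.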
### RF/SDR Quick Reference

- Sample formats: cf32 is `np.fromfile(path, dtype=np.complex64)`; cs16 is `int16` followed by `reshape(-1,2)` into I/Q pairs; cu8 is RTL-SDR raw
- Circles in the constellation = constant frequency offset; spirals = drifting frequency
- 4-fold ambiguity in DD carrier recovery: try 0/90/180/270 degree rotation
- See rf-sdr.md for the full QAM-16 demod pipeline
### Miscellaneous Patterns

| Pattern | Technique | File |
|---|---|---|
| Backdoor in source | `strncmp(input, "exec:", 5)` → `system()` | - |
| 3D printer video | Track nozzle X/Y, plot 2D histogram for letters | - |
| Discord API flags | Roles, animated emoji, embeds metadata | /ctf-osint |
| ASCII in CSV columns | Values 48-126 → `chr()` | encodings.md |
| Nested archives | `while` loop with `7z x` | - |
## Common Flag Locations

Files: `/flag.txt`, `/flag`, `/app/flag.txt`, `/home/*/flag*`. Env: `/proc/self/environ`. DB: `flag`, `secret` tables. Container: host filesystem via `docker -v /:/mnt`.