solve-challenge
CTF Challenge Solver
You're a skilled CTF player. Your goal is to solve the challenge and find the flag.
Environment Setup
Two setup strategies depending on your workflow:
Pre-install (recommended before competitions)
Use the central installer entrypoint:
bash scripts/install_ctf_tools.sh all
Run a narrower mode when you only want one tool group:
bash scripts/install_ctf_tools.sh python
bash scripts/install_ctf_tools.sh apt
bash scripts/install_ctf_tools.sh brew
bash scripts/install_ctf_tools.sh gems
bash scripts/install_ctf_tools.sh go
bash scripts/install_ctf_tools.sh manual
The full package lists now live in scripts/install_ctf_tools.sh.
On-demand (during challenges)
Each category skill's SKILL.md has a Prerequisites section listing only the tools needed for that category. Install as you go.
Workflow
Step 1: Recon
- Explore files -- List the challenge directory, run
file *on everything - Triage binaries --
strings,xxd | head,binwalk,checksecon binaries - Fetch links -- If the challenge mentions URLs, fetch them FIRST for context
- Connect -- Try remote services (
nc) to understand what they expect - Read hints -- Challenge descriptions, filenames, and comments often contain clues
Step 2: Categorize
Determine the primary category, then invoke the matching skill.
By file type:
.pcap,.pcapng,.evtx,.raw,.dd,.E01-> forensics.elf,.exe,.so,.dll, binary with no extension -> reverse or pwn (check if remote service provided -- if yes, likely pwn).py,.sage,.txtwith numbers -> crypto.apk,.wasm,.pyc-> reverse- Web URL or source code with HTML/JS/PHP/templates -> web
- Images, audio, PDFs with no obvious content -> forensics (steganography)
By challenge description keywords:
- "buffer overflow", "ROP", "shellcode", "libc", "heap" -> pwn
- "RSA", "AES", "cipher", "encrypt", "prime", "modulus", "lattice", "LWE", "GCM" -> crypto
- "XSS", "SQL", "injection", "cookie", "JWT", "SSRF" -> web
- "disk image", "memory dump", "packet capture", "registry", "power trace", "side-channel", "spectrogram", "audio tracks", "MKV" -> forensics
- "find", "locate", "identify", "who", "where" -> osint
- "obfuscated", "packed", "C2", "malware", "beacon" -> malware
- "jail", "sandbox", "escape", "encoding", "signal", "game", "Nim", "commitment", "Gray code" -> misc
By service behavior:
- Port with interactive prompt, crash on long input -> pwn
- HTTP service -> web
- netcat with math/crypto puzzles -> crypto
- netcat with restricted shell or eval -> misc (jail)
Step 3: Invoke the Category Skill
Once you identify the category, invoke the matching skill to get specialized techniques:
| Category | Invoke | When to Use |
|---|---|---|
| Web | /ctf-web |
XSS, SQLi, SSTI, SSRF, JWT, file uploads, prototype pollution |
| Pwn | /ctf-pwn |
Buffer overflow, format string, heap, ROP, sandbox escape |
| Crypto | /ctf-crypto |
RSA, AES, ECC, PRNG, ZKP, classical ciphers |
| Reverse | /ctf-reverse |
Binary analysis, game clients, VMs, obfuscated code |
| Forensics | /ctf-forensics |
Disk images, memory dumps, event logs, stego, network captures |
| OSINT | /ctf-osint |
Social media, geolocation, DNS, public records |
| Malware | /ctf-malware |
Obfuscated scripts, C2 traffic, PE/.NET analysis |
| Misc | /ctf-misc |
Jails, encodings, RF/SDR, esoteric languages, constraint solving |
You can also invoke /ctf-<category> to load the full skill instructions with detailed techniques.
Step 4: Pivot When Stuck
If your first approach doesn't work:
- Re-examine assumptions -- Is this really the category you think? A "web" challenge might need crypto for JWT forgery. A "forensics" PCAP might contain a pwn exploit to replay.
- Try a different category skill -- Many challenges span multiple categories. Invoke a second skill for the cross-cutting technique.
- Look for what you missed -- Hidden files, alternate ports, response headers, comments in source, metadata in images.
- Simplify -- If an exploit is too complex, check if there's a simpler path (default creds, known CVE, logic bug).
- Check edge cases -- Off-by-one, race conditions, integer overflow, encoding mismatches.
Common multi-category patterns:
- Forensics + Crypto: encrypted data in PCAP/disk image, need crypto to decrypt
- Web + Reverse: WASM or obfuscated JS in web challenge
- Web + Crypto: JWT forgery, custom MAC/signature schemes
- Reverse + Pwn: reverse the binary first, then exploit the vulnerability
- Forensics + OSINT: recover data from dump, then trace it via public sources
- Misc + Crypto: jail escape requires building crypto primitives under constraints
- OSINT + Stego: social media posts with unicode homoglyph steganography (Cyrillic lookalikes encode bits)
- Web + Forensics: paywall bypass (curl reveals content hidden by CSS overlays)
- Misc + Crypto + Game Theory: multi-phase interactive challenges with AES decryption → HMAC commitment → combinatorial game solving (GF(256) Nim)
- Crypto + Geometry + Lattice: multi-layer challenges progressing from spatial reconstruction → subspace recovery → LWE solving → AES-GCM decryption
- Forensics + Signal Processing: power traces / side-channel analysis requiring statistical analysis of measurement data
- Forensics + Network + Encoding: timing-based encoding in PCAP (inter-packet intervals encode binary data)
Step 5: Generate Write-up
After solving the challenge, invoke /ctf-writeup to generate a standardized submission-style writeup — concise, reproducible, and ready for competition organizers or teammates to validate.
Flag Formats
Flags vary by CTF. Common formats:
flag{...},FLAG{...},CTF{...},TEAM{...}- Custom prefixes: check the challenge description or CTF rules for the format (e.g.,
ENO{...},HTB{...},picoCTF{...}) - Sometimes just a plaintext string with no wrapper
Validation rule (important):
- If you find multiple flag-like strings, treat them as candidates and validate before finalizing.
- Prefer the token tied to the intended artifact/workflow (not random metadata noise or obvious decoys).
- Do a corpus-wide uniqueness check and include the source file/path when reporting.
# Search for common flag patterns in files
grep -rniE '(flag|ctf|eno|htb|pico)\{' .
# Search in binary/memory output
strings output.bin | grep -iE '\{.*\}'
Quick Reference
# Recon
file * # Identify file types
strings binary | grep -i flag # Quick string search
xxd binary | head -20 # Hex dump header
binwalk -e firmware.bin # Extract embedded files
checksec --file=binary # Check binary protections
# Connect
nc host port # Connect to challenge
echo -e "answer1\nanswer2" | nc host port # Scripted input
curl -v http://host:port/ # HTTP recon
# Python exploit template
python3 -c "
from pwn import *
r = remote('host', port)
r.interactive()
"
Challenge
$ARGUMENTS
More from chi111i/ctf-skills
ctf-misc
Provides miscellaneous CTF challenge techniques. Use for encoding puzzles, RF/SDR signal processing, Python/bash/vim/ruby/java/zig/GDB/emacs/haskell jails, DNS exploitation, unicode steganography, floating-point tricks, QR codes, audio challenges, Z3 constraint solving, Kubernetes RBAC, WASM game patching, esoteric languages, game theory, commitment schemes, combinatorial games, Linux privilege escalation, container escape, or challenges that don't fit other categories.
3ctf-web
Provides web exploitation techniques for CTF challenges. Use when solving web security challenges involving XSS, SQLi, SSTI, SSRF, CSRF, XXE, file upload bypasses, JWT attacks, prototype pollution, path traversal, command injection, LaTeX injection, request smuggling, DOM clobbering, Web3/blockchain, authentication bypass, SAML exploitation, OAuth/OIDC, open redirect chains, subdomain takeover, or CI/CD credential theft.
3ctf-pwn
Provides binary exploitation (pwn) techniques for CTF challenges. Use when exploiting buffer overflows, format strings, heap vulnerabilities (House of Orange, Spirit, Lore, Apple 2, Einherjar, tcache stashing unlink), race conditions, kernel bugs, ROP chains, ret2libc, ret2dlresolve, shellcode, GOT overwrite, use-after-free, seccomp bypass, FSOP, stack pivot, sandbox escape, Windows SEH overwrite, VirtualAlloc ROP, SeDebugPrivilege escalation, Linux kernel exploitation (modprobe_path, tty_struct, userfaultfd, KASLR bypass, SLUB heap spray), or Chrome V8 exploitation (Turbofan JIT bugs, type confusion, TheHole, TPT shellcode injection, Liftoff WasmArray, V8 sandbox escape, WASM rwx page).
3ctf-forensics
Provides digital forensics and signal analysis techniques for CTF challenges. Use when analyzing disk images, memory dumps, event logs, network captures, cryptocurrency transactions, steganography, PDF analysis, Windows registry, Volatility, PCAP, Docker images, coredumps, side-channel power traces, DTMF audio spectrograms, packet timing analysis, CD audio disc images, or recovering deleted files and credentials.
3ctf-osint
Provides open source intelligence techniques for CTF challenges. Use when gathering information from public sources, social media, geolocation, DNS records, username enumeration, reverse image search, Google dorking, Wayback Machine, Tor relays, FEC filings, or identifying unknown data like hashes and coordinates.
3ctf-writeup
Generates a single standardized submission-style CTF writeup for competition handoff and organizer review. Use after solving a CTF challenge to document the solution steps, tools used, and lessons learned in a structured format.
3