The CTF Toolbox

Beginner · 30 min · Writeup

Essential tools for CTF competitions

Learning Objectives

  • Set up essential tools
  • Configure your environment
  • Know when to use each tool
  • Create your CTF toolkit

Every craftsman needs their tools, and CTF players are no different. This lesson covers the essential tools for each CTF category. Master these, and you'll have the right weapon for any challenge!

You don't need every tool immediately. Start with the basics in each category, then expand your toolkit as you encounter new challenges. The best tool is often the simplest one for the job.

General Purpose Tools

bash
# CyberChef - The Cyber Swiss Army Knife
# https://gchq.github.io/CyberChef/
# Browser-based, handles encoding/decoding/crypto/formatting
# MUST HAVE for any CTF player!

# Python - Your best friend
python3 -c "print('Hello CTF')"
# Quick scripting for automation
# pwntools, requests, pycryptodome libraries

# Command Line Essentials
strings file.bin           # Extract printable strings
xxd file.bin               # Hex dump
file mystery_file          # Identify file type
base64 -d encoded.txt      # Decode base64
hexdump -C file.bin        # Another hex viewer

# Text Processing
grep -r "flag" .           # Search for patterns
awk '{print $1}' file      # Column extraction
sed 's/old/new/g' file     # Find and replace
sort | uniq -c             # Frequency analysis

CyberChef Tips

CyberChef's "Magic" operation auto-detects encodings. Drag operations to chain them together. Save recipes for reuse. The "Fork" operation processes multiple inputs at once.

Web Tools

bash
# Burp Suite - Web proxy and testing tool
# Intercept, modify, and replay HTTP requests
# Essential for web challenges
burpsuite &

# Browser DevTools (F12)
# - Network tab for requests
# - Application tab for cookies/storage
# - Console for JavaScript debugging
# - Elements for DOM inspection

# curl - Command line HTTP client
curl http://target.com
curl -X POST -d "user=admin" http://target.com/login
curl -H "Cookie: session=abc123" http://target.com
curl -v http://target.com  # Verbose output

# Directory Enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://target.com/FUZZ -w wordlist.txt
dirb http://target.com

# SQLMap - Automated SQL injection
sqlmap -u "http://target.com?id=1" --dbs

# Nikto - Web vulnerability scanner
nikto -h http://target.com

Cryptography Tools

bash
# CyberChef Operations:
# - From Base64, From Hex, URL Decode
# - ROT13, Caesar Cipher
# - XOR, AES Decrypt
# - Magic (auto-detect)

# hashcat - Password/hash cracking
hashcat -m 0 hash.txt wordlist.txt     # MD5
hashcat -m 1000 hash.txt wordlist.txt  # NTLM
hashcat -m 1400 hash.txt wordlist.txt  # SHA256

# john - John the Ripper
john hash.txt --wordlist=rockyou.txt
john --show hash.txt

# RsaCtfTool - RSA attacks
# https://github.com/Ganapati/RsaCtfTool
python3 RsaCtfTool.py --publickey key.pub --uncipherfile flag.enc

# SageMath - Mathematical computations
# Great for RSA, elliptic curves, number theory
sage script.sage

# Python crypto libraries
pip install pycryptodome gmpy2 sympy

# dcode.fr - Online cipher identification and solving
# quipqiup.com - Substitution cipher solver
# factordb.com - Factor large numbers

For RSA challenges, always check factordb.com first. If N (the modulus) is already factored, you've saved yourself hours of work!
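
Why a factored N ends the challenge, as an added example that is not part of the original lesson: once p and q are known, the private exponent follows directly and the ciphertext decrypts. The modulus is constructed from two well-known Mersenne primes, and all function names and the sample flag are illustrative assumptions.

```python
from math import gcd

# Constructed challenge values (assumptions, not from the lesson):
# two well-known Mersenne primes, so N counts as "already factored".
P = 2**61 - 1
Q = 2**89 - 1
E = 65537
N = P * Q

def private_exponent(p: int, q: int, e: int) -> int:
    """Derive d from the factors of N via Carmichael's lambda(N)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e has no inverse modulo lambda(N)")
    return pow(e, -1, lam)  # modular inverse, Python 3.8+

def encrypt(message: bytes, n: int, e: int) -> int:
    """Textbook (unpadded) RSA, used only to build a sample ciphertext."""
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message does not fit under the modulus")
    return pow(m, e, n)

def decrypt(ciphertext: int, p: int, q: int, e: int) -> bytes:
    """Recover the plaintext bytes from c using the known factors."""
    d = private_exponent(p, q, e)
    m = pow(ciphertext, d, p * q)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def demo() -> bytes:
    """Encrypt a constructed flag under N, then decrypt it from p and q."""
    c = encrypt(b"flag{factored}", N, E)  # constructed ciphertext
    return decrypt(c, P, Q, E)

if __name__ == "__main__":
    print(demo())
```
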

Forensics Tools

bash
# File Analysis
file mystery_file                # Identify file type
exiftool image.jpg               # Extract metadata
binwalk firmware.bin             # Find embedded files
binwalk -e firmware.bin          # Extract embedded files
foremost disk.img                # Carve files from disk images
scalpel disk.img                 # Alternative file carver

# Steganography
steghide info image.jpg          # Check for hidden data
steghide extract -sf image.jpg   # Extract hidden data
zsteg image.png                  # PNG/BMP stego detection
stegsolve                        # Visual stego analysis

# Network Analysis
wireshark capture.pcap           # GUI packet analyzer
tshark -r capture.pcap           # CLI packet analyzer
tcpdump -r capture.pcap          # Read pcap files
strings capture.pcap | grep flag # Quick flag search

# Memory Forensics
volatility -f memory.dmp imageinfo              # Get profile
volatility -f memory.dmp --profile=X pslist     # List processes
volatility -f memory.dmp --profile=X filescan   # Find files
volatility -f memory.dmp --profile=X dumpfiles  # Extract files

# Disk Forensics
fdisk -l disk.img                # List partitions
mount -o loop disk.img /mnt      # Mount disk image
autopsy                          # GUI forensics tool

Binwalk Magic

binwalk -e automatically extracts files, but sometimes it misses things. Try binwalk --dd='.*' to extract ALL detected signatures.
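
What "detected signatures" means in practice, as an added example that is not binwalk's own code: a small scanner that looks for a few file magic numbers at every offset of a blob and carves one embedded gzip stream. The signature table, function names and sample blob are constructed for illustration.

```python
import gzip
import zlib

# A handful of common magic numbers (real tools know hundreds).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP local file header",
    b"\x1f\x8b\x08": "gzip stream",
    b"\xff\xd8\xff": "JPEG image",
    b"\x7fELF": "ELF executable",
}

def scan(blob: bytes) -> list:
    """Return sorted (offset, description) pairs for every signature hit."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def carve_gzip(blob: bytes, offset: int) -> bytes:
    """Decompress the gzip member starting at offset.

    Bytes after the end of the stream land in unused_data and are ignored,
    which is what lets a carver work without knowing the member's length.
    """
    d = zlib.decompressobj(wbits=31)  # 31 = expect gzip header and trailer
    return d.decompress(blob[offset:])

# Constructed sample: padding, a bare PNG magic with no image behind it
# (a false positive), then a real gzip member followed by trailing bytes.
SAMPLE = (
    b"\x00" * 16
    + b"\x89PNG\r\n\x1a\n" + b"junk"
    + gzip.compress(b"flag{carved}", mtime=0)
    + b"\xff" * 8
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
    print(carve_gzip(SAMPLE, 28))
```

The bare PNG magic in the sample shows why extracting every signature produces junk alongside real files: a few matching bytes are not proof that a valid file follows.
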

Reverse Engineering Tools

bash
# Disassemblers/Decompilers
# Ghidra (Free, NSA-developed)
ghidraRun

# IDA Free (Free for non-commercial)
# Binary Ninja (Paid, excellent)
# radare2/Cutter (Free, powerful CLI)

# GDB - GNU Debugger
gdb ./binary
(gdb) disas main       # Disassemble main function
(gdb) break *main      # Set breakpoint
(gdb) run              # Run program
(gdb) x/10x $esp       # Examine memory

# GDB with pwndbg or GEF (Enhanced GDB)
# https://github.com/pwndbg/pwndbg

# ltrace/strace - Library and system call tracing
ltrace ./binary        # Library calls
strace ./binary        # System calls

# objdump - Quick disassembly
objdump -d binary      # Disassemble
objdump -s binary      # Full contents

# strings with context
strings -n 10 binary   # Strings ≥10 chars
strings -t x binary    # Show offset in hex

Binary Exploitation Tools

bash
# pwntools - Python exploitation framework
pip install pwntools

# Basic pwntools script (Python)
from pwn import *
p = process('./binary')
# p = remote('target.com', 1337)

payload = b"A" * 64
payload += p64(0xdeadbeef)   # 64-bit address

p.sendline(payload)
p.interactive()

# checksec - Check binary protections
checksec ./binary
# RELRO, Stack Canary, NX, PIE, FORTIFY

# ROPgadget - Find ROP gadgets
ROPgadget --binary ./binary

# one_gadget - Find one-shot execve gadgets
one_gadget /lib/x86_64-linux-gnu/libc.so.6

# Pattern generation (for offset finding)
cyclic 100                   # Generate pattern
cyclic -l 0x61616163         # Find offset

OSINT Tools

bash
# Image Analysis
exiftool image.jpg     # Metadata (GPS, camera, etc.)
# images.google.com    # Reverse image search
# tineye.com           # Reverse image search
# yandex.com/images    # Often finds more results

# Domain/Network
whois domain.com
nslookup domain.com
dig domain.com ANY
host -a domain.com
# shodan.io            # Internet device search

# Social Media
# sherlock             # Username search across platforms
python3 sherlock.py username

# Archive
# web.archive.org      # Wayback Machine
# cached versions of websites

# Search Operators
# site:domain.com query
# filetype:pdf query
# inurl:admin
# intitle:"index of"

Essential Online Resources

# Encoding/Decoding
# - CyberChef (gchq.github.io/CyberChef)
# - dcode.fr (cipher identification)

# Cryptography
# - factordb.com (integer factorization)
# - quipqiup.com (substitution cipher)
# - asecuritysite.com (crypto tools)

# Hashing
# - crackstation.net (hash lookup)
# - hashes.com (hash lookup)
# - hashkiller.io (hash lookup)

# File Analysis
# - hexed.it (online hex editor)
# - aperisolve.com (stego analysis)

# Learning
# - ctftime.org (CTF calendar and writeups)
# - CTF writeups on Medium/GitHub
# - LiveOverflow YouTube channel

Knowledge Check

Quick Quiz

Which tool would you use to extract files hidden inside a firmware image?

Key Takeaways

  • CyberChef is essential - bookmark it immediately
  • Master basic Linux commands before specialized tools
  • Each category has specific tools - learn them as needed
  • Python + pwntools covers most automation needs
  • Online resources complement local tools
  • The best tool is the one you know how to use effectively