Miscellaneous.md

Time

Epoch Time

Unix systems use epoch time (seconds since 1970-01-01 UTC) for some logs; convert it with EpochConverter.

Webkit Time

Some web browsers don't use epoch time; they use WebKit timestamps (microseconds since 1601-01-01 UTC). Best to convert with WebKitConverter.
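The conversion that WebKitConverter performs, done in the shell as an added example (not from the original page): the only constant needed is the 11644473600-second gap between the 1601 and 1970 epochs, and the sample value is constructed.

```shell
#!/bin/sh
# WebKit/Chrome timestamps count microseconds since 1601-01-01 00:00:00 UTC;
# Unix epoch time counts seconds since 1970-01-01. The gap is 11644473600 s.
WEBKIT_EPOCH_OFFSET=11644473600

# WebKit microseconds -> Unix epoch seconds (integer division drops sub-seconds)
webkit_to_epoch() {
    echo $(( $1 / 1000000 - $WEBKIT_EPOCH_OFFSET ))
}

# Unix epoch seconds -> WebKit microseconds
epoch_to_webkit() {
    echo $(( ($1 + $WEBKIT_EPOCH_OFFSET) * 1000000 ))
}

# Quick way to tell the formats apart by magnitude: epoch seconds are 10 digits,
# epoch milliseconds 13, WebKit microseconds 17 (for any date after 1970).
guess_scale() {
    case ${#1} in
        10) echo "epoch-seconds" ;;
        13) echo "epoch-milliseconds" ;;
        17) echo "webkit-microseconds" ;;
        *)  echo "unknown" ;;
    esac
}

# Constructed sample value (not taken from the page)
sample=13300000000000000
epoch=$(webkit_to_epoch "$sample")
echo "$sample looks like $(guess_scale "$sample") -> epoch $epoch"
# GNU date (Linux) takes -d @epoch; BSD/macOS date takes -r epoch
date -u -d "@$epoch" 2>/dev/null || date -u -r "$epoch" 2>/dev/null || true
```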

Emails

eml_analyzer

You can examine .eml files with eml_analyzer.

Phishing

Some challenges require you to phish a fake user.

NC

Netcat can send emails by speaking SMTP directly with nc -C [host] [port] (the -C flag sends CRLF line endings, which SMTP requires). A good guide is here: Netcat and Email. In the session below the numbered lines are the server's replies; the message body entered after DATA is terminated by a line containing only a period. Example session:

nc -C challenge.ctf.games 32503
220 red-phish-blue-phish-be0042c22eaa2d04-8864dc68d-nt7jg Python SMTP 1.4.6
EHLO 127.0.0.1
250-red-phish-blue-phish-be0042c22eaa2d04-8864dc68d-nt7jg
250-SIZE 33554432
250-8BITMIME
250-SMTPUTF8
250 HELP
MAIL FROM:<read.austin@gmail.com>
250 OK
RCPT TO:<swilliams@pyrchdata.com>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
FROM: [AJ Read] <read.austin@gmail.com>
To: <swilliams@pyrchdata.com>
Date: Wed, 2 Oct 2024 21:00:00 -0400
Subject: Marketing Ideas

Test these data concepts out for marketing!

Scripting

Some challenges require a small form of scripting.

Base64 Multiples

If a challenge requires you to base64-decode something multiple times, don't re-invent the wheel: base64multipledecode

Audio

Examining audio files in CTFs is not always the most fun, but there are some useful tools for listening to the audio itself or looking at its spectrum.

Audacity

Audacity is a great utility for examining WAV files.

DTMF Tones

DTMF tones are interesting additions as audio files to CTFs. There is a DTMF identifier here.

Command Line Utilities

There are some awesome command line utilities that can help with CTFs.

Cut

Search for a specific word within a file, cut out a certain column, sort the values alphabetically, keep only the unique ones, and finally count the resulting lines. Command: grep word_to_search file_location | cut -d " " -f column_to_choose | sort | uniq | wc -l

Count the number of unique values that appear between square brackets in each line of a file. Command: cat file_location | cut -d "[" -f2 | cut -d "]" -f1 | sort | uniq | wc -l

Add up the values (in this instance sizes in KB) found in a certain column of a file; paste joins them with + and bc evaluates the sum. Command: cat access.log | cut -d "-" -f4 | cut -d " " -f2 | sed 's/KB//g' | paste -s -d+ - | bc
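The three pipelines above run over a small constructed access log, as an added example that is not part of the original page; the log lines are made up to match the "a - b - c - <size>KB ..." shape the third pipeline assumes, and the sum is evaluated with shell arithmetic so it works even where bc is not installed.

```shell
#!/bin/sh
# Constructed sample log (not from the page): IP - user - [day] - size method path status
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
10.0.0.1 - alice - [02/Oct/2024] - 12KB GET /index.html 200
10.0.0.2 - bob - [02/Oct/2024] - 30KB GET /login 200
10.0.0.1 - alice - [03/Oct/2024] - 8KB POST /login 302
10.0.0.3 - carol - [03/Oct/2024] - 100KB GET /report.pdf 200
EOF

# Pipeline 1: lines containing a word, then the distinct values of one
# space-separated column. $1=word $2=column $3=file
count_unique_field() {
    grep "$1" "$3" | cut -d " " -f "$2" | sort | uniq | wc -l | tr -d ' '
}

# Pipeline 2: distinct values between the first "[" and the next "]". $1=file
count_unique_bracketed() {
    cut -d "[" -f2 "$1" | cut -d "]" -f1 | sort | uniq | wc -l | tr -d ' '
}

# Pipeline 3: take field 4 (split on "-"), its second space-separated word,
# strip the KB suffix and join with "+" ("12+30+8+100"). The page feeds that
# string to bc; $(( ... )) evaluates the same expression in the shell. $1=file
sum_kb() {
    expr=$(cut -d "-" -f4 "$1" | cut -d " " -f2 | sed 's/KB//g' | paste -s -d+ -)
    echo $(( expr ))
}

echo "Distinct client IPs making GET requests: $(count_unique_field GET 1 "$LOG")"
echo "Distinct users hitting /login:           $(count_unique_field /login 3 "$LOG")"
echo "Distinct days in the log:                $(count_unique_bracketed "$LOG")"
echo "Total KB transferred:                    $(sum_kb "$LOG")"
```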

Less

You can run a shell command while in less by typing !command.

Grep

grep is a great command for basic searching. One of the key flags is -r (recursive).

Shell Type

To find out what type of shell you are running in: Command: echo $0

Diff

If you need to compare two files for differences, use diff [file1] [file2]. Directories can be compared recursively with -r.

Diffuse

If you need to compare more than two files for differences, use diffuse [file1] [file2] [file3] [file4].

FileShare

Some challenges require you to interact with a network file share.

Smbclient

Used to access an SMB (Samba) share.

Command: smbclient //REPLACE_INSTANCE_IP_ADDRESS/sharename

Geo

Geo challenges can deal with geolocations to find the flag based on coordinates, reverse image searches, etc.

Python GeoIP

The geoip2 Python library reads MaxMind's GeoLite2 database files (.mmdb) and can look up the location of an IP address. The Python script will look like:

import geoip2.database
reader = geoip2.database.Reader('./GeoLite2-City_20200331/GeoLite2-City.mmdb')
response = reader.city('203.0.113.5')  # sample address from the documentation range; use the IP from the challenge
print(response.country.name, response.city.name, response.location.latitude, response.location.longitude)

Reverse Image Search

Use the Google Reverse Image search tool to complete challenges that require you to find a location!

Password Cracking

There are great tools to use for cracking a password to grab the flag.

Fcrack

Crack the password of a zip file with fcrackzip and a wordlist. Some of the useful options are:
-D uses dictionary mode, reading passwords from a file with one password per line
-v uses verbose mode; the more v's, the more verbose
-u uses unzip to try to decompress the file with each candidate password, which weeds out false positives
-p sets the initial starting password for brute-force searching, or, together with -D, names the wordlist file

Command: fcrackzip -v -u -D -p rockyou.txt file.zip

John the Ripper

Cracking passwords with John the Ripper when /etc/passwd and /etc/shadow are given. Before cracking with John the Ripper, the passwd and shadow files need to be combined with unshadow so John can read the hashes.

PDFCrack

Crack PDFs that are encrypted with a password. Command: pdfcrack -w location_or_rockyou location_of_pdf

Zip2John

If provided with a zip file, you can try to crack its password using john, but you must first convert the archive into a hash john understands with zip2john.

QR Codes

Ever since COVID, QR codes have really been on the rise.

Zbarimg

Scan QR codes from the terminal: zbarimg scans and decodes bar codes from image file(s).

Wifi

Wifi challenges are often used for OSINT, RF, or basic network information challenges.

Wigle

Wigle is a great wifi mapping site that shows networks by location. Some challenges have required fetching the SSID or network name for a certain geographic location. The website: http://wigle.net

Random Files

There are various random file formats that have been seen on CTFs.

DAE Files

DAE (COLLADA) files can be inspected with Blender, which is available on Linux. Often DAE files are mechanical drawings used in engineering.

Privilege Escalation

Sometimes challenges require you to escalate privileges and read a flag as root.

Compgen

compgen is a bash builtin that lists what can be run in the current shell (for example, compgen -c lists the available commands). Often CTFs drop you into a low-privilege or restricted shell that you need to get out of.

Python

Escalating privileges may require Python. If so, check which library paths are searched and in what order with python3 -c 'import sys; print("\n".join(sys.path))'.

Command Line Tools with Bad/Tricky Terminal

Some CTFs drop a user into a bad terminal that requires little tricks to access the desired information.

Echo

echo * will list the contents of a directory if you are unable to use ls -la.

SSH Access and Echo

Some challenges require you to run a command over ssh immediately on connect; pipe it in with echo: echo "cat flag.txt" | ssh -p 30456 user@challenge[.]ctf[.]games

Git

There are some challenges that revolve around git repos, such as commit and pull history.

Log

Review the last two commits of a git repo, with their diffs, using git log -p -2.

Branch

Look for flags in other branches; list them with git branch.

Python

There are some challenges that are specific to Python code.

Symlinks

If a Python program reads a file with f.read(), a symlink placed where that file is expected can make it read another file instead.

PowerShell

Download String

Sometimes Cobalt Strike payloads must be fetched by the target using PowerShell's DownloadString. The best avenue is to google deobfuscation of PowerShell with Cobalt Strike Beacons. Example here

Redis

Redis is a key-value store server that has been seen in previous CTFs.

Redis CLI

Use redis-cli to interact with the redis server to find the flags.