A single, idempotent Bash script that provisions a broad Capture-The-Flag toolset on
Ubuntu/Debian — across web, pwn/reverse-engineering, crypto, forensics/stego, and
networking. It pulls from apt, pip, gem, and GitHub releases, and is
architecture-aware, so it works on both x86_64 and arm64 (e.g. an
Apple-silicon VM).

```bash
chmod +x ctf-toolkit-setup.sh
./ctf-toolkit-setup.sh                 # full toolkit
./ctf-toolkit-setup.sh --with-ghidra   # also download + unpack Ghidra
./ctf-toolkit-setup.sh --no-heavy      # skip the big/slow giants
```

Heads up: a full run downloads a lot (sagemath alone is ~1.5 GB, plus angr and optionally Ghidra). On a fresh VM it can take 15–30+ minutes. Use `--no-heavy` for a fast core install while testing.

- Ubuntu/Debian with `apt` (tested target: Ubuntu 22.04 / 24.04).
- `sudo` access or running as root (works in rootless containers — `sudo` is used only when not already root).
- Network access to apt mirrors, PyPI, RubyGems, and GitHub.
- `curl`, `git` (git is installed by the script if missing on first apt pass).

The script cannot run on macOS directly (no apt/dpkg) — run it inside a Linux VM
or container.

| Flag | Effect |
|---|---|
| `--with-ghidra` | Also install a JDK and download + unpack the latest Ghidra into `~/tools/`. |
| `--no-heavy` | Skip the large/slow packages: sagemath and angr. |
| `--no-extras` | Install only the apt + pip core; skip the Go/gem/git tools (ffuf, nuclei, httpx, pwninit, GEF, gems, RsaCtfTool). |
| `-h`, `--help` | Print usage and exit. |

Flags can be combined and given in any order, e.g.:

```bash
./ctf-toolkit-setup.sh --no-heavy --no-extras
```

| Variable | Purpose |
|---|---|
| `GITHUB_TOKEN` | If set, authenticates GitHub API calls so you don't hit the 60 req/hr anonymous rate limit when re-running. |

```bash
GITHUB_TOKEN=ghp_xxx ./ctf-toolkit-setup.sh
```

nmap · gobuster · sqlmap · nikto · whatweb · wfuzz · dirb ·
feroxbuster · ffuf · nuclei · httpx · enum4linux · snmp (snmpwalk) ·
dnsrecon · seclists (wordlists; rockyou.txt is extracted to
/usr/share/wordlists/rockyou.txt)

subfinder · dnsx · naabu · katana · amass · gau · waybackurls ·
dalfox (XSS) · gowitness (screenshots) · jwt_tool (cloned to ~/tools)
— built with go install into ~/.local/bin.

netexec (nxc) · impacket (impacket-GetUserSPNs, -GetNPUsers, -secretsdump,
-psexec, -wmiexec, -ntlmrelayx, …) · bloodhound-python · certipy (ADCS) ·
kerbrute · ldapdomaindump · ldap-utils (ldapsearch) · evil-winrm ·
responder (cloned to ~/tools)

chisel · ligolo-ng (ligolo-proxy) · sshuttle · proxychains4 · socat ·
uploadserver (python3 -m uploadserver)

gdb · gdb-multiarch · GEF (GDB UI) · radare2 · binwalk · checksec ·
ltrace · strace · patchelf · pwninit · libc6-dbg · ROPgadget · ropper ·
qemu-user-static (run x86 binaries on ARM) · build toolchain
(build-essential, cmake, libffi-dev, python3-dev) ·
pwntools · angr (heavy) · Ghidra (opt-in via --with-ghidra)

sagemath (heavy) · pycryptodome · sympy · z3-solver · gmpy2 ·
RsaCtfTool (cloned to ~/tools/RsaCtfTool)

john · hashcat · hydra · fcrackzip · pdfcrack

exiftool · foremost · steghide · stegseek (amd64 only — ARM needs a source
build) · zsteg · outguess · pngcheck · sleuthkit · testdisk ·
bulk-extractor · binutils · volatility3 (the vol command) · one_gadget

wireshark · tshark · tcpdump · netcat-openbsd · socat · masscan ·
proxychains4 · dnsutils (dig) · whois · impacket · wpscan

git · python3-pip · pipx · jq · xxd · unzip · p7zip-full ·
ripgrep (rg) · fd-find (fdfind) · tmux

- CMDR — command manager for CTF players/pentesters. Cloned to `~/tools/CMDR`; its installer adds a `cmdr` shell alias and tab completion (open a new shell, then `cmdr -h`). The setup also auto-loads CMDR's `ctf-toolkit` pack, so you get ready-to-run commands (`tk-*`) mapped to the exact binaries and wordlist paths this script installs — browse them with `cmdr -s tk-`.
- hashcracker — hash identification + cracking toolkit (hashcat/John wrapper). Installed via `pipx` as the `hashcracker` command (falls back to `pip` if pipx is unavailable).
- Qsafe — post-quantum file encryption (Kyber1024 + AES-256-GCM). Built from source (cloned to `~/tools/Qsafe`); `liboqs` is built first since it isn't in apt. Installs the `qsafe` command into `/usr/local/bin`.
- BackupHandler — backup orchestration with local/SSH/S3/MySQL targets, AES-256 encryption, dedup, and scheduling. Installed via `pipx` as the `backup-handler` command (falls back to `pip` if pipx is unavailable). CMDR's `ctf-toolkit` pack ships matching `tk-backup*` commands for it.

- Idempotent — re-running skips anything already present (apt/pip/gem/binaries), and `git pull`s RsaCtfTool instead of re-cloning.
- Architecture-aware — `dpkg --print-architecture` drives per-arch downloads. On `arm64`, tools without ARM builds (stegseek, pwninit) degrade to a clear source-build/cargo message rather than failing silently.
- Robust downloads — all fetches use `curl -fsSL --retry 3` so HTTP errors fail loudly instead of writing error pages to disk.
- Non-interactive — the Wireshark "allow non-root capture" prompt is pre-answered; apt runs with `DEBIAN_FRONTEND=noninteractive`.
- Graceful failure tracking — a failed tool is recorded, not fatal. At the end you get a ✓/✗ verification table plus a list of anything needing manual attention. The script exits non-zero if any tool failed (CI-friendly).
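
The behaviours listed above (per-arch asset selection, fail-loud `curl -fsSL --retry 3`, recording a failure instead of aborting) are shown here in an added example that is not code from `ctf-toolkit-setup.sh`. It goes one step beyond the README by checking a pinned SHA-256 before installing a downloaded binary; the function names, the asset-suffix mapping and the digest are assumptions.

```shell
# Added example, not code from ctf-toolkit-setup.sh. Function names, the
# asset-suffix mapping and the pinned digest are hypothetical.

FAILED=""   # space-separated names of tools that could not be installed

# Map a Debian architecture to the suffix used in a release asset name
# (assumed naming). Returns 1 when there is no prebuilt binary.
asset_arch() {
  case "${1:-$(dpkg --print-architecture)}" in
    amd64) echo "x86_64" ;;
    arm64) echo "aarch64" ;;
    *)     return 1 ;;
  esac
}

# Return 0 only if the file's SHA-256 equals the expected (pinned) digest.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Fetch to a temp file, verify it, and only then install it. A failed
# download or digest mismatch is recorded, and nothing lands at $dest.
fetch_verified() {
  local name="$1" url="$2" expected="$3" dest="$4" tmp
  tmp=$(mktemp) || { FAILED="$FAILED $name"; return 1; }
  if curl -fsSL --retry 3 -o "$tmp" "$url" \
      && verify_sha256 "$tmp" "$expected" \
      && install -m 0755 "$tmp" "$dest"; then
    rm -f "$tmp"
    return 0
  fi
  rm -f "$tmp"
  FAILED="$FAILED $name"
  return 1
}

# Usage (placeholder URL and digest):
#   fetch_verified tool "https://example.invalid/tool-$(asset_arch)" \
#     "<pinned sha256>" "$HOME/.local/bin/tool"
```

A non-empty `$FAILED` at the end of a run is what would drive a non-zero exit code.
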

| File | Contents |
|---|---|
| `/tmp/ctf_apt_install.log` | apt / gem / GitHub install output |
| `/tmp/ctf_pip_install.log` | pip install output |

Both are truncated at the start of each run.

- Burp Suite Community isn't in apt — grab it from https://portswigger.net/burp/communitydownload.
- volatility3 installs as the command `vol`, not `volatility3`.
- fd-find is invoked as `fdfind`; ripgrep as `rg`.
- nuclei — run `nuclei -update-templates` once before first use.
- RsaCtfTool — run via `python3 ~/tools/RsaCtfTool/RsaCtfTool.py`.
- CMDR — adds a `cmdr` alias to your shell rc; open a new shell or `source` it first.
- hashcracker — installed via pipx into `~/.local/bin`; if `hashcracker` isn't found, run `pipx ensurepath` and restart your shell.
- Qsafe — needs `liboqs`, which the script builds from source into `/usr/local`. Skipped by `--no-extras`. If `qsafe` errors with a missing `liboqs.so`, run `sudo ldconfig`.
- BackupHandler — installed via pipx into `~/.local/bin` as `backup-handler`; if it isn't found, run `pipx ensurepath` and restart your shell.
- Go / pipx tools — `subfinder`, `dnsx`, `naabu`, `katana`, `gau`, `waybackurls`, `dalfox`, `gowitness`, `chisel`, `nxc`, `certipy`, `bloodhound-python` install into `~/.local/bin`. If a command isn't found, ensure that dir is on `PATH` (`pipx ensurepath`) and open a new shell.
- ligolo-ng — the proxy installs as `ligolo-proxy`; download the matching agent for the target host from the ligolo-ng releases.
- responder / jwt_tool — cloned to `~/tools` with a launcher on `PATH` (`responder`, `jwt_tool`).
- naabu needs `libpcap-dev` (installed) at build time.
- These pair with CMDR's `pentest-ad` / `pentest-web` / `pentest-recon` / `pentest-pivot` packs — load them with `cmdr --pack load pentest-ad`, etc.
- ARM64 — use `qemu-x86_64 ./challenge` to run x86 challenge binaries.

The script prints a ✓/✗ table at the end. To re-check at any time:

```bash
for c in nmap ffuf feroxbuster gdb radare2 john hashcat exiftool wireshark rg; do
  command -v "$c" >/dev/null && echo "✓ $c" || echo "✗ $c"
done
```

MIT © 2026 SP1R4