Awesome CTF resources

A list of Capture The Flag (CTF) frameworks, libraries, resources and software for started/experienced CTF players 🚩

Any contribution is welcome, send me a PR! ❤️

-The software and resources collected do not belong to me and have been compiled for educational purposes only-

Contents

• Create

  • Platforms
  • Forensics
  • Steganography
  • Web

• Solve

  • Cryptography
  • Exploiting / Pwn
  • Forensics
  • Misc
  • Reversing
  • Steganography
  • Web

• Resources

  • Online Platforms
  • Collaborative Tools
  • Writeups Repositories
  • Courses

• Bibliography

0x00. Create

Tools used for creating CTF challenges

Platforms

Frameworks that can be used to host a CTF

• CTFd - Platform to host jeopardy style CTFs.
• FBCTF - Facebook CTF platform to host Jeopardy and "King of the Hill" CTF competitions.
• HackTheArch - Scoring server for CTF competitions.
• kCTF - Kubernetes-based infrastructure for CTF competitions.
• LibreCTF - CTF platform from EasyCTF.
• Mellivora - CTF engine written in PHP.
• NightShade - Simple CTF framework.
• picoCTF - Infrastructure used to run picoCTF.
• rCTF - CTF platform maintained by the redpwn CTF team.
• RootTheBox - CTF scoring engine for wargames.
• ImaginaryCTF - Platform to host CTFs.

Forensics

Tools used to create Forensics challenges

• Belkasoft RAM Capturer - Volatile Memory Acquisition Tool.
• Dnscat2 - Hosts communication through DNS.
• Magnet AXIOM 2.0 - Artifact-centric DFIR tool.
• Registry Dumper - Tool to dump Windows Registry.

Steganography

Tools used to create Stego challenges

Check solve section for steganography.

Web

Tools used to create Web challenges

• Metasploit JavaScript Obfuscator - How to obfuscate JavaScript in Metasploit.

0x01. Solve

Cryptography

Tools used for solving Crypto challenges

• Base65536 - Unicode's answer to Base64.
• Braille Translator - Translate from braille to text.
• Ciphey - Tool to automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes.
• CyberChef - A web app for encryption, encoding, compression and data analysis.
• Cryptii - Modular conversion, encoding and encryption online.
• dCode.fr - Solvers for Crypto, Maths and Encodings online.
• Decodify - Detect and decode encoded strings, recursively.
• Enigma Machine - Universal Enigma Machine Simulator.
• FeatherDuster - An automated, modular cryptanalysis tool.
• Galois - A fast galois field arithmetic library/toolkit.
• HashExtender - Tool for performing hash length extension attacks.
• Hash-identifier - Simple hash algorithm identifier.
• padding-oracle-attacker - CLI tool and library to execute padding oracle attacks easily.
• PadBuster - Automated script for performing Padding Oracle attacks.
• PEMCrack - Cracks SSL PEM files that hold encrypted private keys. Brute forces or dictionary cracks.
• PKCrack - PkZip encryption cracker.
• Polybius Square Cipher - Table that allows someone to translate letters into numbers.
• Quipqiup - Automated cryptogram solver.
• RsaCtfTool - RSA multi attacks tool.
• RSATool - Tool to to calculate RSA and RSA-CRT parameter.
• Rumkin Cipher Tools - Collection of ciphhers/encoders tools.
• Vigenere Solver - Online tool that breaks Vigenère ciphers without knowing the key.
• XOR Cracker - Online XOR decryption tool able to guess the key length and the cipher key to decrypt any file.
• XORTool - A tool to analyze multi-byte xor cipher.
• yagu - Automated integer factorization.
• Crackstation - Hash cracker (database).
• Online Encyclopedia of Integer Sequences - OEIS: The On-Line Encyclopedia of Integer Sequences

Exploiting / Pwn

Tools used for solving Pwn challenges

• afl - Security-oriented fuzzer.
• honggfuzz - Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage.
• libformatstr - Simplify format string exploitation.
• One_gadget - Tool for finding one gadget RCE.
• Pwntools - CTF framework for writing exploits.
• ROPgadget - Framework for ROP exploitation.
• Ropper - Display information about files in different file formats and find gadgets to build rop chains for different architectures.
• Shellcodes Database - A massive shellcodes database.

Forensics

Tools used for solving Forensics challenges

• A-Packets - Effortless PCAP File Analysis in Your Browser.
• Autopsy - End-to-end open source digital forensics platform.
• Binwalk - Firmware Analysis Tool.
• Bulk-extractor - High-performance digital forensics exploitation tool.
• Bkhive & samdump2 - Dump SYSTEM and SAM files.
• ChromeCacheView - Small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache.
• Creddump - Dump Windows credentials.
• Exiftool - Read, write and edit file metadata.
• Extundelete - Utility that can recover deleted files from an ext3 or ext4 partition.
• firmware-mod-kit - Modify firmware images without recompiling.
• Foremost - Console program to recover files based on their headers, footers, and internal data structures.
• Forensic Toolkit - It scans a hard drive looking for various information. It can, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.
• Forensically - Free online tool to analysis image this tool has many features.
• MZCacheView - Small utility that reads the cache folder of Firefox/Mozilla/Netscape Web browsers, and displays the list of all files currently stored in the cache.
• NetworkMiner Network Forensic Analysis Tool (NFAT).
• OfflineRegistryView - Simple tool for Windows that allows you to read offline Registry files from external drive.
• photorec - File data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory.
• Registry Viewer - Tool to view Windows registers.
• Scalpel - Open source data carving tool.
• The Sleuth Kit - Collection of command line tools and a C library that allows you to analyze disk images and recover files from them.
• USBRip - Simple CLI forensics tool for tracking USB device artifacts (history of USB events) on GNU/Linux.
• Volatility - An advanced memory forensics framework.
• Wireshark - Tool to analyze pcap or pcapng files.
• X-Ways - Advanced work environment for computer forensic examiners.

Misc

Tools used for solving Misc challenges

• boofuzz - Network Protocol Fuzzing for Humans.
• Veles - Binary data analysis and visualization tool.

Bruteforcers:

• changeme - A default credential scanner.
• Hashcat - Advanced Password Recovery.
• Hydra - Parallelized login cracker which supports numerous protocols to attack.
• John the Ripper - Open Source password security auditing and password recovery.
• jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens.
• Ophcrack - Free Windows password cracker based on rainbow tables.
• Patator - Multi-purpose brute-forcer, with a modular design and a flexible usage.
• Turbo Intruder - Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.

Esoteric Languages:

• Brainfuck - Brainfuck esoteric programming language IDE.
• COW - It is a Brainfuck variant designed humorously with Bovinae in mind.
• Malbolge - Malbolge esoteric programming language solver.
• Ook! - Tool for decoding / encoding in Ook!
• Piet - Piet programming language compiler.
• Rockstar - A language intended to look like song lyrics.
• Try It Online - An online tool that has a ton of Esoteric language interpreters.

Sandboxes:

• Any.run - Interactive malware hunting service.
• Intezer Analyze - Malware analysis platform.
• Triage - State-of-the-art malware analysis sandbox designed for cross-platform support.

Reversing

Tools used for solving Reversing challenges

• Androguard - Androguard is a full python tool to play with Android files.
• Angr - A powerful and user-friendly binary analysis platform.
• Apk2gold - CLI tool for decompiling Android apps to Java.
• ApkTool - A tool for reverse engineering 3rd party, closed, binary Android apps.
• Binary Ninja - Binary Analysis Framework.
• BinUtils - Collection of binary tools.
• CTF_import - Run basic functions from stripped binaries cross platform.
• Compiler Explorer - Online compiler tool.
• CWE_checker - Finds vulnerable patterns in binary executables.
• Demovfuscator - A work-in-progress deobfuscator for movfuscated binaries.
• Disassembler.io - Disassemble On Demand. A lightweight, online service for when you don’t have the time, resources, or requirements to use a heavier-weight alternative.
• dnSpy - .NET debugger and assembly editor.
• EasyPythonDecompiler - A small .exe GUI application that will "decompile" Python bytecode, often seen in .pyc extension.
• Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
• GDB - The GNU Project debugger.
• GEF - A modern experience for GDB with advanced debugging features for exploit developers & reverse engineers.
• Ghidra - A software reverse engineering (SRE) suite of tools developed by NSA.
• Hopper - Reverse engineering tool (disassembler) for OSX and Linux.
• IDA Pro - Most used Reversing software.
• Jadx - Command line and GUI tools for producing Java source code from Android Dex and Apk files.
• Java Decompilers - An online decompiler for Java and Android APKs.
• JSDetox - A JavaScript malware analysis tool.
• miasm - Reverse engineering framework in Python.
• Objection - Runtime mobile exploration.
• Online Assembler/Disassembler - Online wrappers around the Keystone and Capstone projects.
• PEDA - Python Exploit Development Assistance for GDB.
• PEfile - Python module to read and work with PE (Portable Executable) files.
• Pwndbg - Exploit Development and Reverse Engineering with GDB Made Easy.
• radare2 - UNIX-like reverse engineering framework and command-line toolset.
• Rizin - Rizin is a fork of the radare2 reverse engineering framework with a focus on usability, working features and code cleanliness.
• Uncompyle - A Python 2.7 byte-code decompiler (.pyc)
• WinDBG - Windows debugger distributed by Microsoft.
• Z3 - A theorem prover from Microsoft Research.

Steganography

Tools used for solving Stego challenges

• AperiSolve - Platform which performs layer analysis on images.
• BPStegano - Python3 based LSB steganography.
• DTMF Detection - Audio frequencies common to a phone button.
• DTMF Tones - Audio frequencies common to a phone button.
• Exif - Shows EXIF information in JPEG files.
• Exiv2 - Image metadata manipulation tool.
• FotoForensics - Provides budding researchers and professional investigators access to cutting-edge tools for digital photo forensics.
• hipshot - Tool to converts a video file or series of photographs into a single image simulating a long-exposure photograph.
• Image Error Level Analyzer - Tool to analyze digital images. It's also free and web based. It features error level analysis, clone detection and more.
• Image Steganography - Client-side Javascript tool to steganographically hide/unhide images inside the lower "bits" of other images.
• ImageMagick - Tool for manipulating images.
• jsteg - Command-line tool to use against JPEG images.
• Magic Eye Solver - Get hidden information from images.
• Outguess - Universal steganographic tool.
• Pngcheck - Verifies the integrity of PNG and dump all of the chunk-level information in human-readable form.
• Pngtools - For various analysis related to PNGs.
• sigBits - Steganography significant bits image decoder.
• SmartDeblur - Restoration of defocused and blurred photos/images.
• Snow - Whitespace Steganography Tool
• Sonic Visualizer - Audio file visualization.
• Steganography Online - Online steganography encoder and decoder.
• Stegbreak - Launches brute-force dictionary attacks on JPG image.
• StegCracker - Brute-force utility to uncover hidden data inside files.
• stegextract - Detect hidden files and text in images.
• Steghide - Hide data in various kinds of image- and audio-files.
• StegOnline - Conduct a wide range of image steganography operations, such as concealing/revealing files hidden within bits.
• Stegosaurus - A steganography tool for embedding payloads within Python bytecode.
• StegoVeritas - Yet another stego tool.
• Stegpy - Simple steganography program based on the LSB method.
• stegseek - Lightning fast steghide cracker that can be used to extract hidden data from files.
• stegsnow - Whitespace steganography program.
• Stegsolve - Apply various steganography techniques to images.
• Zsteg - PNG/BMP analysis.

Web

Tools used for solving Web challenges

• Arachni - Web Application Security Scanner Framework.
• Beautifier.io - Online JavaScript Beautifier.
• BurpSuite - A graphical tool to testing website security.
• Commix - Automated All-in-One OS Command Injection Exploitation Tool.
• debugHunter - Discover hidden debugging parameters and uncover web application secrets.
• Dirhunt - Find web directories without bruteforce.
• dirsearch - Web path scanner.
• dontgo403 - Tool to bypass 40x errors.
• ffuf - Fast web fuzzer written in Go.
• git-dumper - A tool to dump a git repository from a website.
• Gopherus - Tool that generates gopher link for exploiting SSRF and gaining RCE in various servers.
• Hookbin - Free service that enables you to collect, parse, and view HTTP requests.
• JSFiddle - Test your JavaScript, CSS, HTML or CoffeeScript online with JSFiddle code editor.
• ngrok - Secure introspectable tunnels to localhost.
• OWASP Zap - Intercepting proxy to replay, debug, and fuzz HTTP requests and responses.
• PHPGGC - Library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
• Postman - Addon for chrome for debugging network requests.
• REQBIN - Online REST & SOAP API Testing Tool.
• Request Bin - A modern request bin to inspect any event by Pipedream.
• Revelo - Analyze obfuscated Javascript code.
• Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python3.
• SQLMap - Automatic SQL injection and database takeover tool.
• W3af - Web application attack and audit framework.
• XSSer - Automated XSS testor.
• ysoserial - Tool for generating payloads that exploit unsafe Java object deserialization.

0x02. Resources

Online Platforms

Always online CTFs

• 247CTF - Free Capture The Flag Hacking Environment.
• Atenea - Spanish CCN-CERT CTF platform.
• CTFlearn - Online platform built to help ethical hackers learn, practice, and compete.
• CTF365 - Security Training Platform
• Crackmes.One - Reverse Engineering Challenges.
• CryptoHack - Cryptography Challenges.
• Cryptopals - Cryptography Challenges.
• echoCTF.RED - Online Hacking Laboratories.
• Hacker101 - CTF Platform by HackerOne.
• HackTheBox - A Massive Hacking Playground.
• HackThisSite - Free, safe and legal training ground for hackers.
• MicroCorruption - Embedded Security CTF.
• OverTheWire - Wargame offered by the OverTheWire community.
• picoCTF - Beginner-friendly CTF platform.
• Pwnable.kr - Pwn/Exploiting platform.
• Pwnable.tw - Pwn/Exploiting platform.
• Pwnable.xyz - Pwn/Exploiting platform.
• PWNChallenge - Pwn/Exploiting platform.
• Reversing.kr - Reverse Engineering platform.
• Root-me - CTF training platform.
• VibloCTF - CTF training platform.
• VulnHub - VM-based pentesting platform.
• W3Challs - Hacking/CTF platform.
• WebHacking - Web challenges platform.
• Websec.fr - Web challenges platform.
• WeChall - Challenge sites directory & forum

Self-hosted CTFs

• Damn Vulnerable Web Application - PHP/MySQL web application that is damn vulnerable.
• Juice Shop - Capture-the-Flag (CTF) environment setup tools for OWASP Juice Shop.

Collaborative Tools

• CTFNote - Collaborative tool aiming to help CTF teams to organise their work.

Writeups Repositories

Repository of CTF Writeups

• Courgettes.Club - CTF Writeup Finder.
• CTFtime - CTFtime Writeups Collection.
• Github.com/CTFs - Collection of CTF Writeups.

Courses

• Roppers Bootcamp - CTF Bootcamp.

0x03. Bibliography

The resources presented here have been gathered from numerous sources. However, the most important are:

• apsdehal_awesome-ctf
• vavkamil_awesome-bugbounty-tools
• zardus_ctf-tools