CTF Reference

Clean, fast, and easy to scan under time pressure.

This page is meant for quick decisions during a CTF event. Use it to spot common challenge patterns, launch the right tools quickly, and jump to theory or documentation when needed.

  _____
 / ____|
| (___   ___  __ _ _ __ ___ ___
 \___ \ / _ \/ _` | '__/ __/ _ \
 ____) |  __/ (_| | | | (_|  __/
|_____/ \___|\__,_|_|  \___\___|

0 results found. Are you sure that's not steganographically hidden?

Try: base64, xor, wireshark, sqli, burp, ghidra...

Start here

First minute checklist

This is the default workflow to apply before overthinking a challenge.

What to do first

Read the challenge text carefully and extract keywords.
Check the real file type, metadata, readable strings, and embedded content.
If it is web-related, inspect requests, cookies, parameters, and source code.
Try common decodings first: Base64, hex, ROT13, XOR patterns.
If stuck for 10 to 15 minutes, switch challenge and return later.

Default command chain

Terminal

file challenge
strings challenge | less
exiftool challenge
binwalk challenge
binwalk -e challenge
xxd challenge | less

File analysis / forensics

Inspect what the file really contains

A lot of easy and medium CTF tasks fall apart once you verify the file type, inspect metadata, or extract hidden content.

Wikipedia Aperi'Solve StegOnline

What to try

Check the real file type instead of trusting the extension.
Look for embedded files, appended data, and suspicious metadata.
Inspect the hex output for format signatures or anomalies.
Rename the extension when the file behaves oddly.
Try image steganography tools and archive extraction.
Open pcap files in Wireshark and look for credentials, flags, or file transfers.
Check audio files for spectrogram messages using Audacity or Sonic Visualiser.
For memory dumps, try Volatility to extract processes, credentials, and artifacts.
Scan for QR codes hidden in images or documents.

Useful commands

Terminal

file suspicious.pdf
strings suspicious.pdf | grep -i flag
exiftool suspicious.pdf
binwalk suspicious.pdf
binwalk -e suspicious.pdf
foremost -i suspicious.pdf -o output/
hexdump -C suspicious.pdf | less

Classic trick

A PDF may actually contain a ZIP archive or an image payload.

Terminal

mv challenge.pdf challenge.zip
unzip challenge.zip

This is exactly the kind of hidden-format trick that often appears in beginner-friendly CTF tasks.

Web hacking

Probe requests, parameters, and access control

Many web challenges are solved by observing the request flow and changing one small thing at a time.

Wikipedia PortSwigger JWT.io

Quick checks

View page source and inspect network requests in DevTools or Burp.
Change identifiers like ?id=1 to ?id=2.
Look at cookies, JWTs, hidden fields, and headers.
Check robots.txt, comments, backups, and forgotten endpoints.
Test for IDOR, SQL injection, XSS, and path traversal.
Try SSTI, SSRF, command injection, and deserialization attacks.

Payload ideas

Payloads

' OR 1=1--
"><script>alert(1)</script>
../../../../etc/passwd
{{7*7}}
; id
$(id)

Use only inside the challenge environment and where the challenge scope allows it.

Useful flow

Proxy the traffic through Burp Suite.
Replay interesting requests and change one variable at a time.
Modify parameters, methods, headers, cookies, and content types.
Check whether privilege or record access changes unexpectedly.

Cryptography / encoding

Start with decoding before assuming real encryption

A surprising number of crypto challenges begin with something simple: Base64, hex, Caesar, ROT13, XOR, or repeated-key transformations.

Wikipedia CyberChef dCode

Look for

Base64 endings like = or ==.
Hex-only strings or obvious byte-looking output.
ROT13, Caesar, Vigenère, XOR, or repeating patterns.
Morse code, binary, or substitution cipher patterns.
RSA challenges with small keys, shared primes, or known weaknesses.
AES in ECB mode (repeating blocks) or padding oracle setups.
Hash values to crack with CrackStation or hashcat.

Default approach

Try CyberChef first.
Try dCode when it resembles a known cipher.
Check whether it is encoding rather than encryption.
Search exact patterns or separators that look familiar.

Quick examples

Terminal

echo 'ZmxhZ3t0ZXN0fQ==' | base64 -d
python3 -c "print(bytes.fromhex('666c61677b746573747d').decode())"
echo -n 'text' | md5sum
echo -n 'text' | sha256sum
openssl rsautl -decrypt -inkey priv.pem -in flag.enc

Reverse engineering

Read the binary before you fight the binary

Often the fastest start is simply extracting strings and watching runtime behavior before opening a heavier reversing tool.

Wikipedia Ghidra

What to inspect

Run strings first to find messages, hints, and comparisons.
Look for hardcoded secrets, flag formats, and obvious constants.
Use Ghidra or IDA to inspect logic and compare paths.
Use ltrace and strace to observe behavior.

Useful commands

Terminal

strings binary | less
ltrace ./binary
strace ./binary
chmod +x binary
./binary

Common patterns

Hardcoded comparisons
XOR decoding or simple obfuscation
Password or license checks
Conditional logic that can be understood or patched

Binary exploitation

Check protections and understand the crash surface

Even when you do not fully solve a pwn challenge, protections and runtime behavior often reveal the intended path.

Wikipedia pwntools docs

What to look for

Binary protections: NX, PIE, canaries, RELRO, and ASLR.
Buffer overflows, format string bugs, and unsafe reads.
ROP chains, shellcode, and ret2libc techniques.
How the process behaves under GDB.

Useful commands

Terminal

checksec binary
gdb ./binary
python3 solve.py

Reminder

Even partial progress matters. A protection check, a controlled crash, or a useful symbol can tell you what kind of exploit path the author expected.

OSINT

Search smart, not just wide

OSINT challenges are often about extracting the right clue and using the right search operator or reverse search method.

Wikipedia OSINT Framework Wayback Machine Shodan

What to try

Search exact usernames, domains, filenames, and unusual phrases.
Use reverse image search when an image is central to the challenge.
Check metadata, Wayback Machine snapshots, and cached copies.
Use Google dorking operators to narrow results quickly.
Run WHOIS lookups on domains and IP addresses.
Use Google Maps or Street View for geolocation challenges.

Useful searches

Search queries

site:example.com
site:example.com filetype:pdf
"exact phrase"
intitle:index.of backup
whois example.com
exiftool image.jpg

Common clue types

Challenge names that act as search hints
Metadata in images or documents
Fragments of URLs, usernames, or timestamps
Visual landmarks for reverse image or map lookup

Networking / packet analysis

Capture, filter, and decode network traffic

Network challenges often hand you a pcap file and expect you to find credentials, exfiltrated data, or hidden protocols.

Wikipedia Wireshark

What to look for

Open pcap files in Wireshark and follow TCP or HTTP streams.
Look for credentials sent over FTP, Telnet, or plain HTTP.
Check for DNS tunneling or suspicious ICMP payloads.
Extract transferred files from HTTP or SMB sessions.
Identify unusual ports, protocols, or covert channels.

Useful commands

Terminal

wireshark capture.pcap
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name
tcpdump -r capture.pcap -A | less
nmap -sV target_ip

Wireshark filters

http.request.method == "POST"
tcp.stream eq 0
dns.qry.name contains "flag"
ftp.request.command == "PASS"
ip.addr == 10.0.0.1

Useful links

Quick access to tools, docs, and theory

Open these directly during the event when you need a decoder, a lab, or background material.

Web and auth

Crypto and encoding

Files and stego

Reverse and pwn

Networking

OSINT

Team tips

Coordinate quickly and avoid tunnel vision

Good triage and communication often win more points than deep focus on one unsolved task.

Team strategy

Split by category where possible.
Share discoveries and dead ends immediately.
Keep one shared notes document with flags, hints, and URLs.
Do not let one person get stuck alone for too long.

Scoring strategy

Farm easy points first.
Revisit medium tasks after collecting hints from easier ones.
A solved easy challenge is usually worth more than 40 minutes of guessing on a hard one.
When a file feels wrong, verify the format before anything else.