---
name: pentest-ctf
description: CTF (Capture the Flag) challenge solving advisory — HackTheBox, TryHackMe, PicoCTF, web/pwn/rev/crypto/forensics. Triggers on CTF, HackTheBox, HTB, TryHackMe, THM, PicoCTF, OverTheWire, pwn, reverse engineering, crypto challenge, forensics challenge, stego.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents ctf-solver
---

# pentest-ctf

CTF (Capture the Flag) challenge solving. **Authorization: CTF platforms authorize attacks only against their own infrastructure** (under the ROEs of HackTheBox, THM, etc.). Using these techniques against any other platform counts as a violation.

## Triggers

- "HackTheBox machine"
- "TryHackMe room"
- "PicoCTF challenge"
- "pwn challenge"
- "reverse engineering challenge"
- "crypto challenge"
- "stego challenge"

## Approach by Category

### Web

```
# Typical flag: HTB{...}, picoCTF{...}, flag.txt
# Approach:
1. Nmap full TCP (-p-)
2. HTTP banner + tech detect (whatweb)
3. Content discovery (ffuf / gobuster)
4. Parameter discovery (paramspider, Arjun)
5. SQL injection (sqlmap test, but LOUD)
6. SSRF / XXE / SSTI / template injection
7. Source code reveal (.git, .env, backup files)
```

### Pwn (Binary Exploitation)

```
# Typical: ELF binary + nc <host> <port>
# Approach:
1. `file ./challenge` + checksec
2. Strings + disassemble main (Ghidra)
3. Identify the vulnerability class:
   - Buffer overflow (stack)
   - Format string
   - Use-after-free
   - Heap overflow / off-by-one
4. ROP gadget search (ROPgadget / rp++)
5. Write the exploit (pwntools)
6. Test locally -> then remote
```

```python
# pwntools template
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

# Local vs remote; HOST/PORT are placeholders, fill them in from the challenge page
HOST, PORT = 'host', 0
local = True
if local:
    p = process('./challenge')
else:
    p = remote(HOST, PORT)

# Exploit: padding up to the saved return address, then the target address
payload = b'A'*40 + p64(0xdeadbeef)
p.sendline(payload)
p.interactive()
```

### Reverse Engineering

```
# Approach:
1. `file ./binary`
2. Strings (ASCII + UTF-16)
3. Ghidra / IDA Free / Cutter
4. Anti-debug bypass (gdb scripts)
5. Decompile + analyze the main algorithm
6. Trace it and reproduce the output that yields the flag
```

```bash
# Standard RE tools
ghidra ./binary
r2 -A ./binary                   # radare2
gdb -q ./binary                  # gdb with PEDA / pwndbg loaded via ~/.gdbinit
strace -f ./binary               # syscall trace
ltrace ./binary                  # library call trace
```

### Crypto

```python
# Common attack categories:
# - RSA: small e, common factor, common modulus
# - ECC: weak curve, invalid curve attack
# - AES: ECB pattern, CBC bit flipping, padding oracle
# - Stream: key reuse XOR
# - Hash: length extension, collision

# RSA small e: when m**e < n the modulus never wraps, so m is the exact e-th root of c
from Crypto.Util.number import long_to_bytes
import gmpy2
c, e, n = ..., 3, ...              # fill in from the challenge
m, exact = gmpy2.iroot(c, e)
if exact:
    print(long_to_bytes(int(m)))

# XOR crib drag
from pwn import xor
plaintext_known = b'flag{'         # the crib
c1, c2 = ..., ...                  # two ciphertexts under the same keystream
# c1 XOR c2 = m1 XOR m2: the keystream cancels, so XOR the crib in at every offset
# and keep the offsets where the recovered fragment of the other plaintext reads as text
```
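The crib drag above, worked end to end as an added example (not code from the original skill file): two constructed messages are encrypted under one reused keystream, the crib `flag{` is slid across `c1 XOR c2`, and the key bytes under a confirmed hit are recovered, which is why stream-cipher key reuse is fatal. `xor_bytes`, `crib_drag`, `recover_key_fragment` and the sample key and messages are all chosen here; it runs without pwntools.

```python
import hashlib
import re


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list[tuple[int, bytes]]:
    """Slide a known-plaintext crib across c1 XOR c2 (= m1 XOR m2; the keystream cancels).
    Returns (offset, fragment) pairs where the recovered fragment of the *other*
    message is printable ASCII; a human then picks the offset that reads as real text."""
    x = xor_bytes(c1, c2)
    hits = []
    for off in range(len(x) - len(crib) + 1):
        frag = xor_bytes(x[off:off + len(crib)], crib)
        if re.fullmatch(rb"[ -~]+", frag):
            hits.append((off, frag))
    return hits


def recover_key_fragment(c: bytes, known_plain: bytes, off: int) -> bytes:
    """Once a plaintext fragment is confirmed at `off`, the keystream there is c XOR m."""
    return xor_bytes(c[off:off + len(known_plain)], known_plain)


# Constructed demo data: one keystream used for two messages (the two-time pad mistake).
KEY = hashlib.sha256(b"constructed-demo-keystream").digest()      # 32 bytes
M1 = b"the flag is flag{reuse_is_bad}"
M2 = b"hello agent, please send report"
C1 = xor_bytes(M1, KEY)
C2 = xor_bytes(M2, KEY)

if __name__ == "__main__":
    for off, frag in crib_drag(C1, C2, b"flag{"):
        print(off, frag)
    # among the hits: 12 b' plea', which is M2[12:17]; the keystream under it follows
    print(recover_key_fragment(C1, b"flag{", 12) == KEY[12:17])
```

Every printable hit must be judged by eye; once one offset yields a word fragment, extend the crib with the guessed continuation and repeat until both messages are readable.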

### Forensics

```bash
# Disk image / memory dump
file challenge.img
binwalk -e challenge.img         # nested file extraction
volatility -f memory.raw --profile=Win10x64 pslist
exiftool image.jpg               # metadata

# Network capture
wireshark capture.pcap
tshark -r capture.pcap -Y "http" -T fields -e http.host -e http.request.uri
```

### Stego

```bash
# Image stego
binwalk -e image.jpg                    # appended data
strings -a image.jpg | head             # ASCII strings
zsteg image.png                         # LSB stego
steghide extract -sf image.jpg          # password required (crack it with rockyou)
stegseek image.jpg rockyou.txt          # automatic password cracking

# Audio stego
audacity audio.wav                      # spectrogram view (hidden message!)
```

## CTF-Specific Tools

| Tool | Use |
|------|-----|
| pwntools (Python) | Pwn exploit dev |
| Ghidra / IDA Free | RE |
| Burp / ZAP | Web |
| CyberChef | Encoding/decoding (offline) |
| RsaCtfTool | Quick RSA attacks |
| dcode.fr | Cipher recognition |
| stegsolve.jar | Image bit-plane analysis |
| binwalk + foremost | File carving |

## Methodology (General)

```
1. Read the challenge description carefully (twice)
2. Identify the category (web/pwn/rev/crypto/forensics/stego)
3. Quick recon (file, nmap, strings)
4. Initial hypothesis (3 candidate approaches)
5. Try them in order, abandon dead ends quickly
6. Use hints (usually costs points, but saves time)
7. Flag format: regex match (HTB{...}, flag{...})
8. Submit + writeup
```
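Step 7 of the methodology, as an added example rather than code from the original skill: a flag extractor that applies the common flag-format regex to a `strings`-style blob and also looks inside base64 and hex tokens, since CTF flags are often encoded one or two layers deep. `FLAG_RE`, `find_flags` and the sample blobs are constructed here.

```python
import base64
import re

# Flag formats named in this skill, as one regex; extend the prefix group per platform.
FLAG_RE = re.compile(rb"(?:HTB|picoCTF|flag|THM)\{[^{}\s]{1,128}\}")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")     # base64-looking tokens
HEX_RE = re.compile(rb"(?:[0-9a-fA-F]{2}){8,}")        # even-length hex runs


def find_flags(blob: bytes, depth: int = 2) -> list[bytes]:
    """Return unique flag-format matches in blob, in order of appearance.
    Base64 and hex tokens are decoded and rescanned, up to `depth` layers deep."""
    found = list(dict.fromkeys(FLAG_RE.findall(blob)))
    if depth == 0:
        return found
    for tok in B64_RE.findall(blob):
        try:
            dec = base64.b64decode(tok + b"=" * (-len(tok) % 4), validate=True)
        except ValueError:          # binascii.Error is a ValueError: bad padding etc.
            continue
        found += [f for f in find_flags(dec, depth - 1) if f not in found]
    for tok in HEX_RE.findall(blob):
        dec = bytes.fromhex(tok.decode())   # the regex guarantees valid even-length hex
        found += [f for f in find_flags(dec, depth - 1) if f not in found]
    return found


# Constructed sample resembling `strings -a` output: one plain, one base64 and one hex flag.
SAMPLE = b"\n".join([
    b"/lib64/ld-linux-x86-64.so.2",
    b"Enter password:",
    b"flag{plain_text_flag}",
    base64.b64encode(b"picoCTF{b64_encoded_flag}"),
    b"HTB{hex_flag}".hex().encode(),
    b"not_a_flag{",
])
# Constructed two-layer case: hex inside base64, only found when depth >= 2.
NESTED = base64.b64encode(b"THM{nested_layers}".hex().encode())

if __name__ == "__main__":
    for f in find_flags(SAMPLE) + find_flags(NESTED):
        print(f.decode())
```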

## Writeup Template

````markdown
# <Challenge Name> — <Category> — <Points>

## Description
[Original challenge text]

## Recon
- file: ELF 64-bit, dynamically linked, NX off
- checksec: No PIE, No Canary, NX disabled

## Vulnerability
Stack-based buffer overflow in `gets()` call, offset 40.

## Exploit
```python
from pwn import *
# ... code
```

## Flag
`flag{example_flag_here}`

## Learning
- gets() is forbidden (use fgets)
- NX off + No PIE -> shellcode directly on the stack
````

## Out-of-Scope

- CTF platform ToS violations (attempting real-world exploitation)
- Sharing flags (you must solve it yourself)
- Tournament cheating
