Fei_xiangShi

FXLOG


CTF Tool Collection

Why has no one put together a comprehensive list of CTF tools? Even to get started as a script kiddie, you need to know which scripts are available... Anyway, Feifei wants to organize this kind of information, structured roughly as category - name - introduction & usage example.

These are just tools we like. We prefer Linux, so we won't list tools that can't run there or that perform very poorly, and well-known tools like BurpSuite won't be included either.

I found that the Flowing Software Station provides some tools, so let's help consolidate them.

Encoding and Decoding

Flowing

One-click decoding, download link: Official Website

However, this one actually requires an internet connection to check for updates, which triggers my cyber cleanliness; I'll crack it someday.
The experience of running the exe with Bottles is also very poor. Negative review.

XXencode

An online one-click decoding tool. Some offline competitions prohibit internet access, so we still have to use Flowing (ugh).
Click to visit

Crypto

This category is mainly math, solved with a few Python libraries.

gmpy2

A high-precision, high-performance library for arithmetic on large numbers.

pip install gmpy2

PWN

pwntools

pip install pwntools

Web

wabt

Used to convert WebAssembly files into C code, which can then be analyzed in IDA.

wasm2c webassembly.wasm -o web.c    # the header web.h is written next to web.c

The C code that wasm2c emits has no executable entry point and does not include a runtime. The wasm_rt_* functions are provided by wasm-rt-impl.c in the wabt project. Names like w2c_wasi__snapshot__preview1_fd_write and w2c_env_0x5Femscripten_memcpy_js are wrapper functions that wasm2c generates for WASI/Emscripten imports; they must be implemented by hand or linked against an existing "mini WASI" implementation. The official example places these implementations in an imports.c file. Each one only needs to return 0 or call the actual system call; without them, the build still reports "unknown import."

// imports.c
#include <stddef.h>
#include <stdint.h>
#include "wasm-rt.h"

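/* Stub for WASI fd_write: reports success (errno 0) and writes nothing. */
uint32_t w2c_wasi__snapshot__preview1_fd_write(void* unused, uint32_t fd,
                                               uint32_t iovs, uint32_t iovs_len,
                                               uint32_t nwritten) {
    return 0;
}

/* No-op stubs for the Emscripten env imports; they only satisfy the linker. */
void w2c_env_0x5Femscripten_memcpy_js(void* unused) {}
void w2c_env_emscripten_resize_heap(void* unused) {}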

With a handwritten main.c, the whole thing can be compiled.

#include "web.h"
#include <stdio.h>

int main(void) {
    /* 1) Initialize the wasm-rt global runtime */
    wasm_rt_init();

    /* 2) Instantiate the module (pass NULL if a complete import table is not needed) */
    struct w2c_webassembly inst;
    wasm2c_webassembly_instantiate(&inst, NULL, NULL);

    /* 3) Run all global constructors (static ctors) */
    w2c_webassembly_0x5F_wasm_call_ctors(&inst);

    /* 4) Initialize the Emscripten stack */
    w2c_webassembly_emscripten_stack_init(&inst);

    /* 5) Call the exported main (pass argc=0, argv_ptr=0) */
    u32 rc = w2c_webassembly_main(&inst, 0, 0);
    printf("wasm main returned %u\n", rc);

    /* 6) Clean up the instance and runtime */
    wasm2c_webassembly_free(&inst);
    wasm_rt_free();
    return 0;
}

Compilation command:

gcc -O2 -I. -I/usr/include/wabt/wasm2c -DWASM_RT_MALLOC \
    web.c imports.c main.c /usr/share/wabt/wasm2c/wasm-rt-impl.c \
    -lm -o webdemo
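
The fd_write stub in imports.c returns 0 without touching guest memory. As an added example (not code from wabt or from the original post), this is what the "call the actual system call" variant has to do: read the iovec records out of linear memory, bounds-check every guest offset before using it as a host pointer, and store the byte count. The names guest_mem and fd_write_checked are hypothetical; guest_mem is an assumed stand-in for the data and size fields of wasm_rt_memory_t.

```c
/* Added example, not wabt code. guest_mem is an assumed stand-in for the
 * data/size fields of wasm_rt_memory_t so this builds without wabt headers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t *data; uint64_t size; } guest_mem;
enum { WASI_SUCCESS = 0, WASI_EBADF = 8, WASI_EFAULT = 21 };

/* Host pointer for guest range [off, off+len), NULL if outside memory. */
static uint8_t *guest_ptr(const guest_mem *m, uint64_t off, uint64_t len) {
    if (off > m->size || len > m->size - off) return NULL;
    return m->data + off;
}

static uint32_t load_u32(const uint8_t *p) {   /* wasm is little-endian */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* iovs: guest offset of iovs_len records {u32 buf; u32 buf_len}.
 * nwritten: guest offset where the u32 byte count is stored. */
uint32_t fd_write_checked(const guest_mem *m, uint32_t fd, uint32_t iovs,
                          uint32_t iovs_len, uint32_t nwritten) {
    FILE *out = fd == 1 ? stdout : fd == 2 ? stderr : NULL;
    if (!out) return WASI_EBADF;
    uint8_t *res = guest_ptr(m, nwritten, 4);
    if (!res) return WASI_EFAULT;
    uint32_t total = 0;
    for (uint32_t i = 0; i < iovs_len; i++) {
        const uint8_t *rec = guest_ptr(m, (uint64_t)iovs + 8ull * i, 8);
        if (!rec) return WASI_EFAULT;
        uint32_t len = load_u32(rec + 4);
        const uint8_t *buf = guest_ptr(m, load_u32(rec), len);
        if (!buf) return WASI_EFAULT;      /* guest-supplied range is invalid */
        total += (uint32_t)fwrite(buf, 1, len, out);
    }
    for (int b = 0; b < 4; b++) res[b] = (uint8_t)(total >> (8 * b));
    return WASI_SUCCESS;
}

int main(void) {
    uint8_t ram[64] = {0};                     /* constructed guest memory */
    guest_mem m = { ram, sizeof ram };
    memcpy(ram + 16, "flag\n", 5);             /* payload at offset 16 */
    ram[0] = 16; ram[4] = 5;                   /* iovec {buf=16, len=5} at 0 */
    uint32_t rc = fd_write_checked(&m, 1, 0, 1, 32);
    printf("rc=%u nwritten=%u\n", rc, load_u32(ram + 32));
    return 0;
}
```

In a real imports.c this body would sit inside w2c_wasi__snapshot__preview1_fd_write, with the memory taken from the instantiated module.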

Digital Forensics

Volatility

Memory forensics tool.

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip install -r requirements.txt

Usage Example

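envars is a Volatility plugin that extracts and lists environment variables from a memory dump. Environment variables hold system and user configuration, such as paths and system settings. The commands in this section use Volatility 2 syntax (the --profile option); Volatility 3, which the clone above installs, has no --profile option and names these plugins windows.envars and windows.pslist.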

.\volatility -f .\1.raw --profile=Win7SP1x64 envars | grep 'n0wayback'


pslist is a plugin in Volatility used to list all processes in memory. It analyzes the process linked list in memory to list all active process information, including PID, process name, parent process, etc.

.\volatility -f .\1.raw --profile=Win7SP1x64 pslist

0xfffffa8001a022a0 mspaint.exe            2052   1028      6      120      1      0 2024-03-04 05:50:22 UTC+0000
0xfffffa8003c68a80 cmd.exe                4188   1028      3      111      1      0 2024-03-04 05:50:26 UTC+0000
0xfffffa800418c060 Code.exe                888   1028     31      696      1      0 2024-03-04 05:52:52 UTC+0000

The mspaint.exe process shows up in the list, so the next step is to dump its memory.

memdump is a plugin in Volatility used to extract the memory image of a specific process from memory. This plugin extracts the memory content of the process based on the specified PID.

.\volatility -f .\1.raw --profile=Win7SP1x64 memdump -p 2052 -D ./

consoles is a plugin in Volatility used to extract and list session information related to consoles. Console sessions refer to active sessions of command-line tools (like cmd.exe or powershell.exe), and Volatility will list their detailed information. Specifically, the consoles plugin will display relevant data of all console sessions present in memory, including session ID, command history, and executed commands.

.\volatility -f .\1.raw --profile=Win7SP1x64 consoles


Miscellaneous

jwt.io

You can encode and decode JWT Tokens online.

SQL Injection

ffifdyop

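md5(ffifdyop), taken as the raw 16-byte digest, begins with 'or'6 followed by non-printable bytes (hex: 276f722736c95d99e921722cf9ed621c).

This "universal password" can be used for injection when the application places the raw MD5 output of the password into the query string: the leading 'or'6 closes the quoted value and makes the condition true.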
