/awesome-ctf-resources

A list of Capture The Flag (CTF) frameworks, libraries, resources and software for started/experienced CTF players 🚩

MIT LicenseMIT

Awesome CTF resources contributions welcome

A list of Capture The Flag (CTF) frameworks, libraries, resources and software for started/experienced CTF players 🚩

Any contribution is welcome, send me a PR! ❤️

-The software and resources collected do not belong to me and have been compiled for educational purposes only-

Contents

0x00. Create

Tools used for creating CTF challenges

Platforms

Frameworks that can be used to host a CTF

  • CTFd - Platform to host jeopardy style CTFs.
  • FBCTF - Facebook CTF platform to host Jeopardy and "King of the Hill" CTF competitions.
  • HackTheArch - Scoring server for CTF competitions.
  • kCTF - Kubernetes-based infrastructure for CTF competitions.
  • LibreCTF - CTF platform from EasyCTF.
  • Mellivora - CTF engine written in PHP.
  • NightShade - Simple CTF framework.
  • picoCTF - Infrastructure used to run picoCTF.
  • rCTF - CTF platform maintained by the redpwn CTF team.
  • RootTheBox - CTF scoring engine for wargames.
  • ImaginaryCTF - Platform to host CTFs.

Forensics

Tools used to create Forensics challenges

Steganography

Tools used to create Stego challenges

Check solve section for steganography.

Web

Tools used to create Web challenges

0x01. Solve

Cryptography

Tools used for solving Crypto challenges

  • Base65536 - Unicode's answer to Base64.
  • Braille Translator - Translate from braille to text.
  • Ciphey - Tool to automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes.
  • CyberChef - A web app for encryption, encoding, compression and data analysis.
  • Cryptii - Modular conversion, encoding and encryption online.
  • dCode.fr - Solvers for Crypto, Maths and Encodings online.
  • Decodify - Detect and decode encoded strings, recursively.
  • Enigma Machine - Universal Enigma Machine Simulator.
  • FeatherDuster - An automated, modular cryptanalysis tool.
  • Galois - A fast galois field arithmetic library/toolkit.
  • HashExtender - Tool for performing hash length extension attacks.
  • Hash-identifier - Simple hash algorithm identifier.
  • padding-oracle-attacker - CLI tool and library to execute padding oracle attacks easily.
  • PadBuster - Automated script for performing Padding Oracle attacks.
  • PEMCrack - Cracks SSL PEM files that hold encrypted private keys. Brute forces or dictionary cracks.
  • PKCrack - PkZip encryption cracker.
  • Polybius Square Cipher - Table that allows someone to translate letters into numbers.
  • Quipqiup - Automated cryptogram solver.
  • RsaCtfTool - RSA multi attacks tool.
  • RSATool - Tool to to calculate RSA and RSA-CRT parameter.
  • Rumkin Cipher Tools - Collection of ciphhers/encoders tools.
  • Vigenere Solver - Online tool that breaks Vigenère ciphers without knowing the key.
  • XOR Cracker - Online XOR decryption tool able to guess the key length and the cipher key to decrypt any file.
  • XORTool - A tool to analyze multi-byte xor cipher.
  • yagu - Automated integer factorization.
  • Crackstation - Hash cracker (database).
  • Online Encyclopedia of Integer Sequences - OEIS: The On-Line Encyclopedia of Integer Sequences

Exploiting / Pwn

Tools used for solving Pwn challenges

  • afl - Security-oriented fuzzer.
  • honggfuzz - Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage.
  • libformatstr - Simplify format string exploitation.
  • One_gadget - Tool for finding one gadget RCE.
  • Pwntools - CTF framework for writing exploits.
  • ROPgadget - Framework for ROP exploitation.
  • Ropper - Display information about files in different file formats and find gadgets to build rop chains for different architectures.
  • Shellcodes Database - A massive shellcodes database.

Forensics

Tools used for solving Forensics challenges

  • A-Packets - Effortless PCAP File Analysis in Your Browser.
  • Autopsy - End-to-end open source digital forensics platform.
  • Binwalk - Firmware Analysis Tool.
  • Bulk-extractor - High-performance digital forensics exploitation tool.
  • Bkhive & samdump2 - Dump SYSTEM and SAM files.
  • ChromeCacheView - Small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache.
  • Creddump - Dump Windows credentials.
  • Exiftool - Read, write and edit file metadata.
  • Extundelete - Utility that can recover deleted files from an ext3 or ext4 partition.
  • firmware-mod-kit - Modify firmware images without recompiling.
  • Foremost - Console program to recover files based on their headers, footers, and internal data structures.
  • Forensic Toolkit - It scans a hard drive looking for various information. It can, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.
  • Forensically - Free online tool to analysis image this tool has many features.
  • MZCacheView - Small utility that reads the cache folder of Firefox/Mozilla/Netscape Web browsers, and displays the list of all files currently stored in the cache.
  • NetworkMiner Network Forensic Analysis Tool (NFAT).
  • OfflineRegistryView - Simple tool for Windows that allows you to read offline Registry files from external drive.
  • photorec - File data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory.
  • Registry Viewer - Tool to view Windows registers.
  • Scalpel - Open source data carving tool.
  • The Sleuth Kit - Collection of command line tools and a C library that allows you to analyze disk images and recover files from them.
  • USBRip - Simple CLI forensics tool for tracking USB device artifacts (history of USB events) on GNU/Linux.
  • Volatility - An advanced memory forensics framework.
  • Wireshark - Tool to analyze pcap or pcapng files.
  • X-Ways - Advanced work environment for computer forensic examiners.

Misc

Tools used for solving Misc challenges

  • boofuzz - Network Protocol Fuzzing for Humans.
  • Veles - Binary data analysis and visualization tool.

Bruteforcers:

  • changeme - A default credential scanner.
  • Hashcat - Advanced Password Recovery.
  • Hydra - Parallelized login cracker which supports numerous protocols to attack.
  • John the Ripper - Open Source password security auditing and password recovery.
  • jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens.
  • Ophcrack - Free Windows password cracker based on rainbow tables.
  • Patator - Multi-purpose brute-forcer, with a modular design and a flexible usage.
  • Turbo Intruder - Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.

Esoteric Languages:

  • Brainfuck - Brainfuck esoteric programming language IDE.
  • COW - It is a Brainfuck variant designed humorously with Bovinae in mind.
  • Malbolge - Malbolge esoteric programming language solver.
  • Ook! - Tool for decoding / encoding in Ook!
  • Piet - Piet programming language compiler.
  • Rockstar - A language intended to look like song lyrics.
  • Try It Online - An online tool that has a ton of Esoteric language interpreters.

Sandboxes:

  • Any.run - Interactive malware hunting service.
  • Intezer Analyze - Malware analysis platform.
  • Triage - State-of-the-art malware analysis sandbox designed for cross-platform support.

Reversing

Tools used for solving Reversing challenges

  • Androguard - Androguard is a full python tool to play with Android files.
  • Angr - A powerful and user-friendly binary analysis platform.
  • Apk2gold - CLI tool for decompiling Android apps to Java.
  • ApkTool - A tool for reverse engineering 3rd party, closed, binary Android apps.
  • Binary Ninja - Binary Analysis Framework.
  • BinUtils - Collection of binary tools.
  • CTF_import - Run basic functions from stripped binaries cross platform.
  • Compiler Explorer - Online compiler tool.
  • CWE_checker - Finds vulnerable patterns in binary executables.
  • Demovfuscator - A work-in-progress deobfuscator for movfuscated binaries.
  • Disassembler.io - Disassemble On Demand. A lightweight, online service for when you don’t have the time, resources, or requirements to use a heavier-weight alternative.
  • dnSpy - .NET debugger and assembly editor.
  • EasyPythonDecompiler - A small .exe GUI application that will "decompile" Python bytecode, often seen in .pyc extension.
  • Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
  • GDB - The GNU Project debugger.
  • GEF - A modern experience for GDB with advanced debugging features for exploit developers & reverse engineers.
  • Ghidra - A software reverse engineering (SRE) suite of tools developed by NSA.
  • Hopper - Reverse engineering tool (disassembler) for OSX and Linux.
  • IDA Pro - Most used Reversing software.
  • Jadx - Command line and GUI tools for producing Java source code from Android Dex and Apk files.
  • Java Decompilers - An online decompiler for Java and Android APKs.
  • JSDetox - A JavaScript malware analysis tool.
  • miasm - Reverse engineering framework in Python.
  • Objection - Runtime mobile exploration.
  • Online Assembler/Disassembler - Online wrappers around the Keystone and Capstone projects.
  • PEDA - Python Exploit Development Assistance for GDB.
  • PEfile - Python module to read and work with PE (Portable Executable) files.
  • Pwndbg - Exploit Development and Reverse Engineering with GDB Made Easy.
  • radare2 - UNIX-like reverse engineering framework and command-line toolset.
  • Rizin - Rizin is a fork of the radare2 reverse engineering framework with a focus on usability, working features and code cleanliness.
  • Uncompyle - A Python 2.7 byte-code decompiler (.pyc)
  • WinDBG - Windows debugger distributed by Microsoft.
  • Z3 - A theorem prover from Microsoft Research.

Steganography

Tools used for solving Stego challenges

  • AperiSolve - Platform which performs layer analysis on images.
  • BPStegano - Python3 based LSB steganography.
  • DeepSound - Freeware steganography tool and audio converter that hides secret data into audio files.
  • DTMF Detection - Audio frequencies common to a phone button.
  • DTMF Tones - Audio frequencies common to a phone button.
  • Exif - Shows EXIF information in JPEG files.
  • Exiv2 - Image metadata manipulation tool.
  • FotoForensics - Provides budding researchers and professional investigators access to cutting-edge tools for digital photo forensics.
  • hipshot - Tool to converts a video file or series of photographs into a single image simulating a long-exposure photograph.
  • Image Error Level Analyzer - Tool to analyze digital images. It's also free and web based. It features error level analysis, clone detection and more.
  • Image Steganography - Client-side Javascript tool to steganographically hide/unhide images inside the lower "bits" of other images.
  • ImageMagick - Tool for manipulating images.
  • jsteg - Command-line tool to use against JPEG images.
  • Magic Eye Solver - Get hidden information from images.
  • Outguess - Universal steganographic tool.
  • Pngcheck - Verifies the integrity of PNG and dump all of the chunk-level information in human-readable form.
  • Pngtools - For various analysis related to PNGs.
  • sigBits - Steganography significant bits image decoder.
  • SmartDeblur - Restoration of defocused and blurred photos/images.
  • Snow - Whitespace Steganography Tool
  • Sonic Visualizer - Audio file visualization.
  • Steganography Online - Online steganography encoder and decoder.
  • Stegbreak - Launches brute-force dictionary attacks on JPG image.
  • StegCracker - Brute-force utility to uncover hidden data inside files.
  • stegextract - Detect hidden files and text in images.
  • Steghide - Hide data in various kinds of image- and audio-files.
  • StegOnline - Conduct a wide range of image steganography operations, such as concealing/revealing files hidden within bits.
  • Stegosaurus - A steganography tool for embedding payloads within Python bytecode.
  • StegoVeritas - Yet another stego tool.
  • Stegpy - Simple steganography program based on the LSB method.
  • stegseek - Lightning fast steghide cracker that can be used to extract hidden data from files.
  • stegsnow - Whitespace steganography program.
  • Stegsolve - Apply various steganography techniques to images.
  • Zsteg - PNG/BMP analysis.

Web

Tools used for solving Web challenges

  • Arachni - Web Application Security Scanner Framework.
  • Beautifier.io - Online JavaScript Beautifier.
  • BurpSuite - A graphical tool to testing website security.
  • Commix - Automated All-in-One OS Command Injection Exploitation Tool.
  • debugHunter - Discover hidden debugging parameters and uncover web application secrets.
  • Dirhunt - Find web directories without bruteforce.
  • dirsearch - Web path scanner.
  • nomore403 - Tool to bypass 40x errors.
  • ffuf - Fast web fuzzer written in Go.
  • git-dumper - A tool to dump a git repository from a website.
  • Gopherus - Tool that generates gopher link for exploiting SSRF and gaining RCE in various servers.
  • Hookbin - Free service that enables you to collect, parse, and view HTTP requests.
  • JSFiddle - Test your JavaScript, CSS, HTML or CoffeeScript online with JSFiddle code editor.
  • ngrok - Secure introspectable tunnels to localhost.
  • OWASP Zap - Intercepting proxy to replay, debug, and fuzz HTTP requests and responses.
  • PHPGGC - Library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
  • Postman - Addon for chrome for debugging network requests.
  • REQBIN - Online REST & SOAP API Testing Tool.
  • Request Bin - A modern request bin to inspect any event by Pipedream.
  • Revelo - Analyze obfuscated Javascript code.
  • Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python3.
  • SQLMap - Automatic SQL injection and database takeover tool.
  • W3af - Web application attack and audit framework.
  • XSSer - Automated XSS testor.
  • ysoserial - Tool for generating payloads that exploit unsafe Java object deserialization.

0x02. Resources

Online Platforms

Always online CTFs

  • 0x0539 - Online CTF challenges.
  • 247CTF - Free Capture The Flag Hacking Environment.
  • Archive.ooo - Live, playable archive of DEF CON CTF challenges.
  • Atenea - Spanish CCN-CERT CTF platform.
  • CTFlearn - Online platform built to help ethical hackers learn, practice, and compete.
  • CTF365 - Security Training Platform.
  • Crackmes.One - Reverse Engineering Challenges.
  • CryptoHack - Cryptography Challenges.
  • Cryptopals - Cryptography Challenges.
  • Defend the Web - An Interactive Cyber Security Platform.
  • Dreamhack.io - Online wargame.
  • echoCTF.RED - Online Hacking Laboratories.
  • Flagyard - An Online Playground of Hands-on Cybersecurity Challenges.
  • HackBBS - Online wargame.
  • Hacker101 - CTF Platform by HackerOne.
  • Hackropole - This platform allows you to replay the challenges of the France Cybersecurity Challenge.
  • HackTheBox - A Massive Hacking Playground.
  • HackThisSite - Free, safe and legal training ground for hackers.
  • HBH - Community designed to teach methods and tactics used by malicious hackers to access systems and sensitive information.
  • Komodo - This is a game designed to challenge your application hacking skills.
  • MicroCorruption - Embedded Security CTF.
  • MNCTF - Online cybersecurity challenges.
  • OverTheWire - Wargame offered by the OverTheWire community.
  • picoCTF - Beginner-friendly CTF platform.
  • Pwn.college - Education platform to learn about, and practice, core cybersecurity concepts.
  • PWN.TN - Educational and non commercial wargame.
  • Pwnable.kr - Pwn/Exploiting platform.
  • Pwnable.tw - Pwn/Exploiting platform.
  • Pwnable.xyz - Pwn/Exploiting platform.
  • PWNChallenge - Pwn/Exploiting platform.
  • Reversing.kr - Reverse Engineering platform.
  • Root-me - CTF training platform.
  • VibloCTF - CTF training platform.
  • VulnHub - VM-based pentesting platform.
  • W3Challs - Hacking/CTF platform.
  • WebHacking - Web challenges platform.
  • Websec.fr - Web challenges platform.
  • WeChall - Challenge sites directory & forum.
  • YEHD 2015 - YEHD CTF 2015 online challenges.

Self-hosted CTFs

  • AWSGoat - A Damn Vulnerable AWS Infrastructure.
  • CICD-goat - A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
  • Damn Vulnerable Web Application - PHP/MySQL web application that is damn vulnerable.
  • GCPGoat - A Damn Vulnerable GCP Infrastructure.
  • Juice Shop - Capture-the-Flag (CTF) environment setup tools for OWASP Juice Shop.

Collaborative Tools

  • CTFNote - Collaborative tool aiming to help CTF teams to organise their work.

Writeups Repositories

Repository of CTF Writeups

Courses

0x03. Bibliography

The resources presented here have been gathered from numerous sources. However, the most important are: