Agent skill

ctf-misc

Miscellaneous CTF challenge techniques. Use for encoding puzzles, RF/SDR signal processing, Python/bash jails, DNS exploitation, unicode steganography, floating-point tricks, QR codes, audio challenges, Z3 constraint solving, Kubernetes RBAC, WASM game patching, esoteric languages, or challenges that don't fit other categories.

View SKILL.md on GitHub Repository
Stars 163
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/skills/other/ctf-misc

Metadata

Additional technical details for this skill

user invocable
false

SKILL.md

CTF Miscellaneous

Quick reference for miscellaneous CTF challenges. Each technique has a one-liner here; see supporting files for full details.

Additional Resources

  • pyjails.md - Python jail/sandbox escape techniques
  • bashjails.md - Bash jail/restricted shell escape techniques
  • encodings.md - Encodings, QR codes, esolangs, Verilog/HDL, UTF-16 tricks, BCD encoding, multi-layer auto-decoding
  • rf-sdr.md - RF/SDR/IQ signal processing (QAM-16, carrier recovery, timing sync)
  • dns.md - DNS exploitation (ECS spoofing, NSEC walking, IXFR, rebinding, tunneling)
  • games-and-vms.md - WASM patching, Roblox place file reversing, PyInstaller, marshal, Python env RCE, Z3, K8s RBAC, floating-point precision exploitation

General Tips

  • Read all provided files carefully
  • Check file metadata, hidden content, encoding
  • Power Automate scripts may hide API calls
  • Use binary search when guessing multiple answers

Common Encodings

bash
# Base64
echo "encoded" | base64 -d

# Base32 (A-Z2-7=)
echo "OBUWG32D..." | base32 -d

# Hex
echo "68656c6c6f" | xxd -r -p

# ROT13
echo "uryyb" | tr 'a-zA-Z' 'n-za-mN-ZA-M'

Identify by charset:

  • Base64: A-Za-z0-9+/=
  • Base32: A-Z2-7= (no lowercase)
  • Hex: 0-9a-fA-F

See encodings.md for Caesar brute force, URL encoding, and full details.

IEEE-754 Float Encoding (Data Hiding)

Pattern (Floating): Numbers are float32 values hiding raw bytes.

Key insight: A 32-bit float is just 4 bytes interpreted as a number. Reinterpret as raw bytes -> ASCII.

python
import struct
floats = [1.234e5, -3.456e-7, ...]  # Whatever the challenge gives
flag = b''
for f in floats:
    flag += struct.pack('>f', f)
print(flag.decode())

Variations: Double '>d', little-endian '<f', mixed. See encodings.md for CyberChef recipe.

USB Mouse PCAP Reconstruction

Pattern (Hunt and Peck): USB HID mouse traffic captures on-screen keyboard typing. Use USB-Mouse-Pcap-Visualizer, extract click coordinates (falling edges), cumsum relative deltas for absolute positions, overlay on OSK image.

File Type Detection

bash
file unknown_file
xxd unknown_file | head
binwalk unknown_file

Archive Extraction

bash
7z x archive.7z           # Universal
tar -xzf archive.tar.gz   # Gzip
tar -xjf archive.tar.bz2  # Bzip2
tar -xJf archive.tar.xz   # XZ

Nested Archive Script

bash
while f=$(ls *.tar* *.gz *.bz2 *.xz *.zip *.7z 2>/dev/null|head -1) && [ -n "$f" ]; do
    7z x -y "$f" && rm "$f"
done

QR Codes

bash
zbarimg qrcode.png       # Decode
qrencode -o out.png "data"

See encodings.md for QR structure, repair techniques, and chunk reassembly.

Audio Challenges

bash
sox audio.wav -n spectrogram  # Visual data
qsstv                          # SSTV decoder

RF / SDR / IQ Signal Processing

See rf-sdr.md for full details (IQ formats, QAM-16 demod, carrier/timing recovery).

Quick reference:

  • cf32: np.fromfile(path, dtype=np.complex64) | cs16: int16 reshape(-1,2) | cu8: RTL-SDR raw
  • Circles in constellation = constant frequency offset; Spirals = drifting frequency + gain instability
  • 4-fold ambiguity in DD carrier recovery - try 0/90/180/270 rotation

pwntools Interaction

python
from pwn import *

r = remote('host', port)
r.recvuntil(b'prompt: ')
r.sendline(b'answer')
r.interactive()

Python Jail Quick Reference

  • Oracle pattern: L() = length, Q(i,x) = compare, S(guess) = submit. Linear or binary search.
  • Walrus bypass: (abcdef := "new_chars") reassigns constraint vars
  • Decorator bypass: @__import__ + @func.__class__.__dict__[__name__.__name__].__get__ for no-call, no-quotes escape
  • String join: open(''.join(['fl','ag.txt'])).read() when + is blocked

See pyjails.md for full techniques.

Z3 / Constraint Solving

python
from z3 import *
flag = [BitVec(f'f{i}', 8) for i in range(FLAG_LEN)]
s = Solver()
# Add constraints, check sat, extract model

See games-and-vms.md for YARA rules, type systems as constraints.

Hash Identification

MD5: 0x67452301 | SHA-256: 0x6a09e667 | MurmurHash64A: 0xC6A4A7935BD1E995

SHA-256 Length Extension Attack

MAC = SHA-256(SECRET || msg) with known msg/hash -> forge valid MAC via hlextend. Vulnerable: SHA-256, MD5, SHA-1. NOT: HMAC, SHA-3.

python
import hlextend
sha = hlextend.new('sha256')
new_data = sha.extend(b'extension', b'original_message', len_secret, known_hash_hex)

Technique Quick References

  • PyInstaller: pyinstxtractor.py packed.exe. See games-and-vms.md for opcode remapping.
  • Marshal: marshal.load(f) then dis.dis(code). See games-and-vms.md.
  • Python env RCE: PYTHONWARNINGS=ignore::antigravity.Foo::0 + BROWSER="cmd". See games-and-vms.md.
  • WASM patching: wasm2wat -> flip minimax -> wat2wasm. See games-and-vms.md.
  • Float precision: Large multipliers amplify FP errors into exploitable fractions. See games-and-vms.md.
  • K8s RBAC bypass: SA token -> impersonate -> hostPath mount -> read secrets. See games-and-vms.md.

3D Printer Video Nozzle Tracking (LACTF 2026)

Pattern (flag-irl): Video of 3D printer fabricating nameplate. Flag is the printed text.

Technique: Track nozzle X/Y positions from video frames, filter for print moves (top/text layer only), plot 2D histogram to reveal letter shapes:

python
# 1. Identify text layer frames (e.g., frames 26100-28350)
# 2. Track print head X position (physical X-axis)
# 3. Track bed X position (physical Y-axis from camera angle)
# 4. Filter for moves with extrusion (head moving while printing)
# 5. Plot as 2D scatter/histogram -> letters appear

Discord API Enumeration (0xFun 2026)

Flags hidden in Discord metadata (roles, animated emoji, embeds). Invoke /ctf-osint and see ctf-osint social-media.md for Discord API enumeration technique and code.

SUID Binary Exploitation (0xFun 2026)

bash
# Find SUID binaries
find / -perm -4000 2>/dev/null

# Cross-reference with GTFObins
# xxd with SUID: xxd flag.txt | xxd -r
# vim with SUID: vim -c ':!cat /flag.txt'

Reference: https://gtfobins.github.io/

Linux Privilege Escalation Quick Checks

bash
# GECOS field passwords
cat /etc/passwd  # Check 5th colon-separated field

# ACL permissions
getfacl /path/to/restricted/file

# Sudo permissions
sudo -l

Useful One-Liners

bash
grep -rn "flag{" .
strings file | grep -i flag
python3 -c "print(int('deadbeef', 16))"

Keyboard Shift Cipher

Pattern (Frenzy): Characters shifted left/right on QWERTY keyboard layout.

Identification: dCode Cipher Identifier suggests "Keyboard Shift Cipher"

Decoding: Use dCode Keyboard Shift Cipher with automatic mode.

Pigpen / Masonic Cipher

Pattern (Working For Peanuts): Geometric symbols representing letters based on grid positions.

Identification: Angular/geometric symbols, challenge references "Peanuts" comic (Charlie Brown), "dusty looking crypto"

Decoding: Map symbols to Pigpen grid positions, or use online decoder.

ASCII in Numeric Data Columns

Pattern (Cooked Books): CSV/spreadsheet numeric values (48-126) are ASCII character codes.

python
import csv
with open('data.csv') as f:
    reader = csv.DictReader(f)
    flag = ''.join(chr(int(row['Times Borrowed'])) for row in reader)
print(flag)

CyberChef: "From Decimal" recipe with line feed delimiter.

Backdoor Detection in Source Code

Pattern (Rear Hatch): Hidden command prefix triggers system() call.

Common patterns:

  • strncmp(input, "exec:", 5) -> runs system(input + 5)
  • Hex-encoded comparison strings: \x65\x78\x65\x63\x3a = "exec:"
  • Hidden conditions in maintenance/admin functions

DNS Exploitation Techniques

See dns.md for full details (ECS spoofing, NSEC walking, IXFR, rebinding, tunneling).

Quick reference:

  • ECS spoofing: dig @server flag.example.com TXT +subnet=10.13.37.1/24 - try leet-speak IPs (1337)
  • NSEC walking: Follow NSEC chain to enumerate DNSSEC zones
  • IXFR: dig @server domain IXFR=0 when AXFR is blocked
  • DNS rebinding: Low-TTL alternating resolution to bypass same-origin
  • DNS tunneling: Data exfiltrated via subdomain queries or TXT responses

Unicode Steganography

Variation Selectors Supplement (U+E0100-U+E01EF)

Patterns (Seen & emoji, Nullcon 2026): Invisible Variation Selector Supplement characters encode ASCII via codepoint offset.

python
# Extract hidden data from variation selectors after visible character
data = open('README.md', 'r').read().strip()
hidden = data[1:]  # Skip visible emoji character
flag = ''.join(chr((ord(c) - 0xE0100) + 16) for c in hidden)

Detection: Characters appear invisible but have non-zero length. Check with [hex(ord(c)) for c in text] -- look for codepoints in 0xE0100-0xE01EF or 0xFE00-0xFE0F range.

UTF-16 Endianness Reversal

Pattern (endians): Text "turned to Japanese" -- mojibake from UTF-16 endianness mismatch.

python
# If encoded as UTF-16-LE but decoded as UTF-16-BE:
fixed = mojibake.encode('utf-16-be').decode('utf-16-le')

Identification: CJK characters, challenge mentions "translation" or "endian". See encodings.md for details.

Cipher Identification Workflow

  1. ROT13 - Challenge mentions "ROT", text looks like garbled English
  2. Base64 - A-Za-z0-9+/=, title hints "64"
  3. Base32 - A-Z2-7= uppercase only
  4. Atbash - Title hints (Abash/Atbash), preserves spaces, 1:1 substitution
  5. Pigpen - Geometric symbols on grid
  6. Keyboard Shift - Text looks like adjacent keys pressed
  7. Substitution - Frequency analysis applicable

Auto-identify: dCode Cipher Identifier

Didn't find tool you were looking for?

Be as detailed as possible for better results