ctf::setup

setup tools · VM workflow
01Recommended VM Setup
Recommended distributions
DistroNotes
Kali LinuxShips with most tools pre-installed; best for beginners
Parrot OSLighter than Kali, good toolset, pleasant UI
Ubuntu 22.04Clean base; install only what you need; fastest
REMnuxMalware/RE focused — great for forensics challenges
Tsurugi LinuxDFIR-focused; best for disk forensics CTFs
# VM settings for CTF work:
# RAM:  4–8 GB (Ghidra needs ~4 GB alone)
# CPU:  2–4 cores
# Disk: 60 GB+ (tools + challenge files)
# Network: NAT for everyday isolation from the LAN; host-only/internal for
#          malware analysis (NAT still allows the guest to reach the internet)
#          Bridged for CTF platform access
# Shared folder: yes (easy file transfer)
Snapshot discipline
# Take snapshots BEFORE:
# - Running unknown binaries
# - Installing new tools
# - Trying kernel exploits
# - Pwn challenges that crash the system

# VMware: VM → Snapshots → Take Snapshot
# VirtualBox: Machine → Take Snapshot
# QEMU/KVM: virsh snapshot-create-as vm snap1

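# Run suspicious binaries safely. A container shares the host kernel, so it
# limits what the binary can reach (network, capabilities), not what a kernel
# exploit can do — the snapshotted VM above remains the real boundary.
docker run --rm -it --network none --cap-drop ALL ubuntu bash
# or (firejail: no network, throwaway private home directory)
firejail --net=none --private ./suspicious_binary
# or
sandbox-exec -f deny.sb ./binary   # macOS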
02Essential Tools Install
One-shot install script
#!/bin/bash
# Paste and run on a fresh Ubuntu/Kali install

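# System tools. apt aborts the whole transaction on an unknown package name:
# `strings` is not a package (it ships in binutils), and stegsolve is normally
# a standalone jar, so it is attempted separately below.
# ruby, golang-go and cargo are added for the gem/go/cargo installs further down.
sudo apt update && sudo apt install -y \
    python3-pip git curl wget vim tmux \
    gdb gdb-multiarch ltrace strace \
    ncat netcat-openbsd socat \
    binwalk foremost scalpel \
    xxd hexedit file binutils \
    exiftool steghide \
    wireshark tshark \
    checksec patchelf \
    upx-ucl \
    ruby golang-go cargo
# stegsolve: TODO confirm whether the target distro packages it; if not, fetch the jar by hand.
sudo apt install -y stegsolve \
    || printf 'stegsolve is not packaged on this distro; download the jar manually\n' >&2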

# Python tools
# NOTE(review): Kali and Ubuntu 23.04+ enforce PEP 668 and refuse system-wide
# pip installs; there, run this inside a venv (or add --user).
python_pkgs=(
    pwntools z3-solver
    requests flask
    pycryptodome
    ROPgadget ropper
    frida-tools
    volatility3
    r2pipe
)
pip3 install "${python_pkgs[@]}"

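# Rust/Go tools. cargo and go are separate toolchains; guard so a missing one
# is reported clearly instead of a bare "command not found".
# Both lines install whatever is latest; pin a tag (…@vX.Y.Z) for a reproducible box.
# feroxbuster
if command -v cargo >/dev/null 2>&1; then
    cargo install feroxbuster
else
    printf 'cargo not found: install rustup or the cargo package first\n' >&2
fi
# chisel
if command -v go >/dev/null 2>&1; then
    go install github.com/jpillora/chisel@latest
else
    printf 'go not found: install golang-go first\n' >&2
fi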
RE/Pwn tools
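# Ghidra (NSA decompiler)
ghidra_zip=ghidra_11.0.3_PUBLIC_20240410.zip
wget "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_11.0.3_build/${ghidra_zip}"
# Check the archive against the digest published with the release before
# unpacking it; GHIDRA_SHA256 is a placeholder you fill in, not a value from this page.
: "${GHIDRA_SHA256:?set GHIDRA_SHA256 to the published SHA-256 of ${ghidra_zip}}"
printf '%s  %s\n' "$GHIDRA_SHA256" "$ghidra_zip" | sha256sum -c - \
    && unzip -q "$ghidra_zip" \
    && mkdir -p ~/bin \
    && ln -sfn "$PWD"/ghidra_*/ghidraRun ~/bin/ghidra
# ln -s stores the target text as given: a relative target is resolved from
# ~/bin, not from the directory this ran in, so the link target must be absolute.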

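# pwndbg — setup runs in a subshell so the cd does not change the directory
# of the shell this was pasted into (the following snippets assume it didn't).
git clone https://github.com/pwndbg/pwndbg \
    && ( cd pwndbg && ./setup.sh )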

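# GEF (alternative to pwndbg). Fetch the installer to a file and read it before
# running it: piping curl straight into bash executes whatever the server sends,
# with no chance to review it first.
gef_installer=$(mktemp) \
    && curl -fsSL https://gef.blah.cat/sh -o "$gef_installer" \
    && "${PAGER:-less}" "$gef_installer" \
    && bash "$gef_installer"
rm -f -- "$gef_installer"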

# one_gadget (find execve gadgets in libc) and seccomp-tools, installed one gem
# at a time so a failure in the first does not hide the second.
for ruby_gem in one_gadget seccomp-tools; do
    gem install "$ruby_gem"
done

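# libc-database — `./get ubuntu` downloads the Ubuntu libcs (a large download);
# the subshell keeps the cd from leaking into your shell.
git clone https://github.com/niklasb/libc-database \
    && ( cd libc-database && ./get ubuntu )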
Forensics tools
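# -y on every apt call, matching the one-shot script above, so a paste-and-run
# does not stall on a confirmation prompt.

# Sleuth Kit
sudo apt install -y sleuthkit autopsy

# bulk_extractor
sudo apt install -y bulk-extractor

# volatility3 (already in the one-shot pip list above; harmless to repeat)
pip3 install volatility3
# Symbols: https://isf-server.techanarchy.net/

# photorec / testdisk
sudo apt install -y testdisk

# extundelete / ext4magic
sudo apt install -y extundelete

# zsteg (PNG steg)
gem install zsteg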

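# stegseek (crack steghide). A .deb installs as root and runs its maintainer
# scripts, so verify the file against a digest obtained out of band before
# installing; STEGSEEK_SHA256 is a placeholder to fill in, not a value from this page.
stegseek_deb=stegseek_0.6-1.deb
wget "https://github.com/RickdeJager/stegseek/releases/download/v0.6/${stegseek_deb}"
: "${STEGSEEK_SHA256:?set STEGSEEK_SHA256 to the expected SHA-256 of ${stegseek_deb}}"
printf '%s  %s\n' "$STEGSEEK_SHA256" "$stegseek_deb" | sha256sum -c - \
    && sudo apt install -y "./${stegseek_deb}"   # apt (unlike dpkg -i) also resolves the deb's dependencies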
Web tools
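# ffuf — installs whatever @latest resolves to; pin a tag for a reproducible box.
# Guarded so a missing Go toolchain is reported clearly.
if command -v go >/dev/null 2>&1; then
    go install github.com/ffuf/ffuf/v2@latest
else
    printf 'go not found: install golang-go first\n' >&2
fi

# sqlmap
git clone https://github.com/sqlmapproject/sqlmap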

# Burp Suite Community (free)
# https://portswigger.net/burp/releases
# chmod +x burpsuite_community*.sh && ./burpsuite_community*.sh

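# jwt_tool
pip3 install jwt_tool
# or
git clone https://github.com/ticarpi/jwt_tool

# flask-unsign
pip3 install flask-unsign

# SecLists wordlists — cloned under ~/ctf/wordlists to match the directory
# layout below (writable without sudo, unlike /opt on most systems);
# --depth 1 skips the repository history.
mkdir -p ~/ctf/wordlists \
    && git clone --depth 1 https://github.com/danielmiessler/SecLists ~/ctf/wordlists/SecLists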
03Directory Structure
Recommended layout
~/ctf/
├── tools/          ← cloned tools (ghidra, pwndbg, etc.)
├── wordlists/      ← rockyou, SecLists
├── 2026-picoctf/   ← per-competition folder
│   ├── web/
│   │   ├── challenge1/
│   │   │   ├── solve.py
│   │   │   ├── notes.md
│   │   │   └── flag.txt
│   │   └── challenge2/
│   ├── pwn/
│   ├── forensics/
│   ├── crypto/
│   ├── rev/
│   └── misc/
└── templates/      ← solve script templates

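# Create structure quickly. Root and event name are parameters (CTF_ROOT,
# CTF_EVENT) with defaults matching the layout above; templates/ is included
# because the layout lists it.
ctf_root=${CTF_ROOT:-$HOME/ctf}
event=${CTF_EVENT:-2026-event}
mkdir -p "$ctf_root"/{tools,wordlists,templates}
mkdir -p "$ctf_root/$event"/{web,pwn,forensics,crypto,rev,misc}
for category in web pwn forensics crypto rev misc; do
    mkdir -p "$ctf_root/$event/$category/chall1"
done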
Per-challenge template
# ~/ctf/templates/solve.py
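from pwn import *
import sys

# Defaults; override at run time with the pwntools magic args,
# e.g. `python3 solve.py REMOTE HOST=10.0.0.1 PORT=4444`
# (unset magic args evaluate to '', so `or` falls back to the default).
HOST = args.HOST or 'challenge.ctf.com'
PORT = int(args.PORT or 1337)
BINARY = './challenge'

# Loaded once at import; context.binary lets pwntools pick arch/bits from the ELF.
elf = ELF(BINARY)
context.binary = elf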

def conn():
    """Open a tube to the target.

    Selection is driven by pwntools' magic command-line args:
    REMOTE -> connect to HOST:PORT; GDB -> run BINARY under gdb,
    breaking at main and continuing; otherwise run BINARY locally.
    """
    if args.REMOTE:
        return remote(HOST, PORT)
    elif args.GDB:
        return gdb.debug(BINARY, 'b main\nc')
    else:
        return process(BINARY)

def exploit():
    """Connect via conn(), send the payload, then hand the tube to the user."""
    io = conn()
    # EXPLOIT HERE
    io.interactive()

if __name__ == "__main__":
    # Script entry point: `python3 solve.py` (local), `... REMOTE`, or `... GDB`.
    exploit()

# notes.md template:
# ## Challenge: name
# Category: pwn / web / crypto...
# Points: 100
# ## Analysis
# ## Solution
# ## Flag: picoCTF{...}
04Useful Aliases & Functions
~/.bashrc / ~/.zshrc additions
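# Quick decode aliases (GNU coreutils: -w0 disables base64 line wrapping)
alias b64d='base64 -d'
alias b64e='base64 -w0'
alias hd='hexdump -C'

# Quick analysis: pwntools' checksec. Note this shadows the distro `checksec`
# binary if that package is installed.
# python3 passes everything after the -c string through to sys.argv unchanged,
# so a trailing `--` inside the alias would itself become sys.argv[1]; the
# file name has to be the first argument after the code.
alias checksec='python3 -c "from pwn import *; print(ELF(sys.argv[1]).checksec())"'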

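# CTF function: decode a string with multiple methods.  Usage: ctfdecode <text>
# printf rather than echo feeds the data: echo would treat input such as
# "-n" or "-e" as options.  A newline is emitted after each decoder so the
# next header never ends up glued to decoded output.
ctfdecode() {
    local s=$1
    printf '=== hex ===\n';   printf '%s' "$s" | xxd -r -p 2>/dev/null; echo
    printf '=== b64 ===\n';   printf '%s' "$s" | base64 -d 2>/dev/null; echo
    printf '=== rot13 ===\n'; printf '%s\n' "$s" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
    printf '=== str ===\n';   printf '%b\n' "$s" 2>/dev/null
}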

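# Quick netcat with Python payload.  Usage: pwn '<python code>' <host> <port>
# Returns 2 on a wrong argument count instead of calling nc with empty host/port.
pwn() {
    if (( $# != 3 )); then
        printf 'usage: pwn <python-code> <host> <port>\n' >&2
        return 2
    fi
    python3 -c "$1" | nc "$2" "$3"
}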

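# Extract an archive of any common type into the current directory.
# Challenge archives are untrusted input and may carry absolute or ../ member
# names; traversal protection varies by tool, so run this inside a scratch
# directory, not in ~ or a tools checkout.
# Returns 1 when the file is missing or the type is unknown.
extract() {
    local archive=$1
    if [[ ! -f "$archive" ]]; then
        printf 'extract: no such file: %s\n' "$archive" >&2
        return 1
    fi
    # A name starting with '-' would be parsed as an option by every tool below.
    [[ "$archive" == -* ]] && archive=./$archive
    case "$archive" in
        *.tar.gz|*.tgz)   tar -xzvf "$archive" ;;
        *.tar.bz2|*.tbz2) tar -xjvf "$archive" ;;
        *.tar.xz|*.txz)   tar -xJvf "$archive" ;;
        *.tar)            tar -xvf "$archive" ;;
        *.zip)            unzip "$archive" ;;
        *.7z)             7z x "$archive" ;;
        *.rar)            unrar x "$archive" ;;
        *.gz)             gunzip "$archive" ;;
        *.bz2)            bunzip2 "$archive" ;;
        *.xz)             unxz "$archive" ;;
        *)
            printf 'extract: unknown archive type: %s\n' "$archive" >&2
            return 1
            ;;
    esac
}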

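# Find flag in current directory.  Usage: findflag [PREFIX]  (default: picoCTF)
# Searches text (grep -r) and binary content (strings over every file, recursively).
findflag() {
    local prefix=${1:-picoCTF}
    # -F: the prefix is a literal, so regex metacharacters in it are not interpreted.
    grep -rF -- "${prefix}{" . 2>/dev/null
    # -f prefixes each string with its file name; -- protects names starting with '-'.
    find . -type f -exec strings -f -- {} + 2>/dev/null | grep -F -- "${prefix}{"
}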

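# PATH additions. The user gem bin dir embeds the Ruby version, so ask Ruby
# for it instead of hard-coding 3.0.0 (which silently stops matching on any
# other version); the literal is kept as a fallback when ruby is absent.
if command -v ruby >/dev/null 2>&1; then
    PATH="$(ruby -e 'puts Gem.user_dir')/bin:$PATH"
else
    PATH="$HOME/.gem/ruby/3.0.0/bin:$PATH"
fi
export PATH="$HOME/.local/bin:$HOME/go/bin:$PATH"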
05tmux for CTF
tmux layout
# Recommended: 3-pane layout
# ┌──────────────┬──────────────┐
# │  main shell  │    gdb/r2    │
# │  (solve.py)  │              │
# ├──────────────┴──────────────┤
# │      ghidra / notes         │
# └─────────────────────────────┘

# Create session
tmux new-session -s ctf

# Split panes
Ctrl-b %      # vertical split
Ctrl-b "      # horizontal split
Ctrl-b →←↑↓  # navigate panes
Ctrl-b z      # zoom/unzoom pane
Ctrl-b [      # scroll mode (q to exit)
Ctrl-b d      # detach
tmux attach -t ctf  # reattach
~/.tmux.conf
# Sane defaults for CTF work
set -g history-limit 50000
set -g mouse on
set -g base-index 1

# Better prefix (Ctrl-a like screen)
unbind C-b
set -g prefix C-a
bind C-a send-prefix

# Reload config
bind r source-file ~/.tmux.conf

# Easy splits
bind | split-window -h
bind - split-window -v

# Status bar
set -g status-right '%H:%M'
06Online Tools Reference
Bookmark these
ToolURLUse
CyberChefgchq.github.io/CyberChefMagic decode, all encodings, recipes
dcode.frdcode.fr/cipher-identifierIdentify classical ciphers
factordbfactordb.comFactor large RSA moduli
libc.riplibc.ripFind libc version from leaked addresses
crackstationcrackstation.netCrack MD5/SHA1/SHA256 hashes
hashes.comhashes.com/en/decryptHash cracking database
gchq.github.iogchq.github.io/CyberChefSwiss army knife encoding tool
requestbinrequestbin.com / pipedream.comReceive OOB HTTP callbacks (SSRF, XSS)
interactshapp.interactsh.comOOB DNS/HTTP (like Burp Collaborator, free)
regex101regex101.comTest and debug regex
0xtools.com0xtools.comHex calculator, converters
ISF serverisf-server.techanarchy.netVolatility 3 Linux symbols
GTFOBinsgtfobins.github.ioUnix binary privilege escalation
SETUP CHECKLIST →  ① VM with 4+ GB RAM, snapshots configured  ② pwndbg (or GEF) installed over GDB  ③ Ghidra + r2ghidra plugin  ④ pwntools + z3-solver + pycryptodome  ⑤ Directory structure: one folder per challenge, notes.md in each  ⑥ tmux always — never work in a single terminal  ⑦ Bookmark: CyberChef, factordb, libc.rip, interactsh