ctf::methodology

triage workflow decision flows
01 Challenge Triage
First 60 seconds
# identify what you actually have
file sample
strings -n 6 sample
exiftool sample
checksec --file=bin        # NX / PIE / canary / RELRO before any pwn work
binwalk -e sample          # extracts into _sample.extracted/; run it on a copy

# service?
nc host port
curl -i URL
nmap -sC -sV host
Classify fast
# ask these first
- file, packet capture, website, binary, archive, image?
- local challenge or remote service?
- obvious encoding?
- user-controlled input?
- flag format known?

# common mapping
forensics → metadata / hidden data / pcap / timeline
web → params / auth / template / file upload
pwn → protections / overflow / format string / heap
rev → input checks / transforms / compare logic
crypto → encoding / xor / rsa / oracle / math
02 Decision Flows
File / artifact flow
file target
├─ archive → 7z l / unzip -l / tar tf (list before extracting)
├─ image/audio → exiftool / zsteg (PNG, BMP) / steghide (JPEG, WAV)
├─ executable → checksec / strings / disassembler
├─ pcap → tshark / export objects
└─ unknown → xxd / magic bytes / entropy
Remote service flow
nc or curl first
1. read banner / prompt carefully
2. send minimal valid input
3. identify constraints / parsing / echoes
4. reproduce locally if possible
5. automate immediately in Python

# do not brute force blind before understanding format
When to switch strategy
Situation                   Better move
stuck in static analysis    run program, trace input, add logging
manual repetition           script it now
tons of possibilities       derive constraints first
remote only                 build a clean local harness around nc/curl
binary crashes              collect offset / protections / register state
Automation mindset
# CTF rule
if you do it twice manually, script it.

python3 solve.py
- isolate one primitive
- test on small samples
- log intermediate values
- keep raw bytes until the end

# save evidence
python3 solve.py | tee output.txt     # keep every attempt's output
script -q transcript.txt              # record the whole interactive session
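The "remote service flow" and "automation mindset" steps above, as one worked harness. This is an added example, not code from the original page: the arithmetic service, its banner text, prompt format and flag are constructed stand-ins, and the `Tube` / `SocketTube` / `FakeTube` names are this example's own. The point is that `solve()` is written once against an in-memory fake that mimics the observed protocol, with every raw byte logged, and then pointed at the real host:port without changes.

```python
import re
import socket
import sys


class Tube:
    """nc-style I/O wrapper. Every byte in and out is kept raw in self.log."""

    def __init__(self):
        self.buf = b""
        self.log = []          # list of ("<-" | "->", bytes), never decoded

    def _recv_raw(self, n=4096):   # implemented by a transport subclass
        raise NotImplementedError

    def _send_raw(self, data):
        raise NotImplementedError

    def recvuntil(self, delim):
        while delim not in self.buf:
            chunk = self._recv_raw()
            if not chunk:
                raise EOFError("peer closed; unread buffer=%r" % self.buf)
            self.log.append(("<-", chunk))
            self.buf += chunk
        idx = self.buf.index(delim) + len(delim)
        out, self.buf = self.buf[:idx], self.buf[idx:]
        return out

    def recvline(self):
        return self.recvuntil(b"\n")

    def sendline(self, data):
        if isinstance(data, str):
            data = data.encode()
        self.log.append(("->", data + b"\n"))
        self._send_raw(data + b"\n")


class SocketTube(Tube):
    """Real transport: used against the remote once solve() works locally."""

    def __init__(self, host, port, timeout=5.0):
        super().__init__()
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def _recv_raw(self, n=4096):
        return self.sock.recv(n)

    def _send_raw(self, data):
        self.sock.sendall(data)


class FakeTube(Tube):
    """Constructed stand-in for the remote service (not a real challenge):
    banner, N arithmetic questions, then the flag; a wrong answer ends the session."""

    ROUNDS = [(7, 35), (1000, 24), (3, 3)]
    FLAG = b"flag{local_harness_first}"

    def __init__(self):
        super().__init__()
        self.pending = b"Welcome. Answer %d questions.\n" % len(self.ROUNDS)
        self.answered = 0
        self.done = False

    def _recv_raw(self, n=4096):
        if not self.pending:
            if self.done:
                return b""
            if self.answered < len(self.ROUNDS):
                a, b = self.ROUNDS[self.answered]
                self.pending = b"What is %d * %d? " % (a, b)
            else:
                self.pending, self.done = self.FLAG + b"\n", True
        out, self.pending = self.pending[:n], self.pending[n:]
        return out

    def _send_raw(self, data):
        if self.done or self.answered >= len(self.ROUNDS):
            return
        a, b = self.ROUNDS[self.answered]
        if data.strip() != str(a * b).encode():
            self.pending, self.done = b"Wrong!\n", True
            return
        self.answered += 1


QUESTION = re.compile(rb"What is (\d+) \* (\d+)\?")


def solve(tube):
    """Read the banner first, parse each prompt, answer, return the flag line (raw bytes)."""
    banner = tube.recvline()
    rounds = int(re.search(rb"(\d+) questions", banner).group(1))   # the banner states the round count
    for _ in range(rounds):
        prompt = tube.recvuntil(b"? ")
        m = QUESTION.search(prompt)
        if not m:
            raise ValueError("unexpected prompt: %r" % prompt)   # format changed: stop and look
        tube.sendline(str(int(m.group(1)) * int(m.group(2))))
    return tube.recvline().strip()


if __name__ == "__main__":
    # python3 harness.py            -> runs solve() against the in-memory fake
    # python3 harness.py HOST PORT  -> the same solve() against the real service
    tube = SocketTube(sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else FakeTube()
    print(solve(tube))
    for direction, raw in tube.log:   # evidence: the raw transcript, bytes untouched
        print(direction, raw)
```

The fake only needs to reproduce what was observed through `nc` (banner, prompt shape, success path, failure path); if the real service deviates, `solve()` raises on the unexpected prompt instead of silently sending garbage, and the log shows exactly what was exchanged.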
03 Category Playbooks
Crypto
1. identify encoding before crypto
2. test hex/base64/base32/rot/xor
3. inspect block size / repetition
4. check key reuse / known plaintext
5. for RSA: factor? low e? shared n?

# quick tools
CyberChef, python, sage, factordb
Web
1. map all parameters
2. try normal form + JSON + multipart
3. inspect cookies / JWT / headers
4. test authz separately from authn
5. look for SSTI / SQLi / file upload / IDOR

# quick tools
Burp, curl, ffuf, sqlmap
Pwn / Rev / Forensics
Pwn: checksec → offset → leak → primitive → shell
Rev: strings → main → input path → compare / transform → reimplement
Forensics: metadata → carving → embedded objects → timeline / stream reconstruction
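The "offset" step of the pwn flow (and "binary crashes → collect offset" above) as a self-contained cyclic-pattern tool: a De Bruijn sequence in which every 4-byte window is unique, so the value that lands in a register or at the top of the stack maps back to exactly one input offset. This is an added example, not code from the original page; the crash value `0x61616163` in the usage line is constructed. The sequence order matches the usual cyclic pattern tools for the lowercase alphabet with n=4.

```python
import string
from itertools import islice

ALPHABET = string.ascii_lowercase.encode()


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the De Bruijn sequence B(k, n) over `alphabet`: every n-byte window
    occurs exactly once, so a window identifies its offset uniquely."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern: send this as the crashing input."""
    return bytes(islice(de_bruijn(n=n), length))


def cyclic_find(needle, n=4):
    """Offset of `needle` in the pattern. Accepts the raw bytes from a crash log or
    the register value as an int (decoded little-endian, as on x86/x86-64).
    Returns -1 if the value is not from the pattern, i.e. not a controlled overwrite."""
    if isinstance(needle, int):
        needle = needle.to_bytes(max(1, (needle.bit_length() + 7) // 8), "little")
    needle = needle[:n]
    if len(needle) < n:
        raise ValueError("need %d bytes to locate uniquely" % n)
    buf = bytearray()
    for pos, ch in enumerate(de_bruijn(n=n)):
        buf.append(ch)
        if buf.endswith(needle):
            return pos - n + 1
    return -1


if __name__ == "__main__":
    print(cyclic(32))                 # send to the target, crash, read the faulting value
    print(cyclic_find(0x61616163))    # constructed: EIP == 0x61616163 -> offset 8
```

On 32-bit targets the overwritten EIP is the value to feed in; on x86-64 a non-canonical return address is never loaded into RIP, so take the bytes at RSP (or the overwritten RBP) from the crash instead. A result of -1 means the crash value did not come from the pattern, which is its own finding: the register is not under your control at that point.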
OSINT / Misc / Jail
OSINT: reverse image → exif / geolocation → username pivot → social / domain recon
Misc: read carefully → identify format → script interaction → edge cases
Jail: what's blocked? → enumerate reachable → reflection / meta → rebuild primitives
AI/LLM: probe model → test injection → extract prompt → bypass filters
04 Flag Hunting & Time
Common flag locations
# environment
env | grep -i flag
cat /flag /flag.txt /home/*/flag*
find / -name "*flag*" 2>/dev/null

# databases
sqlite: .tables    mysql: SHOW TABLES;    then SELECT * FROM secrets/flags/...

# web apps
config files, .env, admin panels, hidden routes

# memory / process
/proc/self/environ, core dumps, heap strings

# common flag formats
FLAG{...}  CTF{...}  flag{...}  HTB{...}
grep -rna "flag{" . 2>/dev/null      # -a: search binary files too, not just text
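The flag-location checklist above as a scanner that works on raw bytes rather than decoded text: a bytes regex for the `name{...}` formats, a parser for NUL-separated `/proc/<pid>/environ`-style buffers, and a deduplicating hunt across several sources with offsets. This is an added example, not code from the original page; `ENVIRON` and `BINARY` are constructed samples standing in for a process environment and a binary's `.rodata`.

```python
import re

# Typical wrapper{...} formats; the name part is deliberately loose so that
# event-specific prefixes (HTB, picoCTF, ...) are caught too. Runs on bytes.
FLAG_RE = re.compile(rb"(?<![A-Za-z0-9_])[A-Za-z][A-Za-z0-9_]{1,15}\{[ -~]{3,120}\}")


def find_flags(blob):
    """Scan raw bytes (never a decoded str) and return [(offset, match)] in order."""
    return [(m.start(), m.group(0)) for m in FLAG_RE.finditer(blob)]


def parse_environ(blob):
    """/proc/<pid>/environ and core-dump environments are NUL-separated KEY=VALUE."""
    env = {}
    for entry in blob.split(b"\x00"):
        if b"=" in entry:
            k, v = entry.split(b"=", 1)
            env[k] = v
    return env


def hunt(sources):
    """sources: {name: bytes}. Returns [(name, offset, flag)], deduplicated by flag."""
    seen, hits = set(), []
    for name, blob in sources.items():
        for off, flag in find_flags(blob):
            if flag not in seen:
                seen.add(flag)
                hits.append((name, off, flag))
    return hits


# Constructed samples standing in for /proc/self/environ and a binary's .rodata.
ENVIRON = b"PATH=/usr/bin:/bin\x00FLAG=flag{from_environ}\x00HOME=/home/ctf\x00"
BINARY = b"\x7fELF\x02\x01\x01" + bytes(range(256)) + b"CTF{in_rodata}\x00not_a_flag{}\x00"

if __name__ == "__main__":
    print(parse_environ(ENVIRON).get(b"FLAG"))
    for hit in hunt({"environ": ENVIRON, "binary": BINARY}):
        print(hit)
```

Feed it whatever was collected (`open(path, "rb").read()` of a dump, the environ file, a pcap's exported objects); because the regex runs on bytes, a flag sitting between non-text bytes is still found, which is exactly where `grep` without `-a` gives up.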
Time management
# per challenge
- read ALL challenges before starting
- easy/medium first → build momentum
- stuck 30min? switch, come back later
- partial progress is fine — note it and move

# scoring
- dynamic scoring: a challenge's value drops as solves come in; the first-blood bonus fades
- static scoring: a 500pt challenge usually costs well over 5× the time of a 100pt one
- always calculate points-per-minute before committing to a challenge

# team tips
- don't overlap on same challenge silently
- share partial findings immediately
- if someone is close, help them finish
05 Common Pitfalls
Mistakes that waste time
Pitfall                    Why it hurts
assuming text              challenge data is often raw bytes
brute forcing too soon     usually one structural clue is enough
ignoring encodings         many crypto challenges are only layered encoding
not saving outputs         hard to compare attempts
copy/paste corruption      newlines and spaces matter
working only remotely      build a local reproducer whenever possible
Minimal reusable notes
mkdir chall && cd chall
script -q transcript.txt
python3 -m venv .venv && . .venv/bin/activate
printf '%s\n' 'host=' >> notes.txt

# keep raw material
cp original.bin work.bin