A list of Capture The Flag(CTF) frameworks, libraries, resources, softwares and tutorials. This list aims to help starters as well as seasoned CTF players to find everything related to CTFs at one place. Focused on Crypto and Stego for now...
| Resource | Comment | Rating |
|---|---|---|
| ---- RSA --- | ||
| RSACTFTool | A tool for recovering RSA private key with various attack. | ⭐⭐ |
| RSATool | Generate private key with knowledge of p and q. | ⭐ |
| ---- Swiss Army Knife --- | ||
| Ciphey | Tool to automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes. | ⭐⭐ |
| Cryptii | Modular conversion, encoding and encryption online. | ⭐ |
| Ares | Discord based auto crypto solver | ⭐ |
| CyberChef | Web app for analysing and decoding data. | ⭐⭐⭐ |
| dcode | Solvers for Crypto, Maths and Encodings online. | ⭐⭐⭐ |
| ---- Oracle attacks --- | ||
| PadBuster | Automated script for performing Padding Oracle attacks. | ⭐ |
| padding-oracle-attacker | A CLI tool to execute padding oracle attacks. | ⭐ |
| ---- XOR --- | ||
| XORTool | A tool to analyze multi-byte xor cipher. | ⭐⭐ |
| XOR Cracker | Online XOR decryption tool able to guess the key length and the cipher key to decrypt any file. | ⭐ |
| ---- Vigenère Solvers --- | ||
| QuipQuip | Automated cryptogram solver. | ⭐⭐⭐ |
| Vigenere Solver | Online tool that breaks Vigenère ciphers without knowing the key. | ⭐⭐ |
| ---- Misc --- | ||
| FeatherDuster | An automated, modular cryptanalysis tool. | ⭐ |
| Hash Extender | A utility tool for performing hash length extension attacks. | ⭐⭐ |
| PkCrack | A tool for Breaking PkZip-encryption. | ⭐ |
| ---- Factoring / Discrete Logs --- | ||
| FactorDB | Online Automated integer factorization. | ⭐⭐⭐ |
| Alpertron | Online Descrete log, number factorisation and a few other tools | ⭐⭐ |
| yagu | Automated integer factorisation. | ⭐⭐ |
| ---- Sequences --- | ||
| Encyclopedia of Integer Sequences | OEIS: The On-Line Encyclopedia of Integer Sequences | ⭐ |
| Python Libraries |
|---|
| PyCryptodome |
| Sage |
| gmpy2 |
| pwntools |
| sympy |
| math |
| owiener |
| Requests |
| mtp |
- CryptoHack - Fun cryptography challenges.
- Cryptopals - Cryptography Challenges.
- MysteryTwister C3 - Cryptography Challenges.
| Resource | Comment |
|---|---|
| Crackstation | Hash cracker (database). |
| PEMCrack | Cracks SSL PEM files that hold encrypted private keys. Brute forces or dictionary cracks. |
| Galois | A fast galois field arithmetic library/toolkit.|
Sherlock: A tool for finding usernames across multiple platforms, useful for OSINT challenges to track down someone’s social media footprint. theHarvester: A tool to gather emails, subdomains, and IPs for a domain, valuable for footprinting and reconnaissance. Maltego: A visual link analysis tool that can map relationships between data, great for investigating people, domains, or IP addresses. Community edition is free.
Tools used for performing various kinds of attacks
- Bettercap - Framework to perform MITM (Man in the Middle) attacks.
- Yersinia - Attack various protocols on layer 2.
Tools used for various kind of bruteforcing (passwords etc.)
- Hashcat - Password Cracker
- Hydra - A parallelized login cracker which supports numerous protocols to attack
- John The Jumbo - Community enhanced version of John the Ripper.
- John The Ripper - Password Cracker.
- Nozzlr - Nozzlr is a bruteforce framework, trully modular and script-friendly.
- Ophcrack - Windows password cracker based on rainbow tables.
- Patator - Patator is a multi-purpose brute-forcer, with a modular design.
- Turbo Intruder - Burp Suite extension for sending large numbers of HTTP requests
Tools used for solving Exploits challenges
-
DLLInjector - Inject dlls in processes.
-
libformatstr - Simplify format string exploitation.
-
Metasploit - Penetration testing software.
-
one_gadget - A tool to find the one gadget
execve('/bin/sh', NULL, NULL)call.gem install one_gadget
-
Pwntools - CTF Framework for writing exploits.
-
Qira - QEMU Interactive Runtime Analyser.
-
ROP Gadget - Framework for ROP exploitation.
-
V0lt - Security CTF Toolkit.
Tools used for solving Pwn challenges
- afl - Security-oriented fuzzer.
- honggfuzz - Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage.
- libformatstr - Simplify format string exploitation.
- One_gadget - Tool for finding one gadget RCE.
- Pwntools - CTF framework for writing exploits.
- ROPgadget - Framework for ROP exploitation.
- Ropper - Display information about files in different file formats and find gadgets to build rop chains for different architectures.
- Shellcodes Database - A massive shellcodes database.
Tools used for solving Forensics challenges
- Aircrack-Ng - Crack 802.11 WEP and WPA-PSK keys.
apt-get install aircrack-ng
- Audacity - Analyze sound files (mp3, m4a, whatever).
apt-get install audacity
- Bkhive and Samdump2 - Dump SYSTEM and SAM files.
apt-get install samdump2 bkhive
- CFF Explorer - PE Editor.
- Creddump - Dump windows credentials.
- DVCS Ripper - Rips web accessible (distributed) version control systems.
- Exif Tool - Read, write and edit file metadata.
- Extundelete - Used for recovering lost data from mountable images.
- Fibratus - Tool for exploration and tracing of the Windows kernel.
- Foremost - Extract particular kind of files using headers.
apt-get install foremost
- Fsck.ext4 - Used to fix corrupt filesystems.
- Malzilla - Malware hunting tool.
- NetworkMiner - Network Forensic Analysis Tool.
- PDF Streams Inflater - Find and extract zlib files compressed in PDF files.
- Pngcheck - Verifies the integrity of PNG and dump all of the chunk-level information in human-readable form.
apt-get install pngcheck
- ResourcesExtract - Extract various filetypes from exes.
- Shellbags - Investigate NT_USER.dat files.
- Snow - A Whitespace Steganography Tool.
- USBRip - Simple CLI forensics tool for tracking USB device artifacts (history of USB events) on GNU/Linux.
- Volatility - To investigate memory dumps.
- Wireshark - Used to analyze pcap or pcapng files
- A-Packets - Effortless PCAP File Analysis in Your Browser.
- Autopsy - End-to-end open source digital forensics platform.
- Binwalk - Firmware Analysis Tool.
- Bulk-extractor - High-performance digital forensics exploitation tool.
- Bkhive & samdump2 - Dump SYSTEM and SAM files.
- ChromeCacheView - Small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache.
- Creddump - Dump Windows credentials.
- Exiftool - Read, write and edit file metadata.
- Extundelete - Utility that can recover deleted files from an ext3 or ext4 partition.
- firmware-mod-kit - Modify firmware images without recompiling.
- Foremost - Console program to recover files based on their headers, footers, and internal data structures.
- Forensic Toolkit - It scans a hard drive looking for various information. It can, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.
- Forensically - Free online tool to analysis image this tool has many features.
- MZCacheView - Small utility that reads the cache folder of Firefox/Mozilla/Netscape Web browsers, and displays the list of all files currently stored in the cache.
- NetworkMiner Network Forensic Analysis Tool (NFAT).
- OfflineRegistryView - Simple tool for Windows that allows you to read offline Registry files from external drive.
- photorec - File data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory.
- Registry Viewer - Tool to view Windows registers.
- Scalpel - Open source data carving tool.
- The Sleuth Kit - Collection of command line tools and a C library that allows you to analyze disk images and recover files from them.
- USBRip - Simple CLI forensics tool for tracking USB device artifacts (history of USB events) on GNU/Linux.
- Volatility - An advanced memory forensics framework.
- Wireshark - Tool to analyze pcap or pcapng files.
- X-Ways - Advanced work environment for computer forensic examiners.
Registry Viewers
- OfflineRegistryView - Simple tool for Windows that allows you to read offline Registry files from external drive and view the desired Registry key in .reg file format.
- Registry Viewer® - Used to view Windows registries.
Tools used for solving Misc challenges
Bruteforcers:
- changeme - A default credential scanner.
- Hashcat - Advanced Password Recovery.
- Hydra - Parallelized login cracker which supports numerous protocols to attack.
- John the Ripper - Open Source password security auditing and password recovery.
- jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens.
- Ophcrack - Free Windows password cracker based on rainbow tables.
- Patator - Multi-purpose brute-forcer, with a modular design and a flexible usage.
- Turbo Intruder - Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
Esoteric Languages:
- Brainfuck - Brainfuck esoteric programming language IDE.
- COW - It is a Brainfuck variant designed humorously with Bovinae in mind.
- Malbolge - Malbolge esoteric programming language solver.
- Ook! - Tool for decoding / encoding in Ook!
- Piet - Piet programming language compiler.
- Rockstar - A language intended to look like song lyrics.
- Try It Online - An online tool that has a ton of Esoteric language interpreters.
Sandboxes:
- Any.run - Interactive malware hunting service.
- Intezer Analyze - Malware analysis platform.
- Triage - State-of-the-art malware analysis sandbox designed for cross-platform support.
Tools used for solving Networking challenges
- Masscan - Mass IP port scanner, TCP port scanner.
- Monit - A linux tool to check a host on the network (and other non-network activities).
- Nipe - Nipe is a script to make Tor Network your default gateway.
- Nmap - An open source utility for network discovery and security auditing.
- Wireshark - Analyze the network dumps.
apt-get install wireshark
- Zeek - An open-source network security monitor.
- Zmap - An open-source network scanner.
Tools used for solving Reversing challenges
-
Androguard - Reverse engineer Android applications.
-
Angr - platform-agnostic binary analysis framework.
-
Apk2Gold - Yet another Android decompiler.
-
ApkTool - Android Decompiler.
-
Barf - Binary Analysis and Reverse engineering Framework.
-
Binary Ninja - Binary analysis framework.
-
BinUtils - Collection of binary tools.
-
BinWalk - Analyze, reverse engineer, and extract firmware images.
-
Boomerang - Decompile x86/SPARC/PowerPC/ST-20 binaries to C.
-
ctf_import – run basic functions from stripped binaries cross platform.
-
cwe_checker - cwe_checker finds vulnerable patterns in binary executables.
-
demovfuscator - A work-in-progress deobfuscator for movfuscated binaries.
-
Frida - Dynamic Code Injection.
-
GDB - The GNU project debugger.
-
GEF - GDB plugin.
-
Ghidra - Open Source suite of reverse engineering tools. Similar to IDA Pro.
-
Hopper - Reverse engineering tool (disassembler) for OSX and Linux.
-
IDA Pro - Most used Reversing software.
-
Jadx - Decompile Android files.
-
Java Decompilers - An online decompiler for Java and Android APKs.
-
Krakatau - Java decompiler and disassembler.
-
Objection - Runtime Mobile Exploration.
-
PEDA - GDB plugin (only python2.7).
-
Pin - A dynamic binary instrumentaion tool by Intel.
-
PINCE - GDB front-end/reverse engineering tool, focused on game-hacking and automation.
-
PinCTF - A tool which uses intel pin for Side Channel Analysis.
-
Plasma - An interactive disassembler for x86/ARM/MIPS which can generate indented pseudo-code with colored syntax.
-
Pwndbg - A GDB plugin that provides a suite of utilities to hack around GDB easily.
-
radare2 - A portable reversing framework.
-
Triton - Dynamic Binary Analysis (DBA) framework.
-
Uncompyle - Decompile Python 2.7 binaries (.pyc).
-
WinDbg - Windows debugger distributed by Microsoft.
-
Xocopy - Program that can copy executables with execute, but no read permission.
-
Z3 - A theorem prover from Microsoft Research.
-
Androguard - Androguard is a full python tool to play with Android files.
-
Angr - A powerful and user-friendly binary analysis platform.
-
Apk2gold - CLI tool for decompiling Android apps to Java.
-
ApkTool - A tool for reverse engineering 3rd party, closed, binary Android apps.
-
Binary Ninja - Binary Analysis Framework.
-
BinUtils - Collection of binary tools.
-
CTF_import - Run basic functions from stripped binaries cross platform.
-
Compiler Explorer - Online compiler tool.
-
CWE_checker - Finds vulnerable patterns in binary executables.
-
Demovfuscator - A work-in-progress deobfuscator for movfuscated binaries.
-
Disassembler.io - Disassemble On Demand. A lightweight, online service for when you don’t have the time, resources, or requirements to use a heavier-weight alternative.
-
dnSpy - .NET debugger and assembly editor.
-
EasyPythonDecompiler - A small .exe GUI application that will "decompile" Python bytecode, often seen in .pyc extension.
-
Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
-
GDB - The GNU Project debugger.
-
GEF - A modern experience for GDB with advanced debugging features for exploit developers & reverse engineers.
-
Ghidra - A software reverse engineering (SRE) suite of tools developed by NSA.
-
Hopper - Reverse engineering tool (disassembler) for OSX and Linux.
-
IDA Pro - Most used Reversing software.
-
Jadx - Command line and GUI tools for producing Java source code from Android Dex and Apk files.
-
Java Decompilers - An online decompiler for Java and Android APKs.
-
JSDetox - A JavaScript malware analysis tool.
-
miasm - Reverse engineering framework in Python.
-
Objection - Runtime mobile exploration.
-
Online Assembler/Disassembler - Online wrappers around the Keystone and Capstone projects.
-
PEDA - Python Exploit Development Assistance for GDB.
-
PEfile - Python module to read and work with PE (Portable Executable) files.
-
Pwndbg - Exploit Development and Reverse Engineering with GDB Made Easy.
-
radare2 - UNIX-like reverse engineering framework and command-line toolset.
-
Rizin - Rizin is a fork of the radare2 reverse engineering framework with a focus on usability, working features and code cleanliness.
-
Uncompyle - A Python 2.7 byte-code decompiler (.pyc)
-
WinDBG - Windows debugger distributed by Microsoft.
-
Z3 - A theorem prover from Microsoft Research.
-
DogBolt - This gives output of many decompilers JavaScript Deobfuscators
-
Detox - A Javascript malware analysis tool.
-
Revelo - Analyze obfuscated Javascript code.
SWF Analyzers
- RABCDAsm - Collection of utilities including an ActionScript 3 assembler/disassembler.
- Swftools - Collection of utilities to work with SWF files.
- Xxxswf - A Python script for analyzing Flash files.
Various kind of useful services available around the internet
- CSWSH - Cross-Site WebSocket Hijacking Tester.
- Request Bin - Lets you inspect http requests to a particular url.
Tools used for solving Steganography challenges
-
AperiSolve - Aperi'Solve is a platform which performs layer analysis on image (open-source).
-
Convert - Convert images b/w formats and apply filters.
-
Exif - Shows EXIF information in JPEG files.
-
Exiftool - Read and write meta information in files.
-
Exiv2 - Image metadata manipulation tool.
-
Image Steganography - Embeds text and files in images with optional encryption. Easy-to-use UI.
-
Image Steganography Online - This is a client-side Javascript tool to steganographically hide images inside the lower "bits" of other images
-
ImageMagick - Tool for manipulating images.
-
Outguess - Universal steganographic tool.
-
Pngtools - For various analysis related to PNGs.
apt-get install pngtools
-
SmartDeblur - Used to deblur and fix defocused images.
-
Steganabara - Tool for stegano analysis written in Java.
-
SteganographyOnline - Online steganography encoder and decoder.
-
Stegbreak - Launches brute-force dictionary attacks on JPG image.
-
StegCracker - Steganography brute-force utility to uncover hidden data inside files.
-
stegextract - Detect hidden files and text in images.
-
Steghide - Hide data in various kind of images.
-
StegOnline - Conduct a wide range of image steganography operations, such as concealing/revealing files hidden within bits (open-source).
-
Stegsolve - Apply various steganography techniques to images.
-
Zsteg - PNG/BMP analysis.
-
AperiSolve - Platform which performs layer analysis on images.
-
BPStegano - Python3 based LSB steganography.
-
DeepSound - Freeware steganography tool and audio converter that hides secret data into audio files.
-
DTMF Detection - Audio frequencies common to a phone button.
-
DTMF Tones - Audio frequencies common to a phone button.
-
Exif - Shows EXIF information in JPEG files.
-
Exiv2 - Image metadata manipulation tool.
-
FotoForensics - Provides budding researchers and professional investigators access to cutting-edge tools for digital photo forensics.
-
hipshot - Tool to converts a video file or series of photographs into a single image simulating a long-exposure photograph.
-
Image Error Level Analyzer - Tool to analyze digital images. It's also free and web based. It features error level analysis, clone detection and more.
-
Image Steganography - Client-side Javascript tool to steganographically hide/unhide images inside the lower "bits" of other images.
-
ImageMagick - Tool for manipulating images.
-
jsteg - Command-line tool to use against JPEG images.
-
Magic Eye Solver - Get hidden information from images.
-
Outguess - Universal steganographic tool.
-
Pngcheck - Verifies the integrity of PNG and dump all of the chunk-level information in human-readable form.
-
Pngtools - For various analysis related to PNGs.
-
sigBits - Steganography significant bits image decoder.
-
SmartDeblur - Restoration of defocused and blurred photos/images.
-
Snow - Whitespace Steganography Tool
-
Sonic Visualizer - Audio file visualization.
-
Steganography Online - Online steganography encoder and decoder.
-
Stegbreak - Launches brute-force dictionary attacks on JPG image.
-
StegCracker - Brute-force utility to uncover hidden data inside files.
-
stegextract - Detect hidden files and text in images.
-
Steghide - Hide data in various kinds of image- and audio-files.
-
StegOnline - Conduct a wide range of image steganography operations, such as concealing/revealing files hidden within bits.
-
Stegosaurus - A steganography tool for embedding payloads within Python bytecode.
-
StegoVeritas - Yet another stego tool.
-
Stegpy - Simple steganography program based on the LSB method.
-
stegseek - Lightning fast steghide cracker that can be used to extract hidden data from files.
-
stegsnow - Whitespace steganography program.
-
Stegsolve - Apply various steganography techniques to images.
-
Zsteg - PNG/BMP analysis.
WavSteg: A tool to hide data in WAV audio files or extract hidden data. Sonic Visualiser / Friture: Tools to visualise sound waves and frequencies—useful for audio-based steganography challenges. Exiftool: Extracts metadata from images, audio, and video files, potentially revealing hidden information.
https://book.hacktricks.wiki/en/index.html
https://dvd848.github.io/CTFs/CheatSheet.html
Tools used for solving Web challenges
-
BurpSuite - A graphical tool to testing website security.
-
Commix - Automated All-in-One OS Command Injection and Exploitation Tool.
-
Hackbar - Firefox addon for easy web exploitation.
-
OWASP ZAP - Intercepting proxy to replay, debug, and fuzz HTTP requests and responses
-
Postman - Add on for chrome for debugging network requests.
-
Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
-
SQLMap - Automatic SQL injection and database takeover tool.
pip install sqlmap -
W3af - Web Application Attack and Audit Framework.
-
XSSer - Automated XSS testor.
-
Arachni - Web Application Security Scanner Framework.
-
Beautifier.io - Online JavaScript Beautifier.
-
BurpSuite - A graphical tool to testing website security.
-
Commix - Automated All-in-One OS Command Injection Exploitation Tool.
-
debugHunter - Discover hidden debugging parameters and uncover web application secrets.
-
Dirhunt - Find web directories without bruteforce.
-
dirsearch - Web path scanner.
-
nomore403 - Tool to bypass 40x errors.
-
ffuf - Fast web fuzzer written in Go.
-
git-dumper - A tool to dump a git repository from a website.
-
Gopherus - Tool that generates gopher link for exploiting SSRF and gaining RCE in various servers.
-
Hookbin - Free service that enables you to collect, parse, and view HTTP requests.
-
JSFiddle - Test your JavaScript, CSS, HTML or CoffeeScript online with JSFiddle code editor.
-
ngrok - Secure introspectable tunnels to localhost.
-
OWASP Zap - Intercepting proxy to replay, debug, and fuzz HTTP requests and responses.
-
PHPGGC - Library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
-
Postman - Addon for chrome for debugging network requests.
-
REQBIN - Online REST & SOAP API Testing Tool.
-
Request Bin - A modern request bin to inspect any event by Pipedream.
-
Revelo - Analyze obfuscated Javascript code.
-
Smuggler - An HTTP Request Smuggling / Desync testing tool written in Python3.
-
SQLMap - Automatic SQL injection and database takeover tool.
-
W3af - Web application attack and audit framework.
-
XSSer - Automated XSS testor.
-
ysoserial - Tool for generating payloads that exploit unsafe Java object deserialization.
-
UnderTheWire is another awesome website that offers PowerShell-based wargames designed explicitly for the cybersecurity community. Similar to OverTheWire, UnderTheWire employs wargames to sharpen PowerShell skills with rare instances and practical problem-solving techniques. The platform has five sets of levels for increasing difficulty, which can be adjusted to suit the level of users and the level they are playing at.
Root-Me PRO is a more advanced version of Root-me and is entirely dedicated to ethical hacking. The website has three main levels of CTF — Jeopardy CTF, Attack – Defense CTF, and Custom Cybersecurity Event. By signing up for challenges, users get SSH access to remote systems where they can participate in exploits and earn bounties. Additionally, the website has options to onboard cybersecurity training for companies, schools, colleges, and universities.
Developed for the Whitehat hacker community, Bugcrowd University doesn’t miss when it comes to CTF competitions and online training. The firm provides numerous programs and challenges through open-source instructional content that cybersecurity experts have carefully chosen. It regularly runs CTF events on its website and offers rewards to select winners. Additionally, the site has a wide range of educational content that can assist beginners to start their cybersecurity journey.
Burp Suite: An advanced web vulnerability scanner with a suite of tools to test and manipulate web traffic. Postman: A tool to send API requests and inspect their responses, often helpful in testing or exploiting web applications. OWASP ZAP: A web application security scanner that helps detect vulnerabilities in web applications, similar to Burp Suite but open-source. Web Apps Guyerre web app game: http://google-gruyere.appspot.com/
Hackademic from owasp: https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project
Memory http://www.honeynet.org/challenges/2011_7_compromised_server
Where to discover about CTF
Penetration testing and security lab Operating Systems
- Android Tamer - Based on Debian.
- BackBox - Based on Ubuntu.
- BlackArch Linux - Based on Arch Linux.
- Fedora Security Lab - Based on Fedora.
- Kali Linux - Based on Debian.
- Parrot Security OS - Based on Debian.
- Pentoo - Based on Gentoo.
- URIX OS - Based on openSUSE.
- Wifislax - Based on Slackware.
Malware analysts and reverse-engineering
Collections of installer scripts, useful tools
- CTF Tools - Collection of setup scripts to install various security research tools.
- LazyKali - A 2016 refresh of LazyKali which simplifies install of tools and configuration.
Tools used for creating CTF challenges
- Kali Linux CTF Blueprints - Online book on building, testing, and customizing your own Capture the Flag challenges.
Tools used for creating Forensics challenges
- Dnscat2 - Hosts communication through DNS.
- Kroll Artifact Parser and Extractor (KAPE) - Triage program.
- Magnet AXIOM - Artifact-centric DFIR tool.
- Registry Dumper - Dump your registry.
- Belkasoft RAM Capturer - Volatile Memory Acquisition Tool.
Projects that can be used to host a CTF
- CTFd - Platform to host jeopardy style CTFs from ISISLab, NYU Tandon.
- echoCTF.RED - Develop, deploy and maintain your own CTF infrastructure.
- FBCTF - Platform to host Capture the Flag competitions from Facebook.
- Haaukins- A Highly Accessible and Automated Virtualization Platform for Security Education.
- HackTheArch - CTF scoring platform.
- Mellivora - A CTF engine written in PHP.
- MotherFucking-CTF - Badass lightweight plaform to host CTFs. No JS involved.
- NightShade - A simple security CTF framework.
- OpenCTF - CTF in a box. Minimal setup required.
- PicoCTF - The platform used to run picoCTF. A great framework to host any CTF.
- PyChallFactory - Small framework to create/manage/package jeopardy CTF challenges.
- RootTheBox - A Game of Hackers (CTF Scoreboard & Game Manager).
- Scorebot - Platform for CTFs by Legitbs (Defcon).
- SecGen - Security Scenario Generator. Creates randomly vulnerable virtual machines.
- kCTF - Kubernetes-based infrastructure for CTF competitions.
- LibreCTF - CTF platform from EasyCTF.
- rCTF - CTF platform maintained by the redpwn CTF team.
- ImaginaryCTF - Platform to host CTFs.
Tools used to create stego challenges
Check solve section for steganography.
Tools used for creating Web challenges
JavaScript Obfustcators
Tutorials to learn how to play CTFs
-
CTF Field Guide - Field Guide by Trails of Bits.
-
CTF Resources - Start Guide maintained by community.
-
How to Get Started in CTF - Short guideline for CTF beginners by Endgame
-
Intro. to CTF Course - A free course that teaches beginners the basics of forensics, crypto, and web-ex.
-
IppSec - Video tutorials and walkthroughs of popular CTF platforms.
-
LiveOverFlow - Video tutorials on Exploitation.
-
MIPT CTF - A small course for beginners in CTFs (in Russian).
Always online CTFs
-
Backdoor - Security Platform by SDSLabs.
-
Crackmes - Reverse Engineering Challenges.
-
echoCTF.RED - Online CTF with a variety of targets to attack.
-
Exploit Exercises - Variety of VMs to learn variety of computer security issues.
-
Exploit.Education - Variety of VMs to learn variety of computer security issues.
-
Gracker - Binary challenges having a slow learning curve, and write-ups for each level.
-
Hack The Box - Weekly CTFs for all types of security enthusiasts.
-
Hack This Site - Training ground for hackers.
-
Hacker101 - CTF from HackerOne
-
Hacking-Lab - Ethical hacking, computer network and security challenge platform.
-
Hone Your Ninja Skills - Web challenges starting from basic ones.
-
IO - Wargame for binary challenges.
-
Microcorruption - Embedded security CTF.
-
Over The Wire - Wargame maintained by OvertheWire Community.
-
PentesterLab - Variety of VM and online challenges (paid).
-
PicoCTF - All year round ctf game. Questions from the yearly picoCTF competition.
-
PWN Challenge - Binary Exploitation Wargame.
-
Pwnable.kr - Pwn Game.
-
Pwnable.tw - Binary wargame.
-
Pwnable.xyz - Binary Exploitation Wargame.
-
Reversin.kr - Reversing challenge.
-
Ringzer0Team - Ringzer0 Team Online CTF.
-
Root-Me - Hacking and Information Security learning platform.
-
ROP Wargames - ROP Wargames.
-
SANS HHC - Challenges with a holiday theme released annually and maintained by SANS.
-
SmashTheStack - A variety of wargames maintained by the SmashTheStack Community.
-
Viblo CTF - Various amazing CTF challenges, in many different categories. Has both Practice mode and Contest mode.
-
VulnHub - VM-based for practical in digital security, computer application & network administration.
-
W3Challs - A penetration testing training platform, which offers various computer challenges, in various categories.
-
WebHacking - Hacking challenges for web.
-
HackLIDO - Game hacking, reverse engineering & ethical hacking. Learn how to reverse, hack & code
-
0x0539 - Online CTF challenges.
-
247CTF - Free Capture The Flag Hacking Environment.
-
Archive.ooo - Live, playable archive of DEF CON CTF challenges.
-
Atenea - Spanish CCN-CERT CTF platform.
-
CTFlearn - Online platform built to help ethical hackers learn, practice, and compete.
-
CTF365 - Security Training Platform.
-
Crackmes.One - Reverse Engineering Challenges.
-
CryptoHack - Cryptography Challenges.
-
Defend the Web - An Interactive Cyber Security Platform.
-
Dreamhack.io - Online wargame.
-
echoCTF.RED - Online Hacking Laboratories.
-
Flagyard - An Online Playground of Hands-on Cybersecurity Challenges.
-
HackBBS - Online wargame.
-
Hackropole - This platform allows you to replay the challenges of the France Cybersecurity Challenge.
-
HackTheBox - A Massive Hacking Playground.
-
HackThisSite - Free, safe and legal training ground for hackers.
-
HBH - Community designed to teach methods and tactics used by malicious hackers to access systems and sensitive information.
-
Komodo - This is a game designed to challenge your application hacking skills.
-
MicroCorruption - Embedded Security CTF.
-
MNCTF - Online cybersecurity challenges.
-
OverTheWire - Wargame offered by the OverTheWire community.
-
picoCTF - Beginner-friendly CTF platform.
-
Pwn.college - Education platform to learn about, and practice, core cybersecurity concepts.
-
PWN.TN - Educational and non commercial wargame.
-
Pwnable.kr - Pwn/Exploiting platform.
-
Pwnable.tw - Pwn/Exploiting platform.
-
Pwnable.xyz - Pwn/Exploiting platform.
-
PWNChallenge - Pwn/Exploiting platform.
-
Reversing.kr - Reverse Engineering platform.
-
Root-me - CTF training platform.
-
VibloCTF - CTF training platform.
-
VulnHub - VM-based pentesting platform.
-
W3Challs - Hacking/CTF platform.
-
WebHacking - Web challenges platform.
-
Websec.fr - Web challenges platform.
-
WeChall - Challenge sites directory & forum.
-
YEHD 2015 - YEHD CTF 2015 online challenges -CTF-LEARN - The most beginner-friendly way to get into hacking.
-
TryHackMe - huge number of training rooms
-
Web Security Academy - Free, online web security training from the creators of Burp Suite
-
hacktoria - story driven OSINT CTF
Self-hosted CTFs
- Damn Vulnerable Web Application - PHP/MySQL web application that is damn vulnerable.
- Juice Shop CTF - Scripts and tools for hosting a CTF on OWASP Juice Shop easily.
- AWSGoat - A Damn Vulnerable AWS Infrastructure.
- CICD-goat - A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
- Damn Vulnerable Web Application - PHP/MySQL web application that is damn vulnerable.
- GCPGoat - A Damn Vulnerable GCP Infrastructure.
- Juice Shop - Capture-the-Flag (CTF) environment setup tools for OWASP Juice Shop.
- CTFNote - Collaborative tool aiming to help CTF teams to organise their work.
- GSMEVIL 2 : a python web based tool which use for capturing imsi numbers and sms
- RouterSploit : an open-source exploitation framework dedicated to embedded devices.
- moroccan numbers : site:wa.me “+212”
Various general websites about and on CTF
- Awesome CTF Cheatsheet - CTF Cheatsheet.
- CTF Time - General information on CTF occuring around the worlds.
- Reddit Security CTF - Reddit CTF category.
Various Wikis available for learning about CTFs
- Bamboofox - Chinese resources to learn CTF.
- bi0s Wiki - Wiki from team bi0s.
- CTF Cheatsheet - CTF tips and tricks.
- ISIS Lab - CTF Wiki by Isis lab.
- OpenToAll - CTF tips by OTA CTF team members.
Collections of CTF write-ups
- 0e85dc6eaf - Write-ups for CTF challenges by 0e85dc6eaf
- Captf - Dumped CTF challenges and materials by psifertex.
- CTF write-ups (community) - CTF challenges + write-ups archive maintained by the community.
- CTFTime Scrapper - Scraps all writeup from CTF Time and organize which to read first.
- HackThisSite - CTF write-ups repo maintained by HackThisSite team.
- Mzfr - CTF competition write-ups by mzfr
- pwntools writeups - A collection of CTF write-ups all using pwntools.
- SababaSec - A collection of CTF write-ups by the SababaSec team
- Shell Storm - CTF challenge archive maintained by Jonathan Salwan.
- Smoke Leet Everyday - CTF write-ups repo maintained by SmokeLeetEveryday team.
Repository of CTF Writeups
- Courgettes.Club - CTF Writeup Finder.
- CTFtime - CTFtime Writeups Collection.
- Github.com/CTFs - Collection of CTF Writeups.
- Braincoke - Blog and Collection of CTF Writeups.
- Roppers Bootcamp - CTF Bootcamp.
The resources presented here have been gathered from numerous sources. However, the most important are:
-
zlib Decompressor - It's somewhat useful to extract data from corrupted ZIP archives and other binary blobs which might contains DEFLATE streams.
Pwn / RE Pwn.College ROP Emporium Exploit Education How2Heap Pwnables Deusx64 Roppers Academy Azeria Labs Reversing Challenges Begin RE CrackMes
Blue Team LetsDefend Blue Team Labs Online Cyber Defenders Attack Defense Immersive Labs
Videos LiveOverflow John Hammond IppSec XCT Gynvael ZetaTwo PwnFunction 0xdf 247CTF MalFind DayZeroSec Rana Khalil PinkDraconian Superhero1 S1lk Alh4zr3d Paweł Łukasik Ephemeral Hak5 Conda HackerSploit Condingo InsiderPhd HackSplained TheCyberMentor StackSmashing Cybersecurity Meg Tib3rius SecAura DarkSec Hexorcist PwnCollege NahamSec Optional TheHackerish Ryan Gordon AlmondForce VulnMachines More Even More..
Tools Ghidra Volatility PwnTools CyberChef DCode Decompile Code Run Code GTFOBins ExploitDB RevShells
More Resources Bug Bounty Platforms HackTricks CTF Resources Security Resources Bug Bounty Resources Seal9055 Resources Forensics Learn RE Learn BinExp HTB Writeups