This guide will be a handy reference point for tools you might want / need for the Beginner CTF and beyond (although it's far from exhaustive)
General Pointers
Make sure to ask for help! CTFs are played in teams for a reason: work with your team and feel free to ask the SIGINT members that are around any questions about challenges. We won't solve the challenge for you, but we will push you in the right direction and make sure you're working along the right lines and not bashing your head against a wall.
If you are running Windows we strongly recommend that you have WSL (Windows Subsystem for Linux) installed on your system, as it allows you to run a Linux instance on your machine without needing to dual boot or ever leave Windows. It's needed because many CTF challenges may only provide Linux binaries and many tools only provide Linux support (plus, if you're an informatics student, you'd need some way to use Linux sooner or later anyway).
Make sure you have Python installed and you understand how to program in it and install new packages with pip, because it is by far the most common way to create exploits and interact with challenges.
If you have any issues setting up or have any questions in general, feel free to DM platinumxy or emily.747 on Discord, or ask in the SIGINT Discord server for help.
Web Challenges
- PortSwigger's BurpSuite
  - Allows you to see everything normally hidden that your browser and server send between one another
  - Allows you to send forged requests that normal browsers are unable to produce
- Mozilla developer docs
  - Useful checklist for finding things you can use that were missing from filters
  - Great for reminding yourself of headers or tags you've forgotten
- cURL
  - Command line tool allowing you to quickly send and receive web requests of all kinds
  - Pretty much all attacks you use Burp Suite for can be done in it, though it's not as pretty
  - Make sure to use -vvv to see full details of what's happening between the request and the response
If you want to practice web exploitation, the best place to do it is PortSwigger Academy, as it has detailed lessons and labs for most web challenges
Reverse Engineering Challenges
- Binary Ninja / Ghidra
  - This will be your bread and butter for converting program binaries into something you can read and understand
  - Both of them can be used, however my advice is to learn one well.
  - For people who've never reversed a binary before I strongly recommend Binary Ninja
  - If you know the basics of one, don't feel you need to change.
- JS de-obfuscators
  - There's no one definitive tool to use for this, because of how many different JS obfuscations there are and most de-obfuscators being specialised
  - You'll probably have to try a few before you find some readable code
  - You may need to use one after another (though that's not common)
  - Just be aware they exist, and that some common encodings like JSFuck do too
If you'd like to see how you can solve some real CTF challenges / push yourself after the beginner CTF, have a look at Platinumxy's writeups of ToasterBirb's challenges
Pwn Challenges
- pwntools
  - Allows you to quickly develop exploits for binaries, with easy ways to manage the I/O
  - Lets you connect to remote servers over TCP to send exploits
  - Lets you generate shellcode for a target
- GDB, or WinGDB for Windows
  - Lets you inspect the behaviour of memory and registers of any binary
  - Lets you step through execution and modify behaviour to test exploits
  - For some basic usage advice have a look at Emily's guide
- Binary Ninja
  - As said above, it's critical you have a way to convert the binary into a readable version you can work with
  - It's important for rev, but make especially sure you're confident reading the asm
To push yourself further after the CTF, pwn college has tons of lessons and practice for pwn, and Andrej's Notes are an excellent reference sheet
Crypto Challenges
- pycryptodome
  - It's not really a useful tool per se, rather it's more a mandatory Python library if you want to play crypto
- Sage Maths
  - Incredibly powerful language extension for Python that allows complex algebra to be quickly computed
  - Can solve modular arithmetic, large primes, lattice reduction, and elliptic curves
  - Generally really useful for symbolic solves of calculus and linear algebra questions, which will generally help you in any maths course you have to do
  - Very effective at most CTF crypto attacks like RSA key recovery and discrete logs
- CryptoHack's Docker Image
  - Gives you a preconfigured Dockerfile for performing crypto challenges within, without cluttering up your host env
  - Includes the needed Python libraries and Sage Maths already
Miscellaneous Challenges
- GCHQ's CyberChef
  - Can be used for most data conversions / manipulations you could ever need
    - Conversions
    - Base encodings
    - Encryption and Decryption
  - Additionally can often detect possible encodings / file types to help you
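As an added example (not part of the original guide, and not CyberChef's own code), the script below does in plain Python what you would normally reach for CyberChef's encoding detection for: it guesses which common CTF encoding a blob is in and peels the layers off one at a time until a flag appears or nothing decodes any further. The flag{...} format and the sample inputs are assumptions.

```python
import base64
import binascii
import codecs
import re
import string

PRINTABLE = set(string.printable)
FLAG_RE = re.compile(rb"flag\{[^}]*\}", re.I)  # assumed flag format
def _printable(data: bytes) -> bool:
    try:
        text = data.decode()
    except UnicodeDecodeError:
        return False
    return bool(text) and all(c in PRINTABLE for c in text)

def try_decode(data: bytes):
    """Return (encoding, decoded) for the first decoding giving printable output, else None.
    Hex is tried before base64: every even-length hex string is also valid base64 syntax."""
    s = data.strip()
    candidates = []
    if len(s) % 2 == 0 and re.fullmatch(rb"[0-9a-fA-F]+", s):
        candidates.append(("hex", lambda: binascii.unhexlify(s)))
    if len(s) % 8 == 0 and re.fullmatch(rb"[A-Z2-7]+=*", s):
        candidates.append(("base32", lambda: base64.b32decode(s)))
    if len(s) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+=*", s):
        candidates.append(("base64", lambda: base64.b64decode(s, validate=True)))
    for name, decode in candidates:
        try:
            out = decode()
        except (binascii.Error, ValueError):
            continue
        if out != s and _printable(out):
            return name, out
    # ROT13 has no signature of its own, so it is only accepted when it reveals a flag.
    rotated = codecs.decode(s.decode("ascii", "replace"), "rot13").encode()
    if FLAG_RE.search(rotated) and not FLAG_RE.search(s):
        return "rot13", rotated
    return None

def peel(data: bytes, max_layers: int = 10):
    """Decode layer after layer until a flag appears or nothing decodes further."""
    layers, cur = [], data
    for _ in range(max_layers):
        step = None if FLAG_RE.search(cur) else try_decode(cur)
        if step is None:
            break
        layers.append(step[0])
        cur = step[1]
    return layers, cur
```

Like CyberChef's detection, this is heuristic: a blob that happens to decode to printable junk will still be reported as a layer, so check the output rather than trusting the encoding names blindly.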
- dCode.fr
  - Has pretty much every cipher under the sun https://www.dcode.fr/tools-list
  - Along with a cipher identifier that can detect a lot of common ciphers https://www.dcode.fr/cipher-identifier
    - Although don't use it as a crutch, as it'll happily give false positives
- Google / DuckDuckGo
  - Sounds cliché, but it is your best ally in finding new information, which is what a misc challenge is at its heart
  - When searching things to do with exploits use DuckDuckGo, as Google blocks most hacking-related links