# Practical CTF

## Practical CTF

- [Home - Practical CTF](https://book.jorianwoltjer.com/readme.md): A big collection of my notes for Capture The Flag (CTF) challenges and Hacking Techniques
- [Enumeration](https://book.jorianwoltjer.com/web/enumeration.md): Find all content and functionality on a website, to get an idea of the attack surface. Often through fuzzing
- [Finding Hosts & Domains](https://book.jorianwoltjer.com/web/enumeration/finding-hosts-and-domains.md): Find domain names and hosts relating to a company
- [Masscan](https://book.jorianwoltjer.com/web/enumeration/masscan.md): Use masscan to asynchronously scan for open ports at incredible speeds, then later analyze the results with other tools
- [Nmap](https://book.jorianwoltjer.com/web/enumeration/nmap.md): Network scanning tool with enumeration script to get detailed information about TCP/UDP ports, and the underlying system
- [OSINT](https://book.jorianwoltjer.com/web/enumeration/osint.md): Open Source INTelligence: Abusing public information
- [Client-Side](https://book.jorianwoltjer.com/web/client-side.md): Attacks on the browser, often involving the victim landing on an attacker's site
- [Cross-Site Scripting (XSS)](https://book.jorianwoltjer.com/web/client-side/cross-site-scripting-xss.md): Inject JavaScript code on victims to perform actions on their behalf
- [HTML Injection](https://book.jorianwoltjer.com/web/client-side/cross-site-scripting-xss/html-injection.md): Tricks possible with malicious HTML, in case XSS is not quite possible
- [Content-Security-Policy (CSP)](https://book.jorianwoltjer.com/web/client-side/cross-site-scripting-xss/content-security-policy-csp.md): The CSP response header restricts what resources are allowed to execute, but can sometimes be bypassed
- [postMessage Exploitation](https://book.jorianwoltjer.com/web/client-side/cross-site-scripting-xss/postmessage-exploitation.md): Send cross-origin messages with arbitrary data, which can easily lead to Cross-Site Scripting in vulnerable handlers that fail to verify the origin
- [CSS Injection](https://book.jorianwoltjer.com/web/client-side/css-injection.md): Injecting CSS code to leak content on a page using selectors
- [Cross-Site Request Forgery (CSRF)](https://book.jorianwoltjer.com/web/client-side/cross-site-request-forgery-csrf.md): Submitting data-altering requests blindly from your domain on the client-side. Cookies are automatically sent, often requiring CSRF tokens as protection
- [XS-Leaks](https://book.jorianwoltjer.com/web/client-side/xs-leaks.md): Leaking information cross-site often through private search features
- [Client-Side Path Traversal (CSPT)](https://book.jorianwoltjer.com/web/client-side/client-side-path-traversal-cspt.md): Using ../ sequences and URL parts to rewrite requests made by the browser
- [CRLF / Header Injection](https://book.jorianwoltjer.com/web/client-side/crlf-header-injection.md): Manipulate HTTP headers in your favor or insert completely new ones with even more control
- [Window Popup Tricks](https://book.jorianwoltjer.com/web/client-side/window-popup-tricks.md): Abusing browser functionality to do interesting things with popups and interactions
- [WebSockets](https://book.jorianwoltjer.com/web/client-side/websockets.md)
- [Caching](https://book.jorianwoltjer.com/web/client-side/caching.md): Remember static content so that the backend has to resolve fewer requests
- [Headless Browsers](https://book.jorianwoltjer.com/web/client-side/headless-browsers.md): Tricks for dealing with input into headless browsers on the server, using client-side methods
- [Server-Side](https://book.jorianwoltjer.com/web/server-side.md): Attacks that have impact on the server, often by abusing dangerous functionality
- [SQL Injection](https://book.jorianwoltjer.com/web/server-side/sql-injection.md): An infamous and simple attack where code is injected where data should be, rewriting the SQL Query
- [NoSQL Injection](https://book.jorianwoltjer.com/web/server-side/nosql-injection.md): NoSQL databases are a type of database where objects are used instead of SQL strings. MongoDB is common but more are vulnerable
- [GraphQL](https://book.jorianwoltjer.com/web/server-side/graphql.md): Query structured data through an API and perform mutations with authorization
- [XML External Entities (XXE)](https://book.jorianwoltjer.com/web/server-side/xml-external-entities-xxe.md): Injecting Entities into XML data to read local files and exfiltrate data
- [HTTP Request Smuggling](https://book.jorianwoltjer.com/web/server-side/http-request-smuggling.md): Parsing of Content-Length and Transfer-Encoding headers leads to messing with boundaries of requests
- [Local File Disclosure](https://book.jorianwoltjer.com/web/server-side/local-file-disclosure.md): Gain information by reading files on a web server, also known as Local File Inclusion (LFI)
- [Arbitrary File Write](https://book.jorianwoltjer.com/web/server-side/arbitrary-file-write.md): Being able to create or overwrite files on a server, often causing Remote Code Execution (RCE)
- [Reverse Proxies](https://book.jorianwoltjer.com/web/server-side/reverse-proxies.md): Servers on top of web applications that route traffic, manage headers and more
- [ImageMagick](https://book.jorianwoltjer.com/web/server-side/imagemagick.md): A tool/library for converting and editing images of many formats, with some older versions having known vulnerabilities
- [Frameworks](https://book.jorianwoltjer.com/web/frameworks.md): Libraries for specific programming languages that make development easier, with their own quirks
- [Flask](https://book.jorianwoltjer.com/web/frameworks/flask.md): A Python library working with Werkzeug and Jinja2
- [Ruby on Rails](https://book.jorianwoltjer.com/web/frameworks/ruby-on-rails.md): A common web framework for the Ruby Programming Language
- [NodeJS](https://book.jorianwoltjer.com/web/frameworks/nodejs.md): The backend for running JavaScript as a server or application
- [Bun](https://book.jorianwoltjer.com/web/frameworks/bun.md): An alternative JavaScript runtime with unique libraries and quirks
- [WordPress](https://book.jorianwoltjer.com/web/frameworks/wordpress.md): A popular Content Management System (CMS) for static content, with a visual UI
- [Angular](https://book.jorianwoltjer.com/web/frameworks/angular.md): Frontend framework with template-like syntax
- [Encodings](https://book.jorianwoltjer.com/cryptography/encodings.md)
- [Ciphers](https://book.jorianwoltjer.com/cryptography/ciphers.md): Ways to encrypt text. Often methods used a long time ago to send secret messages
- [AES](https://book.jorianwoltjer.com/cryptography/aes.md): The Advanced Encryption Standard is a common symmetric encryption standard with a few different modes of operation
- [Asymmetric Encryption](https://book.jorianwoltjer.com/cryptography/asymmetric-encryption.md): Using Public and Private keys to securely transmit data in a way that only the recipients can decrypt it
- [RSA](https://book.jorianwoltjer.com/cryptography/asymmetric-encryption/rsa.md): An encryption standard using prime number factorization to encrypt and decrypt with an asymmetric keypair
- [Diffie-Hellman](https://book.jorianwoltjer.com/cryptography/asymmetric-encryption/diffie-hellman.md): The Diffie-Hellman Key Exchange uses asymmetric encryption to set up a shared secret for symmetric encryption
- [PGP / GPG](https://book.jorianwoltjer.com/cryptography/asymmetric-encryption/pgp-gpg.md): The "Pretty Good Privacy" asymmetric encryption scheme used in email and sending encrypted or signed messages
- [Pseudo-Random Number Generators (PRNG)](https://book.jorianwoltjer.com/cryptography/pseudo-random-number-generators-prng.md): Often the default random function in whatever language is not cryptographically secure, making it possible to predict values
- [Hashing](https://book.jorianwoltjer.com/cryptography/hashing.md): One-way functions that generate a unique hash of some data
- [Cracking Hashes](https://book.jorianwoltjer.com/cryptography/hashing/cracking-hashes.md): The point of hashes is that you can't reverse them, but we can sometimes find the original text by brute-forcing
- [Cracking Signatures](https://book.jorianwoltjer.com/cryptography/hashing/cracking-signatures.md): Some examples of signature implementations (often HMAC) that can be cracked using hashcat
- [XOR](https://book.jorianwoltjer.com/cryptography/xor.md): An operation between bits used often in cryptography
- [Custom Ciphers](https://book.jorianwoltjer.com/cryptography/custom-ciphers.md): "Never roll your own crypto" is a saying for a reason. It's hard to make a secure cryptographic algorithm because there are many ways it may be broken
- [Z3 Solver](https://book.jorianwoltjer.com/cryptography/custom-ciphers/z3-solver.md): The Z3 Theorem Prover can automatically solve puzzles in Python
- [Timing Attacks](https://book.jorianwoltjer.com/cryptography/timing-attacks.md): Using timing information to extract information
- [Blockchain](https://book.jorianwoltjer.com/cryptography/blockchain.md)
- [Smart Contracts](https://book.jorianwoltjer.com/cryptography/blockchain/smart-contracts.md): A few small bits about attacking Smart Contracts in Web3
- [Bitcoin addresses](https://book.jorianwoltjer.com/cryptography/blockchain/bitcoin-addresses.md): A bit of information about Bitcoin addresses
- [Wireshark](https://book.jorianwoltjer.com/forensics/wireshark.md): A popular tool to analyze and extract data from network packet captures
- [File Formats](https://book.jorianwoltjer.com/forensics/file-formats.md): What to do with a file you don't understand
- [Archives](https://book.jorianwoltjer.com/forensics/archives.md): Different kinds of file archives, like ZIP, RAR or TAR
- [Memory Dumps (Volatility)](https://book.jorianwoltjer.com/forensics/memory-dumps-volatility.md): Big dump of the RAM on a system. Use tools like volatility to analyze the dumps and get information about what happened
- [VBA Macros](https://book.jorianwoltjer.com/forensics/vba-macros.md): Visual Basic for Applications is a programming language used to create macro scripts for Microsoft office apps
- [Grep](https://book.jorianwoltjer.com/forensics/grep.md): Search for text inside of files
- [Git](https://book.jorianwoltjer.com/forensics/git.md): A version control system that often saves lots of information about how files were changed
- [File Recovery](https://book.jorianwoltjer.com/forensics/file-recovery.md): Recovering content of deleted files
- [Ghidra](https://book.jorianwoltjer.com/reverse-engineering/ghidra.md): A reverse engineering tool made by the NSA with a powerful decompiler
- [Angr Solver](https://book.jorianwoltjer.com/reverse-engineering/angr-solver.md): A binary analysis tool in Python to automatically find paths to code
- [Reversing C# - .NET / Unity](https://book.jorianwoltjer.com/reverse-engineering/reversing-c-.net-unity.md): Reverse Engineering executable files compiled with C# .NET (including Unity)
- [PowerShell](https://book.jorianwoltjer.com/reverse-engineering/powershell.md): Deobfuscate heavily-obfuscated PowerShell scripts to find their source code
- [Reverse Engineering for Pwn](https://book.jorianwoltjer.com/binary-exploitation/reverse-engineering-for-pwn.md): Understand the binary and find vulnerabilities by analyzing it
- [PwnTools](https://book.jorianwoltjer.com/binary-exploitation/pwntools.md): A Python library that helps in creating scripts for binary exploitation, doing many things automagically
- [ret2win](https://book.jorianwoltjer.com/binary-exploitation/ret2win.md): Jump to a predefined function in the binary, even with arguments
- [ret2libc](https://book.jorianwoltjer.com/binary-exploitation/ret2libc.md): Using a buffer overflow to call the libc system("/bin/sh") function
- [Shellcode](https://book.jorianwoltjer.com/binary-exploitation/shellcode.md): Writing and debugging your own shellcode
- [Stack Canaries](https://book.jorianwoltjer.com/binary-exploitation/stack-canaries.md): Two protections that use a secret unpredictable value to reduce exploitability in memory corruption. Learn how to bypass them in certain scenarios
- [Return-Oriented Programming (ROP)](https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop.md): Return-Oriented Programming is a common technique for exploiting buffer overflows by executing gadgets to do what you want
- [SigReturn-Oriented Programming (SROP)](https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop/sigreturn-oriented-programming-srop.md): A special technique in ROP to set all registers only using a syscall
- [ret2dlresolve](https://book.jorianwoltjer.com/binary-exploitation/return-oriented-programming-rop/ret2dlresolve.md): A way to exploit buffer overflows using ROP when not many gadgets are available, and Full RELRO is disabled
- [Sandboxes (chroot, seccomp & namespaces)](https://book.jorianwoltjer.com/binary-exploitation/sandboxes-chroot-seccomp-and-namespaces.md): Escaping from sandboxed environments by exploiting the capabilities that were left open
- [Race Conditions](https://book.jorianwoltjer.com/binary-exploitation/race-conditions.md): Multiple processes running at the same time messing with each other or interrupting code with other code to create brief flawed states
- [Setup](https://book.jorianwoltjer.com/mobile/setup.md): Setting up an Android testing environment
- [Reversing APKs](https://book.jorianwoltjer.com/mobile/reversing-apks.md): Decompiling and understanding unknown APKs, using dynamic and static testing
- [Patching APKs](https://book.jorianwoltjer.com/mobile/patching-apks.md): After decompiling the code, you can change code and build the app again to patch the APK, and make it do different things
- [HTTP(S) Proxy for Android](https://book.jorianwoltjer.com/mobile/http-s-proxy-for-android.md): Intercept traffic going from and to an emulated Android device with Burp Suite
- [Frida](https://book.jorianwoltjer.com/mobile/frida.md): A JavaScript tool to interact with running Android applications through code
- [Android Backup](https://book.jorianwoltjer.com/mobile/android-backup.md): Extracting information from an Android Backup (.ab) file
- [Compiling C for Android](https://book.jorianwoltjer.com/mobile/compiling-c-for-android.md): Compile and run C programs on Android to debug pieces of code
- [iOS](https://book.jorianwoltjer.com/mobile/ios.md): Reverse Engineering iOS applications in .app format
- [Python](https://book.jorianwoltjer.com/languages/python.md): Some tricks specific to the Python language
- [JavaScript](https://book.jorianwoltjer.com/languages/javascript.md): A very popular language used to create interactivity on the web, and on the backend using NodeJS
- [Prototype Pollution](https://book.jorianwoltjer.com/languages/javascript/prototype-pollution.md): Exploit recursive property-setting functions with the special `.__proto__` and `.prototype` keys to add fallbacks to other property accesses
- [PHP](https://book.jorianwoltjer.com/languages/php.md): Some tricks specific to the PHP web programming language
- [Java](https://book.jorianwoltjer.com/languages/java.md): An Object-Oriented programming language often used in enterprise environments
- [C#](https://book.jorianwoltjer.com/languages/c.md): C Sharp and the .NET Framework
- [Assembly](https://book.jorianwoltjer.com/languages/assembly.md): A few cheatsheet-like things about the Assembly language
- [Markdown](https://book.jorianwoltjer.com/languages/markdown.md): Markdown is an easy-to-use markup language, used for example in GitHub READMEs
- [LaTeX](https://book.jorianwoltjer.com/languages/latex.md): A powerful language for text markup and document generation, but dangerous for user input
- [JSON](https://book.jorianwoltjer.com/languages/json.md): JSON is a widely used format to store structured data, with arrays and dictionary keys
- [YAML](https://book.jorianwoltjer.com/languages/yaml.md): Yet Another Markup Language
- [CodeQL](https://book.jorianwoltjer.com/languages/codeql.md): A query language for repositories of code
- [NASL (Nessus Plugins)](https://book.jorianwoltjer.com/languages/nasl-nessus-plugins.md): Nessus Attack Scripting Language for writing plugins
- [Regular Expressions (RegEx)](https://book.jorianwoltjer.com/languages/regular-expressions-regex.md): Regular Expressions are a syntax for writing patterns to match against. Many symbols have a special meaning, allowing you to write complex rules in a very short string
- [Modbus - TCP/502](https://book.jorianwoltjer.com/networking/modbus-tcp-502.md): A protocol for PLCs to store values in coils, inputs, and registers at addresses
- [Redis/Valkey - TCP/6379](https://book.jorianwoltjer.com/networking/redis-valkey-tcp-6379.md): An in-memory data store often used to store small data like cache, sessions or queues
- [Shells](https://book.jorianwoltjer.com/linux/hacking-linux-boxes.md): Specific tricks to get a shell for hacking Linux-based boxes
- [Bash](https://book.jorianwoltjer.com/linux/bash.md): Useful commands/syntax and bash tricks
- [Linux Privilege Escalation](https://book.jorianwoltjer.com/linux/linux-privilege-escalation.md): Go from a low-privilege user to a higher one to gain access to things you're not supposed to
- [Enumeration](https://book.jorianwoltjer.com/linux/linux-privilege-escalation/enumeration.md): Finding information about the target system to find vulnerabilities that allow privilege escalation
- [Networking](https://book.jorianwoltjer.com/linux/linux-privilege-escalation/networking.md): How to best communicate between you and everything on your target
- [Command Triggers](https://book.jorianwoltjer.com/linux/linux-privilege-escalation/command-triggers.md): Finding commands that are / can be executed with elevated privileges
- [Command Exploitation](https://book.jorianwoltjer.com/linux/linux-privilege-escalation/command-exploitation.md): Exploiting commands that are executed with elevated privileges to do more than you are supposed to
- [Outdated Versions](https://book.jorianwoltjer.com/linux/linux-privilege-escalation/outdated-versions.md): Some common services run with elevated privileges, and can be dangerous if set up incorrectly or are outdated
- [Network File Sharing (NFS)](https://book.jorianwoltjer.com/linux/linux-privilege-escalation/network-file-sharing-nfs.md): Sharing a fileserver over the network sometimes allows you to upload files as root and escalate privileges
- [Docker](https://book.jorianwoltjer.com/linux/linux-privilege-escalation/docker.md): Use containers to run applications in a reproducible and isolated environment
- [Filesystem Permissions](https://book.jorianwoltjer.com/linux/linux-privilege-escalation/filesystem-permissions.md): Wrong permissions on files may lead to someone doing what they should not be allowed to
- [Analyzing Processes](https://book.jorianwoltjer.com/linux/analyzing-processes.md): Find detailed information about other running processes using the /proc folder and other tricks
- [Scanning/Spraying](https://book.jorianwoltjer.com/windows/scanning-spraying.md): Finding your attack surface and testing credentials
- [Exploitation](https://book.jorianwoltjer.com/windows/exploitation.md): When you find a vulnerability, Windows has some specific ways to exploit it that differ from Linux
- [Local Enumeration](https://book.jorianwoltjer.com/windows/local-enumeration.md): Get information about a compromised machine to find possible ways to escalate privileges
- [Local Privilege Escalation](https://book.jorianwoltjer.com/windows/local-privilege-escalation.md): Escalate privileges on a local computer to become a more powerful user
- [Windows Authentication](https://book.jorianwoltjer.com/windows/windows-authentication.md): Kerberos & NTLM
- [Kerberos](https://book.jorianwoltjer.com/windows/windows-authentication/kerberos.md): The newest Active Directory authentication protocol with fewer flaws than NetNTLM, but still some possible attacks
- [NTLM](https://book.jorianwoltjer.com/windows/windows-authentication/ntlm.md): A legacy authentication protocol for Active Directory with many flaws and dangers
- [Lateral Movement](https://book.jorianwoltjer.com/windows/lateral-movement.md): Moving between computers by re-using accounts to get more access
- [Active Directory Privilege Escalation](https://book.jorianwoltjer.com/windows/active-directory-privilege-escalation.md): Traverse the Active Directory permissions to escalate your privileges and access more
- [Persistence](https://book.jorianwoltjer.com/windows/persistence.md): When a computer or even the entire domain is compromised, how do you keep it that way? (note: not normally required in a pentest)
- [Antivirus Evasion](https://book.jorianwoltjer.com/windows/antivirus-evasion.md): Getting your payload and tools through antivirus protections by obfuscating them or disabling protections
- [Metasploit](https://book.jorianwoltjer.com/windows/metasploit.md): Using existing exploits from the Metasploit Framework (MSF) to quickly take over machines and escalate privileges
- [Alternate Data Streams (ADS)](https://book.jorianwoltjer.com/windows/alternate-data-streams-ads.md): In an NTFS file system, files can have multiple streams with extra data
- [Kubernetes](https://book.jorianwoltjer.com/cloud/kubernetes.md): Container Orchestration for managing big scalable infrastructure of containerized applications
- [Microsoft Azure](https://book.jorianwoltjer.com/cloud/microsoft-azure.md): The Microsoft Azure cloud, and how to attack certain parts of it
- [Business Logic Errors](https://book.jorianwoltjer.com/other/business-logic-errors.md): Finding flaws of the logic in an application. Instead of complex injections, break the regular flow or perform unexpected actions
- [Password Managers](https://book.jorianwoltjer.com/other/password-managers.md): Passwords stored in a central vault, which may have some weaknesses depending on your target
- [ANSI Escape Codes](https://book.jorianwoltjer.com/other/ansi-escape-codes.md): Use special escape codes in the terminal to set colors, change the screen or perform other actions
- [WSL Tips](https://book.jorianwoltjer.com/other/wsl-tips.md): Using the Windows Subsystem for Linux as your attacker environment


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on a page URL with the `ask` query parameter:
```
GET https://book.jorianwoltjer.com/readme.md?ask=<question>
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
