Agent Skills for solving CTF challenges — web exploitation, binary pwn, crypto, reverse engineering, forensics, OSINT, and more. Works with any tool that supports the Agent Skills spec, including Claude Code.
```bash
npx skills add ljagiello/ctf-skills
```

Two setup strategies depending on your workflow:

Use the central installer entrypoint:

```bash
bash scripts/install_ctf_tools.sh all
```

Run a narrower mode when you only want one tool group:

```bash
bash scripts/install_ctf_tools.sh python
bash scripts/install_ctf_tools.sh apt
bash scripts/install_ctf_tools.sh brew
bash scripts/install_ctf_tools.sh gems
bash scripts/install_ctf_tools.sh go
bash scripts/install_ctf_tools.sh manual
```

Preview what would be installed (skips already-present packages):

```bash
bash scripts/install_ctf_tools.sh --dry-run all
```

Verify what's already installed:

```bash
bash scripts/install_ctf_tools.sh --verify
```

Use `--force` to reinstall everything regardless of what's already present. Install logs are saved to `~/.ctf-tools/`.
The full package lists live in `scripts/install_ctf_tools.sh`.

Alternatively, install per skill: each skill's `SKILL.md` has a Prerequisites section listing only the tools needed for that category. Install as you go when the agent encounters a missing tool.
| Skill | Files | Description |
|---|---|---|
| ctf-ai-ml | 3 | Model weight perturbation negation, adversarial examples (FGSM, PGD, C&W), foolbox L1BasicIterativeAttack Keras evasion, hand-rolled Keras FGSM via K.gradients, prompt injection, LLM jailbreaking, model extraction, membership inference, neural network collision, LoRA adapter exploitation, gradient descent inversion, data poisoning, backdoor detection, token smuggling, context window manipulation |
| ctf-web | 20 | SQLi (EXIF metadata injection, keyword fragmentation bypass, MySQL column truncation, DNS record injection, ORDER BY CASE WHERE bypass, QR code input injection, double-keyword filter bypass, MySQL session variable dual-value injection, information_schema.processlist race condition leak, PHP PCRE backtrack limit WAF bypass, BETWEEN operator tautology bypass, Host header injection + PROCEDURE ANALYSE(), INSERT ON DUPLICATE KEY UPDATE password overwrite, MySQL innodb_table_stats WAF bypass), XSS (AngularJS 1.x sandbox escape via charAt/trim override, Chrome Unicode URL normalization bypass, Referer header injection + WebRTC IP leak), SSTI (Vue.js toString.constructor injection), SSRF (Host header, DNS rebinding, ElasticSearch Groovy script_fields RCE, rogue MySQL server LOAD DATA LOCAL file read), JWT (JWK/JKU/KID injection), prototype pollution, file upload RCE (BMP pixel webshell + filename truncation bypass), Node.js VM escape, XXE (DOCX/Office XML upload), JSFuck, Web3/Solidity (reentrancy DAO pattern), delegatecall abuse, transient storage clearing collision, Groth16 proof forgery, phantom market unresolve, HAProxy bypass, polyglot XSS, CVEs (Apache CVE-2012-0053 HttpOnly cookie leak), HTTP TRACE bypass, LLM jailbreak, Tor fuzzing, SSRF→Docker API RCE, PHP type juggling, PHP assert() string evaluation injection, PHP LFI / php://filter (+ /dev/fd symlink bypass), PHP zip:// wrapper LFI via PNG/ZIP polyglot, PHP extract() variable overwrite, PHP backtick eval under character limit, PHP variable variables ($$var) abuse, PHP uniqid() predictable filename, PHP ReDoS code execution skip, PHP SoapClient CRLF SSRF via __call() deserialization, Python str.format() attribute traversal info leak, DOM XSS jQuery hashchange, XML entity WAF bypass, React Server Components Flight RCE (CVE-2025-55182), XS-Leak timing oracle, GraphQL CSRF, Unicode case folding XSS (long-s U+017F), Unicode homoglyph path traversal (U+2E2E), CSS font glyph container query exfiltration, Hyperscript CDN CSP bypass, PBKDF2 prefix timing oracle, SSTI __dict__.update() quote bypass, ERB SSTI Sequel bypass, affine cipher OTP brute-force, Express.js %2F middleware bypass, IDOR on WIP endpoints, Apache mod_status info disclosure + session forging, Apache mod_rewrite PATH_INFO bypass, Nginx alias traversal .env leak, OAuth/OIDC exploitation, OAuth email subaddressing bypass, CORS misconfiguration, hash length extension attack (hashpumpy), Thymeleaf SpEL SSTI + Spring FileCopyUtils WAF bypass, Castor XML xsi:type JNDI, Apache ErrorDocument expression file read, SAML XPath digest smuggling (CVE-2024-45409), PaperCut auth bypass (CVE-2023-27350), Zabbix SQLi (CVE-2024-22120), CI/CD variable theft, git history credential leak, identity provider API takeover, Guacamole connection extraction, login page poisoning, TeamCity REST API RCE, Squid proxy pivoting, LaTeX injection RCE, LaTeX mpost restricted write18 bypass, Java deserialization (ysoserial, XMLDecoder RCE), .NET JSON TypeNameHandling $type deserialization, Python pickle RCE (+ STOP opcode chaining), XPath blind injection, race conditions (TOCTOU), client-side HMAC bypass via leaked JS secret, SQLite file path traversal string equality bypass, PHP preg_replace /e RCE, Prolog injection, HQL non-breaking space parser mismatch injection, sendmail parameter injection, base64-encoded path traversal LFI, terminal control character obfuscation, CSP bypass via Cloud Run whitelisted domain, multi-barcode concatenation shell injection, CSP nonce bypass via base tag hijacking, JA4/JA4H TLS fingerprint matching, git CLI newline injection, XSSI via JSONP callback exfiltration, Shift-JIS encoding SQLi (multi-byte charset mismatch), PHP serialization length manipulation via filter expansion, CSP bypass via link prefetch, bash brace expansion space-free injection, XML injection via X-Forwarded-For header, Common Lisp reader macro injection, base64 decode leniency signature bypass, Windows 8.3 short filename path traversal bypass, URL parse_url() @ symbol SSRF bypass, SSRF parse_url/curl double-@ discrepancy, TOTP recovery via PHP srand(time()) seed weakness, Ruby ObjectSpace memory scanning, Ruby Regexp.escape multibyte bypass, GraphQL injection (introspection, query batching/aliasing, string interpolation), PHP7 OPcache binary webshell + LD_PRELOAD disable_functions bypass, wget GET parameter filename trick, tar filename command injection, XSS to SSTI chain via Flask error pages, INSERT INTO dual-field SQLi column shift, session cookie forgery via timestamp-seeded PRNG, PNG/PHP polyglot upload + double extension + disable_functions scandir bypass, cross-origin cookie XSS via shared parent domain, XSS dot-filter bypass via decimal IP + bracket notation, editor backup file (~/.swp) source disclosure, date -f arbitrary file read, sequential regex replacement bypass, Java hashCode() collision auth bypass, SQLite randomblob() blind timing oracle, wget CRLF SSRF-to-SMTP injection, CSS @font-face unicode-range exfiltration, Gopher SSRF to MySQL blind SQLi, PHP hash_hmac NULL via array bypass, Smarty SSTI CVE-2017-1000480, vsprintf double-prepare format string SQLi, custom serializer integer overflow field injection, postMessage null origin bypass via data: URI iframe, WAV polyglot upload via .wave extension bypass, SNI-based FTP protocol smuggling through HTTPS, Apache mod_vhost_alias docroot override via Host header, unescaped-dot SSRF regex allowlist bypass, PHP eval regex bypass via current(getallheaders()), Python f-string format injection blind extraction, CSP bypass via attacker-controlled mime-type for same-origin scripts, React __reactInternalInstance$ component state extraction, PHP parse_str() variable injection, SQLi inline comment multi-field split, PHP full-width dollar regex anchor bypass, MySQL REGEXP byte-by-byte oracle with backtick comment bypass, LDAP filter breakout with wildcard injection, Jinja2 SSTI via globals.self.exec() string concat bypass, web.py reparam() eval + subclasses with blanked builtins, Redis Lua redis.call() injection, unanchored regex command injection, Java TiedMapEntry + LazyMap reflection HashMap patch, X-Forwarded-Host CDN template fetch cache poisoning, std::unordered_set bucket collision auth bypass, AES cookie length-field truncation + CRC32 swap, multi-slash URL path.startswith bypass, Xalan XSLT math:random() seed guess, SoapClient _user_agent CRLF HTTP method smuggling, gopher:/// no-host URL scheme bypass, SSRF credential leak via attacker-specified outbound URL, nodeprep.prepare Unicode homograph username collision, PHP (int) cast leading-number path traversal, recursive-replace ....// traversal, jQuery $(location.hash) CSS selector timing leak, Werkzeug SecureCookie pickle RCE after SECRET_KEY leak, PHP create_function string interpolation RCE, php://input + NULL-byte + ~ bitwise base64 filter bypass, SVG XXE via svglib-to-PNG pipeline, strpos substring-match blacklist bypass, ExpressionEngine FileManager ORDER BY sort-key SQLi, EXIF ImageDescription shell injection via exiftool, SRP A=0/A=N auth bypass, ArangoDB AQL MERGE injection, .phar extension upload bypass, vsftpd 2.3.4 smiley backdoor (CVE-2011-2523), colon/newline injection in string-separator serialization, PHP unserialize double-URL-encode curl LFI, Python pickle RCE wrapped in ROT13(Base64), SQLite UNION via X-Forwarded-For PHPSESSID oracle, quote-adjacent UNION filter bypass, AMQP/TLS interception via sslsplit + arpspoof, CairoSVG XXE via oversized width, Bazaar (.bzr) repository reconstruction, WordPress RevSlider upload + MySQL load_file() SSH pivot (CVE-2014-9734), User-Agent-gated robots.txt, PHP log()/INF math equality + recursive urldecode, CloudFlare cache poisoning via .js username + stored SVG XSS |
| ctf-pwn | 18 | Buffer overflow, ROP chains, ret2csu, ret2vdso, vsyscall ROP PIE bypass, bad char XOR bypass, exotic gadgets (BEXTR/XLAT/STOSB/PEXT), stack pivot (xchg rax,esp, double leave;ret to BSS), sprintf() gadget chaining bad char bypass, SROP with UTF-8 constraints, stub_execveat syscall as execve alternative, format string (saved EBP overwrite, argv[0] stack smash info leak, __printf_chk bypass with sequential %p, leak + GOT overwrite in single printf call, Objective-C %@ objc_msg_lookup exploitation, strlen int8_t truncation bypass, ROT13-encoded format string exploit), heap exploitation (unlink, House of Force top chunk overwrite, House of Apple 2 + setcontext SUID variant, Einherjar, signed/unsigned char underflow, tcache pointer decryption, unsorted bin promotion, XOR keystream brute-force write, GF(2) Gaussian elimination multi-pass tcache poisoning, application-level heap grooming, UAF vtable pointer encoding shell argument, fastbin stdout vtable two-stage hijack for PIE + Full RELRO, _IO_buf_base null byte stdin hijack, glibc 2.24+ vtable validation bypass, unsorted bin on stdin IO_buf_end, unsorted bin via mp structure), FSOP (stdout TLS leak, TLS destructor __call_tls_dtors hijack, leakless libc via multi-fgets stdout overwrite), RETF x64→x32 architecture switch seccomp bypass, x32 ABI syscall number aliasing seccomp bypass, seccomp BPF X-register addressing mode bypass, time-based blind shellcode (write blocked), GC null-ref cascading corruption, stride-based OOB leak, canary byte-by-byte brute force, stack canary null-byte overwrite leak + return-to-main, stack canary XOR epilogue as RDX zeroing gadget, seccomp bypass, sandbox escape (CPU emulator eval injection), custom VMs, VM UAF slab reuse, io_uring UAF SQE injection, integer truncation (int32→int16, order-of-operations arithmetic), musl libc heap (meta pointer + atexit), custom shadow stack pointer overflow bypass, signed int overflow negative OOB heap write, XSS-to-binary pwn bridge, 4-byte shellcode timing side-channel via persistent registers, minimal shellcode with pre-initialized registers, unique-byte shellcode via syscall RIP→RCX, shellcode unique-byte counter overflow bypass, CRC oracle as arbitrary read primitive, UTF-8 case conversion buffer overflow (g_utf8_strup), ARM Thumb shellcode + dup2 socket redirect, Motorola 68000 (m68k) two-stage shellcode, DOS COM real mode shellcode (int 0x21), Forth interpreter system word exploitation, DynELF automated libc discovery, constrained shellcode (15-byte execve), protocol length field stack bleeding, timing attack character-by-character flag recovery, single-bit-flip exploitation primitive (mprotect + iterative code patching), Game of Life shellcode evolution via still-lifes, UAF via menu-driven strdup/free ordering, custom printf arginfo overwrite, Lua game logic integer underflow, neural network function pointer index OOB, Linux kernel exploitation (ret2usr, kernel ROP prepare_kernel_cred/commit_creds, modprobe_path, core_pattern, tty_struct kROP, userfaultfd race, SLUB heap spray, KPTI trampoline/signal handler bypass, KASLR/FGKASLR __ksymtab bypass, SMEP/SMAP, GDB module debugging, initramfs/virtio-9p workflow, MADV_DONTNEED race window extension, cross-cache CPU-split attack, PTE overlap file write, kmalloc size mismatch + struct file f_op corruption, eBPF verifier bypass exploitation, addr_limit bypass via failed file open), Windows SEH overwrite + pushad VirtualAlloc ROP, Windows CFG bypass using system() as valid call target, IAT-relative resolution, detached process shell stability, SeDebugPrivilege SYSTEM escalation, /proc/self/mem write-anywhere primitive, game AI arithmetic mean OOB read, arbitrary read/write GOT overwrite to shell, stack leak via __environ + memcpy overflow, JIT sandbox uint16 jump truncation, DNS compression pointer stack overflow, ELF code signing bypass via program header manipulation, game level signed/unsigned coordinate mismatch, FD inheritance via missing O_CLOEXEC, sign extension integer underflow in metadata parsing, ROP chain with read-only primitive, process_vm_readv sandbox escape, named pipe (mkfifo) file size bypass, format string .fini_array loop multi-stage exploitation, talloc pool header forgery, parser stack overflow via unchecked memcpy with callee-saved register restoration, unsafe unlink BSS + top chunk consolidation, mmap/munmap size mismatch UAF thread stack overlap, premature global index OOB stack write, strcspn indirect null byte injection, printf_function_table/printf_arginfo_table dispatch hijack, atexit PTR_MANGLE secret recovery, scanf format string stack overwrite, realloc(ptr 0) UAF, JIT-ROP syscall byte scanning in leaked GOT function, ret2dl_resolve 64-bit with VERSYM bypass, prime-only ROP via Goldbach decomposition, single-byte refcount wraparound UAF, Unicorn emulator sysenter/alt-syscall bypass, empty-token strncmp(n=0) MAC bypass, Chip-8 emulator OOB memory ret2libc, double-precision float quicksort canary repositioning, bloom filter abs(INT_MIN) negative index OOB write, uninitialized chunk residue pointer leak, tcache strcpy null-byte overflow + backward consolidation, ARM64 getusershell() x0 setup gadget for system(), user-kernel-hypervisor I/O port hypercall chain, return address LSB overwrite + read() chaining, canary trailing-byte leak via past-null padding, imperfect-gadget stack pivot with junk arithmetic, _fini_array double-entry staged ROP on static binaries, ACPI DSDT OperationRegion shellcode for kernel privesc, ARM fcntl64 set_fs() CVE-2015-8966 pipe exfil, format string HTTP User-Agent PIE+canary single-request leak, null-byte address fragmentation for tiny-buffer format strings, custom VM swap pointer self-overwrite, 9-byte test+je socket-timeout bit leak, RtlCaptureContext deterministic Windows stack leak, IEEE 754 double-as-shellcode via exponent fixing, adjacent-struct fn-pointer overflow for libc leak + GOT overwrite, hidden-menu-option tcache poisoning, index-only bounds check + stride OOB write, signed index negative OOB to preceding GOT, PIE same-page function pivot via single-byte overwrite, tcache double-free + fake _IO_FILE vtable stdout hijack, tcache-to-fastbin promotion cross-bin attack, 6-bit OOB array + written_bytes accumulator for incremental function-pointer overwrite, IS_MMAPED bit-flip libc leak + tcache __free_hook hijack, LSB-only fastbin poisoning under filename regex constraint, custom-allocator unsafe unlink GOT overwrite, alphanumeric shellcode push r12/pop rax bootstrap when rax=0, scanf "-" format-error skip as canary bypass, PIE bypass via consistent glibc mmap base, static ret2libc with 3-character input constraint, OOB dispatch-table read via controlled rdx*8 function-pointer index, Game Genie 6-char binary patch encoding, Go slice capacity aliasing via struct-by-value copy, custom binfmt kernel module loader exploit |
| ctf-crypto | 16 | RSA (small e, common modulus, Wiener, Fermat, Pollard p-1, Hastad broadcast, Hastad broadcast with linear padding Coppersmith, Coppersmith, Coppersmith for linearly related primes q=kp+delta, Coppersmith linearly-related primes q~4p, Franklin-Reiter related message attack e=3, Manger, Manger OAEP timing, p=q bypass, cube root CRT, phi multiple factoring, weak keygen base representation, gcd(e,phi)>1 exponent reduction, CRT fault attack bit-flip recovery, homomorphic decryption oracle bypass, small prime factors CRT decomposition, timing attack on Montgomery reduction, Bleichenbacher low-exponent signature forgery, e=1 signature bypass with crafted modulus), AES (modified S-Box brute-force recovery, ECB byte-at-a-time chosen plaintext, ECB cut-and-paste block manipulation, CBC IV bit-flip auth bypass, CBC IV forgery + block truncation auth bypass, CBC UnicodeDecodeError side-channel oracle, CTR constant counter repeating keystream, CFB IV recovery from timestamp-seeded PRNG, padding oracle to CBC bitflip command injection, key recovery via byte-by-byte zeroing oracle, error-message decryption oracle ciphertext forging), ECC (Ed25519 torsion side channel, shared prime factor GCD, DSA key recovery via MD5 collision on k-generation), ECDSA nonce reuse, DSA limited k-value brute force, PRNG (MT float recovery via GF(2) matrix for token prediction, MT seed recovery from subset sum, MT state recovery via constraint propagation, V8 XorShift128+ Math.random state recovery + inverse backward prediction, C srand/rand ctypes synchronization), ZKP (Shamir secret sharing reused polynomial attack), Groth16 broken setup, DV-SNARG forgery, KZG pairing oracle permutation recovery, braid group DH, BB-84 QKD MITM attack, introspective CRC via GF(2) linear algebra, LWE/CVP lattice attacks, AES-GCM, classic/modern ciphers (Polybius square), Kasiski examination, multi-byte XOR frequency analysis, variable-length homophonic substitution, hash length extension, compression oracle (CRIME-style), RC4 second-byte bias, RSA multiplicative homomorphism signature forgery, Rabin LSB parity oracle (binary search decryption), noisy LSB oracle post-hoc error correction, PBKDF2 pre-hash bypass (password > hash block size), MD5 multi-collision via fastcol, custom hash state reversal via known intermediates, CRC32 brute-force for small payloads, S-box collision, GF(2) CRT, historical ciphers, OTP key reuse, logistic map PRNG, RsaCtfTool, tropical semiring residuation, LFSR stream cipher attacks (Berlekamp-Massey, correlation attack, Galois tap recovery via autocorrelation), CRC32 collision signature forgery, Blum-Goldwasser bit-extension oracle, baby-step giant-step (BSGS, + sparse/low Hamming weight exponent variant) + Pohlig-Hellman for smooth-order DLP, Paillier cryptosystem attack, Paillier LSB oracle via homomorphic doubling, Merkle-Hellman knapsack LLL, Hamming code helical interleaving, ElGamal universal re-encryption, ElGamal trivial DLP when B=p-1, XOR consecutive byte correlation, Paillier oracle size bypass via ciphertext factoring, batch GCD shared prime factoring, hash function cycle reversal (Floyd/Brent), FPE Feistel brute-force, icosahedral symmetry group cipher, Goldwasser-Micali ciphertext replication oracle, grid permutation cipher keyspace reduction, OFB mode invertible RNG backward decryption, image-based Caesar shift ciphers, weak key derivation via public key hash XOR, HMAC-CRC linearity attack (GF(2) key recovery), HMAC XOR+addition bit-by-bit key oracle, custom MAC forgery via XOR block cancellation key rotation, DES weak keys OFB mode (period-2 keystream), square attack / integral cryptanalysis on reduced-round AES, RSA partial key recovery from dp/dq/qinv, DSA nonce reuse private key recovery, AES-GCM nonce reuse / forbidden attack (GHASH polynomial key recovery), SRP protocol bypass via modular arithmetic, XOR key recovery via file format headers (PDF/PNG/ZIP magic bytes), three-round XOR protocol key cancellation, sponge hash MITM collision on partial state, SPN S-box intersection partial key recovery, SPN column-wise XOR brute-force, Z3 constraint solving for stream ciphers, Fibonacci stream cipher position-shifting oracle, differential privacy Laplace noise cancellation, homomorphic encryption oracle bit-extraction, AES-CTR + CRC GF(2)-linearity signature forgery, SHA-256 basis attack for XOR-aggregate hash bypass, 3D Vigenere palindrome symmetry key recovery, ElGamal over matrices via Jordan normal form, Rule 86 cellular automaton PRNG reversal via Z3, ROCA attack CVE-2017-15361, OSS (Ong-Schnorr-Shamir) signature forgery, Nihilist cipher double-crib key recovery, 16-byte XOR block cipher structural reversal, SHA-1 chosen-prefix PDF signature forgery, hash chain preimage auth bypass, Cayley-Purser decryption without private key, dependent-prime RSA (q=e^-1 mod p), keystream recovery via run-length encoding collisions, AES-CBC nonce strip via block boundary alignment, RSA three-key pairwise GCD triangle, Java LCG meet-in-the-middle via partial modulo, LCG backward stepping via multiplicative inverse, Schmidt-Samoa RSA n=p^2*q variant, modulus recovery via GCD of encryption residuals, textbook RSA negation via encrypt(-1), poly-exponent RSA GCD of p^p combinations, biased LSB oracle with mode-of-runs recovery, cube-root wraparound via AES-CTR length hint, LFSR bit-fold recovery from ASCII parity, Z3 solve-time timing oracle on PRNG, randcrack-fed DSA k prediction, time-seeded PRNG offset via format-string global write, NTP-poisoned PRNG UUID XOR state leak, CBC IV recovery from block-2 known plaintext, iterated SHA-256 timing oracle on character match, flag semaphore photo decoding, two-byte nibble reassembly with random padding, RSA p = next_prime(2^k + small) shared-prime batch GCD, PNG encryption bounded by 512-bit key trailer replacement, BIP39 partial-mnemonic checksum brute force, Asmuth-Bloom threshold secret sharing via CRT, LFSR filter linear annihilator attack, hostname-as-XOR-key leaked via DNS capture, modulus recovery via plaintext malleability, RSA CRT d_p null-byte overflow primes leak, textbook RSA signature blinding via message factoring, last-byte modulus overwrite via strlen-1 null truncation, Ed25519 same-nonce key recovery, singular curve ECDLP to additive/multiplicative group, GF(p) linear-system AES key recovery from PCAP matrix, SHA-1 length extension with UTF-8 high-byte bypass, cross-session cube-root recovery via CRT, Rabin cryptosystem with polynomial primes, LCG period detection, polynomial coefficient recovery via Vandermonde, custom GCM GHASH key recovery over prime modulus, SHA-1 length extension + AES-CBC cookie forgery, CRC32 collision oracle + RSA homomorphism signature forgery, Hensel's lemma polynomial root lifting mod p^k, Rabin decryption via four-roots CRT combination, CBC previous-block byte flipping for cookie privilege escalation |
| ctf-reverse | 18 | Binary analysis, custom VMs (+ VM bytecode lifting to LLVM IR), WASM, RISC-V, Rust serde, Python bytecode, OPAL, UEFI, game clients, anti-debug, anti-VM/anti-sandbox (CPUID, MAC, timing, file/registry artifacts), anti-DBI (Frida/Pin detection), code integrity/self-hashing, anti-disassembly (opaque predicates, junk bytes, control flow flattening), MBA obfuscation, instruction trace inversion with Keystone+Unicorn, SIGFPE signal handler side-channel via strace counting, batch crackme automation via objdump pattern extraction, fork + pipe + dead branch anti-analysis, Android DEX runtime bytecode patching via /proc/self/maps, Frida Android cert pinning bypass + native JNI invocation, Android TracerPid/su/system property anti-debug, Android log-based crypto key extraction, native JNI key dump + smali patching, pwntools binary patching, Binary Ninja, dogbolt.org, Frida dynamic instrumentation, angr symbolic execution, lldb, x64dbg, VMProtect/Themida analysis, binary diffing (BinDiff, Diaphora), deobfuscation (D-810, GOOMBA, Miasm), Qiling framework, Triton DSE, r2frida, reverse debugging (rr), advanced Ghidra/GDB scripting, GDB constraint extraction + ILP solver, GDB position-encoded input zero flag monitoring, LD_PRELOAD execute-only binary dump, LD_PRELOAD time() freeze for deterministic analysis, LIEF binary instrumentation, Rizin/Cutter, RetDec, Manticore, Sprague-Grundy game theory, kernel module maze solving, multi-threaded VM channels, multi-layer self-decrypting brute-force, convergence bitmap, .NET/Android RE (RijndaelManaged XOR+AES two-stage decode), Flutter/Dart AOT (Blutter), Verilog/hardware RE, Godot/Roblox game assets, CVP/LLL lattice validation, JNI RegisterNatives, decision tree obfuscation, GLSL shader VM, GF(2^8) Gaussian elimination, Z3 single-line Python circuit, sliding window popcount, Ruby/Perl polyglot, Electron ASAR + native binary reversing, Node.js npm runtime introspection, D language binary reversing (symbol demangling, Phobos library), Go binary reversing (GoReSym, goroutines), Haskell GHC CMM intermediate language RE, Rust binary reversing (demangling, panic strings), C++ vtable/RTTI reconstruction, C++ destructor-hidden validation (__cxa_atexit), Swift binary reversing, Kotlin/JVM reversing, multi-thread anti-debug decoy + signal handler MBA, call-less function chaining via stack frame manipulation, backdoored shared library detection, keyboard LED Morse code via ioctl, Intel Pin instruction-counting side channel, LD_PRELOAD memcmp side-channel bruteforce, SIGILL handler execution mode switching, rt_sigprocmask side-channel memory corruption, HD44780 LCD GPIO reconstruction, MIPS64 Cavium OCTEON CP2 hardware crypto, EFM32 ARM MMIO AES accelerator, MBR/bootloader reversing with QEMU+GDB, Game Boy ROM Z80 analysis (bgb debugger), MFC message map debugging, VM sequential key-chain brute-force with OpenMP, custom binfmt kernel module RC4 flat binaries, hash-resolved imports no-import ransomware, BF character-by-character static analysis, BF side-channel read count oracle, BF comparison idiom detection, Go binary UUID patching for C2 enumeration, Frida Firebase Cloud Functions bypass, Android native .so bypass via new project, BPF JIT filter analysis, TensorFlow DNN sigmoid inversion, ELF section header corruption anti-analysis, ARM64/AArch64 reversing and exploitation (calling convention, ROP, qemu emulation), ARM code in image pixels via UnicornJS, Intel SGX enclave RE with remote attestation, IBM AS/400 SAVF EBCDIC decoding, INT3 coredump brute-force oracle, signal handler chain LD_PRELOAD oracle, FRACTRAN program inversion, opcode-only trace reconstruction, Burrows-Wheeler Transform inversion, OpenType font ligature exploitation (GSUB table), ROP chain obfuscation analysis (ROPfuscation), instruction counter as cryptographic state (path-dependent byte transformation), thread race signed integer overflow (cdqe sign extension), ESP32/Xtensa firmware reversing with ROM symbol map, time-locked binary with date-based key, x86 16-bit MBR psadbw constraint solving, Haskell STG closure reversing + hsdecomp, custom VM fuzzing instruction set discovery, Intel Pin genetic algorithm for self-modifying code, Frida memoization for recursive function speedup, printf format string VM decompilation to Z3, parent-patched child binary dump via strace process_vm_writev, quadtree recursive image format parser, Glulx interactive fiction bytecode matrix validation, KVM guest analysis via ioctl + KVM_EXIT_HLT block chaining, Coreboot ROM XOR-pair bit-flip address discovery, Rust lifetime escape via compiler bug #25860, Rust #[no_mangle] libc override for seccomp bypass, GDB trap-flag self-check with cmovz patcher, SIGFPE handler mprotect code mutation, GDB register side-channel on putchar(), GNU Make Turing machine simulator, Rust xmmword constant extraction via IDAPython, Nuitka-compiled Python module stub injection, RISC-V QEMU execution with GLIBC symbol version patching, APK certificate SHA-256 as AES key, radare2 visual panels for custom VM tracing, boolector SMT2 for custom hash reversal, single-byte XOR ROM deobfuscation sweep, WebKit Array.slice OOB CVE-2016-4622, ConfuserEx dynamic module dump via constructor breakpoint, Moxie ISA custom opcode discovery, Unity APK Assembly-CSharp.dll runtime patch, Il2CppDumper for Unity IL2CPP metadata recovery, libSegFault.so register dump at crash, r2pipe binary walking + DP constraint solver, Android smali injection to defeat LocalBroadcastManager, GDB breakpoint-commands at strcmp for dynamic XOR key recovery, multi-modulus CRT keygen with matrix lookup password, PEDA current_inst bit-by-bit flag scraper, VM trace diffing instead of full disassembly |
| ctf-forensics | 14 | Disk/memory forensics (GIMP raw memory dump visual inspection, Kyoto Cabinet hash DB forensics), RAID 5 XOR recovery, APFS snapshot recovery, Windows KAPE triage, Windows/Linux forensics, steganography (Arnold's Cat Map descrambling, MJPEG extra bytes after FFD9, high-res SSTV custom FM demodulation, EXIF zlib + triangular numbers LSB, PDF xref generation number covert channel, pixel-wise ECB deduplication image recovery), network captures, tcpdump, TLS/SSL keylog decryption, RDP session decryption via PKCS12 key extraction, USB HID drawing, USB HID keyboard capture decoding (+ arrow key navigation tracking), USB MIDI Launchpad traffic reconstruction, UART decode, serial UART data decoding from WAV audio, side-channel power analysis, packet timing, 3D printing, signals/hardware (VGA, HDMI, DisplayPort, I2C bus protocol, IBM-29 punched card OCR), BMP bitplane QR, image puzzle reassembly, audio FFT notes, KeePass v4 cracking, cross-channel multi-bit LSB, F5 JPEG DCT detection, PNG palette stego, PNG height/CRC manipulation, APNG frame extraction, keyboard acoustic side-channel, caps-lock LED Morse code from video, DeepSound audio stego + password cracking, QR code reconstruction from curved glass reflection, TCP flag covert channel, Brotli decompression bomb seam, Git reflog/fsck squash recovery, browser artifact analysis, DNS trailing byte binary encoding, DNS exfiltration oracle via binary response probing, fake TLS stream with mDNS key and printability merge, seed-based pixel permutation stego, pixel coordinate chain steganography, AVI frame differential pixel steganography, SMB RID recycling via LSARPC, Timeroasting MS-SNTP hash extraction, RADIUS shared secret cracking (radius2john), RC4 stream identification in shellcode pcap, Android forensics, Docker container forensics, cloud storage forensics, Python in-memory source recovery via pyrasite, HFS+ resource fork hidden binary recovery, SQLite edit history reconstruction from diff table, corrupted ZIP repair via header field manipulation, JPEG thumbnail pixel-to-text mapping, conditional LSB with pixel filtering, GIF frame diff Morse code, GZSteg + spammimic, audio waveform binary encoding, audio spectrogram hidden QR, split archive reassembly via timestamp ordering, video frame averaging for hidden content, reversed audio, TLS master key extraction from coredump, corrupted git blob repair, corrupted PCAP repair (pcapfix), LUKS master key recovery via aeskeyfind, PRNG timestamp seed brute-force key recovery, VBA macro binary recovery, FemtoZip shared dictionary decompression, ICMP payload steganography with byte rotation, packet reconstruction via checksum validation, spreadsheet frequency analysis binary recovery, JPEG slack space steganography, nearest-neighbor interpolation pixel grid stego, XFS inode reconstruction, tar duplicate entry extraction, nested matryoshka filesystem layers, anti-carving via null byte interleaving, BTRFS subvolume/snapshot recovery, JPEG XL TOC permutation steganography, Kitty terminal graphics protocol, ANSI escape sequence steganography (+ network capture variant), CD audio disc image steganography (CIRC de-interleaving + spiral rendering), autostereogram solving, two-layer byte+line interleaving, multi-stream video container steganography, FAT16 free space data recovery, FAT16 deleted file recovery via fls/icat (+ deleted .git recovery), ext2 orphaned inode recovery via fsck, NTFS alternate data streams (ADS), Linux input_event keylogger dump parsing, VBA macro Excel cell to ELF binary extraction, RGB parity steganography, WPA/WEP WiFi decryption, SAP Dialog protocol decryption, BSON format reconstruction, TrueCrypt/VeraCrypt volume mounting, Ethereum/blockchain transaction tracing, progressive PNG layered XOR decryption, dnscat2 DNS tunnel reassembly, USB keyboard LED Morse code exfiltration, unreferenced PDF object hidden pages, Windows certutil base64 ZIP memory recovery, DNSSEC key recovery from git commit history, GIF palette manipulation QR reconstruction, JPEG single-bit-flip brute-force + OCR, Angecryption (AES-CBC valid file to valid file), SVG micro-coordinate steganography, NTFS EFSTMPWP cipher.exe wipe artifact detection, byte-reversed .docx ZIP bidirectional archive, ICMP echo payload length as covert channel, Bluetooth RFCOMM packet reassembly, ICMP ping time-delay covert channel, Volatility mftparser offset-based deleted file recovery, XZ stream header repair via CRC32 reconstruction, GIF frame PLTE chunk concatenation to ELF, nested-resize QR overlay at survivor pixels, ImageMagick +append puzzle stitching with gaps solver, ZipCrypto bkcrack known-plaintext cracking, SQLite serial-type byte forensics, MIDI Note-On/Note-Off pitch pair encoding, Volatility clipboard plugin for copy-paste secret recovery, Brotli blob detection via ASCII-art signature, corkami/pocs MD5 PDF collision pipeline, GBA USB URB_INTERRUPT framebuffer extraction, Volatility credential recovery toolkit (mimikatz/hashdump/printkey/memdump/netscan/pstree/dlllist), Tektronix logic-analyzer CSV clock-edge extraction, steghide passphrase hidden in JPEG header metadata, corrupted PNG magic + lowercase chunk header repair, recursive binwalk PNG->PDF->DOCX->PNG->Base64 chain, regex-password nested zip chain with exrex, multi-color QR code binary mapping brute force |
| ctf-osint | 3 | Social media, geolocation, Google Lens cropped region search, reflected/mirrored text reading, Street View panorama matching, What3Words micro-landmark matching, Google Plus Codes, Baidu reverse image search, Overpass Turbo spatial queries, username enumeration, username metadata mining (postal codes), Strava fitness route OSINT, Google Maps photo verification, DNS recon, archive research, Google dorking (TBS image filters), Telegram bots, FEC filings, WHOIS investigation, music-themed landmark geolocation with key encoding, Shodan SSH fingerprint deanonymization, gaming platform OSINT (WoW/Steam/Minecraft character lookup), fake service banner detection via nmap fingerprinting, git commit author email mining for credential pivot, .DS_Store directory enumeration via python-dsstore, TTF glyph contour diffing for obfuscated CAPTCHA, cross-challenge Docker container IP reuse |
| ctf-malware | 3 | Obfuscated scripts, C2 traffic, custom crypto protocols, .NET malware, PyInstaller unpacking, PE analysis, sandbox evasion, anti-analysis (VM detection, timing evasion, API hashing, process injection), dynamic analysis (strace/ltrace, network monitoring, memory extraction), YARA rules, shellcode analysis, memory forensics (Volatility malfind, process injection), Poison Ivy RAT Camellia decryption, DarkComet RAT forensics (keylogger log recovery, registry persistence), Cobalt Strike beacon analysis (Malleable C2 detection, dissect.cobaltstrike config extraction), trojanized plugin custom alphabet C2 decoding, ARP spoof + TCP RST injection to capture IRC C2 credentials |
| ctf-misc | 12 | Pyjails (func_globals module chain, restricted charset number gen, class attribute persistence, name mangling + func_code.co_consts + doc attribute access, f-string config injection via stored eval), bash jails, encodings (RTF custom tag extraction, SMS PDU decoding, RFC4042 UTF-9, pixel color binary encoding, TOPKEK binary encoding, MaxiCode 2D barcode decoding, DTMF audio + multi-tap T9 phone keypad, music note interval steganography), RF/SDR, DNS exploitation (+ round-robin A record enumeration), Unicode stego, floating-point tricks, game theory, commitment schemes, WASM, K8s, custom assembly sandbox escape, Lua sandbox escape (function name injection, table indexing bypass), Ruby sandbox escape via TracePoint.trace, cookie checkpoint, Flask cookie leakage, WebSocket game manipulation, Whitespace esolang, Docker group privesc, De Bruijn sequence, Brainfuck instrumentation, WASM linear memory manipulation, quine context detection, repunit decomposition, indexed directory QR reassembly, multi-stage URL encoding chains, Python marshal code injection, Benford's Law bypass, sudo wildcard fnmatch injection, crafted pcap sudoers.d, monit process injection, Apache -d override, backup cronjob SUID, PostgreSQL COPY TO PROGRAM, PostgreSQL backup credential extraction, NFS share exploitation, SSH Unix socket tunneling, PaperCut Print Deploy privesc, Squid proxy pivoting, Zabbix admin password reset, WinSSHTerm credential decryption, Piet/Malbolge esoteric language chains, multi-encoding sequential solver, parallel connection oracle relay, nonogram-to-QR pipeline, 100 prisoners cycle-following strategy, C code jail escape via emoji identifiers + add-eax gadget embedding, emulator ROM-switching state preservation, BuildKit daemon build secret exploitation, hexadecimal Sudoku + QR assembly, Z3 boolean gate network SAT solving for product keys, HISTFILE restricted shell file read, Levenshtein distance oracle attack, Docker container escape (privileged breakout, socket escape, CAP_SYS_ADMIN cgroup release_agent), SECCOMP high-bit file descriptor bypass, rvim jail escape via python3, bash $'...' octal encoding + env var substring jail bypass, 15-puzzle solvability bit encoder, DNS maze traversal, Python eval() tuple injection jail escape, taint analysis type coercion bypass in custom languages, shredded document pixel-edge reassembly, CTFd platform API navigation (no-browser challenge listing, flag submission, file download, scoreboard, Python client), restricted vim escape via K (man) to :!sh, pixel-sampling BFS maze auto-solver, restricted vim escape via CTRL-W F netrw file browser, dir() attribute lookup jail escape bypassing class blocklist, base65536 CJK Unicode binary encoding, LD_PRELOAD hook via rbash-allowed variable set, /dev/tcp exfiltration from minimal command set, layer-by-layer echo-only bash escape, sudo file -m magic-file directory traversal, XSLT as Turing-complete VM for binary search, JavaScript MAX_SAFE_INTEGER successor equality bypass, binary search oracle in comparison-only DSL, blind SQLi via script-engine timeout error, OEIS sequence lookup automation, QR code reassembly from format-string structural constraints, matrix exponentiation for Fibonacci-like recurrence, Tribonacci for frog-jump counting, Selenium + Tesseract dynamic CAPTCHA solver, Brainfuck→Piet multi-layer polyglot, bytebeat synth code recognition, CVE-2018-19788 polkit UID integer overflow → systemctl RCE, Ruby Array#unpack CVE-2018-8778 buffer under-read, binary grid text to QR image + XOR key, sudo glob path + symlink confused deputy via vim, TOCTOU symlink swap race on FileChecker, TCP Fast Open SYN-payload command injection, closed-stdout jail with \r truncation (exec > /dev/tty + cat -A) |
| solve-challenge | 0 | Orchestrator skill — analyzes challenge and delegates to category skills |
| ctf-writeup | 0 | Generates standardized submission-style writeups with metadata, solution steps, code, and lessons learned |
Skills are loaded automatically based on context. You can also invoke the orchestrator directly:
```
/solve-challenge <challenge description or URL>
```
See CONTRIBUTING.md for development setup and contribution guidelines.
MIT