Get the FREE Ultimate OpenClaw Setup Guide →

ctf-misc

Flagged

{"isSafe":false,"isSuspicious":true,"riskLevel":"high","findings":[{"category":"system_harm","severity":"high","description":"Kubernetes RBAC bypass technique to impersonate SA token and mount hostPath to read secrets (data exfiltration risk)","evidence":"K8s RBAC bypass: SA token -> impersonate -> hostPath mount -> read secrets. See [games-and-vms.md]."},{"category":"prompt_injection","severity":"high","description":"Sandbox/jail-escape patterns in Python jail quick references (Walrus bypass, Decorator bypass) which enable bypassing restrictions and potential code execution","evidence":"- Walrus bypass: `(abcdef := \"new_chars\")` reassigns constraint vars\n- Decorator bypass: `@__import__` + `@func.__class__.__dict__[__name__.__name__].__get__` for no-call, no-quotes escape\n- `open(''.join(['fl','ag.txt'])).read()` when `+` is blocked"},{"category":"system_harm","severity":"high","description":"Privilege escalation / SUID binary exploitation techniques (locating SUID binaries, reading restricted files or spawning shells)","evidence":"find / -perm -4000 2>/dev/null\n# xxd with SUID: xxd flag.txt | xxd -r\n# vim with SUID: vim -c ':!cat /flag.txt'"},{"category":"system_harm","severity":"high","description":"Cryptographic length-extension attack / MAC forgery (SHA-256(SECRET || msg) and hlextend) which enables forging valid MACs","evidence":"MAC = `SHA-256(SECRET || msg)` with known msg/hash -> forge valid MAC via `hlextend`."},{"category":"system_harm","severity":"high","description":"Sandbox/OS-level RCE technique via Python environment (Python env RCE) which can bypass restrictions and execute commands","evidence":"PYTHONWARNINGS=ignore::antigravity.Foo::0 + BROWSER=\"cmd\""}],"summary":"The document is a collection of CTF techniques. While many items are benign in coding contexts, several sections describe real exploit techniques (RBAC bypass in Kubernetes, sandbox/jail escapes in Python, SUID-based privilege escalation, and cryptographic MAC forgery) that could enable data exfiltration or system compromise if misused. Treat as high-risk and restrict distribution to safe, isolated environments."}

npx machina-cli add skill ljagiello/ctf-skills/ctf-misc --openclaw
Files (1)
SKILL.md
10.8 KB

CTF Miscellaneous

Quick reference for miscellaneous CTF challenges. Each technique has a one-liner here; see supporting files for full details.

Additional Resources

  • pyjails.md - Python jail/sandbox escape techniques
  • bashjails.md - Bash jail/restricted shell escape techniques
  • encodings.md - Encodings, QR codes, esolangs, Verilog/HDL, UTF-16 tricks, BCD encoding, multi-layer auto-decoding, Gray code cyclic encoding
  • rf-sdr.md - RF/SDR/IQ signal processing (QAM-16, carrier recovery, timing sync)
  • dns.md - DNS exploitation (ECS spoofing, NSEC walking, IXFR, rebinding, tunneling)
  • games-and-vms.md - WASM patching, Roblox place file reversing, PyInstaller, marshal, Python env RCE, Z3, K8s RBAC, floating-point precision exploitation, multi-phase crypto games with HMAC commitment-reveal and GF(256) Nim, custom assembly language sandbox escape via Python MRO chain

General Tips

  • Read all provided files carefully
  • Check file metadata, hidden content, encoding
  • Power Automate scripts may hide API calls
  • Use binary search when guessing multiple answers

Common Encodings

# Base64
echo "encoded" | base64 -d

# Base32 (A-Z2-7=)
echo "OBUWG32D..." | base32 -d

# Hex
echo "68656c6c6f" | xxd -r -p

# ROT13
echo "uryyb" | tr 'a-zA-Z' 'n-za-mN-ZA-M'

Identify by charset:

  • Base64: A-Za-z0-9+/=
  • Base32: A-Z2-7= (no lowercase)
  • Hex: 0-9a-fA-F

See encodings.md for Caesar brute force, URL encoding, and full details.

IEEE-754 Float Encoding (Data Hiding)

Pattern (Floating): Numbers are float32 values hiding raw bytes.

Key insight: A 32-bit float is just 4 bytes interpreted as a number. Reinterpret as raw bytes -> ASCII.

import struct
floats = [1.234e5, -3.456e-7, ...]  # Whatever the challenge gives
flag = b''
for f in floats:
    flag += struct.pack('>f', f)
print(flag.decode())

Variations: Double '>d', little-endian '<f', mixed. See encodings.md for CyberChef recipe.

USB Mouse PCAP Reconstruction

Pattern (Hunt and Peck): USB HID mouse traffic captures on-screen keyboard typing. Use USB-Mouse-Pcap-Visualizer, extract click coordinates (falling edges), cumsum relative deltas for absolute positions, overlay on OSK image.

File Type Detection

file unknown_file
xxd unknown_file | head
binwalk unknown_file

Archive Extraction

7z x archive.7z           # Universal
tar -xzf archive.tar.gz   # Gzip
tar -xjf archive.tar.bz2  # Bzip2
tar -xJf archive.tar.xz   # XZ

Nested Archive Script

while f=$(ls *.tar* *.gz *.bz2 *.xz *.zip *.7z 2>/dev/null|head -1) && [ -n "$f" ]; do
    7z x -y "$f" && rm "$f"
done

QR Codes

zbarimg qrcode.png       # Decode
qrencode -o out.png "data"

See encodings.md for QR structure, repair techniques, and chunk reassembly.

Audio Challenges

sox audio.wav -n spectrogram  # Visual data
qsstv                          # SSTV decoder

RF / SDR / IQ Signal Processing

See rf-sdr.md for full details (IQ formats, QAM-16 demod, carrier/timing recovery).

Quick reference:

  • cf32: np.fromfile(path, dtype=np.complex64) | cs16: int16 reshape(-1,2) | cu8: RTL-SDR raw
  • Circles in constellation = constant frequency offset; Spirals = drifting frequency + gain instability
  • 4-fold ambiguity in DD carrier recovery - try 0/90/180/270 rotation

pwntools Interaction

from pwn import *

r = remote('host', port)
r.recvuntil(b'prompt: ')
r.sendline(b'answer')
r.interactive()

Python Jail Quick Reference

  • Oracle pattern: L() = length, Q(i,x) = compare, S(guess) = submit. Linear or binary search.
  • Walrus bypass: (abcdef := "new_chars") reassigns constraint vars
  • Decorator bypass: @__import__ + @func.__class__.__dict__[__name__.__name__].__get__ for no-call, no-quotes escape
  • String join: open(''.join(['fl','ag.txt'])).read() when + is blocked

See pyjails.md for full techniques.

Z3 / Constraint Solving

from z3 import *
flag = [BitVec(f'f{i}', 8) for i in range(FLAG_LEN)]
s = Solver()
# Add constraints, check sat, extract model

See games-and-vms.md for YARA rules, type systems as constraints.

Hash Identification

MD5: 0x67452301 | SHA-256: 0x6a09e667 | MurmurHash64A: 0xC6A4A7935BD1E995

SHA-256 Length Extension Attack

MAC = SHA-256(SECRET || msg) with known msg/hash -> forge valid MAC via hlextend. Vulnerable: SHA-256, MD5, SHA-1. NOT: HMAC, SHA-3.

import hlextend
sha = hlextend.new('sha256')
new_data = sha.extend(b'extension', b'original_message', len_secret, known_hash_hex)

Technique Quick References

  • PyInstaller: pyinstxtractor.py packed.exe. See games-and-vms.md for opcode remapping.
  • Marshal: marshal.load(f) then dis.dis(code). See games-and-vms.md.
  • Python env RCE: PYTHONWARNINGS=ignore::antigravity.Foo::0 + BROWSER="cmd". See games-and-vms.md.
  • WASM patching: wasm2wat -> flip minimax -> wat2wasm. See games-and-vms.md.
  • Float precision: Large multipliers amplify FP errors into exploitable fractions. See games-and-vms.md.
  • K8s RBAC bypass: SA token -> impersonate -> hostPath mount -> read secrets. See games-and-vms.md.

3D Printer Video Nozzle Tracking (LACTF 2026)

Pattern (flag-irl): Video of 3D printer fabricating nameplate. Flag is the printed text.

Technique: Track nozzle X/Y positions from video frames, filter for print moves (top/text layer only), plot 2D histogram to reveal letter shapes:

# 1. Identify text layer frames (e.g., frames 26100-28350)
# 2. Track print head X position (physical X-axis)
# 3. Track bed X position (physical Y-axis from camera angle)
# 4. Filter for moves with extrusion (head moving while printing)
# 5. Plot as 2D scatter/histogram -> letters appear

Discord API Enumeration (0xFun 2026)

Flags hidden in Discord metadata (roles, animated emoji, embeds). Invoke /ctf-osint and see ctf-osint social-media.md for Discord API enumeration technique and code.

SUID Binary Exploitation (0xFun 2026)

# Find SUID binaries
find / -perm -4000 2>/dev/null

# Cross-reference with GTFObins
# xxd with SUID: xxd flag.txt | xxd -r
# vim with SUID: vim -c ':!cat /flag.txt'

Reference: https://gtfobins.github.io/

Linux Privilege Escalation Quick Checks

# GECOS field passwords
cat /etc/passwd  # Check 5th colon-separated field

# ACL permissions
getfacl /path/to/restricted/file

# Sudo permissions
sudo -l

Useful One-Liners

grep -rn "flag{" .
strings file | grep -i flag
python3 -c "print(int('deadbeef', 16))"

Keyboard Shift Cipher

Pattern (Frenzy): Characters shifted left/right on QWERTY keyboard layout.

Identification: dCode Cipher Identifier suggests "Keyboard Shift Cipher"

Decoding: Use dCode Keyboard Shift Cipher with automatic mode.

Pigpen / Masonic Cipher

Pattern (Working For Peanuts): Geometric symbols representing letters based on grid positions.

Identification: Angular/geometric symbols, challenge references "Peanuts" comic (Charlie Brown), "dusty looking crypto"

Decoding: Map symbols to Pigpen grid positions, or use online decoder.

ASCII in Numeric Data Columns

Pattern (Cooked Books): CSV/spreadsheet numeric values (48-126) are ASCII character codes.

import csv
with open('data.csv') as f:
    reader = csv.DictReader(f)
    flag = ''.join(chr(int(row['Times Borrowed'])) for row in reader)
print(flag)

CyberChef: "From Decimal" recipe with line feed delimiter.

Backdoor Detection in Source Code

Pattern (Rear Hatch): Hidden command prefix triggers system() call.

Common patterns:

  • strncmp(input, "exec:", 5) -> runs system(input + 5)
  • Hex-encoded comparison strings: \x65\x78\x65\x63\x3a = "exec:"
  • Hidden conditions in maintenance/admin functions

DNS Exploitation Techniques

See dns.md for full details (ECS spoofing, NSEC walking, IXFR, rebinding, tunneling).

Quick reference:

  • ECS spoofing: dig @server flag.example.com TXT +subnet=10.13.37.1/24 - try leet-speak IPs (1337)
  • NSEC walking: Follow NSEC chain to enumerate DNSSEC zones
  • IXFR: dig @server domain IXFR=0 when AXFR is blocked
  • DNS rebinding: Low-TTL alternating resolution to bypass same-origin
  • DNS tunneling: Data exfiltrated via subdomain queries or TXT responses

Unicode Steganography

Variation Selectors Supplement (U+E0100-U+E01EF)

Patterns (Seen & emoji, Nullcon 2026): Invisible Variation Selector Supplement characters encode ASCII via codepoint offset.

# Extract hidden data from variation selectors after visible character
data = open('README.md', 'r').read().strip()
hidden = data[1:]  # Skip visible emoji character
flag = ''.join(chr((ord(c) - 0xE0100) + 16) for c in hidden)

Detection: Characters appear invisible but have non-zero length. Check with [hex(ord(c)) for c in text] -- look for codepoints in 0xE0100-0xE01EF or 0xFE00-0xFE0F range.

UTF-16 Endianness Reversal

Pattern (endians): Text "turned to Japanese" -- mojibake from UTF-16 endianness mismatch.

# If encoded as UTF-16-LE but decoded as UTF-16-BE:
fixed = mojibake.encode('utf-16-be').decode('utf-16-le')

Identification: CJK characters, challenge mentions "translation" or "endian". See encodings.md for details.

Cipher Identification Workflow

  1. ROT13 - Challenge mentions "ROT", text looks like garbled English
  2. Base64 - A-Za-z0-9+/=, title hints "64"
  3. Base32 - A-Z2-7= uppercase only
  4. Atbash - Title hints (Abash/Atbash), preserves spaces, 1:1 substitution
  5. Pigpen - Geometric symbols on grid
  6. Keyboard Shift - Text looks like adjacent keys pressed
  7. Substitution - Frequency analysis applicable

Auto-identify: dCode Cipher Identifier

Source

git clone https://github.com/ljagiello/ctf-skills/blob/main/ctf-misc/SKILL.mdView on GitHub

Overview

CTF Miscellaneous is a quick-reference hub for a wide range of niche CTF techniques. It bundles encoding puzzles, RF/SDR signal processing, sandbox escapes, DNS exploitation, unicode steganography, floating-point tricks, QR codes, audio challenges, Z3 constraint solving, Kubernetes RBAC, WASM patching, esoteric languages, game theory, and other outliers into actionable guidance.

How This Skill Works

Each technique has a concise one-liner and links to deeper files (encodings.md, rf-sdr.md, dns.md, pyjails.md, etc.). Practitioners apply the relevant technique to a puzzle, then use the exact command patterns shown in the supporting docs to reproduce and verify results.

When to Use It

  • Facing encoding puzzles (Base64/Base32/Hex/ROT13) and multi-layer decodings
  • Investigating data hidden in floating-point representations (IEEE-754 tricks)
  • Analyzing RF/SDR signals, IQ data, or audio challenges for covert messages
  • Escaping Python/bash sandbox/jail environments (pyjails, bashjails)
  • Tackling DNS exploitation, Z3 constraints, Kubernetes RBAC, or WASM patching tasks

Quick Start

  1. Step 1: Review this page and the linked technique docs (encodings.md, rf-sdr.md, dns.md, Games-and-VMs.md).
  2. Step 2: Pick a puzzle and apply a relevant pattern (encodings, IEEE-754 floats, QR, audio, archives).
  3. Step 3: Reproduce results with the provided command snippets and consult deeper sections for advanced variants (Z3, K8s RBAC, WASM patching).

Best Practices

  • Review the corresponding technique file before attempting a puzzle
  • Use the exact command snippets provided (e.g., encoding decoders, archive extract, RF/SDR steps)
  • Test multi-layer puzzles by decoding and re-encoding iteratively
  • Verify file types and encodings with standard tools (file, xxd, binwalk, etc.)
  • Document steps with reproducible commands and notes for team review

Example Use Cases

  • IEEE-754 floating-point data hiding (float32/float64 to ASCII)
  • USB HID mouse PCAP reconstruction to recover on-screen coordinates
  • QR code data encoding/repair and chunk reassembly
  • Nested archive extraction and automated extraction scripts
  • WASM patching, Z3 constraints, and Kubernetes RBAC puzzles

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers