🎯 CTF Challenge Methodology Guide
Systematic approaches for solving different types of CTF challenges
Notes: These are just examples—there could be 10,000 different ways to reach your goal. The key is to stay focused on the main objective: completing the challenge.
🔄 Universal CTF Methodology
The RICE Framework
Reconnaissance (Information Gathering)
- Read challenge description thoroughly
- Identify challenge category and potential approaches
- Download and catalog all provided files
- Note any hints or constraints given
Investigation (Deep Analysis)
- Analyze files/services using appropriate tools
- Document all findings systematically
- Identify patterns, anomalies, and potential vulnerabilities
- Research similar challenges and techniques
Conceptualization (Strategy Formation)
- Formulate hypothesis about the solution approach
- Plan step-by-step attack strategy
- Consider alternative approaches
- Estimate time and resource requirements
Execution (Solution Implementation)
- Implement planned approach systematically
- Document each step and result
- Iterate based on findings
- Validate solution and capture flag
🌐 Web Exploitation Methodology
Phase 1: Reconnaissance
# Site structure analysis
curl -s http://target.com | html2text
wget --spider -r -l 2 http://target.com 2>&1 | grep 'http://'
# Technology identification
whatweb http://target.com
curl -I http://target.com
nmap -sV -p 80,443,8080,8443 target.com
# Directory enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
dirb http://target.comPhase 2: Vulnerability Assessment
# Automated scanning
nikto -h http://target.com
zap-baseline.py -t http://target.com
# Manual testing checklist
- [ ] SQL injection in forms/parameters
- [ ] XSS in input fields
- [ ] Directory traversal in file parameters
- [ ] Command injection in system interfaces
- [ ] Authentication bypass attempts
- [ ] Session management flaws
- [ ] File upload vulnerabilitiesPhase 3: Exploitation Development
# Example SQL injection testing
import requests
url = "http://target.com/login"
payloads = [
"admin'--",
"admin' OR '1'='1'--",
"' UNION SELECT 1,2,3--",
"'; WAITFOR DELAY '00:00:05'--"
]
for payload in payloads:
data = {"username": payload, "password": "test"}
response = requests.post(url, data=data)
if "welcome" in response.text.lower() or response.elapsed.total_seconds() > 5:
print(f"Potential vulnerability with payload: {payload}")🔐 Cryptography Methodology
Phase 1: Cipher Identification
def analyze_crypto_challenge(ciphertext):
analysis = {
'length': len(ciphertext),
'charset': set(ciphertext),
'patterns': {},
'statistics': {}
}
# Character frequency analysis
from collections import Counter
freq = Counter(ciphertext)
analysis['frequency'] = freq.most_common(10)
# Pattern detection
analysis['has_spaces'] = ' ' in ciphertext
analysis['all_uppercase'] = ciphertext.isupper()
analysis['numeric_only'] = ciphertext.isdigit()
analysis['base64_like'] = all(c in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=' for c in ciphertext)
return analysisPhase 2: Systematic Decryption Attempts
# Common cipher attempts
def try_common_ciphers(ciphertext):
results = {}
# Caesar cipher (all shifts)
for shift in range(26):
decoded = caesar_decrypt(ciphertext, shift)
if is_readable_english(decoded):
results[f'caesar_{shift}'] = decoded
# ROT13
results['rot13'] = ciphertext.encode('rot13')
# Base64 variants
import base64
try:
results['base64'] = base64.b64decode(ciphertext).decode('utf-8')
except:
pass
# Hex decoding
try:
results['hex'] = bytes.fromhex(ciphertext).decode('utf-8')
except:
pass
return {k: v for k, v in results.items() if v}Phase 3: Advanced Analysis
# Frequency analysis for substitution ciphers
def frequency_analysis(text):
english_freq = {'E': 12.7, 'T': 9.1, 'A': 8.2, 'O': 7.5, 'I': 7.0, 'N': 6.7}
from collections import Counter
text_freq = Counter(text.upper())
total = sum(text_freq.values())
normalized_freq = {char: (count/total)*100 for char, count in text_freq.items()}
return normalized_freq
# Mathematical analysis for modern crypto
def analyze_rsa_challenge(n, e, c):
import math
# Check for small factors
factors = []
for i in range(2, min(10000, int(math.sqrt(n)))):
if n % i == 0:
factors.append((i, n // i))
# Check for common weak patterns
checks = {
'small_e': e < 10,
'common_e': e in [3, 65537],
'small_n': n < 10**100,
'factorizable': len(factors) > 0
}
return {'factors': factors, 'checks': checks}💾 Binary Exploitation Methodology
Phase 1: Static Analysis
# File information gathering
file binary_challenge
strings binary_challenge | grep -E "(flag|password|key)"
objdump -d binary_challenge | head -50
readelf -h binary_challenge
# Security mitigations check
checksec --file=binary_challenge
# Look for: NX, ASLR, Stack Canaries, PIE, RELROPhase 2: Dynamic Analysis
# GDB debugging setup
gdb ./binary_challenge
(gdb) info functions
(gdb) disas main
(gdb) break main
(gdb) run
# Test for buffer overflow
python3 -c "print('A' * 100)" | ./binary_challenge
python3 -c "print('A' * 200)" | ./binary_challenge
# Generate cyclic pattern
(gdb) run < <(python3 -c "from pwn import *; print(cyclic(200))")Phase 3: Exploit Development
from pwn import *
# Basic buffer overflow template
def exploit_buffer_overflow(binary_path, offset, return_address):
p = process(binary_path)
payload = b'A' * offset
payload += p64(return_address) # Return address (64-bit)
p.sendline(payload)
p.interactive()
return p
# ROP chain development
def build_rop_chain(binary_path):
elf = ELF(binary_path)
rop = ROP(elf)
# Example: call system("/bin/sh")
rop.call('system', [next(elf.search(b'/bin/sh'))])
return rop.chain()🕵️ Forensics Methodology
Phase 1: File Analysis
# Initial file examination
file evidence.img
hexdump -C evidence.img | head -20
strings evidence.img | grep -i flag
# Metadata extraction
exiftool evidence.jpg
binwalk -e evidence.bin
foremost -i evidence.dd -o output/Phase 2: Data Recovery
# Deleted file recovery
testdisk evidence.img
photorec evidence.img
# Memory analysis (if memory dump)
volatility -f memory.dmp imageinfo
volatility -f memory.dmp --profile=Win7SP1x64 pslist
volatility -f memory.dmp --profile=Win7SP1x64 filescan | grep -i flagPhase 3: Steganography Detection
# LSB steganography analysis
from PIL import Image
import numpy as np
def extract_lsb(image_path, bit_plane=0):
img = Image.open(image_path)
data = np.array(img)
# Extract LSB from red channel
lsb_data = data[:, :, 0] & 1 # Get LSB of red channel
# Convert to binary string
binary_string = ''.join(lsb_data.flatten().astype(str))
# Convert to ASCII
ascii_chars = []
for i in range(0, len(binary_string), 8):
byte = binary_string[i:i+8]
if len(byte) == 8:
ascii_chars.append(chr(int(byte, 2)))
return ''.join(ascii_chars)
# Audio steganography
def analyze_audio_file(wav_file):
import wave
with wave.open(wav_file, 'rb') as wav:
frames = wav.readframes(wav.getnframes())
# Look for patterns in LSB
lsb_bits = [frame & 1 for frame in frames[::2]] # Every other sample
binary_data = ''.join(map(str, lsb_bits))
return binary_data📡 Network Analysis Methodology
Phase 1: Traffic Overview
# Wireshark command line analysis
tshark -r capture.pcap -q -z conv,tcp
tshark -r capture.pcap -q -z prot,colinfo
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri
# Protocol distribution
tshark -r capture.pcap -q -z io,phsPhase 2: Specific Protocol Analysis
# HTTP traffic analysis
tshark -r capture.pcap -Y "http" -T fields -e http.host -e http.request.uri
tshark -r capture.pcap -Y "http.request.method==POST" -T fields -e http.file_data
# DNS analysis
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name
tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields -e dns.resp.name -e dns.a
# TCP stream following
tshark -r capture.pcap -q -z follow,tcp,ascii,0Phase 3: Data Extraction
# Extract files from HTTP streams
def extract_http_files(pcap_file):
from scapy.all import *
packets = rdpcap(pcap_file)
http_streams = {}
for packet in packets:
if packet.haslayer(TCP) and packet.haslayer(Raw):
data = packet[Raw].load.decode('utf-8', errors='ignore')
if 'HTTP' in data:
# Extract HTTP responses
if 'Content-Type:' in data:
print(f"Found HTTP response: {data[:200]}")
return http_streams🔧 Miscellaneous Challenge Methodology
Programming Challenges
# Template for algorithmic challenges
def solve_programming_challenge():
# 1. Understand the problem completely
# 2. Identify input/output format
# 3. Find the pattern or algorithm needed
# 4. Implement solution
# 5. Test with examples
# 6. Optimize if necessary
pass
# Common patterns
def fibonacci(n):
if n <= 1: return n
a, b = 0, 1
for _ in range(2, n + 1):
a, b = b, a + b
return b
def prime_factors(n):
factors = []
d = 2
while d * d <= n:
while n % d == 0:
factors.append(d)
n //= d
d += 1
if n > 1:
factors.append(n)
return factorsOSINT Challenges
# OSINT investigation framework
def osint_methodology(target_info):
steps = {
'passive_recon': [
'Google dorking',
'Social media search',
'Public records search',
'Domain/IP lookup'
],
'image_analysis': [
'Reverse image search',
'EXIF data extraction',
'Geolocation analysis',
'Object recognition'
],
'data_correlation': [
'Cross-reference findings',
'Timeline construction',
'Relationship mapping',
'Verification of data'
]
}
return steps
# Example Google dork queries
google_dorks = [
'site:target.com filetype:pdf',
'intext:"target" filetype:xlsx',
'"target.com" inurl:admin',
'cache:target.com'
]⏱️ Time Management in Challenges
The 20-80 Rule for CTF
- 20% of time: Initial analysis and approach planning
- 80% of time: Implementation and iteration
Time Boxing Strategy
def ctf_time_management(challenge_difficulty, total_time):
time_allocation = {
'easy': {
'analysis': 0.2,
'initial_attempt': 0.4,
'iteration': 0.3,
'documentation': 0.1
},
'medium': {
'analysis': 0.3,
'research': 0.2,
'implementation': 0.4,
'iteration': 0.1
},
'hard': {
'analysis': 0.4,
'research': 0.3,
'experimentation': 0.2,
'final_push': 0.1
}
}
return {
phase: int(total_time * ratio)
for phase, ratio in time_allocation[challenge_difficulty].items()
}Decision Points
- 25% time elapsed: Should have clear direction
- 50% time elapsed: Should have working approach or pivot
- 75% time elapsed: Should have solution or consider stopping
- 90% time elapsed: Focus only on completion, no new approaches
🧠 Cognitive Approaches
When You’re Stuck
The 5-Minute Rule
If you haven’t made progress in 5 minutes:
- Step back: Read challenge description again
- Ask differently: Rephrase the problem
- Change tool: Try different analysis method
- Seek help: Ask teammate or community
- Take break: Sometimes fresh eyes help
Systematic Elimination
ELIMINATION CHECKLIST
□ Confirmed file type and format
□ Tried obvious/common solutions
□ Checked for hidden or encoded data
□ Verified tools are working correctly
□ Researched similar challenge types
□ Asked for hints or help
□ Considered alternative approaches
□ Documented what DOESN'T workPattern Recognition Development
- Keep a success journal: Record successful techniques
- Study writeups: Learn from others’ approaches
- Practice regularly: Build intuition through repetition
- Cross-category learning: Techniques often transfer
📚 Challenge Documentation Template
During Challenge
## Challenge: [Name]
**Start time**: [timestamp]
**Category**: [category]
**Points**: [points]
### Initial Analysis
- File type:
- Key observations:
- Initial hypothesis:
### Approaches Tried
1. **Approach 1**: [description]
- Result: [what happened]
- Time spent: [duration]
- Next: [what to try next]
2. **Approach 2**: [description]
- Result: [what happened]
- Time spent: [duration]
- Next: [what to try next]
### Breakthrough Moment
- What worked:
- Why it worked:
- How I found it:
### Solution
- Final approach:
- Flag: `flag{...}`
- Total time: [duration]Last updated: {{date}}
Practice makes perfect - methodology makes practice efficient!
Tags
ctf methodology systematic-approach problem-solving strategy