Ctf-skills solve-challenge
Solves CTF challenges by performing first-pass triage, identifying the dominant category, and routing execution to the right specialized ctf-* skill. Use when the user gives you a challenge bundle, a remote service, a suspicious file, or only a vague challenge description and you must determine where to start. Do not use it when the category is already clear and a specialized skill can be invoked directly; this is the dispatcher and recon entrypoint, not the deepest reference for category-specific techniques.
install
source · Clone the upstream repo
git clone https://github.com/ljagiello/ctf-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ljagiello/ctf-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/solve-challenge" ~/.claude/skills/ljagiello-ctf-skills-solve-challenge && rm -rf "$T"
manifest:
solve-challenge/SKILL.mdsource content
CTF Challenge Solver
You're a skilled CTF player. Your goal is to solve the challenge and find the flag.
Environment Setup
Two setup strategies depending on your workflow:
Pre-install (recommended before competitions)
Use the central installer entrypoint:
bash scripts/install_ctf_tools.sh all
Run a narrower mode when you only want one tool group:
bash scripts/install_ctf_tools.sh python bash scripts/install_ctf_tools.sh apt bash scripts/install_ctf_tools.sh brew bash scripts/install_ctf_tools.sh gems bash scripts/install_ctf_tools.sh go bash scripts/install_ctf_tools.sh manual
The full package lists now live in scripts/install_ctf_tools.sh.
On-demand (during challenges)
Each category skill's
SKILL.mdWorkflow
Step 0: CTFd Platform Detection
If the CTF platform URL is known, check if it runs CTFd and switch to API-driven navigation:
# Detect CTFd (look for /api/v1/ and /themes/core/) curl -s "$CTF_URL/api/v1/" | head -5 curl -s "$CTF_URL" | grep -oE '/themes/core/'
If CTFd is detected, ask the user for their API token (generated from CTFd Settings > Access Tokens). The token is not provided by default — the user must create one in the CTFd web UI first. Once provided, set the environment variables and proceed via API:
export CTF_URL="https://ctf.example.com" export CTF_TOKEN="ctfd_..." # Ask user for this
Invoke
/ctf-miscctfd-navigation.mdStep 1: Recon
- Explore files -- List the challenge directory, run
on everythingfile * - Triage binaries --
,strings
,xxd | head
,binwalk
on binarieschecksec - Fetch links -- If the challenge mentions URLs, fetch them FIRST for context
- Connect -- Try remote services (
) to understand what they expectnc - Read hints -- Challenge descriptions, filenames, and comments often contain clues
Step 2: Categorize
Determine the primary category, then invoke the matching skill.
By file type:
,.pcap
,.pcapng
,.evtx
,.raw
,.dd
-> forensics.E01
,.elf
,.exe
,.so
, binary with no extension -> reverse or pwn (check if remote service provided -- if yes, likely pwn).dll
,.py
,.sage
with numbers -> crypto.txt
,.apk
,.wasm
-> reverse.pyc- Web URL or source code with HTML/JS/PHP/templates -> web
- Images, audio, PDFs with no obvious content -> forensics (steganography)
By challenge description keywords:
- "buffer overflow", "ROP", "shellcode", "libc", "heap" -> pwn
- "RSA", "AES", "cipher", "encrypt", "prime", "modulus", "lattice", "LWE", "GCM" -> crypto
- "XSS", "SQL", "injection", "cookie", "JWT", "SSRF" -> web
- "disk image", "memory dump", "packet capture", "registry", "power trace", "side-channel", "spectrogram", "audio tracks", "MKV" -> forensics
- "find", "locate", "identify", "who", "where" -> osint
- "obfuscated", "packed", "C2", "malware", "beacon" -> malware
- "jail", "sandbox", "escape", "encoding", "signal", "game", "Nim", "commitment", "Gray code" -> misc
By service behavior:
- Port with interactive prompt, crash on long input -> pwn
- HTTP service -> web
- netcat with math/crypto puzzles -> crypto
- netcat with restricted shell or eval -> misc (jail)
Step 3: Invoke the Category Skill
Once you identify the category, invoke the matching skill to get specialized techniques:
| Category | Invoke | When to Use |
|---|---|---|
| Web | | XSS, SQLi, SSTI, SSRF, JWT, file uploads, prototype pollution |
| Pwn | | Buffer overflow, format string, heap, ROP, sandbox escape |
| Crypto | | RSA, AES, ECC, PRNG, ZKP, classical ciphers |
| Reverse | | Binary analysis, game clients, VMs, obfuscated code |
| Forensics | | Disk images, memory dumps, event logs, stego, network captures |
| OSINT | | Social media, geolocation, DNS, public records |
| Malware | | Obfuscated scripts, C2 traffic, PE/.NET analysis |
| Misc | | Jails, encodings, RF/SDR, esoteric languages, constraint solving |
You can also invoke
/ctf-<category>Step 4: Pivot When Stuck
If your first approach doesn't work:
- Re-examine assumptions -- Is this really the category you think? A "web" challenge might need crypto for JWT forgery. A "forensics" PCAP might contain a pwn exploit to replay.
- Try a different category skill -- Many challenges span multiple categories. Invoke a second skill for the cross-cutting technique.
- Look for what you missed -- Hidden files, alternate ports, response headers, comments in source, metadata in images.
- Simplify -- If an exploit is too complex, check if there's a simpler path (default creds, known CVE, logic bug).
- Check edge cases -- Off-by-one, race conditions, integer overflow, encoding mismatches.
Common multi-category patterns:
- Forensics + Crypto: encrypted data in PCAP/disk image, need crypto to decrypt
- Web + Reverse: WASM or obfuscated JS in web challenge
- Web + Crypto: JWT forgery, custom MAC/signature schemes
- Reverse + Pwn: reverse the binary first, then exploit the vulnerability
- Forensics + OSINT: recover data from dump, then trace it via public sources
- Misc + Crypto: jail escape requires building crypto primitives under constraints
- OSINT + Stego: social media posts with unicode homoglyph steganography (Cyrillic lookalikes encode bits)
- Web + Forensics: paywall bypass (curl reveals content hidden by CSS overlays)
- Misc + Crypto + Game Theory: multi-phase interactive challenges with AES decryption → HMAC commitment → combinatorial game solving (GF(256) Nim)
- Crypto + Geometry + Lattice: multi-layer challenges progressing from spatial reconstruction → subspace recovery → LWE solving → AES-GCM decryption
- Forensics + Signal Processing: power traces / side-channel analysis requiring statistical analysis of measurement data
- Forensics + Network + Encoding: timing-based encoding in PCAP (inter-packet intervals encode binary data)
Step 5: Generate Write-up
After solving the challenge, invoke
/ctf-writeupFlag Formats
Flags vary by CTF. Common formats:
,flag{...}
,FLAG{...}
,CTF{...}TEAM{...}- Custom prefixes: check the challenge description or CTF rules for the format (e.g.,
,ENO{...}
,HTB{...}
)picoCTF{...} - Sometimes just a plaintext string with no wrapper
Validation rule (important):
- If you find multiple flag-like strings, treat them as candidates and validate before finalizing.
- Prefer the token tied to the intended artifact/workflow (not random metadata noise or obvious decoys).
- Do a corpus-wide uniqueness check and include the source file/path when reporting.
# Search for common flag patterns in files grep -rniE '(flag|ctf|eno|htb|pico)\{' . # Search in binary/memory output strings output.bin | grep -iE '\{.*\}'
Quick Reference
# Recon file * # Identify file types strings binary | grep -i flag # Quick string search xxd binary | head -20 # Hex dump header binwalk -e firmware.bin # Extract embedded files checksec --file=binary # Check binary protections # Connect nc host port # Connect to challenge echo -e "answer1\nanswer2" | nc host port # Scripted input curl -v http://host:port/ # HTTP recon # Python exploit template python3 -c " from pwn import * r = remote('host', port) r.interactive() "
Challenge
$ARGUMENTS