ctf-skills
Agent Skills for solving CTF challenges — web exploitation, binary pwn, crypto, reverse engineering, forensics, OSINT, and more. Works with any tool that supports the Agent Skills spec, including Claude Code.
Installation
npx skills add ljagiello/ctf-skills
Environment Setup
Two setup strategies depending on your workflow:
Pre-install (recommended before competitions)
Use the central installer entrypoint:
bash scripts/install_ctf_tools.sh all
Run a narrower mode when you only want one tool group:
bash scripts/install_ctf_tools.sh python
bash scripts/install_ctf_tools.sh apt
bash scripts/install_ctf_tools.sh brew
bash scripts/install_ctf_tools.sh gems
bash scripts/install_ctf_tools.sh go
bash scripts/install_ctf_tools.sh manual
Preview what would be installed (skips already-present packages):
bash scripts/install_ctf_tools.sh --dry-run all
Verify what's already installed:
bash scripts/install_ctf_tools.sh --verify
Use --force to reinstall everything regardless of what's already present. Install logs are saved to ~/.ctf-tools/.
The full package lists now live in scripts/install_ctf_tools.sh.
On-demand (during challenges)
Each skill's SKILL.md has a Prerequisites section listing only the tools needed for that category. Install as you go when the agent encounters a missing tool.
Skills
| Skill | Files | Description |
|---|---|---|
| ctf-ai-ml | 3 | Model weight perturbation negation, adversarial examples (FGSM, PGD, C&W), prompt injection, LLM jailbreaking, model extraction, membership inference, neural network collision, LoRA adapter exploitation, gradient descent inversion, data poisoning, backdoor detection, token smuggling, context window manipulation |
| ctf-web | 15 | SQLi (EXIF metadata injection, keyword fragmentation bypass, MySQL column truncation, DNS record injection, ORDER BY CASE WHERE bypass, QR code input injection, double-keyword filter bypass, MySQL session variable dual-value injection, information_schema.processlist race condition leak, PHP PCRE backtrack limit WAF bypass, BETWEEN operator tautology bypass, Host header injection + PROCEDURE ANALYSE()), XSS (AngularJS 1.x sandbox escape via charAt/trim override, Chrome Unicode URL normalization bypass, Referer header injection + WebRTC IP leak), SSTI, SSRF (Host header, DNS rebinding, ElasticSearch Groovy script_fields RCE), JWT (JWK/JKU/KID injection), prototype pollution, file upload RCE, Node.js VM escape, XXE (DOCX/Office XML upload), JSFuck, Web3/Solidity (reentrancy DAO pattern), delegatecall abuse, transient storage clearing collision, Groth16 proof forgery, phantom market unresolve, HAProxy bypass, polyglot XSS, CVEs (Apache CVE-2012-0053 HttpOnly cookie leak), HTTP TRACE bypass, LLM jailbreak, Tor fuzzing, SSRF→Docker API RCE, PHP type juggling, PHP assert() string evaluation injection, PHP LFI / php://filter (+ /dev/fd symlink bypass), PHP zip:// wrapper LFI via PNG/ZIP polyglot, PHP extract() variable overwrite, PHP backtick eval under character limit, PHP variable variables ($$var) abuse, PHP uniqid() predictable filename, PHP ReDoS code execution skip, Python str.format() attribute traversal info leak, DOM XSS jQuery hashchange, XML entity WAF bypass, React Server Components Flight RCE (CVE-2025-55182), XS-Leak timing oracle, GraphQL CSRF, Unicode case folding XSS (long-s U+017F), Unicode homoglyph path traversal (U+2E2E), CSS font glyph container query exfiltration, Hyperscript CDN CSP bypass, PBKDF2 prefix timing oracle, SSTI __dict__.update() quote bypass, ERB SSTI Sequel bypass, affine cipher OTP brute-force, Express.js %2F middleware bypass, IDOR on WIP endpoints, Apache mod_status info disclosure + session forging, Apache mod_rewrite PATH_INFO bypass, OAuth/OIDC exploitation, OAuth email subaddressing bypass, CORS misconfiguration, hash length extension attack (hashpumpy), Thymeleaf SpEL SSTI + Spring FileCopyUtils WAF bypass, Castor XML xsi:type JNDI, Apache ErrorDocument expression file read, SAML XPath digest smuggling (CVE-2024-45409), PaperCut auth bypass (CVE-2023-27350), Zabbix SQLi (CVE-2024-22120), CI/CD variable theft, git history credential leak, identity provider API takeover, Guacamole connection extraction, login page poisoning, TeamCity REST API RCE, Squid proxy pivoting, LaTeX injection RCE, LaTeX mpost restricted write18 bypass, Java deserialization (ysoserial, XMLDecoder RCE), .NET JSON TypeNameHandling $type deserialization, Python pickle RCE (+ STOP opcode chaining), XPath blind injection, race conditions (TOCTOU), client-side HMAC bypass via leaked JS secret, SQLite file path traversal string equality bypass, PHP preg_replace /e RCE, Prolog injection, HQL non-breaking space parser mismatch injection, sendmail parameter injection, base64-encoded path traversal LFI, terminal control character obfuscation, CSP bypass via Cloud Run whitelisted domain, multi-barcode concatenation shell injection, CSP nonce bypass via base tag hijacking, JA4/JA4H TLS fingerprint matching, git CLI newline injection, XSSI via JSONP callback exfiltration, Shift-JIS encoding SQLi (multi-byte charset mismatch), PHP serialization length manipulation via filter expansion, CSP bypass via link prefetch, bash brace expansion space-free injection, XML injection via X-Forwarded-For header, Common Lisp reader macro injection, base64 decode leniency signature bypass, Windows 8.3 short filename path traversal bypass, URL parse_url() @ symbol SSRF bypass, SSRF parse_url/curl double-@ discrepancy, TOTP recovery via PHP srand(time()) seed weakness, Ruby ObjectSpace memory scanning, Ruby Regexp.escape multibyte bypass, GraphQL injection (introspection, query batching/aliasing, string interpolation), PHP7 OPcache binary webshell + LD_PRELOAD disable_functions bypass, wget GET parameter filename trick, tar filename command injection, XSS to SSTI chain via Flask error pages, INSERT INTO dual-field SQLi column shift, session cookie forgery via timestamp-seeded PRNG, PNG/PHP polyglot upload + double extension + disable_functions scandir bypass, cross-origin cookie XSS via shared parent domain, XSS dot-filter bypass via decimal IP + bracket notation, editor backup file (~/.swp) source disclosure, date -f arbitrary file read, sequential regex replacement bypass, Java hashCode() collision auth bypass |
| ctf-pwn | 14 | Buffer overflow, ROP chains, ret2csu, ret2vdso, vsyscall ROP PIE bypass, bad char XOR bypass, exotic gadgets (BEXTR/XLAT/STOSB/PEXT), stack pivot (xchg rax,esp, double leave;ret to BSS), sprintf() gadget chaining bad char bypass, SROP with UTF-8 constraints, format string (saved EBP overwrite, argv[0] stack smash info leak, __printf_chk bypass with sequential %p, leak + GOT overwrite in single printf call, Objective-C %@ objc_msg_lookup exploitation, strlen int8_t truncation bypass), heap exploitation (unlink, House of Force top chunk overwrite, House of Apple 2 + setcontext SUID variant, Einherjar, signed/unsigned char underflow, tcache pointer decryption, unsorted bin promotion, XOR keystream brute-force write, GF(2) Gaussian elimination multi-pass tcache poisoning, application-level heap grooming, UAF vtable pointer encoding shell argument, fastbin stdout vtable two-stage hijack for PIE + Full RELRO, _IO_buf_base null byte stdin hijack, glibc 2.24+ vtable validation bypass, unsorted bin on stdin IO_buf_end, unsorted bin via mp structure), FSOP (stdout TLS leak, TLS destructor __call_tls_dtors hijack, leakless libc via multi-fgets stdout overwrite), RETF x64→x32 architecture switch seccomp bypass, x32 ABI syscall number aliasing seccomp bypass, seccomp BPF X-register addressing mode bypass, time-based blind shellcode (write blocked), GC null-ref cascading corruption, stride-based OOB leak, canary byte-by-byte brute force, stack canary null-byte overwrite leak + return-to-main, stack canary XOR epilogue as RDX zeroing gadget, seccomp bypass, sandbox escape, custom VMs, VM UAF slab reuse, io_uring UAF SQE injection, integer truncation (int32→int16, order-of-operations arithmetic), musl libc heap (meta pointer + atexit), custom shadow stack pointer overflow bypass, signed int overflow negative OOB heap write, XSS-to-binary pwn bridge, 4-byte shellcode timing side-channel via persistent registers, minimal shellcode with pre-initialized registers, unique-byte shellcode via syscall RIP→RCX, CRC oracle as arbitrary read primitive, UTF-8 case conversion buffer overflow (g_utf8_strup), ARM Thumb shellcode + dup2 socket redirect, Motorola 68000 (m68k) two-stage shellcode, DOS COM real mode shellcode (int 0x21), Forth interpreter system word exploitation, DynELF automated libc discovery, constrained shellcode (15-byte execve), protocol length field stack bleeding, timing attack character-by-character flag recovery, single-bit-flip exploitation primitive (mprotect + iterative code patching), Game of Life shellcode evolution via still-lifes, UAF via menu-driven strdup/free ordering, custom printf arginfo overwrite, Lua game logic integer underflow, Linux kernel exploitation (ret2usr, kernel ROP prepare_kernel_cred/commit_creds, modprobe_path, core_pattern, tty_struct kROP, userfaultfd race, SLUB heap spray, KPTI trampoline/signal handler bypass, KASLR/FGKASLR __ksymtab bypass, SMEP/SMAP, GDB module debugging, initramfs/virtio-9p workflow, MADV_DONTNEED race window extension, cross-cache CPU-split attack, PTE overlap file write, kmalloc size mismatch + struct file f_op corruption, eBPF verifier bypass exploitation), Windows SEH overwrite + pushad VirtualAlloc ROP, Windows CFG bypass using system() as valid call target, IAT-relative resolution, detached process shell stability, SeDebugPrivilege SYSTEM escalation, /proc/self/mem write-anywhere primitive, game AI arithmetic mean OOB read, arbitrary read/write GOT overwrite to shell, stack leak via __environ + memcpy overflow, JIT sandbox uint16 jump truncation, DNS compression pointer stack overflow, ELF code signing bypass via program header manipulation, game level signed/unsigned coordinate mismatch, FD inheritance via missing O_CLOEXEC, sign extension integer underflow in metadata parsing, ROP chain with read-only primitive, process_vm_readv sandbox escape, named pipe (mkfifo) file size bypass, format string .fini_array loop multi-stage exploitation, talloc pool header forgery, parser stack overflow via unchecked memcpy with callee-saved register restoration, unsafe unlink BSS + top chunk consolidation, mmap/munmap size mismatch UAF thread stack overlap, premature global index OOB stack write, strcspn indirect null byte injection |
| ctf-crypto | 13 | RSA (small e, common modulus, Wiener, Fermat, Pollard p-1, Hastad broadcast, Hastad broadcast with linear padding Coppersmith, Coppersmith, Coppersmith for linearly related primes q=kp+delta, Manger, Manger OAEP timing, p=q bypass, cube root CRT, phi multiple factoring, weak keygen base representation, gcd(e,phi)>1 exponent reduction, CRT fault attack bit-flip recovery, homomorphic decryption oracle bypass, small prime factors CRT decomposition, timing attack on Montgomery reduction, Bleichenbacher low-exponent signature forgery), AES (modified S-Box brute-force recovery, ECB byte-at-a-time chosen plaintext, ECB cut-and-paste block manipulation, CBC IV bit-flip auth bypass, CBC IV forgery + block truncation auth bypass, CBC UnicodeDecodeError side-channel oracle, CTR constant counter repeating keystream, CFB IV recovery from timestamp-seeded PRNG, padding oracle to CBC bitflip command injection, key recovery via byte-by-byte zeroing oracle), ECC (Ed25519 torsion side channel, shared prime factor GCD, DSA key recovery via MD5 collision on k-generation), ECDSA nonce reuse, DSA limited k-value brute force, PRNG (MT float recovery via GF(2) matrix for token prediction, MT seed recovery from subset sum, MT state recovery via constraint propagation, V8 XorShift128+ Math.random state recovery + inverse backward prediction, C srand/rand ctypes synchronization), ZKP (Shamir secret sharing reused polynomial attack), Groth16 broken setup, DV-SNARG forgery, KZG pairing oracle permutation recovery, braid group DH, BB-84 QKD MITM attack, introspective CRC via GF(2) linear algebra, LWE/CVP lattice attacks, AES-GCM, classic/modern ciphers (Polybius square), Kasiski examination, multi-byte XOR frequency analysis, variable-length homophonic substitution, hash length extension, compression oracle (CRIME-style), RC4 second-byte bias, RSA multiplicative homomorphism signature forgery, Rabin LSB parity oracle (binary search decryption), noisy LSB oracle post-hoc error correction, PBKDF2 pre-hash bypass (password > hash block size), MD5 multi-collision via fastcol, custom hash state reversal via known intermediates, CRC32 brute-force for small payloads, S-box collision, GF(2) CRT, historical ciphers, OTP key reuse, logistic map PRNG, RsaCtfTool, tropical semiring residuation, LFSR stream cipher attacks (Berlekamp-Massey, correlation attack, Galois tap recovery via autocorrelation), CRC32 collision signature forgery, Blum-Goldwasser bit-extension oracle, baby-step giant-step (BSGS, + sparse/low Hamming weight exponent variant) + Pohlig-Hellman for smooth-order DLP, Paillier cryptosystem attack, Paillier LSB oracle via homomorphic doubling, Merkle-Hellman knapsack LLL, Hamming code helical interleaving, ElGamal universal re-encryption, ElGamal trivial DLP when B=p-1, XOR consecutive byte correlation, Paillier oracle size bypass via ciphertext factoring, batch GCD shared prime factoring, hash function cycle reversal (Floyd/Brent), FPE Feistel brute-force, icosahedral symmetry group cipher, Goldwasser-Micali ciphertext replication oracle, grid permutation cipher keyspace reduction, OFB mode invertible RNG backward decryption, image-based Caesar shift ciphers, weak key derivation via public key hash XOR, HMAC-CRC linearity attack (GF(2) key recovery), DES weak keys OFB mode (period-2 keystream), square attack / integral cryptanalysis on reduced-round AES, RSA partial key recovery from dp/dq/qinv, DSA nonce reuse private key recovery, AES-GCM nonce reuse / forbidden attack (GHASH polynomial key recovery), SRP protocol bypass via modular arithmetic, XOR key recovery via file format headers (PDF/PNG/ZIP magic bytes), three-round XOR protocol key cancellation, sponge hash MITM collision on partial state, SPN S-box intersection partial key recovery, SPN column-wise XOR brute-force, Z3 constraint solving for stream ciphers, Fibonacci stream cipher position-shifting oracle, differential privacy Laplace noise cancellation, homomorphic encryption oracle bit-extraction |
| ctf-reverse | 13 | Binary analysis, custom VMs (+ VM bytecode lifting to LLVM IR), WASM, RISC-V, Rust serde, Python bytecode, OPAL, UEFI, game clients, anti-debug, anti-VM/anti-sandbox (CPUID, MAC, timing, file/registry artifacts), anti-DBI (Frida/Pin detection), code integrity/self-hashing, anti-disassembly (opaque predicates, junk bytes, control flow flattening), MBA obfuscation, instruction trace inversion with Keystone+Unicorn, SIGFPE signal handler side-channel via strace counting, batch crackme automation via objdump pattern extraction, fork + pipe + dead branch anti-analysis, Android DEX runtime bytecode patching via /proc/self/maps, Frida Android cert pinning bypass + native JNI invocation, Android TracerPid/su/system property anti-debug, Android log-based crypto key extraction, native JNI key dump + smali patching, pwntools binary patching, Binary Ninja, dogbolt.org, Frida dynamic instrumentation, angr symbolic execution, lldb, x64dbg, VMProtect/Themida analysis, binary diffing (BinDiff, Diaphora), deobfuscation (D-810, GOOMBA, Miasm), Qiling framework, Triton DSE, r2frida, reverse debugging (rr), advanced Ghidra/GDB scripting, GDB constraint extraction + ILP solver, GDB position-encoded input zero flag monitoring, LD_PRELOAD execute-only binary dump, LD_PRELOAD time() freeze for deterministic analysis, LIEF binary instrumentation, Rizin/Cutter, RetDec, Manticore, Sprague-Grundy game theory, kernel module maze solving, multi-threaded VM channels, multi-layer self-decrypting brute-force, convergence bitmap, .NET/Android RE (RijndaelManaged XOR+AES two-stage decode), Flutter/Dart AOT (Blutter), Verilog/hardware RE, Godot/Roblox game assets, CVP/LLL lattice validation, JNI RegisterNatives, decision tree obfuscation, GLSL shader VM, GF(2^8) Gaussian elimination, Z3 single-line Python circuit, sliding window popcount, Ruby/Perl polyglot, Electron ASAR + native binary reversing, Node.js npm runtime introspection, D language binary reversing (symbol demangling, Phobos library), Go binary reversing (GoReSym, goroutines), Rust binary reversing (demangling, panic strings), C++ vtable/RTTI reconstruction, C++ destructor-hidden validation (__cxa_atexit), Swift binary reversing, Kotlin/JVM reversing, multi-thread anti-debug decoy + signal handler MBA, backdoored shared library detection, keyboard LED Morse code via ioctl, Intel Pin instruction-counting side channel, SIGILL handler execution mode switching, rt_sigprocmask side-channel memory corruption, HD44780 LCD GPIO reconstruction, MIPS64 Cavium OCTEON CP2 hardware crypto, EFM32 ARM MMIO AES accelerator, MBR/bootloader reversing with QEMU+GDB, Game Boy ROM Z80 analysis (bgb debugger), MFC message map debugging, VM sequential key-chain brute-force with OpenMP, custom binfmt kernel module RC4 flat binaries, hash-resolved imports no-import ransomware, BF character-by-character static analysis, BF side-channel read count oracle, BF comparison idiom detection, Go binary UUID patching for C2 enumeration, Frida Firebase Cloud Functions bypass, ELF section header corruption anti-analysis, ARM64/AArch64 reversing and exploitation (calling convention, ROP, qemu emulation), ARM code in image pixels via UnicornJS, Intel SGX enclave RE with remote attestation, IBM AS/400 SAVF EBCDIC decoding, INT3 coredump brute-force oracle, signal handler chain LD_PRELOAD oracle, FRACTRAN program inversion, opcode-only trace reconstruction, Burrows-Wheeler Transform inversion, OpenType font ligature exploitation (GSUB table), ROP chain obfuscation analysis (ROPfuscation), instruction counter as cryptographic state (path-dependent byte transformation), thread race signed integer overflow (cdqe sign extension), ESP32/Xtensa firmware reversing with ROM symbol map, time-locked binary with date-based key, x86 16-bit MBR psadbw constraint solving |
| ctf-forensics | 13 | Disk/memory forensics, RAID 5 XOR recovery, APFS snapshot recovery, Windows KAPE triage, Windows/Linux forensics, steganography (Arnold's Cat Map descrambling, MJPEG extra bytes after FFD9, high-res SSTV custom FM demodulation, EXIF zlib + triangular numbers LSB, PDF xref generation number covert channel, pixel-wise ECB deduplication image recovery), network captures, tcpdump, TLS/SSL keylog decryption, RDP session decryption via PKCS12 key extraction, USB HID drawing, USB HID keyboard capture decoding (+ arrow key navigation tracking), USB MIDI Launchpad traffic reconstruction, UART decode, serial UART data decoding from WAV audio, side-channel power analysis, packet timing, 3D printing, signals/hardware (VGA, HDMI, DisplayPort, I2C bus protocol, IBM-29 punched card OCR), BMP bitplane QR, image puzzle reassembly, audio FFT notes, KeePass v4 cracking, cross-channel multi-bit LSB, F5 JPEG DCT detection, PNG palette stego, PNG height/CRC manipulation, APNG frame extraction, keyboard acoustic side-channel, TCP flag covert channel, Brotli decompression bomb seam, Git reflog/fsck squash recovery, browser artifact analysis, DNS trailing byte binary encoding, DNS exfiltration oracle via binary response probing, fake TLS stream with mDNS key and printability merge, seed-based pixel permutation stego, pixel coordinate chain steganography, AVI frame differential pixel steganography, SMB RID recycling via LSARPC, Timeroasting MS-SNTP hash extraction, RADIUS shared secret cracking (radius2john), RC4 stream identification in shellcode pcap, Android forensics, Docker container forensics, cloud storage forensics, Python in-memory source recovery via pyrasite, HFS+ resource fork hidden binary recovery, SQLite edit history reconstruction from diff table, corrupted ZIP repair via header field manipulation, JPEG thumbnail pixel-to-text mapping, conditional LSB with pixel filtering, GIF frame diff Morse code, GZSteg + spammimic, audio waveform binary encoding, audio spectrogram hidden QR, split archive reassembly via timestamp ordering, video frame averaging for hidden content, reversed audio, TLS master key extraction from coredump, corrupted git blob repair, corrupted PCAP repair (pcapfix), LUKS master key recovery via aeskeyfind, PRNG timestamp seed brute-force key recovery, VBA macro binary recovery, FemtoZip shared dictionary decompression, ICMP payload steganography with byte rotation, packet reconstruction via checksum validation, spreadsheet frequency analysis binary recovery, JPEG slack space steganography, nearest-neighbor interpolation pixel grid stego, XFS inode reconstruction, tar duplicate entry extraction, nested matryoshka filesystem layers, anti-carving via null byte interleaving, BTRFS subvolume/snapshot recovery, JPEG XL TOC permutation steganography, Kitty terminal graphics protocol, ANSI escape sequence steganography (+ network capture variant), CD audio disc image steganography (CIRC de-interleaving + spiral rendering), autostereogram solving, two-layer byte+line interleaving, multi-stream video container steganography, FAT16 free space data recovery, FAT16 deleted file recovery via fls/icat (+ deleted .git recovery), ext2 orphaned inode recovery via fsck, NTFS alternate data streams (ADS), Linux input_event keylogger dump parsing, VBA macro Excel cell to ELF binary extraction, RGB parity steganography, WPA/WEP WiFi decryption, SAP Dialog protocol decryption, BSON format reconstruction, TrueCrypt/VeraCrypt volume mounting, Ethereum/blockchain transaction tracing, progressive PNG layered XOR decryption, dnscat2 DNS tunnel reassembly, USB keyboard LED Morse code exfiltration, unreferenced PDF object hidden pages, Windows certutil base64 ZIP memory recovery, DNSSEC key recovery from git commit history |
| ctf-osint | 3 | Social media, geolocation, Google Lens cropped region search, reflected/mirrored text reading, Street View panorama matching, What3Words micro-landmark matching, Google Plus Codes, Baidu reverse image search, Overpass Turbo spatial queries, username enumeration, username metadata mining (postal codes), Strava fitness route OSINT, Google Maps photo verification, DNS recon, archive research, Google dorking (TBS image filters), Telegram bots, FEC filings, WHOIS investigation, music-themed landmark geolocation with key encoding, Shodan SSH fingerprint deanonymization, gaming platform OSINT (WoW/Steam/Minecraft character lookup), fake service banner detection via nmap fingerprinting |
| ctf-malware | 3 | Obfuscated scripts, C2 traffic, custom crypto protocols, .NET malware, PyInstaller unpacking, PE analysis, sandbox evasion, anti-analysis (VM detection, timing evasion, API hashing, process injection), dynamic analysis (strace/ltrace, network monitoring, memory extraction), YARA rules, shellcode analysis, memory forensics (Volatility malfind, process injection), Poison Ivy RAT Camellia decryption, DarkComet RAT forensics (keylogger log recovery, registry persistence), Cobalt Strike beacon analysis (Malleable C2 detection, dissect.cobaltstrike config extraction) |
| ctf-misc | 10 | Pyjails (func_globals module chain, restricted charset number gen, class attribute persistence, name mangling + func_code.co_consts + doc attribute access), bash jails, encodings (RTF custom tag extraction, SMS PDU decoding, RFC4042 UTF-9, pixel color binary encoding, TOPKEK binary encoding, MaxiCode 2D barcode decoding, DTMF audio + multi-tap T9 phone keypad, music note interval steganography), RF/SDR, DNS exploitation (+ round-robin A record enumeration), Unicode stego, floating-point tricks, game theory, commitment schemes, WASM, K8s, custom assembly sandbox escape, Lua sandbox escape (function name injection, table indexing bypass), Ruby sandbox escape via TracePoint.trace, cookie checkpoint, Flask cookie leakage, WebSocket game manipulation, Whitespace esolang, Docker group privesc, De Bruijn sequence, Brainfuck instrumentation, WASM linear memory manipulation, quine context detection, repunit decomposition, indexed directory QR reassembly, multi-stage URL encoding chains, Python marshal code injection, Benford's Law bypass, sudo wildcard fnmatch injection, crafted pcap sudoers.d, monit process injection, Apache -d override, backup cronjob SUID, PostgreSQL COPY TO PROGRAM, PostgreSQL backup credential extraction, NFS share exploitation, SSH Unix socket tunneling, PaperCut Print Deploy privesc, Squid proxy pivoting, Zabbix admin password reset, WinSSHTerm credential decryption, Piet/Malbolge esoteric language chains, multi-encoding sequential solver, parallel connection oracle relay, nonogram-to-QR pipeline, 100 prisoners cycle-following strategy, C code jail escape via emoji identifiers + add-eax gadget embedding, emulator ROM-switching state preservation, BuildKit daemon build secret exploitation, hexadecimal Sudoku + QR assembly, Z3 boolean gate network SAT solving for product keys, HISTFILE restricted shell file read, Levenshtein distance oracle attack, Docker container escape (privileged breakout, socket escape, CAP_SYS_ADMIN cgroup release_agent), SECCOMP high-bit file descriptor bypass, rvim jail escape via python3 |
| solve-challenge | 0 | Orchestrator skill — analyzes challenge and delegates to category skills |
| ctf-writeup | 0 | Generates standardized submission-style writeups with metadata, solution steps, code, and lessons learned |
Usage
Skills are loaded automatically based on context. You can also invoke the orchestrator directly:
/solve-challenge <challenge description or URL>
Contributing
See CONTRIBUTING.md for development setup and contribution guidelines.
License
MIT