ctf-pwn_skill
- Java
510
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill cyberkaida/reverse-engineering-assistant --skill ctf-pwn- patterns.md29.8 KB
- SKILL.md21.9 KB
Overview
This skill helps discover and exploit memory corruption vulnerabilities in CTF binary challenges to read flags. It provides a systematic exploitation framework covering data flow, memory safety, and exploitation layers, and it guides you from reconnaissance through payload planning and validation. Use it to handle buffer overflows, format strings, heap bugs, ROP, ret2libc, and related pwn tasks.
How this skill works
The skill inspects program inputs, data sinks, and surrounding memory to map attacker-controlled data to vulnerable destinations (stack, heap, globals). It identifies unsafe API patterns, computes offsets (buffer → saved registers → return address), locates leaks and gadgets, and proposes exploitation primitives (arbitrary read/write, control-flow hijack). It then outlines an exploitation plan and documents key addresses and assumptions for offline payload building and testing with tools like pwntools.
When to use it
- Binary challenges with suspicious unsafe APIs (strcpy, gets, printf(user_input)).
- Stack-based buffer overflows where input can overwrite saved registers or return addresses.
- Format string vulnerabilities that can leak addresses or perform writes (%x, %s, %n).
- Heap exploits: use-after-free, double-free, or heap overflow targeting allocator metadata.
- ROP/ret2libc when NX/DEP is enabled and code injection is not possible.
Best practices
- Start by mapping inputs to memory destinations and asking what data you control.
- Record buffer sizes, stack layout, and offsets before building payloads; verify assumptions at runtime.
- Prioritize information leaks early (canary, libc, PIE) to calculate stable addresses under ASLR.
- Chain primitives: leak → calculate bases → perform arbitrary write/read → hijack control flow.
- Annotate findings and assumptions in the analysis environment so payloads can be iteratively refined.
Example use cases
- Exploit a classic stack overflow: calculate buffer→return offset, craft padding + return overwrite to call system("/bin/cat flag.txt").
- Leverage a format string to leak libc addresses, compute libc base, then build a ret2libc payload.
- Use heap overflow to corrupt adjacent chunk metadata, trigger allocator behavior, and overwrite a function pointer or GOT entry.
- Combine a leaked stack canary with a ROP chain to bypass NX and execute a shell.
- Analyze a stripped binary to find unsafe input paths, mark exploitation targets, and document an exploit plan for offline testing.
FAQ
Yes — the skill focuses on static analysis and planning, but successful exploitation usually requires runtime verification and iterative payload testing with tools like pwntools or a debugger.
How do I handle protections like ASLR, NX, and canaries?
ASLR: obtain leaks to compute base addresses. NX: use ROP or ret2libc. Canaries: leak the canary or avoid corrupting it when crafting the payload. The skill outlines specific bypass strategies for each protection.