Origin Story

During the weekend I sometimes participate in CTFs as a way to learn new skills and keep my existing skills sharp.

During those CTFs I usually start out a challenge by running the strings command, the file command, opening it with Ghidra, etc.

I thought it would be cool to make a program that can do all of this and MORE to look for low-hanging flags. The name of this project is CTF Pal, and it can be found on GitHub.

As I do more CTFs I will keep adding tools to this project that will help attempt to figure out flags.

Before using this tool, you might need to install the underlying tools. As of right now I will not add code that automatically installs them, but I will try to keep a list of the commands that can be used to install them.

What Can The Program Do?

Exif Data


The program uses the tool exiftool to look at the metadata of the file to see if there are any hints or flags hidden in it. This tool works on a whole bunch of different types of files such as images, documents and PDFs.

ApkTool


APKs are the package format used by Android phones. An app ships as a .apk file, which is basically a zip file or compressed archive. This means we can extract the files inside the APK.

It can also contain libraries, which are actual compiled code. Apktool is a program that allows us to decompile an APK to view the source code of the application.

The method included in this project first makes sure that the given file is an .apk file; if it is, it runs apktool to decompile the APK.

Strings Command

This feature will run the strings command on the file. Then it will go through the found strings and look for the word ctf. It will also look for the word ctf encoded in base64 and hex. It is also possible to have the script look for a custom word, since some CTFs don't always have the word ctf in the flag name.

The code also allows the user to look for a custom string. Most CTFs have a special type of flag. This feature is meant to be used for those that might not have the string "CTF" in the flag name.
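As an added example of the search described above (not CTF Pal's own code), the Ruby module below scans strings output for a flag word in plain text, as hex, and inside base64. It goes a step beyond matching the fixed encoding of "ctf": every base64-looking token is decoded before searching, so the word is found even when it is not at a 3-byte-aligned offset in the encoded data. The module and its names are invented for this example.

```ruby
require 'base64'

# Added example (not CTF Pal's code): look for a flag word in `strings`-style
# output in three forms: plain text, hex-encoded, and inside base64 tokens.
module FlagHunt
  BASE64_TOKEN = %r{[A-Za-z0-9+/]{8,}={0,2}}   # base64-looking runs of 8+ chars
  HEX_TOKEN    = /\b(?:[0-9a-fA-F]{2}){4,}\b/  # even-length hex runs of 8+ chars

  # Returns [line_number, kind, evidence] for every hit. `lines` is an array
  # of strings output lines; `word` is the flag word (ctf or a custom one).
  def self.scan(lines, word = 'ctf')
    needle = Regexp.new(Regexp.escape(word), Regexp::IGNORECASE)
    hits = []
    lines.each_with_index do |line, idx|
      hits << [idx + 1, :plain, line.strip] if line =~ needle

      # Hex: decode each even-length hex run and search the raw bytes.
      line.scan(HEX_TOKEN) do |tok|
        decoded = [tok].pack('H*')
        hits << [idx + 1, :hex, decoded] if decoded =~ needle
      end

      # Base64: decoding the token instead of matching a fixed "Y3Rm" means the
      # word is found at any byte offset inside the encoded data.
      line.scan(BASE64_TOKEN) do |tok|
        decoded = decode_b64(tok)
        hits << [idx + 1, :base64, decoded] if decoded && decoded =~ needle
      end
    end
    hits
  end

  # Pads the token to a multiple of 4 and decodes strictly; tokens that are
  # not valid base64 (e.g. ordinary words) come back as nil instead of raising.
  def self.decode_b64(tok)
    padded = tok + '=' * ((4 - tok.length % 4) % 4)
    Base64.strict_decode64(padded)
  rescue ArgumentError
    nil
  end
end
```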

Headers of A Site

This feature of the code will make a single request to the given website and print out the response headers and their values.

FFUF


FFUF is a very fast website scanner. By default it uses the wordlist that can be found here. You can also use a different list by doing something like the code below.

web = CTFPal::Web.new(file: "new_file.txt")
web.site = "google.com"
web.ffuf

File Command

The file command can be used to determine the file type. For a binary it might also tell the user whether the file is stripped or not stripped, dynamically or statically linked, and other information about the file.

Stegseek


StegSeek is a steganography cracker. You give it a JPG and it will try to extract the hidden file from the JPG. A wordlist is needed to run this tool. If the hidden data is password protected, it will also attempt to brute force the password. The program can be downloaded from here.

Hash-ID

Hash-ID is a program that can be used to identify hash types. This feature is useful if you need to determine the type of a hash so you can use a different tool to attempt to crack it. The program can be installed by using the following command.

sudo snap install hash-id

The program is written in Rust, which makes it very fast. The tool's GitHub can be found here.

Binwalk

Binwalk is a tool that can be used to extract files that have been embedded in other files. It might be able to extract a hidden image from inside an image; in one of my other posts I used binwalk to extract the contents of a Ruby gem file.

The -e flag is used so that binwalk will extract anything it is able to into new files.

After detecting the file information, the code will check whether it is a PNG. If the extracted file is a PNG, it will copy the file and rename it with a .png extension.

Web


The Web class will check a handful of paths to see if they exist. Paths include, but are not limited to, /security.txt, robots.txt and ads.txt.

Strace

strace is used to investigate system calls. It can also be attached to a PID. It is only for Linux machines.

Ltrace

Ltrace is a debugging tool that can sometimes reveal flags. The tool can be found here. As the name implies, it traces the library calls a program makes.

The code

Below is a sample of the code that will do a bunch of things. It will probably still require a manual look over after the code is run.

# loads the tool
require './lib/CTF_Pal'
require 'colorize'

ctf = CTFPal::Files.new

# inputs the file into the program
ctf.file = "challenge"

# this will show the output of the file command.
# (Ruby string interpolation needs the # in #{...}.)
puts "FILE INFO: #{ctf.get_file_info}\n\n\n"

# this will dump the strings using the strings command and look for CTF.
ctf.find_flag_in_strings

# this will look for a custom string in the strings output.
strings_name = "flag" # placeholder: set this to the flag prefix used by the CTF
ctf.find_flag_custom(strings_name)

# run the exiftool on the file.
ctf.exiftool

# Uses binwalk to extract any files.
ctf.bin_walk

Before any of the code is run, it will create an array of all the current files.

After binwalk is run, it will create another array of the current files and compare it against the first one to see which files were already there before.

If there are any new folders or files, the code will loop through all of them and get their file type. Then, if the file command detects a file as a PNG, it will rename the file.
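The three steps above (snapshot the directory, run the extraction, diff and rename new PNGs) as an added example in Ruby. This is not CTF Pal's code: it swaps the file command for a direct check of the 8-byte PNG signature, takes the extraction step as a block so it can be tested without binwalk installed, and the module name and method names are invented for this example.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example (not CTF Pal's code): snapshot a directory, run an extraction
# step, diff the snapshots to find new files, and tag new PNGs with .png.
module ExtractWatch
  # Every PNG file starts with these 8 bytes (the `file` command uses the same
  # signature; checking it directly avoids shelling out).
  PNG_MAGIC = "\x89PNG\r\n\x1a\n".b

  # All regular files below dir as relative paths. Recursive, so files that
  # binwalk -e drops into its _name.extracted/ directory are included.
  def self.snapshot(dir)
    Dir.glob('**/*', base: dir).select { |p| File.file?(File.join(dir, p)) }
  end

  # True when the file begins with the PNG signature. Short or empty files
  # read back fewer bytes (or nil) and simply compare unequal.
  def self.png?(path)
    File.binread(path, PNG_MAGIC.bytesize) == PNG_MAGIC
  end

  # Takes a before snapshot, runs the block (here: the extraction step, e.g.
  # `binwalk -e challenge`), then copies every new PNG that lacks a .png
  # extension to a .png-suffixed copy. Returns [[old_rel, new_rel], ...].
  def self.extract_and_tag(dir)
    before = snapshot(dir)
    yield
    new_files = snapshot(dir) - before
    renamed = []
    new_files.each do |rel|
      path = File.join(dir, rel)
      next unless png?(path) && File.extname(path).downcase != '.png'
      FileUtils.cp(path, "#{path}.png")   # copy + rename, as the post describes
      renamed << [rel, "#{rel}.png"]
    end
    renamed
  end
end
```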

config.sh Script


The bash script "config.sh" turns the Ruby program into an executable and copies the file to the user's home directory where the system stores gems, under the file name "ctfpal". See the example below:

 /home/mike/.gem/bin/ctfpal

This allows the program to be used anywhere on the system just by typing "ctfpal" in the terminal, which will then ask you to enter the name of a file. Before it performs any action, the code will make sure that the file exists.