Summary
This is the front door for CTF challenges when you don't yet know what you're dealing with. It runs triage on whatever you throw at it (a binary, a PCAP, a URL, a zip of mixed files), figures out if it's pwn, crypto, web, reversing, forensics, OSINT, malware, or misc, then hands off to the specialized skill for that category. The recon workflow is solid: it checks file types, pulls strings, fetches remote services, and even detects CTFd platforms to switch into API mode. Use this when you're staring at a challenge bundle with no obvious entry point. Skip it if you already know the category and can go straight to the specialist. It's a dispatcher, not a reference manual.
Install to Claude Code
npx -y skills add ljagiello/ctf-skills --skill solve-challenge --agent claude-codeInstalls into .claude/skills of the current project.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
Files
SKILL.mdView on GitHub
CTF Challenge Solver
You're a skilled CTF player. Your goal is to solve the challenge and find the flag.
Environment Setup
Two setup strategies depending on your workflow:
Pre-install (recommended before competitions)
Use the central installer entrypoint:
bash scripts/install_ctf_tools.sh all
Run a narrower mode when you only want one tool group:
bash scripts/install_ctf_tools.sh python
bash scripts/install_ctf_tools.sh apt
bash scripts/install_ctf_tools.sh brew
bash scripts/install_ctf_tools.sh gems
bash scripts/install_ctf_tools.sh go
bash scripts/install_ctf_tools.sh manual
The full package lists now live in scripts/install_ctf_tools.sh.
On-demand (during challenges)
Each category skill's SKILL.md has a Prerequisites section listing only the tools needed for that category. Install as you go.
Workflow
Step 0: CTFd Platform Detection
If the CTF platform URL is known, check if it runs CTFd and switch to API-driven navigation:
# Detect CTFd (look for /api/v1/ and /themes/core/)
curl -s "$CTF_URL/api/v1/" | head -5
curl -s "$CTF_URL" | grep -oE '/themes/core/'
If CTFd is detected, ask the user for their API token (generated from CTFd Settings > Access Tokens). The token is not provided by default — the user must create one in the CTFd web UI first. Once provided, set the environment variables and proceed via API:
export CTF_URL="https://ctf.example.com"
export CTF_TOKEN="ctfd_..." # Ask user for this
Invoke /ctf-misc and load its ctfd-navigation.md for the full API reference and Python client class.
Step 1: Recon
- Explore files -- List the challenge directory, run
file *on everything - Triage binaries --
strings,xxd | head,binwalk,checksecon binaries - Fetch links -- If the challenge mentions URLs, fetch them FIRST for context
- Connect -- Try remote services (
nc) to understand what they expect - Read hints -- Challenge descriptions, filenames, and comments often contain clues
Step 2: Categorize
Determine the primary category, then invoke the matching skill.
By file type:
.pcap,.pcapng,.evtx,.raw,.dd,.E01-> forensics.elf,.exe,.so,.dll, binary with no extension -> reverse or pwn (check if remote service provided -- if yes, likely pwn).py,.sage,.txtwith numbers -> crypto.apk,.wasm,.pyc-> reverse- Web URL or source code with HTML/JS/PHP/templates -> web
- Images, audio, PDFs with no obvious content -> forensics (steganography)
By challenge description keywords:
- "buffer overflow", "ROP", "shellcode", "libc", "heap" -> pwn
- "RSA", "AES", "cipher", "encrypt", "prime", "modulus", "lattice", "LWE", "GCM" -> crypto
- "XSS", "SQL", "injection", "cookie", "JWT", "SSRF" -> web
- "disk image", "memory dump", "packet capture", "registry", "power trace", "side-channel", "spectrogram", "audio tracks", "MKV" -> forensics
- "find", "locate", "identify", "who", "where" -> osint
- "obfuscated", "packed", "C2", "malware", "beacon" -> malware
- "jail", "sandbox", "escape", "encoding", "signal", "game", "Nim", "commitment", "Gray code" -> misc
By service behavior:
- Port with interactive prompt, crash on long input -> pwn
- HTTP service -> web
- netcat with math/crypto puzzles -> crypto
- netcat with restricted shell or eval -> misc (jail)
Step 3: Invoke the Category Skill
Once you identify the category, invoke the matching skill to get specialized techniques:
| Category | Invoke | When to Use |
|---|---|---|
| Web | /ctf-web | XSS, SQLi, SSTI, SSRF, JWT, file uploads, prototype pollution |
| Pwn | /ctf-pwn | Buffer overflow, format string, heap, ROP, sandbox escape |
| Crypto | /ctf-crypto | RSA, AES, ECC, PRNG, ZKP, classical ciphers |
| Reverse | /ctf-reverse | Binary analysis, game clients, VMs, obfuscated code |
| Forensics | /ctf-forensics | Disk images, memory dumps, event logs, stego, network captures |
| OSINT | /ctf-osint | Social media, geolocation, DNS, public records |
| Malware | /ctf-malware | Obfuscated scripts, C2 traffic, PE/.NET analysis |
| Misc | /ctf-misc | Jails, encodings, RF/SDR, esoteric languages, constraint solving |
You can also invoke /ctf-<category> to load the full skill instructions with detailed techniques.
Step 4: Pivot When Stuck
If your first approach doesn't work:
- Re-examine assumptions -- Is this really the category you think? A "web" challenge might need crypto for JWT forgery. A "forensics" PCAP might contain a pwn exploit to replay.
- Try a different category skill -- Many challenges span multiple categories. Invoke a second skill for the cross-cutting technique.
- Look for what you missed -- Hidden files, alternate ports, response headers, comments in source, metadata in images.
- Simplify -- If an exploit is too complex, check if there's a simpler path (default creds, known CVE, logic bug).
- Check edge cases -- Off-by-one, race conditions, integer overflow, encoding mismatches.
Common multi-category patterns:
- Forensics + Crypto: encrypted data in PCAP/disk image, need crypto to decrypt
- Web + Reverse: WASM or obfuscated JS in web challenge
- Web + Crypto: JWT forgery, custom MAC/signature schemes
- Reverse + Pwn: reverse the binary first, then exploit the vulnerability
- Forensics + OSINT: recover data from dump, then trace it via public sources
- Misc + Crypto: jail escape requires building crypto primitives under constraints
- OSINT + Stego: social media posts with unicode homoglyph steganography (Cyrillic lookalikes encode bits)
- Web + Forensics: paywall bypass (curl reveals content hidden by CSS overlays)
- Misc + Crypto + Game Theory: multi-phase interactive challenges with AES decryption → HMAC commitment → combinatorial game solving (GF(256) Nim)
- Crypto + Geometry + Lattice: multi-layer challenges progressing from spatial reconstruction → subspace recovery → LWE solving → AES-GCM decryption
- Forensics + Signal Processing: power traces / side-channel analysis requiring statistical analysis of measurement data
- Forensics + Network + Encoding: timing-based encoding in PCAP (inter-packet intervals encode binary data)
Step 5: Generate Write-up
After solving the challenge, invoke /ctf-writeup to generate a standardized submission-style writeup — concise, reproducible, and ready for competition organizers or teammates to validate.
Flag Formats
Flags vary by CTF. Common formats:
flag{...},FLAG{...},CTF{...},TEAM{...}- Custom prefixes: check the challenge description or CTF rules for the format (e.g.,
ENO{...},HTB{...},picoCTF{...}) - Sometimes just a plaintext string with no wrapper
Validation rule (important):
- If you find multiple flag-like strings, treat them as candidates and validate before finalizing.
- Prefer the token tied to the intended artifact/workflow (not random metadata noise or obvious decoys).
- Do a corpus-wide uniqueness check and include the source file/path when reporting.
# Search for common flag patterns in files
grep -rniE '(flag|ctf|eno|htb|pico)\{' .
# Search in binary/memory output
strings output.bin | grep -iE '\{.*\}'
Quick Reference
# Recon
file * # Identify file types
strings binary | grep -i flag # Quick string search
xxd binary | head -20 # Hex dump header
binwalk -e firmware.bin # Extract embedded files
checksec --file=binary # Check binary protections
# Connect
nc host port # Connect to challenge
echo -e "answer1\nanswer2" | nc host port # Scripted input
curl -v http://host:port/ # HTTP recon
# Python exploit template
python3 -c "
from pwn import *
r = remote('host', port)
r.interactive()
"
Challenge
$ARGUMENTS
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →First SeenApr 16, 2026
