Welcome to my CTF Writeups repository! Here, I document the solutions and methodologies used to solve various Capture The Flag (CTF) challenges. CTF competitions are a popular way to practice and improve cybersecurity skills: they present challenges that require problem-solving, creativity, and technical knowledge. This repository contains my writeups for the CTF challenges I have participated in and is intended to serve as a learning resource for others interested in cybersecurity and CTF competitions.
The writeups in this repository (located in the "writeups" folder) are categorised by the nature of the challenges. Each writeup provides a step-by-step solution, along with explanations of the tools and techniques used. The difficulty rating associated with each challenge is the rating given by the platform hosting the challenge/lab/CTF, so take it with a grain of salt: some challenges rated as hard are actually easy, and vice versa. The rating is out of 5 stars, where 5 means I enjoyed the challenge and 1 means I didn't find it enjoyable.
Disclaimer! In all honesty, some of these writeups are written poorly, mainly because I complete them to learn practical skills, not to practice reporting. When it comes to well-written writeups, I recommend reading my most recent ones (i.e., those furthest down in the tables).
I recommend starting with the easy or medium rated challenges; there is honestly little difference between the two ratings for the most part. You can find the challenges with a given difficulty rating by pressing CTRL + F and searching for one of the following tags:
- Easy
- Medium
- Hard
When it comes to which platform to use, that depends on your interests and skill level. For DFIR (digital forensics and incident response) and CTI (cyber threat intelligence) based challenges I highly recommend CyberDefenders, as it provides the most realistic challenges and often requires the use of VMs or a home lab. If you are a beginner, TryHackMe is a great place to start, as it often provides a VM, or you can always use the AttackBox, which comes preinstalled with a bunch of tools. Lastly, if you are interested in becoming a blue teamer, I recommend checking out Blue Team Labs Online (BTLO).
- Pentesting
- IDS/IPS
- SIEM (ELK, Splunk, etc.)
- Cyber Threat Intelligence (CTI)
- Endpoint Forensics
- Mobile Forensics
- Email Analysis
- Network Forensics
- Malware Analysis
- Reverse Engineering
- Tools Used
- Personal Platform Profiles
## Pentesting

This section contains writeups focused on penetration testing. Challenges are typically boot2root machines, which involve scanning, enumeration, vulnerability analysis and exploitation, privilege escalation, and more. They are great for building foundational penetration testing skills and learning common attacks.
Challenge | Platform | Difficulty | Rating | Tags
---|---|---|---|---
Basic | HackThisSite | Medium | ⭐⭐⭐ | burp suite
Silver Platter | TryHackMe | Easy | ⭐⭐⭐ | Nmap GoBuster ssh privilege escalation
Dav | TryHackMe | Easy | ⭐⭐⭐ | Nmap GoBuster hydra privilege escalation
Wgel CTF | TryHackMe | Easy | ⭐⭐⭐ | Nmap dirb ssh privilege escalation
Lookup | TryHackMe | Easy | ⭐⭐⭐⭐ | Nmap hydra searchsploit metasploit privilege escalation
Toolsrus | TryHackMe | Easy | ⭐⭐⭐ | Nmap dirbuster hydra nikto metasploit msfvenom
Raven 1 | VulnHub | Medium | ⭐⭐⭐⭐⭐ | arp-scan Nmap GoBuster wpscan nikto hydra ssh mysql
Pickle Rick | VulnHub | Easy | ⭐⭐⭐⭐⭐ | Nmap GoBuster nikto privilege escalation
Mr Robot | VulnHub | Medium | ⭐⭐⭐⭐ | arp-scan Nmap GoBuster nikto wpscan hydra hashcat privilege escalation
Photographer | VulnHub | Medium | ⭐⭐⭐⭐⭐ | arp-scan Nmap GoBuster nikto enum4linux SMB burp suite
Lazy Admin | VulnHub | Medium | ⭐⭐⭐⭐⭐ | Nmap GoBuster hash-identifier searchsploit privilege escalation
IDE | TryHackMe | Easy | ⭐⭐⭐⭐⭐ | Nmap FTP searchsploit ssh privilege escalation
Easy peasy | TryHackMe | Easy | ⭐⭐⭐⭐⭐ | Nmap GoBuster hash-identifier CyberChef steghide ssh privilege escalation
Colddbox Vulnhub | VulnHub | Easy | ⭐⭐⭐⭐⭐ | Nmap GoBuster wpscan hydra privilege escalation
Colddbox THM | TryHackMe | Easy | ⭐⭐⭐⭐⭐ | Nmap GoBuster wpscan hydra privilege escalation
Bounty Hacker | TryHackMe | Easy | ⭐⭐⭐⭐ | Nmap FTP hydra privilege escalation
Blogger1 | VulnHub | Easy | ⭐⭐⭐⭐⭐ | arp-scan Nmap GoBuster wpscan privilege escalation
Basic Pentesting | TryHackMe | Easy | ⭐⭐⭐⭐ | Nmap GoBuster enum4linux SMB hydra john privilege escalation
Anonymous | TryHackMe | Medium | ⭐⭐⭐⭐ | Nmap enum4linux SMB FTP privilege escalation
Agent Sudo | TryHackMe | Easy | ⭐⭐⭐⭐ | Nmap curl hydra FTP binwalk steghide ssh privilege escalation
## IDS/IPS

Writeups here explore intrusion detection and prevention systems such as Snort. These labs simulate network-based attacks and help develop skills in detecting and responding to suspicious traffic patterns and rule-based alerts.
Challenge | Platform | Difficulty | Rating | Tags
---|---|---|---|---
Snort Challenge the Basics | TryHackMe | Medium | ⭐⭐ | Snort
Snort Challenge live attacks | TryHackMe | Medium | ⭐⭐⭐ | Snort
## SIEM (ELK, Splunk, etc.)

These challenges involve using SIEMs like Splunk, ELK, and Wazuh to identify threats.
Challenge | Platform | Difficulty | Rating | Tags
---|---|---|---|---
Monday Monitor | TryHackMe | Easy | ⭐⭐⭐ | Wazuh CyberChef
NerisBot Lab | CyberDefenders | Easy | ⭐⭐⭐⭐⭐ | Splunk Zeek Suricata VirusTotal
Peak | BTLO | Medium | ⭐⭐ | Elastic
Defaced | BTLO | Easy | ⭐⭐ | Elastic
SOC Alpha 3 | BTLO | Medium | ⭐⭐⭐⭐⭐ | Elastic VirusTotal
SOC Alpha 2 | BTLO | Easy | ⭐⭐⭐⭐⭐ | Elastic
SOC Alpha 1 | BTLO | Easy | ⭐⭐⭐ | Elastic
Middle Mayhem | BTLO | Easy | ⭐⭐⭐ | Elastic
Boogeyman 3 | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Elastic
New Hire Old Artifacts | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Elastic
PS Eclipse | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Elastic
Conti | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Elastic
SlingShot | TryHackMe | Easy | ⭐⭐⭐⭐ | Elastic CyberChef
Benign | TryHackMe | Medium | ⭐⭐⭐ | Elastic
Investigating with Splunk | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Splunk
ItsyBitsy | TryHackMe | Medium | ⭐⭐⭐ | Elastic
## Cyber Threat Intelligence (CTI)

These labs focus on cyber threat intelligence. You will learn how to use threat intelligence platforms like VirusTotal, Malpedia, MITRE ATT&CK, and much more. Most of these challenges involve tracking malware campaigns, attributing malware to threat actors, and similar tasks.
Challenge | Platform | Difficulty | Rating | Tags
---|---|---|---|---
Trooper | TryHackMe | Easy | ⭐⭐⭐⭐ | Open CTI
Yellow RAT | CyberDefenders | Easy | ⭐⭐ | VirusTotal
GrabThePhisher | CyberDefenders | Easy | ⭐⭐⭐ | Sublime
Red Stealer | CyberDefenders | Easy | ⭐⭐ | VirusTotal MalwareBazaar
PhishStrike Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | Sublime URLhaus VirusTotal
Tusk Infostealer Lab | CyberDefenders | Easy | ⭐ | Kaspersky Threat Intelligence Portal VirusTotal
Oski Lab | CyberDefenders | Easy | ⭐⭐ | VirusTotal any.run
IcedID | CyberDefenders | Easy | ⭐ | VirusTotal Tria.ge Malpedia
## Endpoint Forensics

These challenges mainly involve investigating compromised endpoints, primarily Windows and Linux, using a variety of forensic tools.
Challenge | Platform | Difficulty | Rating | Tags
---|---|---|---|---
Hammered Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | Linux Command Line Tools Linux Forensics
SpottedInTheWild Lab | CyberDefenders | Hard | ⭐⭐⭐⭐⭐ | Arsenal Image Mounter PECmd MFTECmd EvtxECmd Timeline Explorer Strings CyberChef AnyRun CVE-2023-38831 bitsadmin Windows Forensics
Akira Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | Volatility 3 MemProcFS EvtxECmd Timeline Explorer Strings Text Editor Windows Forensics PsExec
IcedID 2 Lab | CyberDefenders | Medium | ⭐⭐⭐ | Volatility 3 MemProcFS Text Editor VirusTotal Windows Forensics
MinerHunt Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | EvtxECmd Timeline Explorer VirusTotal Windows Forensics Microsoft SQL Server IFEO WMI
LummaStealer Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | EvtxECmd Timeline Explorer DB Browser for SQLite Windows Forensics
VaultBreak Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | DB Browser for SQLite EvtxECmd Timeline Explorer MFTECmd Windows Forensics WMI Scheduled Tasks
IronShade | TryHackMe | Medium | ⭐⭐⭐⭐ | Bash Linux Forensics
Hunter Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | FTK Imager Registry Explorer DCode EvtxECmd Timeline Explorer PECmd Sublime DB Browser for SQLite SysTools Outlook PST Viewer ShellBags Explorer JumpListExplorer Windows Forensics
CrownJewel1 | HackTheBox | Easy | ⭐⭐⭐⭐⭐ | Hayabusa Timeline Explorer EvtxECmd MFTECmd Event Viewer ntds.dit Volume Shadow Copies
Lockbit Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | EvtxECmd Timeline Explorer Notepad++ VirusTotal
DarkCrystal Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | Volatility3 Timeline Explorer EvtxECmd
QBot Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | Volatility3 VirusTotal Malicious Excel Document
ELPACO-team Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | EvtxECmd Timeline Explorer MFTECmd VirusTotal
Retracted | TryHackMe | Easy | ⭐⭐ | Event Viewer
Unattended | TryHackMe | Medium | ⭐⭐⭐ | Registry Explorer Autopsy
Disgruntled | TryHackMe | Easy | ⭐ | cat
Secret Recipe | TryHackMe | Medium | ⭐⭐⭐⭐ | Registry Explorer
Critical | TryHackMe | Easy | ⭐⭐⭐⭐⭐ | Volatility3 strings
Tempest | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Timeline Explorer Wireshark Brim CyberChef VirusTotal
Boogeyman 2 | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | text editor Olevba Volatility2
Ramnit | CyberDefenders | Easy | ⭐⭐⭐⭐ | Volatility3 VirusTotal
Reveal | CyberDefenders | Easy | ⭐⭐⭐⭐ | Volatility3 Timeline Explorer VirusTotal
FakeGPT | CyberDefenders | Easy | ⭐⭐⭐⭐⭐ | ExtAnalysis CyberChef
Brave | CyberDefenders | Medium | ⭐⭐⭐⭐ | Volatility3 HxD
Redline | CyberDefenders | Easy | ⭐⭐⭐⭐ | Volatility3 Timeline Explorer VirusTotal
Memory Analysis | LetsDefend | Medium | ⭐⭐⭐⭐⭐ | Volatility3 VirusTotal Crackstation
Lockbit | LetsDefend | Easy | ⭐⭐⭐⭐ | Volatility3 VirusTotal
WinRar 0-Day | LetsDefend | Medium | ⭐⭐⭐ | Volatility3 CyberChef
BlackEnergy Lab | CyberDefenders | Medium | ⭐⭐⭐ | Volatility3 Timeline Explorer VirusTotal
Memory Analysis - Ransomware | BTLO | Medium | ⭐⭐⭐⭐ | Volatility3
Tardigrade | TryHackMe | Medium | ⭐ | Linux command-line
Sysinternals | CyberDefenders | Medium | ⭐⭐ | Autopsy AppCompatParser AmcacheParser VirusTotal
REvil Corp | TryHackMe | Medium | ⭐⭐⭐ | Redline VirusTotal
Forensics | TryHackMe | Hard | ⭐⭐⭐⭐⭐ | Volatility3 strings
Dead End? | TryHackMe | Hard | ⭐⭐⭐ | Volatility3 FTK Imager VirusTotal
Insider Lab | CyberDefenders | Easy | ⭐⭐⭐ | FTK Imager
Seized Lab | CyberDefenders | Medium | ⭐⭐⭐ | Volatility3 strings
Browser Forensics - Cryptominer | BTLO | Easy | ⭐⭐⭐ | FTK Imager
Kraken Keylogger Lab | CyberDefenders | Medium | ⭐⭐ | DB Browser for SQLite LECmd text editor
HireMe Lab | CyberDefenders | Medium | ⭐⭐⭐⭐ | FTK Imager Registry Explorer LECmd RegRipper OST Viewer
DumpMe Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | Volatility2 VirusTotal
AfricanFalls Lab | CyberDefenders | Medium | ⭐⭐⭐ | FTK Imager rifiuti2 Browsing History View PECmd ShellBags Explorer
Injector Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | FTK Imager Volatility3 Registry Explorer cut
NintendoHunt Lab | CyberDefenders | Hard | ⭐⭐ | Volatility2 Strings
DeepDive Lab | CyberDefenders | Hard | ⭐⭐ | Volatility2 VirusTotal
CorporateSecrets Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | FTK Imager MFTECmd Timeline Explorer RegRipper PECmd
Bruteforce | BTLO | Medium | ⭐⭐⭐⭐⭐ | Timeline Explorer cat
Silent Breach | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | FTK Imager Browsing History View DB Browser for SQLite Strings Grep
Amadey Lab | CyberDefenders | Easy | ⭐⭐⭐ | Volatility3
DiskFiltration | TryHackMe | Hard | ⭐⭐⭐⭐ | Autopsy Timeline Explorer MFTECmd Exiftool HxD
Volatility Traces Lab | CyberDefenders | Easy | ⭐⭐⭐⭐⭐ | Volatility 3 Defense Evasion
MeteorHit Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | Registry Explorer Timeline Explorer EvtxECmd MFTECmd VirusTotal NTFS Forensics Sysmon Defense Evasion
Fog Ransomware Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | DB Browser for SQLite MFTECmd Timeline Explorer EvtxECmd VirusTotal
NetX-Support Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | DB Browser for SQLite FTK Imager MFTECmd EvtxECmd PECmd CyberChef Registry Explorer LECmd
Beta Gamer Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | DB Browser for SQLite FTK Imager MFTECmd EvtxECmd
Trigona Ransomware Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | EvtxECmd Timeline Explorer Registry Explorer MFTECmd PECmd AmcacheParser
Deep Blue | BTLO | Easy | ⭐⭐⭐ | deepbluecli Event Viewer
Brutus | HackTheBox | Easy | ⭐⭐⭐⭐⭐ | grep awk sed sort uniq last auth.log wtmp
Crownjewel-2 | HackTheBox | Easy | ⭐⭐⭐⭐⭐ | EvtxECmd Timeline Explorer
Operation Blackout 2025: Phantom Check | HackTheBox | Easy | ⭐⭐ | EvtxECmd Timeline Explorer
## Mobile Forensics

This section focuses on investigating mobile devices.
Challenge | Platform | Difficulty | Rating | Tags
---|---|---|---|---
The Crime lab | CyberDefenders | Easy | ⭐⭐⭐⭐⭐ | ALEAPP
Eli Lab | CyberDefenders | Medium | ⭐⭐ | CLEAPP
## Email Analysis

This section dives into investigating emails, primarily phishing emails. You will learn how to extract headers, decode payloads, verify SPF/DKIM records, and assess malicious indicators in emails.
Challenge | Platform | Difficulty | Rating | Tags
---|---|---|---|---
Greenholt Phish | TryHackMe | Easy | ⭐⭐⭐⭐⭐ | Thunderbird mxtoolbox VirusTotal
Snapped Phish-ing Line | TryHackMe | Easy | ⭐⭐⭐⭐ | VirusTotal text editor
Phishing Analysis | BTLO | Easy | ⭐⭐⭐⭐⭐ | Sublime URL2PNG
Phishing Analysis 2 | BTLO | Easy | ⭐⭐⭐⭐⭐ | Sublime CyberChef
Phishy v1 | BTLO | Medium | ⭐⭐⭐ |
## Network Forensics

This category focuses on packet analysis of PCAP files and Zeek logs. Tools like Wireshark, Zeek, and Brim are frequently used.
Challenge | Platform | Difficulty | Rating | Tags
---|---|---|---|---
BlueSky Ransomware Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | Wireshark Zui Event Log Explorer CyberChef VirusTotal
HawkEye Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | Wireshark Zui NetworkMiner VirusTotal
PacketMaze Lab | CyberDefenders | Medium | ⭐ | Wireshark NetworkMiner
Boogeyman 1 | TryHackMe | Medium | ⭐⭐⭐ | Thunderbird lnkparse cat Wireshark
PacketDetective | CyberDefenders | Easy | ⭐⭐⭐⭐ | Wireshark
DanaBot | CyberDefenders | Easy | ⭐⭐⭐⭐ | Wireshark VirusTotal NetworkMiner
Web Investigation | CyberDefenders | Easy | ⭐⭐⭐⭐⭐ | Wireshark MaxMind GeoIP database
WebStrike | CyberDefenders | Easy | ⭐⭐⭐⭐ | Wireshark
PoisonedCredentials | CyberDefenders | Easy | ⭐⭐ | Wireshark
TomCat Takeover | CyberDefenders | Easy | ⭐⭐⭐⭐⭐ | Wireshark
PsExec Hunt | CyberDefenders | Easy | ⭐⭐⭐ | Wireshark
Shellshock Attack | LetsDefend | Easy | ⭐ | Wireshark
HTTP Basic Auth | LetsDefend | Easy | ⭐⭐ | Wireshark
Brute Force Attack | LetsDefend | Medium | ⭐⭐⭐⭐ | Wireshark cat grep
OpenWire Lab | CyberDefenders | Medium | ⭐⭐⭐⭐ | Wireshark
Network Analysis - Web Shell | BTLO | Easy | ⭐⭐⭐⭐ | Wireshark
XMLRat Lab | CyberDefenders | Easy | ⭐⭐⭐⭐⭐ | Wireshark VirusTotal CyberChef
Network Analysis - Ransomware | BTLO | Medium | ⭐⭐ | Wireshark
l337 S4uc3 Lab | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | Wireshark NetworkMiner Brim Volatility 2
Piggy | BTLO | Easy | ⭐⭐⭐ | Wireshark VirusTotal
Shiba Insider | BTLO | Easy | ⭐⭐ | Wireshark exiftool
Tshark Challenge II: Directory | TryHackMe | Easy | ⭐⭐⭐⭐⭐ | Tshark VirusTotal
TShark Challenge 1: Teamwork | TryHackMe | Easy | ⭐⭐ | Tshark VirusTotal
TShark | TryHackMe | Medium | ⭐⭐⭐ | Tshark
Carnage | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Wireshark VirusTotal
Warzone 2 | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Brim NetworkMiner Wireshark VirusTotal CyberChef
Warzone 1 | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Brim NetworkMiner Wireshark VirusTotal
Masterminds | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Brim VirusTotal
Zeek Exercises | TryHackMe | Medium | ⭐⭐⭐⭐⭐ | Zeek CyberChef VirusTotal
## Malware Analysis

This section focuses on static and dynamic malware analysis. These writeups document the analysis of malicious PE files, scripts, macros, and more.
Challenge | Platform | Difficulty | Rating | Tags
---|---|---|---|---
MalBuster | TryHackMe | Medium | ⭐⭐⭐⭐ | pestudio detect it easy VirusTotal CTF Explorer capa floss
Mr. Phisher | TryHackMe | Easy | ⭐ | LibreOffice Writer
Dunkle Materie | TryHackMe | Medium | ⭐⭐⭐⭐ | ProcDOT VirusTotal
Maldoc101 | CyberDefenders | Medium | ⭐⭐⭐⭐⭐ | oledump VirusTotal olevba CyberChef
Downloader | LetsDefend | Hard | ⭐⭐⭐⭐⭐ | IDA Pro
Malicious Doc | LetsDefend | Easy | ⭐ | VirusTotal
PowerShell Script | LetsDefend | Easy | ⭐⭐ | text editor VirusTotal
Suspicious USB Stick | BTLO | Medium | ⭐ | text editor VirusTotal peepdf
Reverse Engineering - A Classic Injection | BTLO | Easy | ⭐⭐⭐⭐⭐ | pestudio detect it easy IDA Pro Procmon CyberChef
PowerShell Analysis - Keylogger | BTLO | Easy | ⭐⭐ | text editor
Injection Series Part 3 | BTLO | Medium | ⭐⭐⭐⭐⭐ | cutter IDA Pro CyberChef
Injection Series Part 4 | BTLO | Easy | ⭐⭐⭐⭐⭐ | IDA Pro CyberChef
Reverse Engineering - Another Injection | BTLO | Easy | ⭐⭐⭐⭐ | detect it easy strings IDA Pro CyberChef
Malware Analysis - Ransomware Script | BTLO | Easy | ⭐⭐⭐ | text editor
Nonyx | BTLO | Easy | ⭐⭐⭐⭐ | Volatility 2
Anakus | BTLO | Easy | ⭐⭐⭐ | detect it easy VirusTotal sigcheck Timeline Explorer
## Reverse Engineering

Challenges in this section involve understanding program logic and uncovering hidden functionality in binaries. They often require IDA Pro, Ghidra, or Radare2.
Challenge | Platform | Difficulty | Rating | Tags
---|---|---|---|---
Reversing ELF | TryHackMe | Easy | ⭐⭐⭐⭐ | radare2 strings
DLL Stealer | LetsDefend | Medium | ⭐⭐⭐⭐⭐ | dotPeek
Beginner Crackme | Crackmes.one | Easy | ⭐ | IDA Pro
## Tools Used

Some of the tools used in these writeups include (but are not limited to):