Run any Skill in Manus with one click

ctf-recon

Stars1

Forks0

UpdatedFebruary 6, 2026 at 23:54

Target reconnaissance and enumeration for CTF challenges. Use when you need to scan ports, discover services, enumerate web directories, or fingerprint technology stacks.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

ramzxy

ramzxy/CTF

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

Related occupationsSOC

Based on SOC occupation classification

Information Security AnalystsComputer and Mathematical Occupations·SOC 15-1212

SKILL.md

readonly

name	ctf-recon
description	Target reconnaissance and enumeration for CTF challenges. Use when you need to scan ports, discover services, enumerate web directories, or fingerprint technology stacks.
user-invocable	false
allowed-tools	["Bash","Read","Write","Edit","Glob","Grep","Task","WebFetch","WebSearch"]

CTF Reconnaissance & Enumeration

Web Reconnaissance

Initial Checks

# Fetch and inspect
curl -v http://target/
curl -s http://target/ | head -100

# Check common paths
for path in robots.txt sitemap.xml .env .git/HEAD .well-known/ admin api debug; do
    code=$(curl -s -o /dev/null -w "%{http_code}" "http://target/$path")
    [ "$code" != "404" ] && echo "[+] /$path -> $code"
done

# Response headers
curl -sI http://target/ | grep -iE "(server|x-|powered|content-type|set-cookie)"

# View page source for comments, JS, hidden forms
curl -s http://target/ | grep -iE "(<!--|flag|secret|admin|api|token|password)"

Technology Fingerprinting

# Server identification
curl -sI http://target/ | grep -i "server:"
# X-Powered-By, X-Framework, etc.

# Common framework indicators
curl -s http://target/ | grep -ioE "(react|angular|vue|next|nuxt|flask|django|express|laravel|rails)"

# JavaScript bundles
curl -s http://target/ | grep -oE 'src="[^"]*\.js"' | head -20

# Check for source maps
curl -s http://target/main.js.map -o /dev/null -w "%{http_code}"

Directory/File Discovery

# Common wordlist paths
# /usr/share/wordlists/dirb/common.txt
# /usr/share/seclists/Discovery/Web-Content/common.txt

# ffuf for fuzzing
ffuf -u http://target/FUZZ -w wordlist.txt -mc 200,301,302,403
ffuf -u http://target/FUZZ -w wordlist.txt -e .php,.txt,.html,.js,.bak

# gobuster alternative
gobuster dir -u http://target/ -w wordlist.txt

API Enumeration

# Check common API paths
for path in api api/v1 api/v2 graphql api/docs swagger.json openapi.json; do
    code=$(curl -s -o /dev/null -w "%{http_code}" "http://target/$path")
    [ "$code" != "404" ] && echo "[+] /$path -> $code"
done

# Extract API endpoints from JS bundles
curl -s http://target/static/js/main.js | grep -oE '"/api/[^"]*"' | sort -u

# GraphQL introspection
curl -s http://target/graphql -H "Content-Type: application/json" \
    -d '{"query":"{__schema{types{name fields{name}}}}"}'

Network Reconnaissance

Port Scanning

# Quick TCP scan
nmap -sV -sC -T4 target

# All ports
nmap -p- -T4 target

# UDP scan (slow but important)
nmap -sU --top-ports 20 target

# Service version detection
nmap -sV -p PORT target

Service Interaction

# Banner grabbing
nc -v target port
echo "" | nc -w3 target port

# SSL/TLS info
openssl s_client -connect target:443 </dev/null 2>/dev/null | openssl x509 -noout -text

# DNS
dig target ANY
dig -t txt target
dig axfr @ns.target target  # Zone transfer attempt

Source Code Reconnaissance

Git Exposure

# Check for exposed .git
curl -s http://target/.git/HEAD
curl -s http://target/.git/config

# Dump with git-dumper
git-dumper http://target/.git/ ./dumped-repo

# Extract from downloaded .git
cd dumped-repo && git log --all --oneline
git diff HEAD~5..HEAD
git log --all --diff-filter=D --name-only  # Deleted files
git show HEAD~3:secret.txt                  # Recover deleted files

Backup File Discovery

# Common backup extensions
for ext in .bak .old .orig .save .swp ~; do
    curl -s -o /dev/null -w "%{http_code}" "http://target/index.php${ext}"
done

# Editor backups
curl -s http://target/.index.php.swp  # vim swap
curl -s http://target/index.php~      # emacs backup

CTF-Specific Patterns

Challenge description is ALWAYS a hint — read every word
Challenge title often reveals the technique (e.g., "Inject" = injection, "Token" = JWT)
Points/difficulty indicate expected complexity
If a port is unusual, try connecting with nc first to see the banner
Multiple open ports often means chaining vulnerabilities across services
Always check for custom HTTP headers in responses (X-Flag, X-Hint, etc.)

CTF Reconnaissance & Enumeration

Web Reconnaissance

Initial Checks

# Fetch and inspect
curl -v http://target/
curl -s http://target/ | head -100

# Check common paths
for path in robots.txt sitemap.xml .env .git/HEAD .well-known/ admin api debug; do
    code=$(curl -s -o /dev/null -w "%{http_code}" "http://target/$path")
    [ "$code" != "404" ] && echo "[+] /$path -> $code"
done

# Response headers
curl -sI http://target/ | grep -iE "(server|x-|powered|content-type|set-cookie)"

# View page source for comments, JS, hidden forms
curl -s http://target/ | grep -iE "(<!--|flag|secret|admin|api|token|password)"

Technology Fingerprinting

# Server identification
curl -sI http://target/ | grep -i "server:"
# X-Powered-By, X-Framework, etc.

# Common framework indicators
curl -s http://target/ | grep -ioE "(react|angular|vue|next|nuxt|flask|django|express|laravel|rails)"

# JavaScript bundles
curl -s http://target/ | grep -oE 'src="[^"]*\.js"' | head -20

# Check for source maps
curl -s http://target/main.js.map -o /dev/null -w "%{http_code}"

Directory/File Discovery

# Common wordlist paths
# /usr/share/wordlists/dirb/common.txt
# /usr/share/seclists/Discovery/Web-Content/common.txt

# ffuf for fuzzing
ffuf -u http://target/FUZZ -w wordlist.txt -mc 200,301,302,403
ffuf -u http://target/FUZZ -w wordlist.txt -e .php,.txt,.html,.js,.bak

# gobuster alternative
gobuster dir -u http://target/ -w wordlist.txt

API Enumeration

# Check common API paths
for path in api api/v1 api/v2 graphql api/docs swagger.json openapi.json; do
    code=$(curl -s -o /dev/null -w "%{http_code}" "http://target/$path")
    [ "$code" != "404" ] && echo "[+] /$path -> $code"
done

# Extract API endpoints from JS bundles
curl -s http://target/static/js/main.js | grep -oE '"/api/[^"]*"' | sort -u

# GraphQL introspection
curl -s http://target/graphql -H "Content-Type: application/json" \
    -d '{"query":"{__schema{types{name fields{name}}}}"}'

Network Reconnaissance

Port Scanning

# Quick TCP scan
nmap -sV -sC -T4 target

# All ports
nmap -p- -T4 target

# UDP scan (slow but important)
nmap -sU --top-ports 20 target

# Service version detection
nmap -sV -p PORT target

Service Interaction

# Banner grabbing
nc -v target port
echo "" | nc -w3 target port

# SSL/TLS info
openssl s_client -connect target:443 </dev/null 2>/dev/null | openssl x509 -noout -text

# DNS
dig target ANY
dig -t txt target
dig axfr @ns.target target  # Zone transfer attempt

Source Code Reconnaissance

Git Exposure

# Check for exposed .git
curl -s http://target/.git/HEAD
curl -s http://target/.git/config

# Dump with git-dumper
git-dumper http://target/.git/ ./dumped-repo

# Extract from downloaded .git
cd dumped-repo && git log --all --oneline
git diff HEAD~5..HEAD
git log --all --diff-filter=D --name-only  # Deleted files
git show HEAD~3:secret.txt                  # Recover deleted files

Backup File Discovery

# Common backup extensions
for ext in .bak .old .orig .save .swp ~; do
    curl -s -o /dev/null -w "%{http_code}" "http://target/index.php${ext}"
done

# Editor backups
curl -s http://target/.index.php.swp  # vim swap
curl -s http://target/index.php~      # emacs backup

CTF-Specific Patterns

Challenge description is ALWAYS a hint — read every word
Challenge title often reveals the technique (e.g., "Inject" = injection, "Token" = JWT)
Points/difficulty indicate expected complexity
If a port is unusual, try connecting with nc first to see the banner
Multiple open ports often means chaining vulnerabilities across services
Always check for custom HTTP headers in responses (X-Flag, X-Hint, etc.)

ctf-recon

CTF Reconnaissance & Enumeration

Web Reconnaissance

Initial Checks

Technology Fingerprinting

Directory/File Discovery

API Enumeration

Network Reconnaissance

Port Scanning

Service Interaction

Source Code Reconnaissance

Git Exposure

Backup File Discovery

CTF-Specific Patterns

More from this repository

CTF Reconnaissance & Enumeration

Web Reconnaissance

Initial Checks

Technology Fingerprinting

Directory/File Discovery

API Enumeration

Network Reconnaissance

Port Scanning

Service Interaction

Source Code Reconnaissance

Git Exposure

Backup File Discovery

CTF-Specific Patterns

More from this repository