Run any Skill in Manus with one click

ctf-web

Provides web exploitation techniques for CTF challenges. Use when the target is primarily an HTTP application, API, browser client, template engine, identity flow, or smart-contract frontend/backend surface, including XSS, SQLi, SSTI, SSRF, XXE, JWT, auth bypass, file upload, request smuggling, OAuth/OIDC, SAML, prototype pollution, and similar web bugs. Do not use it for native binary memory corruption, reverse engineering of standalone executables, disk or memory forensics, or pure cryptanalysis unless the web flaw is still the main path to the flag.

Run Skill in Manus

Overview

Install command

npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-web

Copy and paste this command into Claude Code to install the skill

Source

ljagiello/ctf-skills

Stars2,276

Forks278

UpdatedApril 17, 2026 at 02:40

File Explorer

21 files

SKILL.md

readonly

More from this repository

same repository

ctf-ai-ml

ljagiello/ctf-skills

Provides AI and machine learning techniques for CTF challenges. Use when attacking ML models, crafting adversarial examples, performing model extraction, prompt injection, membership inference, training data poisoning, fine-tuning manipulation, neural network analysis, LoRA adapter exploitation, LLM jailbreaking, or solving AI-related puzzles.

2026-04-172.3k

ctf-crypto

ljagiello/ctf-skills

Provides cryptography attack techniques for CTF challenges. Use when attacking encryption, hashing, signatures, ZKP, PRNG, or mathematical crypto problems involving RSA, AES, ECC, lattices, LWE, CVP, number theory, Coppersmith, Pollard, Wiener, padding oracle, GCM, key derivation, or stream/block cipher weaknesses.

2026-04-172.3k

ctf-forensics

ljagiello/ctf-skills

Provides digital forensics and signal analysis techniques for CTF challenges. Use when analyzing disk images, memory dumps, event logs, network captures, cryptocurrency transactions, steganography, PDF analysis, Windows registry, Volatility, PCAP, Docker images, coredumps, side-channel power traces, DTMF audio spectrograms, packet timing analysis, CD audio disc images, or recovering deleted files and credentials.

2026-04-172.3k

ctf-malware

ljagiello/ctf-skills

Provides malware analysis and network traffic techniques for CTF challenges. Use when analyzing obfuscated scripts, malicious packages, custom crypto protocols, C2 traffic, PE/.NET binaries, RC4/AES encrypted communications, YARA rules, shellcode analysis, memory forensics for malware (Volatility malfind, process injection detection), anti-analysis techniques (VM/sandbox detection, timing evasion, API hashing, process injection, environment checks), or extracting malware configurations and indicators of compromise.

2026-04-172.3k

ctf-misc

ljagiello/ctf-skills

Provides miscellaneous CTF challenge techniques for problems that do not cleanly fit the main categories. Use for encoding puzzles, pyjails, bash jails, RF/SDR, DNS oddities, unicode tricks, esoteric languages, QR or audio puzzles, constraint solving, game theory, unusual sandbox escapes, and hybrid logic puzzles. Prefer a more specific skill first when the challenge is mainly web, pwn, reverse, forensics, malware, OSINT, or crypto. Treat this as the fallback skill for genuine cross-category or edge-case challenges, not the default starting point.

2026-04-172.3k

ctf-osint

ljagiello/ctf-skills

Provides open source intelligence techniques for CTF challenges. Use when gathering information from public sources, social media, geolocation, DNS records, username enumeration, reverse image search, Google dorking, Wayback Machine, Tor relays, FEC filings, or identifying unknown data like hashes and coordinates.

2026-04-172.3k

Source

ljagiello

ljagiello/ctf-skills

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	ctf-web
description	Provides web exploitation techniques for CTF challenges. Use when the target is primarily an HTTP application, API, browser client, template engine, identity flow, or smart-contract frontend/backend surface, including XSS, SQLi, SSTI, SSRF, XXE, JWT, auth bypass, file upload, request smuggling, OAuth/OIDC, SAML, prototype pollution, and similar web bugs. Do not use it for native binary memory corruption, reverse engineering of standalone executables, disk or memory forensics, or pure cryptanalysis unless the web flaw is still the main path to the flag.
license	MIT
compatibility	Requires filesystem-based agent (Claude Code or similar) with bash, Python 3, and internet access for tool installation.
allowed-tools	Bash Read Write Edit Glob Grep Task WebFetch WebSearch
metadata	{"user-invocable":"false"}

CTF Web Exploitation

Use this skill as a routing and execution guide for web-heavy challenges. Keep the first pass short: map the app, confirm the trust boundary, and only then dive into the detailed technique notes.

Prerequisites

Python packages (all platforms):

pip install sqlmap flask-unsign requests

Linux (apt):

apt install hashcat jq curl

macOS (Homebrew):

brew install hashcat jq curl

Go tools (all platforms, requires Go):

go install github.com/ffuf/ffuf/v2@latest

Manual install:

ysoserial — GitHub, requires Java (Java deserialization payloads)

Additional Resources

sql-injection.md - SQL injection techniques: auth bypass, UNION extraction, filter bypasses, second-order SQLi, truncation, race-assisted leaks, INSERT ON DUPLICATE KEY UPDATE password overwrite, innodb_table_stats WAF bypass
server-side.md - PHP type juggling, php://filter LFI, Python str.format traversal, SSTI (Jinja2, Twig, ERB, Mako, EJS, Vue.js, Smarty), SSRF (Host header, DNS rebinding, curl redirect, unescaped-dot regex, SNI FTP smuggling, mod_vhost_alias), PHP hash_hmac NULL
server-side-2.md - XXE (basic, OOB, DOCX upload), XML injection via X-Forwarded-For, PHP variable variables, PHP uniqid predictable filename, sequential regex replacement bypass, command injection (newline, blocklist, sendmail CGI, multi-barcode, git CLI), GraphQL injection (introspection, batching, interpolation)
server-side-exec.md - Direct code execution paths, upload-to-RCE, deserialization-adjacent execution, LaTeX injection, header and API abuses
server-side-exec-2.md - More execution chains: SQLi fragmentation, path parser tricks, polyglot uploads, wrapper abuse, filename injection, BMP pixel webshell with filename truncation
server-side-deser.md - Java/Python/PHP deserialization and race-condition playbooks, PHP SoapClient CRLF SSRF via deserialization
server-side-advanced.md - Advanced SSRF, traversal, archive, parser, framework, and modern app-server issues, Nginx alias traversal
server-side-advanced-2.md - Docker API SSRF, Castor/XML, Apache expression reads, parser discrepancies, Windows path tricks, rogue MySQL server file read
server-side-advanced-3.md - Part 3 (CSAW/35C3/ASIS/PlaidCTF 2018): WAV polyglot upload, multi-slash URL path.startswith bypass, Xalan XSLT math:random() seed guess, SoapClient _user_agent CRLF method smuggling, gopher:/// no-host URL scheme bypass, SSRF credential leak via attacker-specified outbound URL
server-side-advanced-4.md - Part 4: WeasyPrint SSRF/file read (CVE-2024-28184), MongoDB regex/$where blind oracle, Pongo2 Go template injection, ZIP PHP webshell, basename() bypass, wget CRLF SSRF→SMTP, Gopher SSRF to MySQL blind SQLi, React Server Components Flight RCE (CVE-2025-55182), AMQP/TLS interception via sslsplit+arpspoof, CairoSVG XXE, Bazaar repo reconstruction
client-side.md - XSS, CSRF, cache poisoning, DOM tricks, admin bot abuse, request smuggling, paywall bypass
client-side-advanced.md - CSP bypasses, Unicode tricks, XSSI, CSS exfiltration, browser normalization quirks, postMessage null origin bypass
auth-and-access.md - Auth/authz bypasses, hidden endpoints, IDOR, redirect chains, subdomain takeover, AI chatbot jailbreaks
auth-and-access-2.md - Part 2 (2018-era): std::unordered_set bucket collision auth bypass, nodeprep.prepare Unicode homograph username collision, SRP A=0/A=N auth bypass, ArangoDB AQL MERGE privilege escalation
auth-jwt.md - JWT/JWE manipulation, weak secrets, header injection, key confusion, replay
auth-infra.md - OAuth/OIDC, SAML, CORS, CI/CD secrets, IdP abuse, login poisoning
node-and-prototype.md - Prototype pollution, JS sandbox escape, Node.js attack chains
web3.md - Solidity and Web3 challenge notes
cves.md - CVE-driven techniques you can match against challenge banners, headers, dependency leaks, or version strings
field-notes.md - Long-form exploit notes: quick references for SQLi, XSS, LFI, JWT, SSTI, SSRF, command injection, XXE, deserialization, race conditions, auth bypass, and multi-stage chains

When to Pivot

If the target is a native binary, custom VM, or firmware image, switch to /ctf-reverse first.
If the HTTP bug only gives you code execution and the hard part becomes memory corruption or seccomp escape, switch to /ctf-pwn.
If the "web" challenge really turns on JWT math, custom MACs, or crypto primitives, switch to /ctf-crypto.
If the web challenge involves analyzing logs, PCAPs, or recovering artifacts from a web server, switch to /ctf-forensics.
If the challenge requires gathering intelligence from public web sources, DNS records, or social media before exploitation, switch to /ctf-osint.

First-Pass Workflow

Identify the real boundary: browser only, backend only, mixed app, or auth flow.
Capture one normal request/response pair for every major feature before fuzzing.
Enumerate hidden functionality from JS bundles, response headers, routes, and alternate methods.
Classify the likely bug family: injection, authz, parser mismatch, upload, trust proxy, state machine, or client-side execution.
Build the smallest proof first: leak, bypass, or primitive. Save full exploit chaining for later.

Quick Start Commands

# Recon
curl -sI https://target.com
ffuf -u https://target.com/FUZZ -w wordlist.txt
curl -s https://target.com/robots.txt

# SQLi quick test
sqlmap -u "https://target.com/page?id=1" --batch --dbs

# JWT decode (no verification)
echo '<token>' | cut -d. -f2 | base64 -d 2>/dev/null | jq .

# Cookie decode (Flask)
flask-unsign --decode --cookie '<cookie>'
flask-unsign --unsign --cookie '<cookie>' --wordlist rockyou.txt

# SSTI probes
curl "https://target.com/page?name={{7*7}}"
curl "https://target.com/page?name={{config}}"

# Request inspection
curl -v -X POST https://target.com/api -H "Content-Type: application/json" -d '{}'

First Questions to Answer

Is the flag likely in the browser, an API response, a local file, a database row, or an internal service?
Does the app trust user-controlled data in templates, redirects, file paths, headers, serialized objects, or background jobs?
Are there multiple parsers disagreeing with each other: proxy vs app, URL parser vs fetcher, sanitizer vs browser, serializer vs filter?
Can you turn the bug into a smaller primitive first: read one file, forge one token, call one internal endpoint, trigger one bot visit?

High-Value Recon Checks

Read the HTML, inline scripts, and bundled JS before guessing the API surface.
Compare what the UI submits with what the backend accepts; optional JSON fields often unlock hidden paths.
Check obvious metadata and helper paths early: /robots.txt, /sitemap.xml, /.well-known/, /admin, /debug, /.git/, /.env.
Try alternate verbs and content types on interesting routes: GET, POST, PUT, PATCH, TRACE, JSON, form, multipart, XML.
Treat file upload, PDF/export, webhook, OAuth callback, and admin bot features as likely exploit multipliers.

Fast Pattern Map

SQL errors, odd filtering, or state-dependent DB behavior: start with sql-injection.md.
Templating, file reads, SSRF, command execution, XML, or parser bugs: start with server-side.md and server-side-exec.md.
XSS, CSP bypass, admin bot, client routing, DOM issues, or scriptless exfiltration: start with client-side.md.
Session forgery, hidden admin routes, JWT, OAuth, SAML, or weak trust boundaries: start with auth-and-access.md, auth-jwt.md, and auth-infra.md.
Node.js apps, prototype pollution, VM sandboxes, or SSRF into internal services: add node-and-prototype.md.
Smart contract frontends or blockchain-integrated apps: add web3.md.

Common Chain Shapes

Recon -> hidden route -> auth bypass -> internal file read -> token or flag
XSS or HTML injection -> admin bot -> privileged action -> secret leak
Traversal or upload -> config/source leak -> secret recovery -> session forgery
SSRF -> metadata or internal API -> credential leak -> code execution
SQLi or NoSQL injection -> credential bypass -> second-stage template or upload abuse

Deep-Dive Notes

Use field-notes.md once you have confirmed the challenge is truly web-heavy and you need the long exploit catalog.

Recon, SQLi, XSS, traversal, JWT, SSTI, SSRF, XXE, and command injection quick notes
Deserialization, race conditions, file upload to RCE, and multi-stage chain examples
Node, OAuth/SAML, CI/CD, Web3, bot abuse, CSP bypasses, and modern browser tricks
CVE-shaped playbooks and older challenge patterns that still show up in modern CTFs

Common Flag Locations

Files: /flag.txt, /flag, /app/flag.txt, /home/*/flag*
Environment: /proc/self/environ, process command line, debug config dumps
Database: tables named flag, flags, secret, or seeded challenge content
HTTP: custom headers, archived responses, hidden routes, admin exports
Browser: hidden DOM nodes, data-* attributes, inline state objects, source maps