CTF.md

CTF

Useful links regarding CTF

CTF LAB

currently playable CTF platform/chal. Prefered maintain CTF or the new one.

Curated List

• https://captf.com/practice-ctf/
• https://www.amanhardikar.com/mindmaps/Practice.html
• https://zaratec.github.io/ctfpractice/
• https://ctftime.org/writeups (but need to find writeup that include the challenge files,description, and still playable)

General

containing multiple types of CTF

• https://www.hackthebox.eu/
• https://www.securecodewarrior.com/
• https://www.vulnhub.com/
• https://www.offensive-security.com/labs/
• https://www.root-me.org/
• https://ctf.hacker101.com/
• https://old.liveoverflow.com/binary_hacking/reverse_engineering.html
• https://overthewire.org/wargames/
• https://ctflearn.com/challenge/1/browse
• https://net-force.nl/challenges/
• https://pentesterlab.com/pro (PAID)
• https://ringzer0ctf.com/
• https://hackmyvm.eu/
• https://hbh.sh/home
• https://hack.me/s/
• https://deusx64.ai/

PWN/RE

• https://pwnable.xyz/
• https://challenges.re/
• https://pwnable.tw/challenge/
• http://reversing.kr/challenge.php
• https://pwnable.kr/play.php
• https://w3challs.com/challenges/list/reversing
• https://microcorruption.com/login
• https://pwn.college/
• http://www.fuzzysecurity.com/tutorials.html
• https://github.com/shellphish/how2heap
• https://github.com/RPISEC/MBE
• https://ropemporium.com/

Web

• https://portswigger.net/web-security/all-labs
• https://github.com/vegabird/xvna
• https://github.com/incredibleindishell/SSRF_Vulnerable_Lab
• https://github.com/dogangcr/vulnerable-sso
• https://github.com/bkimminich/juice-shop
• https://ctfchallenge.co.uk/
• https://www.securecodewarrior.com/ (PAID)
• https://github.com/WebGoat/WebGoat
• https://github.com/snoopysecurity/dvws-node
• https://github.com/h4x0r101/Damn-Vulnerable-Source-Code
• https://github.com/anxolerd/dvpwa
• https://github.com/appsecco/dvna
• https://github.com/incredibleindishell/CORS-vulnerable-Lab
• https://github.com/incredibleindishell/SSRF_Vulnerable_Lab
• https://github.com/payatu/Tiredful-API
• https://websploit.org/
• https://github.com/snyk/exploit-workshop
• https://github.com/ShiftLeftSecurity/tarpit-java

Crypto

• https://github.com/DamnVulnerableCryptoApp/DamnVulnerableCryptoApp
• https://cryptohack.org/
• https://cryptopals.com/
• https://www.catchthecrypto.com/

Blockchain

• https://github.com/openblocksec/blocksec-ctfs

Cloud

• https://github.com/RhinoSecurityLabs/cloudgoat
• https://github.com/OWASP/DVSA
• https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service
• https://github.com/bridgecrewio/cdkgoat
• https://github.com/bridgecrewio/cfngoat
• https://github.com/bridgecrewio/terragoat
• http://flaws.cloud/
• http://flaws2.cloud/
• https://github.com/ine-labs/AzureGoat
• https://github.com/ine-labs/AWSGoat
• https://github.com/SecuraBV/brokenbydesign-azure
• https://www.serverless-hack.me/
• https://github.com/Azure/CONVEX
• https://github.com/cyberark/escape-the-cloud
• https://github.com/avishayil/caponeme
• https://github.com/accurics/KaiMonkey
• https://gcpgoat.joshuajebaraj.com/
• https://github.com/appsecco/breaking-and-pwning-apps-and-servers-aws-azure-training
• https://github.com/juanjoSanz/aws-pentesting-lab
• https://github.com/HXSecurity/TerraformGoat
• https://github.com/nccgroup/sadcloud
• https://pentesting.cloud/
• https://thunder-ctf.cloud/
• https://twitter.com/hackthebox_eu/status/1549108777298927616 (Blacksky: PAID)
• https://www.pentesteracademy.com/topics (search: cloud) (PAID)
• https://github.com/BishopFox/iam-vulnerable
• https://labs.cyberwarfare.live/

DevOps & Container

• https://github.com/madhuakula/kubernetes-goat
• https://github.com/step-security/github-actions-goat/tree/main
• https://github.com/cider-security-research/cicd-goat

Redteam Labs

labs focusing on redteaming exercise, often contains multiple machines in a single challenge

• https://github.com/Marshall-Hallenbeck/red_team_attack_lab
• https://github.com/s0wr0b1ndef/pentest-lab
• https://github.com/R3dy/capsulecorp-pentest

BlueTeam Labs

• https://cyberdefenders.org/search/labs/?q=pcap-anlysis
• https://opensoc.io/index.html
• https://blueteamlabs.online/

AndroidApp

• https://github.com/payatu/diva-android
• https://github.com/oversecured/ovaa
• https://github.com/OWASP/SecurityShepherd
• https://github.com/OWASP/owasp-mstg/tree/master/Crackmes
• https://github.com/appsecco/VyAPI
• https://github.com/WaTF-Team/WaTF-Bank
• https://github.com/abhi-r3v0/EVABS
• https://rossmarks.uk/blog/fridalab/
• https://github.com/B3nac/InjuredAndroid
• https://github.com/dineshshetty/Android-InsecureBankv2
• https://github.com/HTBridge/pivaa
• https://github.com/jaiswalakshansh/Vuldroid
• https://github.com/t0thkr1s/allsafe
• https://github.com/optiv/InsecureShop
• https://github.com/t4kemyh4nd/vulnwebview
• https://github.com/ToulouseHackingConvention/bestpig-reverse-android-serial
• https://www.ivrodriguez.com/mobile-ctf/
• https://github.com/rednaga/training/tree/master/DEFCON23/challenges/offensive
• https://github.com/luc10/h1-702-2018-ctf-wu
• https://github.com/antojoseph/androidCTF
• https://github.com/nowsecure/cybertruckchallenge19
• https://github.com/o-o-overflow/dc2019q-vitor-public
• https://github.com/kiyadesu/android-reversing-challenges
• https://github.com/tlamb96/kgb_messenger
• http://ctf.hpandro.raviramesh.info/
• https://mobisec.reyammer.io/challs | https://challs.reyammer.io/
• https://github.com/brunokaique/SAST-Android
• https://github.com/user1342/Broken-Droid-Factory
• https://github.com/satishpatnayak/AndroGoat
• https://www.insecureshopapp.com/

AndroidApp chal from CTF competition

• https://github.com/hanhanhanz/cyber-security-sources/tree/main/Hacktivity2020-mobile-chal
• https://github.com/hanhanhanz/cyber-security-sources/tree/main/nahamcon2021-mobile-chal
• https://github.com/wnagzihxa1n/CTF-Mobile-Tutorial
• https://github.com/JisoonPark/SamsungCTF
• https://enovella.github.io/android/reverse/2020/09/03/r2pay-android-crackmes-radare2con.html
• https://github.com/d3rezz/Google-Capture-The-Flag-2016
• https://github.com/ctfs/write-ups-2016/tree/master/google-ctf-2016/mobile/little-bobby-application-250
• https://ctftime.org/writeup/6853
• https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game
• http://blog.redrocket.club/2019/06/27/google-ctf-quals-2019-flaggy-bird/
• https://sectt.github.io/writeups/GoogleCTF20/android/README
• https://fineas.github.io/FeDEX/post/tridroid.html
• https://aadityapurani.com/2019/03/07/bsidessf-ctf-2019-mobile-track/

IOSapp

• https://github.com/OWASP/iGoat-Swift
• https://github.com/jsoehner/dvia2

Cheatsheet

• https://github.com/JohnHammond/ctf-katana
• https://github.com/w181496/Web-CTF-Cheatsheet

Writeup

• https://github.com/google/google-ctf
• https://github.com/yuawn/CTF
• https://github.com/bl4de/ctf
• https://github.com/sixstars/ctf

Tools

• https://github.com/devploit/CTF_OnlineTools
• https://github.com/SandySekharan/CTF-tool
• https://github.com/dloss/python-pentest-tools

Ref

• https://github.com/xtiankisutsa/awesome-mobile-CTF
• https://phonexicum.github.io/challenges.html
• https://www.linkedin.com/posts/zer0verflow_hacking-penetrationtesting-penetrationtester-activity-6848006673483747328-b11Z/