All your CTF tools in one place, organized by competition category. Jump straight to what you need — no searching, no context-switching.
Before diving into exploitation, run full recon. Use the Dork Generator for OSINT, Header Analyzer to fingerprint the stack, and the HTTP Parser to inspect raw requests. Missing a hidden endpoint is the #1 reason teams lose points.
WAFs often check for a single encoding layer. Use the Encoding Pipeline to stack Base64 > URL-encode > double-encode. The WAF Bypass Transformer and Payload Mutator can auto-generate 50+ variants of any blocked payload.
If you see a JWT in a cookie or Authorization header, decode it right away. Look for "alg": "none", weak HMAC secrets, and kid injection. The JWT Decoder has built-in attack templates for all common CTF JWT challenges.
CTF forensics challenges often embed timestamps in unusual formats (NTFS, HFS+, UUID v1, Snowflake IDs). The Timestamp Converter supports 16+ formats and auto-detects pasted values.
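The arithmetic behind four of those formats, as an added Python example (not the Timestamp Converter's own code). The function names are hypothetical, and the two Snowflake epochs (Twitter-style and Discord-style) are assumptions, since the epoch depends on the service that issued the ID.

```python
import uuid
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
NTFS_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)     # FILETIME: 100 ns ticks
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=UTC)      # HFS+: whole seconds
UUID1_EPOCH = datetime(1582, 10, 15, tzinfo=UTC)  # UUID v1: 100 ns ticks
TWITTER_EPOCH_MS = 1288834974657  # assumption: Twitter-style Snowflake
DISCORD_EPOCH_MS = 1420070400000  # assumption: Discord-style Snowflake

def from_filetime(ticks):
    return NTFS_EPOCH + timedelta(microseconds=ticks // 10)

def from_hfs(seconds):
    return HFS_EPOCH + timedelta(seconds=seconds)

def from_uuid1(text):
    u = uuid.UUID(text)
    if u.version != 1:
        raise ValueError("only version 1 UUIDs embed a timestamp")
    return UUID1_EPOCH + timedelta(microseconds=u.time // 10)

def from_snowflake(value, epoch_ms=TWITTER_EPOCH_MS):
    # Bits above the low 22 are milliseconds since the service's epoch.
    return UNIX_EPOCH + timedelta(milliseconds=(value >> 22) + epoch_ms)

def candidates(value, first_year=1990, last_year=2040):
    """Decode an integer every way and keep the plausible results."""
    decoders = {
        "unix_seconds": lambda v: UNIX_EPOCH + timedelta(seconds=v),
        "ntfs_filetime": from_filetime,
        "hfs_plus": from_hfs,
        "snowflake_twitter": from_snowflake,
    }
    found = {}
    for name, decode in decoders.items():
        try:
            moment = decode(value)
        except OverflowError:  # value is far outside datetime's range
            continue
        if first_year <= moment.year <= last_year:
            found[name] = moment
    return found

if __name__ == "__main__":
    for name, moment in candidates(3600000000).items():  # constructed sample
        print(name, moment.isoformat())
```

A bare integer can decode plausibly under more than one format, so treat the output of `candidates` as a shortlist to check against the rest of the evidence.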
Do not waste time looking up shell syntax mid-competition. The Reverse Shell Generator covers Bash, Python, PHP, PowerShell, and more with one-click copy. Pair it with the MSFVenom Builder for compiled payloads.
Classical cipher challenges are common in CTF crypto categories. The Cipher Decoder auto-detects Caesar/ROT shifts using index of coincidence, brute-forces all 25 shifts at once, and handles Vigenère, Atbash, Rail Fence, Morse, A1Z26, and XOR. Paste the ciphertext and hit Auto-Detect first.
Once you have a shell in a jeopardy-style CTF, check the Linux PrivEsc cheat sheet immediately. Run SUID enumeration, check sudo -l, and look for writable cron scripts. The GTFOBins payloads for common binaries (vim, python, awk, tar) are copy-ready.