Capture The Flag Playbook

This tool provides a structured process to complete capture the flag challenges. The idea is to quickly bring your attention to the places where you’re mostly likely to find vulnerabilities, in an optimal order that applies to all challenges. I’ll continue updating this with every challenge I do.

How It’s Used

  • All copied commands use the TARGET environment variable, so set that to your target in your shell. To have it apply across sessions, I recommend setting this variable in your .zshrc and updating it every time you’re switching targets. An alias for doing this is shown in section Set Target.
  • Execute rustscan on the target
  • Sort discovered ports by priority on the table. Higher on the table == higher priority
  • For each discovered port in the sorted list
    • Complete Level 1 column action
    • Once all level 1’s have been explored, complete level 2
    • Once all level 2’s have been explored, complete level 3

Set Target


Alias definition

Add the following to your ~/.zshrc. Note: If you’re not using zsh replace with the appropriate shell profile configuration file.

function settarget {
        sed -i "/^export TARGET/c\export TARGET=\"$1\"" ~/.zshrc && source ~/.zshrc
export TARGET=""

Then you can use it like targetset, echo $TARGET

Network Scan:

rustscan -a $TARGET -- -A -sC

Reference Table

Vertical Order: Highest == Most likely to provide a higher CVE rating exploit
Horizontal Order: Leftmost == Quicker path to RCE
Service:Port Level 1 Level 2 Level 3
FTP:21 Anonymous Login Banner Grabbing Deep Dive
HTTP:80,443 Enumeration Burp Suite WIP: Playbook
SSH|SFTP:22 Automated Audit Banner Grabbing Deep Dive
Telnet:23 Enumeration Brute Force Deep Dive
Unknown:Random` Port Banner Grabbing Port Search

FTP (21)

FTP Anonymous Login

A Misconfigured FTP server will allow anonymous passwordless login:

# You can connect via browser:
$ open "ftp://anonymous:anonymous@$TARGET"
# Or use ftp CLI
$ ftp $TARGET 21
ftp> account
# Try Anonymous||anonymous
ftp> ls -a

FTP Banner Grabbing

Try to quickly determine FTP version and look for known vulnerabilities

$ nc -vn $TARGET 21
$ searchsploit <FTP Server Version>


SSH Banner Grabbing

Try to quickly determine FTP version and look for known vulnerabilities

$ nc -vn $TARGET 22
$ searchsploit <SSH Server Version>

Telnet (23)

Telnet Enumeration

Use nmap script to gather all the useful information:

nmap -n -sV -Pn --script "*telnet* and safe" -p 23 $TARGET

Telnet Bruteforce

hydra -l root -P passwords.txt [-t 32] $TARGET telnet
ncrack -p 23 --user root -P passwords.txt $TARGET [-T 5]
medusa -u root -P 500-worst-passwords.txt -h $TARGET -M telnet

HTTP (80,443)

HTTP Enumeration

nikto --host $TARGET --port 80


dirb http://$TARGET/

HTTP Burp Suite

Generally start up Burp, Open the embedded browser and start manually navigating through the site and using the tool to drill at interesting areas. To learn more, check out Something like this.

RDP (3389)

Empty user/pass Connect

rdesktop -u "" -f <TARGET>

Unknown (Random)

Port Banner Grabbing

We want to try to learn what is running on this port… there are two quick methods available to us:



curl -v $TARGET:port

Based on the results of this, you may be able to determine what service is on the port and can move to the relevant section of this guide to explore it.

If you cannot figure it out, it never hurts to search something like ‘service on port X’, or use a site like This may provide useful information to pivot.