RatCTF

Tips & Tricks

Battle-tested hunting wisdom — recon, web, privesc, AD, crypto, and the mindset to stay sharp. Filter by category, steal what you need, go pop a box.

Mindset

Enumerate, then enumerate again

Most boxes fall to enumeration, not exploits. When you're stuck, you almost always missed something — re-scan all ports, re-read every page, re-check every service version.

Mindset

Read the machine, not the hints

Hints get you unstuck, but the players who improve fastest reconstruct the intended path themselves. Treat each box as a puzzle the author left clues for.

Mindset

Keep a notes file open

Log every credential, port, and odd response as you go. Half of privesc is remembering something you already saw three steps ago.

Mindset

If it feels too hard, you're off-path

Designed boxes have an intended route. Brute-forcing a wall usually means the real door is somewhere you haven't looked.

Recon

Scan all 65535 ports

Default scans hit the top 1000. The interesting service is often on a high, non-standard port. Do a full TCP sweep, then version-scan what you find.

Recon

Always try anonymous FTP

Anonymous FTP is shockingly common. `anonymous` / blank password — browse the share before assuming it's locked down.

Recon

TTL hints at the OS

An initial TTL near 64 suggests Linux/Unix; near 128 suggests Windows. A quick fingerprint before you commit tooling.

Recon

Read robots.txt and sitemap

Disallowed paths are a map of what the admin didn't want indexed — often exactly what you want to find.

Recon

Check for vhosts and subdomains

One IP can serve many sites by Host header. Fuzz vhosts — the vulnerable app is frequently on a hostname the default page never mentions.

Web

Test SSTI wherever XSS works

If user input is reflected and the app uses a template engine, try SSTI alongside XSS — same root cause (untrusted input concatenated into a template server-side), much bigger impact.

Web

GraphQL? Try introspection first

Many GraphQL APIs leave introspection enabled. Pull the full schema before guessing — it hands you every type and field.

Web

IDOR lives in the numbers

Any `id=`, `user=`, `order=` in a URL or body is worth incrementing/decrementing. Authorization checks are skipped more often than you'd think.

Web

LFI + log poisoning = RCE

A local file inclusion (LFI) that can reach a log you can write into (e.g. the access log via the User-Agent header) becomes code execution when the included log is interpreted by the language runtime.

Web

Check every cookie and JWT

Decode JWTs (base64url) and look at the `alg` header. `none`, weak HMAC secrets, and `kid` path traversal are all classic forging routes.

Web

Upload filters are bypassable

Content-Type, extension, and magic-byte checks each fail in isolation. Double extensions, null bytes, polyglots, and case tricks all still work somewhere.

Linux PrivEsc

sudo -l is your first move

After any foothold, run `sudo -l`. A single NOPASSWD binary is often the whole privesc — check it on GTFOBins.

Linux PrivEsc

SUID + GTFOBins

`find / -perm -4000 2>/dev/null` lists SUID binaries. Cross-reference each against GTFOBins — many have a documented shell escape.

Linux PrivEsc

Capabilities are sneaky SUID

`getcap -r / 2>/dev/null` lists file capabilities. A binary with `cap_setuid` or `cap_dac_read_search` can be as good as SUID root and is easy to overlook.

Linux PrivEsc

Read the crontab

Root-owned cron jobs that run a writable script or use a relative path are a clean, repeatable root. Check `/etc/crontab` and `/etc/cron.*`.

Linux PrivEsc

Reused creds everywhere

Passwords in config files, `.bash_history`, and `.env` files get reused for SSH, DB, and sudo. Grep web roots and home dirs before anything fancy.

Linux PrivEsc

Hunt world-writable files

A world-writable script that a privileged process runs (cron, service, .bashrc sourced by root) is a direct path up. `find / -writable -type f 2>/dev/null`.

Windows & AD

Kerberoast weak service accounts

Any authenticated domain user can request a service ticket (TGS) for any SPN; the ticket is encrypted with the service account's password hash, so it can be cracked offline. Service accounts often have weak, never-rotated passwords.

Windows & AD

AS-REP roast pre-auth-disabled users

Accounts with 'do not require Kerberos preauth' hand you an AS-REP encrypted with the user's key, crackable offline without any creds. Always enumerate for them.

Windows & AD

BloodHound finds the path

Don't hand-walk ACLs. Collect with SharpHound, then let BloodHound show you the shortest path to Domain Admin.

Windows & AD

Dump LSASS for creds

On a compromised host, LSASS memory yields hashes, tickets, and sometimes plaintext (legacy WDigest). Credential Guard is the mitigation to watch for.

API & Auth

Mass assignment: send more fields

Add `role`, `isAdmin`, `verified` to a JSON body the API didn't ask for. Frameworks that bind the whole object will happily set them.

API & Auth

BOLA/BFLA: swap IDs and methods

Object-level auth (another user's id) and function-level auth (an admin-only verb) are the two most frequently rewarded API bugs. Test both on every endpoint.

API & Auth

OAuth: watch the redirect_uri

Loose redirect_uri matching + an open redirect on the client = token theft. Always inspect the full OAuth dance for where the code lands.

API & Auth

Rate limits gate brute force

No rate limit on login/OTP turns a 6-digit code into a 5-minute attack. Check whether the limit is per-account, per-IP, or absent.

Crypto

ECB leaks structure

Identical plaintext blocks → identical ciphertext blocks. Repeating 16-byte blocks in a token usually mean ECB, which opens the door to block cut-and-paste attacks.

Crypto

Padding oracle = decrypt anything

A server that distinguishes 'bad padding' from 'bad MAC' on CBC ciphertext lets you decrypt (and forge) without the key. Watch for differing error responses.

Crypto

Weak RSA: check the modulus

Small e with no padding, shared primes across keys, or a factorable N (try FactorDB) all break RSA. Always look at the actual parameters.

Pivoting

SSH is your tunnel

Once you own a jump host, `ssh -L` / `-R` / `-D` reaches segments you can't touch directly. Local, remote, and dynamic forwarding cover almost every pivot.

Pivoting

Leaked creds rarely stop at one box

The password you found is the start of lateral movement. Spray it across every host and service you can see before escalating locally.

Pivoting

Internal services bind to 127.0.0.1

Run `ss -tlnp` after a foothold. Services listening only on localhost (admin panels, Redis, debug ports) are invisible from outside but yours now.