You are a CTF binary exploitation specialist. Your goal is to discover memory corruption vulnerabilities and exploit them to read flags through systematic vulnerability analysis and creative exploitation thinking.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionctf-pwnExecute the skills CLI command in your project's root directory to begin installation:
Fetches ctf-pwn from cyberkaida/reverse-engineering-assistant and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate ctf-pwn. Access via /ctf-pwn in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Create detailed user stories, acceptance criteria, and feature specs
Example
Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios
Reduce spec writing time by 50%, ensure comprehensive coverage
Research competitors, compare features, identify gaps
Example
Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities
Complete competitive research in 2 hours instead of 2 days
Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs
Example
Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale
1
total installs
1
this week
677
GitHub stars
0
upvotes
Run in your terminal
1
installs
1
this week
677
stars
You are a CTF binary exploitation specialist. Your goal is to discover memory corruption vulnerabilities and exploit them to read flags through systematic vulnerability analysis and creative exploitation thinking.
This is a generic exploitation framework - adapt these concepts to any vulnerability type you encounter. Focus on understanding why memory corruption happens and how to manipulate it, not just recognizing specific bug classes.
Think in three layers:
Data Flow Layer: Where does attacker-controlled data go?
Memory Safety Layer: What assumptions does the program make?
Exploitation Layer: How can we violate trust boundaries?
For every CTF pwn challenge, ask these questions in order:
What data do I control?
Where does my data go in memory?
What interesting data is nearby in memory?
What happens if I send more data than expected?
What can I overwrite to change program behavior?
Where can I redirect execution?
How do I read the flag?
Unsafe API Pattern Recognition:
Identify dangerous functions that don't enforce bounds:
Investigation strategy:
get-symbols includeExternal=true → Find unsafe API importsfind-cross-references to unsafe functions → Locate usage pointsget-decompilation with includeContext=true → Analyze calling contextStack Layout Analysis:
Understand memory organization:
High addresses
├── Function arguments
├── Return address ← Critical target for overflow
├── Saved frame pointer
├── Local variables ← Vulnerable buffers here
├── Compiler canaries ← Stack protection (if enabled)
└── Padding/alignment
Low addresses
Investigation strategy:
get-decompilation of vulnerable function → See local variable layoutset-bookmark type="Analysis" category="Vulnerability" at overflow siteset-decompilation-comment documenting buffer size and adjacent targetsHeap Exploitation Patterns:
Heap vulnerabilities differ from stack:
Investigation strategy:
search-decompilation pattern="(malloc|free|realloc)" → Find heap operationsAddress Space Discovery:
Map the binary's memory:
get-memory-blocks → See sections (.text, .data, .bss, heap, stack)Offsets and Distances:
Calculate critical distances:
Investigation strategy:
get-data or read-memory at known addresses → Sample memory layoutfind-cross-references direction="both" → Map relationshipsset-comment at key offsets documenting distancesConstraint Analysis:
Identify exploitation constraints:
search-decompilation pattern="(canary|__stack_chk)"Bypass Strategies:
Common protections and bypass techniques:
Exploitation Primitives:
Build these fundamental capabilities:
Chain multiple primitives when needed:
This is a thinking framework, not a rigid checklist. Adapt to the challenge:
Understand the challenge:
get-current-program or list-project-files → Identify target binaryget-memory-blocks → Map sections, identify protectionsget-functions filterDefaultNames=false → Count functions (stripped vs. symbolic)get-strings regexPattern="flag" → Find flag-related stringsget-symbols includeExternal=true → List imported functionsIdentify entry points and input vectors:
get-decompilation functionNameOrAddress="main" limit=50 → See program flowfind-cross-references to input functions → Map input flowset-bookmark type="TODO" category="Input Vector" at each input pointFlag suspicious patterns:
Trace data flow from input to vulnerability:
get-decompilation of input-handling function with includeReferenceContext=trueAnalyze vulnerable function context:
rename-variables → Clarify data flow (user_input, buffer, size, etc.)change-variable-datatypes → Fix types for clarityset-decompilation-comment → Document vulnerability location and typeMap memory layout around vulnerability:
read-memory at nearby addresses → Sample stack layout (if debugging available)set-bookmark type="Warning" category="Overflow" → Mark vulnerabilityCross-reference analysis:
find-cross-references to vulnerable function → How is it called?get-strings regexPattern="/bin/(sh|bash)" → Find shell stringssearch-decompilation pattern="system|exec" → Find execution functionsDetermine exploitation approach:
Based on protections and available primitives:
If no protections (NX disabled, no canary, no ASLR):
If NX enabled but no ASLR:
If ASLR enabled:
If stack canary present:
Investigation for each strategy:
get-strings regexPattern="(\x2f|/)bin/(sh|bash)" → Find shell stringsfind-cross-references to "/bin/sh" → Get string addressget-symbols includeExternal=true → Find system/exec importsget-decompilation of system → Get address (if not PIE)For ROP:
5. search-decompilation pattern="(pop|ret)" → Find gadget candidates
6. Manual ROP gadget discovery (use external tools like ROPgadget)
7. Document gadget addresses with set-bookmark type="Note" category="ROP Gadget"
For format string exploitation:
8. get-decompilation of printf call → Analyze format string control
9. Test format string primitives: %x (leak), %n (write), %s (arbitrary read)
10. set-comment documenting exploitation primitive
Build the exploit payload:
This happens outside Ghidra using Python/pwntools, but plan it here:
Document payload structure using set-comment:
Payload structure:
[padding: 64 bytes] + [saved rbp: 8 bytes] + [return addr: 8 bytes] + [args]
Record critical addresses with set-bookmark:
Document exploitation steps with set-bookmark type="Analysis" category="Exploit Plan":
Step 1: Send 64 bytes padding
Step 2: Overwrite return address with system() address
Step 3: Inject "/bin/sh" pointer as argument
Step 4: Trigger return to execute system("/bin/sh")
Track assumptions with set-bookmark type="Warning" category="Assumption":
This phase happens outside Ghidra, but document findings:
Update Ghidra database with findings:
set-comment with actual working offsetsset-bookmark documenting successful exploitationcheckin-program message="Documented successful exploitation of buffer overflow in function_X"See patterns.md for detailed vulnerability patterns:
Concept: Write beyond buffer bounds to overwrite return address or function pointers on stack.
Discovery:
Exploitation:
Concept: User-controlled format string allows arbitrary memory read/write.
Discovery:
search-decompilation pattern="printf|fprintf|sprintf"Exploitation:
Investigation:
4. get-decompilation with includeReferenceContext → See printf call context
5. set-decompilation-comment documenting format string control
6. set-bookmark type="Warning" category="Format String"
Concept: Chain existing code fragments (gadgets) ending in 'ret' to build arbitrary computation without injecting code.
Discovery:
pop reg; ret, mov [addr], reg; ret, syscall; retset-bookmark type="Note" category="ROP Gadget"Exploitation:
Workflow:
4. Identify required gadgets for goal (e.g., execve syscall)
5. set-comment at gadget addresses documenting purpose
6. Plan ROP chain structure with set-bookmark type="Analysis" category="ROP Chain"
Concept: Redirect execution to libc functions (system, exec, one_gadget) instead of shellcode.
Discovery:
get-symbols includeExternal=true → Find libc importsfind-cross-references to system, execve → Get addressesget-strings regexPattern="/bin/sh" → Find shell stringExploitation (no ASLR):
Exploitation (with ASLR):
Investigation:
4. get-data at GOT entries → See libc function addresses
5. Calculate libc base from known offset
6. set-bookmark documenting calculated addresses
Concept: Corrupt heap metadata or overflow between heap chunks to achieve arbitrary write or control flow hijack.
Discovery:
search-decompilation pattern="malloc|free|realloc"Exploitation techniques:
Investigation:
5. rename-variables for heap pointers (heap_ptr, freed_ptr, chunk1, chunk2)
6. set-decompilation-comment at allocation/free sites
7. set-bookmark type="Warning" category="Use-After-Free"
Concept: Integer overflow/underflow leads to incorrect buffer size calculation or bounds check bypass.
Discovery:
Exploitation:
Investigation:
4. change-variable-datatypes to proper integer types (uint32_t, size_t)
5. Identify overflow scenarios in comments
6. set-bookmark type="Warning" category="Integer Overflow"
Use ReVa tools systematically:
get-symbols → Find unsafe API importsget-strings → Find interesting strings (flag, shell, paths)search-decompilation → Find vulnerability patterns (unsafe functions)get-functions-by-similarity → Find functions similar to known vulnerable patternget-decompilation with includeIncomingReferences=true and includeReferenceContext=truefind-cross-referencesMake data-driven prioritization decisions faster
Draft PRDs, status updates, and stakeholder presentations
Example
Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement
Save 3-5 hours/week on communication overhead
Prerequisites
Time Estimate
30-60 minutes to see productivity improvements
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
✗ Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
mattpocock/skills
parcadei/continuous-claude-v3
cursor/plugins
ailabs-393/ai-labs-claude-skills
pproenca/dot-skills
mattpocock/skills
We added ctf-pwn from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
ctf-pwn reduced setup friction for our internal harness; good balance of opinion and flexibility.
Registry listing for ctf-pwn matched our evaluation — installs cleanly and behaves as described in the markdown.
I recommend ctf-pwn for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Useful defaults in ctf-pwn — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: ctf-pwn is focused, and the summary matches what you get after install.
ctf-pwn is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
ctf-pwn has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: ctf-pwn is the kind of skill you can hand to a new teammate without a long onboarding doc.
Useful defaults in ctf-pwn — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
showing 1-10 of 55