In CTFs, success often starts long before the first flag, with the quiet discipline of building the right toolkit in advance. Like reverse engineering itself, the edge comes from knowing how to break complexity apart faster than everyone else.
The only card that matters when the binary fights back
In many of our CTF training sessions, one question keeps coming up more than anything else: "What tools should I have installed before the competition?" It's a fair question, and the answer changes depending on who you ask and what category they specialise in.
Rather than repeating ourselves, we decided to write it all down. Here's our go-to list across Reverse Engineering, Binary Exploitation, Classical Crypto, and Web Security. Everything here is free and has consistently pulled its weight in real competitions.
Reverse engineering challenges ask you to take a compiled binary, strip away the abstraction, and understand what a program actually does under the hood. You'll encounter everything from simple crackmes to heavily obfuscated malware samples. The right disassembler and debugger setup is non-negotiable.
Ghidra is the crown jewel of open-source reverse engineering. Developed by the NSA and released to the public in 2019, it offers a full-featured disassembler, decompiler, and scripting environment that rivals tools costing thousands of dollars. Its decompiler produces remarkably readable C-like pseudocode from compiled binaries, which is often the fastest path to understanding a challenge. Ghidra supports a huge range of processor architectures - x86, ARM, MIPS, PowerPC, and many more - making it invaluable when CTF organisers throw exotic binaries at you. Its collaborative features also allow teammates to work on the same binary simultaneously, which is a massive advantage in time-limited competitions.
For competitors who prefer the command line, Radare2 (and its community fork, Rizin) is an incredibly powerful reverse engineering framework. It is fast, lightweight, and scriptable. Where Ghidra shines in its GUI and decompiler, Radare2 excels in rapid analysis, on-the-fly binary patching, and integration into automated workflows. The learning curve is steep - the command syntax can feel cryptic at first - but experienced users can tear through binaries at remarkable speed. Rizin, its modern fork, cleans up some rough edges and pairs with the Cutter GUI for those who want a graphical interface without leaving the ecosystem.
The GNU Debugger is the foundational dynamic analysis tool on Linux, and almost every CTF player will use it at some point. On its own, GDB's interface is spartan. That's where enhancement plugins come in. GEF (GDB Enhanced Features) and pwndbg both transform GDB into a CTF-ready powerhouse, adding color-coded register displays, automatic heap analysis, stack visualization, and dozens of convenience commands. Pwndbg is particularly popular in the CTF community for its tight integration with binary exploitation workflows. If you do nothing else, install one of these plugins before your next competition.
Aside from the basic tools above, there are also other, more advanced tools that we have posted about in the past, such as pin tool and Z3. You may also want to browse our post for guidance on solving CTF crackmes.
Binary exploitation, or "pwn," is where you move from understanding a binary to actively subverting it. You're hunting for buffer overflows, format string bugs, use-after-free vulnerabilities, and race conditions - then writing exploits to seize control. Speed and reliability matter here, so your toolchain needs to be rock solid.
Pwntools is the undisputed standard library for CTF exploit development. Written in Python, it provides everything from socket communication and process interaction to ELF parsing, ROP chain generation, and shellcode assembly. A typical CTF exploit script starts with `from pwn import *` and builds from there. Its cyclic utility helps you find buffer overflow offsets in seconds. Its ROP module can automatically discover and chain gadgets from a binary. And its remote/local abstraction lets you develop exploits locally, then switch to the remote target with a single line change. If you compete in CTFs and write exploits, pwntools is not optional - it's essential.
Modern binaries are protected by mitigations like NX (non-executable stack), which means you often can't just inject shellcode. Instead, you chain together small fragments of existing code - called "gadgets" - to build your exploit. ROPgadget and Ropper are two excellent tools that scan binaries for these useful instruction sequences. ROPgadget can even attempt to automatically build a complete ROP chain for you. Ropper offers a clean interactive interface and supports filtering gadgets by type, which is useful when you need something very specific, like a `pop rdi; ret` to set up a function argument on x86-64.
Sometimes you don't need an elaborate ROP chain. The one_gadget tool searches libc for addresses that, when jumped to, will directly spawn a shell under certain register or stack conditions. In many CTF pwn challenges, finding a single one_gadget address is the fastest path from "I control the instruction pointer" to "I have a shell." It's a small, focused tool that saves enormous amounts of time.
Before you start exploiting, you need to know what you're up against. The checksec utility (bundled with pwntools and available standalone) quickly reports which security mitigations are enabled on a binary: RELRO, stack canaries, NX, PIE, and FORTIFY. This five-second check dictates your entire exploitation strategy and should be the first thing you run on every pwn challenge.
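Where those answers come from, as an added example (not checksec's or pwntools' own code): PIE, NX and RELRO can be read from the ELF header and program headers, and a canary leaves a reference to `__stack_chk_fail`. It assumes 64-bit little-endian ELF, skips FORTIFY, and the helper `build_sample` and its two inputs are constructed for illustration.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)
ET_DYN = 3                                 # position-independent (or a shared object)
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1

def mitigations(blob: bytes) -> dict:
    """Report PIE, NX, RELRO and canary hints for a 64-bit little-endian ELF."""
    if len(blob) < EHDR.size or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 2 or blob[5] != 1:
        raise ValueError("only ELF64 little-endian is supported here")
    fields = EHDR.unpack_from(blob)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    segments = {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(blob):
            raise ValueError("truncated program header table")
        p_type, p_flags = PHDR.unpack_from(blob, off)[:2]
        segments[p_type] = p_flags
    stack_flags = segments.get(PT_GNU_STACK)
    return {
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK header is treated as an executable stack (conservative).
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        # Presence only: telling full from partial RELRO needs the dynamic section.
        "relro": PT_GNU_RELRO in segments,
        # Heuristic: binaries built with stack protectors reference this symbol.
        "canary": b"__stack_chk_fail" in blob,
    }

def build_sample(e_type: int, segments, extra: bytes = b"") -> bytes:
    """Constructed input: headers only, enough to parse, not a runnable program."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    header = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                       EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)
    return header + phdrs + extra

HARDENED = build_sample(3, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)], b"__stack_chk_fail\0")
LEGACY = build_sample(2, [(PT_GNU_STACK, 7)])

if __name__ == "__main__":
    print("hardened:", mitigations(HARDENED))
    print("legacy:  ", mitigations(LEGACY))
```

The same function works on a real file via `mitigations(open(path, "rb").read())`, which is also a quick way to confirm that your own build flags produced the hardening you expected.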
Cryptography challenges in CTFs range from ancient ciphers to modern protocol attacks. Classical crypto problems - those involving substitution ciphers, XOR encryption, RSA with weak parameters, and similar constructions - appear frequently and reward players who have the right analytical tools ready.
CyberChef, developed by GCHQ, is often called "the cyber Swiss Army knife," and it earns that title. It's a web-based tool that lets you chain together hundreds of data transformation operations: Base64 encoding and decoding, XOR brute-forcing, frequency analysis, various cipher decryptions, compression, hashing, and far more. Its drag-and-drop "recipe" interface means you can quickly experiment with different decoding chains until the flag tumbles out. For quick classical crypto challenges, CyberChef alone can get you from ciphertext to plaintext in minutes.
RSA is the most common public-key cryptosystem you'll encounter in CTFs, and challenge authors love to give you RSA instances with deliberately weak parameters. RsaCtfTool automates a large collection of known RSA attacks: small public exponent, Wiener's attack on small private exponents, Fermat factorization for close primes, common modulus attacks, Håstad's broadcast attack, and many others. Give it the public key or the raw parameters (n, e, c), and it will cycle through its attack library looking for a weakness. It won't solve every RSA challenge, but it handles the low-hanging fruit instantly, freeing you to spend your time on the harder problems.
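Why close primes count as a weak parameter, as an added example (not code from RsaCtfTool or from this post): Fermat's method finds p and q almost at once when both sit near the square root of n, and the same bounded search works as a sanity check on freshly generated keys. The moduli, the exponent and the function names are constructed for illustration, using small primes.

```python
from math import isqrt

def fermat_factor(n: int, max_steps: int = 1_000_000):
    """Return (p, q) if Fermat's method splits n within max_steps, else None."""
    if n < 3 or n % 2 == 0:
        raise ValueError("expects an odd RSA modulus")
    a = isqrt(n)
    if a * a < n:
        a += 1                      # start at ceil(sqrt(n))
    for _ in range(max_steps):
        b2 = a * a - n              # looking for n = a^2 - b^2 = (a - b)(a + b)
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None                     # primes are not close enough for this budget

def private_exponent(p: int, q: int, e: int) -> int:
    """Once p and q are known, the private exponent follows directly."""
    return pow(e, -1, (p - 1) * (q - 1))

# Constructed moduli: one from two neighbouring primes, one from well-separated primes.
CLOSE_N = 1000003 * 1000033
FAR_N = 1000003 * 2147483647
E = 65537

if __name__ == "__main__":
    p, q = fermat_factor(CLOSE_N)
    d = private_exponent(p, q, E)
    c = pow(42, E, CLOSE_N)                     # constructed ciphertext of the value 42
    print("close primes:", (p, q), "decrypts to", pow(c, d, CLOSE_N))
    print("separated primes, 1000 steps:", fermat_factor(FAR_N, max_steps=1000))
```

The number of iterations grows roughly with (p - q)² / (8·√n), which is why properly generated keys with independently chosen primes are out of reach of this method.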
When the automated tools fail and you need to do real mathematical computation, SageMath is your best friend. It's a mathematics software system built on top of Python that provides powerful number theory, algebra, and combinatorics capabilities. Need to compute discrete logarithms? Factor large integers with a specific structure? Work with elliptic curves over finite fields? SageMath handles all of it with clean Python syntax. Many top CTF players write their crypto solutions as SageMath scripts because it bridges the gap between mathematical notation and executable code more naturally than any other free tool.
When a crypto challenge comes down to cracking a hash or breaking a weak password, John the Ripper and Hashcat are the industry standards. John the Ripper is flexible, supports a vast range of hash formats, and works well for dictionary and rule-based attacks. Hashcat leverages GPU acceleration to achieve staggering cracking speeds and is the tool of choice when brute force is the only way forward.
Web challenges test your ability to find and exploit vulnerabilities in web applications - SQL injection, cross-site scripting, server-side request forgery, authentication bypasses, and much more. The web category is often the most accessible for beginners, but advanced challenges can be fiendishly clever.
Burp Suite is the single most important tool for web CTF challenges. The Community Edition is free and provides an intercepting proxy that lets you capture, inspect, modify, and replay every HTTP request between your browser and the target. This visibility is fundamental - you can't exploit what you can't see. The built-in Repeater tool lets you tweak requests and resend them instantly, which is invaluable for testing injection payloads. While the Professional edition adds an automated scanner and other advanced features, the Community Edition's proxy and Repeater alone are enough for the vast majority of CTF web challenges.
OWASP ZAP (Zed Attack Proxy) is a fully open source alternative to Burp Suite, backed by the OWASP Foundation. It provides an intercepting proxy, automated scanner, fuzzer, and a rich plugin ecosystem with no feature gating. ZAP's active scanner can automatically discover common vulnerabilities like SQL injection and XSS, giving you a head start on web challenges. For competitors who want a completely open source setup or need automated scanning capabilities without a commercial license, ZAP is an excellent choice.
When you've identified a potential SQL injection point, SQLMap automates the tedious work of confirming and exploiting it. Feed it a vulnerable URL or a saved Burp request, and it will detect the injection type, determine the backend database, and extract data - all automatically. It supports MySQL, PostgreSQL, SQLite, MSSQL, Oracle, and many other database engines. In a CTF context, SQLMap can save you fifteen minutes of manual payload crafting, which is an eternity when the scoreboard is moving.
Hidden directories, backup files, and undocumented API endpoints are common attack surfaces in web CTFs. Directory and content discovery tools like ffuf (Fuzz Faster U Fool) and Gobuster rapidly brute-force URL paths against a wordlist to find what the challenge author tried to hide. Ffuf is particularly versatile - it can fuzz not just paths but also parameters, headers, and POST data. Running a quick directory scan is often one of the first things experienced CTF players do when they encounter a web challenge, because the flag might be sitting in an exposed admin panel or a forgotten backup file.
Never overlook what's already built into your browser. The developer tools in Firefox and Chrome let you inspect the DOM, read JavaScript source, monitor network requests, manipulate cookies, and debug client-side code. Many web challenges hide clues in JavaScript comments, obfuscated client-side validation logic, or unusual HTTP headers. Before reaching for any other tool, open the developer console - the answer might be staring right at you.
Having the tools is only the first step. The smartest approach is to build a dedicated CTF environment - a Linux virtual machine or a Docker container - with everything pre-installed and configured. Distributions like Kali Linux and ParrotOS come with many of these tools out of the box, and for the rest, a simple setup script can get you from a fresh install to competition-ready in minutes.
The open-source security community has given you everything you need to compete at the highest level. The only remaining investment is your time. Start building, start breaking, and capture those flags.