judge-ctf

Name: judge-ctf
Author: wgpsec/AboutSecurity

$npx mdskill add wgpsec/AboutSecurity/judge-ctf

Evaluate CTF challenges for flag capture and attack guidance.

Validates flag presence and diagnoses attack failures.
Analyzes logs, evidence files, and vulnerability data.
Matches patterns for SQLi, LFI, RCE, IDOR, SSRF, and deserialization.
Generates specific feedback and next-step recommendations.

SKILL.md

.github/skills/judge-ctfView on GitHub ↗

---
name: judge-ctf
description: "CTF flag 评判检查清单。当需要判断 CTF 挑战是否完成（flag 是否已获取）、分析攻击失败原因、或为下一步攻击提供精确指导时使用。覆盖 flag 搜索验证、漏洞发现评估、漏洞利用评估、flag 位置推断、常见题型模式匹配（SQLi/LFI/RCE/IDOR/SSRF/反序列化）"
metadata:
tags: "judge,evaluation,ctf,flag,decision"
category: "general"
---

# CTF Flag Capture Evaluation Checklist

## Sole Success Criterion

**Has flag{...} been found?**
- Search agent output logs for `flag{`
- Search evidence files for `flag{`
- Search vulns.json detail fields

Found → complete: true, no further evaluation needed.

## Diagnosis When Flag NOT Found

### Step 1: Was any vulnerability discovered?

```
if vuln_count == 0:
→ Insufficient reconnaissance, expand attack surface
feedback: "No vulnerabilities discovered. Suggestions:
1. Carefully inspect all HTTP responses for hidden clues
2. Try directory bruteforce to discover hidden endpoints
3. Check page source for comments and hidden parameters
4. Try common default credentials for login"
```

### Step 2: Was the vulnerability exploited?

```
if vulns_found but not_exploited:
→ Insufficient exploitation
feedback: "Discovered {vuln_type} but did not exploit to get flag. Suggestions:
- SQLi: Use UNION SELECT to read database tables, find flag table
- LFI: Read /flag.txt, /home/*/flag, /var/www/flag
- RCE: find / -name 'flag*' 2>/dev/null
- IDOR: Enumerate all id values, check each response for flag"
```

### Step 3: Exploited but no flag?

```
if vuln_exploited but no_flag:
→ Flag may not be in expected location
feedback: "Vulnerability exploited but flag not found. Suggestions:
1. Database search: SELECT * FROM flags / search all tables
2. File search: find / grep -r 'flag{' / env | grep FLAG
3. Check response headers: curl -v for HTTP headers
4. Check hidden pages: use gained privileges to access /admin, /dashboard
5. Check source code: decompile/view application source for hardcoded flag"
```

## Common CTF Challenge Patterns

Judge should know these patterns to provide precise feedback:

| Vuln Type | Flag Typically Located |
|-----------|----------------------|
| SQL Injection | A field in some database table |
| LFI/Path Traversal | /flag.txt or /etc/flag or in application directory |
| RCE/Command Injection | Filesystem, requires find/grep |
| IDOR | Content of a specific resource by id |
| Deserialization | Filesystem after gaining RCE |
| SSRF | Response from internal service |
| XSS | Usually no direct flag, unless admin bot exists |
| Info Disclosure | Source comments, backup files, config files |

## Feedback Precision Requirements

**FORBIDDEN**: vague feedback like "keep testing" or "dig deeper".

**MUST** provide specific:
1. Which discovered vulnerability to exploit
2. Concrete exploitation steps (payload-level)
3. Most likely flag location

More from wgpsec/AboutSecurity

Skill	Description
401-403-bypass	401/403 访问拒绝绕过方法论。当遇到管理后台、API 端点返回 401/403 Forbidden 时使用。覆盖路径操纵、HTTP 方法篡改、Header 注入、协议降级、组合攻击
ad-acl-abuse	Active Directory ACL 滥用攻击方法论。当 BloodHound 发现 GenericAll/WriteDACL/WriteOwner/GenericWrite/ForceChangePassword 等危险 ACE 时使用。覆盖 ACE 枚举、权限滥用链、Shadow Credentials、RBCD 攻击
ad-delegation-attack	Kerberos 委派攻击（非约束/约束/RBCD）。当 BloodHound 发现委派配置、或已获取有 SPN 的服务账号/机器账号控制权时使用。通过 S4U 协议滥用可实现跨服务模拟任意用户，常用于域内权限提升和横向移动。
ad-domain-attack	Active Directory 域环境攻击全链路。当目标主机在域环境中（systeminfo 显示 Domain 非 WORKGROUP）、发现 88/389/636 端口、或获取到域用户凭据时使用。覆盖域信息收集、用户枚举、Kerberoasting、AS-REP Roasting、委派攻击、ACL 滥用、DCSync、Golden/Silver Ticket
ad-persistence	AD 域环境持久化技术。当已获取域管/本地管理员权限、需要建立持久访问以确保重启或密码更改后仍能回到目标环境时使用。覆盖主机级持久化（计划任务/注册表Run/COM劫持/WMI事件订阅/Windows服务/启动文件夹）、域级持久化（Golden Ticket/Silver Ticket/Skeleton Key/DSRM/AdminSDHolder）、DCShadow/GoldenGMSA高级技术、清理命令与检测规避
ad-trust-attack	域信任关系攻击。当目标存在多域/多林环境时使用。包含父子域提权（Golden Ticket + ExtraSid）、跨林攻击（SID History/MSSQL Trust Links）、单向信任利用。已获取子域 Domain Admin 或发现信任关系时优先加载。
adcs-certipy-attack	Active Directory Certificate Services (ADCS) 证书攻击。当发现域内有 CA 服务器、ADCS Web Enrollment、证书模板配置错误时使用。覆盖 ESC1-ESC11 所有证书滥用路径、Certipy 工具链、证书伪造、NTLM 中继到 ADCS。发现 ADCS/CA/证书/certsrv 相关内容时一定要使用此技能
adinfo-enum	使用 Adinfo 进行 Active Directory 信息收集。当获得域用户凭据后需要快速收集域环境信息时使用。Adinfo 是一个快速 AD 信息收集工具，一条命令输出域控列表、域管用户、信任关系、GPO、SPN、委派配置等关键信息——比手动 LDAP 查询快得多。发现域环境后第一步信息收集使用此技能
agent-security	\|
ai-data-security	\|