Best Free CTF Cheat Sheet 2026
CTF (Capture The Flag) challenges are one of the fastest ways to learn cybersecurity because they force you to practice real skills: finding hidden data, analyzing files, spotting weak web logic, and thinking step-by-step under pressure. But most beginners don’t get stuck because they “don’t understand hacking” they get stuck because they don’t have a clean, practical reference for what to try first. A good CTF cheat sheet is not a random list of payloads. It’s a structured map: when you see X, test Y, then verify Z.
In most CTFs, your time is lost in two places:
(1) you don’t know what to check first
(2) you try too many random things with no structure.
The goal of this cheat sheet is to turn your approach into a repeatable workflow. Instead of copying writeups, you’ll learn how to recognize patterns: a suspicious filename means “check file type,” a strange cookie means “decode it,” a parameter doesn’t validate means “test IDOR/LFI,” a blob of text means “encoding or cipher.”
This cheat sheet also avoids the common beginner trap of “tool collecting.” Tools are important, but knowing why you’re using a tool is what wins flags. So you’ll see short explanations in paragraphs (semantic and clear) and then quick command blocks or bullet lists where it makes sense.
The #1 CTF Workflow (Use This When You’re Stuck)
Before we go into categories, memorize this. It works for almost every beginner and intermediate challenge.
- Classify the challenge (Linux/Web/Crypto/Forensics/OSINT) and identify the input (file, URL, port, ciphertext, image, username).
- Do the simplest checks first (file type, strings, metadata, source code, headers). Many flags are “hidden in plain sight.”
- Change one variable at a time and observe behavior (errors, redirects, output differences).
- Take notes: what you tried, what changed, what didn’t. Notes stop you from repeating mistakes and help you think clearly.
- If you’re stuck, switch the angle, not the tool. Example: web challenge → inspect cookies and headers; forensics → check metadata and file structure; crypto → try decoding layers.
That’s how you build skill fast—because you’re practicing reasoning, not guessing.
1) Linux CTF Cheat Sheet (Essential Commands + Real Use Cases)
Linux CTFs often look simple: “connect via SSH,” “open a folder,” “find the flag.” But the learning value is huge because Linux teaches you how real systems store secrets: config files, logs, backups, permissions, and user data. Flags are commonly hidden in dotfiles, old backups, or places with weird permissions. The best Linux solvers are not faster typists—they just know how to search efficiently.
A) Navigation + File Identification (Don’t Trust Extensions)
When you land in a directory, your first job is to understand what’s there. Use ls -la to see hidden files, owners, timestamps, and permissions. The next step is identifying unknown files using file. In CTFs, attackers frequently rename a ZIP to .jpg or a binary to .txt just to trick you.
Core commands you’ll use constantly:
pwd(current directory)ls -la(show hidden files + permissions)cd,cd ..,cd ~file filename(identify real type)cat,less,head,tail(view content safely)
A strong beginner habit is: always run file on anything suspicious before opening it in an editor or assuming it’s “just text.”
B) Fast Searching (The Real Secret of Linux Flags)
Most Linux flags are found by searching—not by guessing. You search for patterns like “flag,” “pass,” “token,” “key,” “secret,” and also for file names that look like backups. Using grep and find correctly is a major skill upgrade.
Balanced command list (high impact):
- Search for “flag” inside all files:
grep -R "flag" . - Case-insensitive search:
grep -Ri "flag" . - Search for multiple keywords:
grep -Ri "pass\|password\|token\|secret\|key" . - Find files with “flag” in the name:
find . -name "*flag*" - Find recently modified files (useful in some labs):
find . -type f -mtime -2 - Find big files (flags sometimes buried in logs):
find . -type f -size +10M
Use this mental model: find locates targets, grep extracts answers.
C) Permissions + SUID (Why Some Challenges Feel “Weird”)
Linux privilege challenges often hide the solution in permissions. If a file is readable by everyone, it’s often intended. If it’s not readable, the challenge is about finding another path. SUID binaries are especially common in beginner-to-intermediate CTFs because they teach privilege mistakes safely.
Check who you are:
idgroups
Look for SUID binaries (common CTF trick):
find / -perm -4000 -type f 2>/dev/null
You’re not “hacking the OS” here—you’re learning how misconfigurations create real-world security issues.
D) Archives, Encodings, and “Weird Files”
CTFs love compressed and layered files. If something doesn’t open, it might be archived, encoded, or nested. Start by extracting and re-checking file type after each extraction.
Common extraction commands:
unzip file.ziptar -xf file.tartar -xvf file.tar.gz7z x file.7z(if installed)
Quick triage commands:
strings file | head(find readable hints)strings file | grep -i flagxxd file | head(peek at file header)
The “2026 CTF reality” is that simple triage wins more flags than advanced magic.
E) Networking Basics (When a Service Gives You a Port)
If a challenge gives you an IP and port, your goal is to understand what service is running. Many beginner flags are accessible just by connecting and reading output, or by sending a simple request.
Useful commands:
nc host port(connect and interact)curl -i http://host:port/(see headers + redirects)wget URL(download)nmap -sV host(service detection, if allowed)
A quick tip: curl -i often reveals cookies and redirect logic that matters later.
2) Web CTF Cheat Sheet (Recon → Inputs → Vulnerability Pattern)
Web CTF challenges are extremely popular because they mirror real web security problems. The reason beginners struggle is they jump straight to payloads without mapping the application. The correct approach is: recon first, then identify inputs, then test predictable patterns based on the input type.
A) Web Recon That Actually Matters
Before you attack anything, understand what the site is doing. Check source code, network calls, cookies, and hidden files. This step alone solves many beginner CTFs because flags are sometimes hidden in comments, JavaScript files, or exposed endpoints.
Fast recon checklist:
- View page source and search for hidden URLs or keys
- Open browser DevTools → Network tab → watch requests
- Check cookies and local storage
- Try
robots.txtandsitemap.xml - Look for
.jsfiles and read them (many flags hide there)
CTFs often reward curiosity. If a site loads app.js, don’t ignore it—open it and read it.
B) Input Patterns (Know What a Parameter “Means”)
Most web flags are found through input mistakes. When you see id=, file=, page=, or redirect=, you can often predict what type of weakness to test.
Common parameter → common issue mapping:
id=123→ IDOR / SQLi testingpage=home→ LFI / template logicfile=report.pdf→ path traversal / LFIurl=http://...→ SSRF possibilitynext=/dashboard→ open redirect checks
This is how pros work: they don’t guess random payloads; they follow patterns.
C) Cookies, Sessions, and JWT (Where Many “Easy Flags” Live)
CTFs love putting flags or admin roles in cookies because it teaches why trusting client-side data is dangerous. If you see cookies that look like base64 or JSON, decode them. If you see a JWT token, decode it to inspect claims like role, admin, user_id, and expiration.
What to look for:
- Cookies like
admin=false - base64-looking strings ending with
= - JWT pattern:
header.payload.signature(three parts separated by dots)
If the challenge is beginner-level, the answer is often in “what the browser already received,” not in complicated exploitation.
D) The “Safe Start” Tests for Common Web Vulns
Instead of dropping a huge payload list, start with minimal tests that reveal behavior:
- SQLi: add
'and see if errors or output changes - XSS: test if HTML is rendered (e.g.,
<b>test</b>) - Auth bypass: try direct access to
/adminor changeuser_id - File upload: check allowed extensions and whether uploaded files become accessible
The goal is not to spam payloads. The goal is to observe how input is processed.
3) Crypto CTF Cheat Sheet (Encoding First, Then “Real Crypto”)
Crypto challenges scare beginners because the word “crypto” sounds like complex math. In beginner CTFs, most crypto tasks are actually encoding layers, weak hashing, or simple XOR. Your first job is to determine whether the challenge is about reversible encoding or key-based encryption.
A) Encoding vs Hashing vs Encryption (Simple But Critical)
- Encoding is reversible formatting (base64, hex, URL encoding).
- Hashing is one-way (MD5/SHA). But weak hashes can be cracked if the original data is a common password.
- Encryption is reversible with a key (AES/RSA), but CTF versions usually contain mistakes.
Once you classify the type, you stop wasting time.
B) Recognize Encodings Quickly
A lot of “crypto” flags are just multiple encoding layers. That’s why decoding is often step one. If you decode something and it becomes readable text or another encoded format, keep going.
Common encoding clues:
- Base64: letters/numbers/
+/often with=at end - Hex: only 0–9 and a–f
- URL encoding:
%2F,%3D, etc. - ROT13: readable letters but shifted
C) XOR (CTF Favorite)
XOR appears everywhere because it’s simple and teaches key reuse mistakes. Many beginner XOR tasks can be solved if you suspect a known flag prefix like flag{ and work backwards.
XOR clue list:
- repeated patterns
- same key reused
- output looks like random bytes but consistent length
D) RSA (Beginner Intuition)
If you see values like n, e, and c, you’re likely looking at RSA. Beginner RSA challenges usually provide a weakness: small exponent, shared modulus, leaked prime, or something that makes it solvable.
Your takeaway: RSA in beginner CTFs is usually “broken RSA,” not real RSA security.
4) Forensics CTF Cheat Sheet (Files, PCAP, Metadata, Stego)
Forensics challenges reward slow, careful thinking. Instead of attacking, you investigate. Your first goal is to identify file type, then extract what’s inside, then search for hidden artifacts.
A) File Type First (Always)
CTF authors love trick files. A .png might be a ZIP. A .txt might contain binary data. Always check with file and then inspect headers if needed.
Then do the simplest extraction steps, because many forensics tasks are “open the container within the container.”
B) Metadata and Strings (Easy Wins)
Before running heavy tools, check metadata and readable strings. It’s the fastest path to flags in beginner forensics.
Fast checks:
strings file | grep -i flag- image metadata (EXIF)
- document metadata (PDF/Office)
C) PCAP Quick Strategy
PCAPs often contain HTTP traffic, DNS, and sometimes transferred files. Your job is to identify what happened: what domains were requested, what files were downloaded, what credentials were used (only in legal labs).
A good PCAP workflow:
- filter HTTP first
- identify downloads
- export objects if possible
- look for suspicious POST data
D) Steganography (Start Simple)
Stego is often overhyped. In many beginner stego challenges, the flag is in metadata, appended data, or a hidden archive.
Start with:
- metadata
strings- file type checks
- appended archive detection
Only after that go deep into stego tooling.
5) OSINT CTF Cheat Sheet (Usernames, Images, Domains)
OSINT CTFs simulate investigation using public information. The best OSINT approach is structured: start broad, narrow down, confirm using multiple signals. Your goal isn’t to “guess the person.” It’s to locate a clue the challenge creator intentionally exposed.
A) Username Workflow
If given a username, search it exactly, then check where it appears, then follow links. Many OSINT flags are hidden in bio links, repositories, or old posts.
B) Image Workflow
For images, check metadata and reverse search where allowed. Pay attention to background details: signs, landscapes, unique shapes. In CTFs, tiny details are deliberately placed.
C) Domain Workflow
For domains, look at DNS and certificate records (often helpful). Historical snapshots can reveal older pages that include the clue.
One-Page CTF Quick Checklist (2026)
- Identify challenge type and input (file/URL/port/ciphertext/username)
- Do simple checks first (file type, strings, metadata, source, headers, cookies)
- For Linux:
ls -la,file,grep -Ri,find,strings - For Web: source + DevTools, parameters, cookies/JWT decode, basic behavior tests
- For Crypto: encoding first, then XOR/hash/RSA weaknesses
- For Forensics: file type → extract → strings/metadata → PCAP workflow
- For OSINT: username → image → domain; confirm clues with multiple signals
- If stuck: change the angle, take notes, avoid random tool-spamming
FAQs:
What is CTF in cybersecurity?
CTF stands for Capture The Flag—security challenges where you solve puzzles to find a hidden flag string (often like flag{...}).
Do I need Kali Linux for CTF?
Not necessarily. Many beginner CTFs can be solved using a standard Linux setup and browser tools. Kali helps, but skill and workflow matter more.
What should I learn first for CTF?
Linux searching + web fundamentals + basic decoding. Those three solve a large share of beginner flags.
Is using writeups cheating?
Writeups are learning tools. The best method is: try first, take notes, then read a writeup to learn what you missed and apply the same method to the next challenge.
About The Author
