CTF Pentest Checklist#
The aim of CTF Pentest Checklist is to generate a checklist for CTFs/Pentests. While studying CS in SMU, and also studying offensive security on the side, I’ve learnt the importance of a checklist. A checklist helps to ensure that all basic checks were done, all the i’s were dotted, and all the t’s were crossed.
However, with that said, one could always argue for the usage of automated tools, or even AI, which defeats the point of a checklist. In my opinion, this argument itself defeats the point of education- What’s the point of using automated tools if I don’t even know what I’m running? It defeats the point of education, and learning. And worse still, just blindly running it leaves you at the mercy of the tool itself. What if you’ve run some malicious code? If it’s on just a local, self-hosted asset then it’ll be fine- your own computer information was leaked, but in the first place, Windows Defender does a good enough job of preventing most attacks and vulnerabilities, so you should be fine (I use WSL and not a pure linux distribution because my surface pro is an old model, is 5 years old, and already takes 10 minutes to build a simple docker container, so I’ll rather not tempt fate by installing a new distro). Additionally, I have a poor opinion of even using AI to generate anything important. I had a conversation with a friend who was telling me about his entire “Workflow”. Naturally, I thought it was a CI/CD workflow and given that that’s one of the modules in SMU (which I’m currently taking and also doing a DevOps Project on with a local K8 setup), I thought I could learn some tips. Turns out it was just an AI workflow, and when I pressed for further details about whether it implemented any DevOps practices (such as codescanning tools for DevSecOps, or maybe some Chaos Engineering in Production to test system recovery), I got scant details, and an admittance that he had no clue how it worked under the hood.
Therefore, this Checklist stands for what I think to be important- Just a checklist. The planned features include:
- Further customisation of steps (This will be a constant WIP as I do more boxes/take more exams etc)
- Some sort of report export function which just entails pressing the export function to generate a PDF to show which steps have been done, and what screenshots were attached to said step
- Maybe the ability to add some text to each step, but honestly this is a huge maybe simply because I was never trained in frontend development. My knowledge of JS is really basic
- Adding a docker-compose.yaml since it’s easy to do, though I don’t really think it’s needed since you can just use the web version and check the code yourself to see that no calls can or are made to external APIs…
What is already included is literally
- A checklist (You can click the boxes and the task strikes out and also fades to grey)
- A progress bar (The colors could use somework, I admit I use GPT for color combinations…)
- A tool bar at the side (No clue whether it works though, I didn’t add enough dummy tasks to check)
Check it out here!