Ctf Forensics

Security checks across malware telemetry and agentic risk

Overview

This CTF forensics reference is mostly coherent, but it includes under-scoped instructions for credential extraction, live probing, forged DNSSEC responses, and evidence-modifying commands.

Install only if you want a CTF/lab forensics cheat sheet and will review commands before running them. Use isolated challenge data, avoid personal or third-party browser profiles and password vaults, do not run live network probing without explicit authorization, and work on copies of disk images rather than originals.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
This section goes beyond passive forensic recovery and explicitly instructs the user to use recovered DNSSEC private keys to forge signed DNS responses. Even in a CTF/forensics context, publishing operational steps for weaponizing stolen signing keys materially enables real-world domain impersonation, cache poisoning, and traffic redirection.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The KeePass section goes beyond passive forensic analysis by instructing users to base64-encode a database and transmit it off a remote system via netcat. That enables live collection and exfiltration of sensitive credential stores, which is dangerous even in a forensics-themed skill because it normalizes active data theft workflows rather than artifact analysis.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The git recovery section instructs users to dump an exposed .git directory from a live target using a third-party tool. While common in CTFs, this is an active collection technique against a network target and exceeds a narrowly forensic, artifact-only skill scope.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
This section moves beyond passive forensic analysis and provides active live-target probing code that iteratively queries a domain to reconstruct secret data. In a CTF context this may be intended for challenge solving, but embedded in a general forensics skill it enables misuse against real infrastructure and creates legal and operational risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
The workflow recommends `e2fsck -y` directly on the forensic image, which modifies filesystem metadata and can alter or destroy evidence. In a forensics skill, omission of a warning is especially risky because analysts may unknowingly perform destructive repair on the only copy of an image, compromising evidentiary integrity and reproducibility.

Missing User Warnings

Medium
Confidence: 91%
Finding
The browser credential decryption instructions directly recover stored passwords but provide no warning about handling highly sensitive credentials or limiting use to authorized forensic contexts. In practice, this materially lowers the barrier to credential theft and misuse.

Missing User Warnings

Medium
Confidence: 95%
Finding
The KeePass workflow includes extraction, cracking, and credential review steps without any caution about the sensitivity of password vaults or the legality of accessing them. This is especially risky because the section also includes transfer and cracking guidance that can be repurposed for unauthorized credential access.

Missing User Warnings

Medium
Confidence: 86%
Finding
Attaching to a live Python process with ptrace/pyrasite can expose secrets, alter process state, and affect system integrity, yet the section omits any caution about those risks. In a real environment, this can compromise evidence integrity and become an intrusive post-compromise technique.

Missing User Warnings

Medium
Confidence: 85%
Finding
This section gives actionable instructions and code for validating or cracking captured NTLMv2 authentication material, which can be directly applied to real-world credential attacks outside a CTF context. In a forensics/CTF skill this may be educational, but the lack of an authorization and real-credential handling warning increases misuse risk.

Missing User Warnings

High
Confidence: 95%
Finding
The Timeroasting section provides a complete attack chain: RID enumeration, MS-SNTP hash extraction, conversion to crackable format, and Hashcat commands. Even in a CTF-forensics skill, this is highly transferable offensive tradecraft against Active Directory environments, and the absence of strict scope and authorization warnings makes it more dangerous.

Missing User Warnings

Medium
Confidence: 83%
Finding
This content instructs readers to extract a private key from a PKCS12 container and use it to decrypt captured RDP sessions, which can expose sensitive session contents, credentials, and user activity. In a CTF setting this may be relevant to challenge solving, but without privacy and authorization warnings it normalizes decryption of intercepted traffic.

Missing User Warnings

High
Confidence: 93%
Finding
The RADIUS section provides a straightforward workflow to extract a crackable hash, recover the shared secret, and decrypt obfuscated user passwords from packet captures. That creates a clear path to credential disclosure in real environments, and the skill context does not sufficiently constrain use to labs or training data.

Missing User Warnings

Low
Confidence: 94%
Finding
The instructions advise rendering raw packet payloads containing ANSI escape sequences directly in a terminal via `more` or `less -r` without warning that escape codes can alter terminal state, rewrite display contents, set titles, or trigger confusing behavior. In a CTF-forensics context this is often done intentionally to reveal hidden content, but the guidance still encourages users to display untrusted control sequences on their own terminal, which is an unsafe practice.

VirusTotal

64/64 vendors flagged this skill as clean.