A Model Context Protocol (MCP) server providing comprehensive tools for CTF (Capture The Flag) challenges.
IMPORTANT: This tool is designed for authorized security testing only.
- ✅ Authorized Use: CTF competitions, penetration testing with written permission, security research, educational purposes
- ❌ Prohibited Use: Unauthorized access, malicious attacks, illegal activities
Before using this tool:
- Ensure you have proper authorization
- Read SECURITY.md for detailed security guidelines
- Review BEST_PRACTICES.md for usage recommendations
- Understand the risk levels of tools you plan to use
Risk Levels:
- 🟢 LOW: Information gathering (safe)
- 🟡 MEDIUM: Vulnerability detection (requires authorization)
- 🟠 HIGH: Exploitation tools (explicit authorization required)
- 🔴 CRITICAL: RCE/Deserialization payloads (written authorization required)
By using CTF-MCP, you agree to use it responsibly and legally.
- Base encoding (Base64, Base32, Base58, Base85)
- Classical ciphers (Caesar, Vigenere, Atbash, Affine, Rail Fence, Playfair, Hill)
- XOR operations and analysis
- Modern crypto (AES, DES, RC4)
- Hash functions and cracking
- RSA attacks (Wiener, Hastad, Common Modulus, Franklin-Reiter)
- Frequency analysis
- SQL Injection (Union, Error, Blind, Time-based)
- XSS payloads and filter bypass
- SSTI (Server-Side Template Injection)
- SSRF, XXE, Command Injection
- JWT attacks (None algorithm, Key confusion)
- Deserialization (PHP, Python Pickle, Java, Node.js)
- HTTP Smuggling, GraphQL, WebSocket
- OAuth, CORS, Cache Poisoning
- Shellcode generation (x64/x86)
- Cyclic pattern creation and offset finding
- ROP gadgets and chain building
- Format string exploits
- Heap exploitation (Tcache, Fastbin, House of Force/Spirit)
- Stack pivot techniques
- SROP (Sigreturn-oriented programming)
- Libc database and one_gadget
- Disassembly helpers
- String extraction
- Binary analysis
- File carving
- Memory analysis
- Network forensics
- Encoding/decoding utilities
- Steganography helpers
pip install -e .ctf-mcpfrom ctf_mcp.tools.crypto import CryptoTools
from ctf_mcp.tools.web import WebTools
from ctf_mcp.tools.pwn import PwnTools
crypto = CryptoTools()
web = WebTools()
pwn = PwnTools()
# Generate SQL injection payloads
print(web.sql_payloads("mysql", "union"))
# Base64 encode
print(crypto.base64_encode("Hello CTF"))
# Create cyclic pattern
print(pwn.pattern_create(100))Add to your MCP client configuration:
{
"mcpServers": {
"ctf-mcp": {
"command": "ctf-mcp"
}
}
}- Python 3.10+
- mcp >= 1.0.0
一个为 CTF(夺旗赛)挑战提供全面工具的 MCP(模型上下文协议)服务器。
重要提示:本工具仅用于授权的安全测试。
- ✅ 授权使用:CTF 竞赛、获得书面许可的渗透测试、安全研究、教育目的
- ❌ 禁止使用:未经授权的访问、恶意攻击、非法活动
使用本工具前:
- 确保您已获得适当的授权
- 阅读 SECURITY.md 了解详细的安全指南
- 查看 BEST_PRACTICES.md 了解使用建议
- 了解您计划使用的工具的风险级别
风险级别:
- 🟢 低风险:信息收集(安全)
- 🟡 中风险:漏洞检测(需要授权)
- 🟠 高风险:漏洞利用工具(需要明确授权)
- 🔴 严重风险:RCE/反序列化 payload(需要书面授权)
使用 CTF-MCP 即表示您同意负责任且合法地使用它。
- Base 编码 (Base64, Base32, Base58, Base85)
- 古典密码 (凯撒、维吉尼亚、Atbash、仿射、栅栏、Playfair、Hill)
- XOR 运算与分析
- 现代加密 (AES, DES, RC4)
- 哈希函数与破解
- RSA 攻击 (Wiener、Hastad、共模攻击、Franklin-Reiter)
- 频率分析
- SQL 注入 (联合查询、报错注入、布尔盲注、时间盲注)
- XSS 载荷与过滤器绕过
- SSTI (服务端模板注入)
- SSRF、XXE、命令注入
- JWT 攻击 (None 算法、密钥混淆)
- 反序列化 (PHP, Python Pickle, Java, Node.js)
- HTTP 走私、GraphQL、WebSocket
- OAuth、CORS、缓存投毒
- Shellcode 生成 (x64/x86)
- 循环模式创建与偏移查找
- ROP gadgets 与链构建
- 格式化字符串漏洞利用
- 堆利用 (Tcache, Fastbin, House of Force/Spirit)
- 栈迁移技术
- SROP (Sigreturn 导向编程)
- Libc 数据库与 one_gadget
- 反汇编辅助
- 字符串提取
- 二进制分析
- 文件雕复
- 内存分析
- 网络取证
- 编码/解码工具
- 隐写术辅助
pip install -e .ctf-mcpfrom ctf_mcp.tools.crypto import CryptoTools
from ctf_mcp.tools.web import WebTools
from ctf_mcp.tools.pwn import PwnTools
crypto = CryptoTools()
web = WebTools()
pwn = PwnTools()
# 生成 SQL 注入载荷
print(web.sql_payloads("mysql", "union"))
# Base64 编码
print(crypto.base64_encode("Hello CTF"))
# 创建循环模式
print(pwn.pattern_create(100))添加到你的 MCP 客户端配置:
{
"mcpServers": {
"ctf-mcp": {
"command": "ctf-mcp"
}
}
}- Python 3.10+
- mcp >= 1.0.0
Coff0xc
MIT License - see LICENSE