功能描述

Automatically generate professional CTF writeups from solving sessions with flag detection, challenge categorization, and proper markdown formatting

使用说明 (SKILL.md)

CTF Writeup Generator

Name: CTF Writeup Generator
Author: akhmittra

Description

This skill helps CTF players, security researchers, and cybersecurity educators automatically generate professional writeups from their solving sessions. It intelligently detects flag formats, categorizes challenges, structures the writeup with proper headings, and includes code blocks with syntax highlighting.

Perfect for:

Creating platform-specific writeups (HackTheBox, TryHackMe, OffSec, etc.)
Documenting Jeopardy-style CTF solutions
Generating educational content for training materials
Building a portfolio of security research

When to Use

Use this skill when the user:

Says "generate a CTF writeup"
Mentions "document my CTF solution"
Asks to "create a writeup for [challenge name]"
References completing a CTF challenge and needs documentation
Wants to format their solving process professionally
Needs to extract and format flags from their notes

Features

Flag Format Detection

Automatically detects and validates common CTF flag formats:

CTF{...}, FLAG{...}, flag{...}
Platform-specific: HTB{...}, THM{...}, SHAASTRA{...}, picoCTF{...}
Custom regex patterns for competition-specific formats
Case-sensitive validation support

Challenge Categories

Automatically categorizes based on keywords and tools used:

Web Exploitation: SQL injection, XSS, CSRF, authentication bypass
Binary Exploitation: Buffer overflow, ROP, format strings, heap exploitation
Reverse Engineering: Binary analysis, decompilation, obfuscation
Cryptography: Classical ciphers, modern crypto, hash cracking
Forensics: Steganography, memory forensics, network analysis, disk imaging
OSINT: Information gathering, social media analysis
PWN: Exploitation, shellcode, privilege escalation
Miscellaneous: Mixed or unique challenge types

Structured Output

Generates properly formatted markdown writeups with:

Challenge metadata (name, category, difficulty, points)
Executive summary
Reconnaissance findings
Step-by-step solution with code blocks
Tools used section
Flag submission
Key learnings and takeaways
Optional: Additional resources and references

Code Formatting

Proper syntax highlighting for:

Python, Bash, JavaScript, C/C++
Assembly (x86, ARM)
SQL queries
Command-line tools output
Network packet analysis

Instructions

When a user requests a CTF writeup, follow this workflow:

Gather Information Ask the user for:
- Challenge name
- Platform/CTF name (e.g., "HackTheBox", "Shaastra CTF")
- Category (or detect from description)
- Difficulty level (Easy/Medium/Hard or points value)
- Flag format if non-standard
- Their solving process/notes
Process the Content
- Extract technical steps from their description
- Identify tools and commands used
- Detect flag format and validate
- Categorize the challenge
- Structure the flow logically

Generate the Writeup Create a markdown document with this structure:

# [Challenge Name] - [Platform] CTF Writeup

**Author**: [Author name or handle]  
**Date**: [Current date]  
**Category**: [Category]  
**Difficulty**: [Difficulty]  
**Points**: [Points if applicable]

## Summary

[2-3 sentence overview of the challenge and solution approach]

## Challenge Description

[Original challenge description if provided]

## Reconnaissance

[Initial enumeration and information gathering]

## Solution

### Step 1: [Phase name]

[Detailed explanation with commands/code]

```bash
# Commands used

Step 2: [Next phase]

[Continue with logical progression]

Tools Used

Tool 1: Purpose
Tool 2: Purpose

Flag

FLAG{...}

Key Takeaways

Learning point 1
Learning point 2

References

[Relevant links]

Validate and Enhance
- Check flag format matches the platform
- Ensure code blocks have proper syntax highlighting
- Add explanatory comments to complex commands
- Include alternative approaches if mentioned
Save the Writeup Save the generated writeup to a markdown file named: [platform]_[challenge-name]_writeup.md

Example Usage

User: "I just solved the 'Binary Bash' challenge from Shaastra CTF. It was a buffer overflow where I had to overwrite the return address. The flag was Shaastra{buff3r_0v3rfl0w_m4st3r}. Can you generate a writeup?"

Agent Response:

Asks for additional details (tools used, exact exploit steps)
Generates a professional writeup with:
- Proper challenge metadata
- Binary exploitation category
- Step-by-step buffer overflow explanation
- Code blocks with assembly/C code
- GDB commands used
- Flag in correct format
- Learning points about memory safety

Platform-Specific Templates

HackTheBox

Include machine IP, OS, and difficulty rating
Add user/root flag sections
Include attack path diagram if complex

OffSec/OSCP

Focus on enumeration methodology
Document privilege escalation chains
Include proof screenshots references

Jeopardy CTF

List point values and solve times
Include team strategy if relevant
Categorize by challenge type

Advanced Features

Multi-Tool Integration

Reference other skills for specific tasks:
- ghidra-skill for reverse engineering analysis
- burpsuite-skill for web exploitation
- volatility-skill for memory forensics

Writeup Templates

Support for different writeup styles:

Academic: Detailed with theoretical background
Speedrun: Concise with just essential steps
Tutorial: Beginner-friendly with extra explanations
Portfolio: Professional format for job applications

Export Formats

Standard Markdown (.md)
PDF via pandoc
HTML with custom CSS
Platform-specific formats (HTB Academy, Medium, dev.to)

Security Considerations

Never include actual credentials or sensitive API keys
Sanitize paths that might reveal system information
Respect competition rules (don't publish during active CTF)
Add spoiler warnings for recent challenges
Verify flag sharing is allowed by platform

Configuration

Users can customize via environment variables:

# Set default author name
export CTF_AUTHOR="akm626"

# Set default CTF platform
export CTF_PLATFORM="HackTheBox"

# Set preferred writeup style
export CTF_WRITEUP_STYLE="tutorial"

# Enable automatic screenshot embedding
export CTF_AUTO_SCREENSHOTS=true

Dependencies

Basic markdown processor (built-in)
Optional: pandoc (for PDF export)
Optional: pygments (for enhanced syntax highlighting)

Tips for Best Results

Provide detailed solving notes - the more context, the better
Include command outputs when relevant
Mention dead-ends and why they failed (valuable learning)
Reference CVEs and tool documentation
Add your unique insights and methodology
Keep flag formats consistent with the platform

Example Writeup Structure

For a web exploitation challenge:

# SQL Injection Master - Shaastra CTF 2026

**Author**: akm626  
**Date**: February 08, 2026  
**Category**: Web Exploitation  
**Difficulty**: Medium  
**Points**: 300

## Summary

This challenge involved exploiting a SQL injection vulnerability in a login form to extract database contents and retrieve the flag. The application used client-side filtering which was easily bypassed.

## Challenge Description

[Original description...]

## Reconnaissance

Initial enumeration revealed a PHP-based login portal running on Apache. Basic directory fuzzing found:

```bash
ffuf -w common.txt -u http://target.com/FUZZ

admin/
backup/
config/

Solution

Step 1: Identifying the Injection Point

Testing the login form with basic SQL injection payloads:

' OR '1'='1' --
admin' --
' UNION SELECT NULL--

Step 2: Database Enumeration

Used SQLMap to automate extraction:

sqlmap -u "http://target.com/login.php" --data="username=admin&password=test" \
       --technique=U --dump --batch

[Continue with detailed steps...]

Flag

SHAASTRA{sql_inj3ct10n_pr0}

Key Takeaways

Always test for SQL injection on input fields
Client-side validation is not security
Parameterized queries prevent SQL injection

Tools Used

Burp Suite: Request interception
SQLMap: Automated SQL injection
ffuf: Directory fuzzing

References


## Contributing

Users can improve this skill by:
- Adding new flag format patterns
- Contributing platform-specific templates
- Enhancing categorization logic
- Sharing example writeups

## License

MIT License - Free to use and modify

## Support

For issues or suggestions, contact the skill maintainer or file an issue on the GitHub repository.

安全使用建议

This skill appears coherent and does what it says: create professionally formatted CTF writeups from user-provided notes. Before installing, consider: (1) CTF writeups commonly include exploit commands and privilege-escalation steps — treat this as dual-use content and avoid pasting real production credentials or sensitive target data into the skill. (2) The skill will save markdown files to the agent workspace; ensure you are comfortable with outputs being written to disk. (3) The skill can be invoked by the model (disableModelInvocation not set) — if you require explicit user approval for every run, request disableModelInvocation or restrict the skill. (4) The SKILL.md references other skills (e.g., ghidra-skill); confirm those integrations are trustworthy before allowing cross-skill access. If you want tighter safety, restrict the agent from including real-world host/IPs or secrets in inputs and require user confirmation before saving or publishing writeups.

功能分析

Type: OpenClaw Skill Name: ctf-writeup-generator Version: 1.0.0 The OpenClaw skill 'ctf-writeup-generator' is classified as benign. Its primary function is to generate CTF writeups based on user-provided information, which involves processing text and saving a markdown file locally. While processing user input for file naming (`[platform]_[challenge-name]_writeup.md` in SKILL.md) could pose a path traversal risk if the agent's implementation is vulnerable, the SKILL.md explicitly includes a 'Security Considerations' section instructing the agent to 'Sanitize paths that might reveal system information' and 'Never include actual credentials or sensitive API keys'. This demonstrates an intent for secure operation and mitigates the risk of the skill itself instructing malicious behavior. There is no evidence of data exfiltration, malicious execution, persistence, or prompt injection instructions aimed at subverting the agent's core function or security.

能力评估

✓ Purpose & Capability

Name/description match the SKILL.md instructions: the skill generates CTF writeups, detects flags, categorizes challenges, formats markdown, and suggests platform-specific templates. No unrelated credentials, binaries, or config paths are requested.

ℹ Instruction Scope

Instructions remain within the writeup generation domain (gather challenge metadata, parse user notes, validate flag formats, produce/safe a markdown file). One notable point: the instructions produce exploit steps, commands, and privilege-escalation descriptions — this is consistent with CTF writeups but is dual-use content (allowed by purpose). The skill also saves files to disk (writes markdown files), which is expected but worth noting.

✓ Install Mechanism

No install spec or code is included (instruction-only). No downloads or archive extraction occur.

✓ Credentials

Requires no environment variables, credentials, or config paths. The declared and actual surface area match.

ℹ Persistence & Privilege

The skill does not set always:true. It also does not set disableModelInvocation:true, so the agent could invoke it autonomously when eligible — this is common for utility skills but worth awareness if you want strict user-trigger-only behavior.

版本历史

v1.0.0

Initial release of ctf-writeup-generator — an automated tool for creating structured, professional CTF writeups. - Automatically detects CTF flag formats and validates them for various platforms. - Categorizes challenges (Web Exploitation, Binary Exploitation, Reverse Engineering, etc.) based on user input and context. - Generates well-structured markdown writeups with metadata, summaries, step-by-step solutions, and syntax-highlighted code blocks. - Includes built-in support for platform-specific templates and export formats. - Allows customization via environment variables (author, platform, writeup style). - Highlights security considerations, such as data sanitization and respecting CTF rules.

元数据

Slug ctf-writeup-generator

版本 1.0.0

许可证 —

累计安装 4

当前安装数 4

历史版本数 1

常见问题