Skip to content

NoAuthZone/CTF-FlagFinder

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
CTF-FlagFinder.ps1
CTF-FlagFinder.ps1
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

  _____ ______ ____      ____ __             ____ _          __         
 / ___//_  __// __/____ / __// /___ _ ___ _ / __/(_)___  ___/ /___  ____
/ /__   / /  / _/ /___// _/ / // _ `// _ `// _/ / // _ \/ _  // -_)/ __/
\___/  /_/  /_/       /_/  /_/ \_,_/ \_, //_/  /_//_//_/\_,_/ \__//_/   
                                    /___/

Version: 1.0
Author: NoAuthZone

Short description

CTF-FlagFinder is a PowerShell-based search tool for finding CTF/flag strings and similar secrets on Windows systems. It searches files (content & names), the registry, DNS cache, recycle bin, log files, ZIP and OOXML archives, and much more—including hidden areas, if desired.

Features (selection)

  • Content and name search in files (many formats, including file-less entries such as hosts)
  • Search in hidden/protected areas (e.g., AppData, C:\$Recycle.Bin)
  • Recursive scanning of ZIP and OOXML files (.docx, .xlsx)
  • Searching the registry (HKLM & HKCU) for possible flag strings (optional deep)
  • Evaluation of Windows event logs (Application, Security, System)
  • Reading of the DNS cache (ipconfig /displaydns)
  • Detection of multiple partitions (only one is searched by default; notification in case of multiple volumes)
  • Optional inclusion of all file types or restriction to typical text/configuration files

Standard search file types

By default, the following file types are searched (if -AllFiles is not set):
bak, bat, c, cfg, cpp, csv, db, go, html, ini, java, js, json, log, md, pcap, ps1, psd1, py, rb, reg, sqlite, txt, Without_file_type_extension, xml, yml, zip

Options / Parameters

-Path "Path"
Search path ( example: `-Path "C:\Users"` ). The command searches recursively under the specified path.
    
-IncludeHidden
Includes hidden files and protected directories (e.g., AppData, Recycle Bin).
    
-AllFiles
Searches all file types. Default: Only the predefined file types listed above are searched.
    
-FlagFormat "PATTERN"
Defines a custom flag or CTF pattern (e.g., "HTB", "FLAG", or a full regex).
Overrides the default pattern. Matching is case-insensitive.

-DeepReg 
Searches all registry paths (may take a very long time).
⚠️ Use with caution — this option significantly increases runtime.
    
-OutFile "flag.csv"
Writes the search results to the specified output .csv file (example: -OutFile "C:\results.csv").

Example Commands

# This command searches all files, including hidden ones, on the C: partition for the flag "RASTA", regardless of file type.
powershell -ep Bypass -File "C:\Users\Administrator\Documents\CTF-FlagFinder.ps1"  -Path "C:\"  -IncludeHidden  -FlagFormat "RASTA" -AllFiles
# This command disables PowerShell logging and searches the E: partition — including hidden directories such as AppData and the Recycle Bin
powershell -ep Bypass -File "C:\Users\Administrator\Documents\CTF-FlagFinder.ps1" ` -Path "E:\"  -IncludeHidden

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages