Provides access to CTF and cybersecurity tools on Debian systems, enabling analysis of challenges through crypto tools, disk forensics, traffic analysis, malware analysis, steganography, reverse engineering, and pwn tools.
Provides OSINT capabilities through GDAL geospatial data tools for analyzing geographic and location-based information.
Offers a sandboxed Python3 execution environment with common CTF libraries (pwntools, capstone, keystone, unicorn) for running security analysis scripts and exploit development.
Provides access to CTF and cybersecurity tools on Ubuntu systems, enabling analysis of challenges through crypto tools, disk forensics, traffic analysis, malware analysis, steganography, reverse engineering, and pwn tools.
Enables network traffic analysis through tshark and Wireshark tools for examining packet captures and forensic investigation of network communications.
mcp-ctf-server
MCP server that exposes common CTF and cybersecurity tools so LLMs can help with challenges in a controlled lab environment.
This is meant for capture-the-flag games and training only. Use it on systems and data you own or have explicit permission to test.
Features
Tools are grouped into categories and exposed as MCP tools:
Crypto: gf-complete, pari-gp, rsactftool, gmp-utils
Disk / file forensics: bulk-extractor, sleuthkit, afflib-tools, scalpel, pdfid, poppler-utils, binutils-multiarch
Traffic forensics: wireshark, tshark, tcpflow, tcpreplay, ngrep, dsniff, bro (the former name of Zeek), suricata
Malware analysis: yara, yara-rules, clamav, upx, radare2
Stego: steghide, stegcracker, qpdf, sox, mediainfo, gifshuffle
Reverse engineering: python3-capstone, python3-keystone, python3-unicorn, frida-tools, radare2
Pwn: python3-pwntools, one-gadget, ropgadget, seccomp-tools
OSINT: exifprobe, gdal-bin
Python CTF sandbox: short Python3 snippets with common CTF libraries installed
Requirements
Debian or Ubuntu style system with apt
Internet access for installing packages
sudo access
Node.js and npm (installed automatically by setup.sh if missing)
Quick start
Clone the repo and run the setup script:
After it finishes, you can run the server with:
or
The server speaks MCP over stdio.
MCP client configuration example
For a client that supports MCP configuration similar to Claude Desktop, you can add an entry like this in its config file:
Restart the client after editing the config.
Available tools
The server exposes these MCP tools:
crypto_tools
disk_forensics_tools
traffic_forensics_tools
malware_analysis_tools
stego_tools
reverse_engineering_tools
pwn_tools
osint_tools
python_ctf_sandbox
Each category tool accepts:
The Python sandbox accepts:
Exact wiring of tool calls depends on your MCP client, but the structures above show the shape of the arguments.
Example calls
These examples show how an MCP client might call the tools. The actual format in your client UI may differ, but the arguments are the same.
1. Use rsactftool on a captured key file
Tool name: crypto_tools
Arguments:
2. Run tshark on a pcap
Tool name: traffic_forensics_tools
Arguments:
3. Scan a binary with radare2
Tool name: malware_analysis_tools
Arguments:
4. Try steghide on a JPEG
Tool name: stego_tools
Arguments:
5. Use the Python CTF sandbox with pwntools
Tool name: python_ctf_sandbox
Arguments:
The server will return combined stdout and stderr from the command or Python snippet.
Safety
This server simply exposes local binaries over MCP. The LLM using it can run these tools, and any Python snippet it sends to the sandbox, with the permissions of the user account that starts the server: whatever that account can read, write, or reach on the network, the model can too. Run it only in CTF labs or sandboxes where this is acceptable, and start it as a dedicated unprivileged account rather than root or your everyday user.
Do not connect it to production systems or networks you do not control.
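To make the two points above concrete (the server returns combined stdout and stderr, and everything runs with the launching user's permissions), here is an added example of a minimal snippet runner in the spirit of the python_ctf_sandbox tool. It is illustration code written for this page, not the project's implementation: the function name run_snippet, the result dict layout, and the default limits are assumptions. It runs the snippet in a fresh interpreter with a wall-clock timeout, CPU and address-space rlimits, no stdin, a scratch working directory and a stripped environment, and merges stderr into stdout in the order the child produced it. It does not drop privileges or block network access, so it is a bound on runaway snippets, not a security boundary; the account you start the server as still decides what the snippet can reach.

```python
"""Minimal bounded snippet runner (added example, not the mcp-ctf-server code)."""
import os
import resource
import subprocess
import sys
import tempfile


def _clamp(limit, wanted):
    """Return a (soft, hard) pair no higher than the current hard cap.

    Raising a hard limit we do not hold would make setrlimit fail, so stay
    within whatever the parent process is already allowed.
    """
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        wanted = min(wanted, hard)
    return (wanted, wanted)


def _apply_limits(cpu_seconds, mem_bytes):
    """Runs in the child between fork() and exec(): bound CPU time and memory."""
    resource.setrlimit(resource.RLIMIT_CPU, _clamp(resource.RLIMIT_CPU, cpu_seconds))
    resource.setrlimit(resource.RLIMIT_AS, _clamp(resource.RLIMIT_AS, mem_bytes))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # never leave core dumps behind


def run_snippet(code, timeout=10, cpu_seconds=5, mem_bytes=1024 * 1024 * 1024):
    """Execute `code` in a child python3 and return a result dict (assumed layout).

    output     combined stdout and stderr, interleaved as the child wrote them
    returncode exit status (negative means killed by a signal), None on timeout
    timed_out  True if the wall-clock timeout fired and the child was killed
    """
    with tempfile.TemporaryDirectory(prefix="ctf-sandbox-") as workdir:
        # Stripped environment: the snippet gets PATH and a throwaway HOME only.
        env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "HOME": workdir}
        try:
            proc = subprocess.run(
                # -I: isolated mode, ignores PYTHON* env vars and the user site dir
                [sys.executable, "-I", "-c", code],
                cwd=workdir,
                env=env,
                stdin=subprocess.DEVNULL,
                stdout=subprocess.PIPE,
                stderr=subprocess.STDOUT,  # merge streams, as the server's output does
                preexec_fn=lambda: _apply_limits(cpu_seconds, mem_bytes),
                timeout=timeout,
            )
            return {
                "output": proc.stdout.decode(errors="replace"),
                "returncode": proc.returncode,
                "timed_out": False,
            }
        except subprocess.TimeoutExpired as exc:
            # subprocess.run has already killed the child; keep whatever it printed.
            partial = exc.stdout or b""
            return {
                "output": partial.decode(errors="replace"),
                "returncode": None,
                "timed_out": True,
            }


if __name__ == "__main__":
    # Constructed snippets: a normal run, a runaway loop, and a memory hog.
    print(run_snippet("import sys; print('hello'); sys.stderr.write('warn\\n')"))
    print(run_snippet("while True: pass", timeout=2))
    print(run_snippet("x = bytearray(2 * 1024**3)", mem_bytes=256 * 1024 * 1024))
```

The CPU limit and the wall-clock timeout cover different failures: a snippet blocked on I/O burns no CPU and is only caught by the timeout, while a tight loop that somehow survives the timeout is still killed by SIGXCPU. Both limits are per-call parameters so an MCP tool wrapper can expose them as arguments with conservative defaults.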