Some Commands for CTF
- Command Line
- Snippets
- /bin/cat $(find / -name flag.txt)
Display content of all files named flag.txt
- echo '<hex_string>' | awk '{ print (length($0) % 2 == 0) ? $0 : 0$0; }' | xxd -p -r > <output_file>
Create a binary file from a hex string
- echo "obase=16; <decimal_number>" | BC_LINE_LENGTH=0 bc | awk '{ print (length($0) % 2 == 0) ? $0 : 0$0; }'
Convert decimal number to zero-padded hex representation
- cat <file> | head -n <line_number> | tail -1
Get n-th line
- egrep "^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
Regex for Base64 encoded text
- tr
Utility for translating, or deleting, or squeezing repeated characters
- awk '{ printf $2 }'
Print n-th word in line
- ascii_char=$(printf "$(printf %x <decimal_ascii_code>)" | xxd -p -r)
Convert decimal ASCII code to char
- echo 'hello world' | grep -oP 'hello \K(world)'
\K is a lookbehind alternative, telling the engine to start capturing only after it
- cat <json_file> | | python -m json.tool
Pretty print JSON file
- /bin/cat $(find / -name flag.txt)
- Standard Input and Output
- { echo "name"; echo 'a_reAllY_s3cuRe_p4s$word_56b977';} | cat
Echo two lines by including them in curly brackets. No need to escape the dollar sign since string is enclosed within single quotes
- cat <(python -c "print(('A' * 76) + '\x08\x87\x04\x08')") - | ./authme
Redirect into executable stdin, then keep stdin open
- (python -c "print(('A' * 76) + '\x08\x87\x04\x08')"; cat) | ./authme
Redirect into executable stdin, then keep stdin open
- coproc <process>
Start a command as a background job, setting up pipes connected to both its stdin and stdout
- { echo "name"; echo 'a_reAllY_s3cuRe_p4s$word_56b977';} | cat
- Snippets
- Crypto
- Ciphers
- <solve substitution cipher>
Solve substitution ciphers
- <solve Vigenere cipher>
Solve Vigenere ciphers
- <solve substitution cipher>
- OpenSSL
- openssl x509 -in <c.cer> -inform <format> -text -noout
Examine certificate content
- openssl rsa -in <private_key_file> -text
Examine RSA private key
- openssl rsa -pubin -in <public_key_file> -text
Examine RSA public key
- openssl req -in <csr> -text -noout
View certificate signing request (CSR) details
- openssl pkcs12 -info -in <pfx file>
View PKCS#12 details
- openssl pkcs12 -in <input_pfx_file> -clcerts -nokeys -out <output_certificate_file>
Extract certificates from PKCS#12 file
- openssl genrsa -out <output_key_name> <size>
Generate RSA private key pair
- openssl req -addext <extension> -outform pem -out <out_csr_name> -key <input_csr_key> -new
Generate CSR with extension
- openssl x509 -req -in <child_csr> -CA <parent_certificate> -CAkey <parent_key> -CAcreateserial -out <output_child_name> -days <validity_days> -sha256 -extfile <extension>
Sign child CSR with parent
- openssl pkcs12 -export -inkey <key_file> -in <cert_file> -certfile <parent_certs> -out <output_name>
Create PKCS#12 file
- openssl x509 -in <c.cer> -inform <format> -text -noout
- RSA
- <factorize large numbers - factordb>
See link
- <factorize large numbers - alpertron>
See link
- yafu "factor(<number>)"
Factorize numbers
- RsaCtfTool.py --publickey <key.pub> --private
Attack RSA, attempt to find private key
- RsaCtfTool.py --createpub --e <e> --n <n>
Create public key from parameters
- RsaCtfTool.py --publickey "<wildcard>" --private --verbose
Attempt to break multiple public keys with common factor attacks or individually
- RsaCtfTool.py --publickey <public_key_file> --private --uncipher <ciphertext_file>
Decrypt binary file by attacking public key
- <factorize large numbers - factordb>
- Ciphers
- Decoders
- Base64
- base64 -d
Decode Base64 format
- base64 -d
- Base64
- Executables
- ASLR
- <disable ASLR for a Windows binary>
Disable ASLR for a Windows Binary:
- <disable ASLR for a Windows binary>
- Buffer Overflow
- cyclic <number>
Generate a unique sequence of elements to help exploit buffer overflows
- cyclic -n 8 <number>
Generate a unique sequence of elements to help exploit buffer overflows in a 64-bit executable
- cyclic -l <lookup_value>
Search for the location of the given value in the cyclic pattern
- cyclic -n 8 -l <lookup_value>
Search for the location of the given value in the cyclic pattern, given a 64-bit executable
- cyclic <number>
- Daemon
- xinetd -d -dontfork -f <config_file>
Allow connecting to an executable via the network
- xinetd -d -dontfork -f <config_file>
- Exploit
- ROPgadget --binary <binary> --ropchain
Create a ROP gadget for a given binary
- ROPgadget --binary <binary> --ropchain --badbytes <bad_bytes>
Create a ROP gadget for a given binary, without including certain bytes
- ROPgadget --binary <binary> --ropchain
- GCC
- gcc <file.c> -o <file>
Compile C program
- gcc <file.c> -o <file> -O3
Compile C program with the highest optimizations
- gcc -masm=intel -m32 <file.c> -o <file>
Compile and assemble with 32-bit Intel syntax
- gcc -masm=intel -m32 -c <file.s> -o <file.o>
Compile and assemble pure assembly file with 32-bit Intel syntax - create object file
- gcc <file.c> -o <file>
- Linker
- LD_PRELOAD=<library> <executable>
A list of additional, user-specified, ELF shared objects to be loaded before all others.
- LD_DEBUG=all
Output verbose debugging information about operation of the dynamic linker
- LD_PRELOAD=<library> <executable>
- Radare2
- r2 <executable>
Analyze binary in order to reverse engineer it
- r2 -c=H <executable>
Open R2 in WebUI
- aa
Perform initial analysis of the executable
- afl
List functions
- s <location>
Seek location (can be function name, address etc.)
- pdf
Print Disassembly (of) Function
- V
Enter visual mode
- VV
Outside visual mode, use VV to enter graph view
- afn <new function name> <old function>
Rename function
- e asm.pseudo = true
Replace the assembler code by a pseudo code which is simpler to read
- pdc
Attempt to decompile function
- afvn <new_name> <identifier>
Rename local variable
- p
Change view
- Ps <project_name>
Save project
- Po <project_name>
Load project
- pcp <length> @ <address>
Print buffer in python-compatible mode
- f
List all the flags from the selected flagspace
- is
Retrieve symbol information
- agf > graph.txt
Export graph into text file
- bf <object>
Change the block size to value specified by an object
- oo+
Move to write mode
- r2 <executable>
- Tracing
- strace <executable>
strace intercepts system calls make by the glibc and other libraries directly into the Linux Kernel
- ltrace <executable>
ltrace intercepts library calls and system calls made by your application to C libraries such as the glibc
- strace <executable>
- checksec
- checksec.sh -f <file>
Check the properties of executables (like PIE, RELRO, PaX, Canaries, ASLR, Fortify Source)
- checksec.sh -f <file>
- libc
- /path/to/libc-database/find <function1> <offset1> <function 2> <offset 2> ... <function x> <offset x>
Given several function offsets, find the correct libc version that matches them
- /path/to/libc-database/find <function1> <offset1> <function 2> <offset 2> ... <function x> <offset x>
- ASLR
- Forensics
- Android
- apktool -d <file>
Decompose Android APK file
- apktool -d <file>
- Audio
- sox <audio_file> -n spectrogram
Dump audio file spectrogram.
- sox <audio_file> -n spectrogram
- Binaries
- strings <file>
Extract strings from binary
- file <filename>
Determine file type
- foremost <binary>
Recover files based on their headers, footers, and internal data structures
- ksv <binary> <Kaitai-format-file>
Visualize a binary format using Kaitai
- dd skip=<start_offset> count=<count> if=<input_file> of=<output_file> bs=1
Extract bytes from binary file
- xxd -g1 <binary_file>
Command line hex viewer
- xxd -s <offset> -l <length> <binary>
Display hex view of binary between and
- printf <bytes> | dd conv=notrunc of=<binary> bs=1 seek=<offset>
Patch a binary at offset with
- binwalk <binary>
Analyse binary files for embeded files and executable code
- binwalk --dd=".*" <file_name>
Extract any file type using Binwalk (not just known types)
- binwalk -R "<string>" <binary>
Search for locations of string in binary
- strings <file>
- Diff
- cmp -l <file1> <file2>
Detail the binary difference between two files
- cmp -l --ignore-initial=<skip1>:<skip2> <file1> <file2>
Compare two files byte by byte, ignore initial offsets
- cmp -l <file1> <file2>
- ESE
- esedbinfo <file>
Display information about ESE file
- esedbexport -T <table> <file>
Dump ESE table
- esedbinfo <file>
- File Systems
- debugfs <file_system>
Simple-to-use RAM-based file system specially designed for debugging purposes
- fls <file_system>
Lists the files and directory names in a file system.
- icat <file_system> <inode_id>
Outputs the contents of a file in a disk image to STDOUT
- mount <file_system> <mount_path>
Mount file system to local mount path
- getfattr <file>
Get extended attributes of filesystem objects
- ewfmount <file_system> <mount path>
Mount data stored in EWF files
- debugfs <file_system>
- Images
- exiftool <image>
Extract EXIF information from image
- zbarimg <img_with_qr_code>
Decode QR Code from image
- pngcheck <img>
pngcheck verifies the integrity of PNG files
- pngcheck -v -f <image.png>
pngcheck verifies the integrity of PNG files
- exiftool <image>
- PDFs
- pdf-parser.py -v <file>
Inspect PDF files and find malformed elements
- pdftotext <file>
PDF to text
- pdf-parser.py -v <file>
- Steganography
- zsteg <image>
Detect stegano-hidden data in PNG & BMP
- <reveal hidden text with GIMP>
Reveal hidden text in an image
- <reveal hidden text with StegSolve>
Reveal hidden text in an image
- steghide extract -sf <file> -p <password>
Extract hidden files embedded into media files using steghide
- zsteg <image>
- Android
- GDB
- Commands
- gdb <program>
Run program with GDB
- gdb <program> <core_dump>
Open a core dump for a given program with GDB
- gdb -ex <command>
Execute commands fromt the command line
- run
Start your program under GDB.
- quit
Quit execution
- continue
Resume program execution, at the address where your program last stopped
- break <function>
Set breakpoint
- info break
List breakpoints
- delete <breakpoint>
Delete breakpoint
- step
Continue running your program until control reaches a different source line, then stop it and return control to GDB
- stepi
Execute one machine instruction, then stop and return to the debugger
- next
Continue to the next source line in the current (innermost) stack frame (step over)
- nexti
Execute one machine instruction, but if it is a function call, proceed until the function returns
- finish
Continue running until just after function in the selected stack frame returns. Print the returned value (if any)
- print <expression>
Print an expression
- x /<nfu> <addr>
Examine memory
- info variables
Print all global and static variable names
- info locals
Print all local variables of current stack frame
- info args
Print all local arguments of current stack frame
- list
Print lines from a source file
- disassemble
Show disassembly
- backtrace
A summary of the call stack - one line per frame
- frame <n>
Move to a specific frame from the backtrace to view locals or arguments
- info threads
Show current status of all threads in process
- thread apply all <command>
Apply command to all threads
- thread <ThreadNumber>
Make thread number ThreadNumber the current thread
- until
Continue running until a source line past the current line, in the current stack frame, is reached.
- info address <address>
Show info about a specific address
- info proc mappings
Report the memory address space ranges accessible in the program
- readelf
Show info about ELF file
- printf "%s", <address>
Print an ASCII string
- dprintf <address>, <format string>, <variables...>
Combines a breakpoint with formatted printing of the program’s data
- gdb <program>
- PEDA
- hexdump <address> <count>
Display hex-view of address content
- hexdump <address> <count>
- Settings
- set print pretty on
Cause GDB to print structures in an indented format with one member per line
- set print array-indexes on
Print the index of each element when displaying arrays
- set output-radix <base>
Set the default base for numeric display
- set print elements <number-of-elements>
Set a limit on how many elements of an array GDB will print
- dump <binary> memory <filename.bin> <start_addr> <end_addr>
Dumps a memory range to a file
- set disassembly-flavor intel
Set disassemmbly syntax to Intel style
- display/i $pc
Display the machine instruction about to be executed each time execution stops
- set print pretty on
- Commands
- Network and Web
- Fetch
- curl <address>
Fetch documents/files from servers
- curl --cookie "<cookie_name>=<cookie_value>" <uri>
Fetch documents/files from servers, send a cookie as input
- curl <url> -X POST --data "<param1>=<val1>&<param2>=<val2>"
Fetch documents/files from servers with a POST request
- curl <url> -H 'Content-Type: application/json; charset=UTF-8' --data-binary '{"<param1>":"<val1>"}'
Fetch documents/files from servers with a JSON request
- curl -d "<param1>=<data1>" --data-urlencode "<param2>=<value2_to_be_encoded>" -X POST <url>
Fetch documents/files from servers, encode part of the request
- curl -I <url>
Fetch headers only
- curl <address>
- Flask
- {{config}}
Template Injection: Dump Flask configuration
- {{session}}
Template Injection: Dump Flask session
- flask_session_cookie_manager3.py decode -s <secret> -c <cookie>
Decode Flask cookie
- flask_session_cookie_manager3.py encode -s <secret> -t <new_object>
Encode Flask cookie
- {{config}}
- HTTP
- GET / HTTP/1.0
Raw HTTP GET request
- <HTTP GET with Cookie>
Raw HTTP GET with Cookie
- GET / HTTP/1.0
- Logins
- Netcat
- nc -lvp <port>
Opening listening port
- nc -lvp <port>
- PHP
- php://filter/read=convert.base64-encode/resource
Base64-encode resource
- php://filter/read=convert.base64-encode/resource
- Path Scanners
- dirsearch.py -u <url> -e <extension>
Brute force directories and files in websites
- dirsearch.py -u <url> -e <extension>
- SMB
- smbclient -L <ip> -U <user>%<password>
List Samba Details
- smbclient //<ip>/<folder> -U <user>%<password> -m SMB2 -t 120
Access SMB share folder
- smbmap -H <ip> -u <user> -p <password>
List Samba Details
- smbget -U <user> -D smb://<ip>/<path>
Get file over SMB
- smbclient -L <ip> -U <user>%<password>
- SSH
- ssh <user>@<host>
SSH to host
- ssh <user>@<host> -p <port>
SSH to host on custom port
- ssh -i <private_key> <user>@<host>
Connect to SSH using private key
- ssh -N -L <port>:<bind_addr>:<bind_port> <user>@<host>
SSH Port Tunneling
- sshpass -p <password>
Allows using plaintext SSH password
- ssh <user>@<host>
- TLS
- nmap -p 443 --script ssl-cert <hostname>
View certificate details
- curl <url> -k
Fetch HTTPS URL while ignoring certificate verification
- sslscan <host>
Scan host for TLS vulnerabilities
- nmap -p 443 --script ssl-cert <hostname>
- Transfer Files
- scp username@from_host:file.txt /local/directory/
Copy file from a remote host to local host
- scp file.txt username@to_host:/remote/directory/
Copy file from local host to a remote host
- scp username@from_host:file.txt /local/directory/
- Wireshark
- frame contains "<string>"
Display frames which contain a given string
- File->Export Objects->HTTP
Export files from the HTTP layer
- frame contains "<string>"
- tshark
- <Follow all streams>
Follow all streams using a tshark script:
- tshark -r <pcap> -Y "data.len != 0" -T json -e tcp.stream -e data.data
Receive JSON-encoded structure of all TCP packets which contain data
- tshark -r <file.pcap>
View PCAP file
- tshark -nr <capture> -Y '<filter>'
Display all frames from a network capture which comply with filter
- <Scan all streams>
Scan all streams using a tshark script
- tshark -r <pcap_file> -o "ssl.debug_file:ssldebug.log" -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:<ip>,<port>,http,<key_file>" -qz follow,ssl,ascii,<stream_number>
Decode TLS stream
- tshark -r <pcap_file> -o "ssl.debug_file:ssldebug.log" -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:<ip>,<port>,http,<key_file>" -o "tcp.desegment_tcp_streams: TRUE" -o "tcp.no_subdissector_on_error: FALSE" --export-objects "http,<output_folder>"
Export HTTPS objects
- tshark -r <pcap> -o "tcp.desegment_tcp_streams: TRUE" -o "tcp.no_subdissector_on_error: FALSE" --export-objects "http,exported_objects"
Extract HTTP objects
- tshark -qz io,phs -r <pcap>
Display Protocol Statistics
- <Follow all streams>
- Fetch
- Passwords
- john
- unshadow <passwd_file> <shadow_file>
Combine the passwd and shadow files so John can use them
- zip2john <zip_file>
Encode a zip file's password in a format John can crack
- jwt2john.py <jwt>
Convert JWT to a format John can crack
- john <password_file>
Attempt to crack password
- john <password_file> --show
Display a password after cracking it
- john <password_file> --wordlist=<word_list>
Attempt to crack password using a dictionary attack
- unshadow <passwd_file> <shadow_file>
- john
- Python
- Decompile
- uncompyle6 <file.pyc>
Decompile Python executable
- uncompyle6 <file.pyc>
- Sandbox
- "".__class__.mro()[2].__subclasses__()[59]
Bypass sandbox restrictions to access built in types
- "".__class__.mro()[2].__subclasses__()[59]
- Decompile
- SQL
- sqlmap
- sqlmap -u <url>
Automate the process of detecting and exploiting SQL injection flaws
- sqlmap -u <url> --dbs
Discover databases in case an SQL vulnerability is previously found
- sqlmap -u <url> --tables -D <db>
Discover tables in case an SQL vulnerability is previously found
- sqlmap -u <url> --columns -D <db> -T <table>
Discover columns in case an SQL vulnerability is previously found
- sqlmap -u <url> --dump -D <db> -T <table>
Dump table in case an SQL vulnerability is previously found
- sqlmap.py -u <url> --method POST --data <data> -p <field_to_attack>
Automate the process of detecting and exploiting SQL injection flaws using a POST form
- sqlmap -u "<url>*"
Use an "Arbitrary Injection Point" for an SQL Injection attack
- sqlmap -u <url> --random-agent
Don't use the SQLMap user agent when performing SQL Injections
- sqlmap -u <url>
- sqlmap
- System
- Core Dump
- ulimit -c unlimited
Set the maximum size of core dump files created to unlimited
- echo <path> > /proc/sys/kernel/core_pattern
Set the location to save a core dump
- ulimit -c unlimited
- Core Dump