CTF_CheatSheet/README.md

# CTF_CheatSheet


## Stage 1 - Lay of the Land

### enumeration

* Passive Recon
  * Shodan
  * Wayback Machine
  * The Harvester

* Active Recon
  * Nmap
  * Masscan
  * Network discovery
  * RPCClient
  * Enum4all

* List all the subdirectories and files
  * Gobuster
  * Backup File Artifacts Checker

* Web Vulnerabilities
  * Repository Github
  * Burp
  * Web Checklist
  * Nikto
  * Payment functionality
  

* Basic Scan
```
sudo nmap -sSV -p- IP -oA nmap/initial -T4
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
```
  * -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
  * -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
  * -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
  * -iL INPUTFILE tells Nmap to use the provided file as inputs


* CTF Scan
```
nmap -sV -sC -oA nmap/basic IP
```
  * -sV : Probe open ports to determine service/version info
  * -sC : to enable the script
  * -oA : to save the results

After this quick command you can add "-p-" to run a full scan while you work with the previous result
```
nmap -sV -sC -oA -p- nmap/initial IP
```

* Aggressive Nmap
```
nmap -A -T4 scanme.nmap.org
```
  * -A: Enable OS detection, version detection, script scanning, and traceroute
  * -T4: Defines the timing for the task (options are 0-5 and higher is faster)


* Masscan

```bash
masscan IP -p 1-65535 --rate 100 -oX masscan.xml
```


* Using DirBuster or GoBuster

```bash
  ./gobuster -u http://buffered.io/ -w /secondary/wordlists/more-lists/dirb/ -t 10
  -u url
  -w wordlist
  -t threads

  More subdomain :
  ./gobuster -m dns -w subdomains.txt -u google.com -i

  gobuster -w wordlist -u URL -r -e /secondary/wordlists/more-lists/dirb/
```


## Stage 2 - F

### Get a Shell

To check if the shell is a tty shell, just enter tty command like the following.

```bash
tty
```
not a tty

```bash
tty
```
/dev/pts/0

Here are some commands which will enable you to spawn a tty shell:
Python:

This is the most popular method for spawning a tty shell. The target server should have python or python3 installed.
```
python -c "import pty;pty.spawn('/bin/bash')"
```
 |Methord   |  Command  |
 |----------|-----------|
  |* Echo: |  echo 'os.system('/bin/bash')'|
 | * sh:   | /bin/sh -i|
|  * Bash:  | /bin/bash -i|
 | * Perl:  | perl -e 'exec "/bin/sh";'|
 | * Ruby: |  ruby: exec "/bin/sh"|
 | * Lua:  |  lua: os.execute('/bin/sh')|
 | * From within vi:  | :!bash , :set shell=/bin/bash:shell |
 | * From within nmap:  |   !sh  |
Initial commit 2021-12-14 15:34:46 +00:00			`# CTF_CheatSheet`

Started the Sheet 2021-12-15 15:44:08 +00:00
			`## Stage 1 - Lay of the Land`

Added More 2 2021-12-15 16:00:50 +00:00			`### enumeration`
Started the Sheet 2021-12-15 15:44:08 +00:00
Added More 2 2021-12-15 16:00:50 +00:00			`* Passive Recon`
			`* Shodan`
			`* Wayback Machine`
			`* The Harvester`
Started the Sheet 2021-12-15 15:44:08 +00:00
Added More 2 2021-12-15 16:00:50 +00:00			`* Active Recon`
			`* Nmap`
			`* Masscan`
			`* Network discovery`
			`* RPCClient`
			`* Enum4all`
Started the Sheet 2021-12-15 15:44:08 +00:00
Added More 2 2021-12-15 16:00:50 +00:00			`* List all the subdirectories and files`
			`* Gobuster`
			`* Backup File Artifacts Checker`

			`* Web Vulnerabilities`
			`* Repository Github`
			`* Burp`
			`* Web Checklist`
			`* Nikto`
			`* Payment functionality`

Started the Sheet 2021-12-15 15:44:08 +00:00

Added More 2 2021-12-15 16:00:50 +00:00			`* Basic Scan`
Added more Stuff 2021-12-15 15:49:53 +00:00			```
Started the Sheet 2021-12-15 15:44:08 +00:00			`sudo nmap -sSV -p- IP -oA nmap/initial -T4`
			`sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv`
			```
Updated Sheet More 2021-12-23 21:35:51 +00:00			`* -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports`
			`* -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)`
			`* -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"`
			`* -iL INPUTFILE tells Nmap to use the provided file as inputs`

Started the Sheet 2021-12-15 15:44:08 +00:00
Added More 2 2021-12-15 16:00:50 +00:00			`* CTF Scan`
Added more Stuff 2021-12-15 15:49:53 +00:00			```
Updated Sheet More 2021-12-23 21:35:51 +00:00			`nmap -sV -sC -oA nmap/basic IP`
Added More 2 2021-12-15 16:00:50 +00:00			```
2021-12-23 21:40:13 +00:00			`* -sV : Probe open ports to determine service/version info`
			`* -sC : to enable the script`
			`* -oA : to save the results`

Started the Sheet 2021-12-15 15:44:08 +00:00			`After this quick command you can add "-p-" to run a full scan while you work with the previous result`
Added More 2 2021-12-15 16:00:50 +00:00			```
			`nmap -sV -sC -oA -p- nmap/initial IP`
			```
Started the Sheet 2021-12-15 15:44:08 +00:00
Added More 2 2021-12-15 16:00:50 +00:00			`* Aggressive Nmap`
Added more Stuff 2021-12-15 15:49:53 +00:00			```
Started the Sheet 2021-12-15 15:44:08 +00:00			`nmap -A -T4 scanme.nmap.org`
			```
2021-12-23 21:40:13 +00:00			`* -A: Enable OS detection, version detection, script scanning, and traceroute`
			`* -T4: Defines the timing for the task (options are 0-5 and higher is faster)`

Started the Sheet 2021-12-15 15:44:08 +00:00
Added More 2 2021-12-15 16:00:50 +00:00			`* Masscan`
Started the Sheet 2021-12-15 15:44:08 +00:00
			```bash
			`masscan IP -p 1-65535 --rate 100 -oX masscan.xml`
			```

Added more Stuff 2021-12-15 15:49:53 +00:00
Added More 2 2021-12-15 16:00:50 +00:00			`* Using DirBuster or GoBuster`
Added more Stuff 2021-12-15 15:49:53 +00:00
Added More 2 2021-12-15 16:00:50 +00:00			```bash
			`./gobuster -u http://buffered.io/ -w /secondary/wordlists/more-lists/dirb/ -t 10`
			`-u url`
			`-w wordlist`
			`-t threads`

			`More subdomain :`
			`./gobuster -m dns -w subdomains.txt -u google.com -i`

			`gobuster -w wordlist -u URL -r -e /secondary/wordlists/more-lists/dirb/`
Added more Stuff 2021-12-15 15:49:53 +00:00			```


More Updating 2021-12-23 21:43:47 +00:00			`## Stage 2 - F`
Updated Sheet More 2021-12-23 21:35:51 +00:00
			`### Get a Shell`

			`To check if the shell is a tty shell, just enter tty command like the following.`

			```bash
			`tty`
			```
			`not a tty`

			```bash
			`tty`
			```
			`/dev/pts/0`

			`Here are some commands which will enable you to spawn a tty shell:`
			`Python:`

			`This is the most popular method for spawning a tty shell. The target server should have python or python3 installed.`
			```
			`python -c "import pty;pty.spawn('/bin/bash')"`
			```
More Updating 2021-12-23 21:43:47 +00:00			`\|Methord \| Command \|`
			`\|----------\|-----------\|`
			`\|* Echo: \| echo 'os.system('/bin/bash')'\|`
			`\| * sh: \| /bin/sh -i\|`
			`\| * Bash: \| /bin/bash -i\|`
			`\| * Perl: \| perl -e 'exec "/bin/sh";'\|`
			`\| * Ruby: \| ruby: exec "/bin/sh"\|`
			`\| * Lua: \| lua: os.execute('/bin/sh')\|`
			`\| * From within vi: \| :!bash , :set shell=/bin/bash:shell \|`
			`\| * From within nmap: \| !sh \|`
Updated Sheet More 2021-12-23 21:35:51 +00:00
2021-12-23 21:40:13 +00:00