# CTF_CheatSheet


## Stage 1 - Lay of the Land

### enumeration

* Passive Recon
  * Shodan
  * Wayback Machine
  * The Harvester

* Active Recon
  * Nmap
  * Masscan
  * Network discovery
  * RPCClient
  * Enum4all

* List all the subdirectories and files
  * Gobuster
  * Backup File Artifacts Checker

* Web Vulnerabilities
  * Repository Github
  * Burp
  * Web Checklist
  * Nikto
  * Payment functionality
  


* Basic Scan
```
sudo nmap -sSV -p- IP -oA nmap/initial -T4
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
```
  * -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
  * -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
  * -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
  * -iL INPUTFILE tells Nmap to use the provided file as inputs


* CTF Scan
```
nmap -sV -sC -oA nmap/basic IP

• -sV : Probe open ports to determine service/version info
• -sC : to enable the script
• -oA : to save the results
```
After this quick command you can add "-p-" to run a full scan while you work with the previous result
```
nmap -sV -sC -oA -p- nmap/initial IP
```

* Aggressive Nmap
```
nmap -A -T4 scanme.nmap.org

• -A: Enable OS detection, version detection, script scanning, and traceroute
• -T4: Defines the timing for the task (options are 0-5 and higher is faster)
```

* Masscan

```bash
masscan IP -p 1-65535 --rate 100 -oX masscan.xml
```


* Using DirBuster or GoBuster

```bash
  ./gobuster -u http://buffered.io/ -w /secondary/wordlists/more-lists/dirb/ -t 10
  -u url
  -w wordlist
  -t threads

  More subdomain :
  ./gobuster -m dns -w subdomains.txt -u google.com -i

  gobuster -w wordlist -u URL -r -e /secondary/wordlists/more-lists/dirb/
```


## Stage 2 - Attacking

### Get a Shell





To check if the shell is a tty shell, just enter tty command like the following.

```bash
tty
```
not a tty

```bash
tty
```
/dev/pts/0

Here are some commands which will enable you to spawn a tty shell:
Python:

This is the most popular method for spawning a tty shell. The target server should have python or python3 installed.
```
python -c "import pty;pty.spawn('/bin/bash')"
```
 
Echo:
```
echo 'os.system('/bin/bash')'
```
 
sh:
```
/bin/sh -i
```
 
Bash:
```
/bin/bash -i
```
 
Perl:
```
perl -e 'exec "/bin/sh";'
```
 
Ruby:
```
ruby: exec "/bin/sh"
```
 
Lua:
```
lua: os.execute('/bin/sh')
```
 
From within vi:
```
:!bash

:set shell=/bin/bash:shell
```
 
From within nmap:
```
!sh
```