🟩HTB Cheat Sheet
Hack The Box Cheat Sheet
Basic Commands
Command | Description |
General | |
| Connect to VPN |
| Show our IP address |
| Show networks accessible via the VPN |
| SSH to a remote server |
| FTP to a remote server |
tmux | |
| Start tmux |
| tmux: default prefix |
| tmux: new window |
| tmux: switch to window ( |
| tmux: split pane vertically |
| tmux: split pane horizontally |
| tmux: switch to the right pane |
Vim | |
| vim: open |
| vim: enter |
| vim: back to |
| vim: Cut character |
| vim: Cut word |
| vim: Cut full line |
| vim: Copy word |
| vim: Copy full line |
| vim: Paste |
| vim: Go to line number 1. |
| vim: Write the file 'i.e. save' |
| vim: Quit |
| vim: Quit without saving |
| vim: Write and quit |
Pentesting
Command | Description |
Service Scanning | |
| Run nmap on an IP |
| Run an nmap script scan on an IP |
| List various available nmap scripts |
| Run an nmap script on an IP |
| Grab banner of an open port |
| List SMB Shares |
| Connect to an SMB share |
| Scan SNMP on an IP |
| Brute force SNMP secret string |
Web Enumeration | |
| Run a directory scan on a website |
| Run a sub-domain scan on a website |
| Grab website banner |
| List details about the webserver/certificates |
| List potential directories in |
| View page source (in Firefox) |
Public Exploits | |
| Search for public exploits for a web application |
| MSF: Start the Metasploit Framework |
| MSF: Search for public exploits in MSF |
| MSF: Start using an MSF module |
| MSF: Show required options for an MSF module |
| MSF: Set a value for an MSF module option |
| MSF: Test if the target server is vulnerable |
| MSF: Run the exploit on the target server |
Using Shells | |
| Start a |
| Send a reverse shell from the remote server |
| Another command to send a reverse shell from the remote server |
| Start a bind shell on the remote server |
| Connect to a bind shell started on the remote server |
| Upgrade shell TTY (1) |
| Upgrade shell TTY (2) |
| Create a webshell php file |
| Execute a command on an uploaded webshell |
Privilege Escalation | |
| Run |
| List available |
| Run a command with |
| Switch to root user (if we have access to |
| Switch to a user (if we have access to |
| Create a new SSH key |
| Add the generated public key to the user |
| SSH to the server with the generated private key |
Transferring Files | |
| Start a local webserver |
| Download a file on the remote server from our local machine |
| Download a file on the remote server from our local machine |
| Transfer a file to the remote server with |
| Convert a file to |
| Convert a file from |
| Check the file's |
Commands
Command | Description |
| cURL GET request |
| cURL POST request |
| cURL POST request with data |
| base64 encode |
| base64 decode |
| hex encode |
| hex decode |
| rot13 encode |
| rot13 decode |
Deobfuscation Websites
Misc
Command | Description |
| Show HTML source code in Firefox |
Linux Commands
Command | Description |
| Opens man pages for the specified tool. |
| Prints the help page of the tool. |
| Searches through man pages' descriptions for instances of a given keyword. |
| Concatenate and print files. |
| Displays current username. |
| Returns users identity. |
| Sets or prints the name of the current host system. |
| Prints operating system name. |
| Returns working directory name. |
| The |
| Ip is a utility to show or manipulate routing, network devices, interfaces, and tunnels. |
| Shows network status. |
| Another utility to investigate sockets. |
| Shows process status. |
| Displays who is logged in. |
| Prints environment or sets and executes a command. |
| Lists block devices. |
| Lists USB devices. |
| Lists opened files. |
| Lists PCI devices. |
| Execute command as a different user. |
| The |
| Creates a new user or updates default new user information. |
| Deletes a user account and related files. |
| Modifies a user account. |
| Adds a group to the system. |
| Removes a group from the system. |
| Changes user password. |
| Install, remove and configure Debian-based packages. |
| High-level package management command-line utility. |
| Alternative to |
| Install, remove and configure snap packages. |
| Standard package manager for Ruby. |
| Standard package manager for Python. |
| Revision control system command-line utility. |
| Command-line based service and systemd control manager. |
| Prints a snapshot of the current processes. |
| Query the systemd journal. |
| Sends a signal to a process. |
| Puts a process into background. |
| Lists all processes that are running in the background. |
| Puts a process into the foreground. |
| Command-line utility to transfer data from or to a server. |
| An alternative to |
| Starts a Python3 web server on TCP port 8000. |
| Lists directory contents. |
| Changes the directory. |
| Clears the terminal. |
| Creates an empty file. |
| Creates a directory. |
| Lists the contents of a directory recursively. |
| Move or rename files or directories. |
| Copy files or directories. |
| Terminal based text editor. |
| Returns the path to a file or link. |
| Searches for files in a directory hierarchy. |
| Updates the locate database for existing contents on the system. |
| Uses the locate database to find contents on the system. |
| Pager that is used to read STDOUT or files. |
| An alternative to |
| Prints the first ten lines of STDOUT or a file. |
| Prints the last ten lines of STDOUT or a file. |
| Sorts the contents of STDOUT or a file. |
| Searches for specific results that contain given patterns. |
| Removes sections from each line of files. |
| Replaces certain characters. |
| Command-line based utility that formats its input into multiple columns. |
| Pattern scanning and processing language. |
| A stream editor for filtering and transforming text. |
| Prints newline, word, and byte counts for a given input. |
| Changes permission of a file or directory. |
| Changes the owner and group of a file or directory. |
Ffuf
Command | Description |
| ffuf help |
| Directory Fuzzing |
| Extension Fuzzing |
| Page Fuzzing |
| Recursive Fuzzing |
| Sub-domain Fuzzing |
| VHost Fuzzing |
| Parameter Fuzzing - GET |
| Parameter Fuzzing - POST |
| Value Fuzzing |
Wordlists
Command | Description |
| Directory/Page Wordlist |
| Extensions Wordlist |
| Domain Wordlist |
| Parameters Wordlist |
Misc
Command | Description |
| Add DNS entry |
| Create Sequence Wordlist |
| curl w/ POST |
MSFconsole Commands
Command | Description |
| Show all exploits within the Framework. |
| Show all payloads within the Framework. |
| Show all auxiliary modules within the Framework. |
| Search for exploits or modules within the Framework. |
| Load information about a specific exploit or module. |
| Load an exploit or module (example: use windows/smb/psexec). |
| Load an exploit by using the index number displayed after the search command. |
| Your local host’s IP address reachable by the target, often the public IP address when not on a local network. Typically used for reverse shells. |
| The remote host or the target. |
set function | Set a specific value (for example, LHOST or RHOST). |
| Set a specific value globally (for example, LHOST or RHOST). |
| Show the options available for a module or exploit. |
| Show the platforms supported by the exploit. |
| Specify a specific target index if you know the OS and service pack. |
| Specify the payload to use. |
| Specify the payload index number to use after the show payloads command. |
| Show advanced options. |
| Automatically migrate to a separate process upon exploit completion. |
| Determine whether a target is vulnerable to an attack. |
| Execute the module or exploit and attack the target. |
| Run the exploit under the context of the job. (This will run the exploit in the background.) |
| Do not interact with the session after successful exploitation. |
| Specify the payload encoder to use (example: exploit -e shikata_ga_nai). |
| Display help for the exploit command. |
| List available sessions (used when handling multiple shells). |
| List all available sessions and show verbose fields, such as which vulnerability was used when exploiting the system. |
| Run a specific Meterpreter script on all Meterpreter live sessions. |
| Kill all live sessions. |
| Execute a command on all live Meterpreter sessions. |
| Upgrade a normal Win32 shell to a Meterpreter console. |
| Create a database to use with database-driven attacks (example: db_create autopwn). |
| Create and connect to a database for driven attacks (example: db_connect autopwn). |
| Use Nmap and place results in a database. (Normal Nmap syntax is supported, such as -sT -v -P0.) |
| Delete the current database. |
| Delete database using advanced options. |
Meterpreter Commands
Command | Description |
| Open Meterpreter usage help. |
| Run Meterpreter-based scripts; for a full list check the scripts/meterpreter directory. |
| Show the system information on the compromised target. |
| List the files and folders on the target. |
| Load the privilege extension for extended Meterpreter libraries. |
| Show all running processes and which accounts are associated with each process. |
| Migrate to the specific process ID (PID is the target process ID gained from the ps command). |
| Load incognito functions. (Used for token stealing and impersonation on a target machine.) |
| List available tokens on the target by user. |
| List available tokens on the target by group. |
| Impersonate a token available on the target. |
| Steal the tokens available for a given process and impersonate that token. |
| Stop impersonating the current token. |
| Attempt to elevate permissions to SYSTEM-level access through multiple attack vectors. |
| Drop into an interactive shell with all available tokens. |
| Execute cmd.exe and interact with it. |
| Execute cmd.exe with all available tokens. |
| Execute cmd.exe with all available tokens and make it a hidden process. |
| Revert back to the original user you used to compromise the target. |
| Interact, create, delete, query, set, and much more in the target’s registry. |
| Switch to a different screen based on who is logged in. |
| Take a screenshot of the target’s screen. |
| Upload a file to the target. |
| Download a file from the target. |
| Start sniffing keystrokes on the remote target. |
| Dump the remote keys captured on the target. |
| Stop sniffing keystrokes on the remote target. |
| Get as many privileges as possible on the target. |
| Take control of the keyboard and/or mouse. |
| Run your current Meterpreter shell in the background. |
| Dump all hashes on the target. |
use sniffer | Load the sniffer module. |
| List the available interfaces on the target. |
| Start sniffing on the remote target. |
| Start sniffing with a specific range for a packet buffer. |
| Grab statistical information from the interface you are sniffing. |
| Stop the sniffer. |
| Add a user on the remote target. |
| Add a username to the Domain Administrators group on the remote target. |
| Clear the event log on the target machine. |
| Change file attributes, such as creation date (antiforensics measure). |
| Reboot the target machine. |
File Transfer
Command | Description |
| Download a file with PowerShell |
| Execute a file in memory using PowerShell |
| Upload a file with PowerShell |
| Download a file using Bitsadmin |
| Download a file using Certutil |
| Download a file using Wget |
| Download a file using cURL |
| Download a file using PHP |
| Upload a file using SCP |
| Download a file using SCP |
| Invoke-WebRequest using a Chrome User Agent |
Nmap Options
Nmap Option | Description |
| Target network range. |
| Disables port scanning. |
| Disables ICMP Echo Requests |
| Disables DNS Resolution. |
| Performs the ping scan by using ICMP Echo Requests against the target. |
| Shows all packets sent and received. |
| Displays the reason for a specific result. |
| Disables ARP Ping Requests. |
| Scans the specified top ports that have been defined as most frequent. |
| Scan all ports. |
| Scan all ports between 22 and 110. |
| Scans only the specified ports 22 and 25. |
| Scans top 100 ports. |
| Performs a TCP SYN-Scan. |
| Performs a TCP ACK-Scan. |
| Performs a UDP Scan. |
| Scans the discovered services for their versions. |
| Perform a Script Scan with scripts that are categorized as "default". |
| Performs a Script Scan by using the specified scripts. |
| Performs an OS Detection Scan to determine the OS of the target. |
| Performs OS Detection, Service Detection, and traceroute scans. |
| Sets the number of random Decoys that will be used to scan the target. |
| Specifies the network interface that is used for the scan. |
| Specifies the source IP address for the scan. |
| Specifies the source port for the scan. |
| DNS resolution is performed by using a specified name server. |
Output Options
Nmap Option | Description |
| Stores the results in all available formats starting with the name of "filename". |
| Stores the results in normal format with the name "filename". |
| Stores the results in "grepable" format with the name of "filename". |
| Stores the results in XML format with the name of "filename". |
Performance Options
Nmap Option | Description |
| Sets the number of retries for scans of specific ports. |
| Displays the scan's status every 5 seconds. |
| Displays verbose output during the scan. |
| Sets the specified time value as initial RTT timeout. |
| Sets the specified time value as maximum RTT timeout. |
| Sets the number of packets that will be sent simultaneously. |
| Specifies the specific timing template. |