icoa-cli 1.0.0

package/refs/ROPgadget.txt

@@ -0,0 +1,67 @@
+ROPgadget Quick Reference
+=========================
+
+BASIC USAGE
+  ROPgadget --binary binary             Find all gadgets
+  ROPgadget --binary binary --depth 10  Deeper search
+
+FILTERING
+  ROPgadget --binary binary --only "pop|ret"     Only pop/ret
+  ROPgadget --binary binary --only "mov|ret"      Only mov/ret
+  ROPgadget --binary binary --filter "leave"       Exclude leave
+
+SEARCHING
+  ROPgadget --binary binary --string "/bin/sh"    Find string
+  ROPgadget --binary binary --opcode "c3"         Find by opcode
+  ROPgadget --binary binary --re "pop .* ; ret"   Regex search
+
+AUTO ROP CHAIN
+  ROPgadget --binary binary --ropchain            Auto-generate chain
+
+COMMON GADGETS TO FIND
+  # x86-64 function call setup
+  pop rdi ; ret          # 1st argument
+  pop rsi ; ret          # 2nd argument
+  pop rdx ; ret          # 3rd argument
+  pop rax ; ret          # syscall number
+  syscall ; ret          # syscall
+
+  # x86 (32-bit)
+  pop eax ; ret
+  pop ebx ; ret
+  int 0x80               # syscall
+
+  # Stack pivot
+  xchg rax, rsp ; ret
+  leave ; ret
+
+  # Write-what-where
+  mov [rdi], rax ; ret
+  mov qword ptr [rsi], rdi ; ret
+
+ROPPER (alternative tool)
+  ropper -f binary                    Find gadgets
+  ropper -f binary --search "pop rdi" Search specific
+  ropper -f binary --chain execve     Auto chain
+
+PWNTOOLS ROP
+  from pwn import *
+  e = ELF("./binary")
+  rop = ROP(e)
+
+  rop.find_gadget(["pop rdi", "ret"])
+  rop.find_gadget(["pop rsi", "pop r15", "ret"])
+  rop.find_gadget(["ret"])           # ret gadget for alignment
+
+  # Build chain
+  rop.raw(ret_gadget)               # Stack alignment
+  rop.call("puts", [got_puts])      # Call puts(GOT[puts])
+  rop.call("main")                  # Return to main
+  chain = rop.chain()
+
+COMMON CTF ROP PATTERNS
+  # ret2libc (x86-64)
+  1. Leak libc address (puts GOT via puts PLT)
+  2. Calculate libc base
+  3. Find system() and "/bin/sh" in libc
+  4. pop rdi; ret → "/bin/sh" → system()

package/refs/base64.txt

@@ -0,0 +1,63 @@
+Base64 & Encoding Quick Reference
+=================================
+
+BASE64
+  Alphabet: A-Z a-z 0-9 + / (padding: =)
+  Encodes 3 bytes → 4 characters
+  Decodes 4 characters → 3 bytes
+
+  # Command line
+  echo -n "text" | base64          Encode
+  echo "dGV4dA==" | base64 -d     Decode (Linux)
+  echo "dGV4dA==" | base64 -D     Decode (macOS)
+  base64 file > encoded.txt       Encode file
+  base64 -d encoded.txt > file    Decode file
+
+  # Python
+  import base64
+  base64.b64encode(b"text")       → b"dGV4dA=="
+  base64.b64decode(b"dGV4dA==")   → b"text"
+
+  # URL-safe Base64
+  base64.urlsafe_b64encode(data)  Uses - and _ instead of + and /
+  base64.urlsafe_b64decode(data)
+
+BASE32
+  Alphabet: A-Z 2-7 (padding: =)
+  echo -n "text" | base32
+  base64.b32encode(b"text")
+  base64.b32decode(b"ORSXG5A=")
+
+HEX
+  echo -n "text" | xxd -p         Encode to hex
+  echo "74657874" | xxd -r -p     Decode from hex
+  bytes.fromhex("74657874")       Python decode
+  b"text".hex()                   Python encode
+
+URL ENCODING
+  # Python
+  from urllib.parse import quote, unquote
+  quote("hello world")            → "hello%20world"
+  unquote("hello%20world")        → "hello world"
+
+ROT13
+  echo "text" | tr 'a-zA-Z' 'n-za-mN-ZA-M'
+  import codecs; codecs.decode("grkg", "rot_13")
+
+BINARY
+  # Python
+  bin(65)                          → "0b1000001"
+  int("1000001", 2)               → 65
+  ''.join(format(b, '08b') for b in data)   Bytes to binary
+
+ASCII TABLE (key values)
+  0x00  NULL       0x20  SPACE      0x30  '0'
+  0x09  TAB        0x41  'A'        0x61  'a'
+  0x0a  LF (\n)    0x5a  'Z'        0x7a  'z'
+  0x0d  CR (\r)    0x7e  '~'        0x7f  DEL
+
+CTF TIPS
+  - Try "Magic" in CyberChef to auto-detect encoding
+  - Flags often have multiple layers: Base64(Hex(XOR(flag)))
+  - Look for patterns: "==" at end = base64, all hex chars = hex
+  - base64 length is always multiple of 4

package/refs/bash.txt

@@ -0,0 +1,79 @@
+Bash Scripting Quick Reference
+==============================
+
+VARIABLES
+  NAME="value"           Set variable (no spaces around =)
+  echo $NAME             Use variable
+  echo "${NAME}_suffix"  Variable in string
+  readonly VAR="val"     Constant
+
+CONDITIONALS
+  if [ condition ]; then
+    commands
+  elif [ condition ]; then
+    commands
+  else
+    commands
+  fi
+
+  # String comparisons
+  [ "$a" = "$b" ]        Equal
+  [ "$a" != "$b" ]       Not equal
+  [ -z "$a" ]            Empty string
+  [ -n "$a" ]            Non-empty string
+
+  # Numeric comparisons
+  [ $a -eq $b ]          Equal
+  [ $a -ne $b ]          Not equal
+  [ $a -lt $b ]          Less than
+  [ $a -gt $b ]          Greater than
+
+  # File tests
+  [ -f file ]            Regular file exists
+  [ -d dir ]             Directory exists
+  [ -r file ]            Readable
+  [ -x file ]            Executable
+
+LOOPS
+  for i in 1 2 3; do echo $i; done
+  for f in *.txt; do cat "$f"; done
+  for ((i=0; i<10; i++)); do echo $i; done
+  while read line; do echo "$line"; done < file
+  while true; do cmd; sleep 1; done
+
+FUNCTIONS
+  myfunc() {
+    echo "Arg1: $1, Arg2: $2"
+    return 0
+  }
+  myfunc "hello" "world"
+
+ARRAYS
+  arr=(one two three)
+  echo ${arr[0]}          First element
+  echo ${arr[@]}          All elements
+  echo ${#arr[@]}         Length
+
+STRING OPERATIONS
+  ${#var}                 String length
+  ${var:0:5}              Substring (offset:length)
+  ${var/old/new}          Replace first match
+  ${var//old/new}         Replace all matches
+  ${var%.ext}             Remove suffix
+  ${var#prefix}           Remove prefix
+
+SPECIAL VARIABLES
+  $0                      Script name
+  $1, $2, ...             Arguments
+  $#                      Number of arguments
+  $@                      All arguments
+  $?                      Last exit code
+  $$                      Current PID
+  $!                      Last background PID
+
+USEFUL PATTERNS
+  cmd || echo "failed"    Run on failure
+  cmd && echo "ok"        Run on success
+  $(command)              Command substitution
+  $((1 + 2))              Arithmetic
+  cmd &                   Background process

package/refs/binwalk.txt

@@ -0,0 +1,43 @@
+Binwalk Quick Reference
+=======================
+
+BASIC USAGE
+  binwalk file                   Scan for embedded files
+  binwalk -e file                Extract embedded files
+  binwalk -Me file               Recursive extraction
+  binwalk -D ".*" file           Extract all file types
+  binwalk -E file                Entropy analysis
+  binwalk -A file                Instruction scan
+  binwalk -W file1 file2         Compare files (hexdiff)
+
+EXTRACTION OPTIONS
+  binwalk -e file                Extract to ./_file.extracted/
+  binwalk -C /tmp/out -e file    Extract to custom directory
+  binwalk --dd="png:png" file    Extract specific type
+
+ENTROPY
+  binwalk -E file                Show entropy graph
+  binwalk -E -J file             Save entropy plot as PNG
+
+FILTERING
+  binwalk -y "jpeg" file         Only show JPEG signatures
+  binwalk -x "jpeg" file         Exclude JPEG signatures
+  binwalk -R "\x89PNG" file      Raw byte search
+
+COMMON CTF PATTERNS
+  # Firmware analysis
+  binwalk -Me firmware.bin
+
+  # Find hidden files in image
+  binwalk -e image.png
+
+  # Check for appended data
+  binwalk suspicious_file
+
+  # Extract filesystem from firmware
+  binwalk -e -C ./extracted firmware.bin
+
+RELATED TOOLS
+  foremost file                  Carve files by header/footer
+  foremost -t all -i file        Carve all known types
+  foremost -o output/ -i file    Output directory

package/refs/bs4.txt

@@ -0,0 +1,61 @@
+BeautifulSoup Quick Reference
+=============================
+
+INSTALLATION
+  pip install beautifulsoup4
+
+BASIC USAGE
+  from bs4 import BeautifulSoup
+
+  soup = BeautifulSoup(html, "html.parser")
+  soup = BeautifulSoup(html, "lxml")
+
+FINDING ELEMENTS
+  soup.find("tag")                First matching tag
+  soup.find_all("tag")           All matching tags
+  soup.find("div", class_="x")   By class
+  soup.find("div", id="main")    By id
+  soup.find("a", href=True)      Has attribute
+  soup.select("div.class")       CSS selector
+  soup.select("#id")             By ID selector
+  soup.select("div > p")         Direct children
+
+ELEMENT PROPERTIES
+  tag.text                 Text content
+  tag.string               Direct string content
+  tag.get_text(strip=True) Stripped text
+  tag["href"]              Attribute value
+  tag.get("href", "")      Attribute with default
+  tag.attrs                All attributes (dict)
+  tag.name                 Tag name
+
+NAVIGATION
+  tag.parent               Parent element
+  tag.children             Direct children
+  tag.descendants          All descendants
+  tag.next_sibling         Next sibling
+  tag.previous_sibling     Previous sibling
+
+COMMON CTF PATTERNS
+  # Extract all links
+  for a in soup.find_all("a"):
+      print(a.get("href"))
+
+  # Extract form fields
+  form = soup.find("form")
+  for inp in form.find_all("input"):
+      print(inp.get("name"), inp.get("value"))
+
+  # Extract hidden fields
+  hidden = soup.find_all("input", type="hidden")
+  for h in hidden:
+      print(h["name"], h["value"])
+
+  # Extract table data
+  for row in soup.find_all("tr"):
+      cells = [td.text for td in row.find_all("td")]
+      print(cells)
+
+  # Find comments
+  from bs4 import Comment
+  comments = soup.find_all(string=lambda t: isinstance(t, Comment))

package/refs/checksec.txt

@@ -0,0 +1,57 @@
+Checksec & Binary Protections Quick Reference
+==============================================
+
+CHECKSEC
+  checksec ./binary              Check all protections
+  checksec --file=./binary       Same (explicit)
+
+PROTECTIONS EXPLAINED
+
+  RELRO (Relocation Read-Only)
+    No RELRO         GOT is writable — easy GOT overwrite
+    Partial RELRO    Some sections read-only after load
+    Full RELRO       GOT fully read-only — no GOT overwrite
+
+  Stack Canary
+    No canary found  Stack buffer overflow is straightforward
+    Canary found     Random value on stack — must leak or bypass
+
+  NX (No-Execute)
+    NX disabled      Can execute shellcode on stack/heap
+    NX enabled       Stack/heap not executable — use ROP/ret2libc
+
+  PIE (Position Independent Executable)
+    No PIE           Binary at fixed address — addresses known
+    PIE enabled      ASLR for binary — need info leak
+
+  ASLR (Address Space Layout Randomization)
+    Check:  cat /proc/sys/kernel/randomize_va_space
+    0 = off, 1 = partial, 2 = full
+    Disable: echo 0 > /proc/sys/kernel/randomize_va_space
+
+PWNTOOLS CHECKSEC
+  from pwn import *
+  e = ELF("./binary")
+  # Prints protections automatically
+
+  e.pie              True/False
+  e.canary           True/False
+  e.nx               True/False
+
+FILE COMMAND
+  file ./binary      Architecture, linking, stripped?
+
+READELF
+  readelf -h binary   ELF header
+  readelf -S binary   Section headers
+  readelf -l binary   Program headers
+  readelf -s binary   Symbol table
+  readelf -d binary   Dynamic section
+  readelf -r binary   Relocations
+
+COMMON CTF STRATEGY
+  No canary + No PIE + No NX    → Direct shellcode on stack
+  No canary + No PIE + NX       → ret2libc / ROP
+  Canary + No PIE + NX          → Leak canary, then ROP
+  Canary + PIE + NX             → Leak canary + PIE base, ROP
+  Full RELRO + all protections  → Look for format string / logic bugs

package/refs/curl.txt

@@ -0,0 +1,73 @@
+cURL Quick Reference
+====================
+
+BASIC REQUESTS
+  curl URL                       GET request
+  curl -v URL                    Verbose output
+  curl -s URL                    Silent mode
+  curl -o file URL               Save to file
+  curl -O URL                    Save with original name
+  curl -L URL                    Follow redirects
+  curl -I URL                    Headers only (HEAD)
+
+HTTP METHODS
+  curl -X GET URL
+  curl -X POST URL
+  curl -X PUT URL
+  curl -X DELETE URL
+  curl -X PATCH URL
+  curl -X OPTIONS URL
+
+POST DATA
+  # Form data
+  curl -X POST -d "user=admin&pass=123" URL
+
+  # JSON
+  curl -X POST -H "Content-Type: application/json" \
+       -d '{"user":"admin"}' URL
+
+  # File upload
+  curl -X POST -F "file=@localfile.txt" URL
+
+  # Raw data from file
+  curl -X POST -d @data.json URL
+
+HEADERS
+  curl -H "Authorization: Bearer TOKEN" URL
+  curl -H "Cookie: session=abc" URL
+  curl -H "User-Agent: Mozilla/5.0" URL
+  curl -H "Content-Type: application/xml" URL
+
+AUTHENTICATION
+  curl -u user:pass URL          Basic auth
+  curl -H "Authorization: Bearer TOKEN" URL
+
+COOKIES
+  curl -c cookies.txt URL        Save cookies
+  curl -b cookies.txt URL        Send cookies
+  curl -b "name=value" URL       Send specific cookie
+
+SSL / PROXY
+  curl -k URL                    Ignore SSL errors
+  curl --proxy http://127.0.0.1:8080 URL
+  curl --proxy socks5://127.0.0.1:1080 URL
+  curl --cacert cert.pem URL     Custom CA cert
+
+USEFUL OPTIONS
+  curl -w "%{http_code}" URL     Print status code
+  curl -w "%{time_total}" URL    Print response time
+  curl --max-time 5 URL          Timeout (seconds)
+  curl -A "custom-agent" URL     Set user-agent
+
+CTF PATTERNS
+  # Test for SSRF
+  curl "http://target/fetch?url=http://127.0.0.1:8080"
+
+  # Cookie tampering
+  curl -b "role=admin" URL
+
+  # Header injection
+  curl -H "X-Forwarded-For: 127.0.0.1" URL
+
+  # Rate-limit bypass
+  for i in $(seq 1 100); do curl -s URL; done

package/refs/cyberchef.txt

@@ -0,0 +1,78 @@
+CyberChef Quick Reference
+=========================
+
+CyberChef is an encoding/decoding/analysis Swiss army knife.
+Online: https://gchq.github.io/CyberChef/
+CLI: npm install -g cyberchef-cli
+
+COMMON ENCODINGS
+  Base64 Encode/Decode
+  Base32 Encode/Decode
+  Hex Encode/Decode
+  URL Encode/Decode
+  HTML Entity Encode/Decode
+  Decimal (from/to)
+  Binary (from/to)
+  Octal (from/to)
+
+CRYPTO OPERATIONS
+  AES Encrypt/Decrypt
+  DES Encrypt/Decrypt
+  XOR (with key)
+  ROT13 / ROT47
+  Vigenère Encode/Decode
+  Caesar Cipher
+  Atbash Cipher
+  Rail Fence Cipher
+  Substitution Cipher
+
+HASHING
+  MD5 / SHA1 / SHA256 / SHA512
+  HMAC
+  CRC-16 / CRC-32
+
+DATA FORMAT
+  From/To Hex
+  From/To Base64
+  From/To Binary
+  Parse IP / URL
+  Parse JSON / XML / CSV
+
+ANALYSIS
+  Frequency Analysis
+  Entropy
+  Magic (auto-detect encoding)
+  Strings
+  Disassemble
+
+USEFUL RECIPES (for CTF)
+
+  # Multi-layer decode
+  Base64 → Hex → XOR
+
+  # ROT13
+  ROT13("Uryyb") → "Hello"
+
+  # XOR brute force
+  XOR Brute Force (key length 1)
+
+  # Magic (auto-detect)
+  Drag data → "Magic" operation → auto-detects encoding
+
+  # Extract strings
+  "Strings" operation with min length
+
+COMMAND LINE (cyberchef-cli)
+  echo "SGVsbG8=" | cyberchef "from_base64"
+  echo "48656c6c6f" | cyberchef "from_hex"
+  echo "Hello" | cyberchef "to_base64"
+  echo "data" | cyberchef "xor({'key':'secret'})"
+
+COMMON CTF WORKFLOW
+  1. Paste unknown data into CyberChef
+  2. Use "Magic" to auto-detect encoding
+  3. Chain operations (drag & drop)
+  4. Common chains:
+     - Base64 → Gunzip → output
+     - Hex → From Hex → XOR → output
+     - URL Decode → Base64 → output

package/refs/exiftool.txt

@@ -0,0 +1,50 @@
+ExifTool Quick Reference
+========================
+
+BASIC USAGE
+  exiftool file                  Show all metadata
+  exiftool -s file               Short tag names
+  exiftool -G file               Show group names
+  exiftool -json file            JSON output
+  exiftool -a -u file            All tags, including unknown
+
+SPECIFIC TAGS
+  exiftool -ImageWidth file      Single tag
+  exiftool -GPSLatitude file     GPS location
+  exiftool -Comment file         Comments
+  exiftool -Author file          Author
+  exiftool -CreateDate file      Creation date
+
+WRITE METADATA
+  exiftool -Comment="text" file  Set comment
+  exiftool -Author="name" file   Set author
+  exiftool -all= file            Remove ALL metadata
+  exiftool -overwrite_original file   Don't create backup
+
+BATCH OPERATIONS
+  exiftool *.jpg                 All JPEGs
+  exiftool -r directory/         Recursive
+  exiftool -ext jpg directory/   Only .jpg files
+
+COMPARE
+  exiftool -a -u file1 file2     Compare metadata
+
+COMMON CTF PATTERNS
+  # Check for hidden data in comments
+  exiftool -Comment image.jpg
+  exiftool -UserComment image.jpg
+
+  # Check GPS coordinates (physical location clue)
+  exiftool -GPSPosition image.jpg
+
+  # Check for steganography hints
+  exiftool -all image.png | grep -i "comment\|software\|description"
+
+  # Thumbnail extraction
+  exiftool -b -ThumbnailImage image.jpg > thumb.jpg
+
+  # Check if image was edited
+  exiftool -Software -ModifyDate image.jpg
+
+  # Hidden data in XMP
+  exiftool -xmp:all image.png

package/refs/ffuf.txt

@@ -0,0 +1,73 @@
+FFUF (Fuzz Faster U Fool) Quick Reference
+==========================================
+
+BASIC USAGE
+  ffuf -w wordlist.txt -u http://target/FUZZ
+
+DIRECTORY FUZZING
+  ffuf -w /usr/share/wordlists/dirb/common.txt \
+       -u http://target/FUZZ
+
+  ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
+       -u http://target/FUZZ
+
+FILE FUZZING
+  ffuf -w wordlist.txt -u http://target/FUZZ.php
+  ffuf -w wordlist.txt -u http://target/FUZZ -e .php,.html,.txt,.bak
+
+PARAMETER FUZZING
+  ffuf -w params.txt -u "http://target/page?FUZZ=test"
+  ffuf -w values.txt -u "http://target/page?param=FUZZ"
+
+POST DATA FUZZING
+  ffuf -w wordlist.txt -u http://target/login \
+       -X POST -d "user=admin&password=FUZZ" \
+       -H "Content-Type: application/x-www-form-urlencoded"
+
+HEADER FUZZING
+  ffuf -w wordlist.txt -u http://target/ \
+       -H "X-Custom-Header: FUZZ"
+
+SUBDOMAIN FUZZING
+  ffuf -w subdomains.txt -u http://FUZZ.target.com
+  ffuf -w subdomains.txt -u http://target.com \
+       -H "Host: FUZZ.target.com"
+
+VHOST FUZZING
+  ffuf -w vhosts.txt -u http://target.com \
+       -H "Host: FUZZ" -fs 4242
+
+FILTERING
+  -fc 404              Filter by status code
+  -fc 404,403          Multiple codes
+  -fs 4242             Filter by response size
+  -fw 12               Filter by word count
+  -fl 5                Filter by line count
+  -fr "Not Found"      Filter by regex
+  -mc 200              Match only status 200
+  -ms 1234             Match by size
+
+OPTIONS
+  -t 50                Threads (default 40)
+  -rate 100            Requests per second limit
+  -timeout 5           Timeout in seconds
+  -r                   Follow redirects
+  -c                   Colorize output
+  -o output.json       Save output
+  -of json             Output format
+  -v                   Verbose
+  -s                   Silent (only results)
+
+RECURSIVE
+  ffuf -w wordlist.txt -u http://target/FUZZ \
+       -recursion -recursion-depth 2
+
+MULTIPLE WORDLISTS
+  ffuf -w users.txt:USER -w passes.txt:PASS \
+       -u http://target/login \
+       -X POST -d "user=USER&pass=PASS" \
+       -mode clusterbomb
+
+MODES
+  clusterbomb          All combinations (default for multi)
+  pitchfork            Paired (line by line)