icoa-cli 1.0.0

package/refs/sqlmap.txt

@@ -0,0 +1,69 @@
+SQLMap Quick Reference
+=====================
+
+BASIC USAGE
+  sqlmap -u "http://target/page?id=1"
+  sqlmap -u "http://target/page?id=1" --dbs       List databases
+  sqlmap -u "http://target/page?id=1" -D db --tables    List tables
+  sqlmap -u "http://target/page?id=1" -D db -T tbl --dump   Dump table
+
+POST REQUEST
+  sqlmap -u "http://target/login" --data="user=a&pass=b"
+  sqlmap -u "http://target/login" --data="user=a&pass=b" -p user
+
+FROM FILE (Burp/ZAP request)
+  sqlmap -r request.txt
+
+DETECTION
+  --level=5             Increase test level (1-5)
+  --risk=3              Increase risk level (1-3)
+  -p param              Test specific parameter
+  --dbms=mysql          Specify DBMS
+  --technique=BEUSTQ    Specify techniques
+
+ENUMERATION
+  --current-user        Current database user
+  --current-db          Current database
+  --dbs                 List all databases
+  --tables              List tables
+  --columns             List columns
+  --dump                Dump data
+  --dump-all            Dump everything
+  --passwords           Enumerate password hashes
+  --privileges          User privileges
+
+AUTHENTICATION
+  --cookie="session=abc"          Cookie
+  --headers="Authorization: Bearer tok"   Header
+  --auth-type=basic --auth-cred=user:pass
+  --proxy=http://127.0.0.1:8080
+
+TECHNIQUES
+  B  Boolean-based blind
+  E  Error-based
+  U  Union query
+  S  Stacked queries
+  T  Time-based blind
+  Q  Inline queries
+
+OPTIONS
+  --batch              Auto-answer all questions
+  --threads=5          Parallel threads
+  --random-agent       Random User-Agent
+  --tamper=space2comment   Use tamper script
+  --os-shell           OS command shell
+  --sql-shell          SQL interactive shell
+  --file-read=/etc/passwd   Read file
+  --file-write=shell.php --file-dest=/var/www/shell.php
+
+COMMON CTF PATTERNS
+  # Basic enumeration
+  sqlmap -u "http://target/?id=1" --batch --dbs
+  sqlmap -u "http://target/?id=1" --batch -D ctf --tables
+  sqlmap -u "http://target/?id=1" --batch -D ctf -T flag --dump
+
+  # Bypass WAF
+  sqlmap -u URL --tamper=space2comment,between,randomcase
+
+  # Read flag file
+  sqlmap -u URL --file-read="/flag.txt"

package/refs/steghide.txt

@@ -0,0 +1,71 @@
+Steghide & Steganography Quick Reference
+=========================================
+
+STEGHIDE
+  # Embed data in image
+  steghide embed -cf image.jpg -ef secret.txt
+  steghide embed -cf image.jpg -ef secret.txt -p "password"
+
+  # Extract hidden data
+  steghide extract -sf image.jpg
+  steghide extract -sf image.jpg -p "password"
+
+  # Get info about embedded data
+  steghide info image.jpg
+
+  # Supported formats: JPEG, BMP, WAV, AU
+
+ZSTEG (PNG/BMP)
+  zsteg image.png                All checks
+  zsteg -a image.png             Try all combinations
+  zsteg image.png -b 1           Check LSB
+  zsteg image.png -E "b1,r,lsb" Extract specific channel
+
+STEGSOLVE (GUI)
+  java -jar stegsolve.jar
+  # Cycle through bit planes
+  # XOR / AND / OR images
+
+OTHER TOOLS
+  # strings — find readable text
+  strings file
+  strings -n 10 file             Min length 10
+  strings -e l file              Little-endian
+
+  # exiftool — metadata
+  exiftool image.jpg
+  exiftool -all= image.jpg       Remove all metadata
+
+  # pngcheck — PNG structure
+  pngcheck -v image.png
+
+  # foremost — file carving
+  foremost -i image.png -o ./output/
+
+  # outguess
+  outguess -r image.jpg output.txt
+  outguess -k "password" -r image.jpg output.txt
+
+LSB STEGANOGRAPHY (Python)
+  from PIL import Image
+
+  img = Image.open("steg.png")
+  px = img.load()
+  bits = ""
+  for y in range(img.height):
+      for x in range(img.width):
+          r, g, b = px[x, y][:3]
+          bits += str(r & 1)
+          bits += str(g & 1)
+          bits += str(b & 1)
+
+  msg = bytes(int(bits[i:i+8], 2) for i in range(0, len(bits), 8))
+  print(msg)
+
+COMMON CTF WORKFLOW
+  1. strings file           Look for readable text
+  2. exiftool file           Check metadata / comments
+  3. binwalk file            Check for embedded files
+  4. steghide info file      Check for steghide data
+  5. zsteg file (if PNG)     Check LSB channels
+  6. Compare with original   Visual / binary diff

package/refs/struct.txt

@@ -0,0 +1,61 @@
+Python struct Module Quick Reference
+====================================
+
+IMPORT
+  import struct
+
+PACK (Python → bytes)
+  struct.pack("<I", 0x41414141)    Little-endian uint32
+  struct.pack(">I", 0x41414141)    Big-endian uint32
+  struct.pack("<Q", addr)          Little-endian uint64
+  struct.pack("<HH", 0x1234, 0x5678)  Two uint16
+
+UNPACK (bytes → Python)
+  struct.unpack("<I", data)        → (value,)  tuple
+  struct.unpack("<II", data)       → (val1, val2)
+  val = struct.unpack("<I", data)[0]  Single value
+
+FORMAT CHARACTERS
+  Byte order:
+    <         Little-endian
+    >         Big-endian
+    !         Network (big-endian)
+    =         Native
+
+  Types:
+    b / B     int8 / uint8      (1 byte)
+    h / H     int16 / uint16    (2 bytes)
+    i / I     int32 / uint32    (4 bytes)
+    l / L     int32 / uint32    (4 bytes)
+    q / Q     int64 / uint64    (8 bytes)
+    f         float             (4 bytes)
+    d         double            (8 bytes)
+    s         char[]            (N bytes)
+    x         padding           (1 byte)
+
+SIZE
+  struct.calcsize("<IHH")         Calculate packed size
+
+COMMON CTF PATTERNS
+  # Read binary header
+  with open("file", "rb") as f:
+      magic = struct.unpack("<I", f.read(4))[0]
+      size = struct.unpack("<H", f.read(2))[0]
+
+  # Parse ELF header fields
+  data = open("binary", "rb").read()
+  e_entry = struct.unpack("<Q", data[0x18:0x20])[0]
+
+  # Build payload with addresses
+  payload = b""
+  payload += struct.pack("<Q", 0x400000)   # return addr
+  payload += struct.pack("<Q", 0x601020)   # GOT entry
+
+  # Unpack multiple values
+  fields = struct.unpack("<IIHH", data[:12])
+  id, flags, type, size = fields
+
+  # Iterate over array of structs
+  ENTRY_SIZE = struct.calcsize("<IIQ")
+  for i in range(0, len(data), ENTRY_SIZE):
+      a, b, c = struct.unpack("<IIQ", data[i:i+ENTRY_SIZE])

package/refs/sympy.txt

@@ -0,0 +1,77 @@
+SymPy Quick Reference
+=====================
+
+INSTALLATION
+  pip install sympy
+
+BASIC USAGE
+  from sympy import *
+
+NUMBER THEORY (CTF Crypto)
+  # Modular inverse
+  mod_inverse(e, phi)         e^(-1) mod phi
+
+  # GCD / Extended GCD
+  gcd(a, b)
+  gcdex(a, b)                Returns (x, y, g) where ax + by = g
+
+  # Factorization
+  factorint(n)                Factor integer → {prime: exp}
+  isprime(n)                  Primality test
+  nextprime(n)                Next prime after n
+  prevprime(n)                Previous prime
+
+  # Chinese Remainder Theorem
+  crt([m1, m2], [r1, r2])    Solve x ≡ ri (mod mi)
+
+  # Discrete logarithm
+  discrete_log(n, a, b)      Find x: b^x ≡ a (mod n)
+
+  # Euler's totient
+  totient(n)                  φ(n)
+
+  # Legendre/Jacobi symbol
+  legendre_symbol(a, p)
+  jacobi_symbol(a, n)
+
+  # Square root mod p
+  sqrt_mod(a, p)              √a mod p
+  sqrt_mod(a, p, all_roots=True)
+
+POLYNOMIALS
+  x = Symbol('x')
+  p = x**3 + 2*x + 1
+  roots = solve(p, x)        Find roots
+  factor(p)                   Factor polynomial
+
+  # Polynomial over finite field
+  from sympy import GF
+  F = GF(p)                   Field of integers mod p
+
+MATRICES
+  M = Matrix([[1, 2], [3, 4]])
+  M.det()                     Determinant
+  M.inv()                     Inverse
+  M * M                       Multiplication
+  M.eigenvals()               Eigenvalues
+  M.rref()                    Row echelon form
+
+SOLVING EQUATIONS
+  x, y = symbols('x y')
+  solve(x**2 - 4, x)          → [-2, 2]
+  solve([x + y - 5, x - y - 1], [x, y])
+
+COMMON RSA PATTERNS
+  # Factor n when p and q are close
+  from sympy import integer_nthroot
+  s = integer_nthroot(n, 2)[0]
+  # Then search near s for factors
+
+  # Recover d from (e, phi)
+  d = mod_inverse(e, phi)
+  m = pow(c, d, n)
+
+  # Wiener's attack (small d)
+  # Use continued fraction expansion
+  from sympy import continued_fraction_iterator, Rational
+  cf = list(continued_fraction_iterator(Rational(e, n)))

package/refs/tshark.txt

@@ -0,0 +1,65 @@
+Tshark Quick Reference
+======================
+
+BASIC USAGE
+  tshark -r file.pcap            Read pcap file
+  tshark -i eth0                 Live capture
+  tshark -c 100 -i eth0          Capture 100 packets
+
+DISPLAY FILTERS
+  tshark -r f.pcap -Y "http"               HTTP only
+  tshark -r f.pcap -Y "tcp.port==80"       Port 80
+  tshark -r f.pcap -Y "ip.addr==10.0.0.1"  Specific IP
+  tshark -r f.pcap -Y "dns"                DNS only
+  tshark -r f.pcap -Y "tcp.flags.syn==1"   SYN packets
+  tshark -r f.pcap -Y "http.request"       HTTP requests
+  tshark -r f.pcap -Y "http.response"      HTTP responses
+  tshark -r f.pcap -Y "ftp"                FTP traffic
+  tshark -r f.pcap -Y "smtp"               SMTP (email)
+
+FIELD EXTRACTION
+  tshark -r f.pcap -T fields -e frame.number -e ip.src -e ip.dst
+  tshark -r f.pcap -T fields -e http.request.uri
+  tshark -r f.pcap -T fields -e dns.qry.name
+  tshark -r f.pcap -T fields -e data.data
+
+OUTPUT FORMATS
+  tshark -r f.pcap -T json       JSON output
+  tshark -r f.pcap -T fields     Tab-separated fields
+  tshark -r f.pcap -V            Verbose (full decode)
+  tshark -r f.pcap -x            Hex dump
+
+CAPTURE FILTERS
+  tshark -i eth0 -f "port 80"           Port 80
+  tshark -i eth0 -f "host 10.0.0.1"     Specific host
+  tshark -i eth0 -f "tcp"               TCP only
+
+STATISTICS
+  tshark -r f.pcap -z conv,tcp          TCP conversations
+  tshark -r f.pcap -z endpoints,ip      IP endpoints
+  tshark -r f.pcap -z http,tree         HTTP statistics
+  tshark -r f.pcap -z io,stat,1         I/O graph data
+
+STREAM FOLLOWING
+  tshark -r f.pcap -z follow,tcp,ascii,0    Follow TCP stream 0
+  tshark -r f.pcap -z follow,http,ascii,0   Follow HTTP stream
+
+EXPORT
+  tshark -r f.pcap --export-objects http,./output/
+  tshark -r f.pcap -w filtered.pcap -Y "http"
+
+COMMON CTF PATTERNS
+  # Extract HTTP POST data
+  tshark -r f.pcap -Y "http.request.method==POST" \
+         -T fields -e http.file_data
+
+  # Find credentials
+  tshark -r f.pcap -Y "ftp.request.command==PASS" \
+         -T fields -e ftp.request.arg
+
+  # DNS exfil
+  tshark -r f.pcap -Y "dns.qry.name" \
+         -T fields -e dns.qry.name | sort -u
+
+  # Extract files
+  tshark -r f.pcap --export-objects http,./extracted/

package/refs/vim.txt

@@ -0,0 +1,74 @@
+Vim Quick Reference
+===================
+
+MODES
+  i                 Insert mode (before cursor)
+  a                 Insert mode (after cursor)
+  o                 New line below + insert
+  O                 New line above + insert
+  v                 Visual mode
+  V                 Visual line mode
+  Ctrl+v            Visual block mode
+  Esc / Ctrl+[      Normal mode
+  :                 Command mode
+
+NAVIGATION
+  h j k l           Left, Down, Up, Right
+  w / b             Next/prev word
+  0 / $             Line start/end
+  gg / G            File start/end
+  Ctrl+d / Ctrl+u   Half-page down/up
+  :N                Go to line N
+  %                 Jump to matching bracket
+  * / #             Search word under cursor fwd/back
+  f{char}           Jump to char on line
+
+EDITING
+  x                 Delete character
+  dd                Delete line
+  dw                Delete word
+  d$                Delete to end of line
+  yy                Yank (copy) line
+  yw                Yank word
+  p / P             Paste after/before
+  u                 Undo
+  Ctrl+r            Redo
+  .                 Repeat last change
+  >>  / <<          Indent / outdent
+  J                 Join lines
+  ~                 Toggle case
+  r{char}           Replace character
+
+SEARCH & REPLACE
+  /pattern          Search forward
+  ?pattern          Search backward
+  n / N             Next/prev match
+  :%s/old/new/g     Replace all in file
+  :%s/old/new/gc    Replace all with confirm
+  :s/old/new/g      Replace in current line
+
+FILE OPERATIONS
+  :w                Save
+  :q                Quit
+  :wq / :x / ZZ     Save and quit
+  :q!               Quit without saving
+  :e filename       Open file
+  :r filename       Insert file contents
+
+USEFUL COMMANDS
+  :set number       Show line numbers
+  :set nonumber     Hide line numbers
+  :set paste        Paste mode (no auto-indent)
+  :noh              Clear search highlight
+  :!command         Run shell command
+  :%!xxd            Hex editor mode
+  :%!xxd -r         Exit hex editor mode
+  :set encoding=utf-8   Set encoding
+
+MULTI-FILE
+  :bn / :bp         Next/prev buffer
+  :ls               List buffers
+  :sp file          Horizontal split
+  :vsp file         Vertical split
+  Ctrl+w w          Switch window
+  Ctrl+w q          Close window

package/refs/volatility.txt

@@ -0,0 +1,41 @@
+Volatility Memory Forensics Quick Reference
+============================================
+
+VOLATILITY 3 (Python 3)
+  vol -f dump.raw windows.info         OS info
+  vol -f dump.raw windows.pslist       Process list
+  vol -f dump.raw windows.pstree       Process tree
+  vol -f dump.raw windows.cmdline      Command lines
+  vol -f dump.raw windows.netscan      Network connections
+  vol -f dump.raw windows.filescan     File objects
+  vol -f dump.raw windows.dumpfiles --pid PID   Dump files
+  vol -f dump.raw windows.hashdump     Password hashes
+  vol -f dump.raw windows.registry.hivelist    Registry hives
+  vol -f dump.raw windows.envars       Environment variables
+  vol -f dump.raw windows.malfind      Injected code
+
+VOLATILITY 2 (Python 2)
+  vol.py -f dump.raw imageinfo         Identify profile
+  vol.py -f dump.raw --profile=PROF pslist      Process list
+  vol.py -f dump.raw --profile=PROF pstree      Process tree
+  vol.py -f dump.raw --profile=PROF cmdline     Command lines
+  vol.py -f dump.raw --profile=PROF netscan     Network
+  vol.py -f dump.raw --profile=PROF filescan    Files
+  vol.py -f dump.raw --profile=PROF dumpfiles -D ./out/    Dump files
+  vol.py -f dump.raw --profile=PROF hashdump    Hashes
+  vol.py -f dump.raw --profile=PROF hivelist    Registry
+  vol.py -f dump.raw --profile=PROF clipboard   Clipboard
+  vol.py -f dump.raw --profile=PROF screenshot -D ./out/
+
+LINUX
+  vol -f dump.raw linux.bash           Bash history
+  vol -f dump.raw linux.pslist         Process list
+  vol -f dump.raw linux.lsof           Open files
+
+COMMON CTF WORKFLOW
+  1. vol -f dump.raw windows.info      Identify OS
+  2. vol -f dump.raw windows.pslist    Find suspicious processes
+  3. vol -f dump.raw windows.cmdline   Check what was run
+  4. vol -f dump.raw windows.netscan   Check connections
+  5. vol -f dump.raw windows.filescan | grep -i "flag\|secret\|key"
+  6. vol -f dump.raw windows.dumpfiles --pid PID

package/refs/z3.txt

@@ -0,0 +1,78 @@
+Z3 Solver Quick Reference
+=========================
+
+INSTALLATION
+  pip install z3-solver
+
+BASIC USAGE
+  from z3 import *
+
+  # Create solver
+  s = Solver()
+
+  # Declare variables
+  x = Int('x')              Integer variable
+  y = Int('y')
+  a = BitVec('a', 32)       32-bit bitvector
+  b = BitVec('b', 32)
+  r = Real('r')             Real number
+  flag = [BitVec(f'f{i}', 8) for i in range(20)]  # Array
+
+CONSTRAINTS
+  s.add(x + y == 10)        Add constraint
+  s.add(x > 0)              Inequality
+  s.add(x != y)             Not equal
+  s.add(And(x > 0, y > 0))  Logical AND
+  s.add(Or(x == 1, x == 2)) Logical OR
+  s.add(Not(x == 0))        Logical NOT
+  s.add(If(x > 0, y, z) == 5) Conditional
+
+SOLVING
+  if s.check() == sat:
+      m = s.model()
+      print(m[x])            Get value
+      print(m.eval(x + y))   Evaluate expression
+  else:
+      print("No solution")
+
+BITVECTOR OPERATIONS
+  a + b                 Addition
+  a - b                 Subtraction
+  a * b                 Multiplication
+  a & b                 Bitwise AND
+  a | b                 Bitwise OR
+  a ^ b                 Bitwise XOR
+  ~a                    Bitwise NOT
+  a << 2                Left shift
+  LShR(a, 2)            Logical right shift
+  a >> 2                Arithmetic right shift
+  RotateLeft(a, n)      Rotate left
+  RotateRight(a, n)     Rotate right
+  ZeroExt(n, a)         Zero extend
+  SignExt(n, a)         Sign extend
+  Extract(hi, lo, a)    Extract bits [hi:lo]
+  Concat(a, b)          Concatenate bitvectors
+
+COMMON CTF PATTERNS
+  # Solve for flag bytes (printable ASCII)
+  flag = [BitVec(f'f{i}', 8) for i in range(N)]
+  s = Solver()
+  for f in flag:
+      s.add(f >= 0x20, f <= 0x7e)
+
+  # Add challenge-specific constraints
+  s.add(flag[0] == ord('i'))  # icoa{...}
+
+  if s.check() == sat:
+      m = s.model()
+      result = ''.join(chr(m[f].as_long()) for f in flag)
+      print(result)
+
+  # Reverse a hash-like function
+  def transform(x):
+      return (x * 1337 + 42) & 0xFFFFFFFF
+
+  target = 0xDEADBEEF
+  x = BitVec('x', 32)
+  s = Solver()
+  s.add(transform(x) == target)