OSCP+ · OSWE · OSEP · OSDA · OSWA · PNPT · CPTS · HTB CPTS · Docker · Kubernetes · Terraform · CI/CD
⭐ If this saved you time, please leave a star. It's the simplest way to support this work.
5040 commands across 53 categories and 320 subcategories — bilingual interface (English + Türkçe).
Runs 100% locally. No account, no telemetry, no cloud — your data never leaves your machine.
- Offensive Security + DevSecOps — full penetration-testing lifecycle and container / Kubernetes / IaC / CI-CD security
- Full CRUD — Add, edit, and delete your own categories, subcategories, and commands
- Fuzzy command palette —
Ctrl+Kopens a ranked search across every command, every category, and each individual machine & write-up (search by name / IP / OS / tags), plus jump-to actions (Favorites, Write-ups, Machines, History) - One-click copy on every command block; multi-line commands copy as a single chained script
- Command history — every copied command is logged locally with a timestamp, for reporting and quick re-copy
- Dark / Light theme — follows your OS preference, with a manual toggle
- Safe placeholders — All IPs and sensitive values use
<TARGET_IP>,<ATTACKER_IP>,<DOMAIN>, etc. - Variable Fill Bar + Quick IP Changer with saved profiles — fill
<PLACEHOLDER>values once and auto-apply them to every command; save a named profile per target box and switch instantly - Multi-select tag filter by
essential/tool/advanced(chips combine), plus Favorites (id-stable, survive reordering) - MITRE ATT&CK tags — ~1,160 offensive commands are mapped to 72 ATT&CK techniques (every id verified against attack.mitre.org), shown as chips linking to the technique page, with a sidebar ATT&CK facet to filter by technique. Mapping is generated by a curated, idempotent tagger (
npm run tag:attack) that only tags offensive commands — DevSecOps/ops/detection commands stay untagged. Commands can also carry reference links (HackTricks, GTFOBins, docs) - Script basket — collect commands from anywhere into an ordered scratch buffer, reorder them, then copy or export as one runnable
.shscript (placeholders resolved) - Machines — a full box-solving workspace: 12 situation-aware playbooks plus rich metadata (platform · difficulty · status · tags), user/root flag capture, time-to-own tracking, a dashboard (aggregate stats + search/filter/sort) with a Kanban board view (drag cards between status columns), a structured services table with one-click nmap import (paste
-sCVoutput → parsed rows) and quick-scan chips, a credential vault (structured, per-secret copy, validity toggle), an activity timeline that auto-logs every command you copy while a box is the active target, evidence (paste/drop screenshots), an editable checklist, per-phase "copy all", a live Report tab built from the machine's current data (export MD/HTML/PDF or save to Write-ups), and an AD engagement mode (attach hosts, draggable node-link schematic with progress rings, per-host checklists/loot/notes) - Write-ups — split live-preview Markdown editor with a formatting toolbar, an offline CVSS 3.1 base-score calculator (insert score/severity/vector), 8 professional report templates and 13 insertable sections (findings table, CVSS scale, attack narrative, ATT&CK map, remediation matrix, tooling, timeline, scope/RoE, evidence, references…), rich Markdown (nested lists, strikethrough, autolinked URLs, per-block code copy), tables, task lists, auto TOC, reading time, list search / tag-filter / sort / pin, a linked machine that auto-fills target placeholders, image upload (paste & drag-and-drop) and MD / HTML / PDF export — both HTML and Markdown are fully self-contained (images inlined as data URIs)
- Notes — per-category sticky notes
- Deep links & PWA — bookmarkable views (
#machines,#cat/<id>), installable, works offline - Runs with or without a server — the full app also builds to a static, server-less bundle (
npm run build:static) backed by an in-browser IndexedDB store, ready to publish on GitHub Pages (see Static build) - Export / Import your database as JSON; a content validator keeps the seed data structurally sound (wired into CI)
- Mobile responsive sidebar navigation, accessible (keyboard-operable, ARIA, reduced-motion)
- TR / EN bilingual interface
- Docker ready & hardened — single-command deploy, runs non-root with a healthcheck, binds to
127.0.0.1, optional HTTP Basic Auth, magic-byte-validated uploads
| # | Category | Commands | Description |
|---|---|---|---|
| 1 | 🔍 Target Profiling & Network Mapping | 171 | Enumerate targets through passive intelligence gathering, active scanning, and service… |
| 2 | ⚡ Weakness Identification & Scanning | 47 | Identify known vulnerabilities and misconfigurations across network services and web ap… |
| 3 | 🌐 Web Attack Techniques | 136 | Exploit web application vulnerabilities including directory traversal, injection, file… |
| 4 | 🗃️ Database Exploitation via Injection | 101 | Detect and exploit SQL injection vulnerabilities to extract data, escalate privileges,… |
| 5 | 📜 Browser-Side Exploitation | 47 | Exploit cross-site scripting, cross-site request forgery, and DOM-based vulnerabilities… |
| 6 | 🖥️ Payload Engineering & Delivery | 47 | Generate reverse shells, bind shells, web shells, and custom payloads for various platf… |
| 7 | 🐚 Shells, Listeners & Stabilization | 61 | Establish reverse shells, bind shells, and web shells across platforms, then upgrade to… |
| 8 | ⬆️ Windows Privilege Escalation | 105 | Escalate privileges on Windows hosts through service misconfigurations, token abuse, cr… |
| 9 | 🐧 Linux Privilege Escalation | 121 | Escalate privileges on Linux systems through SUID binaries, sudo misconfigurations, cap… |
| 10 | 🔑 Credential Attacks & Hash Cracking | 146 | Perform online brute force, offline hash cracking, credential dumping, and password spr… |
| 11 | 🛡️ Defense Evasion & AV Bypass | 49 | Bypass antivirus, AMSI, AppLocker, Constrained Language Mode, and other security contro… |
| 12 | 🔀 Network Pivoting & Traffic Routing | 69 | Route traffic through compromised hosts to reach internal networks using SSH tunnels, S… |
| 13 | 🔧 Metasploit Operations | 110 | Metasploit Framework for exploitation, post-exploitation, and pivoting |
| 14 | 🏢 Active Directory Reconnaissance | 71 | Enumerate Active Directory domains, users, groups, trusts, and attack paths |
| 15 | 🎯 Active Directory Exploitation | 78 | Attack Active Directory with Kerberos, NTLM relay, delegation, and persistence techniques |
| 16 | 48 | Move laterally across the network using remote execution and Windows protocols | |
| 17 | ☁️ AWS Cloud Security Testing | 65 | Enumerate and exploit AWS cloud services, IAM, S3, EC2, and more |
| 18 | 📁 File Transfer Arsenal | 53 | Techniques for transferring files to and from targets across different protocols |
| 19 | 🔐 Protocol Tunneling & Firewall Evasion | 29 | Bypass firewalls and deep packet inspection using protocol tunneling techniques |
| 20 | 🎣 Social Engineering & Phishing | 34 | Phishing infrastructure, credential harvesting, and social engineering tools |
| 21 | 💣 Exploit Research & Development | 44 | Find, adapt, compile, and develop exploits for penetration testing |
| 22 | 🧩 Engagement Methodology & Playbook | 73 | Structured pentest workflow, service checklists, and engagement methodology |
| 23 | 🐳 Container & Infrastructure Testing | 78 | Test Docker, Kubernetes, and CI/CD pipeline security |
| 24 | 🕸️ NetExec / CrackMapExec | 80 | NetExec (nxc) and CrackMapExec for Active Directory enumeration, lateral movement, and… |
| 25 | 🐕 BloodHound & SharpHound | 39 | BloodHound AD attack path analysis, SharpHound collection, and useful Cypher queries fo… |
| 26 | 📜 ADCS — Certificate Services Attacks | 22 | Active Directory Certificate Services exploitation — ESC1 through ESC8 using Certipy, C… |
| 27 | 🔌 Network Service Exploitation | 127 | Service-specific exploitation techniques for common ports found during OSCP-style engag… |
| 28 | ⚡ PowerShell for Pentesters | 51 | PowerShell commands for Active Directory enumeration, exploitation, and post-exploitati… |
| 29 | 🐍 Impacket Toolsuite | 34 | Comprehensive Impacket tools for Windows/AD protocol attacks, credential dumping, and l… |
| 30 | 🐱 Mimikatz Commands | 25 | Mimikatz credential extraction, Kerberos ticket manipulation, and Windows credential at… |
| 31 | 🪟 Windows Post-Exploitation | 55 | Windows post-exploitation — situational awareness, persistence, data gathering, and pri… |
| 32 | 🐧 Linux Post-Exploitation | 35 | Linux post-exploitation — situational awareness, credential hunting, persistence, and l… |
| 33 | 📡 Wireless Security Testing | 19 | WiFi security testing — WPA/WPA2 cracking, WPS attacks, evil twin, and wireless reconna… |
| 34 | 🔶 Burp Suite | 41 | Burp Suite web application security testing — proxy setup, scanning, intruder attacks,… |
| 35 | 💉 MSFVenom Payload Reference | 28 | Comprehensive msfvenom payload generation for various platforms, formats, and encoders. |
| 36 | 🐳 Docker — Engine & CLI | 224 | Day-to-day Docker operations: image build/manage, container lifecycle, volumes, network… |
| 37 | 🛡️ Docker Security | 220 | Securing Docker: image scanning, Dockerfile hardening, runtime security, secrets, rootl… |
| 38 | ☸️ Kubernetes — kubectl Operations | 222 | Operating Kubernetes with kubectl: workloads, services, config, debugging, contexts, an… |
| 39 | 🔐 Kubernetes Security | 215 | Securing and attacking Kubernetes: RBAC, Pod Security, network policies, admission cont… |
| 40 | 🏗️ Terraform / IaC Core | 190 | Terraform workflow: init, plan, apply, state management, workspaces, modules, providers… |
| 41 | 🔎 IaC Security Scanning | 190 | Static analysis and policy enforcement for infrastructure-as-code: Terraform, CloudForm… |
| 42 | ⚙️ Ansible Automation | 189 | Ansible for configuration management and automation: ad-hoc commands, playbooks, invent… |
| 43 | 🔁 CI/CD Pipeline Security | 192 | Securing CI/CD pipelines: GitHub Actions / GitLab CI hardening, secrets scanning, SAST/… |
| 44 | ⛓️ Software Supply Chain Security | 136 | Supply chain integrity: SBOM generation, artifact signing, provenance/attestation, and… |
| 45 | 🗝️ Secrets Management | 139 | Managing and protecting secrets: HashiCorp Vault, SOPS, sealed-secrets, cloud secret ma… |
| 46 | 🦅 Cloud-Native Runtime Security | 137 | Runtime threat detection and enforcement for containers and hosts using eBPF-based and… |
| 47 | 🌩️ Cloud Security Posture (Multi-Cloud) | 197 | Auditing cloud posture across AWS, Azure, and GCP with CSPM and IAM tooling. |
| 48 | ⎈ Helm & Package Management | 110 | Helm chart operations and security: install, upgrade, templating, repositories, and cha… |
| 49 | 🔗 Service Mesh & Network Security | 108 | Service mesh operations and zero-trust networking: Istio, Linkerd, Cilium, and mTLS. |
| 50 | 📊 Observability & Detection Engineering | 136 | Security observability and detection: log pipelines, SIEM queries, and detection-as-cod… |
| 51 | 📱 Mobile Application Security | 40 | Android and iOS application security testing: static reversing, dynamic instrumentation… |
| 52 | 🤖 LLM / AI Security | 32 | Testing LLM-powered applications: prompt injection and jailbreaks, automated red-team s… |
| 53 | 🟣 Purple Team & Detection Validation | 24 | Adversary emulation and detection validation: Atomic Red Team, MITRE Caldera, ATT&CK ma… |
git clone https://github.com/halilibrahimd27/cheat-sheet.git
cd cheat-sheet
docker compose up -dOpen http://localhost:8899 in your browser.
The container publishes only to
127.0.0.1:8899by default and persists data in a Docker volume — your custom commands survive restarts and updates.
git clone https://github.com/halilibrahimd27/cheat-sheet.git
cd cheat-sheet
npm install
npm startOpen http://localhost:3000 in your browser.
By default the server binds to
127.0.0.1(localhost only). See Configuration to expose it on your network safely.
The whole app can run with no backend at all: an in-browser adapter
(public/local-backend.js) mirrors the REST API against
IndexedDB, so your data still persists locally in the browser. This is what makes
it publishable to GitHub Pages.
npm run build:static # emits a self-contained ./docs folderThen push and, in your repo, go to Settings → Pages → Source: Deploy from a branch → main / /docs.
Your cheat sheet is live at https://<user>.github.io/<repo>/.
The static build bundles the seed into
docs/seed-data.js, uses relative paths (works under a project subpath), and stores everything (categories, notes, write-ups, machines, uploaded screenshots as inline data URIs) in IndexedDB. Export/Import still work. Re-runnpm run build:staticafter changingseed.jsor the frontend.
If you already have the app running and want to pull the latest seed commands:
git pull
# Then hit the reset endpoint (this will overwrite your custom data!)
curl -X POST http://localhost:8899/api/resetWarning: Reset overwrites your data. Export a backup first via the ⬇ Export button.
All configuration is via environment variables (a .env is not auto-loaded — pass them inline or via your process manager / Docker):
| Variable | Default | Description |
|---|---|---|
PORT |
3000 |
Port to listen on |
HOST |
127.0.0.1 |
Bind address. Set to 0.0.0.0 to expose on your network (the Docker image does this; the port mapping is the boundary there). |
AUTH_USER |
admin |
Basic Auth username (only used when AUTH_PASS is set) |
AUTH_PASS |
(unset) | When set, all requests require HTTP Basic Auth. The browser prompts once and the SPA keeps working. |
JSON_LIMIT |
12mb |
Max request body size (covers image uploads + full DB import) |
See .env.example for a copy-paste template.
This is a local-first, single-user tool. Defaults are chosen so it is safe out of the box:
- Binds to
127.0.0.1— not reachable from your network unless you explicitly setHOST=0.0.0.0. - Optional HTTP Basic Auth — set
AUTH_PASS(and optionallyAUTH_USER) before exposing it anywhere beyond localhost. If you bind to0.0.0.0without a password, the server logs a warning. - Hardened uploads — image uploads are validated by magic bytes (not the filename), capped at 5 MB, served with
X-Content-Type-Options: nosniffand a restrictive CSP. SVG is rejected (it can carry script). - Output escaping — all user-supplied text (category/command names, tags, write-ups) is HTML-escaped before rendering.
- Atomic writes — JSON files are written via a temp-file + rename with a
.bakfallback, so a crash mid-write can't corrupt your database. - Validated import —
/api/importrejects malformed payloads before touching your data.
Even with auth, treat
/api/resetand/api/importwith care — they overwrite data. Keep backups (⬇ Export).
- Click any category in the sidebar to filter
- Use
Ctrl+Kto open search, type any keyword - Click Copy on any command block to copy to clipboard
- Toggle dark/light theme with the
◐button
Ctrl+K command palette · Ctrl+I Quick IP Changer · ? shortcuts · j/k navigate · Enter copy focused · g h/f/w/m go Home/Favorites/Write-ups/Machines · in the write-up editor Ctrl+B/Ctrl+I/Ctrl+K = bold/italic/link
- Click + New Category in the sidebar to create a category
- Click + Sub on a category header to add a subcategory
- Click + Cmd on a subcategory to add a new command
- Use
✎to edit and✕to delete any item
All commands use safe placeholders instead of real IPs:
| Placeholder | Meaning |
|---|---|
<TARGET_IP> |
Target machine IP |
<ATTACKER_IP> / <LHOST> |
Your attack machine IP |
<DOMAIN> |
Target domain name |
<PORT> / <LPORT> |
Port number |
<USERNAME> / <USER> |
Username |
<PASSWORD> / <PASS> |
Password |
<NETWORK>/<CIDR> |
Network range (e.g., 192.168.1.0/24) |
<TARGET_URL> |
Full target URL |
<DC_IP> |
Domain Controller IP |
| Method | Endpoint | Description |
|---|---|---|
GET |
/api/categories |
List all categories |
POST |
/api/categories |
Create a category |
POST |
/api/categories/reorder |
Reorder categories by id list |
PUT |
/api/categories/:id |
Update a category |
DELETE |
/api/categories/:id |
Delete a category |
POST |
/api/categories/:id/subcategories |
Add subcategory |
PUT |
/api/categories/:id/subcategories/:subIdx |
Update subcategory |
DELETE |
/api/categories/:id/subcategories/:subIdx |
Delete subcategory |
POST |
.../subcategories/:subIdx/commands |
Add command |
PUT |
.../commands/:cmdIdx |
Update command |
DELETE |
.../commands/:cmdIdx |
Delete command |
GET/POST/PUT/DELETE |
/api/notes/:catId/:noteId? |
Per-category notes |
GET/POST/PUT/DELETE |
/api/writeups/:id? |
Write-ups |
GET/POST/PUT/DELETE |
/api/machines/:id? |
Machine tracker |
POST |
/api/upload |
Upload a write-up image (base64, magic-byte validated) |
GET |
/api/export |
Download full backup (JSON) |
POST |
/api/import |
Import from JSON (validated) |
POST |
/api/reset |
Reset to default commands |
GET |
/api/health |
Liveness probe (used by the Docker HEALTHCHECK) |
- Frontend: Vanilla HTML/CSS/JS (no framework, no build step)
- Backend: Node.js + Express (single dependency)
- Storage: JSON files (atomic writes, persisted via Docker volume)
- Fonts: Inter + JetBrains Mono (Google Fonts)
cheat-sheet/
├── docker-compose.yml # Docker orchestration
├── Dockerfile # Container build
├── package.json # Node.js dependencies
├── server.js # Express REST API (exports app; testable)
├── seed.js # Default commands (seed data)
├── .env.example # Configuration template
├── scripts/
│ ├── update-readme.js # Regenerate stats + category table from seed.js
│ ├── validate-content.js # Seed structure/quality validator (runs in CI)
│ ├── build-static.js # Emit ./docs — a server-less build for GitHub Pages
│ ├── tag-attack.js # Map offensive commands → MITRE ATT&CK ids (idempotent)
│ └── merge-category.js # Merge a category JSON into seed.js
├── test/ # API tests (node:test)
├── public/
│ ├── index.html # Main HTML
│ ├── style.css # Dark/Light theme styles
│ ├── app.js # Frontend logic + CRUD
│ ├── checklist-templates.js # Static HTB/THM/OSCP machine playbooks
│ ├── local-backend.js # In-browser IndexedDB API (static / offline build)
│ ├── manifest.json # PWA manifest
│ └── service-worker.js # Offline cache (stale-while-revalidate)
├── docs/ # Static build output (npm run build:static) — GitHub Pages
└── data/ # Persistent data (auto-generated, git-ignored)
This tool is intended for educational purposes only. All commands and techniques are meant for use in authorized penetration testing, CTF competitions, and security certification preparation. Always ensure you have proper authorization before testing any system.
Contributions are welcome! See CONTRIBUTING.md. In short:
- Fork the repository
- Create a feature branch (
git checkout -b feat/add-commands) - Add your commands to
seed.jsfollowing the existing structure (includedesc_trfor the Turkish description) - Run
npm testandnode scripts/update-readme.js - Submit a pull request
MIT License — Feel free to use, modify, and distribute. See LICENSE for full text.
| Time | How you can help |
|---|---|
| 5 seconds | Click the ⭐ Star button at the top |
| 30 seconds | Share on Twitter / LinkedIn / your Discord |
| 5 minutes | Open an issue for a missing command |
| 30 minutes | Submit a PR with new commands or fixes |
| 2 hours | Add a whole new category |
Star history:







