Skip to content

worldtreeboy/OSEP-Command-Builder

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

OSEP Command Builder

Python Flask Commands Categories Version

A self-contained, offline pentest command cheat sheet built for OSEP-style engagements. Set your IP, port, domain, and credentials once in the variable bar and every {{PLACEHOLDER}} across all 535 commands (in 26 categories) updates live. One click copies any command, a whole multi-step chain, or an entire category to your clipboard.

Everything runs locally in a tiny Flask app — no internet, no telemetry, bound to 127.0.0.1 only.


Features

  • Live variable substitution — fill in YOUR IP (LHOST), target, domain, user, hash, pivot host, etc. and every command rewrites instantly. Filled values are highlighted; any variable you leave blank stays visible as a red {{PLACEHOLDER}}.
  • 🔑 Credential vault — stash creds as you loot them and load any one into the variable bar with a single click (see below).
  • One-click copy — copy a single command, a whole ordered chain, or an entire category.
  • Live search — filter all commands and notes as you type (rubeus, ntlmrelayx, ligolo, xp_cmdshell, …).
  • Two themes — a modern Gemini theme and a high-contrast Classic black terminal look.
  • Persistent — your variables, credentials, and theme are saved in the browser (localStorage) and survive restarts.
  • Offline & private — pure Python + vanilla JS, localhost only, no external requests.

Quick start

Windows

Double-click start.bat. It installs Flask if needed, starts the server, and opens your browser at http://127.0.0.1:5000.

Linux / WSL / macOS

./start.sh

(or bash start.sh)

Manual

pip install -r requirements.txt
python app.py

Then open http://127.0.0.1:5000.

To use a different port:

PORT=8080 python app.py

How it works

  • Variable bar (sticky, top): fill in your attacker IP, target IP/host/port, domain, DC IP, base DN, username, password, NTLM hash, pivot host, and internal subnet.
  • Every command below updates instantly. Keep Target hostname distinct from Target IP — Kerberos SPNs need the short hostname, never the IP.
  • copy — copies one filled-in command.
  • copy chain — copies every step of a multi-step chain, in order.
  • copy all — copies every command in a category.
  • search — filters all commands/notes live.
  • reset defaults — restores the starting values.

Variables

Key Label Example
LHOST Your IP (LHOST) 192.168.45.172
LPORT Listener port 443
LGPORT Ligolo port 11601
WEB Your HTTP port 8001
RHOST Target IP 10.10.10.10
THOST Target hostname dc01
RPORT Target port 80
DOMAIN Domain corp.com
DCIP DC IP (-dc-ip) 10.10.10.10
BASEDN Base DN (LDAP) DC=corp,DC=com
USER Username Administrator
PASS Password Password123!
NTHASH NTLM hash 00000000000000000000000000000000
PIVOT Pivot host IP 172.16.1.10
SUBNET Internal subnet 172.16.1.0/24

Credential vault

As you loot creds during an engagement, stash them in the 🔑 Credential Vault (just under the variable bar):

  • Add a cred by hand — domain / username / password / NT hash / host / note.
  • Paste & import — drop in raw output and it auto-extracts credentials (duplicates are skipped). It understands:
    • secretsdump / SAM / pwdump lines — Administrator:500:aad3b4…:5bdd6a…:::
    • cleartext lines — CORP.COM\jdoe:Summer2024!
    • a lone NT hash on its own line
    • whole command lines — e.g. evil-winrm -i 10.0.0.5 -u Administrator -H 5bdd6a… (pulls out user / hash / password / domain / host)
    • impacket target syntax — corp.com/administrator@10.10.10.10 — and Rubeus /user: /rc4:
  • use — one click loads that cred into the variable bar (USER, DOMAIN, NTHASH, PASS), so every command instantly rewrites to use it. The active cred is highlighted, and editing a variable by hand clears the highlight.
  • copy the hash or password, click a host to set it as the Target IP, delete a single cred, or clear all. Everything persists in localStorage.

Command categories

26 categories, 535 commands:

# Category Commands
00 Host Discovery & Recon 16
01 Service / Protocol Enumeration 67
02 Mail Attacks — SMTP / IMAP / POP3 30
03 Kali: Servers & Listeners 7
04 Payload Generation & Delivery 17
05 Meterpreter: Session Control 17
06 File Transfer (download to target) 6
07 File Transfer (exfil from target) 5
08 Execution & AppLocker / CLM Bypass 10
09 Credential Dumping (Windows) 19
10 File / Secret Hunting 16
11 Windows Privilege Escalation 20
12 Linux Privilege Escalation 13
13 Linux Shared-Library / LD_PRELOAD Hijack 7
14 AMSI / Defender / Logging Evasion 15
15 Active Directory Enumeration 19
16 NetExec (nxc) Module Reference 67
17 Kerberos / Pass-the-Hash / Delegation 78
18 MSSQL Exploitation 15
19 NTLM Relay / Poisoning 7
20 Tunneling / Pivoting (Ligolo-ng + chisel) 23
21 Web Enum / Dir Busting 7
22 Brute Forcing (Hydra) 4
23 Reverse Shells & Payloads 7
24 Lateral Movement / Access 30
25 Misc / Utilities 13

Configuration

Setting How
Port PORT=8080 python app.py (defaults to 5000)
Bind address Hard-bound to 127.0.0.1 (localhost only) by design
Edit commands Change commands.json and refresh the page — no restart needed

JSON API

The full dataset is available for scripting:

curl http://127.0.0.1:5000/api/commands

Returns { "vars": [...], "groups": [...] }.


Project structure

File Purpose
app.py Flask server + variable definitions
commands.json The command dataset (26 categories, 535 commands)
templates/index.html Page shell
static/app.js Live substitution, credential vault, copy, search
static/style.css Gemini + Classic themes
start.bat / start.sh One-click launchers
requirements.txt Just Flask

Adding your own commands

commands.json is a list of category objects. Each has an id, an accent color, a title, an optional HTML intro, and a list of cmds. A command is either a single entry or a multi-step chain:

{
  "id": "mycat",
  "accent": "cyan",
  "title": "MY CATEGORY",
  "intro": "<b>Optional</b> HTML shown under the header.",
  "cmds": [
    { "c": "nxc smb {{RHOST}} -u {{USER}} -H {{NTHASH}}", "note": "pass-the-hash" },
    {
      "type": "chain",
      "label": "example chain",
      "intro": "Optional HTML intro for the chain.",
      "cmds": [
        { "c": "step one {{LHOST}}", "note": "first" },
        { "c": "step two {{RHOST}}", "note": "second" }
      ]
    }
  ]
}

Use {{KEY}} anywhere in a c string and it becomes a live, substituted variable. Available accents: cyan, green, pink, yellow, purple, red, orange.


Security & disclaimer

This tool ships no exploits — it is a reference that fills in commands with your own values. It is intended for authorized security testing, CTFs, and exam preparation only. You are responsible for having explicit permission to test any system you target. The server binds to 127.0.0.1 and makes no outbound connections.


Changelog

v1.20

  • NetExec (nxc) reference expanded (category 16, 42 → 67 commands): SMB null/guest/anonymous enum, --computers / --local-groups / --disks / --filter-shares; a new files, spider & host audit chain (spider_plus, --spider, --get-file / --put-file, wcc); krbtgt-only --ntds plus KeePass / mRemoteNG / Veeam loot modules; a new LDAP — AD hunting chain (--gmsa, delegation, --password-not-required, --admin-count, get-desc-users, laps); and nopac / spooler / webdav / timeroast.
  • Ligolo pivoting — collapsed three duplicate listener_add entries into one with a full note (runs on Kali, the reverse direction, and both address sides).
  • Totals now 26 categories, 535 commands.

v1.10

  • New Mail Attacks — SMTP / IMAP / POP3 category (02): user/mailbox enumeration, credential spraying, open-relay testing, authenticated phishing, and authenticated looting of IMAP folders (BODY.PEEK) and POP3 mailboxes (RETR), plus curl one-shots. Now 26 categories, 505 commands.

v1.00

  • Initial release: 25 categories, 475 commands with live {{VARIABLE}} substitution.
  • One-click copy for single commands, chains, and whole categories.
  • Live search, Gemini/Classic themes, localStorage persistence.
  • 🔑 Credential vault — store creds and one-click load them into the variable bar; import from secretsdump/SAM/pwdump output, cleartext lines, lone hashes, or full command lines.

About

Offline Flask pentest command cheat sheet — 475 OSEP commands, live variable substitution, and a credential vault.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors