🐉 = installed by default on Kali Linux
Gobuster
Gobuster is a tool that finds hidden files and directories on websites using wordlists of common filenames. It's based on the DirBuster tool, but it's written in Go and I have found it to be much faster.
sqlmap 🐉
sqlmap can be pointed at a form field or API endpoint you think might be vulnerable to SQL injection. It will try a number of automated attacks.
reverse shells cheat sheet
This cheat sheet lists a bunch of reverse web shells in PHP, Python, and Bash, along with some other languages.
SQLi cheat sheet
This SQLi cheat sheet on the PortSwigger site is one I reference almost any time I'm trying any SQL injection.
GTFOBins
GTFOBins is a list of legitimate Unix binaries that can be abused to escalate privileges to the root user on misconfigured systems.
RustScan
RustScan is a port scanning tool similar to nmap, but written in Rust. A full port scan with nmap can often take hours, while RustScan can run the same scan in a matter of minutes.
dCode
dCode is a code-cracking website with a huge database of codes and ciphers. I use it often for CTFs because it's easy to use and has a lot of really obscure codes.
CyberChef
CyberChef is another code-cracking website that can stack ciphers in case a ciphertext is encrypted/encoded multiple times.