ORTBOT: A Red Teamer's Command Reference That Fits in Your Terminal
Hook
When you're inside a compromised network with a reverse shell and spotty internet, browsing documentation isn't an option—you need commands memorized or cached locally.
Context
Red team operations and penetration testing exist in a unique operational context: you're often working from restricted shells, limited network access, or air-gapped environments where consulting online resources is impossible or inadvisable. While comprehensive platforms like HackTricks and Metasploit documentation offer detailed explanations and constantly updated techniques, they require reliable internet access and time to navigate through verbose content.
ORTBOT addresses this by providing a deliberately minimalist, command-focused reference that practitioners can clone once and reference offline indefinitely. It's structured as a single comprehensive markdown document covering everything from basic Linux file manipulation to advanced Windows privilege escalation. The repository emerged from a practical need: having a lightweight, searchable command reference that works in terminal-based markdown readers during engagements when every second counts and network access is either monitored or unavailable.
Technical Insight
ORTBOT's architecture is intentionally flat—it's a markdown knowledge base organized hierarchically by domain rather than a software tool with executable components. The main document uses a table-of-contents structure with anchor links, making it instantly searchable with standard text tools like grep, ripgrep, or even basic Ctrl+F in terminal markdown viewers.
The document's organization reveals deliberate design choices. Commands are grouped by operational context rather than alphabetically, reflecting how practitioners actually work. For example, the Linux section flows from reconnaissance (system enumeration, network mapping) to privilege escalation to post-exploitation, mirroring a typical attack chain. Each command includes inline comments explaining purpose and output:
# Enumerate SUID binaries for privilege escalation
find / -perm -4000 -type f 2>/dev/null
# Check for world-writable directories
find / -writable -type d 2>/dev/null
# Extract credentials from configuration files
grep -r "password" /var/www/html 2>/dev/null
This format prioritizes copy-paste readiness over explanation. Unlike tutorial-style documentation, ORTBOT assumes you already know why you'd search for SUID binaries—it just reminds you of the exact syntax when your memory fails under pressure.
The Windows section demonstrates cross-platform thinking by including both CMD and PowerShell variants:
# List all services and their binary paths
Get-WmiObject win32_service | Select Name, DisplayName, PathName
# Equivalent CMD approach
wmic service get name,displayname,pathname,startmode
# Find unquoted service paths (privilege escalation vector)
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\" | findstr /i /v """
This dual-command approach reflects operational reality: you don't always control which shell you land in, so having both variants readily available saves critical time during exploitation windows.
The networking section includes protocol-specific commands spanning packet analysis, VPN manipulation, and remote access configuration. Commands for extracting OpenVPN credentials, manipulating iptables rules, and performing ARP spoofing sit alongside basic connectivity troubleshooting—acknowledging that red teamers often need to fix network issues to maintain access.
# Extract private keys from OpenVPN configuration
grep -A 20 "<ca>" /etc/openvpn/client.conf
# Capture packets matching specific patterns
tcpdump -i eth0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
# SSH tunneling for pivoting
ssh -D 9050 -f -C -q -N user@compromised-host
The penetration testing section aggregates tool-specific syntax for Metasploit, Nmap, Hydra, John the Ripper, and other Kali Linux staples. Rather than reproducing tool documentation, it captures the most frequently used command patterns and parameter combinations that practitioners actually deploy in engagements.
Gotcha
ORTBOT's greatest strength—being a static snapshot—is also its fundamental limitation. Command syntax evolves, operating systems update their security models, and tools introduce new flags while deprecating old ones. There's no indication of when commands were documented or which OS versions they target. A command that works perfectly on Ubuntu 18.04 might fail or behave dangerously differently on Ubuntu 22.04.
The repository also lacks critical context about operational security and legality. It presents commands without discussing when their use is appropriate, what logs they generate, or how defensive systems might detect them. A junior practitioner could easily misuse these commands in unauthorized contexts or during authorized engagements without proper scoping, creating legal liability. The document provides no guidance on rules of engagement, scope management, or the ethical framework surrounding offensive security operations. Additionally, there's no maintenance activity visible—the repository appears to be a one-time knowledge dump rather than a living document that evolves with the threat landscape.
Verdict
Use ORTBOT if you need a lightweight, offline-capable command reference for penetration testing engagements, want a single searchable document you can grep through in restricted shells, or are building your own personalized command library and need a solid starting template. It's particularly valuable for air-gapped environments, exam scenarios like OSCP where documentation access is limited, or as a cached backup when internet connectivity is unreliable. Skip it if you need up-to-date tool documentation with version-specific syntax, require detailed explanations of underlying concepts and security implications, want automated scripts rather than manual commands, or are a beginner who needs ethical context and guidance on appropriate use. For active engagements with reliable internet, more comprehensive resources like HackTricks provide better depth and currency.
