Every mission operates against one or more target hosts. A host definition collects everything the engine needs to simulate the kill chain: what services are exposed, what vulnerabilities exist behind them, what the filesystem looks like once the player has a foothold, and what escalation routes lead to root. All of this is declared as data inDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/0x-unkwn0wn/simterm/llms.txt
Use this file to discover all available pages before exploring further.
TargetNode — no Rust required.
TargetNode struct fields
| Field | Type | Default | Description |
|---|---|---|---|
hostname | string | required | Fully-qualified hostname (e.g. web-01.lab.local). |
ip | string | required | IP address shown during recon. |
os | string | required | OS string shown by uname and sysinfo. |
services | Service list | required | Exposed services discovered during scanning. |
vulnerabilities | Vulnerability list | required | Hidden vulnerabilities. Players never read these directly. |
filesystem | FsNode list | [] | Virtual filesystem, accessible in the post-exploitation phase. |
accepts_token | Some("token") or None | None | Foothold token accepted by login for a deterministic entry. |
local_privesc | Some(LocalPrivesc) or None | None | Local escalation vector discoverable by enumeration commands. |
Service
Services are the enumeration targets discovered after initial scanning. Theirname determines which enumeration tools and categories apply.
| Field | Type | Description |
|---|---|---|
port | u16 | Port number. |
name | string | Service name. Controls enumeration category (see table below). |
version | string | Version string shown during enumeration. |
requires | Some("token") or None | If set, the service can be discovered but cannot be enumerated until the player holds that foothold token. |
Service name → enumeration category
| Service names | Enumeration category |
|---|---|
http, https, http-proxy, http-alt | Web |
smb, netbios, netbios-ssn, microsoft-ds | SMB |
ssh | SSH / login |
mysql, pgsql, postgresql, redis, mongodb, mssql, oracle | Database |
| everything else | Generic |
nikto, gobuster, and sqlmap; SMB to enum4linux; SSH/login to hydra (intentionally noisy); databases to sqlmap; unknown services to probe.
Vulnerability
Vulnerabilities are the actual attack surface. They are always hidden from the player — the player reasons about them through enumeration results and tool output, then attempts to exploit what they have found.| Field | Type | Default | Description |
|---|---|---|---|
id | string | required | Internal identifier (not shown directly to the player). |
name | string | required | Human-readable name (shown in enumeration output). |
affected_service | u16 | required | Port of the service this vulnerability belongs to. Must exist in services. |
difficulty | u8 | required | Exploitation difficulty, 1..=10. |
stealth_cost | u8 | required | Trace added to the detection meter when exploiting. |
reliability | Reliable or Unstable | Unstable | Whether exploitation is deterministic once identified. |
Reliability
| Value | When to use |
|---|---|
Reliable | Deterministic once identified. Use for credentials, no-auth bugs, LFI, SQL injection, and simple bypasses. |
Unstable | Probabilistic. Use for fragile RCE, deserialization, memory corruption, SSRF, races, and timing-dependent vectors. |
reliability is omitted it defaults to Unstable. Mark early-mission entry vectors Reliable so players aren’t blocked by bad RNG at low detection budgets.
Local privilege escalation
local_privesc models a host-side escalation vector that enumeration tools can discover. Once found, it enables the privesc command as a deterministic route to root — equivalent to having found a privesc_key file in the filesystem.
| Field | Type | Description |
|---|---|---|
kind | LocalKind | Type of escalation vector (see below). |
note | string | Hint shown to the player on discovery. |
LocalKind values
| Value | Discovery command | Description |
|---|---|---|
Sudo | sudo -l | An abusable sudo rule (GTFOBin). |
Suid | suid | An abusable SUID binary. |
Kernel | sysinfo | A vulnerable kernel or OS version. |
Cron | linpeas | A root cron job with a writable script. |
linpeas discovers all four kinds. The specific commands listed above each find only their own category.