
The exploitation phase converts findings into footholds. Simterm’s exploit engine is probabilistic for most vulnerabilities but fully deterministic for those marked Reliable — and you can tip the odds further by researching findings with searchsploit before firing. Once you have a foothold, the multi-host commands (netmap, pivot) let you move laterally across a network, and cleanup lets you erase your tracks at a cost.

Core Exploit Commands

| Command | Aliases | Purpose |
| --- | --- | --- |
| exploit <id> | run <id> | Attempt exploitation of a finding |
| login | ssh | Use a reusable token if the host accepts it |
| cleanup | covertracks, cleanlogs | Reduce trace with a clock cost and some risk |

exploit <id> / run <id>

Attempts to exploit the finding identified by <id> (as shown in intel). The outcome depends on the finding’s underlying vulnerability:
  • Reliable exploits are fully deterministic — if the finding is real, the exploit always succeeds, regardless of skill, confidence, or defense penalty. The engine logs that it is using a confirmed reliable vector.
  • Unstable exploits are probabilistic. The success probability is a base rate plus weighted contributions from your current confidence in the finding and your accumulated skill, minus the normalized vulnerability difficulty and any active defense penalty. The engine shows the estimated probability before rolling.
A false-positive finding has no underlying vulnerability. Attempting to exploit one fails, costs extra trace (25 noise from the alarmed service), and marks the finding as failed. A failed exploit on a real vulnerability also costs extra trace (18 noise) and marks the finding as failed, but does not consume the finding slot — you can investigate further with searchsploit and try again if you have time. On success, you gain a user-level foothold and the phase advances to Post.
exploit 1
run 3
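The three exploit outcomes above (Reliable, Unstable and false positive), as an added model that is not Simterm's own code. The base rate, the two weights and the field names are assumptions; only the 25 and 18 noise costs come from the page.

```python
# Added example (not Simterm's own code): a model of the exploit roll.
# BASE_RATE, W_CONFIDENCE, W_SKILL and the Finding fields are assumptions;
# the noise costs come from the documentation above.
from dataclasses import dataclass

BASE_RATE = 0.35            # assumed base success rate for Unstable exploits
W_CONFIDENCE = 0.4          # assumed weight on confidence in the finding
W_SKILL = 0.3               # assumed weight on accumulated skill
NOISE_FALSE_POSITIVE = 25   # from the page: alarmed service
NOISE_FAILED_EXPLOIT = 18   # from the page: failed roll on a real vuln


@dataclass
class Finding:
    id: int
    real: bool                  # False means a false positive (no vuln behind it)
    reliable: bool = False      # Reliable vector: deterministic success
    difficulty: float = 0.5     # normalized vulnerability difficulty, 0..1
    confidence: float = 0.5     # player's current confidence in the finding, 0..1
    failed: bool = False


def success_probability(f: Finding, skill: float, defense_penalty: float) -> float:
    """Unstable-exploit probability: base rate plus weighted confidence and
    skill, minus normalized difficulty and any active defense penalty."""
    p = (BASE_RATE + W_CONFIDENCE * f.confidence + W_SKILL * skill
         - f.difficulty - defense_penalty)
    return max(0.0, min(1.0, p))


def attempt_exploit(f: Finding, skill: float, defense_penalty: float, roll: float):
    """Return (success, added_noise). `roll` is the RNG draw in [0, 1),
    passed in explicitly so outcomes are reproducible."""
    if not f.real:                      # false positive: always fails, loud
        f.failed = True
        return False, NOISE_FALSE_POSITIVE
    if f.reliable:                      # confirmed vector: ignores skill/defense
        return True, 0
    if roll < success_probability(f, skill, defense_penalty):
        return True, 0
    f.failed = True                     # slot is kept; searchsploit and retry
    return False, NOISE_FAILED_EXPLOIT
```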

login / ssh

Attempts a deterministic foothold using a reusable credential (foothold token) collected from a previous host. If the current target is configured to accept a specific token and you have it in your loot inventory, login gives you a user shell immediately — no exploit roll required. An authenticated session still leaves a small trace.
login

cleanup / covertracks / cleanlogs

Attempts to reduce your accumulated trace by re-routing the connection and purging logs. Each successful cleanup reduces trace by a fixed amount. However:
  • Each call costs clock ticks.
  • The success probability decreases with each cleanup attempt on the same mission. The first cleanup is fairly reliable; repeated cleanups become increasingly risky.
  • A failed cleanup does not reduce trace — it adds a backfire penalty of extra noise instead.
Use cleanup strategically when you are approaching the detection limit and have clock to spare, not as a routine action after every command.
cleanup

Multi-Host Commands

| Command | Aliases | Purpose |
| --- | --- | --- |
| netmap | lan, neighbors | Discover reachable internal hosts from a compromised node |
| pivot <host> | jump <host> | Move your active context to a reachable internal host |

netmap / lan / neighbors

Scans the internal network from your current foothold and reveals the hostnames of reachable neighbors. You must have a foothold on the current host before netmap can run. The results list each discovered hostname alongside the pivot command to reach it.
netmap

pivot <host> / jump <host>

Switches your active operation context to the named internal host. The host must have been revealed by netmap and marked as reachable. Pivoting preserves all per-host state — footholds, discovered ports, findings, and loot — so returning to a previously compromised host picks up exactly where you left off.
pivot relay
jump db-server

Typical Lateral Movement Flow

1. Exploit the entry host. Use exploit (or login) to gain a foothold on the entry node. Then use cat to read any credential files, especially those that contain foothold tokens for other hosts.
2. Discover internal neighbors. Run netmap to reveal reachable hosts on the internal network. The output lists each hostname and the pivot command to reach it.
3. Move to the target host. Run pivot <hostname> to shift your active context to the next host. You will start without a foothold on the new host and must reconnoiter and exploit it.
4. Use foothold tokens where possible. If you collected a reusable token from the previous host and the new host is configured to accept it (accepts_token), run login instead of the full exploit chain to enter deterministically and quietly.

Cleanup Tradeoffs

Cleanup is never free. Beyond the clock cost and the decreasing success rate, a backfire event during cleanup adds trace rather than reducing it. Keep a mental accounting:
  • Is the trace level close enough to the detection limit to justify the risk?
  • Do you have enough clock remaining to absorb the cost and continue the mission?
  • Is this your first cleanup attempt (safer) or your third (riskier)?
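The three questions above turned into an expected-value check, as an added example that is not Simterm's own code. The reduction amount, clock cost, backfire penalty, first-attempt probability and per-attempt decay are all assumed values; the page only states that these quantities exist.

```python
# Added example (not Simterm's own code): expected-value model of cleanup.
# All constants below are assumptions chosen to illustrate the tradeoff.
CLEANUP_REDUCTION = 20      # assumed fixed trace reduction on success
CLEANUP_CLOCK_COST = 3      # assumed clock ticks per call
BACKFIRE_NOISE = 10         # assumed extra noise when cleanup fails
FIRST_ATTEMPT_P = 0.8       # assumed success chance of the first cleanup
DECAY_PER_ATTEMPT = 0.25    # assumed drop in success chance per prior attempt


def cleanup_probability(attempts_so_far: int) -> float:
    """Success chance falls with every cleanup already run this mission."""
    return max(0.0, FIRST_ATTEMPT_P - DECAY_PER_ATTEMPT * attempts_so_far)


def expected_trace_change(attempts_so_far: int) -> float:
    """Negative means cleanup is expected to lower trace; positive means the
    backfire risk now outweighs the reduction."""
    p = cleanup_probability(attempts_so_far)
    return -p * CLEANUP_REDUCTION + (1.0 - p) * BACKFIRE_NOISE


def should_cleanup(trace: int, detection_limit: int, clock_left: int,
                   attempts_so_far: int, margin: int = CLEANUP_REDUCTION) -> bool:
    """Answer the three questions: close to the limit, clock to spare,
    and not yet on an attempt where backfire dominates."""
    if clock_left <= CLEANUP_CLOCK_COST:          # no clock left to continue after
        return False
    if detection_limit - trace > margin:          # not close enough to justify risk
        return False
    return expected_trace_change(attempts_so_far) < 0.0
```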

Endings and Choices

Some campaigns present a choice of endings after the final mission is complete. The choose command selects among them.
| Command | Aliases | Purpose |
| --- | --- | --- |
| choose <n> | deliver <n> | Select campaign ending number n when choices are available |
Use intel or the mission debrief to understand what each choice represents. The game will prompt you when an ending choice is pending.
choose 1
deliver 2
If you are writing a campaign or replaying with autoplay, note that the engine’s autoplay path avoids Unstable exploits to keep outcomes deterministic. For guaranteed completion without RNG, mark critical exploit paths as Reliable in the vulnerability definition or ensure the player can find the privesc_key loot for the safe privesc path.
