The exploitation phase converts findings into footholds. Simterm’s exploit engine is probabilistic for most vulnerabilities but fully deterministic for those marked Reliable — and you can tip the odds further by researching findings with searchsploit before firing. Once you have a foothold, the multi-host commands (netmap, pivot) let you move laterally across a network, and cleanup lets you erase your tracks at a cost.
Core Exploit Commands
| Command | Aliases | Purpose |
|---|---|---|
| exploit <id> | run <id> | Attempt exploitation of a finding |
| login | ssh | Use a reusable token if the host accepts it |
| cleanup | covertracks, cleanlogs | Reduce trace with a clock cost and some risk |
exploit <id> / run <id>
Attempts to exploit the finding identified by <id> (as shown in intel). The outcome depends on the finding’s underlying vulnerability:
- Reliable exploits are fully deterministic: if the finding is real, the exploit always succeeds, regardless of skill, confidence, or defense penalty. The engine logs that it is using a confirmed reliable vector.
- Unstable exploits are probabilistic. The success probability is computed from a base rate plus a weighted sum of your current confidence in the finding and your accumulated skill, minus the normalized vulnerability difficulty and any active defense penalty. The engine shows the estimated probability before rolling.
searchsploit and try again if you have time.
On success, you gain a user-level foothold and the phase advances to Post.
login / ssh
Attempts a deterministic foothold using a reusable credential (foothold token) collected from a previous host. If the current target is configured to accept a specific token and you have it in your loot inventory, login gives you a user shell immediately — no exploit roll required. An authenticated session still leaves a small trace.
cleanup / covertracks / cleanlogs
Attempts to reduce your accumulated trace by re-routing the connection and purging logs. Each successful cleanup reduces trace by a fixed amount. However:
- Each call costs clock ticks.
- The success probability decreases with each cleanup attempt on the same mission. The first cleanup is fairly reliable; repeated cleanups become increasingly risky.
- A failed cleanup does not reduce trace — it adds a backfire penalty of extra noise instead.
cleanup strategically when you are approaching the detection limit and have clock to spare, not as a routine action after every command.
Multi-Host Commands
| Command | Aliases | Purpose |
|---|---|---|
| netmap | lan, neighbors | Discover reachable internal hosts from a compromised node |
| pivot <host> | jump <host> | Move your active context to a reachable internal host |
netmap / lan / neighbors
Scans the internal network from your current foothold and reveals the hostnames of reachable neighbors. You must have a foothold on the current host before netmap can run. The results list each discovered hostname alongside the pivot command to reach it.
pivot <host> / jump <host>
Switches your active operation context to the named internal host. The host must have been revealed by netmap and marked as reachable. Pivoting preserves all per-host state — footholds, discovered ports, findings, and loot — so returning to a previously compromised host picks up exactly where you left off.
Typical Lateral Movement Flow
1. Exploit the entry host. Use exploit (or login) to gain a foothold on the entry node. Then use cat to read any credential files, especially those that contain foothold tokens for other hosts.
2. Discover internal neighbors. Run netmap to reveal reachable hosts on the internal network. The output lists each hostname and the pivot command to reach it.
3. Move to the target host. Run pivot <hostname> to shift your active context to the next host. You will start without a foothold on the new host and must reconnoiter and exploit it.
Cleanup Tradeoffs
Cleanup is never free. Beyond the clock cost and the decreasing success rate, a backfire event during cleanup adds trace rather than reducing it. Keep a mental accounting:
- Is the trace level close enough to the detection limit to justify the risk?
- Do you have enough clock remaining to absorb the cost and continue the mission?
- Is this your first cleanup attempt (safer) or your third (riskier)?
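The three questions above can be worked through as an expected-value check. This is an added illustration, not Simterm's engine code: the class, its method names, and every constant (success chance, decay per attempt, trace reduction, backfire penalty, clock cost, the 80% margin) are assumed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CleanupModel:
    # Every constant here is an assumed placeholder, not a value from Simterm.
    first_success: float = 0.85  # success chance of the first cleanup
    decay: float = 0.20          # chance lost per earlier attempt this mission
    reduction: int = 20          # trace removed by a successful cleanup
    backfire: int = 15           # trace added by a failed cleanup
    clock_cost: int = 3          # clock ticks spent per attempt

    def success_chance(self, attempt: int) -> float:
        """Chance that cleanup number `attempt` (1-based) succeeds."""
        return max(0.0, self.first_success - self.decay * (attempt - 1))

    def expected_trace_delta(self, attempt: int) -> float:
        """Mean trace change for one attempt; negative means trace drops."""
        p = self.success_chance(attempt)
        return -p * self.reduction + (1 - p) * self.backfire

    def first_losing_attempt(self) -> int:
        """First attempt whose expected outcome no longer lowers trace.

        Terminates because the success chance decays to 0 while backfire > 0.
        """
        attempt = 1
        while self.expected_trace_delta(attempt) < 0:
            attempt += 1
        return attempt

    def should_cleanup(self, trace: int, limit: int, clock_left: int,
                       attempt: int, margin: float = 0.8) -> bool:
        """Near the limit, clock to spare, and odds still favourable."""
        near_limit = trace >= margin * limit
        clock_to_spare = clock_left > self.clock_cost
        odds_favourable = self.expected_trace_delta(attempt) < 0
        return near_limit and clock_to_spare and odds_favourable


if __name__ == "__main__":
    model = CleanupModel()
    for n in range(1, 5):
        print(n, round(model.success_chance(n), 2),
              round(model.expected_trace_delta(n), 2))
```

With these assumed numbers the expected gain shrinks on each attempt and turns into an expected loss on the fourth.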
Endings and Choices
Some campaigns present a choice of endings after the final mission is complete. The choose command selects among them.
| Command | Aliases | Purpose |
|---|---|---|
| choose <n> | deliver <n> | Select campaign ending number n when choices are available |
intel or the mission debrief to understand what each choice represents. The game will prompt you when an ending choice is pending.
If you are writing a campaign or replaying with autoplay, note that the engine’s autoplay path avoids Unstable exploits to keep outcomes deterministic. For guaranteed completion without RNG, mark critical exploit paths as Reliable in the vulnerability definition or ensure the player can find the privesc_key loot for the safe privesc path.