The post-exploitation phase begins the moment you gain a foothold on a host. From here the operation shifts from network noise to local work: exploring the virtual filesystem, collecting loot, escalating to root, and — if the mission requires it — exfiltrating the objective file. Offline analysis commands (cracking, reversing, decoding) run in this phase too, spending clock ticks without adding network trace.

Virtual Filesystem Commands

These commands become available once you have a user shell on the current host. They operate on the campaign-defined virtual filesystem (TargetNode.filesystem).

| Command | Aliases | Purpose |
|---|---|---|
| ls [path] | dir [path] | List a directory or file |
| cd [path] | | Change the current working directory |
| pwd | | Show the current working directory |
| cat <path> | read <path>, type <path> | Read a file and collect any loot it contains |
| exfil <path> | | Exfiltrate the mission objective file and complete the level |
| find [text] | | Search file and directory names across the entire tree |
| whoami | | Show the current user name |
| id | | Show uid/gid of the current session |
| privesc | escalate, root | Attempt local privilege escalation |
| loot | creds | Show all collected credentials and notes |

Notes on filesystem commands

  • cat collects loot (credentials, skill bonuses, privesc keys, foothold tokens) the first time you read a file. Re-reading the same path prints the content but does not award loot again.
  • Files with root: true in the campaign data are permission-denied until you have root. cat and exfil will print Permission denied if you are still at user level.
  • cat on a binary file prints a note that the file is not printable and suggests strings / disasm instead. No loot is awarded from a raw cat on a binary.
  • Files with an encoding set (Base64 or Xor) show the encoded blob and a hint to decode with the appropriate command. Loot is collected only after successful decoding.
  • exfil completes the mission level only if the path matches the campaign’s configured objective. Exfiltrating a non-objective file prints an error.
  • cd with no argument changes to /. ls with no argument lists the current directory.

Local Privilege Escalation

privesc / escalate / root

Attempts local privilege escalation to root. There are two paths:

  • Safe path (deterministic): If you have collected the privesc_key loot from the current host (typically a credential file, SSH key, or config with privesc_key: true), escalation succeeds every time with no randomness. The engine uses this path automatically when privesc_unlocked is true.
  • Probabilistic path: Without a privesc key, the engine computes a success probability from your skill level, the host’s configured root_difficulty, and the active defense penalty. A failed attempt adds trace noise and the attempt can be retried.

privesc

Before calling privesc, explore the filesystem with ls, find, and cat. Look for files whose loot includes a privesc_key. Collecting the key unlocks the deterministic path and guarantees root — no RNG, no wasted clock on failed attempts.

Local Privesc Enumeration Commands

These commands reveal the local_privesc vector defined for the current host (if one exists), which also enables the deterministic privesc path. Each tool covers specific LocalKind values; running the wrong one for the host’s vector type logs that nothing was found.

| Command | Purpose |
|---|---|
| linpeas | Broad local enumeration — covers every LocalKind variant |
| sudo -l | Reveals LocalKind::Sudo |
| suid | Reveals LocalKind::Suid |
| sysinfo | Reveals LocalKind::Kernel |

LocalKind::Cron is only covered by linpeas — there is no dedicated cron-specific command. When unsure which vector type the host has, run linpeas first.

Offline Analysis, Reversing, and Decoding

These commands run locally after you have a foothold. They spend clock ticks but do not add network noise (except local enumeration, which adds a small amount of trace). They operate on files in the virtual filesystem.

| Command | Aliases | Purpose |
|---|---|---|
| john <path> | hashcat <path> | Crack a looted hash file (must cat the file first) |
| strings <path> | | Show printable strings from a reversible binary |
| disasm <path> | objdump <path>, r2 <path> | Show campaign-authored pseudo-disassembly |
| solve <path> <secret> | | Submit the secret extracted from a binary |
| base64 <path> | | Decode a Base64-encoded VFS file |
| xor <path> <key> | | Decode an XOR-encoded VFS file with the supplied key |

john / hashcat

Cracks a hash file offline. The file must have been read with cat first (so the hash is in your loot inventory). Success probability depends on your accumulated skill, the hash’s configured strength, and whether you have a wordlist. Hashes marked needs_wordlist: true cannot be cracked at all without one — find and cat a wordlist file from the network first.
john /etc/shadow.bak

strings

Dumps printable strings from a binary file. Some strings are decoys; at least one contains a clue for the secret. Use this as the first step in the reversing workflow.
strings /opt/authd

disasm / objdump / r2

Shows the campaign-authored pseudo-disassembly of a binary, which reveals the comparison or logic that validates the secret. Read this alongside strings to identify the value to submit with solve.
disasm /opt/authd

solve <path> <secret>

Submits the secret you extracted from the binary. The check is case-insensitive. On success the binary’s reward (a skill bonus, credential, foothold token, or privesc key) is granted and the binary is marked solved.
solve /opt/authd AX29

base64 / xor

Decodes a VFS file whose content is encoded. After successful decoding the file’s loot (if any) is collected, just as with a normal cat. For xor, you must supply the correct key; an incorrect key produces garbage output and no loot.
base64 /home/op/config.b64
xor /etc/c2.cfg k3y
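
The loot rules from the notes on filesystem commands, combined with the xor behaviour described above, as a small Rust model. This is an added example, not simterm's engine code: the struct and field names, the stored-key comparison used to decide that a key is correct, and the sample file content are assumptions; only the path /etc/c2.cfg and the key k3y come from the page's example. Base64 files are not modelled.

```rust
use std::collections::HashSet;
// Hypothetical model of a VFS file; field names are assumptions, not simterm's types.
struct VfsFile {
    path: &'static str,
    root: bool,                     // `root: true` in the campaign data
    xor_key: Option<&'static [u8]>, // Some(key) when the stored bytes are XOR-encoded
    stored: Vec<u8>,
    loot: Option<&'static str>,
}

#[derive(Default)]
struct Session { is_root: bool, seen: HashSet<&'static str>, inventory: Vec<&'static str> }

// Repeating-key XOR; the same operation encodes and decodes.
fn xor_bytes(data: &[u8], key: &[u8]) -> Vec<u8> {
    data.iter().zip(key.iter().cycle()).map(|(b, k)| b ^ k).collect()
}

impl Session {
    // Loot is awarded once per path; any later call returns false.
    fn award(&mut self, f: &VfsFile) -> bool {
        match f.loot {
            Some(item) if self.seen.insert(f.path) => { self.inventory.push(item); true }
            _ => false,
        }
    }
    // cat: root-only files are denied at user level; an encoded file gives no loot.
    fn cat(&mut self, f: &VfsFile) -> Result<bool, &'static str> {
        if f.root && !self.is_root { return Err("Permission denied"); }
        if f.xor_key.is_some() { return Ok(false); }
        Ok(self.award(f))
    }
    // xor: always returns the XORed bytes; loot follows only the correct key.
    fn xor(&mut self, f: &VfsFile, key: &[u8]) -> (Vec<u8>, bool) {
        let out = xor_bytes(&f.stored, key);
        let correct = f.xor_key.map_or(false, |k| k == key);
        (out, correct && self.award(f))
    }
}

// Constructed sample: path and key are the page's example, the content is made up.
fn sample() -> VfsFile {
    VfsFile { path: "/etc/c2.cfg", root: false, xor_key: Some(&b"k3y"[..]),
              stored: xor_bytes(b"beacon=60s", b"k3y"), loot: Some("c2 beacon interval") }
}
fn main() {
    let (f, mut s) = (sample(), Session::default());
    println!("{:?} {:?} {:?}", s.cat(&f), s.xor(&f, b"bad"), s.xor(&f, b"k3y"));
}
```
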

Achievements

| Command | Aliases | Purpose |
|---|---|---|
| logros | logro, achievements, achievement | List all unlocked and pending campaign achievements |

The logros command shows which achievements have been unlocked during the current campaign run and which remain pending. Achievements are defined in campaign data and can be unlocked by reaching specific game states, exploiting particular findings, or through declarative campaign command effects.

logros
achievements
