The post-exploitation phase begins the moment you gain a foothold on a host. From here the operation shifts from network noise to local work: exploring the virtual filesystem, collecting loot, escalating to root, and — if the mission requires it — exfiltrating the objective file. Offline analysis commands (cracking, reversing, decoding) run in this phase too, spending clock ticks without adding network trace.
Virtual Filesystem Commands
These commands become available once you have a user shell on the current host. They operate on the campaign-defined virtual filesystem (TargetNode.filesystem).
| Command | Aliases | Purpose |
|---|---|---|
| `ls [path]` | `dir [path]` | List a directory or file |
| `cd [path]` | | Change the current working directory |
| `pwd` | | Show the current working directory |
| `cat <path>` | `read <path>`, `type <path>` | Read a file and collect any loot it contains |
| `exfil <path>` | | Exfiltrate the mission objective file and complete the level |
| `find [text]` | | Search file and directory names across the entire tree |
| `whoami` | | Show the current user name |
| `id` | | Show uid/gid of the current session |
| `privesc` | `escalate`, `root` | Attempt local privilege escalation |
| `loot` | `creds` | Show all collected credentials and notes |
Notes on filesystem commands
- cat collects loot (credentials, skill bonuses, privesc keys, foothold tokens) the first time you read a file. Re-reading the same path prints the content but does not award loot again.
- Files with root: true in the campaign data are permission-denied until you have root. cat and exfil will print Permission denied if you are still at user level.
- cat on a binary file prints a note that the file is not printable and suggests strings / disasm instead. No loot is awarded from a raw cat on a binary.
- Files with an encoding set (Base64 or Xor) show the encoded blob and a hint to decode with the appropriate command. Loot is collected only after successful decoding.
- exfil completes the mission level only if the path matches the campaign’s configured objective. Exfiltrating a non-objective file prints an error.
- cd with no argument changes to /. ls with no argument lists the current directory.
Local Privilege Escalation
privesc / escalate / root
Attempts local privilege escalation to root. There are two paths:
Safe path (deterministic): If you have collected the privesc_key loot from the current host (typically a credential file, SSH key, or config with privesc_key: true), escalation succeeds every time with no randomness. The engine uses this path automatically when privesc_unlocked is true.
Probabilistic path: Without a privesc key, the engine computes a success probability from your skill level, the host’s configured root_difficulty, and the active defense penalty. A failed attempt adds trace noise and the attempt can be retried.
Before calling privesc, explore the filesystem with ls, find, and cat. Look for files whose loot includes a privesc_key. Collecting the key unlocks the deterministic path and guarantees root — no RNG, no wasted clock on failed attempts.
Local Privesc Enumeration Commands
These commands reveal the local_privesc vector defined for the current host (if one exists), which also enables the deterministic privesc path. Each tool covers specific LocalKind values; running the wrong one for the host’s vector type logs that nothing was found.
| Command | Purpose |
|---|---|
| `linpeas` | Broad local enumeration — covers every LocalKind variant |
| `sudo -l` | Reveals LocalKind::Sudo |
| `suid` | Reveals LocalKind::Suid |
| `sysinfo` | Reveals LocalKind::Kernel |
LocalKind::Cron is only covered by linpeas — there is no dedicated cron-specific command. When unsure which vector type the host has, run linpeas first.
Offline Analysis, Reversing, and Decoding
These commands run locally after you have a foothold. They spend clock ticks but do not add network noise (except local enumeration, which adds a small amount of trace). They operate on files in the virtual filesystem.
| Command | Aliases | Purpose |
|---|---|---|
| `john <path>` | `hashcat <path>` | Crack a looted hash file (must cat the file first) |
| `strings <path>` | | Show printable strings from a reversible binary |
| `disasm <path>` | `objdump <path>`, `r2 <path>` | Show campaign-authored pseudo-disassembly |
| `solve <path> <secret>` | | Submit the secret extracted from a binary |
| `base64 <path>` | | Decode a Base64-encoded VFS file |
| `xor <path> <key>` | | Decode an XOR-encoded VFS file with the supplied key |
john / hashcat
Cracks a hash file offline. The file must have been read with cat first (so the hash is in your loot inventory). Success probability depends on your accumulated skill, the hash’s configured strength, and whether you have a wordlist. Hashes marked needs_wordlist: true cannot be cracked at all without one — find and cat a wordlist file from the network first.
strings
Dumps printable strings from a binary file. Some strings are decoys; at least one contains a clue for the secret. Use this as the first step in the reversing workflow.
disasm / objdump / r2
Shows the campaign-authored pseudo-disassembly of a binary, which reveals the comparison or logic that validates the secret. Read this alongside strings to identify the value to submit with solve.
solve <path> <secret>
Submits the secret you extracted from the binary. The check is case-insensitive. On success the binary’s reward (a skill bonus, credential, foothold token, or privesc key) is granted and the binary is marked solved.
base64 / xor
Decodes a VFS file whose content is encoded. After successful decoding the file’s loot (if any) is collected, just as with a normal cat. For xor, you must supply the correct key; an incorrect key produces garbage output and no loot.
```
base64 /home/op/config.b64
xor /etc/c2.cfg k3y
```
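The decode behaviour described above, as an added Python sketch that is not simterm's own code: it shows why a wrong XOR key yields garbage while the right key restores the text. It assumes a repeating-key XOR and uses a printable-text heuristic as a stand-in for the engine's success check; the function names and sample file content are hypothetical.

```python
from __future__ import annotations
import base64
from itertools import cycle

# Constructed sample data; "k3y" is the key from the page's xor example.
SAMPLE_PLAINTEXT = b"c2_user=operator\nc2_pass=hunter2\n"
SAMPLE_KEY = "k3y"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme). The same call encodes and decodes."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def looks_decoded(data: bytes) -> bool:
    """Heuristic stand-in for 'decoding succeeded': printable UTF-8 text only."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)

def decode_vfs(blob: bytes, encoding: str, key: str = "") -> tuple[bool, bytes]:
    """Return (success, output); loot would be collected only when success is True."""
    if encoding == "Base64":
        try:
            return True, base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            return False, b""
    if encoding == "Xor":
        out = xor_bytes(blob, key.encode())
        return looks_decoded(out), out
    raise ValueError(f"unsupported encoding: {encoding}")

if __name__ == "__main__":
    xored = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY.encode())
    for attempt in (SAMPLE_KEY, "K3Y"):  # correct key, then a wrong-case key
        ok, out = decode_vfs(xored, "Xor", attempt)
        print(f"xor key={attempt!r}: success={ok} output={out!r}")
    print(decode_vfs(base64.b64encode(SAMPLE_PLAINTEXT), "Base64"))
```

With the wrong-case key `K3Y`, every byte under a mismatched key character is flipped by 0x20, so `_` becomes the DEL control byte and the output fails the printable check.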
Achievements
| Command | Aliases | Purpose |
|---|---|---|
| `logros` | `logro`, `achievements`, `achievement` | List all unlocked and pending campaign achievements |
The logros command shows which achievements have been unlocked during the current campaign run and which remain pending. Achievements are defined in campaign data and can be unlocked by reaching specific game states, exploiting particular findings, or through declarative campaign command effects.