From corploc-skills
Use when setting up or managing pentest environments with Exegol, launching offensive security containers, configuring VPN/network for engagements, or when the user mentions Exegol, pentest lab, HTB, CTF environment setup
Slash command: /corploc-skills:exegol-pentest
Exegol is a Docker-based pentest environment with 100+ pre-installed offensive tools, managed via a Python CLI wrapper. It replaces traditional Kali VMs with fast, reproducible, disposable containers.
Core concept: `exegol start <name> <image>` creates a ready-to-hack container in seconds. All tools, resources, and configurations are pre-loaded.
For the complete CLI reference, images list, and resource catalog, see exegol-reference.md in this skill directory.
When NOT to use: For defensive/blue team tooling, forensics-only workflows, or general Docker questions unrelated to security testing.
| Task | Command |
|---|---|
| Start interactive container | exegol start mypentest full |
| Start with workspace | exegol start client1 full -w ./engagement/ |
| Start with current dir | exegol start client1 full -cwd |
| Start with VPN | exegol start htb full --vpn ~/vpn/lab.ovpn |
| Start with logging | exegol start client1 full -l -w ./engagement/ |
| Run single command | exegol exec mypentest 'nmap -sV 10.10.10.1' |
| Run GUI tool in background | exegol exec -b mypentest burpsuite |
| Temp container for one-off | exegol exec --tmp full 'whatweb http://target' |
| List containers/images | exegol info |
| Stop container | exegol stop mypentest |
| Remove container | exegol remove mypentest |
| Install an image | exegol install full |
| Update everything | exegol update |

| Image | Use Case |
|---|---|
| full | General pentest, full toolkit (50GB+) |
| ad | Active Directory / internal pentest |
| web | Web application testing |
| light | Quick recon, limited disk space |
| osint | OSINT / reconnaissance only |
| free | Same as full but community edition (delayed releases) |
```bash
# Standard engagement setup with workspace and logging
exegol start <engagement-name> <image> -w /path/to/engagement/ -l

# Example: Internal AD pentest
exegol start acme-internal ad -w ./acme-corp/ -l

# Example: Web app pentest
exegol start webapp-audit web -w ./webapp-audit/ -l

# Example: HTB lab with VPN
exegol start htb full --vpn ~/vpn/htb-lab.ovpn -w ./htb/
```

| Scenario | Config |
|---|---|
| Host network (default) | No flag needed, shares host interfaces |
| VPN to target network | --vpn ~/path/to/config.ovpn |
| VPN with credentials | --vpn config.ovpn --vpn-auth creds.txt |
| Isolated container | --network disable |
| Container-to-container | --network docker |
| Port forwarding | -p 8080:8080 -p 4444:4444 |

```bash
# WiFi / network sniffing (needs NET_ADMIN)
exegol start wifi full --cap NET_ADMIN -d /dev/bus/usb/

# USB device access (Proxmark, Rubber Ducky, etc.)
exegol start hw full -d /dev/ttyACM0

# Full privilege (use sparingly)
exegol start lab full --privileged
```

```bash
# Create container with AD image
exegol start internal ad -w ./client-engagement/ -l --vpn client-vpn.ovpn

# Inside container:
neo4j start                    # Start Neo4j for BloodHound
bloodhound-ce                  # Launch BloodHound CE (port 1030)
crackmapexec smb 10.0.0.0/24   # Network discovery
responder -I eth0              # LLMNR/NBT-NS poisoning
bloodhound-python -d domain.local -u user -p pass -c All  # Collect AD data
```

Default credentials inside container:
| Service | User | Password |
|---|---|---|
| Neo4j | neo4j | exegol4thewin |
| BloodHound CE | via web UI | exegol4thewin |
| Empire | empireadmin | exegol4thewin |

```bash
# Create container with web image
exegol start webapp web -w ./webapp-audit/ -l

# Inside container:
burpsuite                                         # Launch Burp Suite (proxy on 8080)
nuclei -u https://target.com                      # Automated vuln scanning
sqlmap -u "http://target/page?id=1"               # SQL injection testing
ffuf -u http://target/FUZZ -w /opt/resources/...  # Directory fuzzing
```

```bash
exegol start recon osint -w ./recon/

# Inside container:
subfinder -d target.com             # Subdomain enumeration
httpx -l subdomains.txt             # HTTP probing
theHarvester -d target.com -b all   # Email/domain harvesting
```

Resources are available at /opt/resources inside every container:
| Resource | Path | Purpose |
|---|---|---|
| LinPEAS | /opt/resources/linux/linPEAS/ | Linux privesc enumeration |
| WinPEAS | /opt/resources/windows/winPEAS/ | Windows privesc enumeration |
| Mimikatz | /opt/resources/windows/mimikatz/ | Windows credential extraction |
| Chisel | /opt/resources/linux/chisel/ | TCP/UDP tunneling |
| ligolo-ng | /opt/resources/linux/ligolo-ng/ | Network pivoting |
| SharpHound | /opt/resources/windows/SharpHound/ | AD collection |
| PrintSpoofer | /opt/resources/windows/PrintSpoofer/ | Windows privesc |
| GodPotato | /opt/resources/windows/GodPotato/ | Windows privesc |
| netcat (static) | /opt/resources/linux/nc | Reverse shells |

```bash
# Serve resources to target via HTTP
cd /opt/resources && python3 -m http.server 8888

# Or transfer specific tool
python3 -m http.server -d /opt/resources/linux/linPEAS/ 8888
```

Run parallel containers for different phases or targets:

```bash
# Recon container
exegol start recon-phase osint -w ./engagement/recon/

# Attack container with VPN
exegol start attack full --vpn client.ovpn -w ./engagement/attack/ -l

# C2 container
exegol start c2 full -p 443:443 -p 80:80 -w ./engagement/c2/ -l
```

Switch between containers by spawning new shells:

```bash
exegol start attack   # Opens new shell in existing "attack" container
```

```bash
# Add credentials found during engagement
exh add creds -u 'admin' -p 'P@ssw0rd!' -d 'ACME.LOCAL'
exh add creds -u 'svc_sql' -H 'aad3b435b51404eeaad3b435b51404ee:...' -d 'ACME.LOCAL'

# Set active credentials as environment variables
exh set creds

# Add discovered hosts
exh add hosts --ip 10.10.10.1 -n dc01 -r "Domain Controller"
exh add hosts --ip 10.10.10.5 -n web01 -r "IIS Web Server"

# View current context
exh show

# Bulk import
exh import creds --file found_creds.csv --format CSV
```

```bash
# Enable logging at container creation
exegol start engagement full -l -w ./engagement/

# Logs are stored in /workspace/logs/ (asciinema format by default)
# Replay a session:
asciinema play /workspace/logs/session.cast
```

Logging methods:
- asciinema (default): records terminal sessions, replayable
- script: raw terminal recording

Personal configs persist across all containers via ~/.exegol/my-resources/:

| Path | Purpose |
|---|---|
| bin/ | Custom tools (auto-added to $PATH) |
| setup/zsh/aliases | Custom shell aliases |
| setup/zsh/history | Custom command history |
| setup/python3/requirements.txt | Python packages to auto-install |
| setup/apt/packages.list | APT packages to auto-install |
| setup/bloodhound/customqueries_merge/ | BloodHound custom queries |
| setup/firefox/policies.json | Firefox extensions, bookmarks |
| setup/load_user_setup.sh | Custom setup script (runs on first start) |

| Mistake | Fix |
|---|---|
| Trying to modify container config after creation | Container options are set at creation only. Remove and recreate. |
| Forgetting -l for logging | Always use -l on real engagements for evidence |
| Using --privileged everywhere | Use specific --cap flags instead (e.g., --cap NET_ADMIN) |
| Not setting workspace | Always use -w to persist data outside the container |
| Running out of disk space | full image is 50GB+. Use light or ad/web for focused work |
| VPN not working | VPN auto-switches to docker network mode. Check with `exegol info <container>` |
| GUI apps not displaying | Ensure X11 is not disabled. On macOS, install XQuartz. |
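
Because container options are fixed at creation, the mistakes above are cheapest to catch before the container exists. The following is an added example, not part of the original skill or of Exegol: a pre-launch lint that checks an `exegol start` command line for three rows of the table (`--privileged`, missing `-l`, missing `-w`/`-cwd`). The function name `lint_exegol_start` and the finding labels are hypothetical, and only flags shown on this page are recognised.

```shell
#!/usr/bin/env bash
# Added example (not from Exegol): pre-launch lint for `exegol start` options.
# Prints one finding per line and returns 1 if any finding was raised.

lint_exegol_start() {
    local has_log=0 has_ws=0 has_priv=0 rc=0
    # Accept the full command line or just the part after "exegol start".
    if [ "${1:-}" = "exegol" ]; then shift; fi
    if [ "${1:-}" = "start" ]; then shift; fi
    while [ $# -gt 0 ]; do
        case "$1" in
            -l)           has_log=1 ;;   # session logging
            -w|-cwd)      has_ws=1 ;;    # workspace persisted on the host
            --privileged) has_priv=1 ;;  # full privilege instead of --cap
        esac
        shift
    done
    if [ "$has_priv" -eq 1 ]; then
        echo "PRIVILEGED: replace --privileged with specific --cap flags (e.g. --cap NET_ADMIN)"
        rc=1
    fi
    if [ "$has_log" -eq 0 ]; then
        echo "NO_LOGGING: add -l so the session is recorded as evidence"
        rc=1
    fi
    if [ "$has_ws" -eq 0 ]; then
        echo "NO_WORKSPACE: add -w <dir> so data persists outside the container"
        rc=1
    fi
    return "$rc"
}

# Constructed command lines, modelled on the examples on this page.
for cmd in \
    "exegol start acme-internal ad -w ./acme-corp/ -l" \
    "exegol start lab full --privileged" \
    "exegol start wifi full --cap NET_ADMIN -d /dev/bus/usb/"
do
    echo "== $cmd"
    # Word splitting is intentional: the samples contain no quoted arguments.
    # shellcheck disable=SC2086
    lint_exegol_start $cmd || true
done
```

The non-zero return status lets the function gate a wrapper script so a real-engagement container is not created until the findings are cleared.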
npx claudepluginhub corploc/claude-code-plugins --plugin corploc-skills