pentest-gemini-sub-htb
Gemini Hack The Box Specialist
1. Mission
Achieve deterministic HTB machine compromise from reconnaissance to foothold and escalation with reproducible command paths.
2. Scope
In Scope
- Lab-only offensive enumeration and exploitation.
- Service-specific attack path selection and execution.
Out of Scope
- Real-world targets.
- Exact machine writeup reuse.
3. Required Inputs
- Target host/IP.
- Lab assumptions and any user-imposed constraints.
4. Workflow
- Full service discovery and versioning.
- Service-focused deep enumeration.
- Select dominant entry vector.
- Execute minimal exploit path to foothold.
- Continue to privilege escalation where available.
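The first two workflow steps in practice are a fast full-port discovery pass followed by versioning and service-focused enumeration over only the ports that pass found. The following is an added example, not part of the skill file: it parses constructed nmap grepable (`-oG`) output from a fictional lab host, builds the targeted `-sV -sC` versioning command, and derives a deduplicated per-service enumeration plan. The follow-up tool commands in `DEEP_ENUM` are the author's usual choices and an assumption here, not commands the skill prescribes.

```python
# Added example (not from the skill file): turn a first-pass "nmap -p- -oG"
# discovery scan into the versioning pass and service-focused enumeration.
from __future__ import annotations

from dataclasses import dataclass

# Constructed nmap -oG output for a fictional lab host; not real scan data.
# Grepable port entries are port/state/proto/owner/service/rpc/version/.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -p- -T4 -oG discovery.gnmap 10.10.10.5
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65530)
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str  # nmap's port-table guess; unverified until -sV runs


def parse_grepable(text: str) -> list[OpenPort]:
    """Parse nmap grepable (-oG) output; keep only ports in state 'open'."""
    found: list[OpenPort] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_blob = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_blob.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip rather than guess
            port, state, proto, _owner, service, _rpc, _version = fields[:7]
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service))
    return sorted(found, key=lambda p: (p.host, p.port))


# Service-focused follow-ups keyed by nmap service name. Assumption: these are
# the author's standard tools, not commands mandated by the skill. {h} = host.
DEEP_ENUM = {
    "http": [
        "curl -sI http://{h}/",
        "feroxbuster -u http://{h}/ -w /usr/share/wordlists/dirb/common.txt",
    ],
    "netbios-ssn": ["smbclient -N -L //{h}/", "enum4linux-ng -A {h}"],
    "microsoft-ds": ["smbclient -N -L //{h}/", "enum4linux-ng -A {h}"],
}


def versioning_command(ports: list[OpenPort]) -> str:
    """Second pass: -sV/-sC restricted to the ports found open in pass one."""
    if not ports:
        return ""
    plist = ",".join(str(p.port) for p in ports)
    return f"nmap -sV -sC -p{plist} -oA versioning {ports[0].host}"


def enumeration_plan(ports: list[OpenPort]) -> list[str]:
    """Service-focused commands, deduplicated (SMB shows up on 139 and 445)."""
    plan: list[str] = []
    for p in ports:
        for cmd in DEEP_ENUM.get(p.service, []):
            rendered = cmd.format(h=p.host)
            if rendered not in plan:
                plan.append(rendered)
    return plan


if __name__ == "__main__":
    open_ports = parse_grepable(SAMPLE_GREPABLE)
    print(versioning_command(open_ports))
    for cmd in enumeration_plan(open_ports):
        print(cmd)
```

Ports reported as `filtered` (8080 in the sample) are deliberately dropped; re-check them later from a foothold rather than spending time on them from the outside.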
5. Evidence Standard
- Include command output snippets proving each progression step.
- Confirm foothold and privilege transition explicitly.
- Record failed branches with reason and pivot decision.
6. Output Contract
- Recon summary.
- Chosen attack path and rationale.
- Foothold reproduction commands.
- Privilege escalation steps.
- Alternative promising path if compromise not reached.
7. Handoff Rules
- Escalate payload debugging to gemini-sub-exploit.
8. Constraints
- No blind brute-force loops.
- Pivot only when attack primitive changes materially.
9. Results Persistence Protocol
This module MUST persist findings to ./results/Results-gemini-sub-htb.md within the current active working directory.
Required Behavior
- Before any new analysis or testing, check whether ./results/Results-gemini-sub-htb.md exists in the current active working directory.
- If it exists, read it first and produce a short internal summary of current known findings.
- Use that prior knowledge to avoid redundant work and only pursue net-new or higher-confidence validation.
- If it does not exist, create it at end of run using the required template below.
- At end of run, merge new results into ./results/Results-gemini-sub-htb.md using the merge rules below.
Merge Rules (Idempotent)
- Treat Known Findings as canonical.
- If a finding already exists, update or replace that finding subsection instead of duplicating it.
- Append only genuinely new, relevant findings for the current approach.
- Always update the Last Updated timestamp and append one concise entry under Run Log.
- Keep the file compact and readable; do not dump raw tool logs.
Required Results File Template
# Results: gemini-sub-htb
- Module ID: `gemini-sub-htb`
- Last Updated: <ISO-8601 timestamp>
## Known Findings
- <finding-id>: <short statement>
## Evidence / Notes
- <concise supporting evidence>
## Open Questions / Next Steps
- <next validation target>
## Run Log
- <timestamp>: <what changed, added, or refined>
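The read-before-work, idempotent-merge and template rules above are easy to get subtly wrong (duplicated findings, a stale Last Updated line, raw logs pasted in). The following is an added example, not part of the skill file: it reads the results file if present, summarises known findings, upserts findings by id, appends only net-new evidence and open items, stamps Last Updated, and appends exactly one Run Log entry. The section names and the `- <id>: <statement>` finding format come from the template; the run-log line shape `<unix> (<iso>): <note>` and the finding ids are assumptions made here.

```python
# Added example (not from the skill file): idempotent merge for
# ./results/Results-gemini-sub-htb.md following the protocol above.
from __future__ import annotations

from datetime import datetime, timezone
from pathlib import Path

MODULE_ID = "gemini-sub-htb"
RESULTS_PATH = Path("results") / f"Results-{MODULE_ID}.md"

# Section titles exactly as they appear in the required template.
FINDINGS, EVIDENCE, OPEN, RUNLOG = (
    "Known Findings", "Evidence / Notes", "Open Questions / Next Steps", "Run Log")


def parse(text: str) -> dict:
    """Read a results file into {section: items}; findings are keyed by id."""
    state: dict = {FINDINGS: {}, EVIDENCE: [], OPEN: [], RUNLOG: []}
    section = None
    for line in text.splitlines():
        if line.startswith("## "):
            section = line[3:].strip()
        elif line.startswith("- ") and section in state:
            item = line[2:].strip()
            if item.startswith("<"):  # untouched template placeholder
                continue
            if section == FINDINGS:
                fid, _, stmt = item.partition(": ")
                state[FINDINGS][fid] = stmt
            else:
                state[section].append(item)
    return state


def render(state: dict, updated_iso: str) -> str:
    """Emit the file in the required template layout."""
    out = [f"# Results: {MODULE_ID}",
           f"- Module ID: `{MODULE_ID}`",
           f"- Last Updated: {updated_iso}",
           f"## {FINDINGS}"]
    out += [f"- {fid}: {stmt}" for fid, stmt in state[FINDINGS].items()]
    for sec in (EVIDENCE, OPEN, RUNLOG):
        out.append(f"## {sec}")
        out += [f"- {item}" for item in state[sec]]
    return "\n".join(out) + "\n"


def summarize(state: dict) -> str:
    """Short internal summary of what is already known (read-before-work step)."""
    ids = ", ".join(state[FINDINGS]) or "none"
    return (f"{len(state[FINDINGS])} known finding(s): {ids}; "
            f"{len(state[OPEN])} open item(s); {len(state[RUNLOG])} prior run(s)")


def merge(existing: str | None, findings: dict[str, str], evidence=(), open_items=(),
          run_note: str = "", now_epoch: int | None = None) -> str:
    """Merge rules: upsert by finding id, append only new notes, one run-log entry."""
    state = parse(existing or "")
    state[FINDINGS].update(findings)  # update/replace; never duplicate an id
    for sec, items in ((EVIDENCE, evidence), (OPEN, open_items)):
        for item in items:
            if item not in state[sec]:  # net-new only
                state[sec].append(item)
    epoch = int(datetime.now(timezone.utc).timestamp()) if now_epoch is None else now_epoch
    iso = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
    state[RUNLOG].append(f"{epoch} ({iso}): {run_note}")  # Unix stamp for chronology
    return render(state, iso)


def persist(path: Path, **kwargs) -> str:
    """Read-merge-write the results file, creating it (and ./results) if absent."""
    existing = path.read_text() if path.exists() else None
    if existing:
        print("[prior state]", summarize(parse(existing)))
    merged = merge(existing, **kwargs)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(merged)
    return merged


if __name__ == "__main__":
    # Constructed findings for a demo run; nothing here comes from a real target.
    persist(RESULTS_PATH,
            findings={"F-001": "tcp/445 SMB allows anonymous share listing"},
            evidence=["smbclient -N -L <target> listed share 'backup'"],
            open_items=["check write access to 'backup'"],
            run_note="initial recon and SMB enumeration")
```

Running it twice with the same finding id leaves a single `F-001` line with the newer statement, one copy of the evidence line, and two Run Log entries, which is the behaviour the merge rules ask for.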
Path Scope Note
- Skills are maintained and read from /root/.gemini/skills/.
- The active working directory WILL NOT contain a .gemini folder.
- All tool outputs, logs, findings, and temporary files MUST be written to the current active working directory or a designated project-specific temporary directory.
- This module MUST write to ./results/Results-gemini-sub-htb.md relative to the current active working directory.
- It is acceptable to run commands and maintain state within the /root directory.
- Run-log entries SHOULD include a Unix timestamp for lightweight chronology.