docs: remove em dashes; convert pseudo-links to real Markdown links; improve formatting

- Replace all em dashes with simple hyphens across repo\n- README: real links in Docs Index, badges and headings\n- HOWTO: clickable TOC, clean headings, hyphen usage\n- TOOLKIT: clickable TOC, cleaned bullets, crosslinks and examples\n- Dashboard and pack_report strings updated to avoid em dashes\n- .zshrc comment cleaned
2026-06-07 23:03:57 +02:00 · 2025-10-08 16:11:24 +02:00
parent 322ba960af
commit 1ec50d14a3
6 changed files with 162 additions and 163 deletions
@@ -1,4 +1,4 @@
-# HTB/OSCP helpers — source this from your ~/.zshrc
+# HTB/OSCP helpers - source this from your ~/.zshrc

 # Prompt (concise)
 autoload -Uz colors && colors
@@ -1,26 +1,26 @@
-# PentestPilot — HOWTO
+# PentestPilot - HOWTO

 ## Table of Contents
- Overview — #overview
- Install & Setup — #install--setup
- Core Env Vars — #core-env-vars
- Target Workflow — #target-workflow
- Automation & Orchestration — #automation--orchestration
- Dashboard (Status & Evidence) — #dashboard-status--evidence
- Manifest (State & Resume) — #manifest-state--resume
- AI Integrations — #ai-integrations
- Web Recon & Routing — #web-recon--routing
- Active Directory & SMB — #active-directory--smb
- Passwords & Wordlists — #passwords--wordlists
- Shells, Transfers, Privesc — #shells-transfers-privesc
- Tunnels & Port Forwards — #tunnels--port-forwards
- QoL Utilities — #qol-utilities
- Post‑Exploitation & Reporting — #post-exploitation--reporting
- Safety Notes — #safety-notes
- End‑to‑End Example — #end-to-end-example
- Troubleshooting — #troubleshooting
- Customization — #customization
- Appendix — Common Command Recipes — #appendix--common-command-recipes
+- [Overview](#overview)
+- [Install & Setup](#install--setup)
+- [Core Env Vars](#core-env-vars)
+- [Target Workflow](#target-workflow)
+- [Automation & Orchestration](#automation--orchestration)
+- [Dashboard (Status & Evidence)](#dashboard-status--evidence)
+- [Manifest (State & Resume)](#manifest-state--resume)
+- [AI Integrations](#ai-integrations)
+- [Web Recon & Routing](#web-recon--routing)
+- [Active Directory & SMB](#active-directory--smb)
+- [Passwords & Wordlists](#passwords--wordlists)
+- [Shells, Transfers, Privesc](#shells-transfers-privesc)
+- [Tunnels & Port Forwards](#tunnels--port-forwards)
+- [QoL Utilities](#qol-utilities)
+- [Post-Exploitation & Reporting](#post-exploitation--reporting)
+- [Safety Notes](#safety-notes)
+- [End-to-End Example](#end-to-end-example)
+- [Troubleshooting](#troubleshooting)
+- [Customization](#customization)
+- [Appendix - Common Command Recipes](#appendix--common-command-recipes)

 ## Overview
 - This toolkit streamlines OSCP/HTB workflows: discovery, web recon, AD, credential hygiene, shells, tunnels, transfers, privilege escalation, post‑exploitation, reporting, and AI‑assisted orchestration.
@@ -57,9 +57,9 @@ Notes:
 - Use `pipx` (or venv) for Python‑based tools to avoid site‑packages collisions.

 ## Core Env Vars
- `HTB_ROOT` (default: current repo path) — base for targets and scripts.
- `TARGET` — a current target convenience var set by `settarget`.
- `OUTDIR` — output directory for scans in the current target (set by `settarget`).
+- `HTB_ROOT` (default: current repo path) - base for targets and scripts.
+- `TARGET` - a current target convenience var set by `settarget`.
+- `OUTDIR` - output directory for scans in the current target (set by `settarget`).
 - Proxies: `HTTP_PROXY`/`HTTPS_PROXY` can be toggled via `proxy_toggle.sh on|off`.

 ## Target Workflow
@@ -70,16 +70,16 @@ Notes:
   - `notesinit` scaffolds `notes.md` in the target directory.
   - `notesattach` appends a scan artifacts summary to notes.
 3) Directories:
-   - `targets/<target>/scans` — scanner logs, json, summaries
-   - `targets/<target>/loot`  — collected artifacts
-   - `targets/<target>/notes.md` — your engagement notes
-   - `targets/<target>/manifest.json` — per‑target state (see Manifest below)
+   - `targets/<target>/scans` - scanner logs, json, summaries
+   - `targets/<target>/loot`  - collected artifacts
+   - `targets/<target>/notes.md` - your engagement notes
+   - `targets/<target>/manifest.json` - per-target state (see Manifest below)
 4) Common recipes (see Appendix for more):
   - Quick nmap: nq → review `scans/*_quick_*.nmap`
   - Full TCP then service: nf → review `phase1`/`phase2` outputs
   - UDP quick check: nu → review common UDP services
   - Web checks: headers/methods/tech → dirbuster/param_fuzz → sqli_quick
-   - SMB/LDAP: smb_enum.sh / ldap_enum.sh — save listings in `scans/`
+   - SMB/LDAP: smb_enum.sh / ldap_enum.sh - save listings in `scans/`

 Quick Aliases
 - Nmap: `nq` (quick), `nf` (full TCP), `nu` (UDP top)
@@ -97,13 +97,13 @@ Quick Aliases
  - DNS subenum (if domain) → httpx (balanced) → nuclei (auto severity) → tech route → optional WPScan
  - Resume (default) consults `manifest.json` and skips completed steps.
  - Writes evidence JSON + summaries (httpx/nuclei) into OUTDIR and manifest.
- Agents (AI‑aware): `bin/ai/agent_orchestrator.py:1`
-  - `agent full <domain|hosts.txt>` — small state machine for the full pipeline; retries resume passes, then runs `tech_actions.py --run`.
-  - `agent web <hosts.txt> [--force]` — httpx → nuclei → screenshots → AI plan (resume‑aware subtasks)
-  - `agent ad <host> [--force]` — enum4linux/smbmap/rpc (resume‑aware)
-  - `agent notes <target> [--force]` — notes init + attach (resume‑aware)
-  - `agent post <target> [--force]` — linux_loot + report pack (resume‑aware)
- Resume all targets: `resume_all.py` — loops over targets/* and resumes incomplete `full_pipeline` runs.
+- Agents (AI-aware): `bin/ai/agent_orchestrator.py:1`
+  - `agent full <domain|hosts.txt>` - small state machine for the full pipeline; retries resume passes, then runs `tech_actions.py --run`.
+  - `agent web <hosts.txt> [--force]` - httpx -> nuclei -> screenshots -> AI plan (resume-aware subtasks)
+  - `agent ad <host> [--force]` - enum4linux/smbmap/rpc (resume-aware)
+  - `agent notes <target> [--force]` - notes init + attach (resume-aware)
+  - `agent post <target> [--force]` - linux_loot + report pack (resume-aware)
+- Resume all targets: `resume_all.py` - loops over targets/* and resumes incomplete `full_pipeline` runs.

 Advanced: Pipeline Semantics
 - `--resume` (default) skips steps whose manifest task status is `ok`.
@@ -115,10 +115,10 @@ Advanced: Pipeline Semantics
 - Command: `dashboard`  Options: `--no-color`, `--compact`, `--json`
 - Columns:
  - target, created, last (timestamp of last pipeline), urls (count)
-  - dns, httpx, nuclei, tech, wp — per‑phase status with elapsed seconds
-  - sev — severity counts (e.g., c:1 h:3 m:2)
-  - top‑techs — top techs from httpx tech summary (e.g., wordpress:3, drupal:1)
-  - bar — colorized severity proportion bar (critical/high/medium/low)
+  - dns, httpx, nuclei, tech, wp - per-phase status with elapsed seconds
+  - sev - severity counts (e.g., c:1 h:3 m:2)
+  - top-techs - top techs from httpx tech summary (e.g., wordpress:3, drupal:1)
+  - bar - colorized severity proportion bar (critical/high/medium/low)
 - Evidence sources (auto‑persisted by pipeline):
  - httpx JSON: `OUTDIR/httpx_<ts>.json` and `httpx_<ts>.summary.json`
  - nuclei JSON: `OUTDIR/httpx2nuclei_<ts>/nuclei.json` and `summary.json`
@@ -142,23 +142,23 @@ Advanced: Pipeline Semantics
    }
  }
 - CLI: `bin/automation/manifest.py:1`
-  - `init <target>` — create manifest
-  - `set|get <target> <key> [value]` — set or read top‑level values
-  - `addlist <target> <key> <file|a,b,c>` — append to a list
-  - `show <target>` — print JSON
-  - `task <target> <name> start|ok|fail [meta-json]` — update tasks (status, timestamps, meta)
-  - `taskstatus <target> <name>` — prints status; exit 0 if ok, 2 if running, 1 otherwise
-  - `taskreset <target> <name>` — remove/reset a task entry
+- `init <target>` - create manifest
+- `set|get <target> <key> [value]` - set or read top-level values
+- `addlist <target> <key> <file|a,b,c>` - append to a list
+- `show <target>` - print JSON
+- `task <target> <name> start|ok|fail [meta-json]` - update tasks (status, timestamps, meta)
+- `taskstatus <target> <name>` - prints status; exit 0 if ok, 2 if running, 1 otherwise
+- `taskreset <target> <name>` - remove/reset a task entry

 ## AI Integrations
 - Providers: OpenAI (OPENAI_API_KEY) or local Ollama (defaults chosen automatically).
 - Robust helpers: `bin/ai/_ai_utils.py:1` (retries, timeouts, prompt truncation)
 - Tools:
-  - `ask.py` — quick prompts
-  - `commands_planner.py` — converts a goal/context into ready‑to‑run toolkit commands
-  - `orchestrate_web.py` — probes (httpx) and asks AI for a recon plan
-  - `review_findings.py` — summarizes notes into risks + next steps
-  - `agent_orchestrator.py` — orchestrates web/full/ad/notes/post tasks and updates manifest
+- `ask.py` - quick prompts
+- `commands_planner.py` - converts a goal/context into ready-to-run toolkit commands
+- `orchestrate_web.py` - probes (httpx) and asks AI for a recon plan
+- `review_findings.py` - summarizes notes into risks + next steps
+  - `agent_orchestrator.py` - orchestrates web/full/ad/notes/post tasks and updates manifest
 Troubleshooting AI:
 - If calls fail, `_ai_utils.py` retries with exponential backoff.
 - If no OPENAI_API_KEY is set, the system falls back to Ollama (ensure it’s running).
@@ -180,8 +180,8 @@ Troubleshooting AI:
 - SMB `smbmap_quick.sh` and `smb_check_write.sh`

 ## Passwords & Wordlists
- `mutate_words.py`, `merge_dedupe.sh`, `wordlist_cleanup.sh` — build/clean wordlists
- `spray_http_basic.sh` — cautious HTTP Basic Auth spray (respect lockout policies)
+- `mutate_words.py`, `merge_dedupe.sh`, `wordlist_cleanup.sh` - build/clean wordlists
+- `spray_http_basic.sh` - cautious HTTP Basic Auth spray (respect lockout policies)

 ## Shells, Transfers, Privesc
 - Shells: reverse one‑liners (`revsh.py`), listener (`listener.sh`), TTY upgrade tips
@@ -190,20 +190,20 @@ Troubleshooting AI:
 - Windows privesc: `privesc_quick.ps1`, `find_unquoted_services.ps1`, `find_path_writable.ps1`, `win_share_enum.ps1`

 ## Tunnels & Port Forwards
- `chisel_server.sh` / `chisel_client.sh` — reverse tunnels
- `autossh_socks.sh` — resilient SOCKS proxy
- `socat_forward.sh` and `port_forward.sh` — local/remote forwards
+- `chisel_server.sh` / `chisel_client.sh` - reverse tunnels
+- `autossh_socks.sh` - resilient SOCKS proxy
+- `socat_forward.sh` and `port_forward.sh` - local/remote forwards

 ## QoL Utilities
- `cleanup_scans.sh` — prune old scan files
- `proxy_toggle.sh` — set/unset HTTP(S) proxy env vars
- `tmux_init.sh` — quick tmux workspace
- `extract_urls.py` — harvest URLs from files (logs/notes)
+- `cleanup_scans.sh` - prune old scan files
+- `proxy_toggle.sh` - set/unset HTTP(S) proxy env vars
+- `tmux_init.sh` - quick tmux workspace
+- `extract_urls.py` - harvest URLs from files (logs/notes)

 ## Post‑Exploitation & Reporting
- `linux_loot.sh` — safe, size‑capped artifacts collector (config via env: `MAX_SIZE`, `INCLUDE_*`)
- `windows_loot.ps1` — conservative Windows loot collector (zip fallback)
- `pack_report.sh` — compiles a markdown with summaries and file listings
+- `linux_loot.sh` - safe, size-capped artifacts collector (config via env: `MAX_SIZE`, `INCLUDE_*`)
+- `windows_loot.ps1` - conservative Windows loot collector (zip fallback)
+- `pack_report.sh` - compiles a markdown with summaries and file listings

 ## Safety Notes
 - Use only with explicit authorization.
@@ -236,7 +236,7 @@ Troubleshooting AI:
 - Tweak agent behaviors in `bin/ai/agent_orchestrator.py:1`.
 - Add your own manifest keys via `manifest.py set <target> key value` for custom dashboards.

-## Appendix — Common Command Recipes
+## Appendix - Common Command Recipes
 - Directory brute (gobuster): gobuster_dir.sh http://$TARGET/ /usr/share/wordlists/dirb/common.txt php,txt 50
 - Vhost brute: gobuster_vhost.sh http://$TARGET/ subdomains-top1million-5000.txt 100
 - Probe techs: httpx_probe.sh hosts.txt > live.txt
@@ -66,26 +66,26 @@ Dependencies
 - Recommended: nmap, ffuf, httpx, nuclei, gobuster, gowitness, subfinder|amass, sqlmap, wpscan, droopescan, joomscan, magescan, impacket, ldap-utils, snmp, ripgrep, jq, python3 requests, socat, chisel

 ## Documentation
- HOWTO.md:1 — in‑depth “how to” with recommended tools, pipeline semantics, dashboard legend, manifest schema, and examples.
- TOOLKIT.md:1 — command catalog grouped by category with references back to HOWTO.
+- See [HOWTO](HOWTO.md) for in-depth usage, recommended tools, pipeline semantics, dashboard legend, manifest schema, and examples.
+- See [TOOLKIT](TOOLKIT.md) for a categorized command catalog with examples and links back to HOWTO.

 ### Docs Index (quick links)
- HOWTO: Overview — HOWTO.md#overview
- Install & Setup — HOWTO.md#install--setup
- Core Env Vars — HOWTO.md#core-env-vars
- Target Workflow — HOWTO.md#target-workflow
- Automation & Orchestration — HOWTO.md#automation--orchestration
- Dashboard (Status & Evidence) — HOWTO.md#dashboard-status--evidence
- Manifest (State & Resume) — HOWTO.md#manifest-state--resume
- AI Integrations — HOWTO.md#ai-integrations
- Web Recon & Routing — HOWTO.md#web-recon--routing
- Active Directory & SMB — HOWTO.md#active-directory--smb
- Passwords & Wordlists — HOWTO.md#passwords--wordlists
- Shells, Transfers, Privesc — HOWTO.md#shells-transfers-privesc
- Tunnels & Port Forwards — HOWTO.md#tunnels--port-forwards
- QoL Utilities — HOWTO.md#qol-utilities
- Post‑Exploitation & Reporting — HOWTO.md#post-exploitation--reporting
- Troubleshooting — HOWTO.md#troubleshooting
+- [HOWTO: Overview](HOWTO.md#overview)
+- [Install & Setup](HOWTO.md#install--setup)
+- [Core Env Vars](HOWTO.md#core-env-vars)
+- [Target Workflow](HOWTO.md#target-workflow)
+- [Automation & Orchestration](HOWTO.md#automation--orchestration)
+- [Dashboard (Status & Evidence)](HOWTO.md#dashboard-status--evidence)
+- [Manifest (State & Resume)](HOWTO.md#manifest-state--resume)
+- [AI Integrations](HOWTO.md#ai-integrations)
+- [Web Recon & Routing](HOWTO.md#web-recon--routing)
+- [Active Directory & SMB](HOWTO.md#active-directory--smb)
+- [Passwords & Wordlists](HOWTO.md#passwords--wordlists)
+- [Shells, Transfers, Privesc](HOWTO.md#shells-transfers-privesc)
+- [Tunnels & Port Forwards](HOWTO.md#tunnels--port-forwards)
+- [QoL Utilities](HOWTO.md#qol-utilities)
+- [Post-Exploitation & Reporting](HOWTO.md#post-exploitation--reporting)
+- [Troubleshooting](HOWTO.md#troubleshooting)

 Safety
 - Intended for systems you have explicit permission to test. Scripts default to safe, passive checks unless you opt‑in to aggressive actions.
@@ -1,29 +1,29 @@
-# PentestPilot — Quick Reference
+# PentestPilot - Quick Reference

 For step‑by‑step usage, pipeline semantics, dashboard features, and resume behavior, read HOWTO.md:1. This file focuses on a clickable, categorized command index with succinct usage. Most entries accept TARGET via env if a positional argument is omitted.

 ## Table of Contents
- Setup — #setup
- Core Workflow — #core-workflow
- Enumeration — #enumeration-requires-target
- Automation — #automation-binautomation--see-howto-automation--orchestration-dashboard-manifest
- Web helpers — #web-helpers-binweb--see-howto-web-recon--routing
- Reverse shells — #reverse-shells-binshells
- File transfer — #file-transfer-bintransfer
- Crypto / Text — #crypto--text-bincrypto
- Privilege Escalation — #privilege-escalation-binprivesc
- Misc — #misc-binmisc
- AI — #ai-binai--see-howto-ai-integrations
- Active Directory — #active-directory-binad
- Passwords — #passwords-binpasswords
- Windows — #windows-binwindows
- Post‑Exploitation — #post-exploitation-binpost
- DNS — #dns-bindns
- Scanning — #scanning-binscan
- Tunnels — #tunnels-bintunnel
- Pwn — #pwn-binpwn
- Hashes — #hashes-binhashes
- Tips — #tips
+- [Setup](#setup)
+- [Core Workflow](#core-workflow)
+- [Enumeration](#enumeration-requires-target)
+- [Automation](#automation-binautomation--see-howto-automation--orchestration-dashboard-manifest)
+- [Web helpers](#web-helpers-binweb--see-howto-web-recon--routing)
+- [Reverse shells](#reverse-shells-binshells)
+- [File transfer](#file-transfer-bintransfer)
+- [Crypto / Text](#crypto--text-bincrypto)
+- [Privilege Escalation](#privilege-escalation-binprivesc)
+- [Misc](#misc-binmisc)
+- [AI](#ai-binai--see-howto-ai-integrations)
+- [Active Directory](#active-directory-binad)
+- [Passwords](#passwords-binpasswords)
+- [Windows](#windows-binwindows)
+- [Post-Exploitation](#post-exploitation-binpost)
+- [DNS](#dns-bindns)
+- [Scanning](#scanning-binscan)
+- [Tunnels](#tunnels-bintunnel)
+- [Pwn](#pwn-binpwn)
+- [Hashes](#hashes-binhashes)
+- [Tips](#tips)

 ## Setup
 - Keep this repo in a working folder, e.g., htb/.
@@ -53,12 +53,12 @@ Individual scripts (bin/)
 - nmap_full.sh <target> [--rate 5000]
 - nmap_udp.sh <target> [--top 200]
 - smb_enum.sh <ip> [user] [pass]
- ldap_enum.sh <ip> [user] [pass] — auto-detect baseDNs
+- ldap_enum.sh <ip> [user] [pass] - auto-detect baseDNs
 - nfs_enum.sh <ip>
 - ftp_enum.sh <ip>
 - snmp_enum.sh <ip> [community]

-## Automation (bin/automation/) — see HOWTO: Automation & Orchestration, Dashboard, Manifest
+## Automation (bin/automation/) (see HOWTO: [Automation & Orchestration](HOWTO.md#automation--orchestration), [Dashboard](HOWTO.md#dashboard-status--evidence), [Manifest](HOWTO.md#manifest-state--resume))
 - auto_recon.sh <target> [--no-udp]
 - parse_nmap_open_ports.sh <*.gnmap>
 - report_summary.py <*.gnmap ...>
@@ -70,11 +70,11 @@ Individual scripts (bin/)
 - full_pipeline.sh <domain|hosts.txt> [--resume|--force]
 - manifest.py (init|set|get|addlist|show|task|taskstatus|taskreset) <target> [...]
 - dashboard.py [--json]
- resume_all.py — resume full pipeline across all targets
- - tech_actions.py <target> [--run] — suggest/run next steps based on httpx techs
- - cleanup_scans.sh [dir] [days] [--force] — prune old scan files
+- resume_all.py - resume full pipeline across all targets
+ - tech_actions.py <target> [--run] - suggest/run next steps based on httpx techs
+ - cleanup_scans.sh [dir] [days] [--force] - prune old scan files
 - proxy_toggle.sh on|off [http://host:port]
- - tmux_init.sh [session] — starter tmux layout
+ - tmux_init.sh [session] - starter tmux layout

 See also in HOWTO.md:
 - Automation & Orchestration
@@ -96,24 +96,24 @@ dashboard --compact
 resumeall
 ```

-## Web helpers (bin/web/) — see HOWTO: Web Recon & Routing
- dirbuster.sh <url> [wordlist] [exts] — ffuf directory fuzz
- vhost_ffuf.sh <base-url> <domain> [wordlist] — virtual hosts
- param_fuzz.sh <url-with-FUZZ> [wordlist] — parameter discovery
- lfi_tester.py <url-with-PLACEHOLDER> — basic LFI checks
- tech_detect.sh <url> — headers + tech hints
- http_headers.sh <url> — raw headers
- url_titles.py <url1> [url2 ...] — titles and codes
- crawl_words.py <url> [depth] — extract words for wordlists
- sqli_quick.sh <url> <param> — sqlmap wrapper
- - backup_hunter.sh <base-url> [paths.txt] — find common backups/configs
- - git_dumper.sh <base-url> [outdir] — mirror exposed .git and restore
- - cors_tester.py <url> [origin] — test ACAO/ACAC
- - methods.sh <url> — show allowed methods (OPTIONS)
- - clone_site.sh <url> [outdir] — wget mirror
- - tls_scan.sh <host:443> — openssl-based TLS info
- - robots_grabber.sh <base-url> — show Disallow entries
- - webdav_detect.sh <url> — OPTIONS + PROPFIND
+## Web helpers (bin/web/) (see HOWTO: [Web Recon & Routing](HOWTO.md#web-recon--routing))
+- dirbuster.sh <url> [wordlist] [exts] - ffuf directory fuzz
+- vhost_ffuf.sh <base-url> <domain> [wordlist] - virtual hosts
+- param_fuzz.sh <url-with-FUZZ> [wordlist] - parameter discovery
+- lfi_tester.py <url-with-PLACEHOLDER> - basic LFI checks
+- tech_detect.sh <url> - headers + tech hints
+- http_headers.sh <url> - raw headers
+- url_titles.py <url1> [url2 ...] - titles and codes
+- crawl_words.py <url> [depth] - extract words for wordlists
+- sqli_quick.sh <url> <param> - sqlmap wrapper
+ - backup_hunter.sh <base-url> [paths.txt] - find common backups/configs
+ - git_dumper.sh <base-url> [outdir] - mirror exposed .git and restore
+ - cors_tester.py <url> [origin] - test ACAO/ACAC
+ - methods.sh <url> - show allowed methods (OPTIONS)
+ - clone_site.sh <url> [outdir] - wget mirror
+ - tls_scan.sh <host:443> - openssl-based TLS info
+ - robots_grabber.sh <base-url> - show Disallow entries
+ - webdav_detect.sh <url> - OPTIONS + PROPFIND
 - httpx_probe.sh <host|file>
 - nuclei_quick.sh <url|file> [tags]
 - gobuster_dir.sh <url> [wordlist] [exts] [threads]
@@ -145,9 +145,9 @@ gobuster_dir.sh http://$TARGET/ /usr/share/wordlists/dirb/common.txt php,txt 50
 ```

 ## Reverse shells (bin/shells/)
- revsh.py <lhost> <lport> — prints common one-liners
- listener.sh <port> — rlwrap + nc/ncat listener
- tty_upgrade.sh — quick TTY tips
+- revsh.py <lhost> <lport> - prints common one-liners
+- listener.sh <port> - rlwrap + nc/ncat listener
+- tty_upgrade.sh - quick TTY tips

 Examples
 ```
@@ -162,11 +162,11 @@ tty_upgrade.sh
 ```

 ## File transfer (bin/transfer/)
- http_serve.sh [port] — simple Python HTTP server
- serve.py [port] — HTTP server with web upload (POST /upload)
- push_http.sh <file> <http://host:port/upload> — upload to serve.py
- dl_oneshots.sh <lhost> <port> <filename> — download one-liners
- smb_server.sh [share] [path] — impacket SMB server
+- http_serve.sh [port] - simple Python HTTP server
+- serve.py [port] - HTTP server with web upload (POST /upload)
+- push_http.sh <file> <http://host:port/upload> - upload to serve.py
+- dl_oneshots.sh <lhost> <port> <filename> - download one-liners
+- smb_server.sh [share] [path] - impacket SMB server

 Examples
 ```
@@ -183,7 +183,7 @@ smb_server.sh share ./loot

 ## Crypto / Text (bin/crypto/)
 - encoders.py b64e|b64d|urle|urld|hex|unhex|xor|rot
- jwt_show.py <jwt> — decode header/payload (no verify)
+- jwt_show.py <jwt> - decode header/payload (no verify)

 Examples
 ```
@@ -192,9 +192,9 @@ jwt_show.py eyJhbGciOi...
 ```

 ## Privilege Escalation (bin/privesc/)
- linux_quick_enum.sh — basic local recon
- suid_scan.sh — list SUID/SGID
- caps_scan.sh — list file capabilities
+- linux_quick_enum.sh - basic local recon
+- suid_scan.sh - list SUID/SGID
+- caps_scan.sh - list file capabilities

 Examples
 ```
@@ -203,8 +203,8 @@ caps_scan.sh
 ```

 ## Misc (bin/misc/)
- cyclic.py create <len> | offset <needle> — pattern + offset
- port_forward.sh — wrappers for ssh -L/-R/-D
+- cyclic.py create <len> | offset <needle> - pattern + offset
+- port_forward.sh - wrappers for ssh -L/-R/-D
 - extract_urls.py <file...>

 Examples
@@ -214,13 +214,13 @@ port_forward.sh -L 8080:127.0.0.1:80 user@host
 extract_urls.py notes.md
 ```

-## AI (bin/ai/) — see HOWTO: AI Integrations
+## AI (bin/ai/) (see HOWTO: [AI Integrations](HOWTO.md#ai-integrations))
 - ask.py [-m model] [-s system] "prompt" | - (stdin)
 - wordlist_from_context.py <target> [context-file|-]
 - orchestrate_web.py <hosts.txt>
 - review_findings.py <notes.md> [extra]
 - commands_planner.py "goal" [context]
- - agent_orchestrator.py <task> — multi-agent runner (web|notes|post|ad)
+ - agent_orchestrator.py <task> - multi-agent runner (web|notes|post|ad)

 See also in HOWTO.md:
 - AI Integrations
@@ -241,7 +241,7 @@ agent web hosts.txt
 - getnpusers_wrapper.sh <domain/user:pass> <dc_ip> [userlist.txt]
 - getspns_wrapper.sh <domain/user:pass> <dc_ip>
 - ldap_quick_users.sh <ip> <baseDN> [user pass]
- - rpc_quick.sh <host> [user pass] — rpcclient lsa/users/groups
+ - rpc_quick.sh <host> [user pass] - rpcclient lsa/users/groups
 - kerbrute_wrapper.sh <domain> <users.txt> [dc-ip]
 - cme_quick.sh <host> [user pass]

@@ -257,9 +257,9 @@ cme_quick.sh $TARGET user pass
 ## Passwords (bin/passwords/)
 - mutate_words.py word1 [word2 ...] | -
 - spray_http_basic.sh <url> <users.txt> <password>
- - merge_dedupe.sh <file1> [file2 ...] — dedup merged lists
+ - merge_dedupe.sh <file1> [file2 ...] - dedup merged lists
 - wordlist_cleanup.sh <wordlist> [min] [max]
- - hash_id.sh <hash> — simple guess when hashid missing
+ - hash_id.sh <hash> - simple guess when hashid missing

 Examples
 ```
@@ -270,11 +270,11 @@ spray_http_basic.sh http://$TARGET/protected users.txt Winter2025!
 ```

 ## Windows (bin/windows/)
- privesc_quick.ps1 — run on target
- win_share_enum.ps1 -Target <host>
- - find_unquoted_services.ps1 — potential service path issues
- - find_path_writable.ps1 — writable PATH dirs
- - windows_loot.ps1 — targeted loot collector
+ - privesc_quick.ps1 - run on target
+ - win_share_enum.ps1 -Target <host>
+ - find_unquoted_services.ps1 - potential service path issues
+ - find_path_writable.ps1 - writable PATH dirs
+ - windows_loot.ps1 - targeted loot collector

 Examples
 ```
@@ -284,9 +284,9 @@ powershell -ep bypass -f bin/windows/find_unquoted_services.ps1
 ```

 ## Post-Exploitation (bin/post/)
- linux_loot.sh — targeted loot collector with size caps
- - windows_loot.ps1 — targeted loot collector (PowerShell)
- - pack_report.sh <target> — merge loot/scans into markdown report
+ - linux_loot.sh - targeted loot collector with size caps
+ - windows_loot.ps1 - targeted loot collector (PowerShell)
+ - pack_report.sh <target> - merge loot/scans into markdown report

 Examples
 ```
@@ -329,7 +329,7 @@ chisel_client.sh YOUR_IP:8000 R:8080:127.0.0.1:80
 ```

 ## Pwn (bin/pwn/)
- pwntools_template.py — starter exploit template
+ - pwntools_template.py - starter exploit template

 Examples
 ```
@@ -338,7 +338,7 @@ python3 bin/pwn/pwntools_template.py REMOTE=1 HOST=$TARGET PORT=31337

 ## Hashes (bin/hashes/)
 - extract_ntlm_from_secretsdump.py <file> [out]
- - john_pfx.sh <file.pfx> — john format for PFX
+ - john_pfx.sh <file.pfx> - john format for PFX

 Examples
 ```
@@ -154,9 +154,9 @@ def print_header():
    # Build ASCII header
    t = agg['targets']; c = agg['completed']; p = agg['pending']
    s = agg['sev']
-    title = f" Pentest Dashboard — targets:{t} completed:{c} pending:{p} "
+    title = f" Pentest Dashboard - targets:{t} completed:{c} pending:{p} "
    line = '+' + '-'*(len(title)) + '+'
-    sev_line = f" severities — C:{s['critical']} H:{s['high']} M:{s['medium']} L:{s['low']} "
+    sev_line = f" severities - C:{s['critical']} H:{s['high']} M:{s['medium']} L:{s['low']} "
    sev_bar = sev_line
    print(line)
    print('|' + title + '|')
@@ -15,7 +15,7 @@ mkdir -p "$lootdir"

 echo "[+] Generating report: $report"
 {
-  echo "# Post-Exploitation Report — $target"
+echo "# Post-Exploitation Report - $target"
  echo "\nGenerated: $(date)"
  echo "\n## Summaries"
  [[ -f "$lootdir/summary.txt" ]] && { echo "\n### System Summary"; sed -n '1,120p' "$lootdir/summary.txt"; }
@@ -33,4 +33,3 @@ echo "[+] Generating report: $report"
 } > "$report"

 echo "[+] Report saved: $report"
-