chore(git): add .gitignore; purge accidentally tracked .ovpn and OS files

- Add comprehensive .gitignore: OS cruft, caches, archives, VPN/secret files, captures\n- Remove previously tracked .DS_Store and HTB.ovpn

.gitignore

@@ -0,0 +1,66 @@
+# OS
+.DS_Store
+Thumbs.db
+
+# Editors/IDE
+.vscode/
+.idea/
+
+# Python
+__pycache__/
+*.py[cod]
+*.pyo
+*.egg-info/
+.venv/
+venv/
+.env
+.env.*
+.python-version
+
+# Node/JS
+node_modules/
+
+# Logs & caches
+*.log
+logs/
+tmp/
+*.tmp
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.tox/
+.cache/
+
+# Coverage/build
+.coverage*
+coverage/
+htmlcov/
+dist/
+build/
+
+# Archives & captures
+*.zip
+*.tar
+*.tar.gz
+*.tgz
+*.7z
+*.gz
+*.rar
+*.pcap
+*.pcapng
+
+# VPN/Secrets & credentials
+*.ovpn
+*.key
+*.pem
+*.crt
+*.kdbx
+*.rdp
+*.pfx
+
+# Project-specific ignores
+# Do not commit bulky artifacts accidentally
+targets/*/www/*
+# Keep scan results, but ignore raw packet captures
+targets/*/scans/*.pcap*
+

HOWTO.md

@@ -1,6 +1,6 @@
-PentestPilot — HOWTO
+# PentestPilot — HOWTO
 
-Table of Contents
+## Table of Contents
 - Overview — #overview
 - Install & Setup — #install--setup
 - Core Env Vars — #core-env-vars
@@ -22,13 +22,13 @@ Table of Contents
 - Customization — #customization
 - Appendix — Common Command Recipes — #appendix--common-command-recipes
 
-Overview
+## Overview
 - This toolkit streamlines OSCP/HTB workflows: discovery, web recon, AD, credential hygiene, shells, tunnels, transfers, privilege escalation, post‑exploitation, reporting, and AI‑assisted orchestration.
 - Everything is CLI‑first, idempotent when possible, and resume‑aware via a per‑target manifest.
 - See: README.md:1 for the quick summary and TOOLKIT.md:1 for the command catalog.
  - Tips and conventions below assume a Linux attacker VM (Kali/Parrot/Ubuntu). Adjust paths for your OS.
 
-Install & Setup
+## Install & Setup
 1) Place the repo in your working directory (e.g., `~/hax/htb`).
 2) Load the shell profile so aliases and PATH work:
    echo "source $(pwd)/.zshrc.htb" >> ~/.zshrc
@@ -56,13 +56,13 @@ Notes:
 - If a wrapper says a tool is missing, either install or skip that specific step.
 - Use `pipx` (or venv) for Python‑based tools to avoid site‑packages collisions.
 
-Core Env Vars
+## Core Env Vars
 - `HTB_ROOT` (default: current repo path) — base for targets and scripts.
 - `TARGET` — a current target convenience var set by `settarget`.
 - `OUTDIR` — output directory for scans in the current target (set by `settarget`).
 - Proxies: `HTTP_PROXY`/`HTTPS_PROXY` can be toggled via `proxy_toggle.sh on|off`.
 
-Target Workflow
+## Target Workflow
 1) Create a target workspace:
    settarget 10.10.10.10
    This creates `targets/<target>/{scans,loot,www,exploits}` and sets `OUTDIR`.
@@ -89,7 +89,7 @@ Quick Aliases
 - Dashboard: `dashboard` (status), `resumeall`, `techactions`
 - QoL: `proxyon`, `proxyoff`, `cleanupscans`, `tmux_init.sh`
 
-Automation & Orchestration
+## Automation & Orchestration
 - Minimal recon: `auto_recon.sh <target>`
 - Web recon (current TARGET): `web_recon.sh <target|--url URL>` → headers/tech/backup/dirb (+screenshots if `gowitness`)
 - Wide recon (list of hosts): `wide_web_recon.sh <hosts.txt>` → httpx + nuclei + screenshots
@@ -111,7 +111,7 @@ Advanced: Pipeline Semantics
 - Each phase records elapsed seconds and evidence file paths in manifest meta.
 - If a run fails midway, you can re‑invoke with `--resume` to continue where you left off.
 
-Dashboard (Status & Evidence)
+## Dashboard (Status & Evidence)
 - Command: `dashboard`  Options: `--no-color`, `--compact`, `--json`
 - Columns:
   - target, created, last (timestamp of last pipeline), urls (count)
@@ -123,7 +123,7 @@ Dashboard (Status & Evidence)
   - httpx JSON: `OUTDIR/httpx_<ts>.json` and `httpx_<ts>.summary.json`
   - nuclei JSON: `OUTDIR/httpx2nuclei_<ts>/nuclei.json` and `summary.json`
 
-Manifest (State & Resume)
+## Manifest (State & Resume)
 - Path: `targets/<target>/manifest.json`
 - Schema (high‑level):
   {
@@ -150,7 +150,7 @@ Manifest (State & Resume)
   - `taskstatus <target> <name>` — prints status; exit 0 if ok, 2 if running, 1 otherwise
   - `taskreset <target> <name>` — remove/reset a task entry
 
-AI Integrations
+## AI Integrations
 - Providers: OpenAI (OPENAI_API_KEY) or local Ollama (defaults chosen automatically).
 - Robust helpers: `bin/ai/_ai_utils.py:1` (retries, timeouts, prompt truncation)
 - Tools:
@@ -164,7 +164,7 @@ Troubleshooting AI:
 - If no OPENAI_API_KEY is set, the system falls back to Ollama (ensure it’s running).
 - You can reduce output size by setting smaller prompts and using `--compact` when calling dashboard.
 
-Web Recon & Routing
+## Web Recon & Routing
 - Pipeline: `httpx_to_nuclei.sh` → httpx alive list → nuclei with auto severity (based on URL count) → produces `.txt`, `.json`, `summary.json`.
 - Tech routing: `httpx_tech_route.py` flags:
   - `--tech` filter; `--severity` list; `--wpscan [--wpscan-limit N]`; `--extra [--extra-limit N]`; `--dry-run`
@@ -174,43 +174,43 @@ Web Recon & Routing
   - `httpx_presets.sh`: concurrency profiles; `httpx_probe.sh` for fast probes
   - `gobuster_dir.sh`, `gobuster_vhost.sh`; `dirbuster.sh` (ffuf); backup hunters, CORS/methods/TLS, LFI tester
 
-Active Directory & SMB
+## Active Directory & SMB
 - Impacket wrappers: `getnpusers_wrapper.sh`, `getspns_wrapper.sh`
 - `kerbrute_wrapper.sh` (user enum), `cme_quick.sh` (shares/sessions/loggedon), `rpc_quick.sh`
 - SMB `smbmap_quick.sh` and `smb_check_write.sh`
 
-Passwords & Wordlists
+## Passwords & Wordlists
 - `mutate_words.py`, `merge_dedupe.sh`, `wordlist_cleanup.sh` — build/clean wordlists
 - `spray_http_basic.sh` — cautious HTTP Basic Auth spray (respect lockout policies)
 
-Shells, Transfers, Privesc
+## Shells, Transfers, Privesc
 - Shells: reverse one‑liners (`revsh.py`), listener (`listener.sh`), TTY upgrade tips
 - Transfers: `http_serve.sh` or `serve.py` (with web upload), `smb_server.sh`, `dl_oneshots.sh`, `push_http.sh`
 - Linux privesc: `linux_quick_enum.sh`, `suid_scan.sh`, `caps_scan.sh`
 - Windows privesc: `privesc_quick.ps1`, `find_unquoted_services.ps1`, `find_path_writable.ps1`, `win_share_enum.ps1`
 
-Tunnels & Port Forwards
+## Tunnels & Port Forwards
 - `chisel_server.sh` / `chisel_client.sh` — reverse tunnels
 - `autossh_socks.sh` — resilient SOCKS proxy
 - `socat_forward.sh` and `port_forward.sh` — local/remote forwards
 
-QoL Utilities
+## QoL Utilities
 - `cleanup_scans.sh` — prune old scan files
 - `proxy_toggle.sh` — set/unset HTTP(S) proxy env vars
 - `tmux_init.sh` — quick tmux workspace
 - `extract_urls.py` — harvest URLs from files (logs/notes)
 
-Post‑Exploitation & Reporting
+## Post‑Exploitation & Reporting
 - `linux_loot.sh` — safe, size‑capped artifacts collector (config via env: `MAX_SIZE`, `INCLUDE_*`)
 - `windows_loot.ps1` — conservative Windows loot collector (zip fallback)
 - `pack_report.sh` — compiles a markdown with summaries and file listings
 
-Safety Notes
+## Safety Notes
 - Use only with explicit authorization.
 - Many steps are safe by default (no brute force). Be mindful of account lockout policies when using auth‑related tooling.
 - For “unsafe” or exploit‑heavy checks, consider separate gated wrappers and explicit flags.
 
-End‑to‑End Example
+## End‑to‑End Example
 1) Set up target and notes:
    settarget target.htb
    notesinit
@@ -225,18 +225,18 @@ End‑to‑End Example
 6) Resume across multiple targets later:
    resumeall
 
-Troubleshooting
+## Troubleshooting
 - Tool missing: wrappers fail gracefully and log hints. Install optional tools (httpx, nuclei, gobuster, gowitness, wpscan, droopescan, joomscan, magescan, impacket).
 - Manifest stuck in running: `manifest.py taskreset <target> <name>`.
 - No colors in dashboard: add `--no-color` or your terminal might not support ANSI.
 
-Customization
+## Customization
 - Adjust tags/severity in `httpx_to_nuclei.sh:1` and `httpx_tech_route.py:1`.
 - Extend tech presets and quick wrappers in `bin/web/`.
 - Tweak agent behaviors in `bin/ai/agent_orchestrator.py:1`.
  - Add your own manifest keys via `manifest.py set <target> key value` for custom dashboards.
 
-Appendix — Common Command Recipes
+## Appendix — Common Command Recipes
 - Directory brute (gobuster): gobuster_dir.sh http://$TARGET/ /usr/share/wordlists/dirb/common.txt php,txt 50
 - Vhost brute: gobuster_vhost.sh http://$TARGET/ subdomains-top1million-5000.txt 100
 - Probe techs: httpx_probe.sh hosts.txt > live.txt

HTB.ovpn

@@ -1,87 +0,0 @@
-client
-dev tun
-proto tcp
-remote edge-eu-free-2.hackthebox.eu 443
-resolv-retry infinite
-nobind
-persist-key
-persist-tun
-remote-cert-tls server
-comp-lzo
-verb 3
-data-ciphers-fallback AES-128-CBC
-data-ciphers AES-256-CBC:AES-256-CFB:AES-256-CFB1:AES-256-CFB8:AES-256-OFB:AES-256-GCM
-tls-cipher "DEFAULT:@SECLEVEL=0"
-auth SHA256
-key-direction 1
-<ca>
------BEGIN CERTIFICATE-----
-MIICDjCCAcCgAwIBAgIQAY7iX+I6dfaVWaMJXidIRTAFBgMrZXAwZDELMAkGA1UE
-BhMCR1IxFTATBgNVBAoTDEhhY2sgVGhlIEJveDEQMA4GA1UECxMHU3lzdGVtczEs
-MCoGA1UEAxMjSFRCIFZQTjogUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcN
-MjQwNDE1MTUyODM4WhcNMzQwNDE1MTUyODM4WjBeMQswCQYDVQQGEwJHUjEVMBMG
-A1UEChMMSGFjayBUaGUgQm94MRAwDgYDVQQLEwdTeXN0ZW1zMSYwJAYDVQQDEx1I
-VEIgVlBOOiBldS1mcmVlLTIgSXNzdWluZyBDQTAqMAUGAytlcAMhANRtLwPdgQ/j
-oGEo7GTBqm6rNN83vgRsVqMf9cP83KlMo4GNMIGKMA4GA1UdDwEB/wQEAwIBhjAn
-BgNVHSUEIDAeBggrBgEFBQcDAgYIKwYBBQUHAwEGCCsGAQUFBwMJMA8GA1UdEwEB
-/wQFMAMBAf8wHQYDVR0OBBYEFD2YUNtsvUD2ynIAtfr1Uk1NjYz8MB8GA1UdIwQY
-MBaAFNQHZnqD3OEfYZ6HWsjFzb9UPuDRMAUGAytlcANBAKYH1gYc72heLF8mu2vo
-8FAcozEtFv+2g1OFvahcSoPrn7kbUcq8ebGb+o6wbgrVm8P/Y/c3h5bmnw5y8V3t
-9gw=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB8zCCAaWgAwIBAgIQAY7Mx8YFd9iyZFCrz3LiKDAFBgMrZXAwZDELMAkGA1UE
-BhMCR1IxFTATBgNVBAoTDEhhY2sgVGhlIEJveDEQMA4GA1UECxMHU3lzdGVtczEs
-MCoGA1UEAxMjSFRCIFZQTjogUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwIBcN
-MjQwNDExMTA1MDI4WhgPMjA1NDA0MTExMDUwMjhaMGQxCzAJBgNVBAYTAkdSMRUw
-EwYDVQQKEwxIYWNrIFRoZSBCb3gxEDAOBgNVBAsTB1N5c3RlbXMxLDAqBgNVBAMT
-I0hUQiBWUE46IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCowBQYDK2VwAyEA
-FLTHpDxXnmG/Xr8aBevajroVu8dkckNnHeadSRza9CCjazBpMA4GA1UdDwEB/wQE
-AwIBhjAnBgNVHSUEIDAeBggrBgEFBQcDAgYIKwYBBQUHAwEGCCsGAQUFBwMJMA8G
-A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNQHZnqD3OEfYZ6HWsjFzb9UPuDRMAUG
-AytlcANBABl68VB0oo0rSGZWt6L+LNMnyHEJl+CQ+FTjQfzE6oqEMAvJTzdjMyeG
-OOUNlQYwGRVajOauFa/IMvDsTBXOgw8=
------END CERTIFICATE-----
-</ca>
-<cert>
------BEGIN CERTIFICATE-----
-MIIBxjCCAXigAwIBAgIQAZQTnGxLc3eYzWO9SnM9sjAFBgMrZXAwXjELMAkGA1UE
-BhMCR1IxFTATBgNVBAoTDEhhY2sgVGhlIEJveDEQMA4GA1UECxMHU3lzdGVtczEm
-MCQGA1UEAxMdSFRCIFZQTjogZXUtZnJlZS0yIElzc3VpbmcgQ0EwHhcNMjQxMjI5
-MTgxMDA2WhcNMzQxMjI5MTgxMDA2WjBKMQswCQYDVQQGEwJHUjEVMBMGA1UEChMM
-SGFjayBUaGUgQm94MRAwDgYDVQQLEwdTeXN0ZW1zMRIwEAYDVQQDEwltcC0yNzQ1
-NjQwKjAFBgMrZXADIQDiwraGYtEpx63P6AMDQgczmsx4WO9iVPGTkVRRkyHrmqNg
-MF4wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
-ATAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFD2YUNtsvUD2ynIAtfr1Uk1NjYz8
-MAUGAytlcANBANAkGgddoR9WIbfv3C8gIPx6ivEyq1Tlo354JG/y+lv015bOjrmy
-aL7cF4ILRaPTbxWeBfVeVQOwLrz4rCBwsg0=
------END CERTIFICATE-----
-</cert>
-<key>
------BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIAA2VTVH7CjQQECTQGg/FAy+5uJ6fGSRN5vAbeK3qawi
------END PRIVATE KEY-----
-</key>
-<tls-crypt>
-#
-# 2048 bit OpenVPN static key
-#
------BEGIN OpenVPN Static key V1-----
-85341e27fb3510f97f3455db449ea6c4
-bf6b87e90802ced4c36feaa162ddd218
-9df22b9895d5770fd942b745b8d5532b
-716fa58ac45e0f59b589ae1bc7ad11c7
-633c0c811b2ff682a35da172f6b32452
-410c971b8d422502aa012a37422d63bc
-8ce669f3f1ded38144e3df1d0b689ae3
-5fa92a5f23600fba10da3ce71163e128
-bbac0bc5a922c16f3803f9dc36be960a
-6cb371df43583fef525aa529ef2615b9
-95d7acd479cf90eada71684bec3c70e3
-2f2d25a66732544c5bc5f225d01940b7
-b66cf57327a3331ec7550e915bdc68a9
-4949a88a101f2d3383268fd32ffece1d
-7d8d62d679707ae0c4d36a582b4a2a8f
-24ee9da8eefa18339cd8d6425dceef89
------END OpenVPN Static key V1-----
-</tls-crypt>

README.md

@@ -1,11 +1,20 @@
-PentestPilot
+# PentestPilot
 
-- Overview
-- Script‑driven toolkit to accelerate common OSCP/HTB workflows: discovery, web recon, AD, password hygiene, shells, tunnels, transfers, privilege escalation, post‑exploitation, reporting.
-- AI agents and orchestrators automate reconnaissance and organize results. Works with OpenAI (OPENAI_API_KEY) or local Ollama.
-- New? Start with HOWTO.md:1 for step‑by‑step usage, dashboard details, and resumeable pipelines.
+AI‑assisted pentest recon and orchestration toolkit with resumeable pipelines, a rich terminal dashboard, and tech‑aware routing.
 
-Quick Start (Dashboard in ~3–5 minutes)
+[![Made for Pentesters](https://img.shields.io/badge/made_for-pentesters-111827?style=for-the-badge)](#)
+[![AI‑Ready](https://img.shields.io/badge/AI-Ready-10B981?style=for-the-badge)](#)
+[![Resumeable Pipelines](https://img.shields.io/badge/Pipelines-Resumeable-2563EB?style=for-the-badge)](#)
+[![Dashboard](https://img.shields.io/badge/Dashboard-Color%20%7C%20JSON-7C3AED?style=for-the-badge)](#)
+
+## Overview
+Script‑driven toolkit to accelerate common OSCP/HTB workflows: discovery, web recon, AD, password hygiene, shells, tunnels, transfers, privilege escalation, post‑exploitation, reporting.
+
+AI agents and orchestrators automate reconnaissance and organize results. Works with OpenAI (OPENAI_API_KEY) or local Ollama.
+
+New? Start with HOWTO.md:1 for step‑by‑step usage, dashboard details, and resumeable pipelines.
+
+## Quick Start (Dashboard in ~3–5 minutes)
 - Clone/open the repo and load the shell profile:
   echo "source $(pwd)/.zshrc.htb" >> ~/.zshrc && exec zsh
 - Minimal deps (Debian/Ubuntu):
@@ -56,11 +65,11 @@ Features at a Glance
 Dependencies
 - Recommended: nmap, ffuf, httpx, nuclei, gobuster, gowitness, subfinder|amass, sqlmap, wpscan, droopescan, joomscan, magescan, impacket, ldap-utils, snmp, ripgrep, jq, python3 requests, socat, chisel
 
-Documentation
+## Documentation
 - HOWTO.md:1 — in‑depth “how to” with recommended tools, pipeline semantics, dashboard legend, manifest schema, and examples.
 - TOOLKIT.md:1 — command catalog grouped by category with references back to HOWTO.
 
-Docs Index (quick links)
+### Docs Index (quick links)
 - HOWTO: Overview — HOWTO.md#overview
 - Install & Setup — HOWTO.md#install--setup
 - Core Env Vars — HOWTO.md#core-env-vars

TOOLKIT.md

@@ -1,8 +1,8 @@
-PentestPilot — Quick Reference
+# PentestPilot — Quick Reference
 
 For step‑by‑step usage, pipeline semantics, dashboard features, and resume behavior, read HOWTO.md:1. This file focuses on a clickable, categorized command index with succinct usage. Most entries accept TARGET via env if a positional argument is omitted.
 
-Table of Contents
+## Table of Contents
 - Setup — #setup
 - Core Workflow — #core-workflow
 - Enumeration — #enumeration-requires-target
@@ -25,13 +25,13 @@ Table of Contents
 - Hashes — #hashes-binhashes
 - Tips — #tips
 
-Setup
+## Setup
 - Keep this repo in a working folder, e.g., htb/.
 - Source the shell helpers from your main zshrc:
   echo "source $(pwd)/.zshrc.htb" >> ~/.zshrc
 - Open a new shell or run: source .zshrc.htb
 
-Core Workflow
+## Core Workflow
 - settarget <ip_or_host>
   - Creates targets/<target> with scans, loot, www, exploits.
   - Sets OUTDIR to the target’s scans directory.
@@ -41,7 +41,7 @@ Core Workflow
  - notesinit → scaffold notes.md in target directory
  - notesattach → append scan artifacts summary to notes
 
-Enumeration (requires TARGET)
+## Enumeration (requires TARGET)
 - nq        → Quick nmap: scripts + versions
 - nf        → Full TCP: -p- then service/version
 - nu        → UDP top 200
@@ -58,7 +58,7 @@ Individual scripts (bin/)
 - ftp_enum.sh <ip>
 - snmp_enum.sh <ip> [community]
 
-Automation (bin/automation/) — see HOWTO: Automation & Orchestration, Dashboard, Manifest
+## Automation (bin/automation/) — see HOWTO: Automation & Orchestration, Dashboard, Manifest
 - auto_recon.sh <target> [--no-udp]
 - parse_nmap_open_ports.sh <*.gnmap>
 - report_summary.py <*.gnmap ...>
@@ -96,7 +96,7 @@ dashboard --compact
 resumeall
 ```
 
-Web helpers (bin/web/) — see HOWTO: Web Recon & Routing
+## Web helpers (bin/web/) — see HOWTO: Web Recon & Routing
 - dirbuster.sh <url> [wordlist] [exts] — ffuf directory fuzz
 - vhost_ffuf.sh <base-url> <domain> [wordlist] — virtual hosts
 - param_fuzz.sh <url-with-FUZZ> [wordlist] — parameter discovery
@@ -144,7 +144,7 @@ gobuster_vhost.sh http://$TARGET/ /usr/share/wordlists/seclists/Discovery/DNS/su
 gobuster_dir.sh http://$TARGET/ /usr/share/wordlists/dirb/common.txt php,txt 50
 ```
 
-Reverse shells (bin/shells/)
+## Reverse shells (bin/shells/)
 - revsh.py <lhost> <lport> — prints common one-liners
 - listener.sh <port> — rlwrap + nc/ncat listener
 - tty_upgrade.sh — quick TTY tips
@@ -161,7 +161,7 @@ revsh.py YOUR_IP 4444
 tty_upgrade.sh
 ```
 
-File transfer (bin/transfer/)
+## File transfer (bin/transfer/)
 - http_serve.sh [port] — simple Python HTTP server
 - serve.py [port] — HTTP server with web upload (POST /upload)
 - push_http.sh <file> <http://host:port/upload> — upload to serve.py
@@ -181,7 +181,7 @@ push_http.sh loot.txt http://YOUR_IP:8000/upload
 smb_server.sh share ./loot
 ```
 
-Crypto / Text (bin/crypto/)
+## Crypto / Text (bin/crypto/)
 - encoders.py b64e|b64d|urle|urld|hex|unhex|xor|rot
 - jwt_show.py <jwt> — decode header/payload (no verify)
 
@@ -191,7 +191,7 @@ encoders.py b64e 'secret'; encoders.py urle 'a b'
 jwt_show.py eyJhbGciOi...
 ```
 
-Privilege Escalation (bin/privesc/)
+## Privilege Escalation (bin/privesc/)
 - linux_quick_enum.sh — basic local recon
 - suid_scan.sh — list SUID/SGID
 - caps_scan.sh — list file capabilities
@@ -202,7 +202,7 @@ linux_quick_enum.sh
 caps_scan.sh
 ```
 
-Misc (bin/misc/)
+## Misc (bin/misc/)
 - cyclic.py create <len> | offset <needle> — pattern + offset
 - port_forward.sh — wrappers for ssh -L/-R/-D
  - extract_urls.py <file...>
@@ -214,7 +214,7 @@ port_forward.sh -L 8080:127.0.0.1:80 user@host
 extract_urls.py notes.md
 ```
 
-AI (bin/ai/) — see HOWTO: AI Integrations
+## AI (bin/ai/) — see HOWTO: AI Integrations
 - ask.py [-m model] [-s system] "prompt" | - (stdin)
 - wordlist_from_context.py <target> [context-file|-]
  - orchestrate_web.py <hosts.txt>
@@ -237,7 +237,7 @@ orchestrate_web.py hosts.txt
 agent web hosts.txt
 ```
 
-Active Directory (bin/ad/)
+## Active Directory (bin/ad/)
 - getnpusers_wrapper.sh <domain/user:pass> <dc_ip> [userlist.txt]
 - getspns_wrapper.sh <domain/user:pass> <dc_ip>
 - ldap_quick_users.sh <ip> <baseDN> [user pass]
@@ -254,7 +254,7 @@ kerbrute_wrapper.sh domain users.txt 10.10.10.5
 cme_quick.sh $TARGET user pass
 ```
 
-Passwords (bin/passwords/)
+## Passwords (bin/passwords/)
 - mutate_words.py word1 [word2 ...] | -
 - spray_http_basic.sh <url> <users.txt> <password>
  - merge_dedupe.sh <file1> [file2 ...] — dedup merged lists
@@ -269,7 +269,7 @@ wordlist_cleanup.sh merged.txt 8 64 > cleaned.txt
 spray_http_basic.sh http://$TARGET/protected users.txt Winter2025!
 ```
 
-Windows (bin/windows/)
+## Windows (bin/windows/)
 - privesc_quick.ps1 — run on target
 - win_share_enum.ps1 -Target <host>
  - find_unquoted_services.ps1 — potential service path issues
@@ -283,7 +283,7 @@ powershell -ep bypass -f bin/windows/win_share_enum.ps1 -Target $TARGET
 powershell -ep bypass -f bin/windows/find_unquoted_services.ps1
 ```
 
-Post-Exploitation (bin/post/)
+## Post-Exploitation (bin/post/)
 - linux_loot.sh — targeted loot collector with size caps
  - windows_loot.ps1 — targeted loot collector (PowerShell)
  - pack_report.sh <target> — merge loot/scans into markdown report
@@ -294,7 +294,7 @@ LOOT_DIR=/tmp/loot MAX_SIZE=10485760 INCLUDE_DB=1 bin/post/linux_loot.sh
 bin/post/pack_report.sh $TARGET
 ```
 
-DNS (bin/dns/)
+## DNS (bin/dns/)
 - zone_transfer.sh <domain> [ns]
 - subenum.sh <domain>
  - gobuster_dns.sh <domain> [wordlist] [threads]
@@ -305,7 +305,7 @@ zone_transfer.sh target.htb
 gobuster_dns.sh target.htb /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt 100
 ```
 
-Scanning (bin/scan/)
+## Scanning (bin/scan/)
 - naabu_quick.sh <target> [flags]
 - masscan_top.sh <target> [rate]
 
@@ -315,7 +315,7 @@ naabu_quick.sh $TARGET -p 1-65535
 masscan_top.sh $TARGET 20000
 ```
 
-Tunnels (bin/tunnel/)
+## Tunnels (bin/tunnel/)
 - chisel_server.sh <port>
 - chisel_client.sh <host:port> R:<lport>:<rhost>:<rport>
 - autossh_socks.sh <user@host> [lport]
@@ -328,7 +328,7 @@ chisel_server.sh 8000 &
 chisel_client.sh YOUR_IP:8000 R:8080:127.0.0.1:80
 ```
 
-Pwn (bin/pwn/)
+## Pwn (bin/pwn/)
 - pwntools_template.py — starter exploit template
 
 Examples
@@ -336,7 +336,7 @@ Examples
 python3 bin/pwn/pwntools_template.py REMOTE=1 HOST=$TARGET PORT=31337
 ```
 
-Hashes (bin/hashes/)
+## Hashes (bin/hashes/)
 - extract_ntlm_from_secretsdump.py <file> [out]
  - john_pfx.sh <file.pfx> — john format for PFX
 
@@ -346,7 +346,7 @@ extract_ntlm_from_secretsdump.py secretsdump.out ntlm.txt
 john_pfx.sh cert.pfx > pfx.hash
 ```
 
-Tips
+## Tips
 - OUTDIR controls where scans are saved; set by settarget.
 - Most scripts accept TARGET via env if argument omitted.
 - If a tool isn’t installed (ffuf, getcap, ldapsearch, snmpwalk), install it or adjust the command.