| name | pentest-hacktricks-finder |
| description | Support skill for HackTricks technique research, payload ideas, bypasses, prerequisites, caveats, and edge-case behavior across web, network, cloud, and application security topics. Use as owner only when research is the current blocker. |
HackTricks Search Skill
Purpose
Use this skill to reliably discover and extract the most relevant HackTricks pages for a given technique, vulnerability class, bypass, or exploitation workflow across the main and cloud HackTricks properties, then pull the exact sections needed (payloads, prerequisites, caveats, and defensive notes).
Keep this as a support skill for technique, payload, bypass, and edge-case research unless the current owner phase is explicitly research.
HackTricks can be inconsistently indexed across search engines. This skill therefore defines two search backends:
- Primary: Exa-based web search with strict site scoping.
- Secondary: DuckDuckGo dorks with strict site scoping and noise reduction.
- Verification: GitHub repository search against the upstream HackTricks repositories.
Use the secondary backend when:
- Exa results are sparse or irrelevant.
- You need very tight matching by title/path/keyword.
- You want reproducible dork sets for common vuln classes.
Scope Guardrails
Only target content under:
https://hacktricks.wiki/
https://book.hacktricks.wiki/en/
https://cloud.hacktricks.wiki/
https://github.com/HackTricks-wiki/hacktricks
https://github.com/HackTricks-wiki/hacktricks-cloud
Treat hacktricks.wiki as the current canonical host for the main wiki and book.hacktricks.wiki as the legacy path when both appear. Avoid unrelated mirrors, translations, or cached copies unless explicitly requested.
Inputs
- Topic: a short phrase describing the target, example: “DOM XSS bypass”, “XXE parameter entities”, “CSRF SameSite bypass”.
- Optional: vuln class (XSS, XXE, CSRF, SSRF, SSTI, IDOR, Smuggling, Deserialization, Cloud).
- Optional: constraints (framework, language, cloud provider, WAF, browser).
Workflow
- Search: Execute Exa first. If results are shallow, use DDG dorks or Exa to query DDG.
- Verify: Cross-check the result against the related upstream GitHub repository when possible:
https://github.com/HackTricks-wiki/hacktricks for hacktricks.wiki and legacy book.hacktricks.wiki
https://github.com/HackTricks-wiki/hacktricks-cloud for cloud.hacktricks.wiki
- Fetch: Use the
web_fetch tool for HackTricks URLs. DO NOT use read_file.
- Extract: Focus on:
- Payloads and variants
- Preconditions / limitations (e.g., IMDSv2, TTL, Hop Limit)
- Bypass techniques
- Detection / hardening notes
- Pivot: If a page is an index or high-level overview (like
cloud-ssrf.html), perform a follow-up search or fetch sub-pages mentioned in the text for specific payloads (e.g., ECS vs EC2).
- Double-check: If the wiki result looks incomplete, outdated, or ambiguous, search the matching GitHub repository directly for the same slug, title, or unique phrase and compare the repository source to the rendered page.
- Return:
- The selected URLs
- The extracted payloads / steps
- Any prerequisites and constraints
Backend A: Exa Search (Primary)
Generic pattern
web_search_exa({
query: "site:hacktricks.wiki OR site:book.hacktricks.wiki/en OR site:cloud.hacktricks.wiki <topic>",
include: ["https://hacktricks.wiki/*", "https://book.hacktricks.wiki/en/*", "https://cloud.hacktricks.wiki/*"]
})
Tighten results (recommended)
web_search_exa({
query: "site:hacktricks.wiki OR site:book.hacktricks.wiki/en OR site:cloud.hacktricks.wiki (<high-entropy keywords>) (<bypass|payload|trick|technique>)",
include: ["https://hacktricks.wiki/*", "https://book.hacktricks.wiki/en/*", "https://cloud.hacktricks.wiki/*"]
})
Notes:
- Prefer 1–3 high-entropy tokens over long keyword chains (page slugs, function names, CVE IDs, unique headings).
- If Exa returns index pages, pivot to deeper subpages under the same directory.
Backend B: DuckDuckGo Dorking (Secondary)
DuckDuckGo query semantics are not identical to Google “dorking”. Adjust how you construct queries:
- Do not assume implicit AND across space-separated terms. Use high-entropy anchors (slugs, quoted phrases, intitle/inurl).
- DuckDuckGo can relax constraints and show “related results” if an operator-heavy query yields few/no hits. When this happens, tighten with slugs/quotes rather than adding generic keywords.
+term is a relevance boost, not a strict requirement.
- Prefer
site: + inurl: / intitle: + quoted phrase + negative filters over boolean-style chains.
Supported operators you should rely on:
- Quotes for exact phrases
- Exclusion
-term and -site:example.com
site:, inurl:, intitle:, filetype: (limited set)
Baseline template (DDG-correct)
(site:hacktricks.wiki OR site:book.hacktricks.wiki OR site:cloud.hacktricks.wiki) inurl:/en/ <high-entropy tokens> -inurl:/print -inurl:/index -inurl:/tags
Targeted Search Playbooks (Slug-first)
These playbooks are designed to work well with DuckDuckGo by anchoring on stable HackTricks slugs and directories.
XSS playbook
(site:hacktricks.wiki OR site:book.hacktricks.wiki OR site:cloud.hacktricks.wiki) inurl:/en/pentesting-web/xss-cross-site-scripting/ (csp OR waf OR bypass OR payload) -inurl:/print -inurl:/index
XXE playbook
(site:hacktricks.wiki OR site:book.hacktricks.wiki OR site:cloud.hacktricks.wiki) inurl:/en/pentesting-web/ inurl:xxe-xee-xml-external-entity (DTD OR "parameter entity" OR payload) -inurl:/print -inurl:/index
SSRF playbook (Including Cloud)
(site:hacktricks.wiki OR site:book.hacktricks.wiki OR site:cloud.hacktricks.wiki) inurl:/en/pentesting-web/ssrf-server-side-request-forgery/ (metadata OR cloud OR "169.254" OR "169.254.170.2" OR bypass) -inurl:/print -inurl:/index
Cloud Pentesting Playbook (AWS/GCP/Azure)
(site:hacktricks.wiki OR site:book.hacktricks.wiki OR site:cloud.hacktricks.wiki) inurl:/en/ (pentesting-web OR pentesting-cloud) (aws OR gcp OR azure) (ssrf OR privilege OR "metadata-service" OR iam) -inurl:/print -inurl:/index
Backend C: GitHub Repository Verification
Use GitHub as a double-check source when search results are inconsistent, the wiki page is sparse, or you need the authoritative upstream text.
Main wiki repository
repo:HackTricks-wiki/hacktricks <topic OR slug OR unique phrase>
Cloud wiki repository
repo:HackTricks-wiki/hacktricks-cloud <topic OR slug OR unique phrase>
Verification notes:
- Prefer the repository file or rendered markdown that matches the wiki slug.
- Use the repository to confirm naming, section order, and edge-case details when search engines disagree.
- If the wiki and repository diverge, treat the repository as the source of truth for the upstream text and note the mismatch.
SSTI playbook
(site:hacktricks.wiki OR site:book.hacktricks.wiki OR site:cloud.hacktricks.wiki) inurl:/en/pentesting-web/ssti-server-side-template-injection/ (payload OR bypass OR sandbox) -inurl:/print -inurl:/index
IDOR playbook
(site:hacktricks.wiki OR site:book.hacktricks.wiki OR site:cloud.hacktricks.wiki) inurl:/en/pentesting-web/ (idor OR "insecure direct object reference" OR "broken access control") -inurl:/print -inurl:/index
Verification Checklist (Before Fetch)
- URL is on one of the HackTricks properties and matches the intended technique.
- If the wiki page is on
hacktricks.wiki, confirm whether it also exists in github.com/HackTricks-wiki/hacktricks.
- If the wiki page is on
cloud.hacktricks.wiki, confirm whether it also exists in github.com/HackTricks-wiki/hacktricks-cloud.
- The slug matches the intended vuln class (or at least the intended technique).
- The page is not an index-only aggregator when you need payload detail.
- If DuckDuckGo returns “related results”, reduce generic terms and increase specificity (slug + quoted phrase).
Fetch and Extraction
After selecting URLs, always use web_fetch. Extract:
- Section headers that contain payloads, bypasses, PoCs
- Any prerequisites (versions, libraries, browser constraints)
- Any “gotchas” (encoding, parsing differences, WAF behaviors, Cloud-specific hurdles like IMDSv2 tokens)
Return results in a minimal structure:
{
"topic": "<topic>",
"selected_urls": [
"https://hacktricks.wiki/...",
"https://book.hacktricks.wiki/en/..."
],
"extracted": [
{
"url": "https://hacktricks.wiki/...",
"sections": ["<header 1>", "<header 2>"],
"payloads_or_steps": ["<payload/step 1>", "<payload/step 2>"],
"constraints": ["<constraint 1>", "<constraint 2>"]
}
]
}
Notes for Pentesters
- Prefer subtree-restricted searches first (example: xss-cross-site-scripting, ssrf-server-side-request-forgery).
- Pivot Strategy: If a page mentions an environment variable (e.g.,
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI), look for the section explaining how to leak it.
- IMDSv2 Note: Always check if a payload requires a
PUT request for a token (IMDSv2) or if it's a simple GET (IMDSv1).
- When you find a strong index page, pivot to deeper subpages under the same directory for payload detail.