Exegol - a fully featured and community-driven hacking environment

TL;DR: Exegol is a community-driven hacking environment, powerful and yet simple enough to be used by anyone in day to day engagements.

Exegol is a fully configured docker with many useful additional tools, resources (scripts and binaries for privesc, credential theft etc.) and some configuration (oh-my-zsh, history, aliases, colorized output for some tools). It can be used in pentest engagements, bugbounty, CTF, HackTheBox, OSCP lab & exam and so on. Exegol's original fate was to be a ready-to-hack docker in case of emergencies during engagements.

The main features of Exegol are:

  • wrench Tools: many tools that are either installed manually or with apt, pip, go etc. Some of those tools are in kali, some are not. Exegol doesn't come with only ultra-famous tools, you will find ones that the community loves to use, even if it's in dev/new/not famous. Some tools are pre-configured and/or customized (colored output, custom NtChallengeResponse in Responder, custom queries in BloodHound, ...)
  • bulb Resources: many resources can be useful during engagements. Those resources are not referred to as "tools" since they need to be run on a pwned target, and not on the attacker machine (e.g. mimikatz, rubeus, ...).
  • scroll History: a populated history file that allows exegol users to save time and brain space by not having to remember every tool option and argument or checking the "help" every time.
  • rocket Aliases: a file containing aliases that can be handful when using manually installed tools, or doing common operations.
  • mag_right Usage : a powerful Python3 wrapper used to manage Exegol container and image very easily (handles docker operations like docker pulldocker builddocker rundocker startdocker stopdocker psdocker rmdocker inspect).

Below is an example of a Zerologon attack operated with Exegol. Example

Below is an example of a ACE abuse/RBCD attack operated with Exegol Example

fast_forward Quick start

Bear in mind that the install process can be long as it downloads a ~6GB image.

git clone https://github.com/ShutdownRepo/Exegol
cd Exegol
python3 -m pip install --user --requirement requirements.txt
python3 exegol.py start

mag_right Usage

A powerful Python wrapper allows to manage Exegol without having to know docker-fu.

  • Install (pull or build) an image : exegol install
  • Create/start/enter a container : exegol start
  • Stop a container : exegol stop
  • Remove a container or an image : exegol remove
  • Get help and advanced usage : exegol --help


By default, Exegol will start with display sharing allowing GUI-based programs to run, here is an example with BloodHound.


closed_lock_with_key Credentials

Some tools are pre-configured with the following credentials

Element User Password
wso-webshell (PHP) exegol4thewin
neo4j database neo4j exegol4thewin
bettercap ui bettercap exegol4thewin
trilium trilium exegol4thewin

pushpin Pre-requisites

You need python3, python3-pip, git, docker whale, and 15GB of free storage (What did you expect? A fully featured pentesting environment for less than 2GB? If you've got ideas I'm all ears).

wrench Tools

The tools installed in Exegol are mostly installed from sources in order to have the latest version when deploying Exegol. Some installs are made with go, pip, apt, gem etc. You will find most of the tools in /opt/tools.

bulb Resources

In addition to the many tools pre-installed and configured for some, you will find many useful pre-fetched resources like scripts and binaries in /opt/resources. There some pre-EoP enumeration scripts (EoP: Escalation of Privileges) and other useful binaries like Rubeus or mimikatz.

scroll History

When I hack, I often rely on my history. I don't have to remember command line options, syntax and such. This history is filled with commands that I used in engagements, bugbounties, ctf, oscp and so on. Of course, the values are placeholders that need to be changed with the appropriate ones in your context. The history is easily usable with oh-my-zshzsh-autosuggestions, and fzf

rocket Aliases

Since many tools are manually installed in /opt/tools/, aliases could be heplful to use these without having to change directory manually. Other aliases are set to save time while hacking (http-serverphp-serverurlencode,ipa, ...).

loudspeaker Credits & thanks

Credits and thanks go to every infosec addicts that contribute and share but most specifically to @th1b4ud for the base "Kali Linux in 3 seconds with Docker".

movie_camera Introducing Exegol (in french w/ english subs)

Original repository: https://github.com/ShutdownRepo/Exegol

July 19, 2021
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013

Privacy Preference Center


Cookies that are necessary for the site to function properly. This includes, storing the user's cookie consent state for the current domain, managing users carts to using the content network, Cloudflare, to identify trusted web traffic. See full Cookies declaration

gdpr, PYPF, woocommerce_cart_hash, woocommerce_items_in_cart, _wp_wocommerce_session, __cfduid [x2]


tr, fr