knowledge-base



By fb0sh. Updated 6/2/2026.

name: knowledge-base
description: Query, create, update, and organize reusable penetration testing knowledge under .pentester/knowledge. Manually triggered via /pentester:knowledge-base.

Knowledge Base

This skill is used to query, create, update, and organize long-term knowledge entries within .pentester/knowledge/.

When to Use

  • User requests "query knowledge base", "record knowledge", "document experience", "organize tool usage", "add new knowledge entry"
  • User requests organizing /Volumes/External HD/References/github/ or other external reference libraries into .pentester/knowledge/ as reusable indexes
  • Reusable vulnerability verification methods, tool troubleshooting steps, or report remediation suggestions emerge during testing
  • Extracting general knowledge from target/${IP}/solutions.md or .pentester/solutions.md
  • Before executing a PTES phase, need to reuse historical methodology, command templates, or judgment criteria
  • Before generating a report, need to query standardized vulnerability descriptions, impact statements, or remediation suggestions

Knowledge Sources

Read in priority order:

  1. .pentester/knowledge/INDEX.md — quick entry location
  2. .pentester/knowledge/README.md — knowledge base conventions and categories
  3. .pentester/knowledge/<category>/*.md — structured knowledge entries
  4. .pentester/solutions.md — historical solutions, usable as extraction source
  5. target/${IP}/solutions.md — single-target experience, usable as extraction source
  6. .pentester/PTES.md and .pentester/sections/ — PTES phase flow reference

Categories

| Category | Path | Purpose |
| --- | --- | --- |
| Recon | .pentester/knowledge/recon/ | Asset discovery, port scanning, service identification, OSINT, DNS, web enumeration |
| Vulnerability Analysis | .pentester/knowledge/vuln-analysis/ | Vulnerability identification, false-positive elimination, CVSS scoring, CVE verification, impact assessment |
| Exploitation | .pentester/knowledge/exploitation/ | Exploitation conditions, PoCs, payloads, exploitation-failure troubleshooting, access paths |
| Post Exploitation | .pentester/knowledge/post-exploitation/ | Privilege escalation, credential collection, persistence, lateral movement, data impact analysis |
| Tooling | .pentester/knowledge/tooling/ | Tool commands, installation methods, container environment, proxies, dependency issues |
| Reporting | .pentester/knowledge/reporting/ | Vulnerability descriptions, impact statements, remediation suggestions, retest methods, evidence templates |
| Defensive | .pentester/knowledge/defensive/ | Detection strategies, log signatures, mitigation measures, hardening baselines |

Query Process

Step 1: Understand the Request

Identify user intent:

  • Query existing knowledge
  • Add new knowledge entry
  • Update existing entry
  • Extract knowledge from field records
  • Recommend methods for current PTES phase
  • Generate standardized descriptions or remediation suggestions for reports

If the user does not provide a clear topic, first ask a brief question to confirm the topic or category.

Step 2: Search the Knowledge Base

Prioritize index lookup:

  1. Read .pentester/knowledge/INDEX.md
  2. Search for relevant entries by keyword
  3. If the index has no match, search .pentester/knowledge/**/*.md
  4. If necessary, query .pentester/solutions.md and target/*/solutions.md

Step 3: Answer with Source References

Answers should include:

  • Relevant knowledge entry paths
  • Directly executable or reusable steps
  • Applicable conditions and limitations
  • Evidence storage locations
  • Risk warnings

If the knowledge base has no relevant content, clearly state that nothing was found and optionally suggest creating a new entry.

Create Entry Process

Step 1: Classify

Select a category directory based on content:

  • recon/
  • vuln-analysis/
  • exploitation/
  • post-exploitation/
  • tooling/
  • reporting/
  • defensive/

Step 2: Generate Filename

Filenames must use lowercase hyphenated style:

<topic>-<short-description>.md

Examples:

vuln-analysis/spring4shell-verification.md
tooling/nmap-common-scan-profiles.md
reporting/sql-injection-remediation.md

Step 3: Use Template

Create entries based on .pentester/knowledge/TEMPLATE.md, at minimum including:

  • Metadata
  • Applicable scenarios
  • Prerequisites
  • Operational steps
  • Judgment criteria
  • Evidence recording
  • Risks and limitations
  • Remediation and mitigation suggestions
  • Reference sources

Step 4: Sanitize Sensitive Data

Must inspect and sanitize before writing:

  • Passwords, tokens, cookies, sessions, API keys
  • Private keys, certificates, internal network segments that should not be public
  • Client names, real usernames, emails, phone numbers
  • Unauthorized target information

Step 5: Update Index

After adding, renaming, moving, deleting, batch importing, or organizing entries, immediately update .pentester/knowledge/INDEX.md.

Index requirements:

  • .pentester/knowledge/INDEX.md must cover all Markdown entries under .pentester/knowledge/ except INDEX.md itself.
  • Coverage scope includes: README.md, TEMPLATE.md, DIRECTORY.md, TAGS.md, PTES-INDEX.md, all category directories, ctf-lab/, _archive/.
  • Each index entry format:
- [Title](relative/path.md) — one-line description
  • If a category previously only had a placeholder, remove it after adding the first entry.
  • If entries are moved or renamed, all old links must be corrected.
  • If entries are deleted or archived, remove from the original location index and reflect the archive location in the _archive/ index.
  • After batch organization, run an integrity check: verify that every .pentester/knowledge/**/*.md (excluding INDEX.md) has a corresponding link in INDEX.md.

Recommended integrity check command:

python3 - <<'PY'
from pathlib import Path
kb = Path('.pentester/knowledge')
idx = (kb / 'INDEX.md').read_text(encoding='utf-8', errors='ignore')
missing = []
for p in kb.rglob('*.md'):
    rel = p.relative_to(kb).as_posix()   # POSIX-style path, exactly as it appears in an INDEX.md link
    if rel == 'INDEX.md':                # the index does not list itself
        continue
    if f']({rel})' not in idx:           # no "[Title](rel)" link anywhere in INDEX.md
        missing.append(rel)
print(f'missing: {len(missing)}')
for rel in missing:
    print(rel)
PY

Only when the result is missing: 0 is the index update considered complete.
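Steps 1 to 5 as one runnable routine, added here as an example rather than taken from the skill: it validates the category, derives the lowercase hyphenated filename, writes the required sections with a Metadata block, appends the `- [Title](relative/path.md) — description` line to INDEX.md while removing the category's placeholder, and refuses to overwrite an existing entry (that is the update process). Its check extends the command above in one direction the page's command does not cover: links in INDEX.md whose target file no longer exists, which is the failure mode behind the rule that moved or renamed entries must have their old links corrected. The placeholder text, the `## <Category>` section layout of INDEX.md, the TODO fillers and the constructed sample are assumptions of this example.

```python
# Added example, not the fb0sh/pentester skill's own code. Assumptions: INDEX.md is split into
# "## <Category>" sections, an empty section holds the PLACEHOLDER line, and new entries start
# with TODO fillers. The demo() run below uses a constructed knowledge base in a temp dir.
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

CATEGORIES = {"recon": "Recon", "vuln-analysis": "Vulnerability Analysis",
              "exploitation": "Exploitation", "post-exploitation": "Post Exploitation",
              "tooling": "Tooling", "reporting": "Reporting", "defensive": "Defensive"}
REQUIRED_SECTIONS = ["Applicable scenarios", "Prerequisites", "Operational steps",
                     "Judgment criteria", "Evidence recording", "Risks and limitations",
                     "Remediation and mitigation suggestions", "Reference sources"]
PLACEHOLDER = "- (no entries yet)"     # assumed marker for a category that has no entries yet


def slugify(title: str) -> str:
    """'Spring4Shell Verification' -> 'spring4shell-verification'; rejects titles that leave nothing."""
    slug = re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")
    if not slug:
        raise ValueError(f"no usable filename from title {title!r}")
    return slug


def add_index_line(index: str, heading: str, line: str) -> str:
    """Append `line` to the '## <heading>' section of INDEX.md, dropping the placeholder if present."""
    block = f"## {heading}\n"
    if block not in index:
        return index.rstrip("\n") + f"\n\n{block}\n{line}\n"
    head, tail = index.split(block, 1)
    nxt = re.search(r"(?m)^## ", tail)              # the section ends at the next level-2 heading
    body, rest = (tail[:nxt.start()], tail[nxt.start():]) if nxt else (tail, "")
    lines = [l for l in body.split("\n") if l.strip() and l.strip() != PLACEHOLDER]
    return head + block + "\n" + "\n".join(lines + [line]) + "\n\n" + rest


def new_entry(kb: Path, category: str, title: str, description: str, today: str) -> Path:
    """Steps 1-3 and 5: classify, name, scaffold the required sections, update INDEX.md."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}; choose one of {sorted(CATEGORIES)}")
    rel = f"{category}/{slugify(title)}.md"
    path = kb / rel
    if path.exists():                               # existing entries go through the update process
        raise FileExistsError(f"{rel} already exists")
    path.parent.mkdir(parents=True, exist_ok=True)
    meta = (f"# {title}\n\n## Metadata\n\n- Category: {CATEGORIES[category]}\n"
            f"- Created: {today}\n- Last Updated: {today}\n- PTES phase: TODO\n- Tags: TODO\n\n")
    path.write_text(meta + "".join(f"## {s}\n\nTODO\n\n" for s in REQUIRED_SECTIONS), encoding="utf-8")
    index = kb / "INDEX.md"
    text = index.read_text(encoding="utf-8") if index.exists() else "# INDEX\n"
    index.write_text(add_index_line(text, CATEGORIES[category], f"- [{title}]({rel}) — {description}"),
                     encoding="utf-8")
    return path


def check_index(kb: Path) -> Tuple[List[str], List[str]]:
    """(entries with no link in INDEX.md, INDEX.md links whose target file does not exist)."""
    idx = (kb / "INDEX.md").read_text(encoding="utf-8", errors="ignore")
    rels = [p.relative_to(kb).as_posix() for p in sorted(kb.rglob("*.md"))]
    missing = [r for r in rels if r != "INDEX.md" and f"]({r})" not in idx]
    links = re.findall(r"\]\(([^)\s#]+\.md)\)", idx)
    dangling = sorted({l for l in links if not l.startswith("http") and not (kb / l).exists()})
    return missing, dangling


def demo() -> dict:
    """Constructed run in a temp dir: a placeholder section, a stale link and an unindexed README."""
    kb = Path(tempfile.mkdtemp()) / ".pentester" / "knowledge"
    kb.mkdir(parents=True)
    (kb / "README.md").write_text("# Conventions\n", encoding="utf-8")      # deliberately not indexed
    (kb / "INDEX.md").write_text("# INDEX\n\n## Reporting\n\n- (no entries yet)\n\n"
                                 "## Tooling\n\n- [Old](tooling/old-entry.md) — moved away\n",
                                 encoding="utf-8")
    path = new_entry(kb, "reporting", "SQL Injection Remediation",
                     "parameterized queries, input validation, retest method", "2026-01-01")
    try:
        new_entry(kb, "reporting", "SQL Injection Remediation", "dup", "2026-01-01")
        refused = False
    except FileExistsError:
        refused = True
    missing, dangling = check_index(kb)
    return {"rel": path.relative_to(kb).as_posix(), "refused": refused, "missing": missing,
            "dangling": dangling, "index": (kb / "INDEX.md").read_text(encoding="utf-8")}
```

Run `demo()` to see the three findings a post-organization check should surface: README.md is a Markdown file under the knowledge base with no index link (the page's one-way check catches this), `tooling/old-entry.md` is linked but gone (only the dangling-link direction catches this), and the Reporting placeholder is gone once the first entry lands. Treat both lists being empty as the completion condition, not just `missing: 0`.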

Update Entry Process

  1. Read the target knowledge entry
  2. Preserve existing valuable content
  3. Only append or modify necessary parts
  4. Update the "Last Updated" date
  5. If new risks, limitations, or references are involved, supplement the corresponding sections
  6. Update .pentester/knowledge/INDEX.md
  7. If tags, PTES phases, or directory structure changes are involved, sync TAGS.md, PTES-INDEX.md, DIRECTORY.md
  8. Run index integrity check — must achieve missing: 0

External GitHub References Organization Process

When the user requests organizing /Volumes/External HD/References/github/, follow the rules below to ensure interruptible, resumable, and traceable processing.

Three-Stage Import Workflow

Organizing GitHub references into the knowledge base proceeds in three stages, and the status reported to the user must name the stage that has been completed:

  1. Raw import / material ingestion

    • Actually import readable textual content from repositories into .pentester/knowledge/github-references/<repo>/<relative-path>.md.
    • Preserve original content and attach source, import date, original file type, risk level, applicability scope, and authorization boundaries.
    • After completing Stage 1, must remind the user: materials are in the knowledge base filesystem, but Stage 2 "Index/Checkpoint/Manifest" and Stage 3 "Refinement/Classification/Topicalization" are still required.
  2. Index / Checkpoint / Manifest

    • Generate IMPORT-INDEX.md and ASSETS-MANIFEST.md for each repository.
    • Update the current directory process.md as a checkpoint record.
    • Update .pentester/knowledge/INDEX.md or at least mount a top-level entry point, e.g., github-references/FULL-IMPORT-SUMMARY.md.
    • After completing Stage 2, must remind the user: basic indexing is done, but Stage 3 "Refinement/Classification/Topicalization" is still required; otherwise materials are just raw archives, not equivalent to high-quality reusable knowledge.
  3. Refinement / Classification / Topicalization

    • De-duplicate and merge similar items from raw materials, refining into PTES-reusable topical knowledge.
    • Output to appropriate directories, e.g., vuln-analysis/topics/, exploitation/, post-exploitation/, defensive/, reporting/, ctf-lab/.
    • Topical entries must include: applicable scenarios, impact assessment, verification steps, evidence standards, risk boundaries, remediation suggestions, reference sources.
    • CTF/lab/learning content must be labeled separately from real penetration testing knowledge.

Step-by-Step Rules

  1. Read progress: First read process.md in the current working directory, confirm the "next resume" top-level directory; if the file does not exist, start from the first incomplete top-level directory.
  2. Organization granularity: Treat "top-level directory / secondary folder" as the minimum completion unit. For example: record immediately after completing 0day/00-CVE_EXP/ — do not wait until the entire large repository is processed.
  3. Write to process.md immediately after each secondary folder: Record path, file count, Markdown/script/YAML quantities, sample files, organization conclusions, risk boundaries, and whether imported into the knowledge base.
  4. Update resume point after completing a top-level directory: Write the next top-level directory in process.md's "Next resume" section for easy continuation after interruption.
  5. Sync to knowledge base is not just writing summaries: When the user requests "organize entire GitHub references into knowledge base", must actually import readable textual content into .pentester/knowledge/github-references/<repo>/<relative-path>.md, not just update github-references-organization-progress.md.
  6. Full-text/original-level import rules:
    • Import: .md, .markdown, .txt, .rst, .py, .sh, .rb, .php, .java, .js, .ts, .tsx, .go, .yml, .yaml, .json, .xml, .html, .css, .jsp, .http, .properties, .ini, .conf and other text content.
    • Each import entry must attach: source path, import date, original file type, risk level, applicability scope, authorization boundaries, original content.
    • Preserve original text for Markdown/RST source files; use code blocks to preserve original text for code/config/dictionary source files.
    • Unreadable or binary content (images, PDF, ZIP, JAR, EXE, RAR, 7z, tar, doc/docx, site build artifacts, etc.) must not be written into body text, but must generate an asset manifest recording path, size, and type.
  7. Import prioritization:
    • P0/P1: Import at original level, with additional curated navigation.
    • P2: CTF, labs, study notes must also be imported but must be labeled Training / CTF Lab.
    • Build artifacts, .git/, node_modules/, site/ may be skipped or recorded only in manifest.
  8. High-risk content handling: DoS, privilege escalation, WebShell, persistent backdoors, credentials, persistence, lateral movement, real exploitation PoC can be archived and imported as references, and must be prominently labeled "Authorized/Training/Research Only". When the user explicitly states it is for authorized testing, labs, CTF, internal exercises, or research environments, executable real steps may be provided; when authorization, target scope, or risk boundaries are not clearly defined, do not default to providing actionable steps usable against unauthorized third-party targets — confirm authorization and scope first.
  9. Update indexes: After adding or modifying .pentester/knowledge/ entries, must update INDEX.md; sync TAGS.md, PTES-INDEX.md, DIRECTORY.md when necessary. For batch imports, maintain sub-directory indexes first, then refresh the main index after the batch completes.
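The Stage 1 import and the Stage 2 index, manifest and checkpoint rules above, as an added example that is not the skill's own code: it imports the listed text extensions to `github-references/<repo>/<relative-path>.md` with the required metadata header, keeps Markdown and RST verbatim and wraps everything else in a fence longer than any backtick run inside the file (so an embedded ``` cannot break the entry), records binaries, skipped directories and files that carry a text extension but do not decode in ASSETS-MANIFEST.md with path, size and type, writes IMPORT-INDEX.md, and appends the process.md record with its "Next resume" line. The metadata field names, the default risk and authorization labels, the process.md line format and the constructed sample repository are assumptions of this example.

```python
# Added example, not the fb0sh/pentester skill's own code. Assumed: metadata header field
# names, "unreviewed" defaults for risk/applicability, the process.md record format, and the
# constructed sample repository built by build_sample_repo().
import re
import tempfile
from pathlib import Path

TEXT_EXT = {".md", ".markdown", ".txt", ".rst", ".py", ".sh", ".rb", ".php", ".java", ".js",
            ".ts", ".tsx", ".go", ".yml", ".yaml", ".json", ".xml", ".html", ".css", ".jsp",
            ".http", ".properties", ".ini", ".conf"}
PROSE_EXT = {".md", ".markdown", ".rst"}      # preserved verbatim; everything else goes in a fence
SKIP_DIRS = {".git", "node_modules", "site"}   # manifest only, never imported as body text
FENCE_LANG = {".py": "python", ".sh": "bash", ".js": "javascript", ".go": "go",
              ".yml": "yaml", ".yaml": "yaml", ".json": "json"}


def skipped(rel) -> bool:
    return any(part in SKIP_DIRS for part in Path(rel).parts)


def fence_for(text: str) -> str:
    """A fence one backtick longer than any run inside the file, so embedded ``` cannot close it."""
    longest = max((len(m) for m in re.findall(r"`{3,}", text)), default=0)
    return "`" * max(3, longest + 1)


def import_repo(src: Path, kb: Path, repo: str, import_date: str) -> dict:
    """Stage 1: one .md per text file. Stage 2: IMPORT-INDEX.md and ASSETS-MANIFEST.md."""
    dest = kb / "github-references" / repo
    dest.mkdir(parents=True, exist_ok=True)
    imported, assets = [], []
    for p in sorted(src.rglob("*")):
        if not p.is_file():
            continue
        rel, ext = p.relative_to(src).as_posix(), p.suffix.lower()
        if skipped(rel) or ext not in TEXT_EXT:
            assets.append((rel, p.stat().st_size, ext or "(none)",
                           "skipped-dir" if skipped(rel) else "binary/other"))
            continue
        raw = p.read_bytes()
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:                # text extension but not text: manifest, no body
            assets.append((rel, len(raw), ext, "undecodable"))
            continue
        if ext in PROSE_EXT:
            body = text
        else:
            f = fence_for(text)
            body = f"{f}{FENCE_LANG.get(ext, '')}\n{text.rstrip()}\n{f}\n"
        header = (f"# {rel}\n\n- Source: {repo}/{rel}\n- Import date: {import_date}\n"
                  f"- Original type: {ext}\n- Risk level: unreviewed (assign in Stage 3)\n"
                  f"- Applicability: unreviewed (assign in Stage 3)\n"
                  f"- Authorization boundary: Authorized/Training/Research Only\n\n")
        out = dest / (rel + ".md")
        out.parent.mkdir(parents=True, exist_ok=True)
        out.write_text(header + body, encoding="utf-8")
        imported.append(rel)
    (dest / "IMPORT-INDEX.md").write_text(
        "# IMPORT-INDEX\n\n" + "".join(f"- [{r}]({r}.md)\n" for r in imported), encoding="utf-8")
    (dest / "ASSETS-MANIFEST.md").write_text(
        "# ASSETS-MANIFEST\n\n| path | size | type | reason |\n| --- | --- | --- | --- |\n"
        + "".join(f"| {r} | {n} | {t} | {why} |\n" for r, n, t, why in assets), encoding="utf-8")
    return {"imported": len(imported), "assets": len(assets), "dest": dest, "date": import_date}


def checkpoint(process_md: Path, folder: str, s: dict, next_resume: str) -> None:
    """Rules 3 and 4: append the per-folder record and rewrite the 'Next resume' line."""
    old = process_md.read_text(encoding="utf-8") if process_md.exists() else ""
    old = re.sub(r"(?m)^Next resume: .*\n?", "", old)
    rec = f"- {folder}: imported={s['imported']} assets={s['assets']} date={s['date']}\n"
    process_md.write_text(old + rec + f"Next resume: {next_resume}\n", encoding="utf-8")


def read_resume(process_md: Path):
    """Rule 1: where to continue after an interruption, or None when process.md is absent."""
    if not process_md.exists():
        return None
    m = re.search(r"(?m)^Next resume: (.+)$", process_md.read_text(encoding="utf-8"))
    return m.group(1).strip() if m else None


def build_sample_repo(src: Path) -> None:
    """Constructed throwaway repository that exercises every branch above (not a real project)."""
    files = {"README.md": "# Sample\n\nTraining notes.\n",
             "exploit/poc.py": 'print("```")  # a fence inside the source\n',
             "notes/legacy.txt": b"\xff\xfe\x00not utf-8",
             "assets/logo.png": b"\x89PNG\r\n\x1a\n",
             "node_modules/x/index.js": "module.exports = 1;\n",
             ".git/config": "[core]\n"}
    for rel, content in files.items():
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        (src / rel).write_bytes(content if isinstance(content, bytes) else content.encode())


def demo() -> dict:
    """Run Stage 1/2 on the constructed repo in a temp dir and return what a checker would verify."""
    root = Path(tempfile.mkdtemp())
    src, kb = root / "src" / "sample-repo", root / ".pentester" / "knowledge"
    build_sample_repo(src)
    s = import_repo(src, kb, "sample-repo", "2026-01-01")
    proc = root / "process.md"
    checkpoint(proc, "sample-repo/exploit/", s, "sample-repo/notes/")
    s["next_resume"] = read_resume(proc)
    s["poc_md"] = (s["dest"] / "exploit" / "poc.py.md").read_text(encoding="utf-8")
    s["index_entries"] = (s["dest"] / "IMPORT-INDEX.md").read_text(encoding="utf-8").count("- [")
    return s
```

Risk level and applicability are written as "unreviewed" on purpose: Stage 1 archives, Stage 3 judges. The importer does not touch `.pentester/knowledge/INDEX.md`; mounting the top-level entry point and refreshing the main index happen after the batch completes, as rule 9 requires.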

Extract From Solutions Process

When extracting knowledge from .pentester/solutions.md or target/${IP}/solutions.md:

  1. Distinguish "single-target case details" from "general methods"
  2. Only write general methods to .pentester/knowledge/
  3. Delete or sanitize target-specific sensitive information
  4. Preserve source references, for example:

     ## Reference Sources

     - Internal case: `target/${IP}/solutions.md`, sanitized

  5. Do not delete original cases from .pentester/solutions.md
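Step 4 of the create process ("Sanitize Sensitive Data") and step 3 of this extraction process need the same pass, so one added example serves both; it is not the skill's own code. It replaces the real target address with `${IP}` (so `docker exec kali-target-${IP} ...` stays in the page's container format), redacts private-key blocks, JWTs, AWS access key IDs, cookie headers, e-mail addresses, phone numbers, RFC 1918 addresses and `password=`/`token:`-style pairs, and takes an explicit list of names that no regex can find (client names, real usernames). `residual_hits` is the gate to run before anything is written under `.pentester/knowledge/`. The patterns, labels and the constructed sample are assumptions of this example and will need tuning per engagement.

```python
# Added example, not the fb0sh/pentester skill's own code. The regexes, the <REDACTED:LABEL>
# markers and SAMPLE are this example's assumptions; the sample text is constructed.
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Checked in this order: multi-line key blocks first, generic key=value secrets last.
PATTERNS = [
    ("PRIVATE_KEY", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("JWT", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b")),
    ("AWS_ACCESS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("COOKIE", re.compile(r"(?im)^[ \t]*(?:Set-)?Cookie:[^\n]*")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?<![\w.-])\+\d[\d -]{8,}\d\b")),
    # RFC 1918 ranges: internal segments that must not leak into a shared knowledge base
    ("INTERNAL_IP", re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
                               r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
                               r"|192\.168\.\d{1,3}\.\d{1,3})\b")),
    # key=value / key: value secrets; the lookahead stops an already-redacted value matching again
    ("SECRET", re.compile(r"(?i)\b(password|passwd|pwd|token|api[_-]?key|secret|session)"
                          r"\s*[=:]\s*(?!<REDACTED)\S+")),
]


def sanitize(text: str, target_ip: Optional[str] = None,
             extra_terms: Iterable[str] = ()) -> Tuple[str, Dict[str, int]]:
    """Return (sanitized text, {label: count}). Names regexes cannot find (client names,
    real usernames) are passed in extra_terms and replaced literally."""
    counts: Dict[str, int] = {}
    if target_ip and target_ip in text:               # plain substring: 10.10.10.5 also hits 10.10.10.50
        counts["TARGET_IP"] = text.count(target_ip)
        text = text.replace(target_ip, "${IP}")       # keeps docker exec kali-target-${IP} ... valid
    for term in extra_terms:
        if term and term in text:
            counts["MANUAL"] = counts.get("MANUAL", 0) + text.count(term)
            text = text.replace(term, "<REDACTED:MANUAL>")
    for label, rx in PATTERNS:
        if label == "SECRET":                         # keep the key name so the step stays readable
            text, n = rx.subn(lambda m: f"{m.group(1)}=<REDACTED:SECRET>", text)
        else:
            text, n = rx.subn(f"<REDACTED:{label}>", text)
        if n:
            counts[label] = n
    return text, counts


def residual_hits(text: str) -> List[str]:
    """Gate before writing under .pentester/knowledge/: labels that still match after sanitizing."""
    return [label for label, rx in PATTERNS if rx.search(text)]


# Constructed field-notes fragment, the kind of thing found in target/${IP}/solutions.md.
SAMPLE = """# SSH password spray against 10.10.10.5 (pivot host 192.168.56.20)
docker exec kali-target-10.10.10.5 hydra -l jsmith -P rockyou.txt ssh://10.10.10.5
password=Winter2024!
Cookie: PHPSESSID=3f9a1c2e7b
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.dGVzdHNpZw
contact: john.smith@acme-corp.example, tel +1 555 010 4242
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA
-----END RSA PRIVATE KEY-----
"""
```

`sanitize(SAMPLE, "10.10.10.5", ["jsmith"])` leaves the method (hydra against SSH from the target container) intact while every value a reader should never see becomes a labelled marker; the counts tell the reviewer what classes of data the raw note contained, which is itself a reason to re-read the entry by hand before it leaves the target directory.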

Safety Rules

  • Do not create attack procedures beyond authorization boundaries.
  • Do not save unsanitized sensitive information.
  • Offensive commands are written by default in container execution format: docker exec kali-target-${IP} <command>.
  • DoS, persistence, destructive exploitation, and credential operations must be labeled with risks and confirmation requirements.
  • Images, ZIP, EPUB, PDF must not enter .pentester/knowledge/; evidence or binary attachments should be saved to the corresponding target/${IP}/ directory.
  • When conflicting with PTES workflow, prioritize .pentester/ROLE.md compliance rules.

Post-Organization Checklist

After each knowledge base organization, import, move, archive, or deletion, must confirm:

  • New entries are placed in the correct category directory.
  • CTF/writeup/lab content is placed in ctf-lab/, not mixed with real penetration testing knowledge.
  • Duplicate or low-value entries have been moved to _archive/ rather than deleted, so no traceable information is lost.
  • Sensitive information has been sanitized.
  • High-risk content has been labeled with "authorization and risk tags".
  • Images, ZIP, EPUB, PDF have not entered the knowledge base.
  • INDEX.md covers all knowledge entries.
  • DIRECTORY.md, TAGS.md, and PTES-INDEX.md have been synced when necessary.
  • Index integrity check result is missing: 0.

Output

Based on the task, output:

  • Query task: Return matching entries, paths, summaries, applicable steps, and limitations.
  • Create task: State new file path, index update location, and entry summary.
  • Update task: State modified file path, modified sections, and whether the index was updated.
  • No match: State that nothing was found, and suggest a category and entry name that could be created.
Install via CLI
npx skills add https://github.com/fb0sh/pentester --skill knowledge-base
Repository: fb0sh/pentester (branch main, path SKILL.md; 10 stars, 1 fork)