What if your trusted collaboration traffic is also a C2 blind spot?
Collaboration traffic has long been one of those firewall exceptions everyone understands. Users need calls to work. UDP has to get out. Vendor ranges change. TLS inspection breaks things. So the rule gets written, the proxy bypass goes in, and the traffic becomes trusted.
Whether you’re running one Kali VM across multiple HTB machines, client engagements, or exam attempts — you’ve probably felt the friction. Stale tools from a bad upgrade. Shell history from three engagements ago. That one /etc/hosts entry you forgot to clean up before starting a new client. BackTrack and Kali served me well for fifteen years, but the single-box model wasn’t built for the way modern operators actually work: concurrent engagements, strict data separation, reproducible environments, and zero tolerance for “it worked on my box.”
Every operator has the same dirty secret: a graveyard of unsaved scan output.
You ran NetExec against a subnet. Sprayed creds, got hits, saw Pwn3d! flash by. And then you realized you didn’t save it. Or you used --log but named it something useless and now it’s buried in the wrong directory alongside four other files with names you don’t recognize.
After adding a second Windows VM (DF-windows-jump on VLAN 20) alongside the existing DF-windows (VLAN 22) in my PivotLab range config, DF-windows kept ending up with DF-windows-jump’s IP address. Every deploy, ludus range status would initially show the correct DHCP IP for DF-windows, then it would silently flip to 10.2.20.221 – the static IP belonging to DF-windows-jump.
The hostname never changed. The static IP (10.2.22.60) was never applied. Deleting and redeploying didn’t help. Changing templates (win2019 to win2022) didn’t help. The collision persisted across every combination I tried.
Your terminal history is a biography.
Scroll through it and you’ll see exactly how someone thinks, what they prioritize, and where their attention actually lives.
Mine reads like this: move fast, automate relentlessly, tune the machine forever.
Fifteen years in offensive security, boiled down to a .zshrc file, a stack of carefully chosen tools, and a handful of non-negotiable habits.
This isn’t about fancy dotfiles for show — it’s the working setup that’s carried me through many engagements: the aliases born from repetition, the functions that collapse entire workflows, the integrations that turn raw output into instant insight.