Methodology assistant · HTB & CTF labs

A second pair of eyes for your next move.

Shellify watches your findings as you enumerate and suggests the methodology steps you might be missing — at exactly the level of detail you want. Built for HTB, PG Practice, and CTF platforms.

3 depthsconceptual → operational
120+methodology playbooks
HTB · PG · CTFplatform-aware suggestions
Sign in to shellifyEarly access

Send yourself a one-time link or continue with a connected account. No passwords — sign in if you've already been given access.

Work email
or continue with SSO
Shellify is in early access. Sign in if you've already been added, or request an invite. Built for HTB, PG Practice, and CTF platforms only.
[ inside the workspace ]

Drop in your nmap output. Get back the next three things to try.

Findings on the left, hypotheses on the right. Slide the hint level when you want more detail — never more than you asked for.

~/engagements/lame.htb · 10.10.10.3 · Linux · Easy
Next steps3
Hint level · checklist
ExploitHighInvestigate Samba 3.0.20 username map script

CVE-2007-2447 — usermap_script in Samba 3.0.20 allows shell metacharacters in the username field, leading to unauthenticated RCE.

SMBRCEunauth
EnumMedList anonymous FTP contents for foothold artifacts

vsftpd is patched, but anonymous browse may expose creds, configs, or upload paths usable later. Cheap to check.

FTPrecon
EnumMedEnumerate SMB shares with null session

Your null-session finding hints at lax ACLs. Check for writable shares, dropped scripts, or share names that suggest service users.

SMBrecon
[ how it works ]

Your pace, your depth.

The same suggestion, three depths of guidance. Stay conceptual to build intuition. Open up the checklist when you're ready to move. Go operational only when you're genuinely stuck — the goal is to learn, not just to pop the box.

Old Samba builds had a code-injection class of bug in the way they handled the username field during certain authentication paths. The general direction: any input that ends up in a shell call without sanitization is worth poking at.
[ what's in the box ]

A workspace built around hypotheses, not commands.

01

Findings, not chat history

Structured: services, creds, exploits, paths. Add a finding once and every suggestion can reference it instead of re-explaining.

02

Tried & dismissed tracking

Mark suggestions as tried so they fall out of view. Dismiss the ones that don't fit. The panel always shows what's still worth trying.

03

Three hint depths

Conceptual for learning. Checklist for hands-on. Operational for the exact incantation. You decide on a per-suggestion basis.

04

Per-engagement scope

Lame, Legacy, Devel — each box gets its own findings, attempts and notes. Switch with one click; nothing bleeds across.

05

Hypotheses, not answers

Suggestions explain the why before the how. The goal is to build your methodology instincts — not hand you a script to paste.

06

Cross-session history

Findings, attempts, and progress sync to your account. Pick up a box tomorrow exactly where you left off today.