DOOM
GREY HACK HACKTOOL — COMMAND REFERENCE
A comprehensive reference for all Doom commands and features. Use the sidebar to browse commands by category or search for specific commands. Navigate guides for in-depth tutorials.
90+
COMMANDS
8
CATEGORIES
7
GUIDE SECTIONS
MP
MULTIPLAYER ONLY
QUICK ACCESS
▶ GETTING STARTED
Install Doom, set up repositories, configuration overview.
▶ HACKING GUIDE
hack, hacklib, bounce exploits, escalation and sessions.
▶ MACROS
Create and run macro files, special commands, #jump, #if.
▶ PIPED COMMANDS
Use | to chain commands, $p variable, clip and grep patterns.
▶ PROXY SETUP
Stay anonymous — proxy chains, dpath, and dcall management.
▶ EXPLOIT SYSTEM
Library scanning, shells/computers/files, zero-day payloads.
EXPLOIT CHAIN
proxy -c
→
map [ip]
→
hack -shell -any [ip] [port]
→
escalate
→
pass -r
→
clean
COMMANDS
GETTING STARTED
Doom is only available for Grey Hack multiplayer. It can be requested and used by anyone — new player or veteran, guild member or solo.
1. JOIN THE DISCORD
To obtain the tool, first join the official Doom Discord server:
https://discord.gg/nF58jBwVSJ
Open a Ticket in the server and request a personal in-game repository IP. This IP is personal — keep it safe and never leave it noted anywhere in-game.
2. ADD THE REPOSITORY
Escalate to root first, then add the repository IP you received:
sudo -s
apt-get addrepo [YOUR_REPO_IP]
apt-get update
apt-get install doom /root
CRITICAL
After downloading, immediately remove the repository IP from your apt source to keep it safe.apt-get delrepo [YOUR_REPO_IP]
apt-get update
3. ADD YOUR HACKSHOP
Before doing anything else, add your hackshop IP (received during tutorial/email creation). Doom uses it to download and update required libraries.
apt-get addrepo [HACKSHOP_IP]
apt-get update
4. RUN DOOM
From a root terminal, simply run:
doom
On first run, Doom will prompt you to set an encryption key — this is your password used to encrypt sensitive files including the dcall payload. Choose something memorable but secure.
Doom will also check for
metaxploit.so and crypto.so libraries and offer to download them. A dfiles/ folder and eventually a doomDB/ folder will be created in the same directory as the Doom binary.5. FILES STRUCTURE
/root/
doom ← the binary
dfiles/
calls/ ← custom call scripts
macros/ ← macro files
logs/ ← dtop logs
wifi/ ← captured wifi .cap files
monitor/ ← doomspy downloaded logs
unseclibs/ ← dlib weak libraries
seclibs/ ← slib secure libraries
doomDB/ ← library data & password dicts
6. CONFIGURATION
Open the configuration menu with:
config
Key settings to understand:
| SETTING | DESCRIPTION |
|---|---|
| RESUME RESULTS | When enabled, shows only one result of the same type (e.g., one guest shell instead of three). Reduces clutter. |
| DATABASE LINK | Keep enabled. Doom will use and populate the database for library info and passwords. |
| REMOTE DATABASE | Configure if you want multiple Doom installs to share the same database via SSH. |
| METAXPLOIT / CRYPTO PATH | Recommended to move these libs to your dfiles folder rather than /lib to prevent them from being exploited. |
| DCALL INJECT | If a target crashes when uploading dcall, enable this to create it on-target instead. |
| DCALL NAME | Set a custom name for your dcall file to avoid conflicts with other Doom users. |
| CUSTOM LOG PATH | Path to a template file used when corrupting target logs. |
| INTERNAL DICT | Doom builds a brute-force dictionary at startup. Disable after running sys -ph -internal once to speed up startup. |
PROMPTS & NAVIGATION
MAIN PROMPT
The main prompt is your home PC. It shows:
—[DOOM]—[P2]—[MAIN]—{PUBLIC_IP}—{LOCAL_IP}—[/current/path]||——[user]:~$
PROMPT FIELDS
[P2] — number of proxy sessions in chainPUBLIC_IP — your network's public IP
LOCAL_IP — your device's LAN IP
/current/path — active path used for relative commands
[user] — current user
TARGET PROMPTS
When connected to a target, sessions stack in a chain. The prompt shows the current target session:
—[DOOM]—[P4]—[SHELL]—{TARGET_PUB}—{TARGET_LAN}—[/root]||——[root]:~$
SESSION TYPES
SHELL — full access, can run scripts, hack, connect, upload binariesCOMPUTER — most commands available, no script execution or hacks
FILE — limited, can read/copy/delete/list files
PCOMPUTER — partial computer object (from bounce exploits)
[MC] — metaxploit and/or crypto cached for this session
NAVIGATION COMMANDS
| COMMAND | ACTION |
|---|---|
| main | Close all sessions, return to main prompt |
| back / close / 0 | Close current session, go back to previous one |
| backc | Close all regular target sessions, keep proxy sessions open |
CONTEXT COMMANDS
Run commands on a different target context without switching prompt:
// Run Terminal.exe on home system while on a target prompt
>main Terminal.exe
// Run on a named alias session
>s1 open /var/system.log
To set an alias on the current cached session:
rcache -a s1
GAME EXPLOIT SYSTEM
The exploit system revolves around vulnerabilities in library files. Each library version has a unique set of memory/value pairs that can be exploited to get shells, computer objects, files, or trigger special effects.
LIBRARY SCANNING
Scanning discovers the memory/value pairs of a library version. Doom saves all data to doomDB — subsequent interactions skip the scan entirely. Doom scans automatically when it first interacts with an unknown library version.
TIP
Use libdata [libname] to view saved scan data. Use scan -u to force an update of saved data.SESSION TYPES
| TYPE | CAPABILITIES |
|---|---|
| SHELL | Full access — scripts, hacking, uploading binaries, connecting to other targets, escalating privileges. Highest utility. |
| COMPUTER | Read/write files, interact with system, change permissions. Cannot run scripts or perform new hacks. |
| FILE | Read, copy, delete, list file system. Most limited but still useful for data extraction. |
BOUNCE EXPLOIT
A bounce exploit occurs when a router library vulnerability returns a COMPUTER object. By passing a
[lanIP] as an extra parameter to hack/hacklib, the returned computer object belongs to that LAN device instead of the router itself — allowing you to target machines with no open ports.// Attack router and bounce to target at 192.168.1.2
hack 170.110.50.20 0 192.168.1.2
// or using hacklib from inside the network
hacklib kernel_router.so 192.168.1.2
DVAR TIP
dvar -a bounce hacklib -computer -any// Then use: bounce 192.168.0.2
Finding a Bounce Library
1. Connect to a proxy via proxy -q
2. Run map to find a LAN IP (e.g. 192.168.1.2)
3. Run hacklib 192.168.1.2 and try each library
4. Any COMPUTER result with that LAN IP = bounce exploit
5. Download the lib with dlib -a /lib/[libname]
2. Run map to find a LAN IP (e.g. 192.168.1.2)
3. Run hacklib 192.168.1.2 and try each library
4. Any COMPUTER result with that LAN IP = bounce exploit
5. Download the lib with dlib -a /lib/[libname]
ZERO-DAY EXPLOITS (PAYLOAD)
Zero-day exploits use debug mode credentials to access a library's internals and extract data through payload vulnerabilities. Use debuglib to scan for zero-days and payload to exploit them. Credentials are managed with zcred.
WARNING
Using debuglib remotely on a PC can leave logs. Use it from a proxy to avoid traces.HACKING GUIDE
HACK COMMAND
Hack performs remote attacks using an IP and port. When using public IP, the router forwards the connection to the service. From inside a network you can use LAN IPs directly.
// Full attack on all vulnerabilities (recommended first time)
hack 170.110.50.20 0
// Attack a specific service port
hack 170.110.50.20 22
// Use domain URL
hack www.site.com 0
// Bounce to internal target
hack 170.110.50.20 0 192.168.1.2
// Auto-connect to first root shell found
hack -shell -root 170.110.50.20 0
// Auto-connect to any shell
hack -shell -any 170.110.50.20 0
// Scan and list entry points
hack -l 170.110.50.20
DVAR TIP
dvar -a shell hack -shell -any// Then use: shell 115.124.207.47 22
HACKLIB COMMAND
Hacklib attacks library files directly — it can only be used from an existing shell session on the target.
// Attack all vulnerabilities (selection menu)
hacklib
// Attack specific library
hacklib libssh.so
// Direct attack on specific vulnerability
hacklib -l
// Auto-connect to root computer via bounce
hacklib -computer -root init.so 192.168.1.2
ESCALATE PRIVILEGES
From a guest shell, escalate uploads dcall and attempts a dictionary brute-force attack on the root password. Works reliably against NPCs; less effective against players with strong passwords.
// From guest shell
escalate
If you only have COMPUTER or FILE access, try extracting data first:
pass -u // user passwords
pass -m // email credentials
pass -b // bank credentials
REVERSE SHELL SOCIAL ENGINEERING
For targets with no open ports, use the rshell + funny game email approach:
1. Get target's email via bounce exploit + pass -m
2. Install rshell server on a router: rshell -i then rshell -s
3. Login to an employee email: mail -m [email] [passwd]
4. Send a funny game email to target with your rshell server IP + port 1222
5. When target runs the game, check: rshell -l
6. Connect to the new rshell session
2. Install rshell server on a router: rshell -i then rshell -s
3. Login to an employee email: mail -m [email] [passwd]
4. Send a funny game email to target with your rshell server IP + port 1222
5. When target runs the game, check: rshell -l
6. Connect to the new rshell session
DLIB — LIBRARY MANAGEMENT
Store and quickly upload weak libraries to targets for exploitation:
dlib -a /lib/init.so // add library to dlib store
dlib -l // list stored libs
dlib -u // upload menu (select lib to upload to target)
dlib -u init.so // upload specific lib
MACROS
Macros are text files stored in
../dfiles/macros/ where each line is a Doom command. Run them with @macroname.CREATING MACROS
// Create a new macro file
macro -n mymacro
// Or open an existing one
macro -o mymacro
// List all macros
macro -l
MACRO PARAMS
Pass parameters when running a macro. Inside the file, use
$1, $2, etc:// Macro file: attack.macro
hack -shell -any $1 0
escalate
dfile /var/$2 /root
echo File $2 downloaded from $1
// Run it
@attack 170.150.55.20 system.log
MACRO BREAKS
| TYPE | DESCRIPTION |
|---|---|
| Auto Break | Triggered if a session command (hack, hacklib, escalate, rshell, rcache) fails. Prevents commands running on wrong target. |
| Manual Break | Triggered by the break command. Useful in conditional logic. |
SPECIAL MACRO COMMANDS
| COMMAND | DESCRIPTION |
|---|---|
| #jump | Creates a jump point. On auto break, macro jumps here instead of stopping. Auto break also calls backc first. |
| #onbreak | Marks the jump point for manual break command (without auto backc). |
| #command | Prefix any command with # — it only executes IF the command directly before it caused an auto break. Ignored otherwise. |
| #hold | Pauses macro and prompts user to continue or stop. Useful when you need to take a manual action mid-macro. |
| #if ... #endif | Block-style conditional. Commands inside only execute if condition is true. |
| #loop N ... #endloop | Block-style loop. Use $n for index. Cleaner than the inline loop command for complex iterations. |
| #macro name ... #endmacro | Define an inline macro callable within the same file. Use 1$, 2$ for params. |
| // comment | Lines starting with // are ignored (comments). |
FULL EXAMPLE
// Try root shell first, fall back to any shell
hack -shell -root 170.110.50.20 0
#hack -shell -any 170.110.50.20 0
escalate
dfile /home/user/file.txt /root
rm /home/user/file.txt
clean
#jump
proxy -clean
PIPED COMMANDS
Chain commands with
| to pass the response of one command to the next. The piped response is always a string accessible via $p.// Basic pipe
cat /etc/passwd | echo $p
// Save response to clip variable
map 170.120.55.10 | clip m $p
// Use saved variable later
echo $m
NOTES
• If a piped command fails, there is no response and the next command using $p will not execute• When piped, some commands behave differently (suppress their normal output)
• Piped response is always a string
CLIP COMMAND
Store values in single-letter variables (a-z, excluding $p and $n which are reserved):
clip a MY TEXT HERE // store text
clip a -a MORE TEXT // append to existing
clip a -s MORE TEXT // append with space
clip a -l MORE TEXT // append on new line
clip -clear // clear all variables
clip -null a b c // set a, b, c to null
echo $a // use the variable
GREP FOR DATA EXTRACTION
// Find first line containing pattern
grep -n1 root /etc/passwd
// Return first line matching pattern, pipe it
map | grep -n1 *192.168.0.2 -v $p | echo ip: $p
// Return line by number
grep -i 1 /etc/passwd // first line
grep -i -1 /etc/passwd // last line
// Count lines
grep -c /etc/passwd
IF COMMAND
if $a : echo not null
if $a == true : echo is true
if $a != null : echo a is NOT NULL ? echo a IS NULL
if $a == blue : @mymacro ? echo not blue
PROXY CHAIN TIP
Use piped commands and dvars to create powerful one-liners:
// Connect to 2 saved + 2 quick proxies
dvar -a pcon proxy -c 2 && proxy -q && proxy -q
// Run: pcon
PROXY & DCALL
IMPORTANT
Before doing any hacking, ALWAYS use proxies to protect yourself and stay hidden. Skip this and risk getting hacked back by players.PROXY SETUP
Doom uses random NPC routers as proxies — they're easy to hack and their admins don't trigger traces from router logs.
// Add 4 proxies to your saved list (max 10)
proxy -a 4
// Connect to all saved proxies
proxy -c
// Connect to 2 saved proxies
proxy -c 2
// Connect to a quick random proxy (not saved)
proxy -q
// Restore last proxy sessions from cache
proxy -p
// Clean logs and doom files from proxy chain
proxy -clean
RECOMMENDED ROUTINE
proxy -c 2 (2 saved proxies)proxy -q (random quick proxy)
proxy -q (another random quick proxy)
This gives you a 4-hop chain. The end proxies are random and won't be reused, making monitoring extremely difficult.
DCALL
dcall is Doom's payload file — unique to your installation. Many shell commands require it to be uploaded to the target first. By default, Doom uploads it to
/home/guest automatically.When
/home/guest doesn't have write permission or doesn't exist (common with PvP targets), you need to configure a custom upload path using dpath:// Add a custom path for dcall upload
dpath -a /tmp
// List and activate a saved path
dpath -l
// Or activate directly
dpath -l /tmp
Alternatively, use inject -dcall to create dcall on-target instead of uploading it, or enable the DCALL INJECT option in config.
RCACHE — SESSION CACHE
Every shell/computer/file session you obtain is cached. Use rcache to reconnect or set aliases:
rcache // list all cached sessions
rcache -a s1 // alias current session as 's1'
rcache s1 // reconnect to 's1'
rcache -clear // clear all cached sessions
rcache -s // list currently connected sessions
DOOM Tool Created By: @GSQ
Site Created By: @ChaoticCrumb