
# Stage 2

### Overview

Stage 2 is where a quiet, stealthy connection becomes a full working session. Think of Stage 1 as the agent’s handshake and Stage 2 as handing the operator the keys to a richly instrumented diagnostic workshop. When the agent moves to Stage 2, the environment changes from “observe and stay hidden” to “interact and confirm”.

### Purpose

Stage 2 is intended to:

* Provide deeper situational awareness of the target.
* Enable controlled data collection.
* Support diagnostic workflows that require more capabilities than a Stage 1 connection.


### What changes

* The agent sheds its minimal, connection-only posture and adopts a broad set of capabilities that let the host see and interact with the target in much greater detail.
* From that point forward, the operator can perform deeper investigations, collect artifacts for analysis, and run operations.

### Stage 2 Capabilities

When Stage 2 is active, the operator has access to a set of advanced features, which include:

* **File transfer and management**: bidirectional transfer of files to and from the target for validated diagnostics.
* **System and environment enumeration**: collection of system data (OS version, architecture, available volumes).
* **Process inspection**: visibility into running processes.
* **Interactive operational control**: actions to support diagnostics.
* **User context and identity information**: reporting of the agent’s runtime user/context for audit and access decisions.
* **Persistence and resiliency controls**: mechanisms to maintain a session during testing.
* **User-facing UI changes**: non-destructive UI changes (for example, changing a wallpaper).


### Some of the capabilities on Stage 2

Each agent has different capabilities, but some of them include:

* `currentpath` - Obtains the agent's current path
* `screenshot` - Takes a screenshot from the target
* `download_file` - Downloads files
* `upload_file` - Uploads files from your CP home folder
* `drives` - Lists all drives available
* `listproc` - Lists processes in the remote target
* `systeminfo` - Information gathering
* `getuid` - Obtains current agent user-ID
* `wallpaper` - Changes the target's background
* `dumpmem` - Dumps the process memory by PID
* `migrate` - Migrates the current agent to another PID
* `infosys` - Gets current system info
* `salty` - Encrypts all documents
* `watchdog` - Spawns a watchdog that re-launches the agent. Also, if the agent process is killed, it will monitor and re-launch the watchdog as well
* `watchdog_stop` - Stops the watchdog
* `hollow` - Spawns a hollow process and loads the agent into it, e.g. `hollow notepad.exe`
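
The relaunch behaviour described for `watchdog` leaves a recognisable pattern in process telemetry: two images that each restart the other shortly after it exits. The following detection sketch is an added example, not part of Exploit Pack or its documentation; the event fields, image names and the 10-second window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

WINDOW = 10.0  # max seconds between an exit and its relaunch (assumed tuning value)

# Constructed process events; field names and image names are hypothetical.
EVENTS = [
    {"ts": 0.0,  "type": "create", "pid": 100, "ppid": 1,   "image": "agent_sample.exe"},
    {"ts": 0.5,  "type": "create", "pid": 600, "ppid": 1,   "image": "services.exe"},
    {"ts": 1.0,  "type": "create", "pid": 200, "ppid": 100, "image": "wd_sample.exe"},
    {"ts": 5.0,  "type": "create", "pid": 700, "ppid": 600, "image": "svc_sample.exe"},
    {"ts": 50.0, "type": "terminate", "pid": 100},
    {"ts": 52.0, "type": "create", "pid": 300, "ppid": 200, "image": "agent_sample.exe"},
    {"ts": 60.0, "type": "terminate", "pid": 700},
    {"ts": 62.0, "type": "create", "pid": 710, "ppid": 600, "image": "svc_sample.exe"},
    {"ts": 90.0, "type": "terminate", "pid": 200},
    {"ts": 91.5, "type": "create", "pid": 400, "ppid": 300, "image": "wd_sample.exe"},
]

def respawn_edges(events, window=WINDOW):
    """Count (relauncher_image, relaunched_image) pairs seen within `window`."""
    live = {}        # pid -> image of processes currently running
    last_exit = {}   # image -> time its most recent instance exited
    edges = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "terminate":
            image = live.pop(ev["pid"], None)
            if image is not None:
                last_exit[image] = ev["ts"]
        elif ev["type"] == "create":
            image = ev["image"].lower()
            parent = live.get(ev["ppid"])   # None if the parent was never observed
            died = last_exit.get(image)
            if parent and parent != image and died is not None \
                    and ev["ts"] - died <= window:
                edges[(parent, image)] += 1
            live[ev["pid"]] = image
    return dict(edges)

def mutual_watchdogs(events, window=WINDOW):
    """Image pairs where each side has relaunched the other."""
    edges = respawn_edges(events, window)
    return sorted({tuple(sorted(p)) for p in edges if (p[1], p[0]) in edges})

if __name__ == "__main__":
    print(mutual_watchdogs(EVENTS))
```

One-way relaunches, such as a service manager restarting a service, are counted but not reported; only pairs that restart each other are flagged. A relaunch that is not a direct child of the surviving process is missed by this parent-based check.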


### Activating Stage 2

The system transitions an agent from Stage 1 to Stage 2 through an upgrade operation. Once upgraded, the full set of Stage 2 features becomes available via the Control Pack interface or console. To initiate the upgrade, type `stage2` in the Control Pack console.

{% hint style="danger" %}
**Before using Stage 2 capabilities:**

1. **Always obtain a signed scope and authorisation document** for any target system. It should include dates, target identifiers, and allowed actions.
2. **Isolation**: perform high-risk operations (memory capture, persistence testing) only in segregated labs or on expressly authorised targets.
3. Confirm backup and restore points exist for production systems before any intrusive testing.

{% endhint %}

