The premise
When you ssh into a remote machine, every command you type from that moment on runs on the remote machine, not on yours. The remote machine has its own set of network interfaces, its own neighbours, and its own view of the world. To get further into the network, you have to keep hopping from one host to the next, each time inheriting that host's neighbourhood.
Hostbound makes that explicit. You start somewhere inside a procedurally generated network. Hidden somewhere else is the golden machine. You only have four moves that matter - ip a, ping, nmap, ssh - and one rule that decides everything:
You can only reach a host that shares one of your current host's directly-connected subnets. No routing. To cross subnets you must ssh to a host that has interfaces in both, and step from one of its NICs to another.
That is the entire lesson. Everything else is mechanics for getting good at it.
Getting started
- Open Hostbound. The page boots into a new random world.
- The screen has: a status bar across the top (your host, score, and the difficulty / mode badges), a map filling the middle, a terminal floating window in the upper-right (drag it by its title bar), and a thin footer with the Find-host box, the Network Options and Gold Machine buttons, and the network code.
- Click anywhere on the terminal and type help. That prints every command. Your starting host is marked (YOU) on the map, with a small rubber-duck overlay.
- Type ip a. Now you know what subnets you are sitting on.
That is the entire setup. The map fills in as you explore - nothing is shown that you have not yet discovered.
The four core commands
ip a
Lists this host's network interfaces. Each line looks like:
2: eth0: <UP,RUNNING>
inet 10.42.7.6/29 net 10.42.7.0/29 scope global eth0
The net token is the network number - the address you'd use to scan that subnet with nmap. Hostbound puts it on the line on purpose, so you don't have to compute the mask by hand. lo is always listed; interfaces whose LAN has no other hosts are omitted (the equivalent of "no carrier"). Reading this list correctly is the most important habit you can build - it is the entire menu of where you can go this turn.
nmap
Two forms. Both are real nmap-flavoured:
- Subnet ping-sweep: nmap -sn 10.42.7.0/29. Reveals every up host on that one subnet (the -sn is optional - nmap 10.42.7.0/29 works the same). The target must be the exact network address + mask of one of your connected LANs (see ip a) - a bare IP or wrong mask is rejected with a hint about the missing mask. There is a hidden interface-alias shortcut (nmap eth0) if you'd rather not type the CIDR.
- Single-host scan: nmap -sV 10.42.7.5 (or nmap 10.42.7.5). Shows that one host's open ports and version banners. Every host has 22/tcp ssh; the golden machine uniquely advertises 1337/tcp ducky-vault GoldenVault 1.0 - a careful -sV sweep can confirm gold without a blind claim.
Run nmap -h for the full usage and an example with the canonical form.
ssh
Hops you to another host. The target must share one of your directly-connected subnets - exactly the rule above. ssh 10.42.7.5 works in any world; ssh atlas.com (a bare hostname) works only in IPv6 / dual-stack worlds, where every host has a unique name. Wrong subnet, wrong address, or wrong family and you get a "Connection refused" or "no route" line; you stay put.
exit takes you back to the previous host.
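The three rules above (the net token in ip a, the exact-network target for an nmap sweep, and the same-LAN rule for ssh) can be modelled with Python's ipaddress module. This is an added example, not Hostbound's own code; the sample ip a text, the eth1 addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the page's `ip a` format (eth1 is made up).
IP_A = """\
2: eth0: <UP,RUNNING>
    inet 10.42.7.6/29 net 10.42.7.0/29 scope global eth0
3: eth1: <UP,RUNNING>
    inet 172.20.9.130/28 net 172.20.9.128/28 scope global eth1
"""

def connected_lans(ip_a_text):
    """Return {ifname: network} for every inet/inet6 line."""
    lans = {}
    for line in ip_a_text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("inet", "inet6"):
            iface = ipaddress.ip_interface(parts[1])
            # Masking the address gives the same value the `net` token shows.
            lans[parts[-1]] = iface.network
    return lans

def valid_sweep_target(target, lans):
    """A sweep target must be the exact network address + mask of a connected LAN."""
    try:
        # strict=True raises ValueError when host bits are set (e.g. 10.42.7.6/29).
        net = ipaddress.ip_network(target, strict=True)
    except ValueError:
        return False
    # A bare IP parses as a /32 (or /128) and so never matches a real LAN here.
    return net in lans.values()

def can_ssh(target_ip, lans):
    """Same-LAN rule: the target must sit inside a directly connected subnet."""
    addr = ipaddress.ip_address(target_ip)
    return any(addr.version == net.version and addr in net
               for net in lans.values())

if __name__ == "__main__":
    lans = connected_lans(IP_A)
    for name, net in lans.items():
        print(name, net)
    print(can_ssh("10.42.7.5", lans), can_ssh("10.42.7.9", lans))
```
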
ping
Confirms a single host is up and reachable from where you stand. nmap is what you reach for to discover hosts; ping is what you use to check one. In Firewall mode some hosts and subnets silently drop ICMP - ping times out but nmap -sn still shows the host up. That contrast is part of the lesson.
The recon file
Every non-golden host has exactly one short text file in its home directory, named with a random English-looking word (e.g. flump.txt, m.txt, quibble.txt). Run ls to see it, cat <file> to print it, or nano <file> to open a full-screen read-only viewer.
The file body tells you two things:
- Exactly how many ssh hops this host is from the golden machine.
- One true octet (IPv4) or one true group (IPv6) of the golden machine's address.
The golden machine has no recon file at all. An empty home - ls shows nothing - is itself the tell that you have found it. (In Cybersecurity Mode the golden machine still carries its sellable .intel file, so its home is empty only outside that mode.)
Read the hop distance off your current host's file. ssh to a neighbour. Read its file. If the number went down, you are walking toward gold; if it went up, you are walking away. Each octet/group you pick up narrows the search. Following the falling number greedily is always a valid path to gold - the generator proves that before it lets the world ship.
The banner that prints on ssh login also gives you a coarse "Bearing: warmer / colder" cue, which is intentionally less precise than the file.
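Why following the falling number always works: if hop distance is a breadth-first distance from the golden machine over the "shares a subnet" graph, every host at distance d has at least one neighbour at distance d-1. The sketch below is an added example, not the Hostbound generator; the toy world, its host names and its addresses are constructed, and it assumes every host can reach gold.

```python
import ipaddress
from collections import deque

# Constructed toy world: host -> interface addresses (all names/addresses made up).
WORLD = {
    "start":   ["10.42.7.6/29"],
    "deadend": ["10.42.7.3/29"],
    "bridge":  ["10.42.7.5/29", "172.20.9.130/28"],
    "router":  ["172.20.9.141/28", "192.168.50.2/30"],
    "gold":    ["192.168.50.1/30"],
}

def lans(host):
    """Set of directly connected subnets for a host."""
    return {ipaddress.ip_interface(a).network for a in WORLD[host]}

def neighbours(host):
    """Hosts one ssh hop away: they share a directly connected subnet."""
    return sorted(h for h in WORLD if h != host and lans(h) & lans(host))

def hop_distances(gold):
    """BFS outward from gold: the hop count each host's recon file would state."""
    dist, queue = {gold: 0}, deque([gold])
    while queue:
        cur = queue.popleft()
        for nxt in neighbours(cur):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def greedy_path(start, gold):
    """Step to the neighbour with the lowest distance until gold is reached."""
    dist, path = hop_distances(gold), [start]
    while path[-1] != gold:
        # BFS guarantees some neighbour is exactly one hop closer.
        path.append(min(neighbours(path[-1]), key=dist.__getitem__))
    return path

if __name__ == "__main__":
    print(hop_distances("gold"))
    print(" -> ".join(greedy_path("start", "gold")))
```
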
Claim and scoring
When you think you are on the golden machine, type claim or click the Gold Machine button in the footer.
- Right host: a win panel opens with your stats and a closing screen. (See After the win.)
- Wrong host: the terminal prints "Not the golden machine", your claims counter goes up by one, and you continue exactly where you were standing.
Two numbers are tracked, both shown in the scorebar. Lower is better for both:
- Hops traversed - every successful ssh adds one. The bar also shows par, the shortest possible start-to-gold path for this world. Hops at or under par show in green; over par, red.
- Claims made - every wrong claim adds one. The successful claim is not counted against you.
A run-clock starts when the game starts and freezes on the winning claim. Hitting par with zero wrong claims shows "Optimal run" on the win panel.
Reading the map
The map is fog-of-war. Each new LAN gets a permanent grid cell the first time you discover any host on it - and that cell never moves again. The map only ever grows: a new LAN extends the map outward; a new host inside a known LAN just makes that LAN's square a little bigger. You can rely on positions.
What the icons mean
- Coloured pastel squares are LANs - each one labelled with "LAN n" and its CIDR. A square with a v4 and a v6 CIDR is a true dual-stack subnet. The colour is just for distinguishing one LAN from another.
- Client icons (the small computer faces, six colours) are individual hosts. The host you are on has a small rubber-duck overlay and a (YOU) label.
- Switch icon appears in a LAN once at least two of its hosts are known.
- Multi-homed hosts straddle the shared edge or corner of their LAN squares - those are the bridges you cross subnets through. A host with 3+ shared NICs is a true router and sits at a 3-way corner.
- NIC dots and link lines show which interface of a host connects to which switch.
- Hop trail - a faint breadcrumb of your previous positions (unless you've turned on Hidden Host Mode).
Pan, zoom, minimap, locate
- Pan: hold the right mouse button on the map and drag. Or click the canvas to focus it and use the arrow keys.
- Zoom: mouse wheel over the map (keeps the point under the cursor fixed); or +/- on the focused canvas; or 0 to reset.
- Minimap: a small inset in the bottom-right shows the whole discovered map with a rectangle marking your current view. Click it to recenter. It hides itself on small / tutorial maps.
- Locate a host: the Find host box in the footer (left of Network Options) accepts any discovered hostname (typeahead from the datalist). Hit Enter; the map pans to that host and pulses a green ring around it for ~1.5 seconds. Useful once the map gets dense.
The host you are on is pinned every frame - it never jumps when the map grows around it.
Everything else in the terminal
| Command | What it does |
|---|---|
| where-am-i | Reprints the current host, its interfaces, and your hop trail. |
| describe (alias map) | Narrates the discovered map as terminal text. Built for screen readers and for verifying what you know without zooming around. |
| ls / cat / nano | Read the host's recon file (and, in Cybersecurity Mode, its .intel file). |
| clear | Clear the terminal scrollback. |
| help | Full command list. Also reachable from the hamburger menu (Docs). |
The terminal has command history (↑ / ↓), readline-style per-slot edits, and copy/paste. You can also open a draggable notepad from the hamburger menu or the Notepad button at the far left of the top status bar - useful for jotting hop counts and IP octets as you collect them.
Codes and sharing
Every world has a short code shown in the footer About bar - for example HB1-7DEMOFW0 or HB3-2CX5Z4M0. The code is the URL hash (index.html#HB1-7DEMOFW0) and reproduces the entire world byte-for-byte: family, difficulty, Firewalls bit, Hidden-Host bit, Cybersecurity bit, and the topology seed. There is no out-of-band knowledge needed - paste a code into the Load a network code menu and you get the same world.
The hamburger menu has:
- New random network - rolls a fresh code at the current difficulty / family / FW / HHM / CS settings.
- Load a network code - paste any HB1- / HB2- / HB3- / HB4- code.
- Restart this network - same code, fresh play (hops / claims / clock reset).
- Copy Share Link / Copy Challenge Link - puts <base>#<code> on the clipboard.
- Today's network - the daily-seed code (everyone playing on the same date and address family gets the same world).
The four code prefixes:
- HB1- pure IPv4 - every LAN is v4.
- HB2- pure IPv6 - every LAN is a unique ULA /64.
- HB3- dual-stack - each LAN is independently v4-only, v6-only, or true dual-stack. Some hosts are dual-stack bridges; crossing a family boundary always requires hopping one.
- HB4- custom sandbox - your instructor has dialled specific topology parameters (par hop count, branches, loops, family, density). Difficulty does not apply to a sandbox world; the badge shows Custom.
Difficulty and modes
Difficulty
The Difficulty badge in the top-right cycles through Casual / Normal / Hard / Brutal / Extreme. Each level dials the par hop count and how many branches, loops, and 3+-NIC routers the generator produces:
- Casual - par 2, no branches, no loops. Two hops and you're at the gold. A first-five-minutes world.
- Normal - par 2-4, a few branches, no loops.
- Hard - par 4-6, several branches, maybe one loop.
- Brutal - par 6-8, many branches, 1-2 loops.
- Extreme - par 10-13, many branches, 3-4 loops. ~120 hosts. A real puzzle.
Each level also offers variable subnet sizes (Casual is all /24; harder levels mix in /30, /29, /28 and a big /22 or /16 so reading masks matters) and pulls addresses from the entire routable IPv4 range (RFC1918 happens, but is no longer the default).
The same topology seed at a different difficulty is a different world - difficulty is mixed into the seed.
Address mode (IPv4 / IPv6 / Dual)
The IPv4 badge in the top-right cycles to IPv6 and to Dual-stack. The mode only steers new codes - loading an HB2- code always plays as IPv6, regardless of which mode is currently selected.
- IPv4 - dotted-quad addresses, net 10.42.7.0/29 in ip a.
- IPv6 - ULA addresses inside fd00::/8, every LAN a unique /64; nmap's example, the recon clue, and ping all switch to v6.
- Dual-stack - per-LAN family. The hop one past the start is forced single-v6 so every dual run crosses a v4↔v6 boundary one hop in. Some LANs are true dual-stack: the square shows two CIDRs and every host on it has both an inet and an inet6 line. Crossing v4↔v6 always requires hopping a dual-stack bridge - sameLan blocks v4↔v6 pings and ssh from a single-family NIC. That is the teaching.
Firewalls
Toggle from Network Options ▸ Firewalls (or the orange FW badge in the top bar once it's on). Some hosts and off-spine subnets silently drop ICMP and / or refuse ssh - the host shows up in nmap but ssh says "Connection refused" and ping times out. The puzzle: find a different unfiltered same-LAN peer and route around. The generator proves a parallel path always exists before letting a Firewall world ship, so every Firewall world is solvable. Toggling the badge regenerates the world (Firewalls is a generator-gate, not a runtime overlay).
Hidden Host Mode
The HHM / HHM Hard badge (top bar, left of the Difficulty badge) cycles three states:
- Off - full fog-of-war map + breadcrumb of your hop trail. The default.
- HHM (teal) - icons still appear as you discover them; only the breadcrumb is hidden. You can't just retrace your own path.
- HHM Hard (indigo) - only the LAN squares (with their labels) and your current host render. Host icons, ports, switches, and your hop trail are all hidden, so the rest of the topology has to be deduced from ip a, nmap, and describe. The win-screen shows the full map either way - you'll see your route once you've claimed.
HHM does not change the world, only what you see. Topology, distances, and the recon files are unaffected.
Cybersecurity Mode
The CS badge (purple, top bar) turns on a layered puzzle on top of the same SSH-perspective core. Some hosts now have a vulnerability (sudo-misconfig, default-password, weak-password, or unpatched-service). To ssh a vulnerable host you must be carrying the matching tool (priv-esc-kit, default-creds, hash-cracker, bof-exploit). nmap -sV annotates each up host with its vuln class (e.g. 22/ssh (?priv-esc)) so you can plan.
You acquire tools two ways:
- Loot. Some hosts drop a tool the first time you ssh in - it goes straight into your inventory (inv).
- The Darkweb. Every world has a hidden broker host. In Cybersecurity Mode each host's recon .txt file gains a second clue - the broker's hop distance plus one octet/group of its address - so you hunt the broker exactly the way you hunt the golden machine. Visiting it unlocks a full-screen shop where you spend credits on tools. Find credits by running cat <file>.intel on each host and selling the intel - either via the panel's SELL button or the terminal shortcut sell <file>.intel. Open the panel with the purple Darkweb footer button (appears once unlocked) or the matching main-menu item. Prices and intel values are in tens-of-thousands - this is a real economy.
To enter the Darkweb you must be standing on the broker host and run dw enter - that is the only dw subcommand that bypasses the unlock gate. From then on, dw opens the panel from anywhere.
The generator constructively proves CS solvability with the starting inventory (a per-difficulty kit) and the loot it has placed, so every world is still beatable. Easy levels (Casual) skip the CS pass entirely; Brutal and Extreme start you with an empty inventory and force you through The Darkweb economy.
After the win: the encrypted note
Win on any difficulty and the win panel shows an encrypted note about the next difficulty level. There is no hint about the cipher - identifying and cracking it by hand is the puzzle. The ladder goes Caesar → Pigpen → Polybius → Rail Fence → Vigenère across the five difficulties. Decode each one and the message tells you which cipher is on the next rung. Decode Extreme and you have the final reward.
The win panel is dismissable - click the ×, hit Esc, or press Keep exploring. Reopening it (the Gold Machine button) shows the frozen stats from your first winning claim; post-win exploration doesn't rescore.
Accessibility
- High-Visibility Mode - hamburger menu (Theme ▸). Larger type, higher contrast, bolder text. Persists across reloads.
- Theme - Light / Dark / Auto (Auto follows your OS). Persists across reloads.
- describe (or map) prints the discovered map as terminal text - the terminal is real DOM, so a screen reader can read it.
- Keyboard navigation on the map - click the canvas to focus it, then arrows pan, +/- zoom, 0 resets.
These two preferences are the only things Hostbound persists for you across reloads. Everything else - game progress, the current code, the current difficulty / family / FW / HHM / CS toggles - resets on reload. Reopening a code restarts that same world fresh. (Instructors: the Admin passphrase also persists once unlocked - see the faculty guide and its Clear Local Settings note.)
Tutorial
Hamburger menu → Tutorial. A non-blocking coach card walks you through eight steps on a fixed small Casual world: welcome, ip a, nmap -sn, ssh, ls / cat, descend, claim, recap. Every step listens for the real command in the real terminal and auto-advances when you type it - the Next button is always available too if you'd rather read ahead. End tutorial drops you back to a normal random world. The tutorial is in-memory only - it is not flagged as "seen" anywhere.
Tips that pay off
- Read ip a on every new host. Multiple NICs mean you are on a bridge - that is your fastest way to cross subnets.
- Don't claim blind on Hard+. Use nmap -sV on a candidate; the golden machine uniquely advertises 1337/tcp ducky-vault.
- The hop distance falls along the path. If your hop count went up after an ssh, you crossed a branch or a loop, not the spine - exit back and try a different neighbour.
- Use the notepad. Octet by octet, the golden IP becomes visible. Writing them down is faster than re-reading cat output.
- In Firewall mode, trust nmap over ping. A host that pings out can still be reachable via ssh, and vice versa.
- In Cybersecurity Mode, scan first. Reading the vulnerability class from nmap -sV tells you which tool you'll need before you walk into a "Permission denied".