Merge pull request #458 from DidierA/macos_echo

Fix echo -n on macOS

.gitignore

@@ -1,4 +1,5 @@
 .vs/*
+.vscode/*
 winPEAS/winPEASexe/.vs/*
 v16/*
 winPEAS/winPEASexe/.vs/winPEAS/v16/*
@@ -24,6 +25,8 @@ __pycache__
 linPEAS/builder/__pycache__/*
 linPEAS/builder/src/__pycache__/*
 linPEAS/linpeas.sh
+linPEAS/builder/linpeas_base_tmp.sh
+build_lists/regexes.yaml
 sh2bin
 sh2bin/*
 .dccache

README.md

@@ -12,10 +12,10 @@ Here you will find **privilege escalation tools for Windows and Linux/Unix\* and
 
 These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.
 
-- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
+- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
 - **[WinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
 
-- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**
+- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**
 - **[LinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
 
 ## Quick Start

build_lists/sensitive_files.yaml

@@ -1271,6 +1271,8 @@ search:
     value:
         config:
           auto_check: True
+          exec:
+            - '(pwsh -Command "Save-AzContext -Path /tmp/az-context3489ht.json" && cat /tmp/az-context3489ht.json && rm /tmp/az-context3489ht.json) || echo_not_found "pwsh"'
 
         files:
           #- name: "credentials"
@@ -1379,13 +1381,54 @@ search:
                   - common
 
           - name: "AzureRMContext.json"
+            value:
+                bad_regex: "Id.*|Credential.*"
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "clouds.config"
+            value: 
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "service_principal_entries.json"
             value: 
                 bad_regex: ".*"
                 type: f
                 search_in: 
                   - common
           
-          - name: "ErrorRecords" #Azure logs can contain creentials
+          - name: "msal_token_cache.json"
+            value: 
+                bad_regex: ".*"
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "msal_http_cache.bin"
+            value: 
+                just_list_file: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "service_principal_entries.bin"
+            value: 
+                just_list_file: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "msal_token_cache.bin"
+            value: 
+                just_list_file: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "ErrorRecords" #Azure logs can contain crentials
             value: 
                 type: d
                 search_in: 
@@ -1419,6 +1462,26 @@ search:
                 search_in: 
                   - common
           
+          - name: "Google Cloud Directory Sync"
+            value: 
+                files:
+                  - name: "*.xml"
+                    value:
+                        bad_regex: "oAuth2RefreshToken.*|authCredentialsEncrypted.*"
+                type: d
+                search_in: 
+                  - common
+
+          - name: "Google Password Sync"
+            value: 
+                files:
+                  - name: "*.xml"
+                    value:
+                        bad_regex: "baseDN.*|authorizeUsername.*"
+                type: d
+                search_in: 
+                  - common
+          
   
   - name: Road Recon
     value:
@@ -1438,7 +1501,7 @@ search:
         config:
           auto_check: True
           exec:
-            - ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting"; fi
+            - ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.wiki/en/linux-hardening/freeipa-pentesting.html"; fi
         
         files:
           - name: "ipa"

linPEAS/README.md

@@ -2,9 +2,9 @@
 
 ![](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png)
 
-**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)**
+**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html)**
 
-Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**.
+Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**.
 
 [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566)
 
@@ -22,7 +22,7 @@ Check how to **select the checks you want to build [in your own linpeas followin
 
 Note that by default, in the releases pages of this repository, you will find a **linpeas with all the checks**.
 
-## Differences between `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:
+## Differences between `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:
 
 - **linpeas_fat.sh**: Contains all checks, even third party applications in base64 embedded.
 - **linpeas.sh**: Contains all checks, but only the third party application `linux exploit suggester` is embedded. This is the default `linpeas.sh`.

linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh

@@ -15,7 +15,7 @@
 
 if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
     print_2title "Searching Signature verification failed in dmesg"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed"
     (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
     echo ""
 fi

linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh

@@ -0,0 +1,21 @@
+# Title: System Information - CVE_2021_3560
+# ID: SY_CVE_2021_3560
+# Author: Carlos Polop
+# Last Update: 07-10-2024
+# Description: CVE-2021-3560 - paper box from HTB
+# License: GNU GPL
+# Version: 1.0
+# Functions Used:
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+if apt list --installed 2>/dev/null | grep -q 'polkit.*0\.105-26' || \
+   yum list installed 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)' || \
+   rpm -qa 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)'; then
+    echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    echo ""
+fi
+

linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh

@@ -13,7 +13,7 @@
 # Small linpeas: 1
 
 print_2title "Operative system"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
 (cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
 warn_exec lsb_release -a 2>/dev/null
 if [ "$MACPEAS" ]; then

linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh

@@ -15,7 +15,7 @@
 
 print_2title "Sudo version"
 if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version"
 sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
 else echo_not_found "sudo"
 fi

linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh

@@ -15,7 +15,7 @@
 
 if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
     print_2title "USBCreator"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html"
 
     pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
     if [ -z "$pc_version" ]; then

linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "PATH"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses"
 if ! [ "$IAMROOT" ]; then
     echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
 fi

linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh

@@ -15,7 +15,7 @@
 
 if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
   print_2title "Listing mounted tokens"
-  print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
+  print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
   ALREADY_TOKENS="IinItialVaaluE"
   for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
       TEMP_TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))

linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh

@@ -16,7 +16,7 @@
 if [ "$inContainer" ]; then
     echo ""
     print_2title "Container & breakout enumeration"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html"
     print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
     if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
         print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
@@ -34,7 +34,7 @@ if [ "$inContainer" ]; then
     print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
 
     print_3title "Breakout via mounts"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html"
     
     checkProcSysBreakouts
     print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
@@ -71,7 +71,7 @@ if [ "$inContainer" ]; then
     
     echo ""
     print_3title "Namespaces"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html"
     ls -l /proc/self/ns/
 
     if echo "$containerType" | grep -qi "kubernetes"; then
@@ -80,7 +80,7 @@ if [ "$inContainer" ]; then
         echo ""
         
         print_2title "Kubernetes Information"
-        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
         
         
         print_3title "Kubernetes service account folder"
@@ -92,7 +92,7 @@ if [ "$inContainer" ]; then
         echo ""
 
         print_3title "Current sa user k8s permissions"
-        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.html"
         kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
           "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
             -X 'POST' -H 'Content-Type: application/json' \
@@ -102,7 +102,7 @@ if [ "$inContainer" ]; then
     echo ""
 
     print_2title "Container Capabilities"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#capabilities-abuse-escape"
     if [ "$(command -v capsh || echo -n '')" ]; then 
       capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
     else

linPEAS/builder/linpeas_parts/3_cloud/10_Azure_automation_account.sh

@@ -0,0 +1,46 @@
+# Title: Cloud - Azure Automation Account
+# ID: CL_Azure_automation_account
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Azure Automation Account Service Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_az_automation_acc, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_az_automation_acc,
+# Initial Functions: check_az_automation_acc
+# Generated Global Variables: $API_VERSION, $HEADER, $az_req
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
+
+if [ "$is_az_automation_acc" = "Yes" ]; then
+  print_2title "Azure Automation Account Service Enumeration"
+
+  HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"
+
+  az_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      az_req="curl -s -f -L -H '$HEADER'"
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      az_req="wget -q -O - -H '$HEADER'"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$az_req" ]; then
+    print_3title "Management token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
+    echo
+    print_3title "Graph token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    echo
+    print_3title "Vault token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+    echo
+    print_3title "Storage token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh

@@ -5,14 +5,17 @@
 # Description: Check if the current system is inside a cloud environment
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
-# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
-# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_aliyun_ecs, check_tencent_cvm
+# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_az_automation_acc, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
+# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_automation_acc, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
+# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_az_automation_acc, check_aliyun_ecs, check_tencent_cvm
 # Generated Global Variables:
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
+printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}training.hacktricks.wiki\n"$NC
+echo ""
+
 print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "GCP Cloud Funtion? ................... $is_gcp_function\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "AWS ECS? ............................. $is_aws_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
@@ -22,8 +25,9 @@ print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s
 print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-print_list "Azure VM? ............................ $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure VM or Az metadata? ............. $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure Automation Account? ............ $is_az_automation_acc\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Tencent CVM? ......................... $is_tencent_cvm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 

linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh

@@ -26,7 +26,7 @@ if [ "$is_gcp_function" = "Yes" ]; then
     # GCP Enumeration
     if [ "$gcp_req" ]; then
         print_2title "Google Cloud Platform Enumeration"
-        print_info "https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
 
         ## GC Project Info
         p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')

linPEAS/builder/linpeas_parts/3_cloud/7_Google_cloud_vm.sh

@@ -26,7 +26,7 @@ if [ "$is_gcp_vm" = "Yes" ]; then
 
     if [ "$gcp_req" ]; then
         print_2title "Google Cloud Platform Enumeration"
-        print_info "https://book.hacktricks.xyz/cloud-security/gcp-security"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
 
         ## GC Project Info
         p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')

linPEAS/builder/linpeas_parts/3_cloud/8_Azure_VM.sh

@@ -32,21 +32,39 @@ if [ "$is_az_vm" = "Yes" ]; then
   if [ "$az_req" ]; then
     print_3title "Instance details"
     exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
+    echo ""
 
     print_3title "Load Balancer details"
     exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
+    echo ""
+
+    print_3title "User Data"
+    exec_with_jq eval $az_req "$URL/instance/compute/userData?api-version=$API_VERSION\&format=text" | base64 -d 2>/dev/null
+    echo ""
+
+    print_3title "Custom Data and other configs (root needed)"
+    (cat /var/lib/waagent/ovf-env.xml || cat /var/lib/waagent/CustomData/ovf-env.xml) 2>/dev/null | sed "s,CustomData.*,${SED_RED},"
+    echo ""
 
     print_3title "Management token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
+    echo ""
 
     print_3title "Graph token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    echo ""
     
     print_3title "Vault token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+    echo ""
 
     print_3title "Storage token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+    echo ""
   fi
   echo ""
 fi

linPEAS/builder/linpeas_parts/3_cloud/9_Azure_app_service.sh

@@ -13,13 +13,12 @@
 # Small linpeas: 0
 
 
-API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
+API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
 
 if [ "$is_az_app" = "Yes" ]; then
   print_2title "Azure App Service Enumeration"
-  echo "I haven't tested this one, if it doesn't work, please send a PR fixing and adding functionality :)"
 
-  HEADER="secret:$IDENTITY_HEADER"
+  HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"
 
   az_req=""
   if [ "$(command -v curl || echo -n '')" ]; then
@@ -33,13 +32,13 @@ if [ "$is_az_app" = "Yes" ]; then
   if [ "$az_req" ]; then
     print_3title "Management token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
-
+    echo
     print_3title "Graph token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
-    
+    echo
     print_3title "Vault token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
-
+    echo
     print_3title "Storage token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
   fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "System timers"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
   (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
   echo ""
 fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Analyzing .timer files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
 printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
   if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
     echo "$t" | sed -${E} "s,.*,${SED_RED},g"

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh

@@ -15,7 +15,7 @@
 
 #TODO: .service files in MACOS are folders
 print_2title "Analyzing .service files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services"
 printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
   if [ ! -O "" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
     if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh

@@ -16,7 +16,7 @@
 #TODO: .socket files in MACOS are folders
 if ! [ "$IAMROOT" ]; then
   print_2title "Analyzing .socket files"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
   printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
     if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
       echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh

@@ -17,7 +17,7 @@
 if ! [ "$IAMROOT" ]; then
   if ! [ "$SEARCH_IN_FOLDER" ]; then
     print_2title "Unix Sockets Listening"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
     # Search sockets using netstat and ss
     unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
     if ! [ "$unix_scks_list" ];then

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "D-Bus Service Objects list"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
   dbuslist=$(busctl list 2>/dev/null)
   if [ "$dbuslist" ]; then
     busctl list | while read l; do

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh

@@ -13,7 +13,7 @@
 # Small linpeas: 0
 
 print_2title "D-Bus config files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
 if [ "$PSTORAGE_DBUS" ]; then
   printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
     for f in $d/*; do

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh

@@ -19,7 +19,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$NOUSEPS" ]; then
     printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
   fi
-  print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
+  print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
 
   if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
     echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Processes with credentials in memory (root req)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory"
   if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
   if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
   if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh

@@ -16,7 +16,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$NOUSEPS" ]; then
     print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
     binW="IniTialiZZinnggg"
     ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
       if [ -w "$bpath" ]; then

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh

@@ -28,9 +28,9 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
       continue
     fi
     ppid_user=$(get_user_by_pid "$ppid")
-    if echo "$user" | grep -Eqv "$ppid_user|root$"; then
+    if echo "$ppid_user" | grep -Eqv "$user|root$"; then
       echo "Proc $pid with ppid $ppid is run by user $user but the ppid user is $ppid_user" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
     fi
   done
   echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh

@@ -16,7 +16,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
     print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#frequent-cron-jobs"
     temp_file=$(mktemp)
     if [ "$(ps -e -o user,command 2>/dev/null)" ]; then 
       for i in $(seq 1 1210); do 

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Systemd PATH"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
   systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
   WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
   echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Cron jobs"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
   command -v crontab 2>/dev/null || echo_not_found "crontab"
   crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
   command -v incrontab 2>/dev/null || echo_not_found "incrontab"
@@ -27,7 +27,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   atq 2>/dev/null
 else
   print_2title "Cron jobs"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
   find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
 fi
 echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh

@@ -16,7 +16,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$MACPEAS" ]; then
     print_2title "Third party LaunchAgents & LaunchDemons"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#launchd"
     ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
     echo ""
 
@@ -34,12 +34,12 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
     echo ""
 
     print_2title "StartupItems"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
     ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
     echo ""
 
     print_2title "Login Items"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
     osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
     echo ""
 
@@ -48,7 +48,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
     echo ""
 
     print_2title "Emond scripts"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#emond"
     ls -l /private/var/db/emondClients
     echo ""
   fi

linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh

@@ -14,6 +14,6 @@
 
 
 print_2title "Active Ports"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports"
 ( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
 echo ""

linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh

@@ -16,7 +16,7 @@
 print_2title "Can I sniff with tcpdump?"
 timeout 1 tcpdump >/dev/null 2>&1
 if [ $? -eq 124 ]; then #If 124, then timed out == It worked
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sniffing"
     echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
 else echo_no
 fi

linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh

@@ -14,6 +14,6 @@
 
 
 print_2title "Checking Pkexec policy"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2"
 (cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
 echo ""

linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh

@@ -14,6 +14,6 @@
 
 
 print_2title "My user"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users"
 (id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
 echo ""

linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh

@@ -15,7 +15,7 @@
 
 if [ "$MACPEAS" ];then
   print_2title "Keychains"
-  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker"
+  print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#chainbreaker"
   security list-keychains
   echo ""
 fi

linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 (echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
 if [ "$PASSWORD" ]; then
   (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null  || echo_not_found "sudo"

linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Checking sudo tokens"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens"
 ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
 if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
   echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";

linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh

@@ -17,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   containerd=$(command -v ctr || echo -n '')
   if [ "$containerd" ] || [ "$DEBUG" ]; then
     print_2title "Checking if containerd(ctr) is available"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#containerd-ctr-privilege-escalation"
     if [ "$containerd" ]; then
       echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
       ctr image list 2>&1

linPEAS/builder/linpeas_parts/7_software_information/Docker.sh

@@ -15,7 +15,7 @@
 
 if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
   print_2title "Searching docker files (limit 70)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/index.html#docker-breakout--privilege-escalation"
   printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
     ls -l "$f" 2>/dev/null
     if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then

linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh

@@ -15,7 +15,7 @@
 
 if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then
   print_2title "Analyzing kcpassword files"
-  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
+  print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#kcpassword"
   printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
     echo "$f" | sed -${E} "s,.*,${SED_RED},"
     base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"

linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh

@@ -18,7 +18,7 @@ klist_exists="$(command -v klist || echo -n '')"
 kinit_exists="$(command -v kinit || echo -n '')"
 if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
   print_2title "Searching kerberos conf files and tickets"
-  print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/linux-active-directory.html#linux-active-directory"
 
   if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi
   if [ "$kinit_exists" ]; then echo "kadmin was found on $kinit_exists" | sed "s,$kinit_exists,${SED_RED},"; fi

linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh

@@ -36,7 +36,7 @@ if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then
       for f in $(find $d -name user.MYD 2>/dev/null); do
         if [ -r "$f" ]; then
           echo "We can read the Mysql Hashes from $f" | sed -${E} "s,.*,${SED_RED},"
-          grep -oaE "[-_\.\*a-Z0-9]{3,}" "$f" | grep -v "mysql_native_password"
+          grep -oaE "[-_\.\*a-zA-Z0-9]{3,}" "$f" | grep -v "mysql_native_password"
         fi
       done
       

linPEAS/builder/linpeas_parts/7_software_information/Runc.sh

@@ -17,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   runc=$(command -v runc || echo -n '')
   if [ "$runc" ] || [ "$DEBUG" ]; then
     print_2title "Checking if runc is available"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#runc--privilege-escalation"
     if [ "$runc" ]; then
       echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
     fi

linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh

@@ -15,7 +15,7 @@
 
 if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching screen sessions"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
   screensess=$(screen -ls 2>/dev/null)
   screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
   

linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh

@@ -18,7 +18,7 @@ tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
 tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
 if ([ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching tmux sessions"$N
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
   tmux -V
   printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
 

linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$IAMROOT" ]; then
   print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
   #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
   obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
   printf "%s\n" "$obmowbe" | while read l; do

linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$IAMROOT" ]; then
   print_2title "Interesting GROUP writable files (not in Home) (max 200)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
   for g in $(groups); do
     iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
     if [ "$iwfbg" ] || [ "$DEBUG" ]; then

linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "SUID - Check easy privesc, exploits and write perms"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 if ! [ "$STRINGS" ]; then
   echo_not_found "strings"
 fi

linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "SGID"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
 printf "%s\n" "$sgids_files" | while read s; do
   s=$(ls -lahtr "$s")

linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Files with ACLs (limited to 50)"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls"
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
 else

linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Capabilities"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
   if [ "$(command -v capsh || echo -n '')" ]; then
 
     print_3title "Current shell capabilities"

linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh

@@ -15,7 +15,7 @@
 
 if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
   print_2title "Users with capabilities"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
   if [ -f "/etc/security/capability.conf" ]; then
     grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
   else echo_not_found "/etc/security/capability.conf"

linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
   print_2title "Checking misconfigurations of ld.so"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso"
   if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then 
     echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
     printf $RED$ITALIC"/etc/ld.so.conf\n"$NC;

linPEAS/builder/linpeas_parts/8_interesting_perms_files/7_Files_etc_profile_d.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Files (scripts) in /etc/profile.d/"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files"
   if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
     (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
     check_critial_root_path "/etc/profile"

linPEAS/builder/linpeas_parts/8_interesting_perms_files/8_Files_etc_init_d.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
 print_2title "Permissions in init, init.d, systemd, and rc.d"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd"
   if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
     check_critial_root_path "/etc/init/"
     check_critial_root_path "/etc/init.d/"

linPEAS/builder/linpeas_parts/9_interesting_files/1_Sh_files_in_PATH.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title ".sh files in path"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path"
   echo $PATH | tr ":" "\n" | while read d; do
     for f in $(find "$d" -name "*.sh" -o -name "*.sh.*" 2>/dev/null); do
       if ! [ "$IAMROOT" ] && [ -O "$f" ]; then

linPEAS/builder/linpeas_parts/9_interesting_files/28_Files_with_passwords.sh

@@ -19,7 +19,7 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
   print_2title "Searching possible password variables inside key folders (limit 140)"
   if ! [ "$SEARCH_IN_FOLDER" ]; then
     timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
-    timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
+    timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
   else
     timeout 150 find $SEARCH_IN_FOLDER -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
   fi
@@ -29,12 +29,12 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
   ##-- IF) Find possible conf files with passwords
   print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)"
   if ! [ "$SEARCH_IN_FOLDER" ]; then
-    ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
+    ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null)
   else
-    ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
+    ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null)
   fi
   printf "%s\n" "$ppicf" | while read f; do
-    if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' \"$f\" 2>/dev/null; then
+    if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' "$f" 2>/dev/null; then
       echo "$ITALIC $f$NC"
       grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g"
     fi

linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh

@@ -15,7 +15,7 @@
 
 if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below
 print_2title "Writable log files (logrotten) (limit 50)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation"
   logrotate --version 2>/dev/null || echo_not_found "logrotate"
   lastWlogFolder="ImPOsSiBleeElastWlogFolder"
   logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50)

linPEAS/builder/linpeas_parts/functions/check_aliyun_ecs.sh

@@ -13,8 +13,7 @@
 # Small linpeas: 1
 
 
-
-check_aliyun_ecs () {
+check_aliyun_ecs(){
   is_aliyun_ecs="No"
   if [ -f "/etc/cloud/cloud.cfg.d/aliyun_cloud.cfg" ]; then 
     is_aliyun_ecs="Yes"

linPEAS/builder/linpeas_parts/functions/check_az_app.sh

@@ -16,7 +16,7 @@
 check_az_app(){
   is_az_app="No"
 
-  if [ -d "/opt/microsoft" ] && env | grep -q "IDENTITY_ENDPOINT"; then
+  if [ -d "/opt/microsoft" ] && env | grep -iq "azure"; then
     is_az_app="Yes"
   fi
 }

linPEAS/builder/linpeas_parts/functions/check_az_automation_acc.sh

@@ -0,0 +1,22 @@
+# Title: Cloud - check_az_automation_acc
+# ID: check_az_automation_acc
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check if the script is running in Azure App Service
+# License: GNU GPL
+# Version: 1.0
+# Functions Used:
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $is_az_automation_acc
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+check_az_automation_acc(){
+  is_az_automation_acc="No"
+
+  if env | grep -iq "azure" && env | grep -iq "AutomationServiceEndpoint"; then
+    is_az_automation_acc="Yes"
+  fi
+}

linPEAS/builder/linpeas_parts/functions/check_az_vm.sh

@@ -8,7 +8,7 @@
 # Functions Used:
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables: $is_az_vm
+# Generated Global Variables: $is_az_vm, $meta_response
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -16,10 +16,28 @@
 check_az_vm(){
   is_az_vm="No"
 
+  # 1. Check if the Azure log directory exists
   if [ -d "/var/log/azure/" ]; then
     is_az_vm="Yes"
-  
-  elif cat /etc/resolv.conf 2>/dev/null | grep -q "search reddog.microsoft.com"; then
+
+  # 2. Check if 'reddog.microsoft.com' is found in /etc/resolv.conf
+  elif grep -q "search reddog.microsoft.com" /etc/resolv.conf 2>/dev/null; then
     is_az_vm="Yes"
+
+  else
+    # 3. Try querying the Azure Metadata Service for more wide support (e.g. Azure Container Registry tasks need this)
+    if command -v curl &> /dev/null; then
+      meta_response=$(curl -s --max-time 2 \
+        "http://169.254.169.254/metadata/identity/oauth2/token")
+      if echo "$meta_response" | grep -q "Missing"; then
+        is_az_vm="Yes"
+      fi
+    elif command -v wget &> /dev/null; then
+      meta_response=$(wget -qO- --timeout=2 \
+        "http://169.254.169.254/metadata/identity/oauth2/token")
+      if echo "$meta_response" | grep -q "Missing"; then
+        is_az_vm="Yes"
+      fi
+    fi
   fi
-}
+}

linPEAS/builder/linpeas_parts/functions/check_tencent_cvm.sh

@@ -16,7 +16,7 @@
 
 check_tencent_cvm () {
   is_tencent_cvm="No"
-  if [ -f "/etc/cloud/cloud.cfg.d/05_logging.cfg" ] || grep -qi Tencent /etc/cloud/cloud.cfg; then
+  if grep -qi Tencent /etc/cloud/cloud.cfg 2>/dev/null; then
       is_tencent_cvm="Yes"
   fi
 }

linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh

@@ -188,6 +188,9 @@ if [ $? -ne 0 ] ; then
 	fi
 fi
 
+# on macOS the built-in echo does not support -n, use /bin/echo instead
+if [ "$MACPEAS" ] ; then alias echo=/bin/echo ; fi
+
 print_title(){
   if [ "$DEBUG" ]; then
     END_T1_TIME=$(date +%s 2>/dev/null)
@@ -343,7 +346,7 @@ print_support () {
     ${GREEN}/---------------------------------------------------------------------------------\\
     |                             ${BLUE}Do you like PEASS?${GREEN}                                  |
     |---------------------------------------------------------------------------------|
-    |         ${YELLOW}Get the latest version${GREEN}    :     ${RED}https://github.com/sponsors/carlospolop${GREEN} |
+    |         ${YELLOW}Learn Cloud Hacking${GREEN}       :     ${RED}https://training.hacktricks.wiki${GREEN}         |
     |         ${YELLOW}Follow on Twitter${GREEN}         :     ${RED}@hacktricks_live${GREEN}                        |
     |         ${YELLOW}Respect on HTB${GREEN}            :     ${RED}SirBroccoli            ${GREEN}                 |
     |---------------------------------------------------------------------------------|
@@ -362,7 +365,7 @@ printf ${BLUE}"          $SCRIPTNAME-$VERSION ${YELLOW}by carlospolop\n"$NC;
 echo ""
 printf ${YELLOW}"ADVISORY: ${BLUE}$ADVISORY\n$NC"
 echo ""
-printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist\n"$NC
+printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html\n"$NC
 echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m,"
 echo "  RED/YELLOW: 95% a PE vector" | sed "s,RED/YELLOW,${SED_RED_YELLOW},"
 echo "  RED: You should take a look to it" | sed "s,RED,${SED_RED},"

linPEAS/builder/src/linpeasBaseBuilder.py

@@ -66,7 +66,7 @@ class LinpeasBaseBuilder:
             self.linpeas_base += f"\nif echo $CHECKS | grep -q {section_info['name_check']}; then\n"
             self.linpeas_base += f'print_title "{section_name}"\n'
 
-            # Sort checks alphabetically to get them in the same order of they are in the folder
+            # Sort checks alphabetically to get them in the same order as they are in the folder
             section_info["checks"] = sorted(section_info["checks"], key=lambda x: int(os.path.basename(x.path).split('_')[0]) if os.path.basename(x.path).split('_')[0].isdigit() else 99)
             for check in section_info["checks"]:
                 for func in check.initial_functions:
@@ -193,8 +193,9 @@ class LinpeasBaseBuilder:
     
     def get_funcs_deps(self, module, all_funcs):
         """Given 1 module and the list of modules return the functions recursively it depends on"""
-            
-        for func in module.functions_used:
+        
+        module_funcs = list(set(module.initial_functions + module.functions_used))
+        for func in module_funcs:
             func_module = self.find_func_module(func)
             #print(f"{module.id} has found {func} in {func_module.id}") #To find circular dependencies
             if not func_module.is_function:

linPEAS/builder/src/linpeasBuilder.py

@@ -365,7 +365,7 @@ class LinpeasBuilder:
                     rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=5)
             if "sudo:" in rb.text:
                 if len(b) <= 3:
-                    sudoVB.append("[^a-ZA-Z0-9]"+b+"$") # Less false possitives applied to small names
+                    sudoVB.append("[^a-zA-Z0-9]"+b+"$") # Less false possitives applied to small names
                 else:
                     sudoVB.append(b+"$")
             if "suid:" in rb.text:

parsers/README.md

@@ -38,7 +38,7 @@ There is a **maximun of 3 levels of sections**.
           }
         ],
         "infos": [
-          "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
+          "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
         ]
       },
       "infos": []
@@ -65,7 +65,7 @@ There is a **maximun of 3 levels of sections**.
           }
         ],
         "infos": [
-          "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
+          "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
         ]
       },
       "infos": []

winPEAS/README.md

@@ -2,9 +2,9 @@
 
 ![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
+Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
 
-Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
+Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
 
 ## Quick Start
 Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**.

winPEAS/winPEASbat/README.md

@@ -2,9 +2,9 @@
 
 ![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
+**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
 
-Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)
+Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)
 
 ### WinPEAS.bat is a batch script made for Windows systems which don't support WinPEAS.exe (Net.4 required)
 

winPEAS/winPEASbat/winPEAS.bat

@@ -63,7 +63,7 @@ ECHO.
 CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO"
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
 ECHO.   [i] Check for vulnerabilities for the OS version with the applied patches
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits
 systeminfo
 ECHO.
 CALL :T_Progress 2
@@ -147,12 +147,20 @@ ECHO.
 CALL :T_Progress 1
 
 :LAPSInstallCheck
-CALL :ColorLine " %E%33m[+]%E%97m LAPS installed?"
+CALL :ColorLine " %E%33m[+]%E%97m Legacy Microsoft LAPS installed?"
 ECHO.   [i] Check what is being logged
 REG QUERY "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled 2>nul
 ECHO.
 CALL :T_Progress 1
 
+:WindowsLAPSInstallCheck
+CALL :ColorLine " %E%33m[+]%E%97m Windows LAPS installed?"
+ECHO.   [i] Check what is being logged: 0x00 Disabled, 0x01 Backup to Entra, 0x02 Backup to Active Directory
+REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Policies\LAPS" /v BackupDirectory 2>nul
+REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS" /v BackupDirectory 2>nul
+ECHO.
+CALL :T_Progress 1
+
 :LSAProtectionCheck
 CALL :ColorLine " %E%33m[+]%E%97m LSA protection?"
 ECHO.   [i] Active if "1"
@@ -182,7 +190,7 @@ CALL :T_Progress 1
 :UACSettings
 CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
 ECHO.   [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#very-basic-uac-bypass-full-file-system-access
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
 ECHO.
 CALL :T_Progress 1
@@ -233,7 +241,7 @@ CALL :T_Progress 1
 :InstalledSoftware
 CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
 ECHO.   [i] Some weird software? Check for vulnerabilities in unknow software installed
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
 ECHO.
 dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
 reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
@@ -244,7 +252,7 @@ CALL :T_Progress 2
 
 :RemodeDeskCredMgr
 CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager
 IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
 ECHO.
 CALL :T_Progress 1
@@ -252,7 +260,7 @@ CALL :T_Progress 1
 :WSUS
 CALL :ColorLine " %E%33m[+]%E%97m WSUS"
 ECHO.   [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus
 reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
 ECHO.
 CALL :T_Progress 1
@@ -260,7 +268,7 @@ CALL :T_Progress 1
 :RunningProcesses
 CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
 ECHO.   [i] Something unexpected is running? Check for vulnerabilities
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes
 tasklist /SVC
 ECHO.
 CALL :T_Progress 2
@@ -281,7 +289,7 @@ CALL :T_Progress 3
 :RunAtStartup
 CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
 ECHO.   [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#run-at-startup
 ::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
@@ -305,7 +313,7 @@ CALL :T_Progress 2
 :AlwaysInstallElevated
 CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
 ECHO.   [i] If '1' then you can install a .msi file with admin privileges ;)
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated-1
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 ECHO.
@@ -369,7 +377,7 @@ CALL :T_Progress 1
 :BasicUserInfo
 CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
 ECHO.   [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
 net user %username%
@@ -443,7 +451,7 @@ ECHO.
 
 :ServiceBinaryPermissions
 CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
     for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
 )
@@ -452,7 +460,7 @@ CALL :T_Progress 1
 
 :CheckRegistryModificationAbilities
 CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
 ECHO.
 CALL :T_Progress 1
@@ -461,7 +469,7 @@ CALL :T_Progress 1
 CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
 ECHO.   [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
 ECHO.   [i] The permissions are also checked and filtered using icacls
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
 	for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
 		ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
@@ -476,7 +484,7 @@ ECHO.
 CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
 ECHO.   [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
 ECHO.   [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
 for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
 ECHO.
 CALL :T_Progress 1
@@ -485,7 +493,7 @@ CALL :T_Progress 1
 CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
 cmdkey /list
 ECHO.
 CALL :T_Progress 2
@@ -493,14 +501,14 @@ CALL :T_Progress 2
 :DPAPIMasterKeys
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO.   [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
 powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
 powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
 CALL :T_Progress 2
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO.   [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
 ECHO.   [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
 ECHO.
 ECHO.Looking inside %appdata%\Microsoft\Credentials\
 ECHO.
@@ -573,7 +581,7 @@ CALL :T_Progress 2
 
 :AppCMD
 CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe
 IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists. 
 ECHO.
 CALL :T_Progress 2
@@ -581,7 +589,7 @@ CALL :T_Progress 2
 :RegFilesCredentials
 CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
 ECHO.   [i] Searching specific files that may contains credentials.
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
 ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
 reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
 CALL :T_Progress 2

winPEAS/winPEASexe/README.md

@@ -2,9 +2,9 @@
 
 ![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
+**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
 
-Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
+Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
 
 [![youtube](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/screen.png)](https://youtu.be/66gOwXMnxRI)
 

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2019-0836.cs

@@ -1,105 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2019_0836
-    {
-        private const string name = "CVE-2019-0836";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 10240:
-
-                    supersedence.AddRange(new int[] {
-                        4493475, 4498375, 4499154, 4505051, 4503291,
-                        4507458, 4512497, 4517276, 4522009, 4520011,
-                        4524153, 4525232, 4530681, 4534306, 4537776,
-                        4540693, 4550930, 4556826, 4561649, 4567518,
-                        4565513, 4571692, 4577049
-                    });
-
-                    break;
-
-                case 14393:
-
-                    supersedence.AddRange(new int[] {
-                        4493470, 4499418, 4494440, 4534271, 4534307,
-                        4537764, 4537806, 4540670, 4541329, 4550929,
-                        4550947, 4556813, 4561616, 4567517, 4565511,
-                        4571694, 4577015
-                    });
-
-                    break;
-
-                case 15063:
-
-                    supersedence.AddRange(new int[] {
-                        4493474, 4493436, 4499162, 4499181, 4502112,
-                        4505055, 4503279, 4503289, 4509476, 4507450,
-                        4507467, 4512474, 4512507, 4516059, 4516068,
-                        4522011, 4520010, 4524151, 4525245, 4530711,
-                        4534296, 4537765, 4540705, 4550939, 4556804,
-                        4561605, 4567516, 4565499, 4571689, 4577021
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4493441, 4493440, 4499147, 4499179, 4505062,
-                        4503281, 4503284, 4509477, 4507455, 4507465,
-                        4512494, 4512516, 4516066, 4522012, 4520004,
-                        4520006, 4524150, 4525241, 4530714, 4534276,
-                        4534318, 4537789, 4537816, 4540681, 4541330,
-                        4554342, 4550927, 4556812, 4561602, 4567515,
-                        4565508, 4571741, 4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4493464, 4493437, 4499167, 4499183, 4505064,
-                        4503286, 4503288, 4509478, 4507435, 4507466,
-                        4512501, 4512509, 4516045, 4516058, 4522014,
-                        4519978, 4520008, 4524149, 4525237, 4530717,
-                        4534293, 4534308, 4537762, 4537795, 4540689,
-                        4541333, 4554349, 4550922, 4550944, 4556807,
-                        4561621, 4567514, 4565489, 4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4493509, 4495667, 4494441, 4497934, 4501835,
-                        4505056, 4501371, 4503327, 4509479, 4505658,
-                        4507469, 4511553, 4512534, 4512578, 4522015,
-                        4519338, 4520062, 4524148, 4523205, 4530715,
-                        4534273, 4534321, 4532691, 4537818, 4538461,
-                        4541331, 4554354, 4549949, 4550969, 4551853,
-                        4561608, 4567513, 4558998, 4559003, 4565349,
-                        4571748, 4570333, 4577069
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2019-0841.cs

@@ -1,82 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2019_0841
-    {
-        private const string name = "CVE-2019-0841";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 15063:
-
-                    supersedence.AddRange(new int[] {
-                        4493474, 4493436, 4499162, 4499181, 4502112,
-                        4505055, 4503279, 4503289, 4509476, 4507450,
-                        4507467, 4512474, 4512507, 4516059, 4516068,
-                        4522011, 4520010, 4524151, 4525245, 4530711,
-                        4534296, 4537765, 4540705, 4550939, 4556804,
-                        4561605, 4567516, 4565499, 4571689, 4577021
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4493441, 4493440, 4499147, 4499179, 4505062,
-                        4503281, 4503284, 4509477, 4507455, 4507465,
-                        4512494, 4512516, 4516066, 4522012, 4520004,
-                        4520006, 4524150, 4525241, 4530714, 4534276,
-                        4534318, 4537789, 4537816, 4540681, 4541330,
-                        4554342, 4550927, 4556812, 4561602, 4567515,
-                        4565508, 4571741, 4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4493464, 4493437, 4499167, 4499183, 4505064,
-                        4503286, 4503288, 4509478, 4507435, 4507466,
-                        4512501, 4512509, 4516045, 4516058, 4522014,
-                        4519978, 4520008, 4524149, 4525237, 4530717,
-                        4534293, 4534308, 4537762, 4537795, 4540689,
-                        4541333, 4554349, 4550922, 4550944, 4556807,
-                        4561621, 4567514, 4565489, 4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4493509, 4495667, 4494441, 4497934, 4501835,
-                        4505056, 4501371, 4503327, 4509479, 4505658,
-                        4507469, 4511553, 4512534, 4512578, 4522015,
-                        4519338, 4520062, 4524148, 4523205, 4530715,
-                        4534273, 4534321, 4532691, 4537818, 4538461,
-                        4541331, 4554354, 4549949, 4550969, 4551853,
-                        4561608, 4567513, 4558998, 4559003, 4565349,
-                        4571748, 4570333, 4577069
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2019-1064.cs

@@ -1,102 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2019_1064
-    {
-        private const string name = "CVE-2019-1064";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 14393:
-
-                    supersedence.AddRange(new int[] {
-                        4503267, 4503294, 4509475, 4507459, 4507460,
-                        4512495, 4512517, 4516044, 4516061, 4522010,
-                        4519998, 4524152, 4525236, 4530689
-                    });
-
-                    break;
-
-                case 15063:
-
-                    supersedence.AddRange(new int[] {
-                        4503279, 4503289, 4509476, 4507450, 4507467,
-                        4512474, 4512507, 4516059, 4516068, 4522011,
-                        4520010, 4524151, 4525245, 4530711, 4534296,
-                        4537765, 4540705, 4550939, 4556804, 4561605,
-                        4567516, 4565499, 4571689, 4577021
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4503284, 4503281, 4509477, 4507455, 4507465,
-                        4512494, 4512516, 4516066, 4522012, 4520004,
-                        4520006, 4524150, 4525241, 4530714, 4534276,
-                        4534318, 4537789, 4537816, 4540681, 4541330,
-                        4554342, 4550927, 4556812, 4561602, 4567515,
-                        4565508, 4571741, 4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4503286, 4503288, 4509478, 4507435, 4507466,
-                        4512501, 4512509, 4516045, 4516058, 4522014,
-                        4519978, 4520008, 4524149, 4525237, 4530717,
-                        4534293, 4534308, 4537762, 4537795, 4540689,
-                        4541333, 4554349, 4550922, 4550944, 4556807,
-                        4561621, 4567514, 4565489, 4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4503327, 4501371, 4509479, 4505658, 4507469,
-                        4511553, 4512534, 4512578, 4522015, 4519338,
-                        4520062, 4524148, 4523205, 4530715, 4534273,
-                        4534321, 4532691, 4537818, 4538461, 4541331,
-                        4554354, 4549949, 4550969, 4551853, 4561608,
-                        4567513, 4558998, 4559003, 4565349, 4571748,
-                        4570333, 4577069
-                    });
-
-                    break;
-
-                case 18362:
-
-                    supersedence.AddRange(new int[] {
-                        4503293, 4501375, 4505903, 4507453, 4512508,
-                        4512941, 4515384, 4517211, 4522016, 4517389,
-                        4522355, 4524147, 4524570, 4530684, 4528760,
-                        4532695, 4532693, 4535996, 4540673, 4541335,
-                        4551762, 4554364, 4549951, 4550945, 4556799,
-                        4560960, 4567512, 4565483, 4559004, 4565351,
-                        4566116, 4574727, 4577062
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2019-1130.cs

@@ -1,109 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2019_1130
-    {
-        private const string name = "CVE-2019-1130";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 10240:
-
-                    supersedence.AddRange(new int[] {
-                        4507458, 4512497, 4517276, 4522009, 4520011,
-                        4524153, 4525232, 4530681, 4534306, 4537776,
-                        4540693, 4550930, 4556826, 4561649, 4567518,
-                        4565513, 4571692, 4577049
-                    });
-
-                    break;
-
-                case 14393:
-
-                    supersedence.AddRange(new int[] {
-                        4507460, 4507459, 4512495, 4512517, 4516044,
-                        4516061, 4522010, 4519998, 4524152, 4525236,
-                        4530689
-                    });
-
-                    break;
-
-                case 15063:
-
-                    supersedence.AddRange(new int[] {
-                        4507460, 4507459, 4512495, 4512517, 4516044,
-                        4516061, 4522010, 4519998, 4524152, 4525236,
-                        4530689
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4507455, 4507465, 4512494, 4512516, 4516066,
-                        4522012, 4520004, 4520006, 4524150, 4525241,
-                        4530714, 4534276, 4534318, 4537789, 4537816,
-                        4540681, 4541330, 4554342, 4550927, 4556812,
-                        4561602, 4567515, 4565508, 4571741, 4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4507435, 4507466, 4512501, 4512509, 4516045,
-                        4516058, 4522014, 4519978, 4520008, 4524149,
-                        4525237, 4530717, 4534293, 4534308, 4537762,
-                        4537795, 4540689, 4541333, 4554349, 4550922,
-                        4550944, 4556807, 4561621, 4567514, 4565489,
-                        4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4507469, 4505658, 4511553, 4512534, 4512578,
-                        4522015, 4519338, 4520062, 4524148, 4523205,
-                        4530715, 4534273, 4534321, 4532691, 4537818,
-                        4538461, 4541331, 4554354, 4549949, 4550969,
-                        4551853, 4561608, 4567513, 4558998, 4559003,
-                        4565349, 4571748, 4570333, 4577069
-                    });
-
-                    break;
-
-                case 18362:
-
-                    supersedence.AddRange(new int[] {
-                        4507453, 4505903, 4512508, 4512941, 4515384,
-                        4517211, 4522016, 4517389, 4522355, 4524147,
-                        4524570, 4530684, 4528760, 4532695, 4532693,
-                        4535996, 4540673, 4541335, 4551762, 4554364,
-                        4549951, 4550945, 4556799, 4560960, 4567512,
-                        4565483, 4559004, 4565351, 4566116, 4574727,
-                        4577062
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2019-1253.cs

@@ -1,86 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2019_1253
-    {
-        private const string name = "CVE-2019-1253";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 15063:
-
-                    supersedence.AddRange(new int[] {
-                        4516068, 4516059, 4522011, 4520010, 4524151,
-                        4525245, 4530711, 4534296, 4537765, 4540705,
-                        4550939, 4556804, 4561605, 4567516, 4565499,
-                        4571689, 4577021
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4516066, 4522012, 4520004, 4520006, 4524150,
-                        4525241, 4530714, 4534276, 4534318, 4537789,
-                        4537816, 4540681, 4541330, 4554342, 4550927,
-                        4556812, 4561602, 4567515, 4565508, 4571741,
-                        4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4516058, 4516045, 4522014, 4519978, 4520008,
-                        4524149, 4525237, 4530717, 4534293, 4534308,
-                        4537762, 4537795, 4540689, 4541333, 4554349,
-                        4550922, 4550944, 4556807, 4561621, 4567514,
-                        4565489, 4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4512578, 4522015, 4519338, 4520062, 4524148,
-                        4523205, 4530715, 4534273, 4534321, 4532691,
-                        4537818, 4538461, 4541331, 4554354, 4549949,
-                        4550969, 4551853, 4561608, 4567513, 4558998,
-                        4559003, 4565349, 4571748, 4570333, 4577069
-                    });
-
-                    break;
-
-                case 18362:
-
-                    supersedence.AddRange(new int[] {
-                        4515384, 4517211, 4522016, 4517389, 4522355,
-                        4524147, 4524570, 4530684, 4528760, 4532695,
-                        4532693, 4535996, 4540673, 4541335, 4551762,
-                        4554364, 4549951, 4550945, 4556799, 4560960,
-                        4567512, 4565483, 4559004, 4565351, 4566116,
-                        4574727, 4577062
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2019-1315.cs

@@ -1,100 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2019_1315
-    {
-        private const string name = "CVE-2019-1315";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 10240:
-
-                    supersedence.AddRange(new int[] {
-                        4520011, 4525232, 4530681, 4534306, 4537776,
-                        4540693, 4550930, 4556826, 4561649, 4567518,
-                        4565513, 4571692, 4577049
-                    });
-
-                    break;
-
-                case 14393:
-
-                    supersedence.AddRange(new int[] {
-                        4519998, 4519979, 4525236, 4530689
-                    });
-
-                    break;
-
-                case 15063:
-
-                    supersedence.AddRange(new int[] {
-                        4520010, 4525245, 4530711, 4534296, 4537765,
-                        4540705, 4550939, 4556804, 4561605, 4567516,
-                        4565499, 4571689, 4577021
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4520004, 4520006, 4525241, 4530714, 4534276,
-                        4534318, 4537789, 4537816, 4540681, 4541330,
-                        4554342, 4550927, 4556812, 4561602, 4567515,
-                        4565508, 4571741, 4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4520008, 4519978, 4525237, 4530717, 4534293,
-                        4534308, 4537762, 4537795, 4540689, 4541333,
-                        4554349, 4550922, 4550944, 4556807, 4561621,
-                        4567514, 4565489, 4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4519338, 4520062, 4523205, 4530715, 4534273,
-                        4534321, 4532691, 4537818, 4538461, 4541331,
-                        4554354, 4549949, 4550969, 4551853, 4561608,
-                        4567513, 4558998, 4559003, 4565349, 4571748,
-                        4570333, 4577069
-                    });
-
-                    break;
-
-                case 18362:
-
-                    supersedence.AddRange(new int[] {
-                        4517389, 4522355, 4524570, 4530684, 4528760,
-                        4532695, 4532693, 4535996, 4540673, 4541335,
-                        4551762, 4554364, 4549951, 4550945, 4556799,
-                        4560960, 4567512, 4565483, 4559004, 4565351,
-                        4566116, 4574727, 4577062
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2019-1385.cs

@@ -1,83 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2019_1385
-    {
-        private const string name = "CVE-2019-1385";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4525241, 4530714, 4534276, 4534318, 4537789,
-                        4537816, 4540681, 4541330, 4554342, 4550927,
-                        4556812, 4561602, 4567515, 4565508, 4571741,
-                        4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4525237, 4530717, 4534293, 4534308, 4537762,
-                        4537795, 4540689, 4541333, 4554349, 4550922,
-                        4550944, 4556807, 4561621, 4567514, 4565489,
-                        4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4523205, 4530715, 4534273, 4534321, 4532691,
-                        4537818, 4538461, 4541331, 4554354, 4549949,
-                        4550969, 4551853, 4561608, 4567513, 4558998,
-                        4559003, 4565349, 4571748, 4570333, 4577069
-                    });
-
-                    break;
-
-                case 18362:
-
-                    supersedence.AddRange(new int[] {
-                        4524570, 4530684, 4528760, 4532695, 4532693,
-                        4535996, 4540673, 4541335, 4551762, 4554364,
-                        4549951, 4550945, 4556799, 4560960, 4567512,
-                        4565483, 4559004, 4565351, 4566116, 4574727,
-                        4577062
-                    });
-
-                    break;
-
-                case 18363:
-
-                    supersedence.AddRange(new int[] {
-                        4524570, 4530684, 4528760, 4532695, 4532693,
-                        4535996, 4540673, 4541335, 4551762, 4554364,
-                        4549951, 4550945, 4556799, 4560960, 4567512,
-                        4565483, 4559004, 4565351, 4566116, 4574727,
-                        4577062
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2019-1388.cs

@@ -1,89 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2019_1388
-    {
-        private const string name = "CVE-2019-1388";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 10240:
-
-                    supersedence.AddRange(new int[] {
-                        4525232, 4530681, 4534306, 4537776, 4540693,
-                        4550930, 4556826, 4561649, 4567518, 4565513,
-                        4571692, 4577049
-                    });
-
-                    break;
-
-                case 14393:
-
-                    supersedence.AddRange(new int[] {
-                        4525236, 4530689
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4525241, 4530714, 4534276, 4534318, 4537789,
-                        4537816, 4540681, 4541330, 4554342, 4550927,
-                        4556812, 4561602, 4567515, 4565508, 4571741,
-                        4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4525237, 4530717, 4534293, 4534308, 4537762,
-                        4537795, 4540689, 4541333, 4554349, 4550922,
-                        4550944, 4556807, 4561621, 4567514, 4565489,
-                        4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4523205, 4530715, 4534273, 4534321, 4532691,
-                        4537818, 4538461, 4541331, 4554354, 4549949,
-                        4550969, 4551853, 4561608, 4567513, 4558998,
-                        4559003, 4565349, 4571748, 4570333, 4577069
-                    });
-
-                    break;
-
-                case 18362:
-
-                    supersedence.AddRange(new int[] {
-                        4524570, 4530684, 4528760, 4532695, 4532693,
-                        4535996, 4540673, 4541335, 4551762, 4554364,
-                        4549951, 4550945, 4556799, 4560960, 4567512,
-                        4565483, 4559004, 4565351, 4566116, 4574727,
-                        4577062
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2019-1405.cs

@@ -1,101 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2019_1405
-    {
-        private const string name = "CVE-2019-1405";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 10240:
-
-                    supersedence.AddRange(new int[] {
-                        4525232, 4530681, 4534306, 4537776, 4540693,
-                        4550930, 4556826, 4561649, 4567518, 4565513,
-                        4571692, 4577049
-                    });
-
-                    break;
-
-                case 14393:
-
-                    supersedence.AddRange(new int[] {
-                        4525236, 4530689
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4525241, 4530714, 4534276, 4534318, 4537789,
-                        4537816, 4540681, 4541330, 4554342, 4550927,
-                        4556812, 4561602, 4567515, 4565508, 4571741,
-                        4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4525237, 4530717, 4534293, 4534308, 4537762,
-                        4537795, 4540689, 4541333, 4554349, 4550922,
-                        4550944, 4556807, 4561621, 4567514, 4565489,
-                        4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4523205, 4530715, 4534273, 4534321, 4532691,
-                        4537818, 4538461, 4541331, 4554354, 4549949,
-                        4550969, 4551853, 4561608, 4567513, 4558998,
-                        4559003, 4565349, 4571748, 4570333, 4577069
-                    });
-
-                    break;
-
-                case 18362:
-
-                    supersedence.AddRange(new int[] {
-                        4524570, 4530684, 4528760, 4532695, 4532693,
-                        4535996, 4540673, 4541335, 4551762, 4554364,
-                        4549951, 4550945, 4556799, 4560960, 4567512,
-                        4565483, 4559004, 4565351, 4566116, 4574727,
-                        4577062
-                    });
-
-                    break;
-
-                case 18363:
-
-                    supersedence.AddRange(new int[] {
-                        4524570, 4530684, 4528760, 4532695, 4532693,
-                        4535996, 4540673, 4541335, 4551762, 4554364,
-                        4549951, 4550945, 4556799, 4560960, 4567512,
-                        4565483, 4559004, 4565351, 4566116, 4574727,
-                        4577062
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2020-0668.cs

@@ -1,98 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2020_0668
-    {
-        private const string name = "CVE-2020-0668";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 10240:
-
-                    supersedence.AddRange(new int[] {
-                        4537776, 4540693, 4550930, 4556826, 4561649,
-                        4567518, 4565513, 4571692, 4577049
-                    });
-
-                    break;
-
-                case 14393:
-
-                    supersedence.AddRange(new int[] {
-                        4537764, 4537806, 4540670, 4541329, 4550929,
-                        4550947, 4556813, 4561616, 4567517, 4565511,
-                        4571694, 4577015
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4537789, 4537816, 4540681, 4541330, 4554342,
-                        4550927, 4556812, 4561602, 4567515, 4565508,
-                        4571741, 4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4537762, 4537795, 4540689, 4541333, 4554349,
-                        4550922, 4550944, 4556807, 4561621, 4567514,
-                        4565489, 4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4532691, 4537818, 4538461, 4541331, 4554354,
-                        4549949, 4550969, 4551853, 4561608, 4567513,
-                        4558998, 4559003, 4565349, 4571748, 4570333,
-                        4577069
-                    });
-
-                    break;
-
-                case 18362:
-
-                    supersedence.AddRange(new int[] {
-                        4532693, 4535996, 4540673, 4541335, 4551762,
-                        4554364, 4549951, 4550945, 4556799, 4560960,
-                        4567512, 4565483, 4559004, 4565351, 4566116,
-                        4574727, 4577062
-                    });
-
-                    break;
-
-                case 18363:
-
-                    supersedence.AddRange(new int[] {
-                        4532693, 4535996, 4540673, 4541335, 4551762,
-                        4554364, 4549951, 4550945, 4556799, 4560960,
-                        4567512, 4565483, 4559004, 4565351, 4566116,
-                        4574727, 4577062
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2020-0683.cs

@@ -1,98 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2020_0683
-    {
-        private const string name = "CVE-2020-0683";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 10240:
-
-                    supersedence.AddRange(new int[] {
-                        4537776, 4540693, 4550930, 4556826, 4561649,
-                        4567518, 4565513, 4571692, 4577049
-                    });
-
-                    break;
-
-                case 14393:
-
-                    supersedence.AddRange(new int[] {
-                        4537764, 4537806, 4540670, 4541329, 4550929,
-                        4550947, 4556813, 4561616, 4567517, 4565511,
-                        4571694, 4577015
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4537789, 4537816, 4540681, 4541330, 4554342,
-                        4550927, 4556812, 4561602, 4567515, 4565508,
-                        4571741, 4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4537762, 4537795, 4540689, 4541333, 4554349,
-                        4550922, 4550944, 4556807, 4561621, 4567514,
-                        4565489, 4571709, 4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4532691, 4537818, 4538461, 4541331, 4554354,
-                        4549949, 4550969, 4551853, 4561608, 4567513,
-                        4558998, 4559003, 4565349, 4571748, 4570333,
-                        4577069
-                    });
-
-                    break;
-
-                case 18362:
-
-                    supersedence.AddRange(new int[] {
-                        4532693, 4535996, 4540673, 4541335, 4551762,
-                        4554364, 4549951, 4550945, 4556799, 4560960,
-                        4567512, 4565483, 4559004, 4565351, 4566116,
-                        4574727, 4577062
-                    });
-
-                    break;
-
-                case 18363:
-
-                    supersedence.AddRange(new int[] {
-                        4532693, 4535996, 4540673, 4541335, 4551762,
-                        4554364, 4549951, 4550945, 4556799, 4560960,
-                        4567512, 4565483, 4559004, 4565351, 4566116,
-                        4574727, 4577062
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2020-0796.cs

@@ -1,35 +0,0 @@
-using System.Linq;
-using System.Collections.Generic;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2020_0796
-    {
-        private const string name = "CVE-2020-0796";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 18362:
-                case 18363:
-
-                    supersedence.AddRange(new int[] {
-                        4551762
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Msrc/CVE-2020-1013.cs

@@ -1,90 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace winPEAS._3rdParty.Watson.Msrc
-{
-    internal static class CVE_2020_1013
-    {
-        private const string name = "CVE-2020-1013";
-
-        public static void Check(VulnerabilityCollection vulnerabilities, int buildNumber, List<int> installedKBs)
-        {
-            var supersedence = new List<int>();
-
-            switch (buildNumber)
-            {
-                case 10240:
-
-                    supersedence.AddRange(new int[] {
-                        4577049
-                    });
-
-                    break;
-
-                case 14393:
-
-                    supersedence.AddRange(new int[] {
-                        4577015
-                    });
-
-                    break;
-
-                case 16299:
-
-                    supersedence.AddRange(new int[] {
-                        4577041
-                    });
-
-                    break;
-
-                case 17134:
-
-                    supersedence.AddRange(new int[] {
-                        4577032
-                    });
-
-                    break;
-
-                case 17763:
-
-                    supersedence.AddRange(new int[] {
-                        4570333, 4577069
-                    });
-
-                    break;
-
-                case 18362:
-
-                    supersedence.AddRange(new int[] {
-                        4574727, 4577062
-                    });
-
-                    break;
-
-                case 18363:
-
-                    supersedence.AddRange(new int[] {
-                        4574727, 4577062
-                    });
-
-                    break;
-
-                case 19041:
-
-                    supersedence.AddRange(new int[] {
-                        4571756, 4577063
-                    });
-
-                    break;
-
-                default:
-                    return;
-            }
-
-            if (!supersedence.Intersect(installedKBs).Any())
-            {
-                vulnerabilities.SetAsVulnerable(name);
-            }
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Vulnerability.cs

@@ -1,18 +0,0 @@
-namespace winPEAS._3rdParty.Watson
-{
-    public class Vulnerability
-    {
-        public string Identification { get; }
-        public string[] KnownExploits { get; }
-        public bool Vulnerable { get; private set; }
-
-        public Vulnerability(string id, string[] exploits)
-        {
-            Identification = id;
-            KnownExploits = exploits;
-        }
-
-        public void SetAsVulnerable()
-            => Vulnerable = true;
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/VulnerabilityCollection.cs

@@ -1,111 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using winPEAS.Helpers;
-
-namespace winPEAS._3rdParty.Watson
-{
-    public class VulnerabilityCollection
-    {
-        private readonly List<Vulnerability> _vulnerabilities;
-
-        public void SetAsVulnerable(string id)
-            => _vulnerabilities.First(e => e.Identification == id).SetAsVulnerable();
-
-        public VulnerabilityCollection()
-        {
-            _vulnerabilities = Populate();
-        }
-
-        public void ShowResults()
-        {
-            foreach (Vulnerability vuln in _vulnerabilities.Where(i => i.Vulnerable))
-            {
-                Beaprint.BadPrint($" [!] {vuln.Identification} : VULNERABLE");
-
-                foreach (string exploit in vuln.KnownExploits)
-                {
-                    Beaprint.BadPrint($"  [>] {exploit}");
-                }
-
-                Console.WriteLine();
-            }
-
-            if (_vulnerabilities.Any(e => e.Vulnerable))
-            {
-                Beaprint.BadPrint($" [*] Finished. Found {_vulnerabilities.Count(i => i.Vulnerable)} potential vulnerabilities.\r\n");
-            }
-            else
-            {
-                Beaprint.GoodPrint(" [*] Finished. Found 0 vulnerabilities.\r\n");
-            }
-        }
-
-        private List<Vulnerability> Populate()
-        {
-            return new List<Vulnerability>()
-            {
-                new Vulnerability(
-                    id: "CVE-2019-0836",
-                    exploits: new string[] { "https://exploit-db.com/exploits/46718", "https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/" }
-                    ),
-
-                new Vulnerability(
-                    id: "CVE-2019-0841",
-                    exploits: new string[] { "https://github.com/rogue-kdc/CVE-2019-0841", "https://rastamouse.me/tags/cve-2019-0841/" }
-                    ),
-
-                new Vulnerability(
-                    id: "CVE-2019-1064",
-                    exploits: new string[] { "https://www.rythmstick.net/posts/cve-2019-1064/" }
-                    ),
-
-                new Vulnerability(
-                    id: "CVE-2019-1130",
-                    exploits: new string[] { "https://github.com/S3cur3Th1sSh1t/SharpByeBear" }
-                    ),
-
-                new Vulnerability(
-                    id: "CVE-2019-1253",
-                    exploits: new string[] { "https://github.com/padovah4ck/CVE-2019-1253", "https://github.com/sgabe/CVE-2019-1253" }
-                    ),
-
-                new Vulnerability(
-                    id: "CVE-2019-1315",
-                    exploits: new string[] { "https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html" }
-                    ),
-
-                new Vulnerability(
-                    id: "CVE-2019-1385",
-                    exploits: new string[] { "https://www.youtube.com/watch?v=K6gHnr-VkAg" }
-                    ),
-
-                new Vulnerability(
-                    id: "CVE-2019-1388",
-                    exploits: new string[] { "https://github.com/jas502n/CVE-2019-1388" }
-                    ),
-
-                new Vulnerability(
-                    id: "CVE-2019-1405",
-                    exploits: new string[] { "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/", "https://github.com/apt69/COMahawk" }
-                    ),
-                new Vulnerability(
-                    id: "CVE-2020-0668",
-                    exploits: new string[] { "https://github.com/itm4n/SysTracingPoc" }
-                    ),
-                new Vulnerability(
-                    id: "CVE-2020-0683",
-                    exploits: new string[] { "https://github.com/padovah4ck/CVE-2020-0683", "https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/cve-2020-0683.ps1" }
-                    ),
-                new Vulnerability(
-                    id: "CVE-2020-1013",
-                    exploits: new string[] { "https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/" }
-                    ),
-                new Vulnerability(
-                    id: "CVE-2020-0796",
-                    exploits: new string[] { "https://github.com/danigargu/CVE-2020-0796 (smbghost)" }
-                    )
-            };
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Watson.cs

@@ -1,80 +0,0 @@
-using System;
-using System.Collections.Generic;
-using winPEAS.Helpers;
-using winPEAS._3rdParty.Watson.Msrc;
-
-namespace winPEAS._3rdParty.Watson
-{
-
-    //////////////////////////////
-    ////// MAIN WATSON CLASS /////
-    //////////////////////////////
-    class Watson
-    {
-        public static void FindVulns()
-        {
-            Console.WriteLine(Beaprint.YELLOW + "  [?] " + Beaprint.LBLUE + "Windows vulns search powered by " + Beaprint.LRED + "Watson" + Beaprint.LBLUE + "(https://github.com/rasta-mouse/Watson)" + Beaprint.NOCOLOR);
-
-            // Supported versions
-            var supportedVersions = new Dictionary<int, string>()
-            {
-                { 10240, "1507" }, { 10586, "1511" }, { 14393, "1607" }, { 15063, "1703" }, { 16299, "1709" },
-                { 17134, "1803" }, { 17763, "1809" }, { 18362, "1903" }, { 18363, "1909" }, { 19041, "2004" },
-                { 19042, "20H2" }, { 22000, "21H2" }, { 22621, "22H2" }
-            };
-
-            // Get OS Build number
-            var buildNumber = Wmi.GetBuildNumber();
-            if (buildNumber != 0)
-            {
-                if (!supportedVersions.ContainsKey(buildNumber))
-                {
-                    Console.Error.WriteLine($" [!] Windows version not supported, build number: '{buildNumber}'");
-                }
-
-                var version = supportedVersions[buildNumber];
-                Console.WriteLine(" [*] OS Version: {0} ({1})", version, buildNumber);
-            }
-            else
-            {
-                Console.Error.WriteLine(" [!] Could not retrieve Windows BuildNumber");
-            }
-            
-            // List of KBs installed
-            Console.WriteLine(" [*] Enumerating installed KBs...");
-            var installedKBs = Wmi.GetInstalledKBs();
-
-#if DEBUG
-            Console.WriteLine();
-
-            foreach (var kb in installedKBs)
-            {
-                Console.WriteLine(" {0}", kb);
-            }
-
-            Console.WriteLine();
-#endif
-
-            // List of Vulnerabilities
-            var vulnerabilities = new VulnerabilityCollection();
-
-            // Check each one
-            CVE_2019_0836.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2019_0841.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2019_1064.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2019_1130.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2019_1253.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2019_1315.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2019_1385.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2019_1388.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2019_1405.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2020_0668.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2020_0683.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2020_1013.Check(vulnerabilities, buildNumber, installedKBs);
-            CVE_2020_0796.Check(vulnerabilities, buildNumber, installedKBs);
-
-            // Print the results
-            vulnerabilities.ShowResults();
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Wmi.cs

@@ -1,65 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Management;
-
-namespace winPEAS._3rdParty.Watson
-{
-    public class Wmi
-    {
-        public static List<int> GetInstalledKBs()
-        {
-            var KbList = new List<int>();
-
-            try
-            {
-                using (var searcher = new ManagementObjectSearcher(@"root\cimv2", "SELECT HotFixID FROM Win32_QuickFixEngineering"))
-                {
-                    using (var hotFixes = searcher.Get())
-                    {
-                        foreach (var hotFix in hotFixes)
-                        {
-                            var line = hotFix["HotFixID"].ToString().Remove(0, 2);
-
-                            if (int.TryParse(line, out int kb))
-                            {
-                                KbList.Add(kb);
-                            }
-                        }
-                    }
-                }
-            }
-            catch (ManagementException e)
-            {
-                Console.Error.WriteLine(" [!] {0}", e.Message);
-            }
-
-            return KbList;
-        }
-
-        public static int GetBuildNumber()
-        {
-            try
-            {
-                using (var searcher = new ManagementObjectSearcher(@"root\cimv2", "SELECT BuildNumber FROM Win32_OperatingSystem"))
-                {
-                    using (var collection = searcher.Get())
-                    {
-                        foreach (var num in collection)
-                        {
-                            if (int.TryParse(num["BuildNumber"] as string, out int buildNumber))
-                            {
-                                return buildNumber;
-                            }
-                        }
-                    }
-                }
-            }
-            catch (ManagementException e)
-            {
-                Console.Error.WriteLine(" [!] {0}", e.Message);
-            }
-
-            return 0;
-        }
-    }
-}

winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs

@@ -56,7 +56,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software", "Check if you can modify installed software");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications", "Check if you can modify installed software");
                 SortedDictionary<string, Dictionary<string, string>> installedAppsPerms = InstalledApps.GetInstalledAppsPerms();
                 string format = "    ==>  {0} ({1})";
 
@@ -102,7 +102,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Autorun Applications");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
                 List<Dictionary<string, string>> apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs);
 
                 foreach (Dictionary<string, string> app in apps)
@@ -189,7 +189,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Scheduled Applications --Non Microsoft--");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users scheduled binaries");
                 List<Dictionary<string, string>> scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft();
 
                 foreach (Dictionary<string, string> sapp in scheduled_apps)
@@ -239,7 +239,7 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Device Drivers --Non Microsoft--");
                 // this link is not very specific, but its the best on hacktricks
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
 
                 foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
                 {

winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs

@@ -10,12 +10,22 @@ namespace winPEAS.Checks
         {
             Beaprint.GreatPrint("Cloud Information");
 
+            Dictionary<string, string> colorsTraining = new Dictionary<string, string>()
+                {
+                    { "training.hacktricks.wiki", Beaprint.ansi_color_good },
+                    { "Learn & practice cloud hacking in", Beaprint.ansi_color_yellow },
+                };
+            Beaprint.AnsiPrint("Learn and practice cloud hacking in training.hacktricks.wiki", colorsTraining);
+
             var cloudInfoList = new List<CloudInfoBase>
             {
                new AWSInfo(),
                new AzureInfo(),
+               new AzureTokensInfo(),
                new GCPInfo(),
-               new GCPJoinedInfo()
+               new GCPJoinedInfo(),
+               new GCDSInfo(),
+               new GPSInfo(),
             };
 
             foreach (var cloudInfo in cloudInfoList)
@@ -48,36 +58,31 @@ namespace winPEAS.Checks
 
                             foreach (var endpointData in endpointDataList)
                             {
-                                var colors = new Dictionary<string, string>
-                                {
-                                    { endpointData.EndpointName, Beaprint.GRAY }
-                                };
+                                string msgcolor = Beaprint.NOCOLOR;
 
                                 string message;
                                 if (!string.IsNullOrEmpty(endpointData.Data))
                                 {
                                     message = endpointData.Data;
                                     // if it is a JSON data, add additional newline so it's displayed on a separate line
-                                    if (message.StartsWith("{"))
+                                    if (message.StartsWith("{") || message.StartsWith("["))
                                     {
                                         message = $"\n{message}\n";
                                     }
 
                                     if (endpointData.IsAttackVector)
                                     {
-                                        colors.Add(message, Beaprint.ansi_color_bad);
-                                    }
-                                    else
-                                    {
-                                        colors.Add(message, Beaprint.ansi_color_gray);
+                                        msgcolor = Beaprint.ansi_color_bad;
                                     }
                                 }
                                 else
                                 {
                                     message = "No data received from the metadata endpoint";
+                                    msgcolor = Beaprint.ansi_color_gray;
                                 }
 
-                                Beaprint.ColorPrint($"{endpointData.EndpointName,-30}{message}", Beaprint.ansi_color_gray);
+                                Beaprint.ColorPrint($"{endpointData.EndpointName,-30}", Beaprint.ansi_users_active);
+                                Beaprint.ColorPrint(message, msgcolor);
                             }
 
                             Beaprint.GrayPrint("");