test: skip long peass checks in PR-tests for workflow-chain validation

This reverts commit 386ef0642a.

.github/chack-agent/pr-merge-schema.json

@@ -0,0 +1,18 @@
+{
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {
+    "decision": {
+      "type": "string",
+      "enum": ["merge", "comment"]
+    },
+    "message": {
+      "type": "string"
+    },
+    "confidence": {
+      "type": "string",
+      "enum": ["low", "medium", "high"]
+    }
+  },
+  "required": ["decision", "message", "confidence"]
+}

.github/workflows/CI-PR_from_dev.yml

@@ -1,26 +0,0 @@
-name: CI-PR_from_dev
-
-on:
-  push:
-    branches:
-      - winpeas_dev
-      - linpeas_dev
-
-  workflow_dispatch:
-
-jobs:     
-  create_pull_request:
-    runs-on: ubuntu-latest
-    
-    steps:
-      # checkout
-      - name: Checkout
-        uses: actions/checkout@v2
-    
-      # PR     
-      - name: Pull Request
-        uses: repo-sync/pull-request@v2
-        with:
-          destination_branch: "master"
-          github_token: ${{ secrets.PULL_REQUEST_TOKEN }}
-      

.github/workflows/CI-master_tests.yml

@@ -26,7 +26,7 @@ jobs:
     steps:
       # checkout
       - name: Checkout
-        uses: actions/checkout@master
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       
@@ -36,11 +36,11 @@ jobs:
             
       # Add  MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
       - name: Setup MSBuild.exe
-        uses: microsoft/setup-msbuild@v1.0.2
+        uses: microsoft/setup-msbuild@v2
        
       # Setup NuGet
       - name: Setup NuGet.exe
-        uses: nuget/setup-nuget@v1  
+        uses: nuget/setup-nuget@v2
         
       # Restore the packages for testing
       - name: Restore the application       
@@ -48,23 +48,23 @@ jobs:
         
       # build
       - name: run MSBuild
-        run: msbuild $env:Solution_Path
+        run: msbuild $env:Solution_Path /p:Configuration=$env:Configuration /p:UseSharedCompilation=false
         
       # Execute all unit tests in the solution
-      #- name: Execute unit tests
-      #  run: dotnet test $env:Solution_Path
+      - name: Execute unit tests
+        run: dotnet test $env:Solution_Path --configuration $env:Configuration
         
       # Build & update all versions
       - name: Build all versions
         run: |
             echo "build x64"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64" /p:UseSharedCompilation=false
             
             echo "build x86"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86" /p:UseSharedCompilation=false
             
             echo "build Any CPU"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU" /p:UseSharedCompilation=false
       
       - name: Execute winPEAS -h
         shell: pwsh
@@ -220,6 +220,7 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: '1.23'
+          cache: false
       - run: go version
       
       # Build linpeas
@@ -230,6 +231,9 @@ jobs:
           python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
           python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
           python3 -m builder.linpeas_builder --small --output linpeas_small.sh
+
+      - name: Run linPEAS builder tests
+        run: python3 -m unittest discover -s linPEAS/tests -p "test_*.py"
       
       # Build linpeas binaries
       - name: Build linpeas binaries 
@@ -362,7 +366,7 @@ jobs:
 
     steps:
       # Download repo
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
       
       # Build linpeas
       - name: Build macpeas
@@ -469,11 +473,11 @@ jobs:
     
     - name: Get current date
       id: date
-      run: echo "::set-output name=date::$(date +'%Y%m%d')"
+      run: echo "date=$(date +'%Y%m%d')" >> "$GITHUB_OUTPUT"
     
     - name: Generate random
       id: random_n
-      run: echo "::set-output name=some_rand::$(openssl rand -hex 4)"
+      run: echo "some_rand=$(openssl rand -hex 4)" >> "$GITHUB_OUTPUT"
     
     # Create the release
     - name: Create Release

.github/workflows/PR-tests.yml

@@ -8,6 +8,8 @@ on:
     paths-ignore:
       - '.github/**'
 
+  workflow_dispatch:
+
 jobs:
   Build_and_test_winpeas_pr:
     runs-on: windows-latest
@@ -20,7 +22,7 @@ jobs:
     steps:
       # checkout
       - name: Checkout
-        uses: actions/checkout@master
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       
@@ -30,11 +32,11 @@ jobs:
             
       # Add MSBuild to the PATH
       - name: Setup MSBuild.exe
-        uses: microsoft/setup-msbuild@v1.0.2
+        uses: microsoft/setup-msbuild@v2
        
       # Setup NuGet
       - name: Setup NuGet.exe
-        uses: nuget/setup-nuget@v1  
+        uses: nuget/setup-nuget@v2
         
       # Restore the packages for testing
       - name: Restore the application       
@@ -42,19 +44,23 @@ jobs:
         
       # build
       - name: run MSBuild
-        run: msbuild $env:Solution_Path
+        run: msbuild $env:Solution_Path /p:Configuration=$env:Configuration /p:UseSharedCompilation=false
+
+      # Execute unit tests in the solution
+      - name: Execute unit tests
+        run: dotnet test $env:Solution_Path --configuration $env:Configuration
         
       # Build all versions
       - name: Build all versions
         run: |
             echo "build x64"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64" /p:UseSharedCompilation=false
             
             echo "build x86"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86" /p:UseSharedCompilation=false
             
             echo "build Any CPU"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU" /p:UseSharedCompilation=false
       
       - name: Execute winPEAS -h
         shell: pwsh
@@ -105,15 +111,15 @@ jobs:
 
     steps:
       # Download repo
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       
       # Setup go
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v6
         with:
-          go-version: 1.17.0-rc1
-          stable: false
+          go-version: '1.23'
+          cache: false
       - run: go version
       
       # Build linpeas
@@ -124,6 +130,9 @@ jobs:
           python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
           python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
           python3 -m builder.linpeas_builder --small --output linpeas_small.sh
+
+      - name: Run linPEAS builder tests
+        run: python3 -m unittest discover -s linPEAS/tests -p "test_*.py"
       
       # Run linpeas help as quick test
       - name: Run linpeas help
@@ -152,9 +161,11 @@ jobs:
         run: linPEAS/linpeas_fat.sh -o software_information -a
       
       - name: Run linpeas interesting_perms_files
+        if: ${{ false }}
         run: linPEAS/linpeas_fat.sh -o interesting_perms_files -a
       
       - name: Run linpeas interesting_files
+        if: ${{ false }}
         run: linPEAS/linpeas_fat.sh -o interesting_files -a
 
   Build_and_test_macpeas_pr:
@@ -162,7 +173,7 @@ jobs:
 
     steps:
       # Download repo
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       
@@ -198,4 +209,5 @@ jobs:
         run: linPEAS/linpeas_fat.sh -o users_information -a
       
       - name: Run macpeas software_information
+        if: ${{ false }}
         run: linPEAS/linpeas_fat.sh -o software_information -a

.github/workflows/chack-agent-pr-triage.yml

@@ -0,0 +1,208 @@
+name: Chack-Agent PR Triage
+
+on:
+  workflow_run:
+    workflows: ["PR-tests"]
+    types: [completed]
+
+jobs:
+  chack_agent_triage:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    env:
+      CHACK_LOGS_HTTP_URL: ${{ secrets.CHACK_LOGS_HTTP_URL }}
+    outputs:
+      should_run: ${{ steps.gate.outputs.should_run }}
+      pr_number: ${{ steps.gate.outputs.pr_number }}
+      pr_title: ${{ steps.gate.outputs.pr_title }}
+      pr_body: ${{ steps.gate.outputs.pr_body }}
+      base_ref: ${{ steps.gate.outputs.base_ref }}
+      head_ref: ${{ steps.gate.outputs.head_ref }}
+      base_sha: ${{ steps.gate.outputs.base_sha }}
+      head_sha: ${{ steps.gate.outputs.head_sha }}
+      decision: ${{ steps.parse.outputs.decision }}
+      message: ${{ steps.parse.outputs.message }}
+
+    steps:
+      - name: Resolve PR context
+        id: gate
+        env:
+          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          pr_number="${PR_NUMBER}"
+          if [ -z "$pr_number" ] && [ -n "$HEAD_BRANCH" ]; then
+            pr_number="$(gh pr list --state open --head "$HEAD_BRANCH" --json number --jq '.[0].number')"
+          fi
+          if [ -z "$pr_number" ]; then
+            echo "No pull request found for this workflow_run; skipping."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            echo "pr_number=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          author="$(gh pr view "$pr_number" --json author --jq .author.login)"
+          if [ "$author" != "carlospolop" ]; then
+            echo "PR author is $author; skipping."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          pr_title="$(gh pr view "$pr_number" --json title --jq .title)"
+          pr_body="$(gh pr view "$pr_number" --json body --jq .body)"
+          base_ref="$(gh pr view "$pr_number" --json baseRefName --jq .baseRefName)"
+          head_ref="$(gh pr view "$pr_number" --json headRefName --jq .headRefName)"
+          base_sha="$(gh pr view "$pr_number" --json baseRefOid --jq .baseRefOid)"
+          head_sha="$(gh pr view "$pr_number" --json headRefOid --jq .headRefOid)"
+
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+          echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+          echo "pr_title<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$pr_title" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+          echo "pr_body<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$pr_body" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+          echo "base_ref=$base_ref" >> "$GITHUB_OUTPUT"
+          echo "head_ref=$head_ref" >> "$GITHUB_OUTPUT"
+          echo "base_sha=$base_sha" >> "$GITHUB_OUTPUT"
+          echo "head_sha=$head_sha" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout PR merge ref
+        uses: actions/checkout@v5
+        with:
+          ref: refs/pull/${{ steps.gate.outputs.pr_number }}/merge
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+
+      - name: Pre-fetch base and head refs
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        run: |
+          git fetch --no-tags origin \
+            ${{ steps.gate.outputs.base_ref }} \
+            +refs/pull/${{ steps.gate.outputs.pr_number }}/head
+
+      - name: Set up Node.js for Codex
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        uses: actions/setup-node@v5
+        with:
+          node-version: "20"
+
+      - name: Install Codex CLI
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        run: |
+          npm install -g @openai/codex
+          codex --version
+
+      - name: Run Chack Agent
+        id: run_chack
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        uses: carlospolop/chack-agent@master
+        with:
+          provider: codex
+          model_primary: CHEAP_BUT_QUALITY
+          main_action: peass-ng
+          sub_action: Chack-Agent PR Triage
+          system_prompt: |
+            You are Chack Agent, an elite PR reviewer for PEASS-ng.
+            Be conservative: merge only if changes are simple, safe, and valuable accoding to the uers give guidelines.
+            If in doubt, comment with clear questions or concerns.
+            Remember taht you are an autonomouts agent, use the exec tool to run the needed commands to list, read, analyze, modify, test...
+          tools_config_json: "{\"exec_enabled\": true}"
+          session_config_json: "{\"long_term_memory_enabled\": false}"
+          agent_config_json: "{\"self_critique_enabled\": false, \"require_task_steps_manager_init_first\": true}"
+          output_schema_file: .github/chack-agent/pr-merge-schema.json
+          user_prompt: |
+            You are reviewing PR #${{ steps.gate.outputs.pr_number }} for ${{ github.repository }}.
+
+            Decide whether to merge or comment. Merge only if all of the following are true:
+            - Changes are simple and safe (no DoS, no long operations, no backdoors).
+            - Changes follow common PEASS syntax and style without breaking anything and add useful checks or value.
+            - Changes simplify code or add new useful checks without breaking anything.
+
+            If you don't have any doubts, and all the previous conditions are met, decide to merge.
+            If you have serious doubts, choose "comment" and include your doubts or questions.
+            If you decide to merge, include a short rationale.
+
+            Pull request title and body:
+            ----
+            ${{ steps.gate.outputs.pr_title }}
+            ${{ steps.gate.outputs.pr_body }}
+
+            Review ONLY the changes introduced by the PR:
+              git log --oneline ${{ steps.gate.outputs.base_sha }}...${{ steps.gate.outputs.head_sha }}
+
+            Output JSON only, following the provided schema:
+            .github/chack-agent/pr-merge-schema.json
+          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
+
+      - name: Parse Chack Agent decision
+        id: parse
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        env:
+          CHACK_MESSAGE: ${{ steps.run_chack.outputs.final-message }}
+        run: |
+          python3 - <<'PY'
+          import json
+          import os
+
+          raw = (os.environ.get('CHACK_MESSAGE', '') or '').strip()
+          decision = 'comment'
+          message = 'Chack Agent did not provide details.'
+          try:
+            data = json.loads(raw or '{}')
+            if isinstance(data, dict):
+              decision = data.get('decision', 'comment')
+              message = data.get('message', '').strip() or message
+            else:
+              message = raw or message
+          except Exception:
+            message = raw or message
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as handle:
+            handle.write(f"decision={decision}\n")
+            handle.write("message<<EOF\n")
+            handle.write(message + "\n")
+            handle.write("EOF\n")
+          PY
+
+  merge_or_comment:
+    runs-on: ubuntu-latest
+    needs: chack_agent_triage
+    if: ${{ github.event.workflow_run.conclusion == 'success' && needs.chack_agent_triage.outputs.should_run == 'true' && needs.chack_agent_triage.outputs.decision != '' }}
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Merge PR when approved
+        if: ${{ needs.chack_agent_triage.outputs.decision == 'merge' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ needs.chack_agent_triage.outputs.pr_number }}
+        run: |
+          gh api \
+            -X PUT \
+            -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER}/merge \
+            -f merge_method=squash \
+            -f commit_title="Auto-merge PR #${PR_NUMBER} (Chack Agent)"
+
+      - name: Comment with doubts
+        if: ${{ needs.chack_agent_triage.outputs.decision == 'comment' }}
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ needs.chack_agent_triage.outputs.pr_number }}
+          CHACK_MESSAGE: ${{ needs.chack_agent_triage.outputs.message }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number(process.env.PR_NUMBER),
+              body: process.env.CHACK_MESSAGE,
+            });

.github/workflows/ci-master-failure-chack-agent-pr.yml

@@ -0,0 +1,195 @@
+name: CI-master Failure Chack-Agent PR
+
+on:
+  workflow_run:
+    workflows: ["CI-master_test"]
+    types: [completed]
+
+jobs:
+  chack_agent_fix_master_failure:
+    if: >
+      ${{ github.event.workflow_run.conclusion == 'failure' &&
+          github.event.workflow_run.head_branch == 'master' &&
+          !startsWith(github.event.workflow_run.head_commit.message, 'Fix CI-master failures for run #') }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      actions: read
+    env:
+      TARGET_BRANCH: master
+      FIX_BRANCH: chack-agent/ci-master-fix-${{ github.event.workflow_run.id }}
+      CHACK_LOGS_HTTP_URL: ${{ secrets.CHACK_LOGS_HTTP_URL }}
+    steps:
+      - name: Checkout failing commit
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+          fetch-depth: 0
+          persist-credentials: true
+          token: ${{ secrets.CHACK_AGENT_FIXER_TOKEN || github.token }}
+
+      - name: Configure git author
+        run: |
+          git config user.name "chack-agent"
+          git config user.email "chack-agent@users.noreply.github.com"
+
+      - name: Create fix branch
+        run: git checkout -b "$FIX_BRANCH"
+
+      - name: Fetch failure summary and failed-step logs
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+        run: |
+          failed_logs_file="$(pwd)/chack_failed_steps_logs.txt"
+          if gh run view "$RUN_ID" --repo "${{ github.repository }}" --log-failed > "$failed_logs_file"; then
+            if [ ! -s "$failed_logs_file" ]; then
+              echo "No failed step logs were returned by gh run view --log-failed." > "$failed_logs_file"
+            fi
+          else
+            echo "Failed to download failed step logs with gh run view --log-failed." > "$failed_logs_file"
+          fi
+          echo "FAILED_LOGS_PATH=$failed_logs_file" >> "$GITHUB_ENV"
+
+          gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/actions/runs/$RUN_ID/jobs \
+            --paginate > /tmp/jobs.json
+          python3 - <<'PY'
+          import json
+
+          data = json.load(open('/tmp/jobs.json'))
+          lines = []
+          for job in data.get('jobs', []):
+            if job.get('conclusion') == 'failure':
+              lines.append(f"Job: {job.get('name')} (id {job.get('id')})")
+              lines.append(f"URL: {job.get('html_url')}")
+              for step in job.get('steps', []):
+                if step.get('conclusion') == 'failure':
+                  lines.append(f"  Step: {step.get('name')}")
+              lines.append("")
+
+          summary = "\n".join(lines).strip() or "No failing job details found."
+          with open('chack_failure_summary.txt', 'w') as handle:
+            handle.write(summary)
+          PY
+
+      - name: Create Chack Agent prompt
+        env:
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+        run: |
+          {
+            echo "You are fixing a failing CI-master_test run in ${{ github.repository }}."
+            echo "The failing workflow run is: ${RUN_URL}"
+            echo "The failing commit SHA is: ${HEAD_SHA}"
+            echo "The target branch for the final PR is: ${TARGET_BRANCH}"
+            echo ""
+            echo "Failure summary:"
+            cat chack_failure_summary.txt
+            echo ""
+            echo "Failed-step logs file absolute path (local runner): ${FAILED_LOGS_PATH}"
+            echo "Read that file to inspect the exact failing logs."
+            echo ""
+            echo "Please identify the cause, apply an easy, simple and minimal fix, and update files accordingly."
+            echo "Run any fast checks you can locally (no network)."
+            echo "Leave the repo in a state ready to commit; changes will be committed and pushed automatically."
+          } > chack_prompt.txt
+
+      - name: Set up Node.js for Codex
+        uses: actions/setup-node@v5
+        with:
+          node-version: "20"
+
+      - name: Install Codex CLI
+        run: |
+          npm install -g @openai/codex
+          codex --version
+
+      - name: Run Chack Agent
+        id: run_chack
+        uses: carlospolop/chack-agent@master
+        with:
+          provider: codex
+          model_primary: CHEAP_BUT_QUALITY
+          main_action: peass-ng
+          sub_action: CI-master Failure Chack-Agent PR
+          system_prompt: |
+            Diagnose the failing gh actions workflow, propose the minimal and effective safe fix, and implement it.
+            Run only fast, local checks (no network). Leave the repo ready to commit.
+          prompt_file: chack_prompt.txt
+          tools_config_json: "{\"exec_enabled\": true}"
+          session_config_json: "{\"long_term_memory_enabled\": false}"
+          agent_config_json: "{\"self_critique_enabled\": false, \"require_task_steps_manager_init_first\": true}"
+          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
+
+      - name: Commit and push fix branch if changed
+        id: push_fix
+        run: |
+          if git diff --quiet; then
+            echo "No changes to commit."
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          rm -f chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
+          git add -A
+          # Avoid workflow-file pushes with token scopes that cannot write workflows.
+          git reset -- .github/workflows || true
+          git checkout -- .github/workflows || true
+          git clean -fdx -- .github/workflows || true
+          git reset -- chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
+          if git diff --cached --name-only | grep -q '^.github/workflows/'; then
+            echo "Workflow-file changes are still staged; skipping push without workflows permission."
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if git diff --cached --quiet; then
+            echo "No committable changes left after filtering."
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          git commit -m "Fix CI-master failures for run #${{ github.event.workflow_run.id }}"
+          if ! git push origin HEAD:"$FIX_BRANCH"; then
+            echo "Push failed (likely token workflow permission limits); skipping PR creation."
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "pushed=true" >> "$GITHUB_OUTPUT"
+
+      - name: Create PR to master
+        if: ${{ steps.push_fix.outputs.pushed == 'true' }}
+        id: create_pr
+        env:
+          GH_TOKEN: ${{ secrets.CHACK_AGENT_FIXER_TOKEN || github.token }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+        run: |
+          pr_url=$(gh pr create \
+            --title "Fix CI-master_test failure (run #${{ github.event.workflow_run.id }})" \
+            --body "Automated Chack Agent fix for failing CI-master_test run: ${RUN_URL}" \
+            --base "$TARGET_BRANCH" \
+            --head "$FIX_BRANCH")
+          echo "url=$pr_url" >> "$GITHUB_OUTPUT"
+
+      - name: Comment on created PR with Chack Agent result
+        if: ${{ steps.push_fix.outputs.pushed == 'true' && steps.run_chack.outputs.final-message != '' }}
+        uses: actions/github-script@v7
+        env:
+          PR_URL: ${{ steps.create_pr.outputs.url }}
+          CHACK_MESSAGE: ${{ steps.run_chack.outputs.final-message }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            const prUrl = process.env.PR_URL;
+            const match = prUrl.match(/\/pull\/(\d+)$/);
+            if (!match) {
+              core.info(`Could not parse PR number from URL: ${prUrl}`);
+              return;
+            }
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number(match[1]),
+              body: process.env.CHACK_MESSAGE,
+            });

.github/workflows/pr-failure-chack-agent-dispatch.yml

@@ -0,0 +1,244 @@
+name: PR Failure Chack-Agent Dispatch
+
+on:
+  workflow_run:
+    workflows: ["PR-tests"]
+    types: [completed]
+
+jobs:
+  resolve_pr_context:
+    if: >
+      ${{ github.event.workflow_run.conclusion == 'failure' &&
+          !startsWith(github.event.workflow_run.head_commit.message || '', 'Fix CI failures for PR #') }}
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+      issues: read
+    outputs:
+      number: ${{ steps.pr_context.outputs.number }}
+      author: ${{ steps.pr_context.outputs.author }}
+      head_repo: ${{ steps.pr_context.outputs.head_repo }}
+      head_branch: ${{ steps.pr_context.outputs.head_branch }}
+      should_run: ${{ steps.pr_context.outputs.should_run }}
+    steps:
+      - name: Resolve PR context
+        id: pr_context
+        env:
+          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if [ -z "$PR_NUMBER" ] && [ -n "$HEAD_BRANCH" ]; then
+            PR_NUMBER="$(gh pr list --state open --head "$HEAD_BRANCH" --json number --jq '.[0].number')"
+          fi
+          if [ -z "$PR_NUMBER" ]; then
+            echo "No pull request found for workflow_run; skipping."
+            {
+              echo "number="
+              echo "author="
+              echo "head_repo="
+              echo "head_branch=${HEAD_BRANCH}"
+              echo "should_run=false"
+            } >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          pr_author=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
+            --jq '.user.login')
+          pr_head_repo=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
+            --jq '.head.repo.full_name')
+          pr_head_branch=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
+            --jq '.head.ref')
+          pr_labels=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/issues/${PR_NUMBER} \
+            --jq '.labels[].name')
+          if echo "$pr_labels" | grep -q "^chack-agent-fix-attempted$"; then
+            echo "chack-agent fix already attempted for PR #${PR_NUMBER}; skipping."
+            should_run=false
+          else
+            should_run=true
+          fi
+          {
+            echo "number=${PR_NUMBER}"
+            echo "author=${pr_author}"
+            echo "head_repo=${pr_head_repo}"
+            echo "head_branch=${pr_head_branch}"
+            echo "should_run=${should_run}"
+          } >> "$GITHUB_OUTPUT"
+
+  chack_agent_on_failure:
+    needs: resolve_pr_context
+    if: ${{ needs.resolve_pr_context.outputs.author == 'carlospolop' && needs.resolve_pr_context.outputs.should_run == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      actions: write
+    env:
+      CHACK_LOGS_HTTP_URL: ${{ secrets.CHACK_LOGS_HTTP_URL }}
+    steps:
+      - name: Comment on PR with failure info
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+          WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            const prNumber = Number(process.env.PR_NUMBER);
+            const body = `PR #${prNumber} had a failing workflow "${process.env.WORKFLOW_NAME}".\n\nRun: ${process.env.RUN_URL}\n\nLaunching Chack Agent to attempt a fix.`;
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              body,
+            });
+
+      - name: Mark fix attempt
+        env:
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api -X POST -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/issues/${PR_NUMBER}/labels \
+            -f labels[]=chack-agent-fix-attempted
+
+      - name: Checkout PR head
+        uses: actions/checkout@v5
+        with:
+          repository: ${{ needs.resolve_pr_context.outputs.head_repo }}
+          ref: ${{ github.event.workflow_run.head_sha }}
+          fetch-depth: 0
+          persist-credentials: true
+          token: ${{ secrets.CHACK_AGENT_FIXER_TOKEN || github.token }}
+
+      - name: Configure git author
+        run: |
+          git config user.name "chack-agent"
+          git config user.email "chack-agent@users.noreply.github.com"
+
+      - name: Fetch failure summary
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+        run: |
+          gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/actions/runs/$RUN_ID/jobs \
+            --paginate > /tmp/jobs.json
+          python3 - <<'PY'
+          import json
+
+          data = json.load(open('/tmp/jobs.json'))
+          lines = []
+          for job in data.get('jobs', []):
+            if job.get('conclusion') == 'failure':
+              lines.append(f"Job: {job.get('name')} (id {job.get('id')})")
+              lines.append(f"URL: {job.get('html_url')}")
+              for step in job.get('steps', []):
+                if step.get('conclusion') == 'failure':
+                  lines.append(f"  Step: {step.get('name')}")
+              lines.append("")
+
+          summary = "\n".join(lines).strip() or "No failing job details found."
+          with open('chack_failure_summary.txt', 'w') as handle:
+            handle.write(summary)
+          PY
+
+      - name: Create Chack Agent prompt
+        env:
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+          HEAD_BRANCH: ${{ needs.resolve_pr_context.outputs.head_branch }}
+        run: |
+          {
+            echo "You are fixing CI failures for PR #${PR_NUMBER} in ${{ github.repository }}."
+            echo "The failing workflow run is: ${RUN_URL}"
+            echo "The PR branch is: ${HEAD_BRANCH}"
+            echo ""
+            echo "Failure summary:"
+            cat chack_failure_summary.txt
+            echo ""
+            echo "Please identify the cause, apply a easy, simple and minimal fix, and update files accordingly."
+            echo "Run any fast checks you can locally (no network)."
+            echo "Leave the repo in a state ready to commit as when you finish, it'll be automatically committed and pushed."
+          } > chack_prompt.txt
+
+      - name: Set up Node.js for Codex
+        uses: actions/setup-node@v5
+        with:
+          node-version: "20"
+
+      - name: Install Codex CLI
+        run: |
+          npm install -g @openai/codex
+          codex --version
+
+      - name: Run Chack Agent
+        id: run_chack
+        uses: carlospolop/chack-agent@master
+        with:
+          provider: codex
+          model_primary: CHEAP_BUT_QUALITY
+          main_action: peass-ng
+          sub_action: PR Failure Chack-Agent Dispatch
+          system_prompt: |
+            You are Chack Agent, an elite CI-fix engineer.
+            Diagnose the failing workflow, propose the minimal safe fix, and implement it.
+            Run only fast, local checks (no network). Leave the repo ready to commit.
+          prompt_file: chack_prompt.txt
+          tools_config_json: "{\"exec_enabled\": true}"
+          session_config_json: "{\"long_term_memory_enabled\": false}"
+          agent_config_json: "{\"self_critique_enabled\": false, \"require_task_steps_manager_init_first\": true}"
+          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
+
+      - name: Commit and push if changed
+        env:
+          TARGET_BRANCH: ${{ needs.resolve_pr_context.outputs.head_branch }}
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if git diff --quiet; then
+            echo "No changes to commit."
+            exit 0
+          fi
+          rm -f chack_failure_summary.txt chack_prompt.txt
+          git add -A
+          # Avoid workflow-file pushes with token scopes that cannot write workflows.
+          git reset -- .github/workflows || true
+          git checkout -- .github/workflows || true
+          git clean -fdx -- .github/workflows || true
+          git reset -- chack_failure_summary.txt chack_prompt.txt
+          if git diff --cached --name-only | grep -q '^.github/workflows/'; then
+            echo "Workflow-file changes are still staged; skipping push without workflows permission."
+            exit 0
+          fi
+          if git diff --cached --quiet; then
+            echo "No committable changes left after filtering."
+            exit 0
+          fi
+          git commit -m "Fix CI failures for PR #${PR_NUMBER}"
+          if ! git push origin HEAD:${TARGET_BRANCH}; then
+            echo "Push failed (likely token workflow permission limits); leaving run successful without push."
+            exit 0
+          fi
+          gh workflow run PR-tests.yml --ref "${TARGET_BRANCH}"
+
+      - name: Comment with Chack Agent result
+        if: ${{ steps.run_chack.outputs.final-message != '' }}
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          CHACK_MESSAGE: ${{ steps.run_chack.outputs.final-message }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number(process.env.PR_NUMBER),
+              body: process.env.CHACK_MESSAGE,
+            });

README.md

@@ -28,7 +28,7 @@ Check the **[parsers](./parsers/)** directory to **transform PEASS outputs to JS
 
 If you are a **PEASS & Hacktricks enthusiast**, you can get your hands now on **our [custom swag](https://peass.creator-spring.com/) and show how much you like our projects!**
 
-You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).
+You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about the latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).
 
 ## Let's improve PEASS together
 
@@ -37,4 +37,3 @@ If you want to **add something** and have **any cool idea** related to this proj
 ## Advisory
 
 All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
-

build_lists/sensitive_files.yaml

@@ -813,6 +813,12 @@ search:
                       bad_regex: "auth|accessfile=|secret=|user"
                       remove_regex:  "^#|^@"
                       type: f
+                - name: "*"
+                  value:
+                      bad_regex: "nullok|nullok_secure|pam_permit\\.so|pam_rootok\\.so|pam_exec\\.so|pam_unix\\.so.*(nullok|remember=0)|sufficient\\s+pam_unix\\.so"
+                      only_bad_lines: True
+                      remove_regex: "^#|^@"
+                      type: f
               type: d
               search_in: 
                 - ${ROOT_FOLDER}etc
@@ -1235,12 +1241,20 @@ search:
           auto_check: False
     
         files:
-          - name: "agent*"
+          - name: "agent.*"
             value: 
                 type: f
                 remove_path: ".dll"
                 search_in: 
                   - ${ROOT_FOLDER}tmp
+                  - ${ROOT_FOLDER}run
+
+          - name: "ssh-agent.sock"
+            value:
+                type: f
+                search_in:
+                  - ${ROOT_FOLDER}tmp
+                  - ${ROOT_FOLDER}run
       
   - name: SSH_CONFIG
     value:
@@ -1705,7 +1719,7 @@ search:
           auto_check: True
           exec:
             - '( redis-server --version || echo_not_found "redis-server") 2>/dev/null'
-            - if [ "`redis-cli INFO 2>/dev/null`" ] && ! [ "`redis-cli INFO 2>/dev/null | grep -i NOAUTH`" ]; then echo "Redis isn't password protected" | sed -${E} "s,.*,${SED_RED},"; fi
+            - redis_info="$(if [ "$TIMEOUT" ]; then $TIMEOUT 2 redis-cli INFO 2>/dev/null; else redis-cli INFO 2>/dev/null; fi)"; if [ "$redis_info" ] && ! echo "$redis_info" | grep -i NOAUTH; then echo "Redis isn't password protected" | sed -${E} "s,.*,${SED_RED},"; fi
 
         files:
           - name: "redis.conf"
@@ -2067,6 +2081,45 @@ search:
                 type: f
                 search_in: 
                   - common
+
+          - name: "*.asc"
+            value:
+                type: f
+                remove_path: "/usr/share/|/usr/lib/|/lib/|/man/"
+                search_in:
+                  - common
+
+          - name: "secring.gpg"
+            value:
+                type: f
+                search_in:
+                  - common
+
+          - name: "pubring.kbx"
+            value:
+                type: f
+                search_in:
+                  - common
+
+          - name: "trustdb.gpg"
+            value:
+                type: f
+                search_in:
+                  - common
+
+          - name: "gpg-agent.conf"
+            value:
+                type: f
+                search_in:
+                  - common
+
+          - name: "secret.asc"
+            value:
+                type: f
+                just_list_file: True
+                search_in:
+                  - common
+
           - name: "private-keys-v1.d/*.key"
             value: 
                 type: f
@@ -2844,6 +2897,85 @@ search:
                 remove_path: "example"
                 search_in: 
                   - common
+
+  - name: Proxy_Config
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "environment"
+            value:
+                bad_regex: "(http|https|ftp|all)_proxy|no_proxy"
+                only_bad_lines: True
+                remove_empty_lines: True
+                remove_regex: '^#'
+                type: f
+                check_extra_path: "^/etc/environment$"
+                search_in:
+                  - common
+
+          - name: "apt.conf"
+            value:
+                bad_regex: "Acquire::http::Proxy|Acquire::https::Proxy|proxy"
+                only_bad_lines: True
+                remove_empty_lines: True
+                remove_regex: '^#'
+                type: f
+                search_in:
+                  - common
+
+          - name: "apt.conf.d"
+            value:
+                type: d
+                files:
+                  - name: "*"
+                    value:
+                        bad_regex: "Acquire::http::Proxy|Acquire::https::Proxy|proxy"
+                        only_bad_lines: True
+                        remove_empty_lines: True
+                        remove_regex: '^#'
+                        type: f
+                search_in:
+                  - common
+    
+  - name: Sniffing_Artifacts
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "*.pcap"
+            value:
+                just_list_file: True
+                type: f
+                search_in:
+                  - common
+
+          - name: "*.pcapng"
+            value:
+                just_list_file: True
+                type: f
+                search_in:
+                  - common
+
+          - name: "keys.log"
+            value:
+                bad_regex: "CLIENT_RANDOM|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|EXPORTER_SECRET|RESUMPTION_MASTER_SECRET"
+                only_bad_lines: True
+                remove_empty_lines: True
+                type: f
+                search_in:
+                  - common
+
+          - name: "sslkeylog.log"
+            value:
+                bad_regex: "CLIENT_RANDOM|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|EXPORTER_SECRET|RESUMPTION_MASTER_SECRET"
+                only_bad_lines: True
+                remove_empty_lines: True
+                type: f
+                search_in:
+                  - common
     
   - name: Msmtprc
     value:
@@ -3352,7 +3484,7 @@ search:
 
           - name: "credentials.xml"
             value: 
-                bad_regex: "secret.*|password.*"
+                bad_regex: "secret.*|password.*|token.*|SecretKey.*|credentialId.*"
                 remove_empty_lines: True
                 type: f
                 search_in: 
@@ -3360,7 +3492,7 @@ search:
           
           - name: "config.xml"
             value: 
-                bad_regex: "secret.*|password.*"
+                bad_regex: "secret.*|password.*|token.*|SecretKey.*|credentialId.*"
                 only_bad_lines: True
                 type: f
                 search_in: 
@@ -3948,6 +4080,13 @@ search:
                 search_in: 
                   - common
 
+          - name: "*.maintenance*"
+            value:
+                just_list_file: True
+                type: f
+                search_in:
+                  - common
+
           - name: "*.key"
             value: 
                 just_list_file: True

linPEAS/README.md

@@ -6,6 +6,8 @@
 
 Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**.
 
+> **Dec 2025 update:** linpeas now inspects Linux kernels for CVE-2025-38352 (POSIX CPU timers race) by combining CONFIG_POSIX_CPU_TIMERS_TASK_WORK state with kernel build information, so you immediately know if publicly available PoCs might succeed.
+
 [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566)
 
 ## MacPEAS
@@ -98,10 +100,17 @@ The goal of this script is to search for possible **Privilege Escalation Paths**
 
 This script doesn't have any dependency.
 
+### Recent updates
+
+- **Dec 2025**: Added detection for sudo configurations that expose restic's `--password-command` helper, a common privilege escalation vector observed in real environments.
+
 It uses **/bin/sh** syntax, so can run in anything supporting `sh` (and the binaries and parameters used).
 
 By default, **linpeas won't write anything to disk and won't try to login as any other user using `su`**.
 
+LinPEAS keeps expanding vendor-specific coverage; as of 29-Nov-2025 it warns when IGEL OS appliances still ship the SUID `setup`/`date` helpers that allow NetworkManager/systemd configuration hijacking (Metasploit module `linux/local/igel_network_priv_esc`).
+
+
 By default linpeas takes around **4 mins** to complete, but It could take from **5 to 10 minutes** to execute all the checks using **-a** parameter *(Recommended option for CTFs)*:
 - From less than 1 min to 2 mins to make almost all the checks
 - Almost 1 min to search for possible passwords inside all the accesible files of the system

linPEAS/builder/linpeas_builder.py

@@ -51,5 +51,5 @@ if __name__ == "__main__":
         print("You must specify one of the following options: --all, --all-no-fat, --small or --include")
         parser.print_help()
         exit(1)
-    
+
     main(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules, output)

linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh

@@ -1,39 +0,0 @@
-# Title: System Information - Linux Exploit Suggester
-# ID: SY_Linux_exploit_suggester
-# Author: Carlos Polop
-# Last Update: 07-03-2024
-# Description: Execute Linux Exploit Suggester to identify potential kernel exploits:
-#   - Automated kernel vulnerability detection
-#   - Common vulnerable scenarios:
-#     * Known kernel vulnerabilities
-#     * Unpatched kernel versions
-#     * Missing security patches
-#   - Exploitation methods:
-#     * Kernel exploit execution: Use suggested exploits
-#     * Common attack vectors:
-#       - Kernel memory corruption
-#       - Race conditions
-#       - Use-after-free
-#       - Integer overflow
-#     * Exploit techniques:
-#       - Kernel memory manipulation
-#       - Privilege escalation
-#       - Root access acquisition
-#       - System compromise
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $MACPEAS
-# Initial Functions:
-# Generated Global Variables: $les_b64
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if [ "$(command -v bash 2>/dev/null || echo -n '')" ] && ! [ "$MACPEAS" ]; then
-    print_2title "Executing Linux Exploit Suggester"
-    print_info "https://github.com/mzet-/linux-exploit-suggester"
-    les_b64="peass{https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh}"
-    echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s/\[(CVE-[0-9]+-[0-9]+,?)+\].*/${SED_RED}/g"
-    echo ""
-fi

linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh

@@ -1,41 +0,0 @@
-# Title: System Information - Linux Exploit Suggester 2
-# ID: SY_Linux_exploit_suggester_2
-# Author: Carlos Polop
-# Last Update: 07-03-2024
-# Description: Execute Linux Exploit Suggester 2 (Perl version) to identify potential kernel exploits:
-#   - Alternative kernel vulnerability detection
-#   - Perl-based exploit suggestions
-#   - Common vulnerable scenarios:
-#     * Known kernel vulnerabilities
-#     * Unpatched kernel versions
-#     * Missing security patches
-#     * Alternative exploit paths
-#   - Exploitation methods:
-#     * Kernel exploit execution: Use suggested exploits
-#     * Common attack vectors:
-#       - Kernel memory corruption
-#       - Race conditions
-#       - Use-after-free
-#       - Integer overflow
-#     * Exploit techniques:
-#       - Kernel memory manipulation
-#       - Privilege escalation
-#       - Root access acquisition
-#       - System compromise
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables:
-# Initial Functions:
-# Generated Global Variables: $les2_b64
-# Fat linpeas: 1
-# Small linpeas: 0
-
-
-if [ "$(command -v perl 2>/dev/null || echo -n '')" ] && ! [ "$MACPEAS" ]; then
-    print_2title "Executing Linux Exploit Suggester 2"
-    print_info "https://github.com/jondonas/linux-exploit-suggester-2"
-    les2_b64="peass{https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl}"
-    echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -iE "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
-    echo ""
-fi

linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh

@@ -30,10 +30,9 @@
 # Fat linpeas: 0
 # Small linpeas: 0
 
-if apt list --installed 2>/dev/null | grep -q 'polkit.*0\.105-26' || \
-   yum list installed 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)' || \
-   rpm -qa 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)'; then
+if apt list --installed 2>/dev/null | grep -E 'polkit.*0\.105-26' | grep -qEv 'ubuntu1\.[1-9]' || \
+   yum list installed 2>/dev/null | grep -qE 'polkit.*\(0\.117-2\|0\.115-6\|0\.11[3-9]\)' || \
+   rpm -qa 2>/dev/null | grep -qE 'polkit.*\(0\.117-2\|0\.115-6\|0\.11[3-9]\)'; then
     echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
     echo ""
 fi
-

linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh

@@ -30,11 +30,33 @@
 # Functions Used: echo_not_found, print_2title, print_list, warn_exec
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt
+# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled, $protected_symlinks, $protected_hardlinks, $label, $sysctl_path, $sysctl_var, $zero_color, $nonzero_color, $sysctl_value
 # Fat linpeas: 0
 # Small linpeas: 0
 
 
+print_sysctl_eq_zero() {
+    local label="$1"
+    local sysctl_path="$2"
+    local sysctl_var="$3"
+    local zero_color="$4"
+    local nonzero_color="$5"
+    local sysctl_value
+
+    print_list "$label" "$NC"
+    sysctl_value=$(cat "$sysctl_path" 2>/dev/null)
+    eval "$sysctl_var=\$sysctl_value"
+    if [ -z "$sysctl_value" ]; then
+        echo_not_found "$sysctl_path"
+    else
+        if [ "$sysctl_value" -eq 0 ]; then
+            echo "0" | sed -${E} "s,0,${zero_color},"
+        else
+            echo "$sysctl_value" | sed -${E} "s,.*,${nonzero_color},g"
+        fi
+    fi
+}
+
 #-- SY) AppArmor
 print_2title "Protections"
 print_list "AppArmor enabled? .............. "$NC
@@ -80,10 +102,54 @@ print_list "Seccomp enabled? ............... "$NC
 print_list "User namespace? ................ "$NC
 if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
 
+#-- SY) Unprivileged user namespaces
+print_sysctl_eq_zero "unpriv_userns_clone? ........... " "/proc/sys/kernel/unprivileged_userns_clone" "unpriv_userns_clone" "$SED_GREEN" "$SED_RED"
+
+#-- SY) Unprivileged eBPF
+print_sysctl_eq_zero "unpriv_bpf_disabled? ........... " "/proc/sys/kernel/unprivileged_bpf_disabled" "unpriv_bpf_disabled" "$SED_RED" "$SED_GREEN"
+
 #-- SY) cgroup2
 print_list "Cgroup2 enabled? ............... "$NC
 ([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
 
+#-- SY) Kernel hardening sysctls
+print_sysctl_eq_zero "kptr_restrict? ................. " "/proc/sys/kernel/kptr_restrict" "kptr_restrict" "$SED_RED" "$SED_GREEN"
+
+print_sysctl_eq_zero "dmesg_restrict? ................ " "/proc/sys/kernel/dmesg_restrict" "dmesg_restrict" "$SED_RED" "$SED_GREEN"
+
+print_sysctl_eq_zero "ptrace_scope? .................. " "/proc/sys/kernel/yama/ptrace_scope" "ptrace_scope" "$SED_RED" "$SED_GREEN"
+
+print_sysctl_eq_zero "protected_symlinks? ............ " "/proc/sys/fs/protected_symlinks" "protected_symlinks" "$SED_RED" "$SED_GREEN"
+
+print_sysctl_eq_zero "protected_hardlinks? ........... " "/proc/sys/fs/protected_hardlinks" "protected_hardlinks" "$SED_RED" "$SED_GREEN"
+
+print_list "perf_event_paranoid? ........... "$NC
+perf_event_paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null)
+if [ -z "$perf_event_paranoid" ]; then
+    echo_not_found "/proc/sys/kernel/perf_event_paranoid"
+else
+    if [ "$perf_event_paranoid" -le 1 ]; then echo "$perf_event_paranoid" | sed -${E} "s,.*,${SED_RED},g"; else echo "$perf_event_paranoid" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_sysctl_eq_zero "mmap_min_addr? ................. " "/proc/sys/vm/mmap_min_addr" "mmap_min_addr" "$SED_RED" "$SED_GREEN"
+
+print_list "lockdown mode? ................. "$NC
+if [ -f "/sys/kernel/security/lockdown" ]; then
+    cat /sys/kernel/security/lockdown 2>/dev/null | sed -${E} "s,none,${SED_RED},g; s,integrity|confidentiality,${SED_GREEN},g"
+else
+    echo_not_found "/sys/kernel/security/lockdown"
+fi
+
+#-- SY) Kernel hardening config flags
+print_list "Kernel hardening flags? ........ "$NC
+if [ -f "/boot/config-$(uname -r)" ]; then
+    grep -E 'CONFIG_RANDOMIZE_BASE|CONFIG_STACKPROTECTOR|CONFIG_SLAB_FREELIST_|CONFIG_KASAN' /boot/config-$(uname -r) 2>/dev/null
+elif [ -f "/proc/config.gz" ]; then
+    zcat /proc/config.gz 2>/dev/null | grep -E 'CONFIG_RANDOMIZE_BASE|CONFIG_STACKPROTECTOR|CONFIG_SLAB_FREELIST_|CONFIG_KASAN'
+else
+    echo_not_found "kernel config"
+fi
+
 #-- SY) Gatekeeper
 if [ "$MACPEAS" ]; then
     print_list "Gatekeeper enabled? .......... "$NC
@@ -136,4 +202,4 @@ else
     if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
 fi
 
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh

@@ -58,5 +58,23 @@ else
     echo_not_found "/proc/sys/kernel/modules_disabled"
 fi
 
+# Check for module signature enforcement
+print_3title "Module signature enforcement? "
+if [ -f "/proc/sys/kernel/module_sig_enforce" ]; then
+    if [ "$(cat /proc/sys/kernel/module_sig_enforce)" = "1" ]; then
+        echo "Enforced" | sed -${E} "s,.*,${SED_GREEN},g"
+    else
+        echo "Not enforced" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+elif [ -f "/sys/module/module/parameters/sig_enforce" ]; then
+    if [ "$(cat /sys/module/module/parameters/sig_enforce)" = "Y" ]; then
+        echo "Enforced" | sed -${E} "s,.*,${SED_GREEN},g"
+    else
+        echo "Not enforced" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+else
+    echo_not_found "module_sig_enforce"
+fi
 
-echo "" 
+
+echo "" 

linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38236.sh

@@ -0,0 +1,126 @@
+# Title: System Information - CVE_2025_38236
+# ID: SY_CVE_2025_38236
+# Author: HT Bot
+# Last Update: 17-12-2025
+# Description: Detect Linux kernels exposed to CVE-2025-38236 (AF_UNIX MSG_OOB UAF) that allow local privilege escalation:
+#   - Vulnerable scope:
+#     * Linux kernels 6.9+ before commit 32ca245464e1479bfea8592b9db227fdc1641705
+#     * AF_UNIX stream sockets with MSG_OOB enabled (CONFIG_AF_UNIX_OOB or implicit support)
+#   - Exploitation summary:
+#     * send/recv MSG_OOB pattern leaves zero-length SKBs in the receive queue
+#     * manage_oob() skips cleanup, freeing the OOB SKB while u->oob_skb still points to it
+#     * Subsequent recv(MSG_OOB) dereferences the dangling pointer → kernel UAF → LPE
+#   - Mitigations:
+#     * Update to a kernel that includes commit 32ca245464e1479bfea8592b9db227fdc1641705 (or newer)
+#     * Disable CONFIG_AF_UNIX_OOB or block MSG_OOB in sandboxed processes
+#     * Backport vendor fixes or follow Chrome's MSG_OOB filtering approach
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $MACPEAS, $SED_RED_YELLOW, $SED_GREEN, $E
+# Initial Functions:
+# Generated Global Variables: $cve38236_kernel_release, $cve38236_kernel_version, $cve38236_oob_line, $cve38236_unix_line, $cve38236_oob_status, $CVE38236_CONFIG_SOURCE, $cve38236_conf_file, $cve38236_config_key, $cve38236_release, $cve38236_cfg, $cve38236_config_line
+# Fat linpeas: 0
+# Small linpeas: 1
+
+_cve38236_version_to_number() {
+    if [ -z "$1" ]; then
+        printf '0\n'
+        return
+    fi
+    echo "$1" | awk -F. '{
+        major=$1+0
+        if (NF>=2) minor=$2+0; else minor=0
+        if (NF>=3) patch=$3+0; else patch=0
+        printf "%d\n", (major*1000000)+(minor*1000)+patch
+    }'
+}
+
+_cve38236_version_ge() {
+    local v1 v2
+    v1=$(_cve38236_version_to_number "$1")
+    v2=$(_cve38236_version_to_number "$2")
+    [ "$v1" -ge "$v2" ]
+}
+
+_cve38236_cat_config_file() {
+    local cve38236_conf_file="$1"
+    if [ -z "$cve38236_conf_file" ] || ! [ -r "$cve38236_conf_file" ]; then
+        return 1
+    fi
+    if printf '%s' "$cve38236_conf_file" | grep -q '\\.gz$'; then
+        if command -v zcat >/dev/null 2>&1; then
+            zcat "$cve38236_conf_file" 2>/dev/null
+        elif command -v gzip >/dev/null 2>&1; then
+            gzip -dc "$cve38236_conf_file" 2>/dev/null
+        else
+            cat "$cve38236_conf_file" 2>/dev/null
+        fi
+    else
+        cat "$cve38236_conf_file" 2>/dev/null
+    fi
+}
+
+_cve38236_read_config_line() {
+    local cve38236_config_key="$1"
+    local cve38236_release cve38236_config_line cve38236_cfg
+    cve38236_release="$(uname -r 2>/dev/null)"
+    for cve38236_cfg in /proc/config.gz \
+        "/boot/config-${cve38236_release}" \
+        "/usr/lib/modules/${cve38236_release}/build/.config" \
+        "/lib/modules/${cve38236_release}/build/.config"; do
+        if [ -r "$cve38236_cfg" ]; then
+            cve38236_config_line=$(_cve38236_cat_config_file "$cve38236_cfg" | grep -E "^(${cve38236_config_key}=|# ${cve38236_config_key} is not set)" | head -n1)
+            if [ -n "$cve38236_config_line" ]; then
+                CVE38236_CONFIG_SOURCE="$cve38236_cfg"
+                printf '%s\n' "$cve38236_config_line"
+                return 0
+            fi
+        fi
+    done
+    return 1
+}
+
+
+if [ ! "$MACPEAS" ]; then
+    cve38236_kernel_release="$(uname -r 2>/dev/null)"
+    cve38236_kernel_version="$(printf '%s' "$cve38236_kernel_release" | sed 's/[^0-9.].*//')"
+
+    if [ -n "$cve38236_kernel_version" ] && _cve38236_version_ge "$cve38236_kernel_version" "6.9.0"; then
+        print_2title "CVE-2025-38236 - AF_UNIX MSG_OOB UAF"
+    
+        cve38236_oob_line=$(_cve38236_read_config_line "CONFIG_AF_UNIX_OOB")
+        cve38236_oob_status="unknown"
+    
+        if printf '%s' "$cve38236_oob_line" | grep -q '=y\|=m'; then
+            cve38236_oob_status="enabled"
+        elif printf '%s' "$cve38236_oob_line" | grep -q 'not set'; then
+            cve38236_oob_status="disabled"
+        fi
+    
+        if [ "$cve38236_oob_status" = "unknown" ]; then
+            cve38236_unix_line=$(_cve38236_read_config_line "CONFIG_UNIX")
+            if printf '%s' "$cve38236_unix_line" | grep -q 'not set'; then
+                cve38236_oob_status="disabled"
+            elif printf '%s' "$cve38236_unix_line" | grep -q '=y\|=m'; then
+                cve38236_oob_status="enabled"
+            fi
+        fi
+    
+        if [ "$cve38236_oob_status" = "disabled" ]; then
+            printf 'Kernel %s >= 6.9 but MSG_OOB support is disabled (%s).\n' "$cve38236_kernel_release" "${cve38236_oob_line:-CONFIG_AF_UNIX disabled}" | sed -${E} "s,.*,${SED_GREEN},"
+            print_info "CVE-2025-38236 requires AF_UNIX MSG_OOB; disabling CONFIG_AF_UNIX_OOB/CONFIG_UNIX mitigates it."
+        else
+            printf 'Kernel %s (parsed %s) may be vulnerable to CVE-2025-38236 - AF_UNIX MSG_OOB UAF.\n' "$cve38236_kernel_release" "$cve38236_kernel_version" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+            [ -n "$cve38236_oob_line" ] && print_info "Config hint: $cve38236_oob_line"
+            if [ "$cve38236_oob_status" = "unknown" ]; then
+                print_info "Could not read CONFIG_AF_UNIX_OOB directly; AF_UNIX appears enabled, so assume MSG_OOB reachable."
+            fi
+            print_info "Exploit chain: crafted MSG_OOB send/recv frees the OOB SKB while u->oob_skb still points to it, enabling kernel UAF → arbitrary read/write primitives (Project Zero 2025/08)."
+            print_info "Mitigations: update to a kernel containing commit 32ca245464e1479bfea8592b9db227fdc1641705, disable CONFIG_AF_UNIX_OOB, or filter MSG_OOB in sandbox policies."
+            print_info "Heuristic detection: based solely on uname -r and kernel config; vendor kernels with backported fixes should be verified manually."
+        fi
+        echo ""
+    fi
+
+fi

linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38352.sh

@@ -0,0 +1,183 @@
+# Title: System Information - CVE_2025_38352
+# ID: SY_CVE_2025_38352
+# Author: HT Bot
+# Last Update: 22-12-2025
+# Description: Detect Linux kernels that may still be vulnerable to CVE-2025-38352 (race-condition UAF in POSIX CPU timers)
+#   - Highlights kernels built without CONFIG_POSIX_CPU_TIMERS_TASK_WORK
+#   - Flags 6.12.x builds older than the fix commit f90fff1e152dedf52b932240ebbd670d83330eca (first shipped in 6.12.34)
+#   - Provides quick risk scoring so operators can decide whether to attempt the publicly available PoC
+#   - Core requirements for exploitation:
+#       * CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled (common on 32-bit Android / custom kernels)
+#       * Lack of the upstream exit_state guard in run_posix_cpu_timers()
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_list
+# Global Variables: $E, $SED_GREEN, $SED_RED, $SED_RED_YELLOW, $SED_YELLOW
+# Initial Functions:
+# Generated Global Variables: $cve38352_kernel_release, $cve38352_kernel_version_cmp, $cve38352_symbol, $cve38352_task_work_state, $cve38352_config_status, $cve38352_config_source, $cve38352_config_candidates, $cve38352_cfg, $cve38352_line, $cve38352_patch_state, $cve38352_patch_label, $cve38352_fix_tag, $cve38352_last_vuln_tag, $cve38352_risk_msg, $cve38352_risk_color, $cve38352_task_line, $cve38352_patch_line, $cve38352_risk_line
+# Fat linpeas: 0
+# Small linpeas: 1
+
+cve38352_version_lt(){
+    awk -v v1="$1" -v v2="$2" '
+    function cleannum(val) {
+        gsub(/[^0-9].*/, "", val)
+        if (val == "") {
+            val = 0
+        }
+        return val + 0
+    }
+    BEGIN {
+        n = split(v1, a, ".")
+        m = split(v2, b, ".")
+        max = (n > m ? n : m)
+        for (i = 1; i <= max; i++) {
+            av = (i <= n ? cleannum(a[i]) : 0)
+            bv = (i <= m ? cleannum(b[i]) : 0)
+            if (av < bv) {
+                exit 0
+            }
+            if (av > bv) {
+                exit 1
+            }
+        }
+        exit 1
+    }'
+}
+
+cve38352_sanitize_version(){
+    printf "%s" "$1" | tr '-' '.' | sed 's/[^0-9.].*$//' | sed 's/\.\./\./g' | sed 's/^\.//' | sed 's/\.$//'
+}
+
+print_2title "CVE-2025-38352 - POSIX CPU timers race"
+
+cve38352_kernel_release=$(uname -r 2>/dev/null)
+if [ -z "$cve38352_kernel_release" ]; then
+    echo_not_found "uname -r"
+    echo ""
+else
+
+    cve38352_kernel_version_cmp=$(cve38352_sanitize_version "$cve38352_kernel_release")
+    if [ -z "$cve38352_kernel_version_cmp" ]; then
+        cve38352_kernel_version_cmp="unknown"
+    fi
+
+    cve38352_symbol="CONFIG_POSIX_CPU_TIMERS_TASK_WORK"
+    cve38352_task_work_state="unknown"
+    cve38352_config_status="Unknown ($cve38352_symbol not found)"
+    cve38352_config_source=""
+
+    cve38352_config_candidates="/boot/config-$cve38352_kernel_release /proc/config.gz /lib/modules/$cve38352_kernel_release/build/.config /usr/lib/modules/$cve38352_kernel_release/build/.config /usr/src/linux/.config"
+    for cve38352_cfg in $cve38352_config_candidates; do
+        [ -r "$cve38352_cfg" ] || continue
+        if printf "%s" "$cve38352_cfg" | grep -q '\\.gz$'; then
+            cve38352_line=$(gzip -dc "$cve38352_cfg" 2>/dev/null | grep -E "^(# )?$cve38352_symbol" | head -n1)
+        else
+            cve38352_line=$(grep -E "^(# )?$cve38352_symbol" "$cve38352_cfg" 2>/dev/null | head -n1)
+        fi
+        [ -z "$cve38352_line" ] && continue
+        cve38352_config_source="$cve38352_cfg"
+        case "$cve38352_line" in
+            "$cve38352_symbol=y")
+                cve38352_task_work_state="enabled"
+                cve38352_config_status="Enabled (y)"
+                ;;
+            "$cve38352_symbol=m")
+                cve38352_task_work_state="enabled"
+                cve38352_config_status="Built as module (m)"
+                ;;
+            "$cve38352_symbol=n")
+                cve38352_task_work_state="disabled"
+                cve38352_config_status="Disabled (n)"
+                ;;
+            "# $cve38352_symbol is not set")
+                cve38352_task_work_state="disabled"
+                cve38352_config_status="Not set"
+                ;;
+            *)
+                cve38352_config_status="Found: $cve38352_line"
+                ;;
+        esac
+        break
+    done
+
+    cve38352_patch_state="unknown_branch"
+    cve38352_patch_label="Unable to determine kernel train"
+    cve38352_fix_tag="6.12.34"
+    cve38352_last_vuln_tag="6.12.33"
+    case "$cve38352_kernel_version_cmp" in
+        6.12|6.12.*)
+            if cve38352_version_lt "$cve38352_kernel_version_cmp" "$cve38352_fix_tag"; then
+                cve38352_patch_state="pre_fix"
+                cve38352_patch_label="6.12.x build < $cve38352_fix_tag (last known vulnerable LTS: $cve38352_last_vuln_tag)"
+            else
+                cve38352_patch_state="post_fix"
+                cve38352_patch_label="6.12.x build >= $cve38352_fix_tag (should include fix f90fff1e152d)"
+            fi
+            ;;
+        unknown)
+            cve38352_patch_label="Kernel version string could not be parsed"
+            ;;
+        *)
+            cve38352_patch_label="Kernel train $cve38352_kernel_version_cmp (verify commit f90fff1e152dedf52b932240ebbd670d83330eca manually)"
+            ;;
+    esac
+
+    cve38352_risk_msg="Unknown - missing configuration data"
+    cve38352_risk_color=""
+    if [ "$cve38352_task_work_state" = "enabled" ]; then
+        cve38352_risk_msg="Low - CONFIG_POSIX_CPU_TIMERS_TASK_WORK is enabled"
+        cve38352_risk_color="green"
+    elif [ "$cve38352_task_work_state" = "disabled" ]; then
+        if [ "$cve38352_patch_state" = "pre_fix" ]; then
+            cve38352_risk_msg="High - task_work disabled & kernel predates fix f90fff1e152d"
+            cve38352_risk_color="red"
+        else
+            cve38352_risk_msg="Review - task_work disabled, ensure fix f90fff1e152d is backported"
+            cve38352_risk_color="yellow"
+        fi
+    fi
+
+    print_list "Kernel release ............... $cve38352_kernel_release\n"
+    print_list "Comparable version ........... $cve38352_kernel_version_cmp\n"
+
+    cve38352_task_line="Task_work config ............. $cve38352_config_status"
+    if [ -n "$cve38352_config_source" ]; then
+        cve38352_task_line="$cve38352_task_line (from $cve38352_config_source)"
+    fi
+    cve38352_task_line="$cve38352_task_line\n"
+    if [ "$cve38352_task_work_state" = "disabled" ]; then
+        print_list "$cve38352_task_line" | sed -${E} "s,.*,${SED_RED},"
+    elif [ "$cve38352_task_work_state" = "enabled" ]; then
+        print_list "$cve38352_task_line" | sed -${E} "s,.*,${SED_GREEN},"
+    else
+        print_list "$cve38352_task_line"
+    fi
+
+    cve38352_patch_line="Patch status ................. $cve38352_patch_label\n"
+    if [ "$cve38352_patch_state" = "pre_fix" ]; then
+        print_list "$cve38352_patch_line" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    elif [ "$cve38352_patch_state" = "post_fix" ]; then
+        print_list "$cve38352_patch_line" | sed -${E} "s,.*,${SED_GREEN},"
+    else
+        print_list "$cve38352_patch_line" | sed -${E} "s,.*,${SED_YELLOW},"
+    fi
+
+    cve38352_risk_line="CVE-2025-38352 risk .......... $cve38352_risk_msg\n"
+    case "$cve38352_risk_color" in
+        red)
+            print_list "$cve38352_risk_line" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+            ;;
+        green)
+            print_list "$cve38352_risk_line" | sed -${E} "s,.*,${SED_GREEN},"
+            ;;
+        yellow)
+            print_list "$cve38352_risk_line" | sed -${E} "s,.*,${SED_YELLOW},"
+            ;;
+        *)
+            print_list "$cve38352_risk_line"
+            ;;
+    esac
+
+    echo ""
+fi

linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh

@@ -4,6 +4,7 @@
 # Last Update: 07-03-2024
 # Description: Check for additional disk information and system resources relevant to privilege escalation:
 #   - Disk utilization
+#   - Inode usage
 #   - System resources
 #   - Storage statistics
 #   - Common vulnerable scenarios:
@@ -44,4 +45,8 @@ if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
     (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
     warn_exec free 2>/dev/null
     echo ""
-fi
+
+    print_2title "Inode usage"
+    warn_exec df -i 2>/dev/null
+    echo ""
+fi

linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh

@@ -36,6 +36,14 @@ print_2title "Container details"
 
 print_list "Is this a container? ...........$NC $containerType"
 
+if [ -e "/proc/vz" ] && ! [ -e "/proc/bc" ]; then
+    print_list "Container Runtime ..............$NC OpenVZ"
+fi
+
+if [ -f "/run/systemd/container" ]; then
+     print_list "Systemd Container ..............$NC $(cat /run/systemd/container)"
+fi
+
 # Get container runtime info
 if [ "$(command -v docker || echo -n '')" ]; then
     print_list "Docker version ...............$NC "

linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh

@@ -37,10 +37,10 @@
 #       - Container escape tool execution
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, print_2title, print_3title, print_info, print_list, warn_exec
+# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, enumerateDockerSockets, print_2title, print_3title, print_info, print_list, warn_exec
 # Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
 # Initial Functions: containerCheck
-# Generated Global Variables: $defautl_docker_caps, $containerd_version, $runc_version, $containerd_version
+# Generated Global Variables: $defautl_docker_caps, $containerd_version, $runc_version, $seccomp_mode_num, $seccomp_mode_desc
 # Fat linpeas: 0
 # Small linpeas: 0
 
@@ -57,14 +57,34 @@ if [ "$inContainer" ]; then
     
     # Security mechanisms
     print_3title "Security Mechanisms"
-    print_list "Seccomp enabled? ............... "$NC
-    ([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+    seccomp_mode_num="$(awk '/^Seccomp:/{print $2}' /proc/self/status 2>/dev/null)"
+    seccomp_mode_desc="unknown"
+    case "$seccomp_mode_num" in
+      0) seccomp_mode_desc="disabled" ;;
+      1) seccomp_mode_desc="strict" ;;
+      2) seccomp_mode_desc="filtering" ;;
+    esac
+
+    print_list "Seccomp mode ................... "$NC
+    (printf "%s (%s)\n" "$seccomp_mode_desc" "${seccomp_mode_num:-?}") | sed "s,disabled,${SED_RED}," | sed "s,strict,${SED_RED_YELLOW}," | sed "s,filtering,${SED_GREEN},"
+
+    if grep -q "^Seccomp_filters:" /proc/self/status 2>/dev/null; then
+      print_list "Seccomp filters ............... "$NC
+      awk '/^Seccomp_filters:/{print $2}' /proc/self/status 2>/dev/null | sed -${E} "s,^[0-9]+$,${SED_GREEN}&,"
+    fi
 
     print_list "AppArmor profile? .............. "$NC
     (cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
 
     print_list "User proc namespace? ........... "$NC
-    if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
+    if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then 
+        (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; 
+        echo ""
+        echo "  Mappings (Container -> Host -> Range):"
+        cat /proc/self/uid_map | awk '{print "  " $1 " -> " $2 " -> " $3}'
+    else 
+        echo "disabled" | sed "s,disabled,${SED_RED},"; 
+    fi
 
     # Known vulnerabilities
     print_3title "Known Vulnerabilities"
@@ -155,6 +175,9 @@ if [ "$inContainer" ]; then
         cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
         echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
     fi
+
+    print_list "Ambient capabilities ........... "$NC
+    (grep "CapAmb:" /proc/self/status 2>/dev/null | grep -v "0000000000000000" | sed "s,CapAmb:.,," || echo "No") | sed -${E} "s,No,${SED_GREEN}," | sed -${E} "s,[0-9a-fA-F]\+,${SED_RED}&,"
     
     # Additional capability checks
     print_list "Dangerous syscalls allowed ... "$NC
@@ -200,6 +223,10 @@ if [ "$inContainer" ]; then
         echo "No"
     fi
     
+    
+    print_list "Looking and enumerating Docker Sockets (if any):\n"$NC
+    enumerateDockerSockets
+    
     # Additional breakout vectors
     print_3title "Additional Breakout Vectors"
     

linPEAS/builder/linpeas_parts/2_container/6_Am_I_contained.sh

@@ -1,20 +0,0 @@
-# Title: Container - Am I Containered 
-# ID: CT_Am_I_contained
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Am I Containered tool
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, execBin
-# Global Variables:
-# Initial Functions:
-# Generated Global Variables: $FAT_LINPEAS_AMICONTAINED
-# Fat linpeas: 1
-# Small linpeas: 0
-
-
-if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then
-  print_2title "Am I Containered?"
-  FAT_LINPEAS_AMICONTAINED="peass{https://github.com/genuinetools/amicontained/releases/latest/download/amicontained-linux-amd64}"
-  execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
-fi

linPEAS/builder/linpeas_parts/3_cloud/3_AWS_ECS.sh

@@ -1,14 +1,14 @@
 # Title: Cloud - AWS ECS
 # ID: CL_AWS_ECS
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 17-01-2026
 # Description: AWS ECS Enumeration
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: check_aws_ecs, exec_with_jq, print_2title, print_3title
 # Global Variables: $aws_ecs_metadata_uri, $aws_ecs_service_account_uri, $is_aws_ecs
 # Initial Functions: check_aws_ecs
-# Generated Global Variables: $aws_ecs_req
+# Generated Global Variables: $aws_ecs_req, $aws_exec_env, $ecs_task_metadata, $launch_type, $network_modes, $imds_tool, $imds_token, $imds_roles, $imds_http_code, $ecs_block_line, $ecs_host_line, $iptables_cmd, $docker_rules, $first_role
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -44,5 +44,146 @@ if [ "$is_aws_ecs" = "Yes" ]; then
     else
         echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
     fi
+
+    print_3title "ECS task metadata hints"
+    aws_exec_env=$(printenv AWS_EXECUTION_ENV 2>/dev/null)
+    if [ "$aws_exec_env" ]; then
+        printf "AWS_EXECUTION_ENV=%s\n" "$aws_exec_env"
+    fi
+
+    ecs_task_metadata=""
+    if [ "$aws_ecs_metadata_uri" ]; then
+        ecs_task_metadata=$(eval $aws_ecs_req "$aws_ecs_metadata_uri/task" 2>/dev/null)
+    fi
+
+    if [ "$ecs_task_metadata" ]; then
+        launch_type=$(printf "%s" "$ecs_task_metadata" | grep -oE '"LaunchType":"[^"]+"' | head -n 1 | cut -d '"' -f4)
+        if [ "$launch_type" ]; then
+            printf "ECS LaunchType reported: %s\n" "$launch_type"
+        fi
+        network_modes=$(printf "%s" "$ecs_task_metadata" | grep -oE '"NetworkMode":"[^"]+"' | cut -d '"' -f4 | sort -u | tr '\n' ' ')
+        if [ "$network_modes" ]; then
+            printf "Reported NetworkMode(s): %s\n" "$network_modes"
+        fi
+    else
+        echo "Unable to fetch task metadata (check ECS_CONTAINER_METADATA_URI)."
+    fi
     echo ""
-fi
+
+    print_3title "IMDS reachability from this task"
+    imds_token=""
+    imds_roles=""
+    imds_http_code=""
+    imds_tool=""
+
+    if command -v curl >/dev/null 2>&1; then
+        imds_tool="curl"
+    elif command -v wget >/dev/null 2>&1; then
+        imds_tool="wget"
+    fi
+
+    if [ "$imds_tool" = "curl" ]; then
+        imds_token=$(curl -s --connect-timeout 2 --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
+        if [ "$imds_token" ]; then
+            printf "[!] IMDSv2 token request succeeded (metadata reachable from this task).\n"
+            imds_roles=$(curl -s --connect-timeout 2 --max-time 2 -H "X-aws-ec2-metadata-token: $imds_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null | tr '\n' ' ')
+            if [ "$imds_roles" ]; then
+                printf "    Instance profile role(s) exposed via IMDS: %s\n" "$imds_roles"
+                first_role=$(printf "%s" "$imds_roles" | awk '{print $1}')
+                if [ "$first_role" ]; then
+                    printf "    Example: curl -H 'X-aws-ec2-metadata-token: <TOKEN>' http://169.254.169.254/latest/meta-data/iam/security-credentials/%s\n" "$first_role"
+                fi
+            else
+                printf "    No IAM role names returned (instance profile might be missing).\n"
+            fi
+        else
+            imds_http_code=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 2 --max-time 2 "http://169.254.169.254/latest/meta-data/" 2>/dev/null)
+            case "$imds_http_code" in
+                000|"")
+                    printf "[i] IMDS endpoint did not respond (likely blocked via hop-limit or host firewalling).\n"
+                    ;;
+                401)
+                    printf "[i] IMDS requires v2 tokens but token requests are being blocked (bridge-mode tasks rely on this when hop limit = 1).\n"
+                    ;;
+                *)
+                    printf "[i] IMDS GET returned HTTP %s (investigate host configuration).\n" "$imds_http_code"
+                    ;;
+            esac
+        fi
+    elif [ "$imds_tool" = "wget" ]; then
+        imds_token=$(wget -q -O - --timeout=2 --tries=1 --method=PUT --header="X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token" 2>/dev/null)
+        if [ "$imds_token" ]; then
+            printf "[!] IMDSv2 token request succeeded (metadata reachable from this task).\n"
+            imds_roles=$(wget -q -O - --timeout=2 --tries=1 --header="X-aws-ec2-metadata-token: $imds_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null | tr '\n' ' ')
+            if [ "$imds_roles" ]; then
+                printf "    Instance profile role(s) exposed via IMDS: %s\n" "$imds_roles"
+            else
+                printf "    No IAM role names returned (instance profile might be missing).\n"
+            fi
+        else
+            wget --server-response -O /dev/null --timeout=2 --tries=1 "http://169.254.169.254/latest/meta-data/" 2>&1 | awk 'BEGIN{code=""} /^  HTTP/{code=$2} END{ if(code!="") { printf("[i] IMDS GET returned HTTP %s (token could not be retrieved).\n", code); } else { print "[i] IMDS endpoint did not respond (likely blocked)."; } }'
+        fi
+    else
+        echo "Neither curl nor wget were found, I can't test IMDS reachability."
+    fi
+    echo ""
+
+    print_3title "ECS agent IMDS settings"
+    if [ -r "/etc/ecs/ecs.config" ]; then
+        ecs_block_line=$(grep -E "^ECS_AWSVPC_BLOCK_IMDS=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
+        ecs_host_line=$(grep -E "^ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
+        if [ "$ecs_block_line" ]; then
+            printf "%s\n" "$ecs_block_line"
+            if echo "$ecs_block_line" | grep -qi "=true"; then
+                echo "    -> awsvpc-mode tasks should be blocked from IMDS by the ECS agent."
+            else
+                echo "    -> awsvpc-mode tasks can still reach IMDS (set this to true to block)."
+            fi
+        else
+            echo "ECS_AWSVPC_BLOCK_IMDS not set (awsvpc tasks inherit host IMDS reachability)."
+        fi
+
+        if [ "$ecs_host_line" ]; then
+            printf "%s\n" "$ecs_host_line"
+            if echo "$ecs_host_line" | grep -qi "=false"; then
+                echo "    -> Host-network tasks lose IAM task roles but IMDS is blocked."
+            else
+                echo "    -> Host-network tasks keep IAM task roles and retain IMDS access."
+            fi
+        else
+            echo "ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST not set (defaults keep IMDS reachable for host-mode tasks)."
+        fi
+    else
+        echo "Cannot read /etc/ecs/ecs.config (file missing or permissions denied)."
+    fi
+    echo ""
+
+    print_3title "DOCKER-USER IMDS filtering"
+    iptables_cmd=""
+    if command -v iptables >/dev/null 2>&1; then
+        iptables_cmd=$(command -v iptables)
+    elif command -v iptables-nft >/dev/null 2>&1; then
+        iptables_cmd=$(command -v iptables-nft)
+    fi
+
+    if [ "$iptables_cmd" ]; then
+        docker_rules=$($iptables_cmd -S DOCKER-USER 2>/dev/null)
+        if [ $? -eq 0 ]; then
+            if [ "$docker_rules" ]; then
+                echo "$docker_rules"
+            else
+                echo "(DOCKER-USER chain exists but no rules were found)"
+            fi
+            if echo "$docker_rules" | grep -q "169\\.254\\.169\\.254"; then
+                echo "    -> IMDS traffic is explicitly filtered before Docker NAT."
+            else
+                echo "    -> No DOCKER-USER rule drops 169.254.169.254 traffic (bridge tasks rely on hop limit or host firewalling)."
+            fi
+        else
+            echo "Unable to read DOCKER-USER chain (missing chain or insufficient permissions)."
+        fi
+    else
+        echo "iptables binary not found; cannot inspect DOCKER-USER chain."
+    fi
+    echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.2
 # Functions Used: echo_not_found, print_2title, print_info, print_3title
-# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER, $IAMROOT, $WRITABLESYSTEMDPATH
+# Global Variables: $EXTRA_CHECKS, $IAMROOT, $SEARCH_IN_FOLDER, $TIMEOUT, $WRITABLESYSTEMDPATH
 # Initial Functions:
 # Generated Global Variables: $service_unit, $service_path, $service_content, $finding, $findings, $service_file, $exec_path, $exec_paths, $service, $line, $target_file, $target_exec, $relpath1, $relpath2
 # Fat linpeas: 0
@@ -178,7 +178,11 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$EXTRA_CHECKS" ]; then
     echo ""
     print_3title "Service versions and status:"
-    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+    if [ "$TIMEOUT" ]; then
+      $TIMEOUT 30 sh -c "(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null" || echo_not_found "service|chkconfig|rc-status|launchctl"
+    else
+      (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+    fi
   fi
 
   # Check systemd path writability
@@ -190,4 +194,4 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   fi
 
   echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh

@@ -17,7 +17,7 @@
 # Functions Used: print_2title, print_list, echo_not_found
 # Global Variables: $SEARCH_IN_FOLDER, $Wfolders, $SED_RED, $SED_RED_YELLOW, $NC
 # Initial Functions:
-# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $cmd
+# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $exec_value, $cmd, $cmd_path, $svc_path_entry, $svc_writable_path
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -113,21 +113,39 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
             service=$(echo "$line" | awk '{print $1}')
             service_file=$(get_service_file "$service")
             if [ -n "$service_file" ]; then
+                # Check service-specific PATH entries (Environment=PATH=...)
+                svc_writable_path=$(grep -E '^Environment=.*PATH=' "$service_file" 2>/dev/null | sed -E 's/^Environment=//; s/^"//; s/"$//; s/^PATH=//' | tr ':' '\n' | while read -r svc_path_entry; do
+                    [ -z "$svc_path_entry" ] && continue
+                    if [ -d "$svc_path_entry" ] && [ -w "$svc_path_entry" ]; then
+                        echo "$svc_path_entry"
+                    fi
+                done)
+                if [ "$svc_writable_path" ]; then
+                    for svc_path_entry in $svc_writable_path; do
+                        echo "$service: Writable service PATH entry '$svc_path_entry'" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+                    done
+                fi
+
                 # Check ExecStart paths
                 grep -E "ExecStart|ExecStartPre|ExecStartPost" "$service_file" 2>/dev/null | 
                 while read -r exec_line; do
-                    # Extract the first word after ExecStart* as the command
-                    cmd=$(echo "$exec_line" | awk '{print $2}' | tr -d '"')
-                    # Extract the rest as arguments
-                    args=$(echo "$exec_line" | awk '{$1=$2=""; print $0}' | tr -d '"')
+                    # Extract command from the right side of Exec*=, not from argv
+                    exec_value="${exec_line#*=}"
+                    exec_value=$(echo "$exec_value" | sed 's/^[[:space:]]*//')
+                    cmd=$(echo "$exec_value" | awk '{print $1}' | tr -d '"')
+                    # Strip systemd command prefixes (-, @, :, +, !) before path checks
+                    cmd_path=$(echo "$cmd" | sed -E 's/^[-@:+!]+//')
                     
                     # Only check the command path, not arguments
-                    if [ -n "$cmd" ] && [ -w "$cmd" ]; then
-                        echo "$service: $cmd (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                    if [ -n "$cmd_path" ] && [ -w "$cmd_path" ]; then
+                        echo "$service: $cmd_path (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
                     fi
                     # Check for relative paths only in the command, not arguments
-                    if [ -n "$cmd" ] && [ "${cmd#/}" = "$cmd" ] && ! echo "$cmd" | grep -qE '^-|^--'; then
-                        echo "$service: Uses relative path '$cmd' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                    if [ -n "$cmd_path" ] && [ "${cmd_path#/}" = "$cmd_path" ] && [ "${cmd_path#\$}" = "$cmd_path" ]; then
+                        echo "$service: Uses relative path '$cmd_path' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                        if [ "$svc_writable_path" ]; then
+                            echo "$service: Relative Exec path + writable service PATH can allow path hijacking" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+                        fi
                     fi
                 done
             fi
@@ -153,4 +171,4 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
     fi
 
     echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh

@@ -11,7 +11,7 @@
 # License: GNU GPL
 # Version: 1.1
 # Functions Used: print_2title, print_info
-# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $NC, $RED
+# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $SED_RED_YELLOW, $NC, $RED
 # Initial Functions:
 # Generated Global Variables: $unix_scks_list, $unix_scks_list2, $perms, $owner, $owner_info, $response, $socket, $cmd, $mode, $group
 # Fat linpeas: 0
@@ -142,10 +142,13 @@ if ! [ "$IAMROOT" ]; then
                     # Highlight dangerous ownership
                     if echo "$owner_info" | grep -q "root"; then
                         echo "  └─(${RED}Owned by root${NC})"
+                        if echo "$perms" | grep -q "Write"; then
+                            echo "  └─High risk: root-owned and writable Unix socket" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+                        fi
                     fi
                 fi
             fi
         done
     fi
     echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_Deleted_open_files.sh

@@ -0,0 +1,25 @@
+# Title: Processes & Cron & Services & Timers - Deleted open files
+# ID: PR_Deleted_open_files
+# Author: Carlos Polop
+# Last Update: 2025-01-07
+# Description: Identify deleted files still held open by running processes
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $DEBUG, $EXTRA_CHECKS, $E, $SED_RED
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if [ "$(command -v lsof 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+    print_2title "Deleted files still open"
+    print_info "Open deleted files can hide tools and still consume disk space"
+    lsof +L1 2>/dev/null | sed -${E} "s,\\(deleted\\),${SED_RED},g"
+    echo ""
+elif [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+    print_2title "Deleted files still open"
+    print_info "lsof not found, scanning /proc for deleted file descriptors"
+    ls -l /proc/[0-9]*/fd 2>/dev/null | grep "(deleted)" | sed -${E} "s,\\(deleted\\),${SED_RED},g" | head -n 200
+    echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh

@@ -23,6 +23,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   incrontab -l 2>/dev/null
   ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
   cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
+  grep -Hn '^PATH=' /etc/crontab /etc/cron.d/* 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
   crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
   ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
   atq 2>/dev/null
@@ -247,4 +248,4 @@ else
   print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
   find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
 fi
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh

@@ -5,10 +5,10 @@
 # Description: Check for internet access
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, check_external_hostname
-# Global Variables:
+# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, print_3title, print_info, check_external_hostname
+# Global Variables: $E
 # Initial Functions:
-# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $$tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
+# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
 # Fat linpeas: 0
 # Small linpeas: 0
 
@@ -29,8 +29,8 @@ check_tcp_443 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid2=$!
 check_icmp "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid3=$!
 check_dns "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid4=$!
 
-# Kill all after 10 seconds
-(sleep $(( $TIMEOUT_INTERNET_SECONDS + 1 )) && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
+# Kill all check workers after timeout + 1s without relying on integer arithmetic
+(sleep "$TIMEOUT_INTERNET_SECONDS"; sleep 1; kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
 
 check_tcp_443_bin $TIMEOUT_INTERNET_SECONDS 2>/dev/null
 tcp443_bin_status=$?
@@ -50,3 +50,9 @@ if [ "$tcp443_bin_status" -eq 0 ] && \
 fi
 
 echo ""
+print_3title "Proxy discovery"
+print_info "Checking common proxy env vars and apt proxy config"
+(env | grep -iE '^(http|https|ftp|all)_proxy=|^no_proxy=') 2>/dev/null | sed -${E} "s,_proxy|no_proxy,${SED_RED_YELLOW},g"
+grep -RinE 'Acquire::(http|https)::Proxy|proxy' /etc/apt/apt.conf /etc/apt/apt.conf.d 2>/dev/null | sed -${E} "s,proxy|Acquire::http::Proxy|Acquire::https::Proxy,${SED_RED_YELLOW},g"
+
+echo ""

linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh

@@ -5,8 +5,8 @@
 # Description: Check network interfaces
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title
-# Global Variables:
+# Functions Used: print_2title, print_3title
+# Global Variables: $E, $SED_RED_YELLOW
 # Initial Functions:
 # Generated Global Variables: $iface, $state, $mac, $ip_file, $line
 # Fat linpeas: 0
@@ -73,4 +73,22 @@ else
     parse_network_interfaces
 fi
 
-echo ""
+if command -v ip >/dev/null 2>&1; then
+    print_3title "Routing & policy quick view"
+    ip route 2>/dev/null
+    ip -6 route 2>/dev/null | head -n 30
+    echo ""
+    ip rule 2>/dev/null
+
+    print_3title "Virtual/overlay interfaces quick view"
+    ip -d link 2>/dev/null | grep -E "^[0-9]+:|veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale" | sed -${E} "s,veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale,${SED_RED_YELLOW},g"
+
+    print_3title "Network namespaces quick view"
+    ip netns list 2>/dev/null
+    ls -la /var/run/netns/ 2>/dev/null
+fi
+
+print_3title "Forwarding status"
+sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g"
+
+echo ""

linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_3title, print_info
-# Global Variables: $E, $SED_RED
+# Global Variables: $E, $SED_RED, $SED_RED_YELLOW
 # Initial Functions:
 # Generated Global Variables: $pid_dir, $tx_queue, $pid, $rem_port, $proc_file, $rem_ip, $local_ip, $rx_queue, $proto, $rem_addr, $program, $state, $header_sep, $proc_info, $inode, $header, $line, $local_addr, $local_port
 # Fat linpeas: 0
@@ -122,6 +122,45 @@ get_open_ports() {
         parse_proc_net_ports "udp"
     fi
 
+    # Focused local service exposure view
+    print_3title "Local-only listeners (loopback)"
+    if command -v ss >/dev/null 2>&1; then
+        ss -nltpu 2>/dev/null | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g"
+    elif command -v netstat >/dev/null 2>&1; then
+        netstat -punta 2>/dev/null | grep -i listen | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g"
+    fi
+
+    print_3title "Unique listener bind addresses"
+    if command -v ss >/dev/null 2>&1; then
+        ss -nltpuH 2>/dev/null | awk '{
+            a=$5
+            if (a ~ /^\[/) {
+                sub(/^\[/, "", a)
+                sub(/\]:[0-9]+$/, "", a)
+            } else if (a ~ /:[0-9]+$/) {
+                sub(/:[0-9]+$/, "", a)
+            }
+            sub(/^::ffff:/, "", a)
+            if (a != "") print a
+        }' | sort -u | sed -${E} "s,127\.0\.0\.1|::1,${SED_RED},g"
+    elif command -v netstat >/dev/null 2>&1; then
+        netstat -punta 2>/dev/null | grep -i listen | awk '{
+            a=$4
+            if (a ~ /^\[/) {
+                sub(/^\[/, "", a)
+                sub(/\]:[0-9]+$/, "", a)
+            } else if (a ~ /:[0-9]+$/) {
+                sub(/:[0-9]+$/, "", a)
+            }
+            if (a == ":::" ) a="::"
+            sub(/^::ffff:/, "", a)
+            if (a != "") print a
+        }' | sort -u | sed -${E} "s,127\.0\.0\.1|::1,${SED_RED},g"
+    fi
+
+    print_3title "Potential local forwarders/relays"
+    ps aux 2>/dev/null | grep -E "[s]ocat|[s]sh .*(-L|-R|-D)|[n]cat|[n]c .*-l" | sed -${E} "s,socat|ssh|-L|-R|-D|ncat|nc,${SED_RED_YELLOW},g"
+
     # Additional port information
     if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
         print_3title "Additional Port Information"

linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh

@@ -6,9 +6,9 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_3title, print_info, warn_exec
-# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN
+# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_RED_YELLOW
 # Initial Functions:
-# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns
+# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns, $dumpcap_test_file
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -26,8 +26,17 @@ check_command() {
 # Function to check if we can sniff on an interface
 check_interface_sniffable() {
     local iface=$1
-    if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then
-        return 0
+    if check_command tcpdump; then
+        if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then
+            return 0
+        fi
+    elif check_command dumpcap; then
+        dumpcap_test_file="/tmp/.linpeas_dumpcap_test_$$.pcap"
+        if timeout 2 dumpcap -i "$iface" -c 1 -q -w "$dumpcap_test_file" >/dev/null 2>&1; then
+            rm -f "$dumpcap_test_file" 2>/dev/null
+            return 0
+        fi
+        rm -f "$dumpcap_test_file" 2>/dev/null
     fi
     return 1
 }
@@ -55,6 +64,20 @@ check_network_traffic_analysis() {
         tools_found=1
         # Check tcpdump version and capabilities
         warn_exec tcpdump --version 2>/dev/null | head -n 1
+        getcap "$(command -v tcpdump)" 2>/dev/null
+    fi
+
+    if check_command dumpcap; then
+        echo "dumpcap is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+        warn_exec dumpcap --version 2>/dev/null | head -n 1
+        getcap "$(command -v dumpcap)" 2>/dev/null
+
+        if id -nG 2>/dev/null | grep -qw wireshark; then
+            echo "Current user is in wireshark group" | sed -${E} "s,.*,${SED_GREEN},g"
+        elif getent group wireshark >/dev/null 2>&1; then
+            echo "wireshark group exists but current user is not in it" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+        fi
     fi
     
     if check_command tshark; then
@@ -68,10 +91,28 @@ check_network_traffic_analysis() {
         echo "wireshark is available" | sed -${E} "s,.*,${SED_GREEN},g"
         tools_found=1
     fi
+
+    if check_command ngrep; then
+        echo "ngrep is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+    fi
+
+    if check_command tcpflow; then
+        echo "tcpflow is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+    fi
     
     if [ $tools_found -eq 0 ]; then
         echo "No sniffing tools found" | sed -${E} "s,.*,${SED_RED},g"
     fi
+
+    if check_command tcpdump; then
+        echo "Sniffable interfaces according to tcpdump -D:"
+        timeout 2 tcpdump -D 2>/dev/null
+    elif check_command dumpcap; then
+        echo "Sniffable interfaces according to dumpcap -D:"
+        timeout 2 dumpcap -D 2>/dev/null
+    fi
     
     # Check network interfaces
     echo ""
@@ -88,25 +129,28 @@ check_network_traffic_analysis() {
     fi
     
     for iface in $interfaces; do
-        if [ "$iface" != "lo" ]; then  # Skip loopback
+        if [ "$iface" = "lo" ]; then
+            echo -n "Interface $iface (loopback): "
+        else
             echo -n "Interface $iface: "
-            if check_interface_sniffable "$iface"; then
-                echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g"
-                interfaces_found=1
-                
-                # Check promiscuous mode
-                if check_promiscuous_mode "$iface"; then
-                    echo "  - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g"
-                fi
-                
-                # Get interface details
-                if [ "$EXTRA_CHECKS" ]; then
-                    echo "  - Interface details:"
-                    warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null
-                fi
-            else
-                echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g"
+        fi
+
+        if check_interface_sniffable "$iface"; then
+            echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g"
+            interfaces_found=1
+
+            # Check promiscuous mode
+            if [ "$iface" != "lo" ] && check_promiscuous_mode "$iface"; then
+                echo "  - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g"
             fi
+
+            # Get interface details
+            if [ "$EXTRA_CHECKS" ]; then
+                echo "  - Interface details:"
+                warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null
+            fi
+        else
+            echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g"
         fi
     done
     
@@ -145,7 +189,12 @@ check_network_traffic_analysis() {
         print_info "To capture sensitive traffic, you can use:"
         echo "tcpdump -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
         echo "tshark -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
+        echo "dumpcap -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
     fi
+
+    echo ""
+    print_3title "Running sniffing/traffic reconstruction processes"
+    ps aux 2>/dev/null | grep -E "[t]cpdump|[d]umpcap|[t]shark|[w]ireshark|[n]grep|[t]cpflow" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
     
     # Additional information
     if [ "$EXTRA_CHECKS" ]; then

linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh

@@ -6,9 +6,9 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_3title, warn_exec, echo_not_found
-# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW
+# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW, $SED_RED_YELLOW
 # Initial Functions:
-# Generated Global Variables: $rules_file, $cmd, $tool, $config_file
+# Generated Global Variables: $rules_file, $cmd, $tool, $config_file, $sysctl_var
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -90,6 +90,9 @@ analyze_nftables() {
     # List all rules
     echo -e "\nNftables Ruleset:"
     warn_exec nft list ruleset 2>/dev/null
+
+    echo -e "\nNftables Ruleset with handles (-a):"
+    warn_exec nft -a list ruleset 2>/dev/null | sed -${E} "s,\\bdrop\\b|\\breject\\b|handle [0-9]+,${SED_RED_YELLOW},g"
     
     # Check for saved rules
     echo -e "\nSaved Rules:"
@@ -180,6 +183,17 @@ analyze_firewall_rules() {
     analyze_nftables
     analyze_firewalld
     analyze_ufw
+
+    echo ""
+    print_3title "Forwarding and rp_filter"
+    for sysctl_var in net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv4.conf.all.rp_filter; do
+        sysctl "$sysctl_var" 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g"
+    done
+
+    if check_command conntrack; then
+        echo -e "\nConntrack state (first 20):"
+        warn_exec conntrack -L 2>/dev/null | head -n 20
+    fi
     
     # Additional checks if EXTRA_CHECKS is enabled
     if [ "$EXTRA_CHECKS" ]; then
@@ -207,4 +221,4 @@ analyze_firewall_rules() {
 }
 
 # Run the main function
-analyze_firewall_rules
+analyze_firewall_rules

linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh

@@ -8,7 +8,7 @@
 # Functions Used: print_2title, print_info
 # Global Variables: $Groups, $groupsB, $groupsVB, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables: $pkexec_bin, $policy_dir, $policy_file
+# Generated Global Variables: $pkexec_bin, $pkexec_version, $policy_dir, $policy_file
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -30,6 +30,10 @@ if [ -n "$pkexec_bin" ]; then
   # Check polkit version for known vulnerabilities
   if command -v pkexec >/dev/null 2>&1; then
     pkexec --version 2>/dev/null
+    pkexec_version="$(pkexec --version 2>/dev/null | grep -oE '[0-9]+(\\.[0-9]+)+')"
+    if [ "$pkexec_version" ] && [ "$(printf '%s\n' "$pkexec_version" "0.120" | sort -V | head -n1)" = "$pkexec_version" ] && [ "$pkexec_version" != "0.120" ]; then
+      echo "Potentially vulnerable to CVE-2021-4034 (PwnKit) - check distro patches" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    fi
   fi
 fi
 

linPEAS/builder/linpeas_parts/6_users_information/12_Users_with_console.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
-# Global Variables: $MACPEAS, $sh_usrs, $USER 
+# Global Variables: $MACPEAS, $sh_usrs, $TIMEOUT, $USER 
 # Initial Functions:
 # Generated Global Variables: $ushell, $no_shells, $unexpected_shells
 # Fat linpeas: 0
@@ -26,8 +26,16 @@ else
   no_shells=$(grep -Ev "sh$" /etc/passwd 2>/dev/null | cut -d ':' -f 7 | sort | uniq)
   unexpected_shells=""
   printf "%s\n" "$no_shells" | while read f; do
-    if $f -c 'whoami' 2>/dev/null | grep -q "$USER"; then
-      unexpected_shells="$f\n$unexpected_shells"
+    if [ -x "$f" ]; then
+      if [ "$TIMEOUT" ]; then
+        if $TIMEOUT 1 "$f" -c 'whoami' 2>/dev/null | grep -q "$USER"; then
+          unexpected_shells="$f\n$unexpected_shells"
+        fi
+      else
+        if "$f" -c 'whoami' 2>/dev/null | grep -q "$USER"; then
+          unexpected_shells="$f\n$unexpected_shells"
+        fi
+      fi
     fi
   done
   grep "sh$" /etc/passwd 2>/dev/null | sort | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
@@ -41,4 +49,4 @@ else
     done
   fi
 fi
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/16_Subuid_subgid_mappings.sh

@@ -0,0 +1,36 @@
+# Title: Users Information - subuid/subgid mappings
+# ID: UG_Subuid_subgid_mappings
+# Author: Carlos Polop
+# Last Update: 13-02-2026
+# Description: Show delegated user namespace ID ranges from /etc/subuid and /etc/subgid.
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "User namespace mappings (subuid/subgid)"
+if [ "$MACPEAS" ]; then
+  echo "Not applicable on macOS"
+else
+  if [ -r /etc/subuid ]; then
+    echo "subuid:"
+    grep -v -E '^\s*#|^\s*$' /etc/subuid 2>/dev/null
+  else
+    echo "/etc/subuid not readable or not present"
+  fi
+
+  if [ -r /etc/subgid ]; then
+    echo ""
+    echo "subgid:"
+    grep -v -E '^\s*#|^\s*$' /etc/subgid 2>/dev/null
+  else
+    echo "/etc/subgid not readable or not present"
+  fi
+fi
+echo ""
+

linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh

@@ -8,7 +8,7 @@
 # Functions Used: echo_not_found, print_2title, print_info
 # Global Variables:$IAMROOT, $PASSWORD, $sudoB, $sudoG, $sudoVB1, $sudoVB2 
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $secure_path_line
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -19,14 +19,27 @@ print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation
 if [ "$PASSWORD" ]; then
   (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null  || echo_not_found "sudo"
 fi
+(sudo -n -l 2>/dev/null | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo "No cached sudo token (sudo -n -l)"
+
+secure_path_line=$(sudo -l 2>/dev/null | grep -o "secure_path=[^,]*" | head -n 1 | cut -d= -f2)
+if [ "$secure_path_line" ]; then
+  for p in $(echo "$secure_path_line" | tr ':' ' '); do
+    if [ -w "$p" ]; then
+      echo "Writable secure_path entry: $p" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+  done
+fi
 ( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null  || echo_not_found "/etc/sudoers"
 if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
   echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
 fi
 for f in /etc/sudoers.d/*; do
+  if [ -w "$f" ]; then
+    echo "Sudoers file: $f is writable and may allow privilege escalation" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+  fi
   if [ -r "$f" ]; then
     echo "Sudoers file: $f is readable" | sed -${E} "s,.*,${SED_RED},g"
     grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
   fi
 done
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh

@@ -40,4 +40,18 @@ else
   echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
 
 fi
+
+if [ -d "/var/run/sudo/ts" ]; then
+  echo "Sudo token directory perms:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  ls -ld /var/run/sudo/ts 2>/dev/null
+  if [ -w "/var/run/sudo/ts" ]; then
+    echo "/var/run/sudo/ts is writable" | sed -${E} "s,.*,${SED_RED},g"
+  fi
+  if [ -f "/var/run/sudo/ts/$USER" ]; then
+    ls -l "/var/run/sudo/ts/$USER" 2>/dev/null
+    if [ -w "/var/run/sudo/ts/$USER" ]; then
+      echo "User sudo token file is writable" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+  fi
+fi
 echo ""

linPEAS/builder/linpeas_parts/7_software_information/Browser_profiles.sh

@@ -0,0 +1,64 @@
+# Title: Software Information - Browser Profiles
+# ID: SW_Browser_profiles
+# Author: Carlos Polop
+# Last Update: 10-03-2025
+# Description: List browser profiles that may store credentials/cookies
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, print_info
+# Global Variables: $HOMESEARCH, $SED_RED
+# Initial Functions:
+# Generated Global Variables: $h, $firefox_ini, $chrome_base, $profiles
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "Browser Profiles"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#browser-data"
+
+echo ""
+
+for h in $HOMESEARCH; do
+  [ -d "$h" ] || continue
+
+  firefox_ini="$h/.mozilla/firefox/profiles.ini"
+  if [ -f "$firefox_ini" ]; then
+    print_3title "Firefox profiles ($h)"
+    awk -F= '
+      /^\[Profile/ { in_profile=1 }
+      /^Path=/ { path=$2 }
+      /^IsRelative=/ { isrel=$2 }
+      /^$/ {
+        if (path != "") {
+          if (isrel == "1") {
+            print base "/.mozilla/firefox/" path
+          } else {
+            print path
+          }
+        }
+        path=""; isrel=""
+      }
+      END {
+        if (path != "") {
+          if (isrel == "1") {
+            print base "/.mozilla/firefox/" path
+          } else {
+            print path
+          }
+        }
+      }
+    ' base="$h" "$firefox_ini" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
+    echo ""
+  fi
+
+  for chrome_base in "$h/.config/google-chrome" "$h/.config/chromium" "$h/.config/BraveSoftware/Brave-Browser" "$h/.config/microsoft-edge" "$h/.config/microsoft-edge-beta" "$h/.config/microsoft-edge-dev"; do
+    if [ -d "$chrome_base" ]; then
+      profiles=$(find "$chrome_base" -maxdepth 1 -type d \( -name "Default" -o -name "Profile *" \) 2>/dev/null)
+      if [ "$profiles" ]; then
+        print_3title "Chromium profiles ($chrome_base)"
+        printf "%s\n" "$profiles" | sed -${E} "s,.*,${SED_RED},"
+        echo ""
+      fi
+    fi
+  done
+
+done

linPEAS/builder/linpeas_parts/7_software_information/Leaks_git_repo.sh

@@ -1,30 +0,0 @@
-# Title: Software Information - Checking leaks in git repositories
-# ID: SI_Leaks_git_repo
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Checking leaks in git repositories
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: execBin, print_2title
-# Global Variables: $MACPEAS, $TIMEOUT
-# Initial Functions:
-# Generated Global Variables: $git_dirname, $FAT_LINPEAS_GITLEAKS
-# Fat linpeas: 1
-# Small linpeas: 0
-
-
-if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
-  print_2title "Checking leaks in git repositories"
-  printf "%s\n" "$PSTORAGE_GITHUB" | while read f; do
-    if echo "$f" | grep -Eq ".git$"; then
-      git_dirname=$(dirname "$f")
-      if [ "$MACPEAS" ]; then
-        FAT_LINPEAS_GITLEAKS="peass{https://github.com/gitleaks/gitleaks/releases/download/v8.17.0/gitleaks_8.17.0_darwin_arm64.tar.gz}"
-      else
-        FAT_LINPEAS_GITLEAKS="peass{https://github.com/gitleaks/gitleaks/releases/download/v8.17.0/gitleaks_8.17.0_linux_x64.tar.gz}"
-      fi
-      execBin "GitLeaks (checking $git_dirname)" "https://github.com/zricethezav/gitleaks" "$FAT_LINPEAS_GITLEAKS" "detect -s '$git_dirname' -v | grep -E 'Description|Match|Secret|Message|Date'"
-    fi
-  done
-  echo ""
-fi

linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh

@@ -8,12 +8,12 @@
 # Functions Used: print_2title, print_info
 # Global Variables:$DEBUG, $SEARCH_IN_FOLDER, $USER, $wgroups
 # Initial Functions:
-# Generated Global Variables: $screensess, $screensess2
+# Generated Global Variables: $screensess, $screensess2, $uscreen
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
-if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
+if (command -v screen >/dev/null 2>&1 || [ -d "/run/screen" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching screen sessions"
   print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
   screensess=$(screen -ls 2>/dev/null)
@@ -25,5 +25,16 @@ if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_
   find /run/screen -type s -path "/run/screen/S-*" -not -user $USER '(' '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
     echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
   done
+
+  if [ -r "/etc/passwd" ]; then
+    print_3title "Checking other users screen sessions"
+    cut -d: -f1,7 /etc/passwd 2>/dev/null | grep "sh$" | cut -d: -f1 | grep -v "^$USER$" | while read u; do
+      uscreen=$(screen -ls "${u}/" 2>/dev/null | grep -v "No Sockets found" | grep -v "^$")
+      if [ "$uscreen" ]; then
+        echo "User $u screen sessions:"
+        printf "%s\n" "$uscreen" | sed -${E} "s,.*,${SED_RED},"
+      fi
+    done
+  fi
   echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh

@@ -8,7 +8,7 @@
 # Functions Used: print_2title, print_3title
 # Global Variables: $HOME, $HOMESEARCH, $ROOT_FOLDER, $SEARCH_IN_FOLDER, $TIMEOUT, $USER, $wgroups
 # Initial Functions:
-# Generated Global Variables: $certsb4_grep, $hostsallow, $hostsdenied, $sshconfig, $writable_agents, $privatekeyfilesetc, $privatekeyfileshome, $privatekeyfilesroot, $privatekeyfilesmnt,
+# Generated Global Variables: $certsb4_grep, $hostsallow, $hostsdenied, $sshconfig, $writable_agents, $agent_sockets, $privatekeyfilesetc, $privatekeyfileshome, $privatekeyfilesroot, $privatekeyfilesmnt,
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -19,12 +19,18 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
   hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
   hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
-  writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
+  agent_sockets=$(find /run/user /tmp -type s \( -path "/run/user/*/ssh-*/agent.*" -o -name "ssh-agent.sock" -o -path "/tmp/ssh-*" \) 2>/dev/null)
+  writable_agents=$(find /tmp /etc /home /run/user \
+    \( -type s -a \( -name "agent.*" -o -name "ssh-agent.sock" -o -path "*/ssh-*/agent.*" -o -name "*gpg-agent*" \) \
+    -a \( \( -user "$USER" \) -o \( -perm -o=w \) -o \( -perm -g=w -a \( $wgroups \) \) \) \) 2>/dev/null)
 else
   sshconfig="$(ls ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null)"
   hostsdenied="$(ls ${ROOT_FOLDER}etc/hosts.denied 2>/dev/null)"
   hostsallow="$(ls ${ROOT_FOLDER}etc/hosts.allow 2>/dev/null)"
-  writable_agents=$(find  ${ROOT_FOLDER} -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
+  agent_sockets=$(find "${ROOT_FOLDER}"tmp "${ROOT_FOLDER}"run -type s \( -name "agent.*" -o -name "ssh-agent.sock" \) 2>/dev/null)
+  writable_agents=$(find "${ROOT_FOLDER}" \
+    \( -type s -a \( -name "agent.*" -o -name "ssh-agent.sock" -o -path "*/ssh-*/agent.*" -o -name "*gpg-agent*" \) \
+    -a \( \( -user "$USER" \) -o \( -perm -o=w \) -o \( -perm -g=w -a \( $wgroups \) \) \) \) 2>/dev/null)
 fi
 
 peass{SSH}
@@ -33,17 +39,17 @@ grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$TIMEOUT" ]; then
-    privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
-    privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
-    privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null)
-    privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null)
+    privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' /etc 2>/dev/null)
+    privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
+    privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' /root 2>/dev/null)
+    privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' /mnt 2>/dev/null)
   else
-    privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
-    privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
+    privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
+    privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
   fi
 else
   # If $SEARCH_IN_FOLDER lets just search for private keys in the whole firmware
-  privatekeyfilesetc=$(timeout 120 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' "$ROOT_FOLDER" 2>/dev/null)
+  privatekeyfilesetc=$(timeout 120 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY\-\-\-\-\-' "$ROOT_FOLDER" 2>/dev/null)
 fi
 
 if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then
@@ -58,7 +64,7 @@ fi
 if [ "$certsb4_grep" ] || [ "$PSTORAGE_CERTSBIN" ]; then
   print_3title "Some certificates were found (out limited):"
   printf "$certsb4_grep\n" | head -n 20
-  printf "$$PSTORAGE_CERTSBIN\n" | head -n 20
+  printf "$PSTORAGE_CERTSBIN\n" | head -n 20
     echo ""
 fi
 if [ "$PSTORAGE_CERTSCLIENT" ]; then
@@ -71,6 +77,11 @@ if [ "$PSTORAGE_SSH_AGENTS" ]; then
   printf "$PSTORAGE_SSH_AGENTS\n"
   echo ""
 fi
+if [ "$agent_sockets" ]; then
+  print_3title "Potential SSH agent sockets were found:"
+  printf "%s\n" "$agent_sockets" | sed -${E} "s,.*,${SED_RED},"
+  echo ""
+fi
 if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
   print_3title "Listing SSH Agents"
   ssh-add -l

linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh

@@ -17,7 +17,7 @@ if ! [ "$IAMROOT" ]; then
   print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)"
   print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
   #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
-  obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
+  obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "/dev/*" ! -path "/snap/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
   printf "%s\n" "$obmowbe" | while read l; do
     if echo "$l" | grep -q "You_can_write_even_more_files_inside_last_directory"; then printf $ITALIC"$l\n"$NC;
     elif echo "$l" | grep -qE "$writeVB"; then

linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh

@@ -0,0 +1,80 @@
+# Title: Interesting Permissions Files - IGEL OS SUID setup/date abuse
+# ID: IP_IGEL_OS_SUID
+# Author: HT Bot
+# Last Update: 29-11-2025
+# Description: Detect IGEL OS environments that expose the SUID-root `setup`/`date` binaries and highlight writable NetworkManager/systemd configs that enable the documented privilege escalation chain (Metasploit linux/local/igel_network_priv_esc).
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $ITALIC, $NC, $SED_GREEN, $SED_RED, $SED_RED_YELLOW, $SUPERFAST
+# Initial Functions:
+# Generated Global Variables: $igel_markers, $igel_marker_sources, $marker, $igel_suid_hits, $candidate, $writable_nm, $writable_systemd, $unitdir, $tmp_units
+# Fat linpeas: 0
+# Small linpeas: 1
+
+igel_markers=""
+igel_marker_sources=""
+if [ -f /etc/os-release ] && grep -qi "igel" /etc/os-release 2>/dev/null; then
+  igel_markers="Yes"
+  igel_marker_sources="/etc/os-release"
+fi
+if [ -f /etc/issue ] && grep -qi "igel" /etc/issue 2>/dev/null; then
+  igel_markers="Yes"
+  igel_marker_sources="${igel_marker_sources} /etc/issue"
+fi
+for marker in /etc/igel /wfs/igel /userhome/.igel /config/sessions/igel; do
+  if [ -e "$marker" ]; then
+    igel_markers="Yes"
+    igel_marker_sources="${igel_marker_sources} $marker"
+  fi
+done
+
+igel_suid_hits=""
+for candidate in /usr/bin/setup /bin/setup /usr/sbin/setup /opt/igel/bin/setup /usr/bin/date /bin/date /usr/lib/igel/date; do
+  if [ -u "$candidate" ]; then
+    igel_suid_hits="${igel_suid_hits}$(ls -lah "$candidate" 2>/dev/null)\n"
+  fi
+done
+
+if [ -n "$igel_markers" ] || [ -n "$igel_suid_hits" ]; then
+  print_2title "IGEL OS SUID setup/date privilege escalation surface"
+  print_info "https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025"
+  if [ -n "$igel_markers" ]; then
+    echo "Potential IGEL OS detected via: $igel_marker_sources" | sed -${E} "s,.*,${SED_GREEN},"
+  else
+    echo "IGEL-specific SUID helpers found but IGEL markers were not detected" | sed -${E} "s,.*,${SED_RED},"
+  fi
+  if [ -n "$igel_suid_hits" ]; then
+    echo "SUID-root helpers exposing configuration primitives:" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    printf "%b" "$igel_suid_hits"
+  else
+    echo "No SUID setup/date binaries were located (system may be patched)."
+  fi
+
+  writable_nm=""
+  writable_systemd=""
+  if ! [ "$SUPERFAST" ]; then
+    if [ -d /etc/NetworkManager ]; then
+      writable_nm=$(find /etc/NetworkManager -maxdepth 3 -type f -writable 2>/dev/null | head -n 25)
+    fi
+    for unitdir in /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system; do
+      if [ -d "$unitdir" ]; then
+        tmp_units=$(find "$unitdir" -maxdepth 2 -type f -writable 2>/dev/null | head -n 15)
+        if [ -n "$tmp_units" ]; then
+          writable_systemd="${writable_systemd}${tmp_units}\n"
+        fi
+      fi
+    done
+  fi
+
+  if [ -n "$writable_nm" ]; then
+    echo "Writable NetworkManager profiles/hooks (swap Exec path to your payload):" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    echo "$writable_nm"
+  fi
+  if [ -n "$writable_systemd" ]; then
+    echo "Writable systemd unit files (edit ExecStart, then restart via setup/date):" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    printf "%b" "$writable_systemd"
+  fi
+  printf "$ITALIC  Known exploitation chain: Use the SUID setup/date binaries to edit NetworkManager or systemd configs so ExecStart points to your payload, then trigger a service restart via the same helper to run as root (Metasploit linux/local/igel_network_priv_esc).$NC\n"
+fi
+echo ""

linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_Writable_root_execs.sh

@@ -0,0 +1,36 @@
+# Title: Interesting Permissions Files - Writable root-owned executables
+# ID: IP_Writable_root_execs
+# Author: HT Bot
+# Last Update: 29-11-2025
+# Description: Locate root-owned executables outside home folders that the current user can modify
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, echo_not_found
+# Global Variables: $DEBUG, $IAMROOT, $ROOT_FOLDER, $HOME, $writeVB
+# Initial Functions:
+# Generated Global Variables: $writable_root_execs
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$IAMROOT" ]; then
+  print_2title "Writable root-owned executables I can modify (max 200)"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
+
+  writable_root_execs=$(
+    find "$ROOT_FOLDER" -type f -user root -perm -u=x \
+      \( -perm -g=w -o -perm -o=w \) \
+      ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/snap/*" ! -path "$HOME/*" 2>/dev/null \
+      | while IFS= read -r f; do
+          if [ -w "$f" ]; then
+            ls -l "$f" 2>/dev/null
+          fi
+        done | head -n 200
+  )
+
+  if [ "$writable_root_execs" ] || [ "$DEBUG" ]; then
+    printf "%s\n" "$writable_root_execs" | sed -${E} "s,$writeVB,${SED_RED_YELLOW},"
+  else
+    echo_not_found "Writable root-owned executables"
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh

@@ -23,6 +23,7 @@ if ! [ "$STRACE" ]; then
 fi
 suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null)
 printf "%s\n" "$suids_files" | while read s; do
+  [ -z "$s" ] && continue
   s=$(ls -lahtr "$s")
   #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
   if echo "$s" | grep -qE "^total"; then break; fi
@@ -37,14 +38,14 @@ printf "%s\n" "$suids_files" | while read s; do
   else
     c="a"
     for b in $sidB; do
-      if echo $s | grep -q $(echo $b | cut -d % -f 1); then
+      if echo "$sname" | grep -q $(echo $b | cut -d % -f 1); then
         echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m&  --->  $(echo $b | cut -d % -f 2)${C}[0m,"
         c=""
         break;
       fi
     done;
     if [ "$c" ]; then
-      if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
+      if echo "$sname" | grep -qE "$sidG1" || echo "$sname" | grep -qE "$sidG2" || echo "$sname" | grep -qE "$sidG3" || echo "$sname" | grep -qE "$sidG4" || echo "$sname" | grep -qE "$sidVB" || echo "$sname" | grep -qE "$sidVB2"; then
         echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
       else
         echo "$s (Unknown SUID binary!)" | sed -${E} "s,/.*,${SED_RED},"
@@ -59,6 +60,8 @@ printf "%s\n" "$suids_files" | while read s; do
                   if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
                     printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
                   fi
+                elif echo "$sline_first" | grep -q "/" && [ -d "$(dirname "$sline_first")" ] && [ -w "$(dirname "$sline_first")" ]; then #If path does not exist but can be created
+                  printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can create it inside writable dir $RED$(dirname "$sline_first")$NC$ITALIC (strings line: $sline) (https://tinyurl.com/suidpath)\n"
                 else #If not a path
                   if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary
                     printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
@@ -96,4 +99,4 @@ printf "%s\n" "$suids_files" | while read s; do
     fi
   fi
 done;
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh

@@ -17,6 +17,7 @@ print_2title "SGID"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
 printf "%s\n" "$sgids_files" | while read s; do
+  [ -z "$s" ] && continue
   s=$(ls -lahtr "$s")
   #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
   if echo "$s" | grep -qE "^total";then break; fi
@@ -53,6 +54,8 @@ printf "%s\n" "$sgids_files" | while read s; do
                   if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
                     printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n"
                   fi
+                elif echo "$sline_first" | grep -q "/" && [ -d "$(dirname "$sline_first")" ] && [ -w "$(dirname "$sline_first")" ]; then #If path does not exist but can be created
+                  printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can create it inside writable dir $RED$(dirname "$sline_first")$NC$ITALIC (strings line: $sline)\n"
                 else #If not a path
                   if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary
                     printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n"
@@ -90,4 +93,4 @@ printf "%s\n" "$sgids_files" | while read s; do
     fi
   fi
 done;
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $HOMESEARCH, $knw_usrs, $MACPEAS, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
+# Global Variables: $HOMESEARCH, $knw_usrs, $MACPEAS, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $writeB, $writeVB
 # Initial Functions:
 # Generated Global Variables:
 # Fat linpeas: 0
@@ -16,12 +16,12 @@
 print_2title "Files with ACLs (limited to 50)"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls"
 if ! [ "$SEARCH_IN_FOLDER" ]; then
-  ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+  ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"
 else
-  ( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+  ( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"
 fi
 
 if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! [ "$(command -v getfacl || echo -n '')" ]; then  #Find ACL files in macos (veeeery slow)
-  ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+  ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"
 fi
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh

@@ -8,7 +8,7 @@
 # Functions Used: echo_not_found, print_2title, print_info, print_3title
 # Global Variables: $capsB, $capsVB, $IAMROOT, $SEARCH_IN_FOLDER
 # Initial Functions:
-# Generated Global Variables: $cap_name, $cap_value, $cap_line, $capVB, $capname, $capbins, $capsVB_vuln
+# Generated Global Variables: $cap_name, $cap_value, $cap_line, $capVB, $capname, $capbins, $capsVB_vuln, $proc_status, $proc_pid, $proc_name, $proc_uid, $user_name, $proc_inh, $proc_prm, $proc_eff, $proc_bnd, $proc_amb, $proc_inh_dec, $proc_prm_dec, $proc_eff_dec, $proc_bnd_dec, $proc_amb_dec
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -69,6 +69,40 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
       fi
     done
     echo ""
+
+    print_3title "Processes with capability sets (non-zero CapEff/CapAmb, limit 40)"
+    find /proc -maxdepth 2 -path "/proc/[0-9]*/status" 2>/dev/null | head -n 400 | while read -r proc_status; do
+      proc_pid=$(echo "$proc_status" | cut -d/ -f3)
+      proc_name=$(awk '/^Name:/{print $2}' "$proc_status" 2>/dev/null)
+      proc_uid=$(awk '/^Uid:/{print $2}' "$proc_status" 2>/dev/null)
+      user_name=$(awk -F: -v uid="$proc_uid" '$3==uid{print $1; exit}' /etc/passwd 2>/dev/null)
+      [ -z "$user_name" ] && user_name="$proc_uid"
+
+      proc_inh=$(awk '/^CapInh:/{print $2}' "$proc_status" 2>/dev/null)
+      proc_prm=$(awk '/^CapPrm:/{print $2}' "$proc_status" 2>/dev/null)
+      proc_eff=$(awk '/^CapEff:/{print $2}' "$proc_status" 2>/dev/null)
+      proc_bnd=$(awk '/^CapBnd:/{print $2}' "$proc_status" 2>/dev/null)
+      proc_amb=$(awk '/^CapAmb:/{print $2}' "$proc_status" 2>/dev/null)
+
+      [ -z "$proc_eff" ] && continue
+      if [ "$proc_eff" != "0000000000000000" ] || [ "$proc_amb" != "0000000000000000" ]; then
+        echo "PID $proc_pid ($proc_name) user=$user_name"
+
+        proc_inh_dec=$(capsh --decode=0x"$proc_inh" 2>/dev/null)
+        proc_prm_dec=$(capsh --decode=0x"$proc_prm" 2>/dev/null)
+        proc_eff_dec=$(capsh --decode=0x"$proc_eff" 2>/dev/null)
+        proc_bnd_dec=$(capsh --decode=0x"$proc_bnd" 2>/dev/null)
+        proc_amb_dec=$(capsh --decode=0x"$proc_amb" 2>/dev/null)
+
+        echo "  CapInh: $proc_inh_dec" | sed -${E} "s,$capsB,${SED_RED},g"
+        echo "  CapPrm: $proc_prm_dec" | sed -${E} "s,$capsB,${SED_RED},g"
+        echo "  CapEff: $proc_eff_dec" | sed -${E} "s,$capsB,${SED_RED_YELLOW},g"
+        echo "  CapBnd: $proc_bnd_dec" | sed -${E} "s,$capsB,${SED_RED},g"
+        echo "  CapAmb: $proc_amb_dec" | sed -${E} "s,$capsB,${SED_RED_YELLOW},g"
+        echo ""
+      fi
+    done | head -n 240
+    echo ""
   
   else
     print_3title "Current shell capabilities"

linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh

@@ -6,19 +6,27 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $USER
+# Global Variables: $capsB, $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $pam_cap_lines
 # Fat linpeas: 0
 # Small linpeas: 0
 
 
-if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
+if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ] || grep -Rqs "pam_cap\.so" /etc/pam.d /etc/pam.conf 2>/dev/null; then
   print_2title "Users with capabilities"
   print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
   if [ -f "/etc/security/capability.conf" ]; then
-    grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+    grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$capsB,${SED_RED},g"
   else echo_not_found "/etc/security/capability.conf"
   fi
   echo ""
-fi
+  print_info "Checking if PAM loads pam_cap.so"
+  pam_cap_lines=$(grep -RIn "pam_cap\.so" /etc/pam.d /etc/pam.conf 2>/dev/null)
+  if [ "$pam_cap_lines" ]; then
+    printf "%s\n" "$pam_cap_lines" | sed -${E} "s,pam_cap\\.so,${SED_RED_YELLOW},g"
+  else
+    echo_not_found "pam_cap.so in /etc/pam.d or /etc/pam.conf"
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info
-# Global Variables: $IAMROOT, $ITALIC, $SEARCH_IN_FOLDER, $USER, $Wfolders, $wgroups
+# Global Variables: $IAMROOT, $ITALIC, $SEARCH_IN_FOLDER, $USER, $Wfolders, $ldsoconfdG, $wgroups
 # Initial Functions:
 # Generated Global Variables: $ini_path, $fpath
 # Fat linpeas: 0
@@ -26,40 +26,53 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
   echo "Content of /etc/ld.so.conf:"
   cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
 
-  # Check each configured folder
-  cat /etc/ld.so.conf 2>/dev/null | while read l; do
-    if echo "$l" | grep -q include; then
+  # Check each configured folder and include directives
+  cat /etc/ld.so.conf 2>/dev/null | while IFS= read -r l; do
+    l=$(echo "$l" | sed 's/#.*$//' | xargs 2>/dev/null)
+    [ -z "$l" ] && continue
+
+    if echo "$l" | grep -qE '^include[[:space:]]+'; then
       ini_path=$(echo "$l" | cut -d " " -f 2)
       fpath=$(dirname "$ini_path")
 
-      if [ -d "/etc/ld.so.conf" ] && [ -w "$fpath" ]; then 
-        echo "You have write privileges over $fpath" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
+      if [ -d "$fpath" ] && [ -w "$fpath" ]; then
+        echo "You have write privileges over $fpath" | sed -${E} "s,.*,${SED_RED_YELLOW},";
         printf $RED_YELLOW$ITALIC"$fpath\n"$NC;
       else
         printf $GREEN$ITALIC"$fpath\n"$NC;
       fi
 
-      if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then
-        echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
+      if [ "$(find "$fpath" -type f '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then
+        echo "You have write privileges over $(find "$fpath" -type f '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},";
       fi
 
-      for f in $fpath/*; do
-        if [ -w "$f" ]; then 
-          echo "You have write privileges over $f" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
+      for f in $ini_path; do
+        [ -f "$f" ] || continue
+
+        if [ -w "$f" ]; then
+          echo "You have write privileges over $f" | sed -${E} "s,.*,${SED_RED_YELLOW},";
           printf $RED_YELLOW$ITALIC"$f\n"$NC;
         else
           printf $GREEN$ITALIC"  $f\n"$NC;
         fi
 
-        cat "$f" | grep -v "^#" | while read l2; do
-          if [ -f "$l2" ] && [ -w "$l2" ]; then 
-            echo "You have write privileges over $l2" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
+        cat "$f" 2>/dev/null | grep -v "^#" | while IFS= read -r l2; do
+          l2=$(echo "$l2" | xargs 2>/dev/null)
+          [ -z "$l2" ] && continue
+
+          if [ -d "$l2" ] && [ -w "$l2" ]; then
+            echo "You have write privileges over $l2" | sed -${E} "s,.*,${SED_RED_YELLOW},";
             printf $RED_YELLOW$ITALIC"  - $l2\n"$NC;
-          else
-            echo $ITALIC"  - $l2"$NC | sed -${E} "s,$l2,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g";
+          elif [ -d "$l2" ]; then
+            echo $ITALIC"  - $l2"$NC | sed -${E} "s,$ldsoconfdG,${SED_GREEN},g" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g";
           fi
         done
       done
+    elif [ -d "$l" ] && [ -w "$l" ]; then
+      echo "You have write privileges over $l" | sed -${E} "s,.*,${SED_RED_YELLOW},";
+      printf $RED_YELLOW$ITALIC"$l\n"$NC;
+    else
+      echo $ITALIC"$l"$NC | sed -${E} "s,$ldsoconfdG,${SED_GREEN},g" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g";
     fi
   done
   echo ""
@@ -75,4 +88,4 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
     if [ -f "$l" ] && [ -w "$l" ]; then echo "You have write privileges over $l" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
   done
 
-fi
+fi

linPEAS/builder/linpeas_parts/functions/check_external_hostname.sh

@@ -17,10 +17,10 @@ check_external_hostname(){
   INTERNET_SEARCH_TIMEOUT=15
   # wget or curl?
   if command -v curl >/dev/null 2>&1; then
-    curl "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
+    curl "https://tools.hacktricks.wiki/api/host-checker" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
   elif command -v wget >/dev/null 2>&1; then
-    wget -q -O - "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
+    wget -q -O - "https://tools.hacktricks.wiki/api/host-checker" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
   else
     echo "wget or curl not found"
   fi
-}
+}

linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh

@@ -15,11 +15,12 @@
 
 check_tcp_443_bin () {
   local TIMEOUT_INTERNET_SECONDS_443_BIN=$1
-  local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/"
+  local url_lambda="https://tools.hacktricks.wiki/api/host-checker"
 
   if command -v curl >/dev/null 2>&1; then
     if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \
-         -H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
+         -H "User-Agent: linpeas" -H "Content-Type: application/json" \
+         -d "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
     then
       echo "Port 443 is accessible with curl"
       return 0                      # ✅ success
@@ -30,7 +31,8 @@ check_tcp_443_bin () {
 
   elif command -v wget >/dev/null 2>&1; then
     if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \
-         --header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
+         --header "User-Agent: linpeas" -H "Content-Type: application/json" \
+         --post-data "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
     then
       echo "Port 443 is accessible with wget"
       return 0

linPEAS/builder/linpeas_parts/functions/enumerateDockerSockets.sh

@@ -6,9 +6,9 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: echo_not_found
-# Global Variables: $GREP_DOCKER_SOCK_INFOS, $GREP_DOCKER_SOCK_INFOS_IGNORE, $IAMROOT
+# Global Variables: $GREP_DOCKER_SOCK_INFOS, $GREP_DOCKER_SOCK_INFOS_IGNORE
 # Initial Functions:
-# Generated Global Variables: $SEARCHED_DOCKER_SOCKETS, $dock_sock, $docker_enumerated, $dockerVersion, $int_sock, $sockInfoResponse
+# Generated Global Variables: $SEARCHED_DOCKER_SOCKETS, $docker_enumerated, $dockerVersion, $int_sock, $sockInfoResponse
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -17,34 +17,55 @@ enumerateDockerSockets() {
   dockerVersion="$(echo_not_found)"
   if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
     SEARCHED_DOCKER_SOCKETS="1"
-    for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -o -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
-      if ! [ "$IAMROOT" ] && [ -w "$int_sock" ]; then
+    # NOTE: This is intentionally "lightweight" (checks common runtime socket names) and avoids
+    # pseudo filesystems (/sys, /proc) to reduce noise and latency.
+    for int_sock in $(find / \
+      -path "/sys" -prune -o \
+      -path "/proc" -prune -o \
+      -type s \( \
+        -name "docker.sock" -o \
+        -name "docker.socket" -o \
+        -name "dockershim.sock" -o \
+        -name "containerd.sock" -o \
+        -name "crio.sock" -o \
+        -name "frakti.sock" -o \
+        -name "rktlet.sock" \
+      \) -print 2>/dev/null); do
+
+      # Basic permissions hint (you generally need write perms to connect to a unix socket).
+      if [ -w "$int_sock" ]; then
         if echo "$int_sock" | grep -Eq "docker"; then
-          dock_sock="$int_sock"
-          echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
-          echo "Docker enummeration:"
-          docker_enumerated=""
-
-          if [ "$(command -v curl || echo -n '')" ]; then
-            sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)"
-            dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
-            echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
-            if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi
-          fi
-
-          if [ "$(command -v docker || echo -n '')" ] && ! [ "$docker_enumerated" ]; then
-            sockInfoResponse="$(docker info)"
-            dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4)
-            printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
-          fi
-        
+          echo "You have write permissions over Docker socket $int_sock" | sed -${E} "s,$int_sock,${SED_RED_YELLOW},g"
         else
           echo "You have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_RED},g"
         fi
-
       else
         echo "You don't have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_GREEN},g"
       fi
+
+      # Validate whether this looks like a Docker Engine API socket (amicontained-style) when curl exists.
+      docker_enumerated=""
+      if [ "$(command -v curl 2>/dev/null || echo -n '')" ]; then
+        sockInfoResponse="$(curl -s --max-time 2 --unix-socket "$int_sock" http://localhost/info 2>/dev/null)"
+        if echo "$sockInfoResponse" | grep -q "ServerVersion"; then
+          echo "Valid Docker API socket: $int_sock" | sed -${E} "s,$int_sock,${SED_RED_YELLOW},g"
+          dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
+          echo "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
+          docker_enumerated="1"
+        fi
+      fi
+
+      # Fallback to docker CLI if curl is missing or the /info request didn't work.
+      # Use DOCKER_HOST so we can target non-default socket paths when possible.
+      if [ "$(command -v docker 2>/dev/null || echo -n '')" ] && ! [ "$docker_enumerated" ]; then
+        if [ -w "$int_sock" ] && echo "$int_sock" | grep -Eq "docker"; then
+          sockInfoResponse="$(DOCKER_HOST="unix://$int_sock" docker info 2>/dev/null)"
+          if [ "$sockInfoResponse" ]; then
+            dockerVersion=$(echo "$sockInfoResponse" | grep -i "^ Server Version:" | awk '{print $4}' | head -n 1)
+            printf "%s\n" "$sockInfoResponse" | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
+          fi
+        fi
+      fi
     done
   fi
 }

linPEAS/builder/linpeas_parts/functions/su_try_pwd.sh

@@ -1,7 +1,7 @@
 # Title: LinPeasBase - su_try_pwd
 # ID: su_try_pwd
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 15-12-2025
 # Description: Try to login as user using a password
 # License: GNU GPL
 # Version: 1.0
@@ -17,7 +17,7 @@ su_try_pwd(){
   BFUSER=$1
   PASSWORDTRY=$2
   trysu=$(echo "$PASSWORDTRY" | timeout 1 su $BFUSER -c whoami 2>/dev/null)
-  if [ "$trysu" ]; then
+    if [ $? -eq 0 ]; then
     echo "  You can login as $BFUSER using password: $PASSWORDTRY" | sed -${E} "s,.*,${SED_RED_YELLOW},"
   fi
-}
+}

linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh

@@ -217,7 +217,7 @@ print_title(){
   max_title_len=80
   rest_len=$((($max_title_len - $title_len) / 2))
 
-  printf ${BLUE}
+  printf "%s" "${BLUE}"
   for i in $(seq 1 $rest_len); do printf " "; done
   printf "╔"
   for i in $(seq 1 $title_len); do printf "═"; done; printf "═";
@@ -231,13 +231,13 @@ print_title(){
 
   echo ""
 
-  printf ${BLUE}
+  printf "%s" "${BLUE}"
   for i in $(seq 1 $rest_len); do printf " "; done
   printf "╚"
   for i in $(seq 1 $title_len); do printf "═"; done; printf "═";
   printf "╝"
 
-  printf $NC
+  printf "%s" "${NC}"
   echo ""
 }
 

linPEAS/builder/linpeas_parts/variables/capsB.sh

@@ -13,4 +13,4 @@
 # Small linpeas: 1
 
 
-capsB="=ep|cap_chown|cap_former|cap_setfcap|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_kill|cap_net_bind_service|cap_net_raw|cap_net_admin|cap_sys_admin|cap_sys_ptrace|cap_sys_module"
+capsB="=ep|cap_chown|cap_fowner|cap_fsetid|cap_setpcap|cap_setfcap|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_kill|cap_net_bind_service|cap_net_raw|cap_net_admin|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_sys_rawio|cap_bpf|cap_perfmon"

linPEAS/builder/linpeas_parts/variables/capsVB.sh

@@ -18,7 +18,9 @@ cap_sys_ptrace:python \
 cap_sys_module:kmod|python \
 cap_dac_override:python|vim \
 cap_chown:chown|python \
-cap_former:chown|python \
+cap_fowner:chown|python \
+cap_setfcap:python|perl|ruby|php|node|lua|bash \
+cap_setpcap:python|perl|ruby|php|node|lua|bash \
 cap_setuid:peass{CAP_SETUID_HERE} \
 cap_setgid:peass{CAP_SETGID_HERE} \
-cap_net_raw:python|tcpdump"
+cap_net_raw:python|tcpdump|dumpcap|tcpflow"

linPEAS/builder/linpeas_parts/variables/pwd_in_variables.sh

@@ -24,4 +24,4 @@ pwd_in_variables7="MAILGUN_APIKEY|MAILGUN_API_KEY|MAILGUN_DOMAIN|MAILGUN_PRIV_KE
 pwd_in_variables8="OKTA_OAUTH2_ISSUER|OMISE_KEY|OMISE_PKEY|OMISE_PUBKEY|OMISE_SKEY|ONESIGNAL_API_KEY|ONESIGNAL_USER_AUTH_KEY|OPENWHISK_KEY|OPEN_WHISK_KEY|OSSRH_PASS|OSSRH_SECRET|OSSRH_USER|OS_AUTH_URL|OS_PROJECT_NAME|OS_TENANT_ID|OS_TENANT_NAME|PAGERDUTY_APIKEY|PAGERDUTY_ESCALATION_POLICY_ID|PAGERDUTY_FROM_USER|PAGERDUTY_PRIORITY_ID|PAGERDUTY_SERVICE_ID|PANTHEON_SITE|PARSE_APP_ID|PARSE_JS_KEY|PAYPAL_CLIENT_ID|PAYPAL_CLIENT_SECRET|PERCY_TOKEN|PERSONAL_KEY|PERSONAL_SECRET|PG_DATABASE|PG_HOST|PLACES_APIKEY|PLACES_API_KEY|PLACES_APPID|PLACES_APPLICATION_ID|PLOTLY_APIKEY|POSTGRESQL_DB|POSTGRESQL_PASS|POSTGRES_ENV_POSTGRES_DB|POSTGRES_ENV_POSTGRES_USER|POSTGRES_PORT|PREBUILD_AUTH|PROD.ACCESS.KEY.ID|PROD.SECRET.KEY|PROD_BASE_URL_RUNSCOPE|PROJECT_CONFIG|PUBLISH_KEY|PUBLISH_SECRET|PUSHOVER_TOKEN|PUSHOVER_USER|PYPI_PASSOWRD|QUIP_TOKEN|RABBITMQ_SERVER_ADDR|REDISCLOUD_URL|REDIS_STUNNEL_URLS|REFRESH_TOKEN|RELEASE_GH_TOKEN|RELEASE_TOKEN|remoteUserToShareTravis|REPORTING_WEBDAV_URL|REPORTING_WEBDAV_USER|repoToken|REST_API_KEY|RINKEBY_PRIVATE_KEY|ROPSTEN_PRIVATE_KEY|route53_access_key_id|RTD_KEY_PASS|RTD_STORE_PASS|RUBYGEMS_AUTH_TOKEN|s3_access_key|S3_ACCESS_KEY_ID|S3_BUCKET_NAME_APP_LOGS|S3_BUCKET_NAME_ASSETS|S3_KEY"
 pwd_in_variables9="S3_KEY_APP_LOGS|S3_KEY_ASSETS|S3_PHOTO_BUCKET|S3_SECRET_APP_LOGS|S3_SECRET_ASSETS|S3_SECRET_KEY|S3_USER_ID|S3_USER_SECRET|SACLOUD_ACCESS_TOKEN|SACLOUD_ACCESS_TOKEN_SECRET|SACLOUD_API|SALESFORCE_BULK_TEST_SECURITY_TOKEN|SANDBOX_ACCESS_TOKEN|SANDBOX_AWS_ACCESS_KEY_ID|SANDBOX_AWS_SECRET_ACCESS_KEY|SANDBOX_LOCATION_ID|SAUCE_ACCESS_KEY|SECRETACCESSKEY|SECRETKEY|SECRET_0|SECRET_10|SECRET_11|SECRET_1|SECRET_2|SECRET_3|SECRET_4|SECRET_5|SECRET_6|SECRET_7|SECRET_8|SECRET_9|SECRET_KEY_BASE|SEGMENT_API_KEY|SELION_SELENIUM_SAUCELAB_GRID_CONFIG_FILE|SELION_SELENIUM_USE_SAUCELAB_GRID|SENDGRID|SENDGRID_API_KEY|SENDGRID_FROM_ADDRESS|SENDGRID_KEY|SENDGRID_USER|SENDWITHUS_KEY|SENTRY_AUTH_TOKEN|SERVICE_ACCOUNT_SECRET|SES_ACCESS_KEY|SES_SECRET_KEY|setDstAccessKey|setDstSecretKey|setSecretKey|SIGNING_KEY|SIGNING_KEY_SECRET|SIGNING_KEY_SID|SNOOWRAP_CLIENT_SECRET|SNOOWRAP_REDIRECT_URI|SNOOWRAP_REFRESH_TOKEN|SNOOWRAP_USER_AGENT|SNYK_API_TOKEN|SNYK_ORG_ID|SNYK_TOKEN|SOCRATA_APP_TOKEN|SOCRATA_USER|SONAR_ORGANIZATION_KEY|SONAR_PROJECT_KEY|SONAR_TOKEN|SONATYPE_GPG_KEY_NAME|SONATYPE_GPG_PASSPHRASE|SONATYPE_PASSSONATYPE_TOKEN_USER|SONATYPE_USER|SOUNDCLOUD_CLIENT_ID|SOUNDCLOUD_CLIENT_SECRET|SPACES_ACCESS_KEY_ID|SPACES_SECRET_ACCESS_KEY"
 pwd_in_variables10="SPA_CLIENT_ID|SPOTIFY_API_ACCESS_TOKEN|SPOTIFY_API_CLIENT_ID|SPOTIFY_API_CLIENT_SECRET|sqsAccessKey|sqsSecretKey|SRCCLR_API_TOKEN|SSHPASS|SSMTP_CONFIG|STARSHIP_ACCOUNT_SID|STARSHIP_AUTH_TOKEN|STAR_TEST_AWS_ACCESS_KEY_ID|STAR_TEST_BUCKET|STAR_TEST_LOCATION|STAR_TEST_SECRET_ACCESS_KEY|STORMPATH_API_KEY_ID|STORMPATH_API_KEY_SECRET|STRIPE_PRIVATE|STRIPE_PUBLIC|STRIP_PUBLISHABLE_KEY|STRIP_SECRET_KEY|SURGE_LOGIN|SURGE_TOKEN|SVN_PASS|SVN_USER|TESCO_API_KEY|THERA_OSS_ACCESS_ID|THERA_OSS_ACCESS_KEY|TRAVIS_ACCESS_TOKEN|TRAVIS_API_TOKEN|TRAVIS_COM_TOKEN|TRAVIS_E2E_TOKEN|TRAVIS_GH_TOKEN|TRAVIS_PULL_REQUEST|TRAVIS_SECURE_ENV_VARS|TRAVIS_TOKEN|TREX_CLIENT_ORGURL|TREX_CLIENT_TOKEN|TREX_OKTA_CLIENT_ORGURL|TREX_OKTA_CLIENT_TOKEN|TWILIO_ACCOUNT_ID|TWILIO_ACCOUNT_SID|TWILIO_API_KEY|TWILIO_API_SECRET|TWILIO_CHAT_ACCOUNT_API_SERVICE|TWILIO_CONFIGURATION_SID|TWILIO_SID|TWILIO_TOKEN|TWITTEROAUTHACCESSSECRET|TWITTEROAUTHACCESSTOKEN|TWITTER_CONSUMER_KEY|TWITTER_CONSUMER_SECRET|UNITY_SERIAL|URBAN_KEY|URBAN_MASTER_SECRET|URBAN_SECRET|userTravis|USER_ASSETS_ACCESS_KEY_ID|USER_ASSETS_SECRET_ACCESS_KEY|VAULT_APPROLE_SECRET_ID|VAULT_PATH|VIP_GITHUB_BUILD_REPO_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY_PASS"
-pwd_in_variables11="VIRUSTOTAL_APIKEY|VISUAL_RECOGNITION_API_KEY|V_SFDC_CLIENT_ID|V_SFDC_CLIENT_SECRET|WAKATIME_API_KEY|WAKATIME_PROJECT|WATSON_CLIENT|WATSON_CONVERSATION_WORKSPACE|WATSON_DEVICE|WATSON_DEVICE_TOPIC|WATSON_TEAM_ID|WATSON_TOPIC|WIDGET_BASIC_USER_2|WIDGET_BASIC_USER_3|WIDGET_BASIC_USER_4|WIDGET_BASIC_USER_5|WIDGET_FB_USER|WIDGET_FB_USER_2|WIDGET_FB_USER_3|WIDGET_TEST_SERVERWORDPRESS_DB_USER|WORKSPACE_ID|WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY|WPT_DB_HOST|WPT_DB_NAME|WPT_DB_USER|WPT_PREPARE_DIR|WPT_REPORT_API_KEY|WPT_SSH_CONNECT|WPT_SSH_PRIVATE_KEY_BASE64|YANGSHUN_GH_TOKEN|YT_ACCOUNT_CHANNEL_ID|YT_ACCOUNT_CLIENT_ID|YT_ACCOUNT_CLIENT_SECRET|YT_ACCOUNT_REFRESH_TOKEN|YT_API_KEY|YT_CLIENT_ID|YT_CLIENT_SECRET|YT_PARTNER_CHANNEL_ID|YT_PARTNER_CLIENT_ID|YT_PARTNER_CLIENT_SECRET|YT_PARTNER_ID|YT_PARTNER_REFRESH_TOKEN|YT_SERVER_API_KEY|ZHULIANG_GH_TOKEN|ZOPIM_ACCOUNT_KEY"
+pwd_in_variables11="VIRUSTOTAL_APIKEY|VISUAL_RECOGNITION_API_KEY|V_SFDC_CLIENT_ID|V_SFDC_CLIENT_SECRET|WAKATIME_API_KEY|WAKATIME_PROJECT|WATSON_CLIENT|WATSON_CONVERSATION_WORKSPACE|WATSON_DEVICE|WATSON_DEVICE_TOPIC|WATSON_TEAM_ID|WATSON_TOPIC|WIDGET_BASIC_USER_2|WIDGET_BASIC_USER_3|WIDGET_BASIC_USER_4|WIDGET_BASIC_USER_5|WIDGET_FB_USER|WIDGET_FB_USER_2|WIDGET_FB_USER_3|WIDGET_TEST_SERVERWORDPRESS_DB_USER|WORKSPACE_ID|WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY|WPT_DB_HOST|WPT_DB_NAME|WPT_DB_USER|WPT_PREPARE_DIR|WPT_REPORT_API_KEY|WPT_SSH_CONNECT|WPT_SSH_PRIVATE_KEY_BASE64|YANGSHUN_GH_TOKEN|YT_ACCOUNT_CHANNEL_ID|YT_ACCOUNT_CLIENT_ID|YT_ACCOUNT_CLIENT_SECRET|YT_ACCOUNT_REFRESH_TOKEN|YT_API_KEY|YT_CLIENT_ID|YT_CLIENT_SECRET|YT_PARTNER_CHANNEL_ID|YT_PARTNER_CLIENT_ID|YT_PARTNER_CLIENT_SECRET|YT_PARTNER_ID|YT_PARTNER_REFRESH_TOKEN|YT_SERVER_API_KEY|ZHULIANG_GH_TOKEN|ZOPIM_ACCOUNT_KEY|USERNAME|PASSWORD|PASSWD|CREDENTIALS?"

linPEAS/builder/linpeas_parts/variables/sidG.sh

@@ -15,6 +15,5 @@
 
 sidG1="/abuild-sudo$|/accton$|/allocate$|/ARDAgent$|/arping$|/atq$|/atrm$|/authpf$|/authpf-noip$|/authopen$|/batch$|/bbsuid$|/bsd-write$|/btsockstat$|/bwrap$|/cacaocsc$|/camel-lock-helper-1.2$|/ccreds_validate$|/cdrw$|/chage$|/check-foreground-console$|/chrome-sandbox$|/chsh$|/cons.saver$|/crontab$|/ct$|/cu$|/dbus-daemon-launch-helper$|/deallocate$|/desktop-create-kmenu$|/dma$|/dma-mbox-create$|/dmcrypt-get-device$|/doas$|/dotlockfile$|/dotlock.mailutils$|/dtaction$|/dtfile$|/eject$|/execabrt-action-install-debuginfo-to-abrt-cache$|/execdbus-daemon-launch-helper$|/execdma-mbox-create$|/execlockspool$|/execlogin_chpass$|/execlogin_lchpass$|/execlogin_passwd$|/execssh-keysign$|/execulog-helper$|/exim4|/expiry$|/fdformat$|/fstat$|/fusermount$|/fusermount3$"
 sidG2="/gnome-pty-helper$|/glines$|/gnibbles$|/gnobots2$|/gnome-suspend$|/gnometris$|/gnomine$|/gnotski$|/gnotravex$|/gpasswd$|/gpg$|/gpio$|/gtali|/.hal-mtab-lock$|/helper$|/imapd$|/inndstart$|/kismet_cap_nrf_51822$|/kismet_cap_nxp_kw41z$|/kismet_cap_ti_cc_2531$|/kismet_cap_ti_cc_2540$|/kismet_cap_ubertooth_one$|/kismet_capture$|/kismet_cap_linux_bluetooth$|/kismet_cap_linux_wifi$|/kismet_cap_nrf_mousejack$|/ksu$|/list_devices$|/load_osxfuse$|/locate$|/lock$|/lockdev$|/lockfile$|/login_activ$|/login_crypto$|/login_radius$|/login_skey$|/login_snk$|/login_token$|/login_yubikey$|/lpc$|/lpd$|/lpd-port$|/lppasswd$|/lpq$|/lpr$|/lprm$|/lpset$|/lxc-user-nic$|/mahjongg$|/mail-lock$|/mailq$|/mail-touchlock$|/mail-unlock$|/mksnap_ffs$|/mlocate$|/mlock$|/mount$|/mount.cifs$|/mount.ecryptfs_private$|/mount.nfs$|/mount.nfs4$|/mount_osxfuse$|/mtr$|/mutt_dotlock$"
-sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$"
+sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/hping3$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$"
 sidG4="/telnetlogin$|/timedc$|/tip$|/top$|/traceroute6$|/traceroute6.iputils$|/trpt$|/tsoldtlabel$|/tsoljdslabel$|/tsolxagent$|/ufsdump$|/ufsrestore$|/ulog-helper$|/umount.cifs$|/umount.nfs$|/umount.nfs4$|/unix_chkpwd$|/uptime$|/userhelper$|/userisdnctl$|/usernetctl$|/utempter$|/utmp_update$|/uucico$|/uuglist$|/uuidd$|/uuname$|/uusched$|/uustat$|/uux$|/uuxqt$|/VBoxHeadless$|/VBoxNetAdpCtl$|/VBoxNetDHCP$|/VBoxNetNAT$|/VBoxSDL$|/VBoxVolInfo$|/VirtualBoxVM$|/vmstat$|/vmware-authd$|/vmware-user-suid-wrapper$|/vmware-vmx$|/vmware-vmx-debug$|/vmware-vmx-stats$|/vncserver-x11$|/volrmmount$|/w$|/wall$|/whodo$|/write$|/X$|/Xorg.wrap$|/Xsun$|/Xvnc$|/yppasswd$"
-

linPEAS/builder/linpeas_parts/variables/sudoB.sh

@@ -12,5 +12,4 @@
 # Fat linpeas: 0
 # Small linpeas: 1
 
-
-sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount"
+sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount|/restic|/usermod|/sbin/ldconfig|/usr/sbin/ldconfig|ldconfig -f|--password-command|--password-file|-o ProxyCommand|-o PreferredAuthentications"

linPEAS/builder/linpeas_parts/variables/sudoVB1.sh

@@ -13,5 +13,5 @@
 # Small linpeas: 1
 
 
-sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|peass{SUDOVB1_HERE}"
+sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|env_keep\W*\+=.*PATH|!env_reset|!requiretty|peass{SUDOVB1_HERE}"
 sudoVB2="peass{SUDOVB2_HERE}"

linPEAS/builder/linpeas_parts/variables/writeVB.sh

@@ -13,4 +13,4 @@
 # Small linpeas: 1
 
 
-writeVB="/etc/anacrontab|/etc/apt/apt.conf.d|/etc/bash.bashrc|/etc/bash_completion|/etc/bash_completion.d/|/etc/cron|/etc/environment|/etc/environment.d/|/etc/group|/etc/incron.d/|/etc/init|/etc/ld.so.conf.d/|/etc/master.passwd|/etc/passwd|/etc/profile.d/|/etc/profile|/etc/rc.d|/etc/shadow|/etc/skey/|/etc/sudoers|/etc/sudoers.d/|/etc/supervisor/conf.d/|/etc/supervisor/supervisord.conf|/etc/systemd|/etc/sys|/lib/systemd|/etc/update-motd.d/|/root/.ssh/|/run/systemd|/usr/lib/cron/tabs/|/usr/lib/systemd|/systemd/system|/var/db/yubikey/|/var/spool/anacron|/var/spool/cron/crontabs|"$(echo $PATH 2>/dev/null | sed 's/:\.:/:/g' | sed 's/:\.$//g' | sed 's/^\.://g' | sed 's/:/$|^/g') #Add Path but remove simple dot in PATH
+writeVB="/etc/anacrontab|/etc/apt/apt.conf.d|/etc/bash.bashrc|/etc/bash_completion|/etc/bash_completion.d/|/etc/cron|/etc/environment|/etc/environment.d/|/etc/group|/etc/incron.d/|/etc/init|/etc/ld.so.conf.d/|/etc/ld.so.preload|/etc/master.passwd|/etc/passwd|/etc/profile.d/|/etc/profile|/etc/rc.d|/etc/shadow|/etc/skey/|/etc/sudoers|/etc/sudoers.d/|/etc/supervisor/conf.d/|/etc/supervisor/supervisord.conf|/etc/systemd|/etc/sys|/lib/systemd|/etc/update-motd.d/|/root/.ssh/|/run/systemd|/usr/lib/cron/tabs/|/usr/lib/systemd|/systemd/system|/var/db/yubikey/|/var/spool/anacron|/var/spool/cron/crontabs|"$(echo $PATH 2>/dev/null | sed 's/:\.:/:/g' | sed 's/:\.$//g' | sed 's/^\.://g' | sed 's/:/$|^/g') #Add Path but remove simple dot in PATH

linPEAS/builder/src/linpeasBuilder.py

@@ -115,7 +115,7 @@ class LinpeasBuilder:
             suidVB, sudoVB, capsVB = self.__get_gtfobins_lists()
             assert len(suidVB) > 185, f"Len suidVB is {len(suidVB)}"
             assert len(sudoVB) > 250, f"Len sudo is {len(sudoVB)}"
-            assert len(capsVB) > 10, f"Len suidVB is {len(capsVB)}"
+            assert len(capsVB) > 2, f"Len capsVB is {len(capsVB)}"
 
             self.__replace_mark(SUIDVB1_MARKUP, suidVB[:int(len(suidVB)/2)], "|")
             self.__replace_mark(SUIDVB2_MARKUP, suidVB[int(len(suidVB)/2):], "|")
@@ -348,8 +348,25 @@ class LinpeasBuilder:
         return bin_b64
     
     def __get_gtfobins_lists(self) -> tuple:
-        r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins")
-        bins = re.findall(r'_gtfobins/([a-zA-Z0-9_ \-]+).md', r.text)
+        bins = []
+        api_url = "https://api.github.com/repos/GTFOBins/GTFOBins.github.io/contents/_gtfobins?per_page=100"
+        while api_url:
+            r = requests.get(api_url, timeout=10)
+            if not r.ok:
+                break
+            data = r.json()
+            for entry in data:
+                if entry.get("type") == "file" and entry.get("name"):
+                    bins.append(entry["name"])
+            api_url = None
+            link = r.headers.get("Link", "")
+            for part in link.split(","):
+                if 'rel="next"' in part:
+                    api_url = part.split(";")[0].strip().strip("<>")
+                    break
+        if not bins:
+            r = requests.get("https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins", timeout=10)
+            bins = re.findall(r'_gtfobins/([a-zA-Z0-9_ \-]+)(?:\\.md)?', r.text)
 
         sudoVB = []
         suidVB = []
@@ -357,12 +374,12 @@ class LinpeasBuilder:
 
         for b in bins:
             try:
-                rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=5)
+                rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}", timeout=5)
             except:
                 try:
-                    rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=5)
+                    rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}", timeout=5)
                 except:
-                    rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=5)
+                    rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}", timeout=5)
             if "sudo:" in rb.text:
                 if len(b) <= 3:
                     sudoVB.append("[^a-zA-Z0-9]"+b+"$") # Less false possitives applied to small names
@@ -388,7 +405,7 @@ class LinpeasBuilder:
                 name = entry["name"]
                 caseinsensitive = entry.get("caseinsensitive", False)
                 regex = entry["regex"]
-                regex = regex.replace('"', '\\"').strip()
+                regex = regex.replace("\\", "\\\\").replace('"', '\\"').strip()
                 falsePositives = entry.get("falsePositives", False)
 
                 if falsePositives:

linPEAS/builder/src/linpeasModule.py

@@ -8,6 +8,7 @@ from .yamlGlobals import (
 class LinpeasModule:
     def __init__(self, path):
         self.path = path
+        real_path = os.path.realpath(path)
         with open(path, 'r') as file:
             self.module_text = file.read()
         
@@ -29,7 +30,7 @@ class LinpeasModule:
         self.section_info = {}
         if not (self.is_base or self.is_function or self.is_variable):
             for module in LINPEAS_PARTS["modules"]:
-                if module["folder_path"] in path:
+                if os.path.realpath(module["folder_path"]) in real_path:
                     self.section_info = module
                     self.is_check = True
                     break

linPEAS/tests/test_builder.py

@@ -0,0 +1,40 @@
+import os
+import stat
+import subprocess
+import tempfile
+import unittest
+from pathlib import Path
+
+
+class LinpeasBuilderTests(unittest.TestCase):
+    def setUp(self):
+        self.repo_root = Path(__file__).resolve().parents[2]
+        self.linpeas_dir = self.repo_root / "linPEAS"
+
+    def _run_builder(self, args, output_path):
+        cmd = ["python3", "-m", "builder.linpeas_builder"] + args + ["--output", str(output_path)]
+        result = subprocess.run(cmd, cwd=str(self.linpeas_dir), capture_output=True, text=True)
+        if result.returncode != 0:
+            raise AssertionError(
+                f"linpeas_builder failed:\nstdout:\n{result.stdout}\nstderr:\n{result.stderr}"
+            )
+
+    def test_small_build_creates_executable(self):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            output_path = Path(tmpdir) / "linpeas_small.sh"
+            self._run_builder(["--small"], output_path)
+            self.assertTrue(output_path.exists(), "linpeas_small.sh was not created.")
+            mode = output_path.stat().st_mode
+            self.assertTrue(mode & stat.S_IXUSR, "linpeas_small.sh is not executable.")
+
+    def test_include_exclude_modules(self):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            output_path = Path(tmpdir) / "linpeas_include.sh"
+            self._run_builder(["--include", "system_information,container", "--exclude", "container"], output_path)
+            content = output_path.read_text(encoding="utf-8", errors="ignore")
+            self.assertIn("Operative system", content)
+            self.assertNotIn("Am I Containered?", content)
+
+
+if __name__ == "__main__":
+    unittest.main()

linPEAS/tests/test_modules_metadata.py

@@ -0,0 +1,60 @@
+import re
+import sys
+import unittest
+from pathlib import Path
+
+
+class LinpeasModulesMetadataTests(unittest.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls.repo_root = Path(__file__).resolve().parents[2]
+        cls.linpeas_dir = cls.repo_root / "linPEAS"
+        cls.parts_dir = cls.linpeas_dir / "builder" / "linpeas_parts"
+
+        # Ensure `import builder.*` works when tests are run from repo root.
+        sys.path.insert(0, str(cls.linpeas_dir))
+
+        from builder.src.linpeasModule import LinpeasModule  # pylint: disable=import-error
+
+        cls.LinpeasModule = LinpeasModule
+
+    def _iter_module_files(self):
+        return sorted(self.parts_dir.rglob("*.sh"))
+
+    def test_all_modules_parse(self):
+        module_files = self._iter_module_files()
+        self.assertGreater(len(module_files), 0, "No linPEAS module files were found.")
+
+        # Parsing a module validates its metadata and dependencies.
+        for path in module_files:
+            _ = self.LinpeasModule(str(path))
+
+    def test_check_module_id_matches_filename(self):
+        for path in self._iter_module_files():
+            module = self.LinpeasModule(str(path))
+            if not getattr(module, "is_check", False):
+                continue
+
+            # For checks, the filename (without numeric prefix) must match the module ID
+            # (either full ID or stripping section prefix like `SI_`).
+            file_base = re.sub(r"^[0-9]+_", "", path.stem)
+            module_id = getattr(module, "id", "")
+            module_id_tail = module_id[3:] if len(module_id) >= 3 else ""
+            self.assertIn(
+                file_base,
+                {module_id, module_id_tail},
+                f"Module ID mismatch in {path}: id={module_id} expected suffix={file_base}",
+            )
+
+    def test_module_ids_are_unique(self):
+        ids = []
+        for path in self._iter_module_files():
+            module = self.LinpeasModule(str(path))
+            ids.append(getattr(module, "id", ""))
+
+        duplicates = {x for x in ids if x and ids.count(x) > 1}
+        self.assertEqual(set(), duplicates, f"Duplicate module IDs found: {sorted(duplicates)}")
+
+
+if __name__ == "__main__":
+    unittest.main()

parsers/peas2json.py

@@ -127,7 +127,9 @@ def parse_line(line: str):
 
     elif is_section(line, INFO_PATTERN):
         title = parse_title(line)
-        C_SECTION["infos"].append(title)
+        if C_SECTION == {}:
+            return
+        C_SECTION.setdefault("infos", []).append(title)
     
     #If here, then it's text
     else:

winPEAS/winPEASbat/winPEAS.bat

@@ -71,7 +71,7 @@ CALL :T_Progress 2
 :ListHotFixes
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    wmic qfe get Caption,Description,HotFixID,InstalledOn | more
+    wmic qfe get Caption,Description,HotFixID,InstalledOn
 ) else (
     powershell -command "Get-HotFix | Format-Table -AutoSize"
 )
@@ -204,7 +204,7 @@ CALL :T_Progress 1
 CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)"
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
+    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
 ) else (
     powershell -command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
 ) 
@@ -238,7 +238,7 @@ CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS"
 ECHO.   [i] Maybe you find something interesting
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    wmic logicaldisk get caption | more
+    wmic logicaldisk get caption
 ) else (
     fsutil fsinfo drives
 )
@@ -670,7 +670,7 @@ if "%long%" == "true" (
 	ECHO.
 	where wmic >nul 2>&1
 	if !errorlevel! equ 0 (
-		for /f %%x in ('wmic logicaldisk get name ^| more') do (
+		for /f %%x in ('wmic logicaldisk get name') do (
 			set tdrive=%%x
 			if "!tdrive:~1,2!" == ":" (
 				%%x

winPEAS/winPEASexe/CMakeLists.txt

@@ -0,0 +1,26 @@
+cmake_minimum_required(VERSION 3.16)
+project(winPEAS_dotnet NONE)
+
+set(PROJECT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/winPEAS.csproj")
+
+find_program(DOTNET_EXECUTABLE dotnet)
+find_program(MSBUILD_EXECUTABLE msbuild)
+find_program(XBUILD_EXECUTABLE xbuild)
+
+if(DOTNET_EXECUTABLE)
+  set(BUILD_TOOL "${DOTNET_EXECUTABLE}")
+  set(BUILD_ARGS build "${PROJECT_FILE}" -c Release)
+elseif(MSBUILD_EXECUTABLE)
+  set(BUILD_TOOL "${MSBUILD_EXECUTABLE}")
+  set(BUILD_ARGS "${PROJECT_FILE}" /p:Configuration=Release)
+elseif(XBUILD_EXECUTABLE)
+  set(BUILD_TOOL "${XBUILD_EXECUTABLE}")
+  set(BUILD_ARGS "${PROJECT_FILE}" /p:Configuration=Release)
+else()
+  message(FATAL_ERROR "dotnet, msbuild, or xbuild is required to build winPEAS")
+endif()
+
+add_custom_target(winpeas ALL
+  COMMAND ${BUILD_TOOL} ${BUILD_ARGS}
+  WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+)

winPEAS/winPEASexe/README.md

@@ -77,19 +77,12 @@ The goal of this project is to search for possible **Privilege Escalation Paths*
 New in this version:
 - Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.
 
+- Flag installed OEM utilities such as ASUS DriverHub, MSI Center, Acer Control Centre and Razer Synapse 4, highlighting writable updater folders and world-accessible pipes tied to recent CVEs.
 
 It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
 
 The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
 
-### New (AD-aware) checks
-
-- Active Directory quick checks now include:
-  - gMSA readable managed passwords: enumerate msDS-GroupManagedServiceAccount objects and report those where the current user/group is allowed to retrieve the managed password (PrincipalsAllowedToRetrieveManagedPassword).
-  - AD CS (ESC4) hygiene: enumerate published certificate templates and highlight templates where the current user/group has dangerous control rights (GenericAll/WriteDacl/WriteOwner/WriteProperty/ExtendedRight) that could allow template abuse (e.g., ESC4 -> ESC1).
-
-These checks are lightweight, read-only, and only run when the host is domain-joined.
-
 
 ## Where are my COLORS?!?!?!
 
@@ -135,7 +128,7 @@ Once you have installed and activated it you need to:
 
 - **System Information**
   - [x] Basic System info information
-  - [x] Use Watson to search for vulnerabilities
+  - [x] Use WES-NG to search for vulnerabilities
   - [x] Enumerate Microsoft updates
   - [x] PS, Audit, WEF and LAPS Settings
   - [x] LSA protection
@@ -153,6 +146,7 @@ Once you have installed and activated it you need to:
   - [x] Applocker Configuration & bypass suggestions
   - [x] Printers
   - [x] Named Pipes
+  - [x] Named Pipe ACL abuse candidates
   - [x] AMSI Providers
   - [x] SysMon
   - [x] .NET Versions
@@ -217,7 +211,7 @@ Once you have installed and activated it you need to:
   - [x] SCCM
   - [x] Security Package Credentials
   - [x] AlwaysInstallElevated
-  - [x] WSUS
+  - [x] WSUS (HTTP downgrade + CVE-2025-59287 exposure)
 
 - **Browser Information**
   - [x] Firefox DBs
@@ -268,7 +262,7 @@ Once you have installed and activated it you need to:
 
 ## TODO
 - Add more checks
-- Mantain updated Watson (last JAN 2021)
+- Maintain updated WES-NG
 
 If you want to help with any of this, you can do it using **[github issues](https://github.com/peass-ng/PEASS-ng/issues)** or you can submit a pull request.
 

winPEAS/winPEASexe/Tests/ArgumentParsingTests.cs

@@ -0,0 +1,36 @@
+using System;
+using System.Reflection;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace winPEAS.Tests
+{
+    [TestClass]
+    public class ArgumentParsingTests
+    {
+        private static bool InvokeIsNetworkTypeValid(string arg)
+        {
+            var method = typeof(winPEAS.Checks.Checks).GetMethod("IsNetworkTypeValid", BindingFlags.NonPublic | BindingFlags.Static);
+            Assert.IsNotNull(method, "IsNetworkTypeValid method not found.");
+            return (bool)method.Invoke(null, new object[] { arg });
+        }
+
+        [TestMethod]
+        public void ShouldAcceptValidNetworkTypes()
+        {
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=auto"));
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10"));
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10/24"));
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10,10.10.10.20"));
+        }
+
+        [TestMethod]
+        public void ShouldRejectInvalidNetworkTypes()
+        {
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network="));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=10.10.10.999"));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=10.10.10.10/64"));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=999.999.999.999/24"));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=not-an-ip"));
+        }
+    }
+}

winPEAS/winPEASexe/Tests/ChecksArgumentEdgeCasesTests.cs

@@ -0,0 +1,37 @@
+using System;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace winPEAS.Tests
+{
+    [TestClass]
+    public class ChecksArgumentEdgeCasesTests
+    {
+        [TestMethod]
+        public void ShouldNotThrowOnEmptyLogFileArg()
+        {
+            // Should return early with a user-friendly error, not crash.
+            Program.Main(new[] { "log=" });
+        }
+
+        [TestMethod]
+        public void ShouldNotThrowOnPortsWithoutNetwork()
+        {
+            // Should warn and return early because -network was not provided.
+            Program.Main(new[] { "-ports=80,443" });
+        }
+
+        [TestMethod]
+        public void ShouldNotThrowOnInvalidNetworkArgument()
+        {
+            // Should warn and return early because the IP is invalid.
+            Program.Main(new[] { "-network=10.10.10.999" });
+        }
+
+        [TestMethod]
+        public void ShouldNotThrowOnEmptyNetworkArgument()
+        {
+            // Should warn and return early because the value is empty.
+            Program.Main(new[] { "-network=" });
+        }
+    }
+}

winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj

@@ -61,9 +61,11 @@
     </Reference>
     <Reference Include="Microsoft.VisualStudio.TestPlatform.TestFramework, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\MSTest.TestFramework.2.2.5\lib\net45\Microsoft.VisualStudio.TestPlatform.TestFramework.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\MSTest.TestFramework.2.2.5\lib\net45\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="System" />
     <Reference Include="System.ComponentModel.Composition" />
@@ -95,6 +97,7 @@
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="ArgumentParsingTests.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="SmokeTests.cs" />
   </ItemGroup>
@@ -108,6 +111,40 @@
       <Name>winPEAS</Name>
     </ProjectReference>
   </ItemGroup>
+
+  <Target Name="CopyVSTestFrameworkToMSTestAdapter" AfterTargets="Build">
+    <PropertyGroup>
+      <_PackagesDir>$(MSBuildThisFileDirectory)..\packages\</_PackagesDir>
+      <_MSTestFrameworkDir>$(_PackagesDir)MSTest.TestFramework.2.2.5\lib\net45\</_MSTestFrameworkDir>
+    </PropertyGroup>
+
+    <ItemGroup Condition="Exists('$(_MSTestFrameworkDir)')">
+      <_VSTestFrameworkDlls Include="$(_MSTestFrameworkDir)Microsoft.VisualStudio.TestPlatform.TestFramework*.dll" />
+    </ItemGroup>
+
+    <ItemGroup>
+      <_VSTestCopyDirs Include="$(TargetDir)" Condition="'$(TargetDir)' != '' AND Exists('$(TargetDir)')" />
+      <_MSTestAdapterDirs Include="$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\net45\" Condition="Exists('$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\net45\')" />
+      <_MSTestAdapterDirs Include="$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\_common\" Condition="Exists('$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\_common\')" />
+    </ItemGroup>
+
+    <Message
+      Condition="@(_VSTestFrameworkDlls) != ''"
+      Importance="high"
+      Text="CopyVSTestFrameworkToMSTestAdapter: copying @( _VSTestFrameworkDlls )" />
+
+    <Copy
+      Condition="@(_VSTestFrameworkDlls) != '' AND @(_VSTestCopyDirs) != ''"
+      SourceFiles="@(_VSTestFrameworkDlls)"
+      DestinationFolder="%(_VSTestCopyDirs.Identity)"
+      SkipUnchangedFiles="true" />
+
+    <Copy
+      Condition="@(_VSTestFrameworkDlls) != '' AND @(_MSTestAdapterDirs) != ''"
+      SourceFiles="@(_VSTestFrameworkDlls)"
+      DestinationFolder="%(_MSTestAdapterDirs.Identity)"
+      SkipUnchangedFiles="true" />
+  </Target>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
     <PropertyGroup>
@@ -133,4 +170,4 @@
   <Import Project="..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets" Condition="Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" />
   <Import Project="..\packages\Fody.6.5.5\build\Fody.targets" Condition="Exists('..\packages\Fody.6.5.5\build\Fody.targets')" />
   <Import Project="..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets" Condition="Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets')" />
-</Project>
+</Project>

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

@@ -88,11 +88,13 @@ namespace winPEAS.Checks
                 new SystemCheck("userinfo", new UserInfo()),
                 new SystemCheck("processinfo", new ProcessInfo()),
                 new SystemCheck("servicesinfo", new ServicesInfo()),
+                new SystemCheck("soapclientinfo", new SoapClientInfo()),
                 new SystemCheck("applicationsinfo", new ApplicationsInfo()),
                 new SystemCheck("networkinfo", new NetworkInfo()),
                 new SystemCheck("activedirectoryinfo", new ActiveDirectoryInfo()),
                 new SystemCheck("cloudinfo", new CloudInfo()),
                 new SystemCheck("windowscreds", new WindowsCreds()),
+                new SystemCheck("registryinfo", new RegistryInfo()),
                 new SystemCheck("browserinfo", new BrowserInfo()),
                 new SystemCheck("filesinfo", new FilesInfo()),
                 new SystemCheck("fileanalysis", new FileAnalysis()),
@@ -354,7 +356,7 @@ namespace winPEAS.Checks
                 {
                     var rangeParts = networkType.Split('/');
 
-                    if (rangeParts.Length == 2 && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0)
+                    if (rangeParts.Length == 2 && IPAddress.TryParse(rangeParts[0], out _) && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0)
                     {
                         return true;
                     }

winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs

@@ -392,7 +392,7 @@ namespace winPEAS.Checks
 
                 foreach (string regHkcu in passRegHkcu)
                 {
-                    Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHkcu), false);
+                    Beaprint.DictPrint(RegistryHelper.GetRegValues("HKCU", regHkcu), false);
                 }
 
                 foreach (string regHklm in passRegHklm)
@@ -524,7 +524,7 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Looking for documents --limit 100--");
                 List<string> docFiles = InterestingFiles.InterestingFiles.ListUsersDocs();
-                Beaprint.ListPrint(docFiles.GetRange(0, docFiles.Count <= 100 ? docFiles.Count : 100));
+                Beaprint.ListPrint(MyUtils.GetLimitedRange(docFiles, 100));
             }
             catch (Exception ex)
             {
@@ -546,7 +546,7 @@ namespace winPEAS.Checks
 
                 if (recFiles.Count != 0)
                 {
-                    foreach (Dictionary<string, string> recF in recFiles.GetRange(0, recFiles.Count <= 70 ? recFiles.Count : 70))
+                    foreach (Dictionary<string, string> recF in MyUtils.GetLimitedRange(recFiles, 70))
                     {
                         Beaprint.AnsiPrint("    " + recF["Target"] + "(" + recF["Accessed"] + ")", colorF);
                     }

winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs

@@ -348,8 +348,7 @@ namespace winPEAS.Checks
                 Beaprint.MainPrint("DNS cached --limit 70--");
                 Beaprint.GrayPrint(string.Format("    {0,-38}{1,-38}{2}", "Entry", "Name", "Data"));
                 List<Dictionary<string, string>> DNScache = NetworkInfoHelper.GetDNSCache();
-                foreach (Dictionary<string, string> entry in DNScache.GetRange(0,
-                    DNScache.Count <= 70 ? DNScache.Count : 70))
+                foreach (Dictionary<string, string> entry in MyUtils.GetLimitedRange(DNScache, 70))
                 {
                     Console.WriteLine($"    {entry["Entry"],-38}{entry["Name"],-38}{entry["Data"]}");
                 }

winPEAS/winPEASexe/winPEAS/Checks/RegistryInfo.cs

@@ -0,0 +1,141 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using winPEAS.Helpers;
+using winPEAS.Helpers.Registry;
+
+namespace winPEAS.Checks
+{
+    internal class RegistryInfo : ISystemCheck
+    {
+        private const string TypingInsightsRelativePath = @"Software\Microsoft\Input\TypingInsights";
+
+        private static readonly string[] KnownWritableSystemKeyCandidates = new[]
+        {
+            @"SOFTWARE\Microsoft\CoreShell",
+            @"SOFTWARE\Microsoft\DRM",
+            @"SOFTWARE\Microsoft\Input\Locales",
+            @"SOFTWARE\Microsoft\Input\Settings",
+            @"SOFTWARE\Microsoft\Shell\Oobe",
+            @"SOFTWARE\Microsoft\Shell\Session",
+            @"SOFTWARE\Microsoft\Tracing",
+            @"SOFTWARE\Microsoft\Windows\UpdateApi",
+            @"SOFTWARE\Microsoft\WindowsUpdate\UX",
+            @"SOFTWARE\WOW6432Node\Microsoft\DRM",
+            @"SOFTWARE\WOW6432Node\Microsoft\Tracing",
+            @"SYSTEM\Software\Microsoft\TIP",
+            @"SYSTEM\ControlSet001\Control\Cryptography\WebSignIn\Navigation",
+            @"SYSTEM\ControlSet001\Control\MUI\StringCacheSettings",
+            @"SYSTEM\ControlSet001\Control\USB\AutomaticSurpriseRemoval",
+            @"SYSTEM\ControlSet001\Services\BTAGService\Parameters\Settings",
+        };
+
+        private static readonly string[] ScanBasePaths = new[]
+        {
+            @"SOFTWARE\Microsoft",
+            @"SOFTWARE\WOW6432Node\Microsoft",
+            @"SYSTEM\CurrentControlSet\Services",
+            @"SYSTEM\CurrentControlSet\Control",
+            @"SYSTEM\ControlSet001\Control",
+        };
+
+        public void PrintInfo(bool isDebug)
+        {
+            Beaprint.GreatPrint("Registry permissions for hive exploitation");
+
+            new List<Action>
+            {
+                PrintTypingInsightsPermissions,
+                PrintKnownSystemWritableKeys,
+                PrintHeuristicWritableKeys,
+            }.ForEach(action => CheckRunner.Run(action, isDebug));
+        }
+
+        private void PrintTypingInsightsPermissions()
+        {
+            Beaprint.MainPrint("Cross-user TypingInsights key (HKCU/HKU)");
+
+            var matches = new List<RegistryWritableKeyInfo>();
+            var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+            if (RegistryAclScanner.TryGetWritableKey("HKCU", TypingInsightsRelativePath, out var currentUserKey))
+            {
+                if (seen.Add(currentUserKey.FullPath))
+                {
+                    matches.Add(currentUserKey);
+                }
+            }
+
+            foreach (var sid in RegistryHelper.GetUserSIDs())
+            {
+                if (string.IsNullOrEmpty(sid) || sid.Equals(".DEFAULT", StringComparison.OrdinalIgnoreCase) || sid.EndsWith("_Classes", StringComparison.OrdinalIgnoreCase))
+                {
+                    continue;
+                }
+
+                string relativePath = $"{sid}\\{TypingInsightsRelativePath}";
+                if (RegistryAclScanner.TryGetWritableKey("HKU", relativePath, out var info) && seen.Add(info.FullPath))
+                {
+                    matches.Add(info);
+                }
+            }
+
+            if (matches.Count == 0)
+            {
+                Beaprint.GrayPrint("  [-] TypingInsights key does not grant write access to low-privileged groups.");
+                return;
+            }
+
+            PrintEntries(matches);
+            Beaprint.LinkPrint("https://projectzero.google/2025/05/the-windows-registry-adventure-8-exploitation.html", "Writable TypingInsights enables cross-user hive tampering and DoS.");
+        }
+
+        private void PrintKnownSystemWritableKeys()
+        {
+            Beaprint.MainPrint("Known HKLM descendants writable by standard users");
+
+            var matches = new List<RegistryWritableKeyInfo>();
+            foreach (var path in KnownWritableSystemKeyCandidates)
+            {
+                if (RegistryAclScanner.TryGetWritableKey("HKLM", path, out var info))
+                {
+                    matches.Add(info);
+                }
+            }
+
+            if (matches.Count == 0)
+            {
+                Beaprint.GrayPrint("  [-] None of the tracked HKLM keys are writable by low-privileged groups.");
+                return;
+            }
+
+            PrintEntries(matches);
+        }
+
+        private void PrintHeuristicWritableKeys()
+        {
+            Beaprint.MainPrint("Sample of additional writable HKLM keys (depth-limited scan)");
+
+            var matches = RegistryAclScanner.ScanWritableKeys("HKLM", ScanBasePaths, maxDepth: 3, maxResults: 25);
+            if (matches.Count == 0)
+            {
+                Beaprint.GrayPrint("  [-] No additional writable HKLM keys were found within the sampled paths.");
+                return;
+            }
+
+            PrintEntries(matches);
+            Beaprint.GrayPrint("  [*] Showing up to 25 entries from the sampled paths to avoid noisy output.");
+        }
+
+        private static void PrintEntries(IEnumerable<RegistryWritableKeyInfo> entries)
+        {
+            foreach (var entry in entries)
+            {
+                var principals = string.Join(", ", entry.Principals);
+                var rights = entry.Rights.Count > 0 ? string.Join(", ", entry.Rights.Distinct(StringComparer.OrdinalIgnoreCase)) : "Write access";
+                var displayPath = string.IsNullOrEmpty(entry.FullPath) ? $"{entry.Hive}\\{entry.RelativePath}" : entry.FullPath;
+                Beaprint.BadPrint($"  [!] {displayPath} -> {principals} ({rights})");
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs

@@ -1,7 +1,9 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using winPEAS.Helpers;
+using winPEAS.Helpers.Registry;
 using winPEAS.Info.ServicesInfo;
 
 namespace winPEAS.Checks
@@ -34,6 +36,9 @@ namespace winPEAS.Checks
                 PrintModifiableServices,
                 PrintWritableRegServices,
                 PrintPathDllHijacking,
+                PrintOemPrivilegedUtilities,
+                PrintLegacySignedKernelDrivers,
+                PrintKernelQuickIndicators,
             }.ForEach(action => CheckRunner.Run(action, isDebug));
         }
 
@@ -206,5 +211,190 @@ namespace winPEAS.Checks
             }
         }
 
+        void PrintOemPrivilegedUtilities()
+        {
+            try
+            {
+                Beaprint.MainPrint("OEM privileged utilities & risky components");
+                var findings = OemSoftwareHelper.GetPotentiallyVulnerableComponents(Checks.CurrentUserSiDs);
+
+                if (findings.Count == 0)
+                {
+                    Beaprint.GoodPrint("    None of the supported OEM utilities were detected.");
+                    return;
+                }
+
+                foreach (var finding in findings)
+                {
+                    bool hasCves = finding.Cves != null && finding.Cves.Length > 0;
+                    string cveSuffix = hasCves ? $" ({string.Join(", ", finding.Cves)})" : string.Empty;
+                    Beaprint.BadPrint($"  {finding.Name}{cveSuffix}");
+
+                    if (!string.IsNullOrWhiteSpace(finding.Description))
+                    {
+                        Beaprint.GrayPrint($"      {finding.Description}");
+                    }
+
+                    foreach (var evidence in finding.Evidence)
+                    {
+                        string message = $"      - {evidence.Message}";
+                        if (evidence.Highlight)
+                        {
+                            Beaprint.BadPrint(message);
+                        }
+                        else
+                        {
+                            Beaprint.GrayPrint(message);
+                        }
+                    }
+
+                    Beaprint.PrintLineSeparator();
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
+        void PrintLegacySignedKernelDrivers()
+        {
+            try
+            {
+                Beaprint.MainPrint("Kernel drivers with weak/legacy signatures");
+                Beaprint.LinkPrint("https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/",
+                    "Legacy cross-signed drivers (pre-July-2015) can still grant kernel execution on modern Windows");
+
+                List<ServicesInfoHelper.KernelDriverInfo> drivers = ServicesInfoHelper.GetKernelDriverInfos();
+                if (drivers.Count == 0)
+                {
+                    Beaprint.InfoPrint("  Unable to enumerate kernel services");
+                    return;
+                }
+
+                var suspiciousDrivers = drivers.Where(d => d.Signature != null && (!d.Signature.IsSigned || d.Signature.IsLegacyExpired))
+                                               .OrderBy(d => d.Name)
+                                               .ToList();
+
+                if (suspiciousDrivers.Count == 0)
+                {
+                    Beaprint.InfoPrint("  No unsigned or legacy-signed kernel drivers detected");
+                    return;
+                }
+
+                foreach (var driver in suspiciousDrivers)
+                {
+                    var signature = driver.Signature ?? new ServicesInfoHelper.KernelDriverSignatureInfo();
+                    List<string> reasons = new List<string>();
+
+                    if (!signature.IsSigned)
+                    {
+                        reasons.Add("unsigned or signature missing");
+                    }
+                    else if (signature.IsLegacyExpired)
+                    {
+                        reasons.Add("signed with certificate that expired before 29-Jul-2015 (legacy exception)");
+                    }
+
+                    if (!string.IsNullOrEmpty(driver.StartMode) &&
+                        (driver.StartMode.Equals("System", StringComparison.OrdinalIgnoreCase) ||
+                         driver.StartMode.Equals("Boot", StringComparison.OrdinalIgnoreCase)))
+                    {
+                        reasons.Add($"loads at early boot (Start={driver.StartMode})");
+                    }
+
+                    if (string.Equals(driver.Name, "kernelquick", StringComparison.OrdinalIgnoreCase))
+                    {
+                        reasons.Add("service name matches ValleyRAT rootkit loader");
+                    }
+
+                    string reason = reasons.Count > 0 ? string.Join("; ", reasons) : "Potentially risky driver";
+                    string signatureLine = signature.IsSigned
+                        ? $"Subject: {signature.Subject}; Issuer: {signature.Issuer}; Valid: {FormatDate(signature.NotBefore)} - {FormatDate(signature.NotAfter)}"
+                        : $"Signature issue: {signature.Error ?? "Unsigned"}";
+
+                    Beaprint.BadPrint($"  {driver.Name} ({driver.DisplayName})");
+                    Beaprint.NoColorPrint($"      Path       : {driver.PathName}");
+                    Beaprint.NoColorPrint($"      Start/State: {driver.StartMode}/{driver.State}");
+                    Beaprint.NoColorPrint($"      Reason     : {reason}");
+                    Beaprint.NoColorPrint($"      Signature  : {signatureLine}");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
+        void PrintKernelQuickIndicators()
+        {
+            try
+            {
+                Beaprint.MainPrint("KernelQuick / ValleyRAT rootkit indicators");
+
+                bool found = false;
+
+                Dictionary<string, object> serviceValues = RegistryHelper.GetRegValues("HKLM", @"SYSTEM\\CurrentControlSet\\Services\\kernelquick");
+                if (serviceValues != null)
+                {
+                    found = true;
+                    string imagePath = serviceValues.ContainsKey("ImagePath") ? serviceValues["ImagePath"].ToString() : "Unknown";
+                    string start = serviceValues.ContainsKey("Start") ? serviceValues["Start"].ToString() : "Unknown";
+                    Beaprint.BadPrint("  Service HKLM\\SYSTEM\\CurrentControlSet\\Services\\kernelquick present");
+                    Beaprint.NoColorPrint($"      ImagePath : {imagePath}");
+                    Beaprint.NoColorPrint($"      Start     : {start}");
+                }
+
+                foreach (var path in new[] { @"SOFTWARE\\KernelQuick", @"SOFTWARE\\WOW6432Node\\KernelQuick", @"SYSTEM\\CurrentControlSet\\Services\\kernelquick" })
+                {
+                    Dictionary<string, object> values = RegistryHelper.GetRegValues("HKLM", path);
+                    if (values == null)
+                        continue;
+
+                    var kernelQuickValues = values.Where(k => k.Key.StartsWith("KernelQuick_", StringComparison.OrdinalIgnoreCase)).ToList();
+                    if (kernelQuickValues.Count == 0)
+                        continue;
+
+                    found = true;
+                    Beaprint.BadPrint($"  Registry values under HKLM\\{path}");
+                    foreach (var kv in kernelQuickValues)
+                    {
+                        string displayValue = kv.Value is byte[] bytes ? $"(binary) {bytes.Length} bytes" : string.Format("{0}", kv.Value);
+                        Beaprint.NoColorPrint($"      {kv.Key} = {displayValue}");
+                    }
+                }
+
+                Dictionary<string, object> ipdatesValues = RegistryHelper.GetRegValues("HKLM", @"SOFTWARE\\IpDates");
+                if (ipdatesValues != null)
+                {
+                    found = true;
+                    Beaprint.BadPrint("  Possible kernel shellcode staging key HKLM\\SOFTWARE\\IpDates");
+                    foreach (var kv in ipdatesValues)
+                    {
+                        string displayValue = kv.Value is byte[] bytes ? $"(binary) {bytes.Length} bytes" : string.Format("{0}", kv.Value);
+                        Beaprint.NoColorPrint($"      {kv.Key} = {displayValue}");
+                    }
+                }
+
+                if (!found)
+                {
+                    Beaprint.InfoPrint("  No KernelQuick-specific registry indicators were found");
+                }
+                else
+                {
+                    Beaprint.LinkPrint("https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/",
+                        "KernelQuick_* values and HKLM\\SOFTWARE\\IpDates are used by the ValleyRAT rootkit to hide files and stage APC payloads");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
+        private string FormatDate(DateTime? dateTime)
+        {
+            return dateTime.HasValue ? dateTime.Value.ToString("yyyy-MM-dd HH:mm") : "n/a";
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/Checks/SoapClientInfo.cs

@@ -0,0 +1,88 @@
+using System;
+using System.Collections.Generic;
+using winPEAS.Helpers;
+using winPEAS.Info.ApplicationInfo;
+
+namespace winPEAS.Checks
+{
+    internal class SoapClientInfo : ISystemCheck
+    {
+        public void PrintInfo(bool isDebug)
+        {
+            Beaprint.GreatPrint(".NET SOAP Client Proxies (SOAPwn)");
+
+            CheckRunner.Run(PrintSoapClientFindings, isDebug);
+        }
+
+        private static void PrintSoapClientFindings()
+        {
+            try
+            {
+                Beaprint.MainPrint("Potential SOAPwn / HttpWebClientProtocol abuse surfaces");
+                Beaprint.LinkPrint(
+                    "https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/",
+                    "Look for .NET services that let attackers control SoapHttpClientProtocol URLs or WSDL imports to coerce NTLM or drop files.");
+
+                List<SoapClientProxyFinding> findings = SoapClientProxyAnalyzer.CollectFindings();
+                if (findings.Count == 0)
+                {
+                    Beaprint.NotFoundPrint();
+                    return;
+                }
+
+                foreach (SoapClientProxyFinding finding in findings)
+                {
+                    string severity = finding.BinaryIndicators.Contains("ServiceDescriptionImporter")
+                        ? "Dynamic WSDL import"
+                        : "SOAP proxy usage";
+
+                    Beaprint.BadPrint($"    [{severity}] {finding.BinaryPath}");
+
+                    foreach (SoapClientProxyInstance instance in finding.Instances)
+                    {
+                        string instanceInfo = $"        -> {instance.SourceType}: {instance.Name}";
+                        if (!string.IsNullOrEmpty(instance.Account))
+                        {
+                            instanceInfo += $" ({instance.Account})";
+                        }
+                        if (!string.IsNullOrEmpty(instance.Extra))
+                        {
+                            instanceInfo += $" | {instance.Extra}";
+                        }
+
+                        Beaprint.GrayPrint(instanceInfo);
+                    }
+
+                    if (finding.BinaryIndicators.Count > 0)
+                    {
+                        Beaprint.BadPrint("        Binary indicators: " + string.Join(", ", finding.BinaryIndicators));
+                    }
+
+                    if (finding.ConfigIndicators.Count > 0)
+                    {
+                        string configLabel = string.IsNullOrEmpty(finding.ConfigPath)
+                            ? "Config indicators"
+                            : $"Config indicators ({finding.ConfigPath})";
+                        Beaprint.BadPrint("        " + configLabel + ": " + string.Join(", ", finding.ConfigIndicators));
+                    }
+
+                    if (finding.BinaryScanFailed)
+                    {
+                        Beaprint.GrayPrint("        (Binary scan skipped due to access/size limits)");
+                    }
+
+                    if (finding.ConfigScanFailed)
+                    {
+                        Beaprint.GrayPrint("        (Unable to read config file)");
+                    }
+
+                    Beaprint.PrintLineSeparator();
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using System.Management;
 using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Text.RegularExpressions;
@@ -81,13 +82,16 @@ namespace winPEAS.Checks
                 PrintKrbRelayUp,
                 PrintInsideContainer,
                 PrintAlwaysInstallElevated,
+                PrintObjectManagerRaceAmplification,
                 PrintLSAInfo,
                 PrintNtlmSettings,
                 PrintLocalGroupPolicy,
                 PrintPotentialGPOAbuse,
                 AppLockerHelper.PrintAppLockerPolicy,
+                PrintPrintNightmarePointAndPrint,
                 PrintPrintersWMIInfo,
                 PrintNamedPipes,
+                PrintNamedPipeAbuseCandidates,
                 PrintAMSIProviders,
                 PrintSysmon,
                 PrintDotNetVersions
@@ -561,27 +565,66 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Checking WSUS");
                 Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus");
-                string path = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
-                string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
-                string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer");
-                string using_HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path2, "UseWUServer");
-                if (HKLM_WSUS.Contains("http://"))
+                string policyPath = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
+                string policyAUPath = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
+                string wsusPolicyValue = RegistryHelper.GetRegValue("HKLM", policyPath, "WUServer");
+                string useWUServerValue = RegistryHelper.GetRegValue("HKLM", policyAUPath, "UseWUServer");
+
+                if (!string.IsNullOrEmpty(wsusPolicyValue) && wsusPolicyValue.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
                 {
-                    Beaprint.BadPrint("    WSUS is using http: " + HKLM_WSUS);
+                    Beaprint.BadPrint("    WSUS is using http: " + wsusPolicyValue);
                     Beaprint.InfoPrint("You can test https://github.com/pimps/wsuxploit to escalate privileges");
-                    if (using_HKLM_WSUS == "1")
+                    if (useWUServerValue == "1")
                         Beaprint.BadPrint("    And UseWUServer is equals to 1, so it is vulnerable!");
-                    else if (using_HKLM_WSUS == "0")
+                    else if (useWUServerValue == "0")
                         Beaprint.GoodPrint("    But UseWUServer is equals to 0, so it is not vulnerable!");
                     else
-                        Console.WriteLine("    But UseWUServer is equals to " + using_HKLM_WSUS + ", so it may work or not");
+                        Console.WriteLine("    But UseWUServer is equals to " + useWUServerValue + ", so it may work or not");
                 }
                 else
                 {
-                    if (string.IsNullOrEmpty(HKLM_WSUS))
+                    if (string.IsNullOrEmpty(wsusPolicyValue))
                         Beaprint.NotFoundPrint();
                     else
-                        Beaprint.GoodPrint("    WSUS value: " + HKLM_WSUS);
+                        Beaprint.GoodPrint("    WSUS value: " + wsusPolicyValue);
+                }
+
+                if (!string.IsNullOrEmpty(wsusPolicyValue))
+                {
+                    bool clientsForced = useWUServerValue == "1";
+                    if (clientsForced)
+                    {
+                        Beaprint.BadPrint("    CVE-2025-59287: Clients talk to WSUS at " + wsusPolicyValue + " (UseWUServer=1). Unpatched WSUS allows unauthenticated deserialization to SYSTEM.");
+                    }
+                    else
+                    {
+                        Beaprint.InfoPrint("    CVE-2025-59287: WSUS endpoint discovered at " + wsusPolicyValue + ". Confirm patch level before attempting exploitation.");
+                        if (!string.IsNullOrEmpty(useWUServerValue))
+                            Beaprint.InfoPrint("    UseWUServer is set to " + useWUServerValue + ", clients may still reach Microsoft Update.");
+                    }
+                }
+
+                string wsusSetupPath = @"SOFTWARE\Microsoft\Update Services\Server\Setup";
+                string wsusVersion = RegistryHelper.GetRegValue("HKLM", wsusSetupPath, "VersionString");
+                string wsusInstallPath = RegistryHelper.GetRegValue("HKLM", wsusSetupPath, "InstallPath");
+                bool wsusRoleDetected = !string.IsNullOrEmpty(wsusVersion) || !string.IsNullOrEmpty(wsusInstallPath);
+
+                if (TryGetServiceStateAndAccount("WSUSService", out string wsusServiceState, out string wsusServiceAccount))
+                {
+                    wsusRoleDetected = true;
+                    string serviceMsg = "    WSUSService status: " + wsusServiceState;
+                    if (!string.IsNullOrEmpty(wsusServiceAccount))
+                        serviceMsg += " (runs as " + wsusServiceAccount + ")";
+                    Beaprint.BadPrint(serviceMsg);
+                }
+
+                if (wsusRoleDetected)
+                {
+                    if (!string.IsNullOrEmpty(wsusVersion))
+                        Beaprint.BadPrint("    WSUS Server version: " + wsusVersion + " (verify patch level for CVE-2025-59287).");
+                    if (!string.IsNullOrEmpty(wsusInstallPath))
+                        Beaprint.InfoPrint("    WSUS install path: " + wsusInstallPath);
+                    Beaprint.BadPrint("    CVE-2025-59287: Local WSUS server exposes an unauthenticated deserialization surface reachable over HTTP(S). Patch or restrict access.");
                 }
             }
             catch (Exception ex)
@@ -590,6 +633,32 @@ namespace winPEAS.Checks
             }
         }
 
+        private static bool TryGetServiceStateAndAccount(string serviceName, out string state, out string account)
+        {
+            state = string.Empty;
+            account = string.Empty;
+
+            try
+            {
+                string query = $"SELECT Name, State, StartName FROM Win32_Service WHERE Name='{serviceName.Replace("'", "''")}'";
+                using (var searcher = new ManagementObjectSearcher(@"root\cimv2", query))
+                {
+                    foreach (ManagementObject service in searcher.Get())
+                    {
+                        state = service["State"]?.ToString() ?? string.Empty;
+                        account = service["StartName"]?.ToString() ?? string.Empty;
+                        return true;
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+
+            return false;
+        }
+
         static void PrintKrbRelayUp()
         {
             try
@@ -667,6 +736,31 @@ namespace winPEAS.Checks
             }
         }
 
+        static void PrintObjectManagerRaceAmplification()
+        {
+            try
+            {
+                Beaprint.MainPrint("Object Manager race-window amplification primitives");
+                Beaprint.LinkPrint("https://projectzero.google/2025/12/windows-exploitation-techniques.html", "Project Zero write-up:");
+
+                if (ObjectManagerHelper.TryCreateSessionEvent(out var objectName, out var error))
+                {
+                    Beaprint.BadPrint($"    Created a test named event ({objectName}) under \\BaseNamedObjects.");
+                    Beaprint.InfoPrint("    -> Low-privileged users can slow NtOpen*/NtCreate* lookups using ~32k-character names or ~16k-level directory chains.");
+                    Beaprint.InfoPrint("    -> Point attacker-controlled symbolic links to the slow path to stretch kernel race windows.");
+                    Beaprint.InfoPrint("    -> Use this whenever a bug follows check -> NtOpenX -> privileged action patterns.");
+                }
+                else
+                {
+                    Beaprint.InfoPrint($"    Could not create a test event under \\BaseNamedObjects ({error}). The namespace might be locked down.");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
         private static void PrintNtlmSettings()
         {
             Beaprint.MainPrint($"Enumerating NTLM Settings");
@@ -743,6 +837,39 @@ namespace winPEAS.Checks
             }
         }
 
+        private static void PrintPrintNightmarePointAndPrint()
+        {
+            Beaprint.MainPrint("PrintNightmare PointAndPrint Policies");
+            Beaprint.LinkPrint("https://itm4n.github.io/printnightmare-exploitation/", "Check PointAndPrint policy hardening");
+
+            try
+            {
+                string key = @"Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint";
+                var restrict = RegistryHelper.GetDwordValue("HKLM", key, "RestrictDriverInstallationToAdministrators");
+                var noWarn = RegistryHelper.GetDwordValue("HKLM", key, "NoWarningNoElevationOnInstall");
+                var updatePrompt = RegistryHelper.GetDwordValue("HKLM", key, "UpdatePromptSettings");
+
+                if (restrict == null && noWarn == null && updatePrompt == null)
+                {
+                    Beaprint.NotFoundPrint();
+                    return;
+                }
+
+                Beaprint.NoColorPrint($"      RestrictDriverInstallationToAdministrators: {restrict}\n" +
+                                      $"      NoWarningNoElevationOnInstall: {noWarn}\n" +
+                                      $"      UpdatePromptSettings: {updatePrompt}");
+
+                if (restrict == 0 && noWarn == 1 && updatePrompt == 2)
+                {
+                    Beaprint.BadPrint("      [!] Potentially vulnerable to PrintNightmare misconfiguration");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
         private static void PrintPrintersWMIInfo()
         {
             Beaprint.MainPrint("Enumerating Printers (WMI)");
@@ -791,6 +918,48 @@ namespace winPEAS.Checks
             }
         }
 
+
+        private static void PrintNamedPipeAbuseCandidates()
+        {
+            Beaprint.MainPrint("Named Pipes with Low-Priv Write Access to Privileged Servers");
+
+            try
+            {
+                var candidates = NamedPipeSecurityAnalyzer.GetNamedPipeAbuseCandidates().ToList();
+
+                if (!candidates.Any())
+                {
+                    Beaprint.NoColorPrint("      No risky named pipe ACLs were found.\n");
+                    return;
+                }
+
+                foreach (var candidate in candidates)
+                {
+                    var aclSummary = candidate.LowPrivilegeAces.Any()
+                        ? string.Join("; ", candidate.LowPrivilegeAces.Select(ace =>
+                            $"{ace.Principal} [{ace.RightsDescription}]").Where(s => !string.IsNullOrEmpty(s)))
+                        : "Unknown";
+
+                    var serverSummary = candidate.Processes.Any()
+                        ? string.Join("; ", candidate.Processes.Select(proc =>
+                            $"{proc.ProcessName} (PID {proc.Pid}, {proc.UserName ?? proc.UserSid})"))
+                        : "No privileged handles observed (service idle or access denied)";
+
+                    var color = candidate.HasPrivilegedServer ? Beaprint.ansi_color_bad : Beaprint.ansi_color_yellow;
+
+                    Beaprint.ColorPrint($"    \\\\.\\pipe\\{candidate.Name}", color);
+                    Beaprint.NoColorPrint($"      Low-priv ACLs  : {aclSummary}");
+                    Beaprint.NoColorPrint($"      Observed owners: {serverSummary}");
+                    Beaprint.NoColorPrint($"      SDDL           : {candidate.Sddl}");
+                    Beaprint.PrintLineSeparator();
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
         private void PrintAMSIProviders()
         {
             Beaprint.MainPrint("Enumerating AMSI registered providers");

winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs

@@ -156,15 +156,63 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("RDP Sessions");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/credentials-mgmt/rdp-sessions", "Disconnected high-privilege RDP sessions keep reusable tokens inside LSASS.");
                 List<Dictionary<string, string>> rdp_sessions = UserInfoHelper.GetRDPSessions();
                 if (rdp_sessions.Count > 0)
                 {
-                    string format = "    {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";
-                    string header = string.Format(format, "SessID", "pSessionName", "pUserName", "pDomainName", "State", "SourceIP");
+                    string format = "    {0,-8}{1,-15}{2,-20}{3,-22}{4,-15}{5,-18}{6,-10}";
+                    string header = string.Format(format, "SessID", "Session", "User", "Domain", "State", "SourceIP", "HighPriv");
                     Beaprint.GrayPrint(header);
+                    var colors = ColorsU();
+                    List<Dictionary<string, string>> flaggedSessions = new List<Dictionary<string, string>>();
                     foreach (Dictionary<string, string> rdpSes in rdp_sessions)
                     {
-                        Beaprint.AnsiPrint(string.Format(format, rdpSes["SessionID"], rdpSes["pSessionName"], rdpSes["pUserName"], rdpSes["pDomainName"], rdpSes["State"], rdpSes["SourceIP"]), ColorsU());
+                        rdpSes.TryGetValue("SessionID", out string sessionId);
+                        rdpSes.TryGetValue("pSessionName", out string sessionName);
+                        rdpSes.TryGetValue("pUserName", out string userName);
+                        rdpSes.TryGetValue("pDomainName", out string domainName);
+                        rdpSes.TryGetValue("State", out string state);
+                        rdpSes.TryGetValue("SourceIP", out string sourceIp);
+
+                        sessionId = sessionId ?? string.Empty;
+                        sessionName = sessionName ?? string.Empty;
+                        userName = userName ?? string.Empty;
+                        domainName = domainName ?? string.Empty;
+                        state = state ?? string.Empty;
+                        sourceIp = sourceIp ?? string.Empty;
+
+                        bool isHighPriv = UserInfoHelper.IsHighPrivilegeAccount(userName, domainName);
+                        string highPrivLabel = isHighPriv ? "Yes" : "No";
+                        rdpSes["HighPriv"] = highPrivLabel;
+
+                        if (isHighPriv && string.Equals(state, "Disconnected", StringComparison.OrdinalIgnoreCase))
+                        {
+                            flaggedSessions.Add(rdpSes);
+                        }
+
+                        Beaprint.AnsiPrint(string.Format(format, sessionId, sessionName, userName, domainName, state, sourceIp, highPrivLabel), colors);
+                    }
+
+                    if (flaggedSessions.Count > 0)
+                    {
+                        Beaprint.BadPrint("    [!] Disconnected high-privilege RDP sessions detected. Their credentials/tokens stay in LSASS until the user signs out.");
+                        foreach (Dictionary<string, string> session in flaggedSessions)
+                        {
+                            session.TryGetValue("pDomainName", out string flaggedDomain);
+                            session.TryGetValue("pUserName", out string flaggedUser);
+                            session.TryGetValue("SessionID", out string flaggedSessionId);
+                            session.TryGetValue("SourceIP", out string flaggedIp);
+
+                            flaggedDomain = flaggedDomain ?? string.Empty;
+                            flaggedUser = flaggedUser ?? string.Empty;
+                            flaggedSessionId = flaggedSessionId ?? string.Empty;
+                            flaggedIp = flaggedIp ?? string.Empty;
+
+                            string userDisplay = string.Format("{0}\\{1}", flaggedDomain, flaggedUser).Trim('\\');
+                            string source = string.IsNullOrEmpty(flaggedIp) ? "local" : flaggedIp;
+                            Beaprint.BadPrint(string.Format("        -> Session {0} ({1}) from {2}", flaggedSessionId, userDisplay, source));
+                        }
+                        Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/credentials-mgmt/rdp-sessions", "Dump LSASS / steal tokens (e.g., comsvcs.dll, LsaLogonSessions, custom SSPs) to reuse those privileges.");
                     }
                 }
                 else

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -132,6 +132,7 @@ namespace winPEAS.Helpers
             Console.WriteLine(LCYAN + "        activedirectoryinfo" + GRAY + "   Quick AD checks (gMSA readable passwords, AD CS template rights)" + NOCOLOR);
             Console.WriteLine(LCYAN + "        cloudinfo" + GRAY + "            Enumerate cloud information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        windowscreds" + GRAY + "         Search windows credentials" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        registryinfo" + GRAY + "         Flag writable HKLM/HKU keys that enable hive tampering" + NOCOLOR);
             Console.WriteLine(LCYAN + "        browserinfo" + GRAY + "          Search browser information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        filesinfo" + GRAY + "            Search generic files that can contains credentials" + NOCOLOR);
             Console.WriteLine(LCYAN + "        fileanalysis" + GRAY + "         [NOT RUN BY DEFAULT] Search specific files that can contains credentials and for regexes inside files. Might take several minutes." + NOCOLOR);

winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs

@@ -21,39 +21,59 @@ namespace winPEAS.Helpers
                 ""); //To get the default object you need to use an empty string
         }
 
+        public static List<T> GetLimitedRange<T>(List<T> items, int limit)
+        {
+            return items.GetRange(0, Math.Min(items.Count, limit));
+        }
+
         ////////////////////////////////////
         /////// MISC - Files & Paths ///////
         ////////////////////////////////////
-        public static bool CheckIfDotNet(string path)
+        public static bool CheckIfDotNet(string path, bool ignoreCompanyName = false)
         {
             bool isDotNet = false;
-            FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(path);
-            string companyName = myFileVersionInfo.CompanyName;
-            if ((string.IsNullOrEmpty(companyName)) ||
-                (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
+            string companyName = string.Empty;
+
+            try
             {
-                try
+                FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(path);
+                companyName = myFileVersionInfo.CompanyName;
+            }
+            catch
+            {
+                // Unable to read version information, continue with assembly inspection
+            }
+
+            bool shouldInspectAssembly = ignoreCompanyName ||
+                (string.IsNullOrEmpty(companyName)) ||
+                (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase));
+
+            if (!shouldInspectAssembly)
+            {
+                return false;
+            }
+
+            try
+            {
+                AssemblyName.GetAssemblyName(path);
+                isDotNet = true;
+            }
+            catch (System.IO.FileNotFoundException)
+            {
+                // System.Console.WriteLine("The file cannot be found.");
+            }
+            catch (System.BadImageFormatException exception)
+            {
+                if (Regex.IsMatch(exception.Message,
+                    ".*This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.*",
+                    RegexOptions.IgnoreCase))
                 {
-                    AssemblyName myAssemblyName = AssemblyName.GetAssemblyName(path);
                     isDotNet = true;
                 }
-                catch (System.IO.FileNotFoundException)
-                {
-                    // System.Console.WriteLine("The file cannot be found.");
-                }
-                catch (System.BadImageFormatException exception)
-                {
-                    if (Regex.IsMatch(exception.Message,
-                        ".*This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.*",
-                        RegexOptions.IgnoreCase))
-                    {
-                        isDotNet = true;
-                    }
-                }
-                catch
-                {
-                    // System.Console.WriteLine("The assembly has already been loaded.");
-                }
+            }
+            catch
+            {
+                // System.Console.WriteLine("The assembly has already been loaded.");
             }
 
             return isDotNet;

winPEAS/winPEASexe/winPEAS/Helpers/ObjectManagerHelper.cs

@@ -0,0 +1,34 @@
+using System;
+using System.Diagnostics;
+using System.Threading;
+
+namespace winPEAS.Helpers
+{
+    internal static class ObjectManagerHelper
+    {
+        public static bool TryCreateSessionEvent(out string objectName, out string error)
+        {
+            objectName = $"PEAS_OMNS_{Process.GetCurrentProcess().Id}_{Guid.NewGuid():N}";
+            error = string.Empty;
+
+            try
+            {
+                using (var handle = new EventWaitHandle(initialState: false, EventResetMode.ManualReset, objectName, out var createdNew))
+                {
+                    if (!createdNew)
+                    {
+                        error = "A test event with the generated name already existed.";
+                        return false;
+                    }
+                }
+
+                return true;
+            }
+            catch (Exception ex)
+            {
+                error = ex.Message;
+                return false;
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryAclScanner.cs

@@ -0,0 +1,221 @@
+using Microsoft.Win32;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using winPEAS.Helpers;
+
+namespace winPEAS.Helpers.Registry
+{
+    internal class RegistryWritableKeyInfo
+    {
+        public string Hive { get; set; }
+        public string RelativePath { get; set; }
+        public string FullPath { get; set; }
+        public List<string> Principals { get; set; } = new List<string>();
+        public List<string> Rights { get; set; } = new List<string>();
+    }
+
+    internal static class RegistryAclScanner
+    {
+        private static readonly Dictionary<string, string> LowPrivSidMap = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+        {
+            { new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null).Value, "BUILTIN\\Users" },
+            { new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null).Value, "Authenticated Users" },
+            { new SecurityIdentifier(WellKnownSidType.WorldSid, null).Value, "Everyone" },
+            { new SecurityIdentifier(WellKnownSidType.InteractiveSid, null).Value, "Interactive" },
+            { new SecurityIdentifier(WellKnownSidType.BuiltinGuestsSid, null).Value, "BUILTIN\\Guests" },
+        };
+
+        public static bool TryGetWritableKey(string hive, string relativePath, out RegistryWritableKeyInfo info)
+        {
+            info = null;
+            using (var key = OpenKey(hive, relativePath))
+            {
+                if (key == null)
+                {
+                    return false;
+                }
+
+                return TryCollectWritableInfo(hive, relativePath, key, out info);
+            }
+        }
+
+        public static List<RegistryWritableKeyInfo> ScanWritableKeys(string hive, IEnumerable<string> basePaths, int maxDepth, int maxResults)
+        {
+            var results = new List<RegistryWritableKeyInfo>();
+            var seenPaths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var basePath in basePaths ?? Enumerable.Empty<string>())
+            {
+                if (results.Count >= maxResults)
+                {
+                    break;
+                }
+
+                using (var key = OpenKey(hive, basePath))
+                {
+                    if (key == null)
+                    {
+                        continue;
+                    }
+
+                    Traverse(hive, key, basePath, 0, maxDepth, maxResults, seenPaths, results);
+                }
+            }
+
+            return results;
+        }
+
+        private static void Traverse(string hive, RegistryKey currentKey, string currentPath, int depth, int maxDepth, int maxResults, HashSet<string> seenPaths, List<RegistryWritableKeyInfo> results)
+        {
+            if (currentKey == null || results.Count >= maxResults)
+            {
+                return;
+            }
+
+            if (TryCollectWritableInfo(hive, currentPath, currentKey, out var info))
+            {
+                if (seenPaths.Add(info.FullPath))
+                {
+                    results.Add(info);
+                }
+
+                if (results.Count >= maxResults)
+                {
+                    return;
+                }
+            }
+
+            if (depth >= maxDepth)
+            {
+                return;
+            }
+
+            string[] subKeys;
+            try
+            {
+                subKeys = currentKey.GetSubKeyNames();
+            }
+            catch
+            {
+                return;
+            }
+
+            foreach (var subKeyName in subKeys)
+            {
+                if (results.Count >= maxResults)
+                {
+                    break;
+                }
+
+                try
+                {
+                    using (var childKey = currentKey.OpenSubKey(subKeyName))
+                    {
+                        if (childKey == null)
+                        {
+                            continue;
+                        }
+
+                        string childPath = string.IsNullOrEmpty(currentPath) ? subKeyName : $"{currentPath}\\{subKeyName}";
+                        Traverse(hive, childKey, childPath, depth + 1, maxDepth, maxResults, seenPaths, results);
+                    }
+                }
+                catch
+                {
+                    // Ignore keys we cannot open
+                }
+            }
+        }
+
+        private static bool TryCollectWritableInfo(string hive, string relativePath, RegistryKey key, out RegistryWritableKeyInfo info)
+        {
+            info = null;
+
+            try
+            {
+                var acl = key.GetAccessControl(AccessControlSections.Access);
+
+                var principals = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+                var rights = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+                foreach (RegistryAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
+                {
+                    if (rule.AccessControlType != AccessControlType.Allow)
+                    {
+                        continue;
+                    }
+
+                    var sid = rule.IdentityReference as SecurityIdentifier ?? rule.IdentityReference.Translate(typeof(SecurityIdentifier)) as SecurityIdentifier;
+                    if (sid == null)
+                    {
+                        continue;
+                    }
+
+                    if (!LowPrivSidMap.TryGetValue(sid.Value, out var label))
+                    {
+                        continue;
+                    }
+
+                    string interestingRight = PermissionsHelper.PermInt2Str((int)rule.RegistryRights, PermissionType.WRITEABLE_OR_EQUIVALENT_REG);
+                    if (string.IsNullOrEmpty(interestingRight))
+                    {
+                        continue;
+                    }
+
+                    principals.Add($"{label} ({sid.Value})");
+                    rights.Add(interestingRight);
+                }
+
+                if (principals.Count == 0)
+                {
+                    return false;
+                }
+
+                string normalizedRelativePath = relativePath ?? string.Empty;
+                string fullPath = string.IsNullOrEmpty(normalizedRelativePath) ? key.Name : $"{hive}\\{normalizedRelativePath}";
+
+                info = new RegistryWritableKeyInfo
+                {
+                    Hive = hive,
+                    RelativePath = normalizedRelativePath,
+                    FullPath = fullPath,
+                    Principals = principals.ToList(),
+                    Rights = rights.ToList(),
+                };
+                return true;
+            }
+            catch
+            {
+                return false;
+            }
+        }
+
+        private static RegistryKey OpenKey(string hive, string path)
+        {
+            if (string.IsNullOrEmpty(path))
+            {
+                return null;
+            }
+
+            try
+            {
+                RegistryKey baseKey = hive switch
+                {
+                    "HKLM" => Microsoft.Win32.Registry.LocalMachine,
+                    "HKCU" => Microsoft.Win32.Registry.CurrentUser,
+                    "HKU" => Microsoft.Win32.Registry.Users,
+                    _ => null,
+                };
+
+                return baseKey?.OpenSubKey(path);
+            }
+            catch
+            {
+                return null;
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/SoapClientProxyAnalyzer.cs

@@ -0,0 +1,369 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Management;
+using System.Text;
+using winPEAS.Helpers;
+using winPEAS.Info.ProcessInfo;
+
+namespace winPEAS.Info.ApplicationInfo
+{
+    internal class SoapClientProxyInstance
+    {
+        public string SourceType { get; set; }
+        public string Name { get; set; }
+        public string Account { get; set; }
+        public string Extra { get; set; }
+    }
+
+    internal class SoapClientProxyFinding
+    {
+        public string BinaryPath { get; set; }
+        public List<SoapClientProxyInstance> Instances { get; } = new List<SoapClientProxyInstance>();
+        public HashSet<string> BinaryIndicators { get; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        public HashSet<string> ConfigIndicators { get; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        public string ConfigPath { get; set; }
+        public bool BinaryScanFailed { get; set; }
+        public bool ConfigScanFailed { get; set; }
+    }
+
+    internal static class SoapClientProxyAnalyzer
+    {
+        private class SoapClientProxyCandidate
+        {
+            public string BinaryPath { get; set; }
+            public string SourceType { get; set; }
+            public string Name { get; set; }
+            public string Account { get; set; }
+            public string Extra { get; set; }
+        }
+
+        private static readonly string[] BinaryIndicatorStrings = new[]
+        {
+            "SoapHttpClientProtocol",
+            "HttpWebClientProtocol",
+            "DiscoveryClientProtocol",
+            "HttpSimpleClientProtocol",
+            "HttpGetClientProtocol",
+            "HttpPostClientProtocol",
+            "ServiceDescriptionImporter",
+            "System.Web.Services.Description.ServiceDescriptionImporter",
+        };
+
+        private static readonly Dictionary<string, string> ConfigIndicatorMap = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+        {
+            { "soap:address", "soap:address element present" },
+            { "soap12:address", "soap12:address element present" },
+            { "?wsdl", "?wsdl reference" },
+            { "<wsdl:", "WSDL schema embedded in config" },
+            { "servicedescriptionimporter", "ServiceDescriptionImporter referenced in config" },
+            { "system.web.services.description", "System.Web.Services.Description namespace referenced" },
+            { "new-webserviceproxy", "PowerShell New-WebServiceProxy referenced" },
+            { "file://", "file:// scheme referenced" },
+        };
+
+        private const long MaxBinaryScanSize = 200 * 1024 * 1024; // 200MB
+        private static readonly object DotNetCacheLock = new object();
+        private static readonly Dictionary<string, bool> DotNetCache = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
+
+        public static List<SoapClientProxyFinding> CollectFindings()
+        {
+            var findings = new Dictionary<string, SoapClientProxyFinding>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var candidate in EnumerateServiceCandidates().Concat(EnumerateProcessCandidates()))
+            {
+                if (string.IsNullOrEmpty(candidate.BinaryPath) || !File.Exists(candidate.BinaryPath))
+                {
+                    continue;
+                }
+
+                if (!findings.TryGetValue(candidate.BinaryPath, out var finding))
+                {
+                    finding = new SoapClientProxyFinding
+                    {
+                        BinaryPath = candidate.BinaryPath,
+                    };
+
+                    findings.Add(candidate.BinaryPath, finding);
+                }
+
+                finding.Instances.Add(new SoapClientProxyInstance
+                {
+                    SourceType = candidate.SourceType,
+                    Name = candidate.Name,
+                    Account = string.IsNullOrEmpty(candidate.Account) ? "Unknown" : candidate.Account,
+                    Extra = candidate.Extra ?? string.Empty,
+                });
+            }
+
+            foreach (var finding in findings.Values)
+            {
+                ScanBinaryIndicators(finding);
+                ScanConfigIndicators(finding);
+            }
+
+            return findings.Values
+                .Where(f => f.BinaryIndicators.Count > 0 || f.ConfigIndicators.Count > 0)
+                .OrderByDescending(f => f.BinaryIndicators.Contains("ServiceDescriptionImporter"))
+                .ThenBy(f => f.BinaryPath, StringComparer.OrdinalIgnoreCase)
+                .ToList();
+        }
+
+        private static IEnumerable<SoapClientProxyCandidate> EnumerateServiceCandidates()
+        {
+            var results = new List<SoapClientProxyCandidate>();
+            try
+            {
+                using (var searcher = new ManagementObjectSearcher(@"root\\cimv2", "SELECT Name, DisplayName, PathName, StartName FROM Win32_Service"))
+                using (var services = searcher.Get())
+                {
+                    foreach (ManagementObject service in services)
+                    {
+                        string pathName = service["PathName"]?.ToString();
+                        string binaryPath = MyUtils.GetExecutableFromPath(pathName ?? string.Empty);
+                        if (string.IsNullOrEmpty(binaryPath) || !File.Exists(binaryPath))
+                            continue;
+
+                        if (!IsDotNetBinary(binaryPath))
+                            continue;
+
+                        results.Add(new SoapClientProxyCandidate
+                        {
+                            BinaryPath = binaryPath,
+                            SourceType = "Service",
+                            Name = service["Name"]?.ToString() ?? string.Empty,
+                            Account = service["StartName"]?.ToString() ?? string.Empty,
+                            Extra = service["DisplayName"]?.ToString() ?? string.Empty,
+                        });
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("Error while enumerating services for SOAP client analysis: " + ex.Message);
+            }
+
+            return results;
+        }
+
+        private static IEnumerable<SoapClientProxyCandidate> EnumerateProcessCandidates()
+        {
+            var results = new List<SoapClientProxyCandidate>();
+            try
+            {
+                List<Dictionary<string, string>> processes = ProcessesInfo.GetProcInfo();
+                foreach (var proc in processes)
+                {
+                    string path = proc.ContainsKey("ExecutablePath") ? proc["ExecutablePath"] : string.Empty;
+                    if (string.IsNullOrEmpty(path) || !File.Exists(path))
+                        continue;
+
+                    if (!IsDotNetBinary(path))
+                        continue;
+
+                    string owner = proc.ContainsKey("Owner") ? proc["Owner"] : string.Empty;
+                    if (!IsInterestingProcessOwner(owner))
+                        continue;
+
+                    results.Add(new SoapClientProxyCandidate
+                    {
+                        BinaryPath = path,
+                        SourceType = "Process",
+                        Name = proc.ContainsKey("Name") ? proc["Name"] : string.Empty,
+                        Account = owner,
+                        Extra = proc.ContainsKey("ProcessID") ? $"PID {proc["ProcessID"]}" : string.Empty,
+                    });
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("Error while enumerating processes for SOAP client analysis: " + ex.Message);
+            }
+
+            return results;
+        }
+
+        private static bool IsInterestingProcessOwner(string owner)
+        {
+            if (string.IsNullOrEmpty(owner))
+                return true;
+
+            string normalizedOwner = owner;
+            if (owner.Contains("\\"))
+            {
+                normalizedOwner = owner.Split('\\').Last();
+            }
+
+            return !normalizedOwner.Equals(Environment.UserName, StringComparison.OrdinalIgnoreCase);
+        }
+
+        private static bool IsDotNetBinary(string path)
+        {
+            lock (DotNetCacheLock)
+            {
+                if (DotNetCache.TryGetValue(path, out bool cached))
+                {
+                    return cached;
+                }
+
+                bool result = false;
+                try
+                {
+                    result = MyUtils.CheckIfDotNet(path, true);
+                }
+                catch
+                {
+                }
+
+                DotNetCache[path] = result;
+                return result;
+            }
+        }
+
+        private static void ScanBinaryIndicators(SoapClientProxyFinding finding)
+        {
+            try
+            {
+                FileInfo fi = new FileInfo(finding.BinaryPath);
+                if (!fi.Exists || fi.Length == 0)
+                    return;
+
+                if (fi.Length > MaxBinaryScanSize)
+                {
+                    finding.BinaryScanFailed = true;
+                    return;
+                }
+
+                foreach (var indicator in BinaryIndicatorStrings)
+                {
+                    if (FileContainsString(finding.BinaryPath, indicator))
+                    {
+                        finding.BinaryIndicators.Add(indicator);
+                    }
+                }
+            }
+            catch
+            {
+                finding.BinaryScanFailed = true;
+            }
+        }
+
+        private static void ScanConfigIndicators(SoapClientProxyFinding finding)
+        {
+            string configPath = GetConfigPath(finding.BinaryPath);
+            if (!string.IsNullOrEmpty(configPath) && File.Exists(configPath))
+            {
+                finding.ConfigPath = configPath;
+                try
+                {
+                    string content = File.ReadAllText(configPath);
+                    foreach (var kvp in ConfigIndicatorMap)
+                    {
+                        if (content.IndexOf(kvp.Key, StringComparison.OrdinalIgnoreCase) >= 0)
+                        {
+                            finding.ConfigIndicators.Add(kvp.Value);
+                        }
+                    }
+                }
+                catch
+                {
+                    finding.ConfigScanFailed = true;
+                }
+            }
+
+            string directory = Path.GetDirectoryName(finding.BinaryPath);
+            if (!string.IsNullOrEmpty(directory))
+            {
+                try
+                {
+                    var wsdlFiles = Directory.GetFiles(directory, "*.wsdl", SearchOption.TopDirectoryOnly);
+                    if (wsdlFiles.Length > 0)
+                    {
+                        finding.ConfigIndicators.Add($"Found {wsdlFiles.Length} WSDL file(s) next to binary");
+                    }
+                }
+                catch
+                {
+                    // ignore
+                }
+            }
+        }
+
+        private static string GetConfigPath(string binaryPath)
+        {
+            if (string.IsNullOrEmpty(binaryPath))
+                return string.Empty;
+
+            string candidate = binaryPath + ".config";
+            return File.Exists(candidate) ? candidate : string.Empty;
+        }
+
+        private static bool FileContainsString(string path, string value)
+        {
+            const int bufferSize = 64 * 1024;
+            byte[] pattern = Encoding.UTF8.GetBytes(value);
+            if (pattern.Length == 0)
+                return false;
+
+            try
+            {
+                using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete))
+                {
+                    byte[] buffer = new byte[bufferSize + pattern.Length];
+                    int bufferLen = 0;
+                    int bytesRead;
+                    while ((bytesRead = fs.Read(buffer, bufferLen, bufferSize)) > 0)
+                    {
+                        int total = bufferLen + bytesRead;
+                        if (IndexOf(buffer, total, pattern) >= 0)
+                        {
+                            return true;
+                        }
+
+                        if (pattern.Length > 1)
+                        {
+                            bufferLen = Math.Min(pattern.Length - 1, total);
+                            Buffer.BlockCopy(buffer, total - bufferLen, buffer, 0, bufferLen);
+                        }
+                        else
+                        {
+                            bufferLen = 0;
+                        }
+                    }
+                }
+            }
+            catch
+            {
+                return false;
+            }
+
+            return false;
+        }
+
+        private static int IndexOf(byte[] buffer, int bufferLength, byte[] pattern)
+        {
+            int limit = bufferLength - pattern.Length;
+            if (limit < 0)
+                return -1;
+
+            for (int i = 0; i <= limit; i++)
+            {
+                bool match = true;
+                for (int j = 0; j < pattern.Length; j++)
+                {
+                    if (buffer[i + j] != pattern[j])
+                    {
+                        match = false;
+                        break;
+                    }
+                }
+
+                if (match)
+                    return i;
+            }
+
+            return -1;
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/HostnameResolution.cs

@@ -46,7 +46,7 @@ namespace winPEAS.Info.NetworkInfo
 
                 // 4. Call external checker
                 var resp = httpClient
-                    .PostAsync("https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/", payload)
+                    .PostAsync("https://tools.hacktricks.wiki/api/host-checker", payload)
                     .GetAwaiter().GetResult();
 
                 if (resp.IsSuccessStatusCode)

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetConnectivity.cs

@@ -4,6 +4,8 @@ using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Net.NetworkInformation;
 using System.Net.Sockets;
+using System.Text;
+using System.Text.Json;
 using System.Threading;
 
 namespace winPEAS.Info.NetworkInfo
@@ -48,7 +50,7 @@ namespace winPEAS.Info.NetworkInfo
             { "1.1.1.1", "8.8.8.8" };
 
         private const string LAMBDA_URL =
-            "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/";
+            "https://tools.hacktricks.wiki/api/host-checker";
 
         // Shared HttpClient (kept for HTTP & Lambda checks)
         private static readonly HttpClient http = new HttpClient
@@ -118,7 +120,12 @@ namespace winPEAS.Info.NetworkInfo
                 using var cts =
                     new CancellationTokenSource(TimeSpan.FromMilliseconds(HTTP_TIMEOUT_MS));
 
-                var req = new HttpRequestMessage(HttpMethod.Get, LAMBDA_URL);
+                var payload = new StringContent(
+                    JsonSerializer.Serialize(new { hostname = Environment.MachineName }),
+                    Encoding.UTF8,
+                    "application/json");
+                var req = new HttpRequestMessage(HttpMethod.Post, LAMBDA_URL);
+                req.Content = payload;
                 req.Headers.UserAgent.ParseAdd("winpeas");
                 req.Headers.Accept.Add(
                     new MediaTypeWithQualityHeaderValue("application/json"));

winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/OemSoftwareHelper.cs

@@ -0,0 +1,458 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using System.ServiceProcess;
+using winPEAS.Helpers;
+
+namespace winPEAS.Info.ServicesInfo
+{
+    internal static class OemSoftwareHelper
+    {
+        internal static List<OemSoftwareFinding> GetPotentiallyVulnerableComponents(Dictionary<string, string> currentUserSids)
+        {
+            var findings = new List<OemSoftwareFinding>();
+            var services = GetServiceSnapshot();
+            var processes = GetProcessSnapshot();
+
+            foreach (var definition in GetDefinitions())
+            {
+                var finding = new OemSoftwareFinding
+                {
+                    Name = definition.Name,
+                    Description = definition.Description,
+                    Cves = definition.Cves,
+                };
+
+                AppendServiceEvidence(definition, services, finding);
+                AppendProcessEvidence(definition, processes, finding);
+                AppendPathEvidence(definition, currentUserSids, finding);
+                AppendPipeEvidence(definition, finding);
+
+                if (finding.Evidence.Count > 0)
+                {
+                    findings.Add(finding);
+                }
+            }
+
+            return findings;
+        }
+
+        private static void AppendServiceEvidence(OemComponentDefinition definition, List<ServiceSnapshot> services, OemSoftwareFinding finding)
+        {
+            if (definition.ServiceHints == null || definition.ServiceHints.Length == 0)
+            {
+                return;
+            }
+
+            foreach (var serviceHint in definition.ServiceHints)
+            {
+                foreach (var service in services)
+                {
+                    if (ContainsIgnoreCase(service.Name, serviceHint) ||
+                        ContainsIgnoreCase(service.DisplayName, serviceHint))
+                    {
+                        finding.Evidence.Add(new OemEvidence
+                        {
+                            EvidenceType = "service",
+                            Highlight = true,
+                            Message = $"Service '{service.Name}' (Display: {service.DisplayName}) matches indicator '{serviceHint}'"
+                        });
+                    }
+                }
+            }
+        }
+
+        private static void AppendProcessEvidence(OemComponentDefinition definition, List<ProcessSnapshot> processes, OemSoftwareFinding finding)
+        {
+            if (definition.ProcessHints == null || definition.ProcessHints.Length == 0)
+            {
+                return;
+            }
+
+            foreach (var processHint in definition.ProcessHints)
+            {
+                foreach (var process in processes)
+                {
+                    bool matchesName = ContainsIgnoreCase(process.Name, processHint);
+                    bool matchesPath = ContainsIgnoreCase(process.FullPath, processHint);
+
+                    if (matchesName || matchesPath)
+                    {
+                        var location = string.IsNullOrWhiteSpace(process.FullPath) ? "Unknown" : process.FullPath;
+                        finding.Evidence.Add(new OemEvidence
+                        {
+                            EvidenceType = "process",
+                            Highlight = true,
+                            Message = $"Process '{process.Name}' (Path: {location}) matches indicator '{processHint}'"
+                        });
+                    }
+                }
+            }
+        }
+
+        private static void AppendPathEvidence(OemComponentDefinition definition, Dictionary<string, string> currentUserSids, OemSoftwareFinding finding)
+        {
+            if ((definition.DirectoryHints == null || definition.DirectoryHints.Length == 0) &&
+                (definition.FileHints == null || definition.FileHints.Length == 0))
+            {
+                return;
+            }
+
+            if (definition.DirectoryHints != null)
+            {
+                foreach (var dirHint in definition.DirectoryHints)
+                {
+                    var expandedPath = ExpandPath(dirHint.Path);
+                    if (!Directory.Exists(expandedPath))
+                    {
+                        continue;
+                    }
+
+                    var permissions = PermissionsHelper.GetPermissionsFolder(expandedPath, currentUserSids, PermissionType.WRITEABLE_OR_EQUIVALENT);
+                    bool isWritable = permissions.Count > 0;
+
+                    finding.Evidence.Add(new OemEvidence
+                    {
+                        EvidenceType = "path",
+                        Highlight = isWritable,
+                        Message = BuildPathMessage(expandedPath, dirHint.Description, isWritable, permissions)
+                    });
+                }
+            }
+
+            if (definition.FileHints != null)
+            {
+                foreach (var fileHint in definition.FileHints)
+                {
+                    var expandedPath = ExpandPath(fileHint);
+                    if (!File.Exists(expandedPath))
+                    {
+                        continue;
+                    }
+
+                    var permissions = PermissionsHelper.GetPermissionsFile(expandedPath, currentUserSids, PermissionType.WRITEABLE_OR_EQUIVALENT);
+                    bool isWritable = permissions.Count > 0;
+
+                    finding.Evidence.Add(new OemEvidence
+                    {
+                        EvidenceType = "file",
+                        Highlight = isWritable,
+                        Message = BuildPathMessage(expandedPath, "file", isWritable, permissions)
+                    });
+                }
+            }
+        }
+
+        private static void AppendPipeEvidence(OemComponentDefinition definition, OemSoftwareFinding finding)
+        {
+            if (definition.PipeHints == null)
+            {
+                return;
+            }
+
+            foreach (var pipeHint in definition.PipeHints)
+            {
+                try
+                {
+                    var path = $"\\\\.\\pipe\\{pipeHint.Name}";
+                    var security = File.GetAccessControl(path);
+                    string sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
+                    string identity = string.Empty;
+                    string rights = string.Empty;
+                    bool worldWritable = false;
+
+                    if (pipeHint.CheckWorldWritable)
+                    {
+                        worldWritable = HasWorldWritableAce(security, out identity, out rights);
+                    }
+
+                    string details = worldWritable
+                        ? $"Named pipe '{pipeHint.Name}' ({pipeHint.Description}) is writable by {identity} ({rights})."
+                        : $"Named pipe '{pipeHint.Name}' ({pipeHint.Description}) present. SDDL: {sddl}";
+
+                    finding.Evidence.Add(new OemEvidence
+                    {
+                        EvidenceType = "pipe",
+                        Highlight = worldWritable,
+                        Message = details
+                    });
+                }
+                catch (FileNotFoundException)
+                {
+                    // Pipe not present.
+                }
+                catch (DirectoryNotFoundException)
+                {
+                    // Pipe namespace not accessible.
+                }
+                catch (Exception)
+                {
+                    // Best effort: pipes might disappear during enumeration or deny access.
+                }
+            }
+        }
+
+        private static List<ServiceSnapshot> GetServiceSnapshot()
+        {
+            var services = new List<ServiceSnapshot>();
+
+            try
+            {
+                foreach (var service in ServiceController.GetServices())
+                {
+                    services.Add(new ServiceSnapshot
+                    {
+                        Name = service.ServiceName ?? string.Empty,
+                        DisplayName = service.DisplayName ?? string.Empty
+                    });
+                }
+            }
+            catch (Exception)
+            {
+                // Ignore - this is best effort.
+            }
+
+            return services;
+        }
+
+        private static List<ProcessSnapshot> GetProcessSnapshot()
+        {
+            var processes = new List<ProcessSnapshot>();
+
+            try
+            {
+                foreach (var process in Process.GetProcesses())
+                {
+                    string fullPath = string.Empty;
+                    try
+                    {
+                        fullPath = process.MainModule?.FileName ?? string.Empty;
+                    }
+                    catch
+                    {
+                        // Access denied or 64-bit vs 32-bit mismatch.
+                    }
+
+                    processes.Add(new ProcessSnapshot
+                    {
+                        Name = process.ProcessName ?? string.Empty,
+                        FullPath = fullPath ?? string.Empty
+                    });
+                }
+            }
+            catch (Exception)
+            {
+                // Ignore - enumeration is best effort.
+            }
+
+            return processes;
+        }
+
+        private static string ExpandPath(string rawPath)
+        {
+            if (string.IsNullOrWhiteSpace(rawPath))
+            {
+                return string.Empty;
+            }
+
+            var expanded = Environment.ExpandEnvironmentVariables(rawPath);
+            return expanded.Trim().Trim('"');
+        }
+
+        private static string BuildPathMessage(string path, string description, bool isWritable, List<string> permissions)
+        {
+            string descriptor = string.IsNullOrWhiteSpace(description) ? "" : $" ({description})";
+            if (isWritable)
+            {
+                return $"Path '{path}'{descriptor} is writable by current user: {string.Join(", ", permissions)}";
+            }
+
+            return $"Path '{path}'{descriptor} detected.";
+        }
+
+        private static bool ContainsIgnoreCase(string value, string toFind)
+        {
+            if (string.IsNullOrWhiteSpace(value) || string.IsNullOrWhiteSpace(toFind))
+            {
+                return false;
+            }
+
+            return value.IndexOf(toFind, StringComparison.OrdinalIgnoreCase) >= 0;
+        }
+
+        private static bool HasWorldWritableAce(FileSecurity security, out string identity, out string rights)
+        {
+            identity = string.Empty;
+            rights = string.Empty;
+
+            try
+            {
+                var rules = security.GetAccessRules(true, true, typeof(SecurityIdentifier));
+                foreach (FileSystemAccessRule rule in rules)
+                {
+                    if (rule.AccessControlType != AccessControlType.Allow)
+                    {
+                        continue;
+                    }
+
+                    if (rule.IdentityReference is SecurityIdentifier sid)
+                    {
+                        bool isWorld = sid.IsWellKnown(WellKnownSidType.WorldSid);
+                        bool isAuthenticated = sid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid);
+
+                        if (!isWorld && !isAuthenticated)
+                        {
+                            continue;
+                        }
+
+                        const FileSystemRights interestingRights =
+                            FileSystemRights.FullControl |
+                            FileSystemRights.Modify |
+                            FileSystemRights.Write |
+                            FileSystemRights.WriteData |
+                            FileSystemRights.CreateFiles |
+                            FileSystemRights.ChangePermissions;
+
+                        if ((rule.FileSystemRights & interestingRights) != 0)
+                        {
+                            identity = isWorld ? "Everyone" : "Authenticated Users";
+                            rights = rule.FileSystemRights.ToString();
+                            return true;
+                        }
+                    }
+                }
+            }
+            catch
+            {
+                // Ignore parsing issues.
+            }
+
+            return false;
+        }
+
+        private static IEnumerable<OemComponentDefinition> GetDefinitions()
+        {
+            return new List<OemComponentDefinition>
+            {
+                new OemComponentDefinition
+                {
+                    Name = "ASUS DriverHub",
+                    Description = "Local web API exposed by ADU.exe allowed bypassing origin/url validation and signature checks.",
+                    Cves = new[] { "CVE-2025-3462", "CVE-2025-3463" },
+                    ServiceHints = new[] { "asusdriverhub", "asus driverhub" },
+                    ProcessHints = new[] { "adu", "asusdriverhub" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\ASUS\\AsusDriverHub", Description = "Program Files" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\ASUS\\AsusDriverHub", Description = "Program Files (x86)" },
+                        new PathHint { Path = "%ProgramData%\\ASUS\\AsusDriverHub\\SupportTemp", Description = "SupportTemp updater staging" }
+                    },
+                    FileHints = new[]
+                    {
+                        "%ProgramData%\\ASUS\\AsusDriverHub\\SupportTemp\\Installer.json"
+                    }
+                },
+                new OemComponentDefinition
+                {
+                    Name = "MSI Center",
+                    Description = "MSI.CentralServer.exe exposed TCP commands with TOCTOU and signature bypass issues.",
+                    Cves = new[] { "CVE-2025-27812", "CVE-2025-27813" },
+                    ServiceHints = new[] { "msi.center", "msi centralserver" },
+                    ProcessHints = new[] { "msi.centralserver", "msi center" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\MSI\\MSI Center", Description = "Main installation" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\MSI\\MSI Center", Description = "Main installation (x86)" },
+                        new PathHint { Path = "%ProgramData%\\MSI\\MSI Center", Description = "Shared data" },
+                        new PathHint { Path = "%ProgramData%\\MSI Center SDK", Description = "SDK temp copy location" }
+                    }
+                },
+                new OemComponentDefinition
+                {
+                    Name = "Acer Control Centre",
+                    Description = "ACCSvc.exe exposes treadstone_service_LightMode named pipe with weak impersonation controls.",
+                    Cves = new[] { "CVE-2025-5491" },
+                    ServiceHints = new[] { "accsvc", "acer control" },
+                    ProcessHints = new[] { "accsvc", "accstd" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\Acer\\Care Center", Description = "Install directory" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\Acer\\Care Center", Description = "Install directory (x86)" }
+                    },
+                    PipeHints = new[]
+                    {
+                        new PipeHint { Name = "treadstone_service_LightMode", Description = "Command dispatcher", CheckWorldWritable = true }
+                    }
+                },
+                new OemComponentDefinition
+                {
+                    Name = "Razer Synapse 4 Elevation Service",
+                    Description = "razer_elevation_service.exe exposes COM elevation helpers that allowed arbitrary process launch.",
+                    Cves = new[] { "CVE-2025-27811" },
+                    ServiceHints = new[] { "razer_elevation_service" },
+                    ProcessHints = new[] { "razer_elevation_service" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\Razer\\RazerAppEngine", Description = "Razer App Engine" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\Razer\\RazerAppEngine", Description = "Razer App Engine (x86)" }
+                    }
+                }
+            };
+        }
+
+        private class ServiceSnapshot
+        {
+            public string Name { get; set; }
+            public string DisplayName { get; set; }
+        }
+
+        private class ProcessSnapshot
+        {
+            public string Name { get; set; }
+            public string FullPath { get; set; }
+        }
+
+        private class OemComponentDefinition
+        {
+            public string Name { get; set; }
+            public string Description { get; set; }
+            public string[] Cves { get; set; } = Array.Empty<string>();
+            public string[] ServiceHints { get; set; } = Array.Empty<string>();
+            public string[] ProcessHints { get; set; } = Array.Empty<string>();
+            public PathHint[] DirectoryHints { get; set; } = Array.Empty<PathHint>();
+            public string[] FileHints { get; set; } = Array.Empty<string>();
+            public PipeHint[] PipeHints { get; set; } = Array.Empty<PipeHint>();
+        }
+
+        private class PathHint
+        {
+            public string Path { get; set; }
+            public string Description { get; set; }
+        }
+
+        private class PipeHint
+        {
+            public string Name { get; set; }
+            public string Description { get; set; }
+            public bool CheckWorldWritable { get; set; }
+        }
+    }
+
+    internal class OemSoftwareFinding
+    {
+        public string Name { get; set; }
+        public string Description { get; set; }
+        public string[] Cves { get; set; } = Array.Empty<string>();
+        public List<OemEvidence> Evidence { get; } = new List<OemEvidence>();
+    }
+
+    internal class OemEvidence
+    {
+        public string EvidenceType { get; set; }
+        public string Message { get; set; }
+        public bool Highlight { get; set; }
+    }
+}

winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs

@@ -2,11 +2,14 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.IO;
 using System.Linq;
 using System.Management;
 using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Security.AccessControl;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using System.ServiceProcess;
 using System.Text.RegularExpressions;
 using winPEAS.Helpers;
@@ -276,6 +279,109 @@ namespace winPEAS.Info.ServicesInfo
         }
 
 
+        private static readonly DateTime LegacyDriverCutoff = new DateTime(2015, 7, 29);
+
+        public static List<KernelDriverInfo> GetKernelDriverInfos()
+        {
+            List<KernelDriverInfo> drivers = new List<KernelDriverInfo>();
+
+            try
+            {
+                using (ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT Name,DisplayName,PathName,StartMode,State,ServiceType FROM win32_service"))
+                {
+                    using (ManagementObjectCollection data = wmiData.Get())
+                    {
+                        foreach (ManagementObject result in data)
+                        {
+                            string serviceType = GetStringOrEmpty(result["ServiceType"]);
+                            if (string.IsNullOrEmpty(serviceType) || !serviceType.ToLowerInvariant().Contains("kernel driver"))
+                                continue;
+
+                            string binaryPath = MyUtils.ReconstructExecPath(GetStringOrEmpty(result["PathName"]));
+
+                            drivers.Add(new KernelDriverInfo
+                            {
+                                Name = GetStringOrEmpty(result["Name"]),
+                                DisplayName = GetStringOrEmpty(result["DisplayName"]),
+                                StartMode = GetStringOrEmpty(result["StartMode"]),
+                                State = GetStringOrEmpty(result["State"]),
+                                PathName = binaryPath,
+                                Signature = GetDriverSignatureInfo(binaryPath)
+                            });
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+
+            return drivers;
+        }
+
+        private static KernelDriverSignatureInfo GetDriverSignatureInfo(string binaryPath)
+        {
+            KernelDriverSignatureInfo info = new KernelDriverSignatureInfo
+            {
+                FilePath = binaryPath,
+                IsSigned = false
+            };
+
+            if (string.IsNullOrEmpty(binaryPath) || !File.Exists(binaryPath))
+            {
+                info.Error = "Binary not found";
+                return info;
+            }
+
+            try
+            {
+                using (var baseCertificate = X509Certificate.CreateFromSignedFile(binaryPath))
+                using (var certificate = new X509Certificate2(baseCertificate))
+                {
+                    info.IsSigned = true;
+                    info.Subject = certificate.Subject;
+                    info.Issuer = certificate.Issuer;
+                    info.NotBefore = certificate.NotBefore;
+                    info.NotAfter = certificate.NotAfter;
+                    info.IsLegacyExpired = certificate.NotAfter < LegacyDriverCutoff;
+                }
+            }
+            catch (CryptographicException cryptoEx)
+            {
+                info.Error = cryptoEx.Message;
+            }
+            catch (Exception ex)
+            {
+                info.Error = ex.Message;
+            }
+
+            return info;
+        }
+
+        internal class KernelDriverInfo
+        {
+            public string Name { get; set; }
+            public string DisplayName { get; set; }
+            public string PathName { get; set; }
+            public string StartMode { get; set; }
+            public string State { get; set; }
+            public KernelDriverSignatureInfo Signature { get; set; }
+        }
+
+        internal class KernelDriverSignatureInfo
+        {
+            public string FilePath { get; set; }
+            public bool IsSigned { get; set; }
+            public string Subject { get; set; }
+            public string Issuer { get; set; }
+            public DateTime? NotBefore { get; set; }
+            public DateTime? NotAfter { get; set; }
+            public bool IsLegacyExpired { get; set; }
+            public string Error { get; set; }
+        }
+
+
         //////////////////////////////////////
         ////////  PATH DLL Hijacking /////////
         //////////////////////////////////////

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/NamedPipes/NamedPipeSecurityAnalyzer.cs

@@ -0,0 +1,508 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using winPEAS.Helpers;
+using winPEAS.Native;
+
+namespace winPEAS.Info.SystemInfo.NamedPipes
+{
+    internal static class NamedPipeSecurityAnalyzer
+    {
+        private const string DeviceNamedPipePrefix = @"\Device\NamedPipe\";
+        private static readonly char[] CandidateSeparators = { '\\', '/', '-', ':', '(' };
+
+        private static readonly HashSet<string> LowPrivSidSet = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        {
+            "S-1-1-0",      // Everyone
+            "S-1-5-11",     // Authenticated Users
+            "S-1-5-32-545", // Users
+            "S-1-5-32-546", // Guests
+            "S-1-5-32-547", // Power Users
+            "S-1-5-32-554", // Pre-Windows 2000 Compatible Access
+            "S-1-5-32-555", // Remote Desktop Users
+            "S-1-5-32-558", // Performance Log Users
+            "S-1-5-32-559", // Performance Monitor Users
+            "S-1-5-32-562", // Distributed COM Users
+            "S-1-5-32-569", // Remote Management Users
+            "S-1-5-4",      // Interactive
+            "S-1-5-2",      // Network
+            "S-1-5-1",      // Dialup
+            "S-1-5-7"       // Anonymous Logon
+        };
+
+        private static readonly HashSet<string> LowPrivPrincipalKeywords = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        {
+            "everyone",
+            "authenticated users",
+            "users",
+            "guests",
+            "power users",
+            "remote desktop users",
+            "remote management users",
+            "distributed com users",
+            "anonymous logon",
+            "interactive",
+            "network",
+            "local",
+            "batch",
+            "iis_iusrs"
+        };
+
+        private static readonly HashSet<string> PrivilegedSidSet = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        {
+            "S-1-5-18",      // SYSTEM
+            "S-1-5-19",      // LOCAL SERVICE
+            "S-1-5-20",      // NETWORK SERVICE
+            "S-1-5-32-544"   // Administrators
+        };
+
+        private static readonly (string Label, FileSystemRights Right)[] DangerousRightsMap = new[]
+        {
+            ("FullControl", FileSystemRights.FullControl),
+            ("Modify", FileSystemRights.Modify),
+            ("Write", FileSystemRights.Write),
+            ("WriteData", FileSystemRights.WriteData),
+            ("AppendData", FileSystemRights.AppendData),
+            ("CreateFiles", FileSystemRights.CreateFiles),
+            ("CreateDirectories", FileSystemRights.CreateDirectories),
+            ("WriteAttributes", FileSystemRights.WriteAttributes),
+            ("WriteExtendedAttributes", FileSystemRights.WriteExtendedAttributes),
+            ("Delete", FileSystemRights.Delete),
+            ("ChangePermissions", FileSystemRights.ChangePermissions),
+            ("TakeOwnership", FileSystemRights.TakeOwnership)
+        };
+
+        public static IEnumerable<NamedPipeSecurityIssue> GetNamedPipeAbuseCandidates()
+        {
+            var insecurePipes = DiscoverInsecurePipes();
+            if (!insecurePipes.Any())
+            {
+                return Enumerable.Empty<NamedPipeSecurityIssue>();
+            }
+
+            AttachProcesses(insecurePipes);
+
+            return insecurePipes.Values
+                                .Where(issue => issue.LowPrivilegeAces.Any())
+                                .OrderByDescending(issue => issue.HasPrivilegedServer)
+                                .ThenBy(issue => issue.Name)
+                                .ToList();
+        }
+
+        private static Dictionary<string, NamedPipeSecurityIssue> DiscoverInsecurePipes()
+        {
+            var result = new Dictionary<string, NamedPipeSecurityIssue>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var pipe in NamedPipes.GetNamedPipeInfos())
+            {
+                if (string.IsNullOrWhiteSpace(pipe.Sddl) || pipe.Sddl.Equals("ERROR", StringComparison.OrdinalIgnoreCase))
+                    continue;
+
+                try
+                {
+                    var descriptor = new RawSecurityDescriptor(pipe.Sddl);
+                    if (descriptor.DiscretionaryAcl == null)
+                        continue;
+
+                    foreach (GenericAce ace in descriptor.DiscretionaryAcl)
+                    {
+                        if (!(ace is CommonAce commonAce))
+                            continue;
+
+                        var sid = commonAce.SecurityIdentifier;
+                        if (sid == null || !IsLowPrivilegePrincipal(sid))
+                            continue;
+
+                        if (!HasDangerousWriteRights(commonAce.AccessMask))
+                            continue;
+
+                        var rights = DescribeRights(commonAce.AccessMask).ToList();
+                        if (!rights.Any())
+                            continue;
+
+                        if (!result.TryGetValue(pipe.Name, out var issue))
+                        {
+                            issue = new NamedPipeSecurityIssue(pipe.Name, pipe.Sddl, NormalizePipeName(pipe.Name));
+                            result[pipe.Name] = issue;
+                        }
+
+                        var account = ResolveSidToName(sid);
+                        issue.AddLowPrivPrincipal(account, sid.Value, rights);
+                    }
+                }
+                catch
+                {
+                    // Ignore malformed SDDL strings
+                }
+            }
+
+            return result;
+        }
+
+        private static void AttachProcesses(Dictionary<string, NamedPipeSecurityIssue> insecurePipes)
+        {
+            if (!insecurePipes.Any())
+                return;
+
+            var lookup = BuildLookup(insecurePipes.Values);
+            if (!lookup.Any())
+                return;
+
+            List<HandlesHelper.SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> handles;
+            try
+            {
+                handles = HandlesHelper.GetAllHandlers();
+            }
+            catch
+            {
+                return;
+            }
+
+            var currentProcess = Kernel32.GetCurrentProcess();
+            var processCache = new Dictionary<int, NamedPipeProcessInfo>();
+
+            foreach (var handle in handles)
+            {
+                IntPtr processHandle = IntPtr.Zero;
+                IntPtr duplicatedHandle = IntPtr.Zero;
+
+                try
+                {
+                    int pid = GetPid(handle);
+                    if (pid <= 0)
+                        continue;
+
+                    processHandle = Kernel32.OpenProcess(
+                        HandlesHelper.ProcessAccessFlags.DupHandle | HandlesHelper.ProcessAccessFlags.QueryLimitedInformation,
+                        false,
+                        pid);
+
+                    if (processHandle == IntPtr.Zero)
+                        continue;
+
+                    if (!Kernel32.DuplicateHandle(processHandle, handle.HandleValue, currentProcess, out duplicatedHandle, 0, false, HandlesHelper.DUPLICATE_SAME_ACCESS))
+                        continue;
+
+                    var typeName = HandlesHelper.GetObjectType(duplicatedHandle);
+                    if (!string.Equals(typeName, "File", StringComparison.OrdinalIgnoreCase))
+                        continue;
+
+                    var objectName = HandlesHelper.GetObjectName(duplicatedHandle);
+                    if (string.IsNullOrEmpty(objectName) || !objectName.StartsWith(DeviceNamedPipePrefix, StringComparison.OrdinalIgnoreCase))
+                        continue;
+
+                    var normalizedHandleName = NormalizePipeName(objectName.Substring(DeviceNamedPipePrefix.Length));
+                    var candidates = GetCandidateKeys(normalizedHandleName);
+
+                    bool matched = false;
+
+                    foreach (var candidate in candidates)
+                    {
+                        if (!lookup.TryGetValue(candidate, out var matchedIssues))
+                            continue;
+
+                        if (!processCache.TryGetValue(pid, out var processInfo))
+                        {
+                            var raw = HandlesHelper.getProcInfoById(pid);
+                            processInfo = new NamedPipeProcessInfo(raw.pid, raw.name, raw.userName, raw.userSid, IsHighPrivilegeAccount(raw.userSid, raw.userName));
+                            processCache[pid] = processInfo;
+                        }
+
+                        foreach (var issue in matchedIssues)
+                        {
+                            issue.AddProcess(processInfo);
+                        }
+
+                        matched = true;
+                        break;
+                    }
+
+                    if (!matched)
+                        continue;
+                }
+                catch
+                {
+                    // Ignore per-handle failures
+                }
+                finally
+                {
+                    if (duplicatedHandle != IntPtr.Zero)
+                    {
+                        Kernel32.CloseHandle(duplicatedHandle);
+                    }
+                    if (processHandle != IntPtr.Zero)
+                    {
+                        Kernel32.CloseHandle(processHandle);
+                    }
+                }
+            }
+        }
+
+        private static Dictionary<string, List<NamedPipeSecurityIssue>> BuildLookup(IEnumerable<NamedPipeSecurityIssue> issues)
+        {
+            var lookup = new Dictionary<string, List<NamedPipeSecurityIssue>>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var issue in issues)
+            {
+                foreach (var key in GetCandidateKeys(issue.NormalizedName))
+                {
+                    if (!lookup.TryGetValue(key, out var list))
+                    {
+                        list = new List<NamedPipeSecurityIssue>();
+                        lookup[key] = list;
+                    }
+
+                    if (!list.Contains(issue))
+                    {
+                        list.Add(issue);
+                    }
+                }
+            }
+
+            return lookup;
+        }
+
+        private static IEnumerable<string> GetCandidateKeys(string normalizedName)
+        {
+            if (string.IsNullOrEmpty(normalizedName))
+                return Array.Empty<string>();
+
+            var candidates = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+            {
+                normalizedName
+            };
+
+            foreach (var separator in CandidateSeparators)
+            {
+                var idx = normalizedName.IndexOf(separator);
+                if (idx > 0)
+                {
+                    candidates.Add(normalizedName.Substring(0, idx));
+                }
+            }
+
+            return candidates;
+        }
+
+        private static string NormalizePipeName(string rawName)
+        {
+            if (string.IsNullOrWhiteSpace(rawName))
+                return string.Empty;
+
+            var normalized = rawName.Replace('/', '\\').Trim();
+            while (normalized.StartsWith("\\", StringComparison.Ordinal))
+            {
+                normalized = normalized.Substring(1);
+            }
+
+            return normalized.ToLowerInvariant();
+        }
+
+        private static bool HasDangerousWriteRights(int accessMask)
+        {
+            var rights = (FileSystemRights)accessMask;
+            foreach (var entry in DangerousRightsMap)
+            {
+                if ((rights & entry.Right) == entry.Right)
+                    return true;
+            }
+
+            return false;
+        }
+
+        private static IEnumerable<string> DescribeRights(int accessMask)
+        {
+            var rights = (FileSystemRights)accessMask;
+            var descriptions = new List<string>();
+
+            foreach (var entry in DangerousRightsMap)
+            {
+                if ((rights & entry.Right) == entry.Right)
+                {
+                    descriptions.Add(entry.Label);
+                    if (entry.Right == FileSystemRights.FullControl)
+                        break;
+                }
+            }
+
+            if (!descriptions.Any())
+            {
+                descriptions.Add($"0x{accessMask:x}");
+            }
+
+            return descriptions;
+        }
+
+        private static bool IsLowPrivilegePrincipal(SecurityIdentifier sid)
+        {
+            if (sid == null)
+                return false;
+
+            if (LowPrivSidSet.Contains(sid.Value))
+                return true;
+
+            var accountName = ResolveSidToName(sid);
+            if (string.IsNullOrEmpty(accountName))
+                return false;
+
+            return LowPrivPrincipalKeywords.Any(keyword => accountName.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0);
+        }
+
+        private static string ResolveSidToName(SecurityIdentifier sid)
+        {
+            if (sid == null)
+                return string.Empty;
+
+            try
+            {
+                return sid.Translate(typeof(NTAccount)).Value;
+            }
+            catch
+            {
+                return sid.Value;
+            }
+        }
+
+        private static bool IsHighPrivilegeAccount(string sid, string userName)
+        {
+            if (!string.IsNullOrEmpty(sid))
+            {
+                if (PrivilegedSidSet.Contains(sid))
+                    return true;
+
+                if (sid.StartsWith("S-1-5-80-", StringComparison.OrdinalIgnoreCase)) // Service SID
+                    return true;
+
+                if (sid.StartsWith("S-1-5-82-", StringComparison.OrdinalIgnoreCase)) // AppPool / service-like SIDs
+                    return true;
+            }
+
+            if (!string.IsNullOrEmpty(userName))
+            {
+                if (string.Equals(userName, HandlesHelper.elevatedProcess, StringComparison.OrdinalIgnoreCase))
+                    return true;
+
+                var normalized = userName.ToUpperInvariant();
+                if (normalized.Contains("SYSTEM") || normalized.Contains("LOCAL SERVICE") || normalized.Contains("NETWORK SERVICE"))
+                    return true;
+
+                if (normalized.StartsWith("NT SERVICE\\", StringComparison.Ordinal))
+                    return true;
+
+                if (normalized.EndsWith("$", StringComparison.Ordinal) && normalized.Contains("\\"))
+                    return true;
+            }
+
+            return false;
+        }
+
+        private static int GetPid(HandlesHelper.SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handle)
+        {
+            unchecked
+            {
+                if (IntPtr.Size == 4)
+                {
+                    return (int)handle.UniqueProcessId.ToUInt32();
+                }
+
+                return (int)handle.UniqueProcessId.ToUInt64();
+            }
+        }
+    }
+
+    internal class NamedPipeSecurityIssue
+    {
+        private readonly Dictionary<string, NamedPipePrincipalAccess> _principalAccess = new Dictionary<string, NamedPipePrincipalAccess>(StringComparer.OrdinalIgnoreCase);
+        private readonly Dictionary<int, NamedPipeProcessInfo> _processes = new Dictionary<int, NamedPipeProcessInfo>();
+
+        public NamedPipeSecurityIssue(string name, string sddl, string normalizedName)
+        {
+            Name = name;
+            Sddl = sddl;
+            NormalizedName = normalizedName;
+        }
+
+        public string Name { get; }
+        public string Sddl { get; }
+        public string NormalizedName { get; }
+
+        public IReadOnlyCollection<NamedPipePrincipalAccess> LowPrivilegeAces => _principalAccess.Values;
+        public IReadOnlyCollection<NamedPipeProcessInfo> Processes => _processes.Values;
+        public bool HasPrivilegedServer => _processes.Values.Any(process => process.IsHighPrivilege);
+
+        public void AddLowPrivPrincipal(string principal, string sid, IEnumerable<string> rights)
+        {
+            if (string.IsNullOrEmpty(sid))
+                return;
+
+            if (!_principalAccess.TryGetValue(sid, out var access))
+            {
+                access = new NamedPipePrincipalAccess(principal, sid);
+                _principalAccess[sid] = access;
+            }
+
+            access.AddRights(rights);
+        }
+
+        public void AddProcess(NamedPipeProcessInfo process)
+        {
+            if (process == null)
+                return;
+
+            if (!_processes.ContainsKey(process.Pid))
+            {
+                _processes[process.Pid] = process;
+            }
+        }
+    }
+
+    internal class NamedPipePrincipalAccess
+    {
+        private readonly HashSet<string> _rights = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+        public NamedPipePrincipalAccess(string principal, string sid)
+        {
+            Principal = principal;
+            Sid = sid;
+        }
+
+        public string Principal { get; }
+        public string Sid { get; }
+        public string RightsDescription => _rights.Count == 0 ? string.Empty : string.Join("|", _rights.OrderBy(r => r));
+        public IEnumerable<string> Rights => _rights;
+
+        public void AddRights(IEnumerable<string> rights)
+        {
+            if (rights == null)
+                return;
+
+            foreach (var right in rights)
+            {
+                if (!string.IsNullOrWhiteSpace(right))
+                {
+                    _rights.Add(right.Trim());
+                }
+            }
+        }
+    }
+
+    internal class NamedPipeProcessInfo
+    {
+        public NamedPipeProcessInfo(int pid, string processName, string userName, string userSid, bool isHighPrivilege)
+        {
+            Pid = pid;
+            ProcessName = processName;
+            UserName = userName;
+            UserSid = userSid;
+            IsHighPrivilege = isHighPrivilege;
+        }
+
+        public int Pid { get; }
+        public string ProcessName { get; }
+        public string UserName { get; }
+        public string UserSid { get; }
+        public bool IsHighPrivilege { get; }
+    }
+}

winPEAS/winPEASexe/winPEAS/Info/UserInfo/SAM/Structs.cs

@@ -16,6 +16,10 @@ namespace winPEAS.Info.UserInfo.SAM
         {
             get
             {
+                if (_maxPasswordAge == long.MinValue)
+                {
+                    return TimeSpan.MinValue;
+                }
                 return -new TimeSpan(_maxPasswordAge);
             }
             set
@@ -28,6 +32,10 @@ namespace winPEAS.Info.UserInfo.SAM
         {
             get
             {
+                if (_minPasswordAge == long.MinValue)
+                {
+                    return TimeSpan.MinValue;
+                }
                 return -new TimeSpan(_minPasswordAge);
             }
             set

winPEAS/winPEASexe/winPEAS/Info/UserInfo/UserInfoHelper.cs

@@ -16,6 +16,20 @@ namespace winPEAS.Info.UserInfo
 {
     class UserInfoHelper
     {
+        private static readonly Dictionary<string, bool> _highPrivAccountCache = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
+        private static readonly string[] _highPrivGroupIndicators = new string[]
+        {
+            "administrators",
+            "domain admins",
+            "enterprise admins",
+            "schema admins",
+            "server operators",
+            "account operators",
+            "backup operators",
+            "dnsadmins",
+            "hyper-v administrators"
+        };
+
         // https://stackoverflow.com/questions/5247798/get-list-of-local-computer-usernames-in-windows
 
 
@@ -91,6 +105,65 @@ namespace winPEAS.Info.UserInfo
             return oPrincipalContext;
         }
 
+        public static bool IsHighPrivilegeAccount(string userName, string domain)
+        {
+            if (string.IsNullOrWhiteSpace(userName))
+            {
+                return false;
+            }
+
+            string cacheKey = ($"{domain}\\{userName}").Trim('\\');
+            if (_highPrivAccountCache.TryGetValue(cacheKey, out bool cached))
+            {
+                return cached;
+            }
+
+            bool isHighPriv = false;
+            try
+            {
+                string resolvedDomain = string.IsNullOrWhiteSpace(domain) ? Checks.Checks.CurrentUserDomainName : domain;
+                List<string> groups = User.GetUserGroups(userName, resolvedDomain);
+                foreach (string group in groups)
+                {
+                    if (IsHighPrivilegeGroup(group))
+                    {
+                        isHighPriv = true;
+                        break;
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint(string.Format("  [-] Unable to resolve groups for {0}\\{1}: {2}", domain, userName, ex.Message));
+            }
+
+            if (!isHighPriv)
+            {
+                isHighPriv = string.Equals(userName, "administrator", StringComparison.OrdinalIgnoreCase) || userName.StartsWith("admin", StringComparison.OrdinalIgnoreCase);
+            }
+
+            _highPrivAccountCache[cacheKey] = isHighPriv;
+            return isHighPriv;
+        }
+
+        private static bool IsHighPrivilegeGroup(string groupName)
+        {
+            if (string.IsNullOrWhiteSpace(groupName))
+            {
+                return false;
+            }
+
+            foreach (string indicator in _highPrivGroupIndicators)
+            {
+                if (groupName.IndexOf(indicator, StringComparison.OrdinalIgnoreCase) >= 0)
+                {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
         //From Seatbelt
         public enum WTS_CONNECTSTATE_CLASS
         {

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs

@@ -88,6 +88,10 @@ namespace winPEAS.KnownFileCreds
                     if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
                     {
                         string[] subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions\\", SID));
+                        if (subKeys.Length == 0)
+                        {
+                            subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions", SID));
+                        }
 
                         foreach (string sessionName in subKeys)
                         {
@@ -129,6 +133,10 @@ namespace winPEAS.KnownFileCreds
             else
             {
                 string[] subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions\\");
+                if (subKeys.Length == 0)
+                {
+                    subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions");
+                }
                 RegistryKey selfKey = Registry.CurrentUser.OpenSubKey(@"Software\\SimonTatham\\PuTTY\\Sessions"); // extract own Sessions registry keys           
 
                 if (selfKey != null)
@@ -198,6 +206,10 @@ namespace winPEAS.KnownFileCreds
                     if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
                     {
                         Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\", SID));
+                        if ((hostKeys == null) || (hostKeys.Count == 0))
+                        {
+                            hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys", SID));
+                        }
                         if ((hostKeys != null) && (hostKeys.Count != 0))
                         {
                             Dictionary<string, string> putty_ssh = new Dictionary<string, string>
@@ -216,6 +228,10 @@ namespace winPEAS.KnownFileCreds
             else
             {
                 Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKCU", "Software\\SimonTatham\\PuTTY\\SshHostKeys\\");
+                if ((hostKeys == null) || (hostKeys.Count == 0))
+                {
+                    hostKeys = RegistryHelper.GetRegValues("HKCU", "Software\\SimonTatham\\PuTTY\\SshHostKeys");
+                }
                 if ((hostKeys != null) && (hostKeys.Count != 0))
                 {
                     Dictionary<string, string> putty_ssh = new Dictionary<string, string>();

winPEAS/winPEASexe/winPEAS/Program.cs

@@ -11,6 +11,7 @@ namespace winPEAS
         [STAThread]
         public static void Main(string[] args)
         {
+            // TODO: keep Main minimal; this line was an intentional break in test PR.
             Checks.Checks.Run(args);
         }
     }