Gate codex triage on successful PR tests

Fix pr failure dispatch context 2

.github/workflows/codex-pr-triage.yml

@@ -1,41 +1,94 @@
 name: Codex PR Triage
 
 on:
-  pull_request:
-    types: [opened]
+  workflow_run:
+    workflows: ["PR-tests"]
+    types: [completed]
 
 jobs:
   codex_triage:
-    if: ${{ github.event.pull_request.user.login == 'carlospolop' }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: write
     outputs:
+      should_run: ${{ steps.gate.outputs.should_run }}
+      pr_number: ${{ steps.gate.outputs.pr_number }}
+      pr_title: ${{ steps.gate.outputs.pr_title }}
+      pr_body: ${{ steps.gate.outputs.pr_body }}
+      base_ref: ${{ steps.gate.outputs.base_ref }}
+      head_ref: ${{ steps.gate.outputs.head_ref }}
+      base_sha: ${{ steps.gate.outputs.base_sha }}
+      head_sha: ${{ steps.gate.outputs.head_sha }}
       decision: ${{ steps.parse.outputs.decision }}
       message: ${{ steps.parse.outputs.message }}
 
     steps:
+      - name: Resolve PR context
+        id: gate
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          pr_number="${{ github.event.workflow_run.pull_requests[0].number }}"
+          if [ -z "$pr_number" ]; then
+            echo "No pull request found for this workflow_run; skipping."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            echo "pr_number=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          author="$(gh pr view "$pr_number" --json author --jq .author.login)"
+          if [ "$author" != "carlospolop" ]; then
+            echo "PR author is $author; skipping."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          pr_title="$(gh pr view "$pr_number" --json title --jq .title)"
+          pr_body="$(gh pr view "$pr_number" --json body --jq .body)"
+          base_ref="$(gh pr view "$pr_number" --json baseRefName --jq .baseRefName)"
+          head_ref="$(gh pr view "$pr_number" --json headRefName --jq .headRefName)"
+          base_sha="$(gh pr view "$pr_number" --json baseRefOid --jq .baseRefOid)"
+          head_sha="$(gh pr view "$pr_number" --json headRefOid --jq .headRefOid)"
+
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+          echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+          echo "pr_title<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$pr_title" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+          echo "pr_body<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$pr_body" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+          echo "base_ref=$base_ref" >> "$GITHUB_OUTPUT"
+          echo "head_ref=$head_ref" >> "$GITHUB_OUTPUT"
+          echo "base_sha=$base_sha" >> "$GITHUB_OUTPUT"
+          echo "head_sha=$head_sha" >> "$GITHUB_OUTPUT"
+
       - name: Checkout PR merge ref
         uses: actions/checkout@v5
         with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          ref: refs/pull/${{ steps.gate.outputs.pr_number }}/merge
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
 
       - name: Pre-fetch base and head refs
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
         run: |
           git fetch --no-tags origin \
-            ${{ github.event.pull_request.base.ref }} \
-            +refs/pull/${{ github.event.pull_request.number }}/head
+            ${{ steps.gate.outputs.base_ref }} \
+            +refs/pull/${{ steps.gate.outputs.pr_number }}/head
 
       - name: Run Codex
         id: run_codex
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
         uses: openai/codex-action@v1
         with:
           openai-api-key: ${{ secrets.OPENAI_API_KEY }}
           output-schema-file: .github/codex/pr-merge-schema.json
           model: gpt-5.2-codex
           prompt: |
-            You are reviewing PR #${{ github.event.pull_request.number }} for ${{ github.repository }}.
+            You are reviewing PR #${{ steps.gate.outputs.pr_number }} for ${{ github.repository }}.
 
             Decide whether to merge or comment. Merge only if all of the following are true:
             - Changes are simple and safe (no DoS, no long operations, no backdoors).
@@ -48,16 +101,17 @@ jobs:
 
             Pull request title and body:
             ----
-            ${{ github.event.pull_request.title }}
-            ${{ github.event.pull_request.body }}
+            ${{ steps.gate.outputs.pr_title }}
+            ${{ steps.gate.outputs.pr_body }}
 
             Review ONLY the changes introduced by the PR:
-              git log --oneline ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}
+              git log --oneline ${{ steps.gate.outputs.base_sha }}...${{ steps.gate.outputs.head_sha }}
 
             Output JSON only, following the provided schema.
 
       - name: Parse Codex decision
         id: parse
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
         env:
           CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
         run: |
@@ -78,7 +132,7 @@ jobs:
   merge_or_comment:
     runs-on: ubuntu-latest
     needs: codex_triage
-    if: ${{ needs.codex_triage.outputs.decision != '' }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' && needs.codex_triage.outputs.should_run == 'true' && needs.codex_triage.outputs.decision != '' }}
     permissions:
       contents: write
       pull-requests: write
@@ -87,7 +141,7 @@ jobs:
         if: ${{ needs.codex_triage.outputs.decision == 'merge' }}
         env:
           GH_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_NUMBER: ${{ needs.codex_triage.outputs.pr_number }}
         run: |
           gh api \
             -X PUT \
@@ -100,7 +154,7 @@ jobs:
         if: ${{ needs.codex_triage.outputs.decision == 'comment' }}
         uses: actions/github-script@v7
         env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_NUMBER: ${{ needs.codex_triage.outputs.pr_number }}
           CODEX_MESSAGE: ${{ needs.codex_triage.outputs.message }}
         with:
           github-token: ${{ github.token }}

.github/workflows/pr-failure-codex-dispatch.yml

@@ -10,7 +10,7 @@ jobs:
     if: >
       ${{ github.event.workflow_run.conclusion == 'failure' &&
           github.event.workflow_run.pull_requests &&
-          github.event.workflow_run.pull_requests[0].user.login == 'carlospolop' &&
+          github.event.workflow_run.pull_requests[0] &&
           !startsWith(github.event.workflow_run.head_commit.message, 'Fix CI failures for PR #') }}
     runs-on: ubuntu-latest
     permissions:
@@ -20,10 +20,33 @@ jobs:
       actions: read
 
     steps:
-      - name: Comment on PR with failure info
-        uses: actions/github-script@v7
+      - name: Resolve PR context
+        id: pr_context
         env:
           PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          pr_author=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
+            --jq '.user.login')
+          pr_head_repo=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
+            --jq '.head.repo.full_name')
+          pr_head_branch=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
+            --jq '.head.ref')
+          {
+            echo "number=${PR_NUMBER}"
+            echo "author=${pr_author}"
+            echo "head_repo=${pr_head_repo}"
+            echo "head_branch=${pr_head_branch}"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Comment on PR with failure info
+        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ steps.pr_context.outputs.number }}
           RUN_URL: ${{ github.event.workflow_run.html_url }}
           WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
         with:
@@ -39,19 +62,22 @@ jobs:
             });
 
       - name: Checkout PR head
+        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         uses: actions/checkout@v5
         with:
-          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          repository: ${{ steps.pr_context.outputs.head_repo }}
           ref: ${{ github.event.workflow_run.head_sha }}
           fetch-depth: 0
           persist-credentials: true
 
       - name: Configure git author
+        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         run: |
           git config user.name "codex-action"
           git config user.email "codex-action@users.noreply.github.com"
 
       - name: Fetch failure summary
+        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         env:
           GH_TOKEN: ${{ github.token }}
           RUN_ID: ${{ github.event.workflow_run.id }}
@@ -79,10 +105,11 @@ jobs:
           PY
 
       - name: Create Codex prompt
+        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         env:
-          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          PR_NUMBER: ${{ steps.pr_context.outputs.number }}
           RUN_URL: ${{ github.event.workflow_run.html_url }}
-          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          HEAD_BRANCH: ${{ steps.pr_context.outputs.head_branch }}
         run: |
           {
             echo "You are fixing CI failures for PR #${PR_NUMBER} in ${{ github.repository }}."
@@ -98,6 +125,7 @@ jobs:
           } > codex_prompt.txt
 
       - name: Run Codex
+        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         id: run_codex
         uses: openai/codex-action@v1
         with:
@@ -107,23 +135,26 @@ jobs:
           model: gpt-5.2-codex
 
       - name: Commit and push if changed
+        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         env:
-          TARGET_BRANCH: ${{ github.event.workflow_run.head_branch }}
-          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          TARGET_BRANCH: ${{ steps.pr_context.outputs.head_branch }}
+          PR_NUMBER: ${{ steps.pr_context.outputs.number }}
         run: |
           if git diff --quiet; then
             echo "No changes to commit."
             exit 0
           fi
+          rm -f codex_failure_summary.txt codex_prompt.txt
           git add -A
+          git reset -- codex_failure_summary.txt codex_prompt.txt
           git commit -m "Fix CI failures for PR #${PR_NUMBER}"
           git push origin HEAD:${TARGET_BRANCH}
 
       - name: Comment with Codex result
-        if: steps.run_codex.outputs.final-message != ''
+        if: ${{ steps.pr_context.outputs.author == 'carlospolop' && steps.run_codex.outputs.final-message != '' }}
         uses: actions/github-script@v7
         env:
-          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          PR_NUMBER: ${{ steps.pr_context.outputs.number }}
           CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
         with:
           github-token: ${{ github.token }}

codex_failure_summary.txt

@@ -1,7 +0,0 @@
-Job: Build_and_test_linpeas_pr (id 60731895947)
-URL: https://github.com/peass-ng/PEASS-ng/actions/runs/21120092167/job/60731895947
-  Step: Build linpeas
-
-Job: Build_and_test_macpeas_pr (id 60731895952)
-URL: https://github.com/peass-ng/PEASS-ng/actions/runs/21120092167/job/60731895952
-  Step: Build macpeas

codex_prompt.txt

@@ -1,15 +0,0 @@
-You are fixing CI failures for PR #551 in peass-ng/PEASS-ng.
-The failing workflow run is: https://github.com/peass-ng/PEASS-ng/actions/runs/21120092167
-The PR branch is: codex-pr-failure-test-1
-
-Failure summary:
-Job: Build_and_test_linpeas_pr (id 60731895947)
-URL: https://github.com/peass-ng/PEASS-ng/actions/runs/21120092167/job/60731895947
-  Step: Build linpeas
-
-Job: Build_and_test_macpeas_pr (id 60731895952)
-URL: https://github.com/peass-ng/PEASS-ng/actions/runs/21120092167/job/60731895952
-  Step: Build macpeas
-Please identify the cause, apply a easy, simple and minimal fix, and update files accordingly.
-Run any fast checks you can locally (no network).
-Leave the repo in a state ready to commit as when you finish, it'll be automatically committed and pushed.

linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh

@@ -30,7 +30,7 @@
 # Functions Used: echo_not_found, print_2title, print_list, warn_exec
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled
+# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled, $protected_symlinks, $protected_hardlinks
 # Fat linpeas: 0
 # Small linpeas: 0
 
@@ -127,6 +127,22 @@ else
     if [ "$ptrace_scope" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$ptrace_scope" | sed -${E} "s,.*,${SED_GREEN},g"; fi
 fi
 
+print_list "protected_symlinks? ............ "$NC
+protected_symlinks=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null)
+if [ -z "$protected_symlinks" ]; then
+    echo_not_found "/proc/sys/fs/protected_symlinks"
+else
+    if [ "$protected_symlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_symlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "protected_hardlinks? ........... "$NC
+protected_hardlinks=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)
+if [ -z "$protected_hardlinks" ]; then
+    echo_not_found "/proc/sys/fs/protected_hardlinks"
+else
+    if [ "$protected_hardlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_hardlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
 print_list "perf_event_paranoid? ........... "$NC
 perf_event_paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null)
 if [ -z "$perf_event_paranoid" ]; then

linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh

@@ -4,6 +4,7 @@
 # Last Update: 07-03-2024
 # Description: Check for additional disk information and system resources relevant to privilege escalation:
 #   - Disk utilization
+#   - Inode usage
 #   - System resources
 #   - Storage statistics
 #   - Common vulnerable scenarios:
@@ -44,4 +45,8 @@ if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
     (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
     warn_exec free 2>/dev/null
     echo ""
-fi
+
+    print_2title "Inode usage"
+    warn_exec df -i 2>/dev/null
+    echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_Deleted_open_files.sh

@@ -0,0 +1,25 @@
+# Title: Processes & Cron & Services & Timers - Deleted open files
+# ID: PR_Deleted_open_files
+# Author: Carlos Polop
+# Last Update: 2025-01-07
+# Description: Identify deleted files still held open by running processes
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $DEBUG, $EXTRA_CHECKS, $E, $SED_RED
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if [ "$(command -v lsof 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+    print_2title "Deleted files still open"
+    print_info "Open deleted files can hide tools and still consume disk space"
+    lsof +L1 2>/dev/null | sed -${E} "s,\\(deleted\\),${SED_RED},g"
+    echo ""
+elif [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+    print_2title "Deleted files still open"
+    print_info "lsof not found, scanning /proc for deleted file descriptors"
+    ls -l /proc/[0-9]*/fd 2>/dev/null | grep "(deleted)" | sed -${E} "s,\\(deleted\\),${SED_RED},g" | head -n 200
+    echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh

@@ -23,6 +23,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   incrontab -l 2>/dev/null
   ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
   cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
+  grep -Hn '^PATH=' /etc/crontab /etc/cron.d/* 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
   crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
   ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
   atq 2>/dev/null
@@ -247,4 +248,4 @@ else
   print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
   find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
 fi
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh

@@ -19,6 +19,16 @@ print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation
 if [ "$PASSWORD" ]; then
   (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null  || echo_not_found "sudo"
 fi
+(sudo -n -l 2>/dev/null | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo "No cached sudo token (sudo -n -l)"
+
+secure_path_line=$(sudo -l 2>/dev/null | grep -o "secure_path=[^,]*" | head -n 1 | cut -d= -f2)
+if [ "$secure_path_line" ]; then
+  for p in $(echo "$secure_path_line" | tr ':' ' '); do
+    if [ -w "$p" ]; then
+      echo "Writable secure_path entry: $p" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+  done
+fi
 ( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null  || echo_not_found "/etc/sudoers"
 if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
   echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
@@ -29,4 +39,4 @@ for f in /etc/sudoers.d/*; do
     grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
   fi
 done
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh

@@ -40,4 +40,18 @@ else
   echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
 
 fi
+
+if [ -d "/var/run/sudo/ts" ]; then
+  echo "Sudo token directory perms:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  ls -ld /var/run/sudo/ts 2>/dev/null
+  if [ -w "/var/run/sudo/ts" ]; then
+    echo "/var/run/sudo/ts is writable" | sed -${E} "s,.*,${SED_RED},g"
+  fi
+  if [ -f "/var/run/sudo/ts/$USER" ]; then
+    ls -l "/var/run/sudo/ts/$USER" 2>/dev/null
+    if [ -w "/var/run/sudo/ts/$USER" ]; then
+      echo "User sudo token file is writable" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+  fi
+fi
 echo ""

linPEAS/builder/linpeas_parts/functions/check_external_hostname.sh

@@ -17,10 +17,10 @@ check_external_hostname(){
   INTERNET_SEARCH_TIMEOUT=15
   # wget or curl?
   if command -v curl >/dev/null 2>&1; then
-    curl "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
+    curl "https://tools.hacktricks.wiki/api/host-checker" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
   elif command -v wget >/dev/null 2>&1; then
-    wget -q -O - "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
+    wget -q -O - "https://tools.hacktricks.wiki/api/host-checker" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
   else
     echo "wget or curl not found"
   fi
-}
+}

linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh

@@ -15,11 +15,12 @@
 
 check_tcp_443_bin () {
   local TIMEOUT_INTERNET_SECONDS_443_BIN=$1
-  local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/"
+  local url_lambda="https://tools.hacktricks.wiki/api/host-checker"
 
   if command -v curl >/dev/null 2>&1; then
     if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \
-         -H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
+         -H "User-Agent: linpeas" -H "Content-Type: application/json" \
+         -d "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
     then
       echo "Port 443 is accessible with curl"
       return 0                      # ✅ success
@@ -30,7 +31,8 @@ check_tcp_443_bin () {
 
   elif command -v wget >/dev/null 2>&1; then
     if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \
-         --header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
+         --header "User-Agent: linpeas" -H "Content-Type: application/json" \
+         --post-data "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
     then
       echo "Port 443 is accessible with wget"
       return 0

linPEAS/builder/linpeas_parts/variables/sudoVB1.sh

@@ -13,5 +13,5 @@
 # Small linpeas: 1
 
 
-sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|peass{SUDOVB1_HERE}"
+sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|env_keep\W*\+=.*PATH|!env_reset|!requiretty|peass{SUDOVB1_HERE}"
 sudoVB2="peass{SUDOVB2_HERE}"

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -88,6 +88,7 @@ namespace winPEAS.Checks
                 PrintLocalGroupPolicy,
                 PrintPotentialGPOAbuse,
                 AppLockerHelper.PrintAppLockerPolicy,
+                PrintPrintNightmarePointAndPrint,
                 PrintPrintersWMIInfo,
                 PrintNamedPipes,
                 PrintNamedPipeAbuseCandidates,
@@ -836,6 +837,39 @@ namespace winPEAS.Checks
             }
         }
 
+        private static void PrintPrintNightmarePointAndPrint()
+        {
+            Beaprint.MainPrint("PrintNightmare PointAndPrint Policies");
+            Beaprint.LinkPrint("https://itm4n.github.io/printnightmare-exploitation/", "Check PointAndPrint policy hardening");
+
+            try
+            {
+                string key = @"Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint";
+                var restrict = RegistryHelper.GetDwordValue("HKLM", key, "RestrictDriverInstallationToAdministrators");
+                var noWarn = RegistryHelper.GetDwordValue("HKLM", key, "NoWarningNoElevationOnInstall");
+                var updatePrompt = RegistryHelper.GetDwordValue("HKLM", key, "UpdatePromptSettings");
+
+                if (restrict == null && noWarn == null && updatePrompt == null)
+                {
+                    Beaprint.NotFoundPrint();
+                    return;
+                }
+
+                Beaprint.NoColorPrint($"      RestrictDriverInstallationToAdministrators: {restrict}\n" +
+                                      $"      NoWarningNoElevationOnInstall: {noWarn}\n" +
+                                      $"      UpdatePromptSettings: {updatePrompt}");
+
+                if (restrict == 0 && noWarn == 1 && updatePrompt == 2)
+                {
+                    Beaprint.BadPrint("      [!] Potentially vulnerable to PrintNightmare misconfiguration");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
         private static void PrintPrintersWMIInfo()
         {
             Beaprint.MainPrint("Enumerating Printers (WMI)");

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/HostnameResolution.cs

@@ -46,7 +46,7 @@ namespace winPEAS.Info.NetworkInfo
 
                 // 4. Call external checker
                 var resp = httpClient
-                    .PostAsync("https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/", payload)
+                    .PostAsync("https://tools.hacktricks.wiki/api/host-checker", payload)
                     .GetAwaiter().GetResult();
 
                 if (resp.IsSuccessStatusCode)

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetConnectivity.cs

@@ -4,6 +4,8 @@ using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Net.NetworkInformation;
 using System.Net.Sockets;
+using System.Text;
+using System.Text.Json;
 using System.Threading;
 
 namespace winPEAS.Info.NetworkInfo
@@ -48,7 +50,7 @@ namespace winPEAS.Info.NetworkInfo
             { "1.1.1.1", "8.8.8.8" };
 
         private const string LAMBDA_URL =
-            "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/";
+            "https://tools.hacktricks.wiki/api/host-checker";
 
         // Shared HttpClient (kept for HTTP & Lambda checks)
         private static readonly HttpClient http = new HttpClient
@@ -118,7 +120,12 @@ namespace winPEAS.Info.NetworkInfo
                 using var cts =
                     new CancellationTokenSource(TimeSpan.FromMilliseconds(HTTP_TIMEOUT_MS));
 
-                var req = new HttpRequestMessage(HttpMethod.Get, LAMBDA_URL);
+                var payload = new StringContent(
+                    JsonSerializer.Serialize(new { hostname = Environment.MachineName }),
+                    Encoding.UTF8,
+                    "application/json");
+                var req = new HttpRequestMessage(HttpMethod.Post, LAMBDA_URL);
+                req.Content = payload;
                 req.Headers.UserAgent.ParseAdd("winpeas");
                 req.Headers.Accept.Add(
                     new MediaTypeWithQualityHeaderValue("application/json"));

winPEAS/winPEASps1/winPEAS.ps1

@@ -821,6 +821,34 @@ $Hotfix = Get-HotFix | Sort-Object -Descending -Property InstalledOn -ErrorActio
 $Hotfix | Format-Table -AutoSize
 
 
+# PrintNightmare PointAndPrint policy checks
+Write-Host ""
+if ($TimeStamp) { TimeElapsed }
+Write-Host -ForegroundColor Blue "=========|| PRINTNIGHTMARE POINTANDPRINT POLICY"
+$pnKey = "HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
+if (Test-Path $pnKey) {
+  $pn = Get-ItemProperty -Path $pnKey -ErrorAction SilentlyContinue
+  $restrict = $pn.RestrictDriverInstallationToAdministrators
+  $noWarn = $pn.NoWarningNoElevationOnInstall
+  $updatePrompt = $pn.UpdatePromptSettings
+
+  Write-Host "RestrictDriverInstallationToAdministrators: $restrict"
+  Write-Host "NoWarningNoElevationOnInstall: $noWarn"
+  Write-Host "UpdatePromptSettings: $updatePrompt"
+
+  $hasAllValues = ($null -ne $restrict) -and ($null -ne $noWarn) -and ($null -ne $updatePrompt)
+  if (-not $hasAllValues) {
+    Write-Host "PointAndPrint policy values are missing or not configured" -ForegroundColor Gray
+  } elseif (($restrict -eq 0) -and ($noWarn -eq 1) -and ($updatePrompt -eq 2)) {
+    Write-Host "Potentially vulnerable to PrintNightmare misconfiguration" -ForegroundColor Red
+  } else {
+    Write-Host "PointAndPrint policy is not in the known risky configuration" -ForegroundColor Green
+  }
+} else {
+  Write-Host "PointAndPrint policy key not found" -ForegroundColor Gray
+}
+
+
 #Show all unique updates installed
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }