f

This reverts commit 386ef0642a.

.github/workflows/CI-master_tests.yml

@@ -26,7 +26,7 @@ jobs:
     steps:
       # checkout
       - name: Checkout
-        uses: actions/checkout@master
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       
@@ -36,11 +36,11 @@ jobs:
             
       # Add  MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
       - name: Setup MSBuild.exe
-        uses: microsoft/setup-msbuild@v1.0.2
+        uses: microsoft/setup-msbuild@v2
        
       # Setup NuGet
       - name: Setup NuGet.exe
-        uses: nuget/setup-nuget@v1  
+        uses: nuget/setup-nuget@v2
         
       # Restore the packages for testing
       - name: Restore the application       
@@ -48,23 +48,23 @@ jobs:
         
       # build
       - name: run MSBuild
-        run: msbuild $env:Solution_Path
+        run: msbuild $env:Solution_Path /p:Configuration=$env:Configuration /p:UseSharedCompilation=false
         
       # Execute all unit tests in the solution
-      #- name: Execute unit tests
-      #  run: dotnet test $env:Solution_Path
+      - name: Execute unit tests
+        run: dotnet test $env:Solution_Path --configuration $env:Configuration
         
       # Build & update all versions
       - name: Build all versions
         run: |
             echo "build x64"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64" /p:UseSharedCompilation=false
             
             echo "build x86"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86" /p:UseSharedCompilation=false
             
             echo "build Any CPU"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU" /p:UseSharedCompilation=false
       
       - name: Execute winPEAS -h
         shell: pwsh
@@ -220,6 +220,7 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: '1.23'
+          cache: false
       - run: go version
       
       # Build linpeas
@@ -230,6 +231,9 @@ jobs:
           python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
           python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
           python3 -m builder.linpeas_builder --small --output linpeas_small.sh
+
+      - name: Run linPEAS builder tests
+        run: python3 -m unittest discover -s linPEAS/tests -p "test_*.py"
       
       # Build linpeas binaries
       - name: Build linpeas binaries 
@@ -362,7 +366,7 @@ jobs:
 
     steps:
       # Download repo
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
       
       # Build linpeas
       - name: Build macpeas
@@ -469,11 +473,11 @@ jobs:
     
     - name: Get current date
       id: date
-      run: echo "::set-output name=date::$(date +'%Y%m%d')"
+      run: echo "date=$(date +'%Y%m%d')" >> "$GITHUB_OUTPUT"
     
     - name: Generate random
       id: random_n
-      run: echo "::set-output name=some_rand::$(openssl rand -hex 4)"
+      run: echo "some_rand=$(openssl rand -hex 4)" >> "$GITHUB_OUTPUT"
     
     # Create the release
     - name: Create Release

.github/workflows/PR-tests.yml

@@ -8,6 +8,8 @@ on:
     paths-ignore:
       - '.github/**'
 
+  workflow_dispatch:
+
 jobs:
   Build_and_test_winpeas_pr:
     runs-on: windows-latest
@@ -20,7 +22,7 @@ jobs:
     steps:
       # checkout
       - name: Checkout
-        uses: actions/checkout@master
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       
@@ -30,11 +32,11 @@ jobs:
             
       # Add MSBuild to the PATH
       - name: Setup MSBuild.exe
-        uses: microsoft/setup-msbuild@v1.0.2
+        uses: microsoft/setup-msbuild@v2
        
       # Setup NuGet
       - name: Setup NuGet.exe
-        uses: nuget/setup-nuget@v1  
+        uses: nuget/setup-nuget@v2
         
       # Restore the packages for testing
       - name: Restore the application       
@@ -42,19 +44,23 @@ jobs:
         
       # build
       - name: run MSBuild
-        run: msbuild $env:Solution_Path
+        run: msbuild $env:Solution_Path /p:Configuration=$env:Configuration /p:UseSharedCompilation=false
+
+      # Execute unit tests in the solution
+      - name: Execute unit tests
+        run: dotnet test $env:Solution_Path --configuration $env:Configuration
         
       # Build all versions
       - name: Build all versions
         run: |
             echo "build x64"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64" /p:UseSharedCompilation=false
             
             echo "build x86"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86" /p:UseSharedCompilation=false
             
             echo "build Any CPU"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU" /p:UseSharedCompilation=false
       
       - name: Execute winPEAS -h
         shell: pwsh
@@ -105,7 +111,7 @@ jobs:
 
     steps:
       # Download repo
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       
@@ -113,6 +119,7 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: '1.23'
+          cache: false
       - run: go version
       
       # Build linpeas
@@ -123,6 +130,9 @@ jobs:
           python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
           python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
           python3 -m builder.linpeas_builder --small --output linpeas_small.sh
+
+      - name: Run linPEAS builder tests
+        run: python3 -m unittest discover -s linPEAS/tests -p "test_*.py"
       
       # Run linpeas help as quick test
       - name: Run linpeas help
@@ -161,7 +171,7 @@ jobs:
 
     steps:
       # Download repo
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       

.github/workflows/chack-agent-pr-triage.yml

@@ -0,0 +1,193 @@
+name: Chack-Agent PR Triage
+
+on:
+  workflow_run:
+    workflows: ["PR-tests"]
+    types: [completed]
+
+jobs:
+  chack_agent_triage:
+    # Temporarily disabled by maintainer request.
+    if: ${{ false && github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    env:
+      CHACK_LOGS_HTTP_URL: ${{ secrets.CHACK_LOGS_HTTP_URL }}
+    outputs:
+      should_run: ${{ steps.gate.outputs.should_run }}
+      pr_number: ${{ steps.gate.outputs.pr_number }}
+      pr_title: ${{ steps.gate.outputs.pr_title }}
+      pr_body: ${{ steps.gate.outputs.pr_body }}
+      base_ref: ${{ steps.gate.outputs.base_ref }}
+      head_ref: ${{ steps.gate.outputs.head_ref }}
+      base_sha: ${{ steps.gate.outputs.base_sha }}
+      head_sha: ${{ steps.gate.outputs.head_sha }}
+      decision: ${{ steps.parse.outputs.decision }}
+      message: ${{ steps.parse.outputs.message }}
+
+    steps:
+      - name: Resolve PR context
+        id: gate
+        env:
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          pr_number="${{ github.event.workflow_run.pull_requests[0].number }}"
+          if [ -z "$pr_number" ]; then
+            echo "No pull request found for this workflow_run; skipping."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            echo "pr_number=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          author="$(gh pr view "$pr_number" --json author --jq .author.login)"
+          if [ "$author" != "carlospolop" ]; then
+            echo "PR author is $author; skipping."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          pr_title="$(gh pr view "$pr_number" --json title --jq .title)"
+          pr_body="$(gh pr view "$pr_number" --json body --jq .body)"
+          base_ref="$(gh pr view "$pr_number" --json baseRefName --jq .baseRefName)"
+          head_ref="$(gh pr view "$pr_number" --json headRefName --jq .headRefName)"
+          base_sha="$(gh pr view "$pr_number" --json baseRefOid --jq .baseRefOid)"
+          head_sha="$(gh pr view "$pr_number" --json headRefOid --jq .headRefOid)"
+
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+          echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+          echo "pr_title<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$pr_title" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+          echo "pr_body<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$pr_body" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+          echo "base_ref=$base_ref" >> "$GITHUB_OUTPUT"
+          echo "head_ref=$head_ref" >> "$GITHUB_OUTPUT"
+          echo "base_sha=$base_sha" >> "$GITHUB_OUTPUT"
+          echo "head_sha=$head_sha" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout PR merge ref
+        uses: actions/checkout@v5
+        with:
+          ref: refs/pull/${{ steps.gate.outputs.pr_number }}/merge
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+
+      - name: Pre-fetch base and head refs
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        run: |
+          git fetch --no-tags origin \
+            ${{ steps.gate.outputs.base_ref }} \
+            +refs/pull/${{ steps.gate.outputs.pr_number }}/head
+
+      - name: Run Chack Agent
+        id: run_chack
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        uses: carlospolop/chack-agent@master
+        with:
+          provider: openrouter
+          model_primary: CHEAP_BUT_QUALITY
+          main_action: peass-ng
+          sub_action: Chack-Agent PR Triage
+          system_prompt: |
+            You are Chack Agent, an elite PR reviewer for PEASS-ng.
+            Be conservative: merge only if changes are simple, safe, and valuable accoding to the uers give guidelines.
+            If in doubt, comment with clear questions or concerns.
+            Remember taht you are an autonomouts agent, use the exec tool to run the needed commands to list, read, analyze, modify, test...
+          tools_config_json: "{\"exec_enabled\": true}"
+          session_config_json: "{\"long_term_memory_enabled\": false}"
+          agent_config_json: "{\"self_critique_enabled\": false, \"require_task_list_init_first\": true}"
+          output_schema_file: .github/chack-agent/pr-merge-schema.json
+          user_prompt: |
+            You are reviewing PR #${{ steps.gate.outputs.pr_number }} for ${{ github.repository }}.
+
+            Decide whether to merge or comment. Merge only if all of the following are true:
+            - Changes are simple and safe (no DoS, no long operations, no backdoors).
+            - Changes follow common PEASS syntax and style without breaking anything and add useful checks or value.
+            - Changes simplify code or add new useful checks without breaking anything.
+
+            If you don't have any doubts, and all the previous conditions are met, decide to merge.
+            If you have serious doubts, choose "comment" and include your doubts or questions.
+            If you decide to merge, include a short rationale.
+
+            Pull request title and body:
+            ----
+            ${{ steps.gate.outputs.pr_title }}
+            ${{ steps.gate.outputs.pr_body }}
+
+            Review ONLY the changes introduced by the PR:
+              git log --oneline ${{ steps.gate.outputs.base_sha }}...${{ steps.gate.outputs.head_sha }}
+
+            Output JSON only, following the provided schema:
+            .github/chack-agent/pr-merge-schema.json
+          openrouter_api_key: ${{ secrets.OPENROUTER_API_KEY }}
+
+      - name: Parse Chack Agent decision
+        id: parse
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        env:
+          CHACK_MESSAGE: ${{ steps.run_chack.outputs.final-message }}
+        run: |
+          python3 - <<'PY'
+          import json
+          import os
+
+          raw = (os.environ.get('CHACK_MESSAGE', '') or '').strip()
+          decision = 'comment'
+          message = 'Chack Agent did not provide details.'
+          try:
+            data = json.loads(raw or '{}')
+            if isinstance(data, dict):
+              decision = data.get('decision', 'comment')
+              message = data.get('message', '').strip() or message
+            else:
+              message = raw or message
+          except Exception:
+            message = raw or message
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as handle:
+            handle.write(f"decision={decision}\n")
+            handle.write("message<<EOF\n")
+            handle.write(message + "\n")
+            handle.write("EOF\n")
+          PY
+
+  merge_or_comment:
+    runs-on: ubuntu-latest
+    needs: chack_agent_triage
+    # Temporarily disabled by maintainer request.
+    if: ${{ false && github.event.workflow_run.conclusion == 'success' && needs.chack_agent_triage.outputs.should_run == 'true' && needs.chack_agent_triage.outputs.decision != '' }}
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Merge PR when approved
+        if: ${{ needs.chack_agent_triage.outputs.decision == 'merge' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ needs.chack_agent_triage.outputs.pr_number }}
+        run: |
+          gh api \
+            -X PUT \
+            -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER}/merge \
+            -f merge_method=squash \
+            -f commit_title="Auto-merge PR #${PR_NUMBER} (Chack Agent)"
+
+      - name: Comment with doubts
+        if: ${{ needs.chack_agent_triage.outputs.decision == 'comment' }}
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ needs.chack_agent_triage.outputs.pr_number }}
+          CHACK_MESSAGE: ${{ needs.chack_agent_triage.outputs.message }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number(process.env.PR_NUMBER),
+              body: process.env.CHACK_MESSAGE,
+            });

.github/workflows/ci-master-failure-chack-agent-pr.yml

@@ -0,0 +1,186 @@
+name: CI-master Failure Chack-Agent PR
+
+on:
+  workflow_run:
+    workflows: ["CI-master_test"]
+    types: [completed]
+
+jobs:
+  chack_agent_fix_master_failure:
+    # Temporarily disabled by maintainer request.
+    if: >
+      ${{ false && github.event.workflow_run.conclusion == 'failure' &&
+          github.event.workflow_run.head_branch == 'master' &&
+          !startsWith(github.event.workflow_run.head_commit.message, 'Fix CI-master failures for run #') }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      actions: read
+    env:
+      TARGET_BRANCH: master
+      FIX_BRANCH: chack-agent/ci-master-fix-${{ github.event.workflow_run.id }}
+      CHACK_LOGS_HTTP_URL: ${{ secrets.CHACK_LOGS_HTTP_URL }}
+    steps:
+      - name: Checkout failing commit
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+          fetch-depth: 0
+          persist-credentials: true
+          token: ${{ secrets.CHACK_AGENT_FIXER_TOKEN || github.token }}
+
+      - name: Configure git author
+        run: |
+          git config user.name "chack-agent"
+          git config user.email "chack-agent@users.noreply.github.com"
+
+      - name: Create fix branch
+        run: git checkout -b "$FIX_BRANCH"
+
+      - name: Fetch failure summary and failed-step logs
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+        run: |
+          failed_logs_file="$(pwd)/chack_failed_steps_logs.txt"
+          if gh run view "$RUN_ID" --repo "${{ github.repository }}" --log-failed > "$failed_logs_file"; then
+            if [ ! -s "$failed_logs_file" ]; then
+              echo "No failed step logs were returned by gh run view --log-failed." > "$failed_logs_file"
+            fi
+          else
+            echo "Failed to download failed step logs with gh run view --log-failed." > "$failed_logs_file"
+          fi
+          echo "FAILED_LOGS_PATH=$failed_logs_file" >> "$GITHUB_ENV"
+
+          gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/actions/runs/$RUN_ID/jobs \
+            --paginate > /tmp/jobs.json
+          python3 - <<'PY'
+          import json
+
+          data = json.load(open('/tmp/jobs.json'))
+          lines = []
+          for job in data.get('jobs', []):
+            if job.get('conclusion') == 'failure':
+              lines.append(f"Job: {job.get('name')} (id {job.get('id')})")
+              lines.append(f"URL: {job.get('html_url')}")
+              for step in job.get('steps', []):
+                if step.get('conclusion') == 'failure':
+                  lines.append(f"  Step: {step.get('name')}")
+              lines.append("")
+
+          summary = "\n".join(lines).strip() or "No failing job details found."
+          with open('chack_failure_summary.txt', 'w') as handle:
+            handle.write(summary)
+          PY
+
+      - name: Create Chack Agent prompt
+        env:
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+        run: |
+          {
+            echo "You are fixing a failing CI-master_test run in ${{ github.repository }}."
+            echo "The failing workflow run is: ${RUN_URL}"
+            echo "The failing commit SHA is: ${HEAD_SHA}"
+            echo "The target branch for the final PR is: ${TARGET_BRANCH}"
+            echo ""
+            echo "Failure summary:"
+            cat chack_failure_summary.txt
+            echo ""
+            echo "Failed-step logs file absolute path (local runner): ${FAILED_LOGS_PATH}"
+            echo "Read that file to inspect the exact failing logs."
+            echo ""
+            echo "Please identify the cause, apply an easy, simple and minimal fix, and update files accordingly."
+            echo "Run any fast checks you can locally (no network)."
+            echo "Leave the repo in a state ready to commit; changes will be committed and pushed automatically."
+          } > chack_prompt.txt
+
+      - name: Run Chack Agent
+        id: run_chack
+        uses: carlospolop/chack-agent@master
+        with:
+          provider: openrouter
+          model_primary: CHEAP_BUT_QUALITY
+          main_action: peass-ng
+          sub_action: CI-master Failure Chack-Agent PR
+          system_prompt: |
+            Diagnose the failing gh actions workflow, propose the minimal and effective safe fix, and implement it.
+            Run only fast, local checks (no network). Leave the repo ready to commit.
+          prompt_file: chack_prompt.txt
+          tools_config_json: "{\"exec_enabled\": true}"
+          session_config_json: "{\"long_term_memory_enabled\": false}"
+          agent_config_json: "{\"self_critique_enabled\": false, \"require_task_list_init_first\": true}"
+          openrouter_api_key: ${{ secrets.OPENROUTER_API_KEY }}
+
+      - name: Commit and push fix branch if changed
+        id: push_fix
+        run: |
+          if git diff --quiet; then
+            echo "No changes to commit."
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          rm -f chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
+          git add -A
+          # Avoid workflow-file pushes with token scopes that cannot write workflows.
+          git reset -- .github/workflows || true
+          git checkout -- .github/workflows || true
+          git clean -fdx -- .github/workflows || true
+          git reset -- chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
+          if git diff --cached --name-only | grep -q '^.github/workflows/'; then
+            echo "Workflow-file changes are still staged; skipping push without workflows permission."
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if git diff --cached --quiet; then
+            echo "No committable changes left after filtering."
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          git commit -m "Fix CI-master failures for run #${{ github.event.workflow_run.id }}"
+          if ! git push origin HEAD:"$FIX_BRANCH"; then
+            echo "Push failed (likely token workflow permission limits); skipping PR creation."
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "pushed=true" >> "$GITHUB_OUTPUT"
+
+      - name: Create PR to master
+        if: ${{ steps.push_fix.outputs.pushed == 'true' }}
+        id: create_pr
+        env:
+          GH_TOKEN: ${{ secrets.CHACK_AGENT_FIXER_TOKEN || github.token }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+        run: |
+          pr_url=$(gh pr create \
+            --title "Fix CI-master_test failure (run #${{ github.event.workflow_run.id }})" \
+            --body "Automated Chack Agent fix for failing CI-master_test run: ${RUN_URL}" \
+            --base "$TARGET_BRANCH" \
+            --head "$FIX_BRANCH")
+          echo "url=$pr_url" >> "$GITHUB_OUTPUT"
+
+      - name: Comment on created PR with Chack Agent result
+        if: ${{ steps.push_fix.outputs.pushed == 'true' && steps.run_chack.outputs.final-message != '' }}
+        uses: actions/github-script@v7
+        env:
+          PR_URL: ${{ steps.create_pr.outputs.url }}
+          CHACK_MESSAGE: ${{ steps.run_chack.outputs.final-message }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            const prUrl = process.env.PR_URL;
+            const match = prUrl.match(/\/pull\/(\d+)$/);
+            if (!match) {
+              core.info(`Could not parse PR number from URL: ${prUrl}`);
+              return;
+            }
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number(match[1]),
+              body: process.env.CHACK_MESSAGE,
+            });

.github/workflows/codex-pr-triage.yml

@@ -1,113 +0,0 @@
-name: Codex PR Triage
-
-on:
-  pull_request:
-    types: [opened]
-
-jobs:
-  codex_triage:
-    if: ${{ github.event.pull_request.user.login == 'carlospolop' }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-    outputs:
-      decision: ${{ steps.parse.outputs.decision }}
-      message: ${{ steps.parse.outputs.message }}
-
-    steps:
-      - name: Checkout PR merge ref
-        uses: actions/checkout@v5
-        with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
-
-      - name: Pre-fetch base and head refs
-        run: |
-          git fetch --no-tags origin \
-            ${{ github.event.pull_request.base.ref }} \
-            +refs/pull/${{ github.event.pull_request.number }}/head
-
-      - name: Run Codex
-        id: run_codex
-        uses: openai/codex-action@v1
-        with:
-          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
-          output-schema-file: .github/codex/pr-merge-schema.json
-          model: gpt-5.2-codex
-          prompt: |
-            You are reviewing PR #${{ github.event.pull_request.number }} for ${{ github.repository }}.
-
-            Decide whether to merge or comment. Merge only if all of the following are true:
-            - Changes are simple and safe (no DoS, no long operations, no backdoors).
-            - Changes follow common PEASS syntax and style without breaking anything and add useful checks or value.
-            - Changes simplify code or add new useful checks without breaking anything.
-
-            If you don't have any doubts, and all the previous conditions are met, decide to merge.
-            If you have serious doubts, choose "comment" and include your doubts or questions.
-            If you decide to merge, include a short rationale.
-
-            Pull request title and body:
-            ----
-            ${{ github.event.pull_request.title }}
-            ${{ github.event.pull_request.body }}
-
-            Review ONLY the changes introduced by the PR:
-              git log --oneline ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}
-
-            Output JSON only, following the provided schema.
-
-      - name: Parse Codex decision
-        id: parse
-        env:
-          CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
-        run: |
-          python3 - <<'PY'
-          import json
-          import os
-
-          data = json.loads(os.environ.get('CODEX_MESSAGE', '') or '{}')
-          decision = data.get('decision', 'comment')
-          message = data.get('message', '').strip() or 'Codex did not provide details.'
-          with open(os.environ['GITHUB_OUTPUT'], 'a') as handle:
-            handle.write(f"decision={decision}\n")
-            handle.write("message<<EOF\n")
-            handle.write(message + "\n")
-            handle.write("EOF\n")
-          PY
-
-  merge_or_comment:
-    runs-on: ubuntu-latest
-    needs: codex_triage
-    if: ${{ needs.codex_triage.outputs.decision != '' }}
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-      - name: Merge PR when approved
-        if: ${{ needs.codex_triage.outputs.decision == 'merge' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          gh api \
-            -X PUT \
-            -H "Accept: application/vnd.github+json" \
-            /repos/${{ github.repository }}/pulls/${PR_NUMBER}/merge \
-            -f merge_method=squash \
-            -f commit_title="Auto-merge PR #${PR_NUMBER} (Codex)"
-
-      - name: Comment with doubts
-        if: ${{ needs.codex_triage.outputs.decision == 'comment' }}
-        uses: actions/github-script@v7
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          CODEX_MESSAGE: ${{ needs.codex_triage.outputs.message }}
-        with:
-          github-token: ${{ github.token }}
-          script: |
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: Number(process.env.PR_NUMBER),
-              body: process.env.CODEX_MESSAGE,
-            });

.github/workflows/pr-failure-chack-agent-dispatch.yml

@@ -1,4 +1,4 @@
-name: PR Failure Codex Dispatch
+name: PR Failure Chack-Agent Dispatch
 
 on:
   workflow_run:
@@ -6,19 +6,23 @@ on:
     types: [completed]
 
 jobs:
-  codex_on_failure:
+  resolve_pr_context:
+    # Temporarily disabled by maintainer request.
     if: >
-      ${{ github.event.workflow_run.conclusion == 'failure' &&
+      ${{ false && github.event.workflow_run.conclusion == 'failure' &&
           github.event.workflow_run.pull_requests &&
           github.event.workflow_run.pull_requests[0] &&
           !startsWith(github.event.workflow_run.head_commit.message, 'Fix CI failures for PR #') }}
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-      actions: read
-
+      pull-requests: read
+      issues: read
+    outputs:
+      number: ${{ steps.pr_context.outputs.number }}
+      author: ${{ steps.pr_context.outputs.author }}
+      head_repo: ${{ steps.pr_context.outputs.head_repo }}
+      head_branch: ${{ steps.pr_context.outputs.head_branch }}
+      should_run: ${{ steps.pr_context.outputs.should_run }}
     steps:
       - name: Resolve PR context
         id: pr_context
@@ -35,25 +39,47 @@ jobs:
           pr_head_branch=$(gh api -H "Accept: application/vnd.github+json" \
             /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
             --jq '.head.ref')
+          pr_labels=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/issues/${PR_NUMBER} \
+            --jq '.labels[].name')
+          if echo "$pr_labels" | grep -q "^chack-agent-fix-attempted$"; then
+            echo "chack-agent fix already attempted for PR #${PR_NUMBER}; skipping."
+            should_run=false
+          else
+            should_run=true
+          fi
           {
             echo "number=${PR_NUMBER}"
             echo "author=${pr_author}"
             echo "head_repo=${pr_head_repo}"
             echo "head_branch=${pr_head_branch}"
+            echo "should_run=${should_run}"
           } >> "$GITHUB_OUTPUT"
 
+  chack_agent_on_failure:
+    needs: resolve_pr_context
+    # Temporarily disabled by maintainer request.
+    if: ${{ false && needs.resolve_pr_context.outputs.author == 'carlospolop' && needs.resolve_pr_context.outputs.should_run == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      actions: read
+    env:
+      CHACK_LOGS_HTTP_URL: ${{ secrets.CHACK_LOGS_HTTP_URL }}
+    steps:
       - name: Comment on PR with failure info
-        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         uses: actions/github-script@v7
         env:
-          PR_NUMBER: ${{ steps.pr_context.outputs.number }}
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
           RUN_URL: ${{ github.event.workflow_run.html_url }}
           WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
         with:
           github-token: ${{ github.token }}
           script: |
             const prNumber = Number(process.env.PR_NUMBER);
-            const body = `PR #${prNumber} had a failing workflow "${process.env.WORKFLOW_NAME}".\n\nRun: ${process.env.RUN_URL}\n\nLaunching Codex to attempt a fix.`;
+            const body = `PR #${prNumber} had a failing workflow "${process.env.WORKFLOW_NAME}".\n\nRun: ${process.env.RUN_URL}\n\nLaunching Chack Agent to attempt a fix.`;
             await github.rest.issues.createComment({
               owner: context.repo.owner,
               repo: context.repo.repo,
@@ -61,23 +87,30 @@ jobs:
               body,
             });
 
+      - name: Mark fix attempt
+        env:
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api -X POST -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/issues/${PR_NUMBER}/labels \
+            -f labels[]=chack-agent-fix-attempted
+
       - name: Checkout PR head
-        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         uses: actions/checkout@v5
         with:
-          repository: ${{ steps.pr_context.outputs.head_repo }}
+          repository: ${{ needs.resolve_pr_context.outputs.head_repo }}
           ref: ${{ github.event.workflow_run.head_sha }}
           fetch-depth: 0
           persist-credentials: true
+          token: ${{ secrets.CHACK_AGENT_FIXER_TOKEN || github.token }}
 
       - name: Configure git author
-        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         run: |
-          git config user.name "codex-action"
-          git config user.email "codex-action@users.noreply.github.com"
+          git config user.name "chack-agent"
+          git config user.email "chack-agent@users.noreply.github.com"
 
       - name: Fetch failure summary
-        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         env:
           GH_TOKEN: ${{ github.token }}
           RUN_ID: ${{ github.event.workflow_run.id }}
@@ -100,16 +133,15 @@ jobs:
               lines.append("")
 
           summary = "\n".join(lines).strip() or "No failing job details found."
-          with open('codex_failure_summary.txt', 'w') as handle:
+          with open('chack_failure_summary.txt', 'w') as handle:
             handle.write(summary)
           PY
 
-      - name: Create Codex prompt
-        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
+      - name: Create Chack Agent prompt
         env:
-          PR_NUMBER: ${{ steps.pr_context.outputs.number }}
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
           RUN_URL: ${{ github.event.workflow_run.html_url }}
-          HEAD_BRANCH: ${{ steps.pr_context.outputs.head_branch }}
+          HEAD_BRANCH: ${{ needs.resolve_pr_context.outputs.head_branch }}
         run: |
           {
             echo "You are fixing CI failures for PR #${PR_NUMBER} in ${{ github.repository }}."
@@ -117,45 +149,67 @@ jobs:
             echo "The PR branch is: ${HEAD_BRANCH}"
             echo ""
             echo "Failure summary:"
-            cat codex_failure_summary.txt
+            cat chack_failure_summary.txt
             echo ""
             echo "Please identify the cause, apply a easy, simple and minimal fix, and update files accordingly."
             echo "Run any fast checks you can locally (no network)."
             echo "Leave the repo in a state ready to commit as when you finish, it'll be automatically committed and pushed."
-          } > codex_prompt.txt
+          } > chack_prompt.txt
 
-      - name: Run Codex
-        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
-        id: run_codex
-        uses: openai/codex-action@v1
+      - name: Run Chack Agent
+        id: run_chack
+        uses: carlospolop/chack-agent@master
         with:
-          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
-          prompt-file: codex_prompt.txt
-          sandbox: workspace-write
-          model: gpt-5.2-codex
+          provider: openrouter
+          model_primary: CHEAP_BUT_QUALITY
+          main_action: peass-ng
+          sub_action: PR Failure Chack-Agent Dispatch
+          system_prompt: |
+            You are Chack Agent, an elite CI-fix engineer.
+            Diagnose the failing workflow, propose the minimal safe fix, and implement it.
+            Run only fast, local checks (no network). Leave the repo ready to commit.
+          prompt_file: chack_prompt.txt
+          tools_config_json: "{\"exec_enabled\": true}"
+          session_config_json: "{\"long_term_memory_enabled\": false}"
+          agent_config_json: "{\"self_critique_enabled\": false, \"require_task_list_init_first\": true}"
+          openrouter_api_key: ${{ secrets.OPENROUTER_API_KEY }}
 
       - name: Commit and push if changed
-        if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
         env:
-          TARGET_BRANCH: ${{ steps.pr_context.outputs.head_branch }}
-          PR_NUMBER: ${{ steps.pr_context.outputs.number }}
+          TARGET_BRANCH: ${{ needs.resolve_pr_context.outputs.head_branch }}
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
         run: |
           if git diff --quiet; then
             echo "No changes to commit."
             exit 0
           fi
-          rm -f codex_failure_summary.txt codex_prompt.txt
+          rm -f chack_failure_summary.txt chack_prompt.txt
           git add -A
-          git reset -- codex_failure_summary.txt codex_prompt.txt
+          # Avoid workflow-file pushes with token scopes that cannot write workflows.
+          git reset -- .github/workflows || true
+          git checkout -- .github/workflows || true
+          git clean -fdx -- .github/workflows || true
+          git reset -- chack_failure_summary.txt chack_prompt.txt
+          if git diff --cached --name-only | grep -q '^.github/workflows/'; then
+            echo "Workflow-file changes are still staged; skipping push without workflows permission."
+            exit 0
+          fi
+          if git diff --cached --quiet; then
+            echo "No committable changes left after filtering."
+            exit 0
+          fi
           git commit -m "Fix CI failures for PR #${PR_NUMBER}"
-          git push origin HEAD:${TARGET_BRANCH}
+          if ! git push origin HEAD:${TARGET_BRANCH}; then
+            echo "Push failed (likely token workflow permission limits); leaving run successful without push."
+            exit 0
+          fi
 
-      - name: Comment with Codex result
-        if: ${{ steps.pr_context.outputs.author == 'carlospolop' && steps.run_codex.outputs.final-message != '' }}
+      - name: Comment with Chack Agent result
+        if: ${{ steps.run_chack.outputs.final-message != '' }}
         uses: actions/github-script@v7
         env:
-          PR_NUMBER: ${{ steps.pr_context.outputs.number }}
-          CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          CHACK_MESSAGE: ${{ steps.run_chack.outputs.final-message }}
         with:
           github-token: ${{ github.token }}
           script: |
@@ -163,5 +217,5 @@ jobs:
               owner: context.repo.owner,
               repo: context.repo.repo,
               issue_number: Number(process.env.PR_NUMBER),
-              body: process.env.CODEX_MESSAGE,
+              body: process.env.CHACK_MESSAGE,
             });

build_lists/sensitive_files.yaml

@@ -813,6 +813,12 @@ search:
                       bad_regex: "auth|accessfile=|secret=|user"
                       remove_regex:  "^#|^@"
                       type: f
+                - name: "*"
+                  value:
+                      bad_regex: "nullok|nullok_secure|pam_permit\\.so|pam_rootok\\.so|pam_exec\\.so|pam_unix\\.so.*(nullok|remember=0)|sufficient\\s+pam_unix\\.so"
+                      only_bad_lines: True
+                      remove_regex: "^#|^@"
+                      type: f
               type: d
               search_in: 
                 - ${ROOT_FOLDER}etc
@@ -1235,12 +1241,20 @@ search:
           auto_check: False
     
         files:
-          - name: "agent*"
+          - name: "agent.*"
             value: 
                 type: f
                 remove_path: ".dll"
                 search_in: 
                   - ${ROOT_FOLDER}tmp
+                  - ${ROOT_FOLDER}run
+
+          - name: "ssh-agent.sock"
+            value:
+                type: f
+                search_in:
+                  - ${ROOT_FOLDER}tmp
+                  - ${ROOT_FOLDER}run
       
   - name: SSH_CONFIG
     value:
@@ -2067,6 +2081,45 @@ search:
                 type: f
                 search_in: 
                   - common
+
+          - name: "*.asc"
+            value:
+                type: f
+                remove_path: "/usr/share/|/usr/lib/|/lib/|/man/"
+                search_in:
+                  - common
+
+          - name: "secring.gpg"
+            value:
+                type: f
+                search_in:
+                  - common
+
+          - name: "pubring.kbx"
+            value:
+                type: f
+                search_in:
+                  - common
+
+          - name: "trustdb.gpg"
+            value:
+                type: f
+                search_in:
+                  - common
+
+          - name: "gpg-agent.conf"
+            value:
+                type: f
+                search_in:
+                  - common
+
+          - name: "secret.asc"
+            value:
+                type: f
+                just_list_file: True
+                search_in:
+                  - common
+
           - name: "private-keys-v1.d/*.key"
             value: 
                 type: f
@@ -2844,6 +2897,85 @@ search:
                 remove_path: "example"
                 search_in: 
                   - common
+
+  - name: Proxy_Config
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "environment"
+            value:
+                bad_regex: "(http|https|ftp|all)_proxy|no_proxy"
+                only_bad_lines: True
+                remove_empty_lines: True
+                remove_regex: '^#'
+                type: f
+                check_extra_path: "^/etc/environment$"
+                search_in:
+                  - common
+
+          - name: "apt.conf"
+            value:
+                bad_regex: "Acquire::http::Proxy|Acquire::https::Proxy|proxy"
+                only_bad_lines: True
+                remove_empty_lines: True
+                remove_regex: '^#'
+                type: f
+                search_in:
+                  - common
+
+          - name: "apt.conf.d"
+            value:
+                type: d
+                files:
+                  - name: "*"
+                    value:
+                        bad_regex: "Acquire::http::Proxy|Acquire::https::Proxy|proxy"
+                        only_bad_lines: True
+                        remove_empty_lines: True
+                        remove_regex: '^#'
+                        type: f
+                search_in:
+                  - common
+    
+  - name: Sniffing_Artifacts
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "*.pcap"
+            value:
+                just_list_file: True
+                type: f
+                search_in:
+                  - common
+
+          - name: "*.pcapng"
+            value:
+                just_list_file: True
+                type: f
+                search_in:
+                  - common
+
+          - name: "keys.log"
+            value:
+                bad_regex: "CLIENT_RANDOM|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|EXPORTER_SECRET|RESUMPTION_MASTER_SECRET"
+                only_bad_lines: True
+                remove_empty_lines: True
+                type: f
+                search_in:
+                  - common
+
+          - name: "sslkeylog.log"
+            value:
+                bad_regex: "CLIENT_RANDOM|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|EXPORTER_SECRET|RESUMPTION_MASTER_SECRET"
+                only_bad_lines: True
+                remove_empty_lines: True
+                type: f
+                search_in:
+                  - common
     
   - name: Msmtprc
     value:
@@ -3948,6 +4080,13 @@ search:
                 search_in: 
                   - common
 
+          - name: "*.maintenance*"
+            value:
+                just_list_file: True
+                type: f
+                search_in:
+                  - common
+
           - name: "*.key"
             value: 
                 just_list_file: True

linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh

@@ -1,39 +0,0 @@
-# Title: System Information - Linux Exploit Suggester
-# ID: SY_Linux_exploit_suggester
-# Author: Carlos Polop
-# Last Update: 07-03-2024
-# Description: Execute Linux Exploit Suggester to identify potential kernel exploits:
-#   - Automated kernel vulnerability detection
-#   - Common vulnerable scenarios:
-#     * Known kernel vulnerabilities
-#     * Unpatched kernel versions
-#     * Missing security patches
-#   - Exploitation methods:
-#     * Kernel exploit execution: Use suggested exploits
-#     * Common attack vectors:
-#       - Kernel memory corruption
-#       - Race conditions
-#       - Use-after-free
-#       - Integer overflow
-#     * Exploit techniques:
-#       - Kernel memory manipulation
-#       - Privilege escalation
-#       - Root access acquisition
-#       - System compromise
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $MACPEAS
-# Initial Functions:
-# Generated Global Variables: $les_b64
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if [ "$(command -v bash 2>/dev/null || echo -n '')" ] && ! [ "$MACPEAS" ]; then
-    print_2title "Executing Linux Exploit Suggester"
-    print_info "https://github.com/mzet-/linux-exploit-suggester"
-    les_b64="peass{https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh}"
-    echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s/\[(CVE-[0-9]+-[0-9]+,?)+\].*/${SED_RED}/g"
-    echo ""
-fi

linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh

@@ -1,41 +0,0 @@
-# Title: System Information - Linux Exploit Suggester 2
-# ID: SY_Linux_exploit_suggester_2
-# Author: Carlos Polop
-# Last Update: 07-03-2024
-# Description: Execute Linux Exploit Suggester 2 (Perl version) to identify potential kernel exploits:
-#   - Alternative kernel vulnerability detection
-#   - Perl-based exploit suggestions
-#   - Common vulnerable scenarios:
-#     * Known kernel vulnerabilities
-#     * Unpatched kernel versions
-#     * Missing security patches
-#     * Alternative exploit paths
-#   - Exploitation methods:
-#     * Kernel exploit execution: Use suggested exploits
-#     * Common attack vectors:
-#       - Kernel memory corruption
-#       - Race conditions
-#       - Use-after-free
-#       - Integer overflow
-#     * Exploit techniques:
-#       - Kernel memory manipulation
-#       - Privilege escalation
-#       - Root access acquisition
-#       - System compromise
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables:
-# Initial Functions:
-# Generated Global Variables: $les2_b64
-# Fat linpeas: 1
-# Small linpeas: 0
-
-
-if [ "$(command -v perl 2>/dev/null || echo -n '')" ] && ! [ "$MACPEAS" ]; then
-    print_2title "Executing Linux Exploit Suggester 2"
-    print_info "https://github.com/jondonas/linux-exploit-suggester-2"
-    les2_b64="peass{https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl}"
-    echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -iE "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
-    echo ""
-fi

linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh

@@ -31,8 +31,8 @@
 # Small linpeas: 0
 
 if apt list --installed 2>/dev/null | grep -E 'polkit.*0\.105-26' | grep -qEv 'ubuntu1\.[1-9]' || \
-   yum list installed 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)' || \
-   rpm -qa 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)'; then
+   yum list installed 2>/dev/null | grep -qE 'polkit.*\(0\.117-2\|0\.115-6\|0\.11[3-9]\)' || \
+   rpm -qa 2>/dev/null | grep -qE 'polkit.*\(0\.117-2\|0\.115-6\|0\.11[3-9]\)'; then
     echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
     echo ""
 fi

linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh

@@ -30,11 +30,33 @@
 # Functions Used: echo_not_found, print_2title, print_list, warn_exec
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled
+# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled, $protected_symlinks, $protected_hardlinks, $label, $sysctl_path, $sysctl_var, $zero_color, $nonzero_color, $sysctl_value
 # Fat linpeas: 0
 # Small linpeas: 0
 
 
+print_sysctl_eq_zero() {
+    local label="$1"
+    local sysctl_path="$2"
+    local sysctl_var="$3"
+    local zero_color="$4"
+    local nonzero_color="$5"
+    local sysctl_value
+
+    print_list "$label" "$NC"
+    sysctl_value=$(cat "$sysctl_path" 2>/dev/null)
+    eval "$sysctl_var=\$sysctl_value"
+    if [ -z "$sysctl_value" ]; then
+        echo_not_found "$sysctl_path"
+    else
+        if [ "$sysctl_value" -eq 0 ]; then
+            echo "0" | sed -${E} "s,0,${zero_color},"
+        else
+            echo "$sysctl_value" | sed -${E} "s,.*,${nonzero_color},g"
+        fi
+    fi
+}
+
 #-- SY) AppArmor
 print_2title "Protections"
 print_list "AppArmor enabled? .............. "$NC
@@ -81,67 +103,25 @@ print_list "User namespace? ................ "$NC
 if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
 
 #-- SY) Unprivileged user namespaces
-print_list "unpriv_userns_clone? ........... "$NC
-unpriv_userns_clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
-if [ -z "$unpriv_userns_clone" ]; then
-    echo_not_found "/proc/sys/kernel/unprivileged_userns_clone"
-else
-    if [ "$unpriv_userns_clone" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_GREEN},"; else echo "$unpriv_userns_clone" | sed -${E} "s,.*,${SED_RED},g"; fi
-fi
+print_sysctl_eq_zero "unpriv_userns_clone? ........... " "/proc/sys/kernel/unprivileged_userns_clone" "unpriv_userns_clone" "$SED_GREEN" "$SED_RED"
 
 #-- SY) Unprivileged eBPF
-print_list "unpriv_bpf_disabled? ........... "$NC
-unpriv_bpf_disabled=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null)
-if [ -z "$unpriv_bpf_disabled" ]; then
-    echo_not_found "/proc/sys/kernel/unprivileged_bpf_disabled"
-else
-    if [ "$unpriv_bpf_disabled" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$unpriv_bpf_disabled" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "unpriv_bpf_disabled? ........... " "/proc/sys/kernel/unprivileged_bpf_disabled" "unpriv_bpf_disabled" "$SED_RED" "$SED_GREEN"
 
 #-- SY) cgroup2
 print_list "Cgroup2 enabled? ............... "$NC
 ([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
 
 #-- SY) Kernel hardening sysctls
-print_list "kptr_restrict? ................. "$NC
-kptr_restrict=$(cat /proc/sys/kernel/kptr_restrict 2>/dev/null)
-if [ -z "$kptr_restrict" ]; then
-    echo_not_found "/proc/sys/kernel/kptr_restrict"
-else
-    if [ "$kptr_restrict" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$kptr_restrict" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "kptr_restrict? ................. " "/proc/sys/kernel/kptr_restrict" "kptr_restrict" "$SED_RED" "$SED_GREEN"
 
-print_list "dmesg_restrict? ................ "$NC
-dmesg_restrict=$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null)
-if [ -z "$dmesg_restrict" ]; then
-    echo_not_found "/proc/sys/kernel/dmesg_restrict"
-else
-    if [ "$dmesg_restrict" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$dmesg_restrict" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "dmesg_restrict? ................ " "/proc/sys/kernel/dmesg_restrict" "dmesg_restrict" "$SED_RED" "$SED_GREEN"
 
-print_list "ptrace_scope? .................. "$NC
-ptrace_scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)
-if [ -z "$ptrace_scope" ]; then
-    echo_not_found "/proc/sys/kernel/yama/ptrace_scope"
-else
-    if [ "$ptrace_scope" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$ptrace_scope" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "ptrace_scope? .................. " "/proc/sys/kernel/yama/ptrace_scope" "ptrace_scope" "$SED_RED" "$SED_GREEN"
 
-print_list "protected_symlinks? ............ "$NC
-protected_symlinks=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null)
-if [ -z "$protected_symlinks" ]; then
-    echo_not_found "/proc/sys/fs/protected_symlinks"
-else
-    if [ "$protected_symlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_symlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "protected_symlinks? ............ " "/proc/sys/fs/protected_symlinks" "protected_symlinks" "$SED_RED" "$SED_GREEN"
 
-print_list "protected_hardlinks? ........... "$NC
-protected_hardlinks=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)
-if [ -z "$protected_hardlinks" ]; then
-    echo_not_found "/proc/sys/fs/protected_hardlinks"
-else
-    if [ "$protected_hardlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_hardlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "protected_hardlinks? ........... " "/proc/sys/fs/protected_hardlinks" "protected_hardlinks" "$SED_RED" "$SED_GREEN"
 
 print_list "perf_event_paranoid? ........... "$NC
 perf_event_paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null)
@@ -151,13 +131,7 @@ else
     if [ "$perf_event_paranoid" -le 1 ]; then echo "$perf_event_paranoid" | sed -${E} "s,.*,${SED_RED},g"; else echo "$perf_event_paranoid" | sed -${E} "s,.*,${SED_GREEN},g"; fi
 fi
 
-print_list "mmap_min_addr? ................. "$NC
-mmap_min_addr=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null)
-if [ -z "$mmap_min_addr" ]; then
-    echo_not_found "/proc/sys/vm/mmap_min_addr"
-else
-    if [ "$mmap_min_addr" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$mmap_min_addr" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
+print_sysctl_eq_zero "mmap_min_addr? ................. " "/proc/sys/vm/mmap_min_addr" "mmap_min_addr" "$SED_RED" "$SED_GREEN"
 
 print_list "lockdown mode? ................. "$NC
 if [ -f "/sys/kernel/security/lockdown" ]; then

linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh

@@ -36,6 +36,14 @@ print_2title "Container details"
 
 print_list "Is this a container? ...........$NC $containerType"
 
+if [ -e "/proc/vz" ] && ! [ -e "/proc/bc" ]; then
+    print_list "Container Runtime ..............$NC OpenVZ"
+fi
+
+if [ -f "/run/systemd/container" ]; then
+     print_list "Systemd Container ..............$NC $(cat /run/systemd/container)"
+fi
+
 # Get container runtime info
 if [ "$(command -v docker || echo -n '')" ]; then
     print_list "Docker version ...............$NC "

linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh

@@ -37,10 +37,10 @@
 #       - Container escape tool execution
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, print_2title, print_3title, print_info, print_list, warn_exec
+# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, enumerateDockerSockets, print_2title, print_3title, print_info, print_list, warn_exec
 # Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
 # Initial Functions: containerCheck
-# Generated Global Variables: $defautl_docker_caps, $containerd_version, $runc_version, $containerd_version
+# Generated Global Variables: $defautl_docker_caps, $containerd_version, $runc_version, $seccomp_mode_num, $seccomp_mode_desc
 # Fat linpeas: 0
 # Small linpeas: 0
 
@@ -57,14 +57,34 @@ if [ "$inContainer" ]; then
     
     # Security mechanisms
     print_3title "Security Mechanisms"
-    print_list "Seccomp enabled? ............... "$NC
-    ([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+    seccomp_mode_num="$(awk '/^Seccomp:/{print $2}' /proc/self/status 2>/dev/null)"
+    seccomp_mode_desc="unknown"
+    case "$seccomp_mode_num" in
+      0) seccomp_mode_desc="disabled" ;;
+      1) seccomp_mode_desc="strict" ;;
+      2) seccomp_mode_desc="filtering" ;;
+    esac
+
+    print_list "Seccomp mode ................... "$NC
+    (printf "%s (%s)\n" "$seccomp_mode_desc" "${seccomp_mode_num:-?}") | sed "s,disabled,${SED_RED}," | sed "s,strict,${SED_RED_YELLOW}," | sed "s,filtering,${SED_GREEN},"
+
+    if grep -q "^Seccomp_filters:" /proc/self/status 2>/dev/null; then
+      print_list "Seccomp filters ............... "$NC
+      awk '/^Seccomp_filters:/{print $2}' /proc/self/status 2>/dev/null | sed -${E} "s,^[0-9]+$,${SED_GREEN}&,"
+    fi
 
     print_list "AppArmor profile? .............. "$NC
     (cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
 
     print_list "User proc namespace? ........... "$NC
-    if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
+    if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then 
+        (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; 
+        echo ""
+        echo "  Mappings (Container -> Host -> Range):"
+        cat /proc/self/uid_map | awk '{print "  " $1 " -> " $2 " -> " $3}'
+    else 
+        echo "disabled" | sed "s,disabled,${SED_RED},"; 
+    fi
 
     # Known vulnerabilities
     print_3title "Known Vulnerabilities"
@@ -155,6 +175,9 @@ if [ "$inContainer" ]; then
         cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
         echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
     fi
+
+    print_list "Ambient capabilities ........... "$NC
+    (grep "CapAmb:" /proc/self/status 2>/dev/null | grep -v "0000000000000000" | sed "s,CapAmb:.,," || echo "No") | sed -${E} "s,No,${SED_GREEN}," | sed -${E} "s,[0-9a-fA-F]\+,${SED_RED}&,"
     
     # Additional capability checks
     print_list "Dangerous syscalls allowed ... "$NC
@@ -200,6 +223,10 @@ if [ "$inContainer" ]; then
         echo "No"
     fi
     
+    
+    print_list "Looking and enumerating Docker Sockets (if any):\n"$NC
+    enumerateDockerSockets
+    
     # Additional breakout vectors
     print_3title "Additional Breakout Vectors"
     

linPEAS/builder/linpeas_parts/2_container/6_Am_I_contained.sh

@@ -1,20 +0,0 @@
-# Title: Container - Am I Containered 
-# ID: CT_Am_I_contained
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Am I Containered tool
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, execBin
-# Global Variables:
-# Initial Functions:
-# Generated Global Variables: $FAT_LINPEAS_AMICONTAINED
-# Fat linpeas: 1
-# Small linpeas: 0
-
-
-if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then
-  print_2title "Am I Containered?"
-  FAT_LINPEAS_AMICONTAINED="peass{https://github.com/genuinetools/amicontained/releases/latest/download/amicontained-linux-amd64}"
-  execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
-fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.2
 # Functions Used: echo_not_found, print_2title, print_info, print_3title
-# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER, $IAMROOT, $WRITABLESYSTEMDPATH
+# Global Variables: $EXTRA_CHECKS, $IAMROOT, $SEARCH_IN_FOLDER, $TIMEOUT, $WRITABLESYSTEMDPATH
 # Initial Functions:
 # Generated Global Variables: $service_unit, $service_path, $service_content, $finding, $findings, $service_file, $exec_path, $exec_paths, $service, $line, $target_file, $target_exec, $relpath1, $relpath2
 # Fat linpeas: 0
@@ -178,7 +178,11 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$EXTRA_CHECKS" ]; then
     echo ""
     print_3title "Service versions and status:"
-    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+    if [ "$TIMEOUT" ]; then
+      $TIMEOUT 30 sh -c "(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null" || echo_not_found "service|chkconfig|rc-status|launchctl"
+    else
+      (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+    fi
   fi
 
   # Check systemd path writability
@@ -190,4 +194,4 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   fi
 
   echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh

@@ -17,7 +17,7 @@
 # Functions Used: print_2title, print_list, echo_not_found
 # Global Variables: $SEARCH_IN_FOLDER, $Wfolders, $SED_RED, $SED_RED_YELLOW, $NC
 # Initial Functions:
-# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $cmd
+# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $exec_value, $cmd, $cmd_path, $svc_path_entry, $svc_writable_path
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -113,21 +113,39 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
             service=$(echo "$line" | awk '{print $1}')
             service_file=$(get_service_file "$service")
             if [ -n "$service_file" ]; then
+                # Check service-specific PATH entries (Environment=PATH=...)
+                svc_writable_path=$(grep -E '^Environment=.*PATH=' "$service_file" 2>/dev/null | sed -E 's/^Environment=//; s/^"//; s/"$//; s/^PATH=//' | tr ':' '\n' | while read -r svc_path_entry; do
+                    [ -z "$svc_path_entry" ] && continue
+                    if [ -d "$svc_path_entry" ] && [ -w "$svc_path_entry" ]; then
+                        echo "$svc_path_entry"
+                    fi
+                done)
+                if [ "$svc_writable_path" ]; then
+                    for svc_path_entry in $svc_writable_path; do
+                        echo "$service: Writable service PATH entry '$svc_path_entry'" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+                    done
+                fi
+
                 # Check ExecStart paths
                 grep -E "ExecStart|ExecStartPre|ExecStartPost" "$service_file" 2>/dev/null | 
                 while read -r exec_line; do
-                    # Extract the first word after ExecStart* as the command
-                    cmd=$(echo "$exec_line" | awk '{print $2}' | tr -d '"')
-                    # Extract the rest as arguments
-                    args=$(echo "$exec_line" | awk '{$1=$2=""; print $0}' | tr -d '"')
+                    # Extract command from the right side of Exec*=, not from argv
+                    exec_value="${exec_line#*=}"
+                    exec_value=$(echo "$exec_value" | sed 's/^[[:space:]]*//')
+                    cmd=$(echo "$exec_value" | awk '{print $1}' | tr -d '"')
+                    # Strip systemd command prefixes (-, @, :, +, !) before path checks
+                    cmd_path=$(echo "$cmd" | sed -E 's/^[-@:+!]+//')
                     
                     # Only check the command path, not arguments
-                    if [ -n "$cmd" ] && [ -w "$cmd" ]; then
-                        echo "$service: $cmd (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                    if [ -n "$cmd_path" ] && [ -w "$cmd_path" ]; then
+                        echo "$service: $cmd_path (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
                     fi
                     # Check for relative paths only in the command, not arguments
-                    if [ -n "$cmd" ] && [ "${cmd#/}" = "$cmd" ] && ! echo "$cmd" | grep -qE '^-|^--'; then
-                        echo "$service: Uses relative path '$cmd' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                    if [ -n "$cmd_path" ] && [ "${cmd_path#/}" = "$cmd_path" ] && [ "${cmd_path#\$}" = "$cmd_path" ]; then
+                        echo "$service: Uses relative path '$cmd_path' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                        if [ "$svc_writable_path" ]; then
+                            echo "$service: Relative Exec path + writable service PATH can allow path hijacking" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+                        fi
                     fi
                 done
             fi
@@ -153,4 +171,4 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
     fi
 
     echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh

@@ -11,7 +11,7 @@
 # License: GNU GPL
 # Version: 1.1
 # Functions Used: print_2title, print_info
-# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $NC, $RED
+# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $SED_RED_YELLOW, $NC, $RED
 # Initial Functions:
 # Generated Global Variables: $unix_scks_list, $unix_scks_list2, $perms, $owner, $owner_info, $response, $socket, $cmd, $mode, $group
 # Fat linpeas: 0
@@ -142,10 +142,13 @@ if ! [ "$IAMROOT" ]; then
                     # Highlight dangerous ownership
                     if echo "$owner_info" | grep -q "root"; then
                         echo "  └─(${RED}Owned by root${NC})"
+                        if echo "$perms" | grep -q "Write"; then
+                            echo "  └─High risk: root-owned and writable Unix socket" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+                        fi
                     fi
                 fi
             fi
         done
     fi
     echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh

@@ -5,10 +5,10 @@
 # Description: Check for internet access
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, check_external_hostname
-# Global Variables:
+# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, print_3title, print_info, check_external_hostname
+# Global Variables: $E
 # Initial Functions:
-# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $$tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
+# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
 # Fat linpeas: 0
 # Small linpeas: 0
 
@@ -29,8 +29,8 @@ check_tcp_443 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid2=$!
 check_icmp "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid3=$!
 check_dns "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid4=$!
 
-# Kill all after 10 seconds
-(sleep $(( $TIMEOUT_INTERNET_SECONDS + 1 )) && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
+# Kill all check workers after timeout + 1s without relying on integer arithmetic
+(sleep "$TIMEOUT_INTERNET_SECONDS"; sleep 1; kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
 
 check_tcp_443_bin $TIMEOUT_INTERNET_SECONDS 2>/dev/null
 tcp443_bin_status=$?
@@ -50,3 +50,9 @@ if [ "$tcp443_bin_status" -eq 0 ] && \
 fi
 
 echo ""
+print_3title "Proxy discovery"
+print_info "Checking common proxy env vars and apt proxy config"
+(env | grep -iE '^(http|https|ftp|all)_proxy=|^no_proxy=') 2>/dev/null | sed -${E} "s,_proxy|no_proxy,${SED_RED_YELLOW},g"
+grep -RinE 'Acquire::(http|https)::Proxy|proxy' /etc/apt/apt.conf /etc/apt/apt.conf.d 2>/dev/null | sed -${E} "s,proxy|Acquire::http::Proxy|Acquire::https::Proxy,${SED_RED_YELLOW},g"
+
+echo ""

linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh

@@ -5,8 +5,8 @@
 # Description: Check network interfaces
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title
-# Global Variables:
+# Functions Used: print_2title, print_3title
+# Global Variables: $E, $SED_RED_YELLOW
 # Initial Functions:
 # Generated Global Variables: $iface, $state, $mac, $ip_file, $line
 # Fat linpeas: 0
@@ -73,4 +73,22 @@ else
     parse_network_interfaces
 fi
 
-echo ""
+if command -v ip >/dev/null 2>&1; then
+    print_3title "Routing & policy quick view"
+    ip route 2>/dev/null
+    ip -6 route 2>/dev/null | head -n 30
+    echo ""
+    ip rule 2>/dev/null
+
+    print_3title "Virtual/overlay interfaces quick view"
+    ip -d link 2>/dev/null | grep -E "^[0-9]+:|veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale" | sed -${E} "s,veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale,${SED_RED_YELLOW},g"
+
+    print_3title "Network namespaces quick view"
+    ip netns list 2>/dev/null
+    ls -la /var/run/netns/ 2>/dev/null
+fi
+
+print_3title "Forwarding status"
+sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g"
+
+echo ""

linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_3title, print_info
-# Global Variables: $E, $SED_RED
+# Global Variables: $E, $SED_RED, $SED_RED_YELLOW
 # Initial Functions:
 # Generated Global Variables: $pid_dir, $tx_queue, $pid, $rem_port, $proc_file, $rem_ip, $local_ip, $rx_queue, $proto, $rem_addr, $program, $state, $header_sep, $proc_info, $inode, $header, $line, $local_addr, $local_port
 # Fat linpeas: 0
@@ -122,6 +122,45 @@ get_open_ports() {
         parse_proc_net_ports "udp"
     fi
 
+    # Focused local service exposure view
+    print_3title "Local-only listeners (loopback)"
+    if command -v ss >/dev/null 2>&1; then
+        ss -nltpu 2>/dev/null | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g"
+    elif command -v netstat >/dev/null 2>&1; then
+        netstat -punta 2>/dev/null | grep -i listen | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g"
+    fi
+
+    print_3title "Unique listener bind addresses"
+    if command -v ss >/dev/null 2>&1; then
+        ss -nltpuH 2>/dev/null | awk '{
+            a=$5
+            if (a ~ /^\[/) {
+                sub(/^\[/, "", a)
+                sub(/\]:[0-9]+$/, "", a)
+            } else if (a ~ /:[0-9]+$/) {
+                sub(/:[0-9]+$/, "", a)
+            }
+            sub(/^::ffff:/, "", a)
+            if (a != "") print a
+        }' | sort -u | sed -${E} "s,127\.0\.0\.1|::1,${SED_RED},g"
+    elif command -v netstat >/dev/null 2>&1; then
+        netstat -punta 2>/dev/null | grep -i listen | awk '{
+            a=$4
+            if (a ~ /^\[/) {
+                sub(/^\[/, "", a)
+                sub(/\]:[0-9]+$/, "", a)
+            } else if (a ~ /:[0-9]+$/) {
+                sub(/:[0-9]+$/, "", a)
+            }
+            if (a == ":::" ) a="::"
+            sub(/^::ffff:/, "", a)
+            if (a != "") print a
+        }' | sort -u | sed -${E} "s,127\.0\.0\.1|::1,${SED_RED},g"
+    fi
+
+    print_3title "Potential local forwarders/relays"
+    ps aux 2>/dev/null | grep -E "[s]ocat|[s]sh .*(-L|-R|-D)|[n]cat|[n]c .*-l" | sed -${E} "s,socat|ssh|-L|-R|-D|ncat|nc,${SED_RED_YELLOW},g"
+
     # Additional port information
     if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
         print_3title "Additional Port Information"

linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh

@@ -6,9 +6,9 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_3title, print_info, warn_exec
-# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN
+# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_RED_YELLOW
 # Initial Functions:
-# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns
+# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns, $dumpcap_test_file
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -26,8 +26,17 @@ check_command() {
 # Function to check if we can sniff on an interface
 check_interface_sniffable() {
     local iface=$1
-    if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then
-        return 0
+    if check_command tcpdump; then
+        if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then
+            return 0
+        fi
+    elif check_command dumpcap; then
+        dumpcap_test_file="/tmp/.linpeas_dumpcap_test_$$.pcap"
+        if timeout 2 dumpcap -i "$iface" -c 1 -q -w "$dumpcap_test_file" >/dev/null 2>&1; then
+            rm -f "$dumpcap_test_file" 2>/dev/null
+            return 0
+        fi
+        rm -f "$dumpcap_test_file" 2>/dev/null
     fi
     return 1
 }
@@ -55,6 +64,20 @@ check_network_traffic_analysis() {
         tools_found=1
         # Check tcpdump version and capabilities
         warn_exec tcpdump --version 2>/dev/null | head -n 1
+        getcap "$(command -v tcpdump)" 2>/dev/null
+    fi
+
+    if check_command dumpcap; then
+        echo "dumpcap is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+        warn_exec dumpcap --version 2>/dev/null | head -n 1
+        getcap "$(command -v dumpcap)" 2>/dev/null
+
+        if id -nG 2>/dev/null | grep -qw wireshark; then
+            echo "Current user is in wireshark group" | sed -${E} "s,.*,${SED_GREEN},g"
+        elif getent group wireshark >/dev/null 2>&1; then
+            echo "wireshark group exists but current user is not in it" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+        fi
     fi
     
     if check_command tshark; then
@@ -68,10 +91,28 @@ check_network_traffic_analysis() {
         echo "wireshark is available" | sed -${E} "s,.*,${SED_GREEN},g"
         tools_found=1
     fi
+
+    if check_command ngrep; then
+        echo "ngrep is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+    fi
+
+    if check_command tcpflow; then
+        echo "tcpflow is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+    fi
     
     if [ $tools_found -eq 0 ]; then
         echo "No sniffing tools found" | sed -${E} "s,.*,${SED_RED},g"
     fi
+
+    if check_command tcpdump; then
+        echo "Sniffable interfaces according to tcpdump -D:"
+        timeout 2 tcpdump -D 2>/dev/null
+    elif check_command dumpcap; then
+        echo "Sniffable interfaces according to dumpcap -D:"
+        timeout 2 dumpcap -D 2>/dev/null
+    fi
     
     # Check network interfaces
     echo ""
@@ -88,25 +129,28 @@ check_network_traffic_analysis() {
     fi
     
     for iface in $interfaces; do
-        if [ "$iface" != "lo" ]; then  # Skip loopback
+        if [ "$iface" = "lo" ]; then
+            echo -n "Interface $iface (loopback): "
+        else
             echo -n "Interface $iface: "
-            if check_interface_sniffable "$iface"; then
-                echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g"
-                interfaces_found=1
-                
-                # Check promiscuous mode
-                if check_promiscuous_mode "$iface"; then
-                    echo "  - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g"
-                fi
-                
-                # Get interface details
-                if [ "$EXTRA_CHECKS" ]; then
-                    echo "  - Interface details:"
-                    warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null
-                fi
-            else
-                echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g"
+        fi
+
+        if check_interface_sniffable "$iface"; then
+            echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g"
+            interfaces_found=1
+
+            # Check promiscuous mode
+            if [ "$iface" != "lo" ] && check_promiscuous_mode "$iface"; then
+                echo "  - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g"
             fi
+
+            # Get interface details
+            if [ "$EXTRA_CHECKS" ]; then
+                echo "  - Interface details:"
+                warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null
+            fi
+        else
+            echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g"
         fi
     done
     
@@ -145,7 +189,12 @@ check_network_traffic_analysis() {
         print_info "To capture sensitive traffic, you can use:"
         echo "tcpdump -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
         echo "tshark -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
+        echo "dumpcap -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
     fi
+
+    echo ""
+    print_3title "Running sniffing/traffic reconstruction processes"
+    ps aux 2>/dev/null | grep -E "[t]cpdump|[d]umpcap|[t]shark|[w]ireshark|[n]grep|[t]cpflow" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
     
     # Additional information
     if [ "$EXTRA_CHECKS" ]; then

linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh

@@ -6,9 +6,9 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_3title, warn_exec, echo_not_found
-# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW
+# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW, $SED_RED_YELLOW
 # Initial Functions:
-# Generated Global Variables: $rules_file, $cmd, $tool, $config_file
+# Generated Global Variables: $rules_file, $cmd, $tool, $config_file, $sysctl_var
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -90,6 +90,9 @@ analyze_nftables() {
     # List all rules
     echo -e "\nNftables Ruleset:"
     warn_exec nft list ruleset 2>/dev/null
+
+    echo -e "\nNftables Ruleset with handles (-a):"
+    warn_exec nft -a list ruleset 2>/dev/null | sed -${E} "s,\\bdrop\\b|\\breject\\b|handle [0-9]+,${SED_RED_YELLOW},g"
     
     # Check for saved rules
     echo -e "\nSaved Rules:"
@@ -180,6 +183,17 @@ analyze_firewall_rules() {
     analyze_nftables
     analyze_firewalld
     analyze_ufw
+
+    echo ""
+    print_3title "Forwarding and rp_filter"
+    for sysctl_var in net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv4.conf.all.rp_filter; do
+        sysctl "$sysctl_var" 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g"
+    done
+
+    if check_command conntrack; then
+        echo -e "\nConntrack state (first 20):"
+        warn_exec conntrack -L 2>/dev/null | head -n 20
+    fi
     
     # Additional checks if EXTRA_CHECKS is enabled
     if [ "$EXTRA_CHECKS" ]; then
@@ -207,4 +221,4 @@ analyze_firewall_rules() {
 }
 
 # Run the main function
-analyze_firewall_rules
+analyze_firewall_rules

linPEAS/builder/linpeas_parts/6_users_information/12_Users_with_console.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
-# Global Variables: $MACPEAS, $sh_usrs, $USER 
+# Global Variables: $MACPEAS, $sh_usrs, $TIMEOUT, $USER 
 # Initial Functions:
 # Generated Global Variables: $ushell, $no_shells, $unexpected_shells
 # Fat linpeas: 0
@@ -26,8 +26,16 @@ else
   no_shells=$(grep -Ev "sh$" /etc/passwd 2>/dev/null | cut -d ':' -f 7 | sort | uniq)
   unexpected_shells=""
   printf "%s\n" "$no_shells" | while read f; do
-    if $f -c 'whoami' 2>/dev/null | grep -q "$USER"; then
-      unexpected_shells="$f\n$unexpected_shells"
+    if [ -x "$f" ]; then
+      if [ "$TIMEOUT" ]; then
+        if $TIMEOUT 1 "$f" -c 'whoami' 2>/dev/null | grep -q "$USER"; then
+          unexpected_shells="$f\n$unexpected_shells"
+        fi
+      else
+        if "$f" -c 'whoami' 2>/dev/null | grep -q "$USER"; then
+          unexpected_shells="$f\n$unexpected_shells"
+        fi
+      fi
     fi
   done
   grep "sh$" /etc/passwd 2>/dev/null | sort | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
@@ -41,4 +49,4 @@ else
     done
   fi
 fi
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh

@@ -8,7 +8,7 @@
 # Functions Used: echo_not_found, print_2title, print_info
 # Global Variables:$IAMROOT, $PASSWORD, $sudoB, $sudoG, $sudoVB1, $sudoVB2 
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $secure_path_line
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -34,6 +34,9 @@ if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
   echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
 fi
 for f in /etc/sudoers.d/*; do
+  if [ -w "$f" ]; then
+    echo "Sudoers file: $f is writable and may allow privilege escalation" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+  fi
   if [ -r "$f" ]; then
     echo "Sudoers file: $f is readable" | sed -${E} "s,.*,${SED_RED},g"
     grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"

linPEAS/builder/linpeas_parts/7_software_information/Browser_profiles.sh

@@ -1,5 +1,5 @@
 # Title: Software Information - Browser Profiles
-# ID: SW_Browser_Profiles
+# ID: SW_Browser_profiles
 # Author: Carlos Polop
 # Last Update: 10-03-2025
 # Description: List browser profiles that may store credentials/cookies

linPEAS/builder/linpeas_parts/7_software_information/Leaks_git_repo.sh

@@ -1,30 +0,0 @@
-# Title: Software Information - Checking leaks in git repositories
-# ID: SI_Leaks_git_repo
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Checking leaks in git repositories
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: execBin, print_2title
-# Global Variables: $MACPEAS, $TIMEOUT
-# Initial Functions:
-# Generated Global Variables: $git_dirname, $FAT_LINPEAS_GITLEAKS
-# Fat linpeas: 1
-# Small linpeas: 0
-
-
-if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
-  print_2title "Checking leaks in git repositories"
-  printf "%s\n" "$PSTORAGE_GITHUB" | while read f; do
-    if echo "$f" | grep -Eq ".git$"; then
-      git_dirname=$(dirname "$f")
-      if [ "$MACPEAS" ]; then
-        FAT_LINPEAS_GITLEAKS="peass{https://github.com/gitleaks/gitleaks/releases/download/v8.17.0/gitleaks_8.17.0_darwin_arm64.tar.gz}"
-      else
-        FAT_LINPEAS_GITLEAKS="peass{https://github.com/gitleaks/gitleaks/releases/download/v8.17.0/gitleaks_8.17.0_linux_x64.tar.gz}"
-      fi
-      execBin "GitLeaks (checking $git_dirname)" "https://github.com/zricethezav/gitleaks" "$FAT_LINPEAS_GITLEAKS" "detect -s '$git_dirname' -v | grep -E 'Description|Match|Secret|Message|Date'"
-    fi
-  done
-  echo ""
-fi

linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh

@@ -8,12 +8,12 @@
 # Functions Used: print_2title, print_info
 # Global Variables:$DEBUG, $SEARCH_IN_FOLDER, $USER, $wgroups
 # Initial Functions:
-# Generated Global Variables: $screensess, $screensess2
+# Generated Global Variables: $screensess, $screensess2, $uscreen
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
-if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
+if (command -v screen >/dev/null 2>&1 || [ -d "/run/screen" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching screen sessions"
   print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
   screensess=$(screen -ls 2>/dev/null)
@@ -25,5 +25,16 @@ if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_
   find /run/screen -type s -path "/run/screen/S-*" -not -user $USER '(' '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | while read f; do
     echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
   done
+
+  if [ -r "/etc/passwd" ]; then
+    print_3title "Checking other users screen sessions"
+    cut -d: -f1,7 /etc/passwd 2>/dev/null | grep "sh$" | cut -d: -f1 | grep -v "^$USER$" | while read u; do
+      uscreen=$(screen -ls "${u}/" 2>/dev/null | grep -v "No Sockets found" | grep -v "^$")
+      if [ "$uscreen" ]; then
+        echo "User $u screen sessions:"
+        printf "%s\n" "$uscreen" | sed -${E} "s,.*,${SED_RED},"
+      fi
+    done
+  fi
   echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh

@@ -8,7 +8,7 @@
 # Functions Used: print_2title, print_3title
 # Global Variables: $HOME, $HOMESEARCH, $ROOT_FOLDER, $SEARCH_IN_FOLDER, $TIMEOUT, $USER, $wgroups
 # Initial Functions:
-# Generated Global Variables: $certsb4_grep, $hostsallow, $hostsdenied, $sshconfig, $writable_agents, $privatekeyfilesetc, $privatekeyfileshome, $privatekeyfilesroot, $privatekeyfilesmnt,
+# Generated Global Variables: $certsb4_grep, $hostsallow, $hostsdenied, $sshconfig, $writable_agents, $agent_sockets, $privatekeyfilesetc, $privatekeyfileshome, $privatekeyfilesroot, $privatekeyfilesmnt,
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -19,12 +19,18 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
   hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
   hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
-  writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
+  agent_sockets=$(find /run/user /tmp -type s \( -path "/run/user/*/ssh-*/agent.*" -o -name "ssh-agent.sock" -o -path "/tmp/ssh-*" \) 2>/dev/null)
+  writable_agents=$(find /tmp /etc /home /run/user \
+    \( -type s -a \( -name "agent.*" -o -name "ssh-agent.sock" -o -path "*/ssh-*/agent.*" -o -name "*gpg-agent*" \) \
+    -a \( \( -user "$USER" \) -o \( -perm -o=w \) -o \( -perm -g=w -a \( $wgroups \) \) \) \) 2>/dev/null)
 else
   sshconfig="$(ls ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null)"
   hostsdenied="$(ls ${ROOT_FOLDER}etc/hosts.denied 2>/dev/null)"
   hostsallow="$(ls ${ROOT_FOLDER}etc/hosts.allow 2>/dev/null)"
-  writable_agents=$(find  ${ROOT_FOLDER} -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
+  agent_sockets=$(find "${ROOT_FOLDER}"tmp "${ROOT_FOLDER}"run -type s \( -name "agent.*" -o -name "ssh-agent.sock" \) 2>/dev/null)
+  writable_agents=$(find "${ROOT_FOLDER}" \
+    \( -type s -a \( -name "agent.*" -o -name "ssh-agent.sock" -o -path "*/ssh-*/agent.*" -o -name "*gpg-agent*" \) \
+    -a \( \( -user "$USER" \) -o \( -perm -o=w \) -o \( -perm -g=w -a \( $wgroups \) \) \) \) 2>/dev/null)
 fi
 
 peass{SSH}
@@ -58,7 +64,7 @@ fi
 if [ "$certsb4_grep" ] || [ "$PSTORAGE_CERTSBIN" ]; then
   print_3title "Some certificates were found (out limited):"
   printf "$certsb4_grep\n" | head -n 20
-  printf "$$PSTORAGE_CERTSBIN\n" | head -n 20
+  printf "$PSTORAGE_CERTSBIN\n" | head -n 20
     echo ""
 fi
 if [ "$PSTORAGE_CERTSCLIENT" ]; then
@@ -71,6 +77,11 @@ if [ "$PSTORAGE_SSH_AGENTS" ]; then
   printf "$PSTORAGE_SSH_AGENTS\n"
   echo ""
 fi
+if [ "$agent_sockets" ]; then
+  print_3title "Potential SSH agent sockets were found:"
+  printf "%s\n" "$agent_sockets" | sed -${E} "s,.*,${SED_RED},"
+  echo ""
+fi
 if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
   print_3title "Listing SSH Agents"
   ssh-add -l

linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh

@@ -23,6 +23,7 @@ if ! [ "$STRACE" ]; then
 fi
 suids_files=$(find $ROOT_FOLDER -perm -4000 -type f ! -path "/dev/*" 2>/dev/null)
 printf "%s\n" "$suids_files" | while read s; do
+  [ -z "$s" ] && continue
   s=$(ls -lahtr "$s")
   #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
   if echo "$s" | grep -qE "^total"; then break; fi
@@ -59,6 +60,8 @@ printf "%s\n" "$suids_files" | while read s; do
                   if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
                     printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n"
                   fi
+                elif echo "$sline_first" | grep -q "/" && [ -d "$(dirname "$sline_first")" ] && [ -w "$(dirname "$sline_first")" ]; then #If path does not exist but can be created
+                  printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can create it inside writable dir $RED$(dirname "$sline_first")$NC$ITALIC (strings line: $sline) (https://tinyurl.com/suidpath)\n"
                 else #If not a path
                   if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/' && echo "$sline_first" | grep -Eqv "\.\."; then #Check if existing binary
                     printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n"

linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh

@@ -17,6 +17,7 @@ print_2title "SGID"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
 printf "%s\n" "$sgids_files" | while read s; do
+  [ -z "$s" ] && continue
   s=$(ls -lahtr "$s")
   #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder
   if echo "$s" | grep -qE "^total";then break; fi
@@ -53,6 +54,8 @@ printf "%s\n" "$sgids_files" | while read s; do
                   if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable
                     printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n"
                   fi
+                elif echo "$sline_first" | grep -q "/" && [ -d "$(dirname "$sline_first")" ] && [ -w "$(dirname "$sline_first")" ]; then #If path does not exist but can be created
+                  printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can create it inside writable dir $RED$(dirname "$sline_first")$NC$ITALIC (strings line: $sline)\n"
                 else #If not a path
                   if [ ${#sline_first} -gt 2 ] && command -v "$sline_first" 2>/dev/null | grep -q '/'; then #Check if existing binary
                     printf "$ITALIC  --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it (strings line: $sline)\n"
@@ -90,4 +93,4 @@ printf "%s\n" "$sgids_files" | while read s; do
     fi
   fi
 done;
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $HOMESEARCH, $knw_usrs, $MACPEAS, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
+# Global Variables: $HOMESEARCH, $knw_usrs, $MACPEAS, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $writeB, $writeVB
 # Initial Functions:
 # Generated Global Variables:
 # Fat linpeas: 0
@@ -16,12 +16,12 @@
 print_2title "Files with ACLs (limited to 50)"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls"
 if ! [ "$SEARCH_IN_FOLDER" ]; then
-  ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+  ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"
 else
-  ( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+  ( (getfacl -t -s -R -p $SEARCH_IN_FOLDER 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"
 fi
 
 if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! [ "$(command -v getfacl || echo -n '')" ]; then  #Find ACL files in macos (veeeery slow)
-  ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+  ls -RAle / 2>/dev/null | grep -v "group:everyone deny delete" | grep -E -B1 "\d: " | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"
 fi
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh

@@ -8,7 +8,7 @@
 # Functions Used: echo_not_found, print_2title, print_info, print_3title
 # Global Variables: $capsB, $capsVB, $IAMROOT, $SEARCH_IN_FOLDER
 # Initial Functions:
-# Generated Global Variables: $cap_name, $cap_value, $cap_line, $capVB, $capname, $capbins, $capsVB_vuln
+# Generated Global Variables: $cap_name, $cap_value, $cap_line, $capVB, $capname, $capbins, $capsVB_vuln, $proc_status, $proc_pid, $proc_name, $proc_uid, $user_name, $proc_inh, $proc_prm, $proc_eff, $proc_bnd, $proc_amb, $proc_inh_dec, $proc_prm_dec, $proc_eff_dec, $proc_bnd_dec, $proc_amb_dec
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -69,6 +69,40 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
       fi
     done
     echo ""
+
+    print_3title "Processes with capability sets (non-zero CapEff/CapAmb, limit 40)"
+    find /proc -maxdepth 2 -path "/proc/[0-9]*/status" 2>/dev/null | head -n 400 | while read -r proc_status; do
+      proc_pid=$(echo "$proc_status" | cut -d/ -f3)
+      proc_name=$(awk '/^Name:/{print $2}' "$proc_status" 2>/dev/null)
+      proc_uid=$(awk '/^Uid:/{print $2}' "$proc_status" 2>/dev/null)
+      user_name=$(awk -F: -v uid="$proc_uid" '$3==uid{print $1; exit}' /etc/passwd 2>/dev/null)
+      [ -z "$user_name" ] && user_name="$proc_uid"
+
+      proc_inh=$(awk '/^CapInh:/{print $2}' "$proc_status" 2>/dev/null)
+      proc_prm=$(awk '/^CapPrm:/{print $2}' "$proc_status" 2>/dev/null)
+      proc_eff=$(awk '/^CapEff:/{print $2}' "$proc_status" 2>/dev/null)
+      proc_bnd=$(awk '/^CapBnd:/{print $2}' "$proc_status" 2>/dev/null)
+      proc_amb=$(awk '/^CapAmb:/{print $2}' "$proc_status" 2>/dev/null)
+
+      [ -z "$proc_eff" ] && continue
+      if [ "$proc_eff" != "0000000000000000" ] || [ "$proc_amb" != "0000000000000000" ]; then
+        echo "PID $proc_pid ($proc_name) user=$user_name"
+
+        proc_inh_dec=$(capsh --decode=0x"$proc_inh" 2>/dev/null)
+        proc_prm_dec=$(capsh --decode=0x"$proc_prm" 2>/dev/null)
+        proc_eff_dec=$(capsh --decode=0x"$proc_eff" 2>/dev/null)
+        proc_bnd_dec=$(capsh --decode=0x"$proc_bnd" 2>/dev/null)
+        proc_amb_dec=$(capsh --decode=0x"$proc_amb" 2>/dev/null)
+
+        echo "  CapInh: $proc_inh_dec" | sed -${E} "s,$capsB,${SED_RED},g"
+        echo "  CapPrm: $proc_prm_dec" | sed -${E} "s,$capsB,${SED_RED},g"
+        echo "  CapEff: $proc_eff_dec" | sed -${E} "s,$capsB,${SED_RED_YELLOW},g"
+        echo "  CapBnd: $proc_bnd_dec" | sed -${E} "s,$capsB,${SED_RED},g"
+        echo "  CapAmb: $proc_amb_dec" | sed -${E} "s,$capsB,${SED_RED_YELLOW},g"
+        echo ""
+      fi
+    done | head -n 240
+    echo ""
   
   else
     print_3title "Current shell capabilities"

linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh

@@ -6,19 +6,27 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $USER
+# Global Variables: $capsB, $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $pam_cap_lines
 # Fat linpeas: 0
 # Small linpeas: 0
 
 
-if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
+if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ] || grep -Rqs "pam_cap\.so" /etc/pam.d /etc/pam.conf 2>/dev/null; then
   print_2title "Users with capabilities"
   print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
   if [ -f "/etc/security/capability.conf" ]; then
-    grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
+    grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$capsB,${SED_RED},g"
   else echo_not_found "/etc/security/capability.conf"
   fi
   echo ""
-fi
+  print_info "Checking if PAM loads pam_cap.so"
+  pam_cap_lines=$(grep -RIn "pam_cap\.so" /etc/pam.d /etc/pam.conf 2>/dev/null)
+  if [ "$pam_cap_lines" ]; then
+    printf "%s\n" "$pam_cap_lines" | sed -${E} "s,pam_cap\\.so,${SED_RED_YELLOW},g"
+  else
+    echo_not_found "pam_cap.so in /etc/pam.d or /etc/pam.conf"
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info
-# Global Variables: $IAMROOT, $ITALIC, $SEARCH_IN_FOLDER, $USER, $Wfolders, $wgroups
+# Global Variables: $IAMROOT, $ITALIC, $SEARCH_IN_FOLDER, $USER, $Wfolders, $ldsoconfdG, $wgroups
 # Initial Functions:
 # Generated Global Variables: $ini_path, $fpath
 # Fat linpeas: 0
@@ -26,40 +26,53 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
   echo "Content of /etc/ld.so.conf:"
   cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
 
-  # Check each configured folder
-  cat /etc/ld.so.conf 2>/dev/null | while read l; do
-    if echo "$l" | grep -q include; then
+  # Check each configured folder and include directives
+  cat /etc/ld.so.conf 2>/dev/null | while IFS= read -r l; do
+    l=$(echo "$l" | sed 's/#.*$//' | xargs 2>/dev/null)
+    [ -z "$l" ] && continue
+
+    if echo "$l" | grep -qE '^include[[:space:]]+'; then
       ini_path=$(echo "$l" | cut -d " " -f 2)
       fpath=$(dirname "$ini_path")
 
-      if [ -d "/etc/ld.so.conf" ] && [ -w "$fpath" ]; then 
-        echo "You have write privileges over $fpath" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
+      if [ -d "$fpath" ] && [ -w "$fpath" ]; then
+        echo "You have write privileges over $fpath" | sed -${E} "s,.*,${SED_RED_YELLOW},";
         printf $RED_YELLOW$ITALIC"$fpath\n"$NC;
       else
         printf $GREEN$ITALIC"$fpath\n"$NC;
       fi
 
-      if [ "$(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then
-        echo "You have write privileges over $(find $fpath -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
+      if [ "$(find "$fpath" -type f '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" ]; then
+        echo "You have write privileges over $(find "$fpath" -type f '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)" | sed -${E} "s,.*,${SED_RED_YELLOW},";
       fi
 
-      for f in $fpath/*; do
-        if [ -w "$f" ]; then 
-          echo "You have write privileges over $f" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
+      for f in $ini_path; do
+        [ -f "$f" ] || continue
+
+        if [ -w "$f" ]; then
+          echo "You have write privileges over $f" | sed -${E} "s,.*,${SED_RED_YELLOW},";
           printf $RED_YELLOW$ITALIC"$f\n"$NC;
         else
           printf $GREEN$ITALIC"  $f\n"$NC;
         fi
 
-        cat "$f" | grep -v "^#" | while read l2; do
-          if [ -f "$l2" ] && [ -w "$l2" ]; then 
-            echo "You have write privileges over $l2" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
+        cat "$f" 2>/dev/null | grep -v "^#" | while IFS= read -r l2; do
+          l2=$(echo "$l2" | xargs 2>/dev/null)
+          [ -z "$l2" ] && continue
+
+          if [ -d "$l2" ] && [ -w "$l2" ]; then
+            echo "You have write privileges over $l2" | sed -${E} "s,.*,${SED_RED_YELLOW},";
             printf $RED_YELLOW$ITALIC"  - $l2\n"$NC;
-          else
-            echo $ITALIC"  - $l2"$NC | sed -${E} "s,$l2,${SED_GREEN}," | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g";
+          elif [ -d "$l2" ]; then
+            echo $ITALIC"  - $l2"$NC | sed -${E} "s,$ldsoconfdG,${SED_GREEN},g" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g";
           fi
         done
       done
+    elif [ -d "$l" ] && [ -w "$l" ]; then
+      echo "You have write privileges over $l" | sed -${E} "s,.*,${SED_RED_YELLOW},";
+      printf $RED_YELLOW$ITALIC"$l\n"$NC;
+    else
+      echo $ITALIC"$l"$NC | sed -${E} "s,$ldsoconfdG,${SED_GREEN},g" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g";
     fi
   done
   echo ""
@@ -75,4 +88,4 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
     if [ -f "$l" ] && [ -w "$l" ]; then echo "You have write privileges over $l" | sed -${E} "s,.*,${SED_RED_YELLOW},"; fi
   done
 
-fi
+fi

linPEAS/builder/linpeas_parts/functions/enumerateDockerSockets.sh

@@ -6,9 +6,9 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: echo_not_found
-# Global Variables: $GREP_DOCKER_SOCK_INFOS, $GREP_DOCKER_SOCK_INFOS_IGNORE, $IAMROOT
+# Global Variables: $GREP_DOCKER_SOCK_INFOS, $GREP_DOCKER_SOCK_INFOS_IGNORE
 # Initial Functions:
-# Generated Global Variables: $SEARCHED_DOCKER_SOCKETS, $dock_sock, $docker_enumerated, $dockerVersion, $int_sock, $sockInfoResponse
+# Generated Global Variables: $SEARCHED_DOCKER_SOCKETS, $docker_enumerated, $dockerVersion, $int_sock, $sockInfoResponse
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -17,34 +17,55 @@ enumerateDockerSockets() {
   dockerVersion="$(echo_not_found)"
   if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
     SEARCHED_DOCKER_SOCKETS="1"
-    for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -o -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
-      if ! [ "$IAMROOT" ] && [ -w "$int_sock" ]; then
+    # NOTE: This is intentionally "lightweight" (checks common runtime socket names) and avoids
+    # pseudo filesystems (/sys, /proc) to reduce noise and latency.
+    for int_sock in $(find / \
+      -path "/sys" -prune -o \
+      -path "/proc" -prune -o \
+      -type s \( \
+        -name "docker.sock" -o \
+        -name "docker.socket" -o \
+        -name "dockershim.sock" -o \
+        -name "containerd.sock" -o \
+        -name "crio.sock" -o \
+        -name "frakti.sock" -o \
+        -name "rktlet.sock" \
+      \) -print 2>/dev/null); do
+
+      # Basic permissions hint (you generally need write perms to connect to a unix socket).
+      if [ -w "$int_sock" ]; then
         if echo "$int_sock" | grep -Eq "docker"; then
-          dock_sock="$int_sock"
-          echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
-          echo "Docker enummeration:"
-          docker_enumerated=""
-
-          if [ "$(command -v curl || echo -n '')" ]; then
-            sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)"
-            dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
-            echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
-            if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi
-          fi
-
-          if [ "$(command -v docker || echo -n '')" ] && ! [ "$docker_enumerated" ]; then
-            sockInfoResponse="$(docker info)"
-            dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4)
-            printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
-          fi
-        
+          echo "You have write permissions over Docker socket $int_sock" | sed -${E} "s,$int_sock,${SED_RED_YELLOW},g"
         else
           echo "You have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_RED},g"
         fi
-
       else
         echo "You don't have write permissions over interesting socket $int_sock" | sed -${E} "s,$int_sock,${SED_GREEN},g"
       fi
+
+      # Validate whether this looks like a Docker Engine API socket (amicontained-style) when curl exists.
+      docker_enumerated=""
+      if [ "$(command -v curl 2>/dev/null || echo -n '')" ]; then
+        sockInfoResponse="$(curl -s --max-time 2 --unix-socket "$int_sock" http://localhost/info 2>/dev/null)"
+        if echo "$sockInfoResponse" | grep -q "ServerVersion"; then
+          echo "Valid Docker API socket: $int_sock" | sed -${E} "s,$int_sock,${SED_RED_YELLOW},g"
+          dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
+          echo "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
+          docker_enumerated="1"
+        fi
+      fi
+
+      # Fallback to docker CLI if curl is missing or the /info request didn't work.
+      # Use DOCKER_HOST so we can target non-default socket paths when possible.
+      if [ "$(command -v docker 2>/dev/null || echo -n '')" ] && ! [ "$docker_enumerated" ]; then
+        if [ -w "$int_sock" ] && echo "$int_sock" | grep -Eq "docker"; then
+          sockInfoResponse="$(DOCKER_HOST="unix://$int_sock" docker info 2>/dev/null)"
+          if [ "$sockInfoResponse" ]; then
+            dockerVersion=$(echo "$sockInfoResponse" | grep -i "^ Server Version:" | awk '{print $4}' | head -n 1)
+            printf "%s\n" "$sockInfoResponse" | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
+          fi
+        fi
+      fi
     done
   fi
 }

linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh

@@ -217,7 +217,7 @@ print_title(){
   max_title_len=80
   rest_len=$((($max_title_len - $title_len) / 2))
 
-  printf ${BLUE}
+  printf "%s" "${BLUE}"
   for i in $(seq 1 $rest_len); do printf " "; done
   printf "╔"
   for i in $(seq 1 $title_len); do printf "═"; done; printf "═";
@@ -231,13 +231,13 @@ print_title(){
 
   echo ""
 
-  printf ${BLUE}
+  printf "%s" "${BLUE}"
   for i in $(seq 1 $rest_len); do printf " "; done
   printf "╚"
   for i in $(seq 1 $title_len); do printf "═"; done; printf "═";
   printf "╝"
 
-  printf $NC
+  printf "%s" "${NC}"
   echo ""
 }
 

linPEAS/builder/linpeas_parts/variables/capsB.sh

@@ -13,4 +13,4 @@
 # Small linpeas: 1
 
 
-capsB="=ep|cap_chown|cap_former|cap_setfcap|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_kill|cap_net_bind_service|cap_net_raw|cap_net_admin|cap_sys_admin|cap_sys_ptrace|cap_sys_module"
+capsB="=ep|cap_chown|cap_fowner|cap_fsetid|cap_setpcap|cap_setfcap|cap_dac_override|cap_dac_read_search|cap_setuid|cap_setgid|cap_kill|cap_net_bind_service|cap_net_raw|cap_net_admin|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_sys_rawio|cap_bpf|cap_perfmon"

linPEAS/builder/linpeas_parts/variables/capsVB.sh

@@ -18,7 +18,9 @@ cap_sys_ptrace:python \
 cap_sys_module:kmod|python \
 cap_dac_override:python|vim \
 cap_chown:chown|python \
-cap_former:chown|python \
+cap_fowner:chown|python \
+cap_setfcap:python|perl|ruby|php|node|lua|bash \
+cap_setpcap:python|perl|ruby|php|node|lua|bash \
 cap_setuid:peass{CAP_SETUID_HERE} \
 cap_setgid:peass{CAP_SETGID_HERE} \
-cap_net_raw:python|tcpdump"
+cap_net_raw:python|tcpdump|dumpcap|tcpflow"

linPEAS/builder/linpeas_parts/variables/pwd_in_variables.sh

@@ -24,4 +24,4 @@ pwd_in_variables7="MAILGUN_APIKEY|MAILGUN_API_KEY|MAILGUN_DOMAIN|MAILGUN_PRIV_KE
 pwd_in_variables8="OKTA_OAUTH2_ISSUER|OMISE_KEY|OMISE_PKEY|OMISE_PUBKEY|OMISE_SKEY|ONESIGNAL_API_KEY|ONESIGNAL_USER_AUTH_KEY|OPENWHISK_KEY|OPEN_WHISK_KEY|OSSRH_PASS|OSSRH_SECRET|OSSRH_USER|OS_AUTH_URL|OS_PROJECT_NAME|OS_TENANT_ID|OS_TENANT_NAME|PAGERDUTY_APIKEY|PAGERDUTY_ESCALATION_POLICY_ID|PAGERDUTY_FROM_USER|PAGERDUTY_PRIORITY_ID|PAGERDUTY_SERVICE_ID|PANTHEON_SITE|PARSE_APP_ID|PARSE_JS_KEY|PAYPAL_CLIENT_ID|PAYPAL_CLIENT_SECRET|PERCY_TOKEN|PERSONAL_KEY|PERSONAL_SECRET|PG_DATABASE|PG_HOST|PLACES_APIKEY|PLACES_API_KEY|PLACES_APPID|PLACES_APPLICATION_ID|PLOTLY_APIKEY|POSTGRESQL_DB|POSTGRESQL_PASS|POSTGRES_ENV_POSTGRES_DB|POSTGRES_ENV_POSTGRES_USER|POSTGRES_PORT|PREBUILD_AUTH|PROD.ACCESS.KEY.ID|PROD.SECRET.KEY|PROD_BASE_URL_RUNSCOPE|PROJECT_CONFIG|PUBLISH_KEY|PUBLISH_SECRET|PUSHOVER_TOKEN|PUSHOVER_USER|PYPI_PASSOWRD|QUIP_TOKEN|RABBITMQ_SERVER_ADDR|REDISCLOUD_URL|REDIS_STUNNEL_URLS|REFRESH_TOKEN|RELEASE_GH_TOKEN|RELEASE_TOKEN|remoteUserToShareTravis|REPORTING_WEBDAV_URL|REPORTING_WEBDAV_USER|repoToken|REST_API_KEY|RINKEBY_PRIVATE_KEY|ROPSTEN_PRIVATE_KEY|route53_access_key_id|RTD_KEY_PASS|RTD_STORE_PASS|RUBYGEMS_AUTH_TOKEN|s3_access_key|S3_ACCESS_KEY_ID|S3_BUCKET_NAME_APP_LOGS|S3_BUCKET_NAME_ASSETS|S3_KEY"
 pwd_in_variables9="S3_KEY_APP_LOGS|S3_KEY_ASSETS|S3_PHOTO_BUCKET|S3_SECRET_APP_LOGS|S3_SECRET_ASSETS|S3_SECRET_KEY|S3_USER_ID|S3_USER_SECRET|SACLOUD_ACCESS_TOKEN|SACLOUD_ACCESS_TOKEN_SECRET|SACLOUD_API|SALESFORCE_BULK_TEST_SECURITY_TOKEN|SANDBOX_ACCESS_TOKEN|SANDBOX_AWS_ACCESS_KEY_ID|SANDBOX_AWS_SECRET_ACCESS_KEY|SANDBOX_LOCATION_ID|SAUCE_ACCESS_KEY|SECRETACCESSKEY|SECRETKEY|SECRET_0|SECRET_10|SECRET_11|SECRET_1|SECRET_2|SECRET_3|SECRET_4|SECRET_5|SECRET_6|SECRET_7|SECRET_8|SECRET_9|SECRET_KEY_BASE|SEGMENT_API_KEY|SELION_SELENIUM_SAUCELAB_GRID_CONFIG_FILE|SELION_SELENIUM_USE_SAUCELAB_GRID|SENDGRID|SENDGRID_API_KEY|SENDGRID_FROM_ADDRESS|SENDGRID_KEY|SENDGRID_USER|SENDWITHUS_KEY|SENTRY_AUTH_TOKEN|SERVICE_ACCOUNT_SECRET|SES_ACCESS_KEY|SES_SECRET_KEY|setDstAccessKey|setDstSecretKey|setSecretKey|SIGNING_KEY|SIGNING_KEY_SECRET|SIGNING_KEY_SID|SNOOWRAP_CLIENT_SECRET|SNOOWRAP_REDIRECT_URI|SNOOWRAP_REFRESH_TOKEN|SNOOWRAP_USER_AGENT|SNYK_API_TOKEN|SNYK_ORG_ID|SNYK_TOKEN|SOCRATA_APP_TOKEN|SOCRATA_USER|SONAR_ORGANIZATION_KEY|SONAR_PROJECT_KEY|SONAR_TOKEN|SONATYPE_GPG_KEY_NAME|SONATYPE_GPG_PASSPHRASE|SONATYPE_PASSSONATYPE_TOKEN_USER|SONATYPE_USER|SOUNDCLOUD_CLIENT_ID|SOUNDCLOUD_CLIENT_SECRET|SPACES_ACCESS_KEY_ID|SPACES_SECRET_ACCESS_KEY"
 pwd_in_variables10="SPA_CLIENT_ID|SPOTIFY_API_ACCESS_TOKEN|SPOTIFY_API_CLIENT_ID|SPOTIFY_API_CLIENT_SECRET|sqsAccessKey|sqsSecretKey|SRCCLR_API_TOKEN|SSHPASS|SSMTP_CONFIG|STARSHIP_ACCOUNT_SID|STARSHIP_AUTH_TOKEN|STAR_TEST_AWS_ACCESS_KEY_ID|STAR_TEST_BUCKET|STAR_TEST_LOCATION|STAR_TEST_SECRET_ACCESS_KEY|STORMPATH_API_KEY_ID|STORMPATH_API_KEY_SECRET|STRIPE_PRIVATE|STRIPE_PUBLIC|STRIP_PUBLISHABLE_KEY|STRIP_SECRET_KEY|SURGE_LOGIN|SURGE_TOKEN|SVN_PASS|SVN_USER|TESCO_API_KEY|THERA_OSS_ACCESS_ID|THERA_OSS_ACCESS_KEY|TRAVIS_ACCESS_TOKEN|TRAVIS_API_TOKEN|TRAVIS_COM_TOKEN|TRAVIS_E2E_TOKEN|TRAVIS_GH_TOKEN|TRAVIS_PULL_REQUEST|TRAVIS_SECURE_ENV_VARS|TRAVIS_TOKEN|TREX_CLIENT_ORGURL|TREX_CLIENT_TOKEN|TREX_OKTA_CLIENT_ORGURL|TREX_OKTA_CLIENT_TOKEN|TWILIO_ACCOUNT_ID|TWILIO_ACCOUNT_SID|TWILIO_API_KEY|TWILIO_API_SECRET|TWILIO_CHAT_ACCOUNT_API_SERVICE|TWILIO_CONFIGURATION_SID|TWILIO_SID|TWILIO_TOKEN|TWITTEROAUTHACCESSSECRET|TWITTEROAUTHACCESSTOKEN|TWITTER_CONSUMER_KEY|TWITTER_CONSUMER_SECRET|UNITY_SERIAL|URBAN_KEY|URBAN_MASTER_SECRET|URBAN_SECRET|userTravis|USER_ASSETS_ACCESS_KEY_ID|USER_ASSETS_SECRET_ACCESS_KEY|VAULT_APPROLE_SECRET_ID|VAULT_PATH|VIP_GITHUB_BUILD_REPO_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY_PASS"
-pwd_in_variables11="VIRUSTOTAL_APIKEY|VISUAL_RECOGNITION_API_KEY|V_SFDC_CLIENT_ID|V_SFDC_CLIENT_SECRET|WAKATIME_API_KEY|WAKATIME_PROJECT|WATSON_CLIENT|WATSON_CONVERSATION_WORKSPACE|WATSON_DEVICE|WATSON_DEVICE_TOPIC|WATSON_TEAM_ID|WATSON_TOPIC|WIDGET_BASIC_USER_2|WIDGET_BASIC_USER_3|WIDGET_BASIC_USER_4|WIDGET_BASIC_USER_5|WIDGET_FB_USER|WIDGET_FB_USER_2|WIDGET_FB_USER_3|WIDGET_TEST_SERVERWORDPRESS_DB_USER|WORKSPACE_ID|WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY|WPT_DB_HOST|WPT_DB_NAME|WPT_DB_USER|WPT_PREPARE_DIR|WPT_REPORT_API_KEY|WPT_SSH_CONNECT|WPT_SSH_PRIVATE_KEY_BASE64|YANGSHUN_GH_TOKEN|YT_ACCOUNT_CHANNEL_ID|YT_ACCOUNT_CLIENT_ID|YT_ACCOUNT_CLIENT_SECRET|YT_ACCOUNT_REFRESH_TOKEN|YT_API_KEY|YT_CLIENT_ID|YT_CLIENT_SECRET|YT_PARTNER_CHANNEL_ID|YT_PARTNER_CLIENT_ID|YT_PARTNER_CLIENT_SECRET|YT_PARTNER_ID|YT_PARTNER_REFRESH_TOKEN|YT_SERVER_API_KEY|ZHULIANG_GH_TOKEN|ZOPIM_ACCOUNT_KEY"
+pwd_in_variables11="VIRUSTOTAL_APIKEY|VISUAL_RECOGNITION_API_KEY|V_SFDC_CLIENT_ID|V_SFDC_CLIENT_SECRET|WAKATIME_API_KEY|WAKATIME_PROJECT|WATSON_CLIENT|WATSON_CONVERSATION_WORKSPACE|WATSON_DEVICE|WATSON_DEVICE_TOPIC|WATSON_TEAM_ID|WATSON_TOPIC|WIDGET_BASIC_USER_2|WIDGET_BASIC_USER_3|WIDGET_BASIC_USER_4|WIDGET_BASIC_USER_5|WIDGET_FB_USER|WIDGET_FB_USER_2|WIDGET_FB_USER_3|WIDGET_TEST_SERVERWORDPRESS_DB_USER|WORKSPACE_ID|WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY|WPT_DB_HOST|WPT_DB_NAME|WPT_DB_USER|WPT_PREPARE_DIR|WPT_REPORT_API_KEY|WPT_SSH_CONNECT|WPT_SSH_PRIVATE_KEY_BASE64|YANGSHUN_GH_TOKEN|YT_ACCOUNT_CHANNEL_ID|YT_ACCOUNT_CLIENT_ID|YT_ACCOUNT_CLIENT_SECRET|YT_ACCOUNT_REFRESH_TOKEN|YT_API_KEY|YT_CLIENT_ID|YT_CLIENT_SECRET|YT_PARTNER_CHANNEL_ID|YT_PARTNER_CLIENT_ID|YT_PARTNER_CLIENT_SECRET|YT_PARTNER_ID|YT_PARTNER_REFRESH_TOKEN|YT_SERVER_API_KEY|ZHULIANG_GH_TOKEN|ZOPIM_ACCOUNT_KEY|USERNAME|PASSWORD|PASSWD|CREDENTIALS?"

linPEAS/builder/linpeas_parts/variables/sudoB.sh

@@ -12,4 +12,4 @@
 # Fat linpeas: 0
 # Small linpeas: 1
 
-sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount|/restic|--password-command|--password-file|-o ProxyCommand|-o PreferredAuthentications"
+sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|env_keep|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount|/restic|/usermod|/sbin/ldconfig|/usr/sbin/ldconfig|ldconfig -f|--password-command|--password-file|-o ProxyCommand|-o PreferredAuthentications"

linPEAS/builder/linpeas_parts/variables/writeVB.sh

@@ -13,4 +13,4 @@
 # Small linpeas: 1
 
 
-writeVB="/etc/anacrontab|/etc/apt/apt.conf.d|/etc/bash.bashrc|/etc/bash_completion|/etc/bash_completion.d/|/etc/cron|/etc/environment|/etc/environment.d/|/etc/group|/etc/incron.d/|/etc/init|/etc/ld.so.conf.d/|/etc/master.passwd|/etc/passwd|/etc/profile.d/|/etc/profile|/etc/rc.d|/etc/shadow|/etc/skey/|/etc/sudoers|/etc/sudoers.d/|/etc/supervisor/conf.d/|/etc/supervisor/supervisord.conf|/etc/systemd|/etc/sys|/lib/systemd|/etc/update-motd.d/|/root/.ssh/|/run/systemd|/usr/lib/cron/tabs/|/usr/lib/systemd|/systemd/system|/var/db/yubikey/|/var/spool/anacron|/var/spool/cron/crontabs|"$(echo $PATH 2>/dev/null | sed 's/:\.:/:/g' | sed 's/:\.$//g' | sed 's/^\.://g' | sed 's/:/$|^/g') #Add Path but remove simple dot in PATH
+writeVB="/etc/anacrontab|/etc/apt/apt.conf.d|/etc/bash.bashrc|/etc/bash_completion|/etc/bash_completion.d/|/etc/cron|/etc/environment|/etc/environment.d/|/etc/group|/etc/incron.d/|/etc/init|/etc/ld.so.conf.d/|/etc/ld.so.preload|/etc/master.passwd|/etc/passwd|/etc/profile.d/|/etc/profile|/etc/rc.d|/etc/shadow|/etc/skey/|/etc/sudoers|/etc/sudoers.d/|/etc/supervisor/conf.d/|/etc/supervisor/supervisord.conf|/etc/systemd|/etc/sys|/lib/systemd|/etc/update-motd.d/|/root/.ssh/|/run/systemd|/usr/lib/cron/tabs/|/usr/lib/systemd|/systemd/system|/var/db/yubikey/|/var/spool/anacron|/var/spool/cron/crontabs|"$(echo $PATH 2>/dev/null | sed 's/:\.:/:/g' | sed 's/:\.$//g' | sed 's/^\.://g' | sed 's/:/$|^/g') #Add Path but remove simple dot in PATH

linPEAS/builder/src/linpeasBuilder.py

@@ -405,7 +405,7 @@ class LinpeasBuilder:
                 name = entry["name"]
                 caseinsensitive = entry.get("caseinsensitive", False)
                 regex = entry["regex"]
-                regex = regex.replace('"', '\\"').strip()
+                regex = regex.replace("\\", "\\\\").replace('"', '\\"').strip()
                 falsePositives = entry.get("falsePositives", False)
 
                 if falsePositives:

linPEAS/builder/src/linpeasModule.py

@@ -8,6 +8,7 @@ from .yamlGlobals import (
 class LinpeasModule:
     def __init__(self, path):
         self.path = path
+        real_path = os.path.realpath(path)
         with open(path, 'r') as file:
             self.module_text = file.read()
         
@@ -29,7 +30,7 @@ class LinpeasModule:
         self.section_info = {}
         if not (self.is_base or self.is_function or self.is_variable):
             for module in LINPEAS_PARTS["modules"]:
-                if module["folder_path"] in path:
+                if os.path.realpath(module["folder_path"]) in real_path:
                     self.section_info = module
                     self.is_check = True
                     break

linPEAS/tests/test_builder.py

@@ -0,0 +1,40 @@
+import os
+import stat
+import subprocess
+import tempfile
+import unittest
+from pathlib import Path
+
+
+class LinpeasBuilderTests(unittest.TestCase):
+    def setUp(self):
+        self.repo_root = Path(__file__).resolve().parents[2]
+        self.linpeas_dir = self.repo_root / "linPEAS"
+
+    def _run_builder(self, args, output_path):
+        cmd = ["python3", "-m", "builder.linpeas_builder"] + args + ["--output", str(output_path)]
+        result = subprocess.run(cmd, cwd=str(self.linpeas_dir), capture_output=True, text=True)
+        if result.returncode != 0:
+            raise AssertionError(
+                f"linpeas_builder failed:\nstdout:\n{result.stdout}\nstderr:\n{result.stderr}"
+            )
+
+    def test_small_build_creates_executable(self):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            output_path = Path(tmpdir) / "linpeas_small.sh"
+            self._run_builder(["--small"], output_path)
+            self.assertTrue(output_path.exists(), "linpeas_small.sh was not created.")
+            mode = output_path.stat().st_mode
+            self.assertTrue(mode & stat.S_IXUSR, "linpeas_small.sh is not executable.")
+
+    def test_include_exclude_modules(self):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            output_path = Path(tmpdir) / "linpeas_include.sh"
+            self._run_builder(["--include", "system_information,container", "--exclude", "container"], output_path)
+            content = output_path.read_text(encoding="utf-8", errors="ignore")
+            self.assertIn("Operative system", content)
+            self.assertNotIn("Am I Containered?", content)
+
+
+if __name__ == "__main__":
+    unittest.main()

linPEAS/tests/test_modules_metadata.py

@@ -0,0 +1,60 @@
+import re
+import sys
+import unittest
+from pathlib import Path
+
+
+class LinpeasModulesMetadataTests(unittest.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls.repo_root = Path(__file__).resolve().parents[2]
+        cls.linpeas_dir = cls.repo_root / "linPEAS"
+        cls.parts_dir = cls.linpeas_dir / "builder" / "linpeas_parts"
+
+        # Ensure `import builder.*` works when tests are run from repo root.
+        sys.path.insert(0, str(cls.linpeas_dir))
+
+        from builder.src.linpeasModule import LinpeasModule  # pylint: disable=import-error
+
+        cls.LinpeasModule = LinpeasModule
+
+    def _iter_module_files(self):
+        return sorted(self.parts_dir.rglob("*.sh"))
+
+    def test_all_modules_parse(self):
+        module_files = self._iter_module_files()
+        self.assertGreater(len(module_files), 0, "No linPEAS module files were found.")
+
+        # Parsing a module validates its metadata and dependencies.
+        for path in module_files:
+            _ = self.LinpeasModule(str(path))
+
+    def test_check_module_id_matches_filename(self):
+        for path in self._iter_module_files():
+            module = self.LinpeasModule(str(path))
+            if not getattr(module, "is_check", False):
+                continue
+
+            # For checks, the filename (without numeric prefix) must match the module ID
+            # (either full ID or stripping section prefix like `SI_`).
+            file_base = re.sub(r"^[0-9]+_", "", path.stem)
+            module_id = getattr(module, "id", "")
+            module_id_tail = module_id[3:] if len(module_id) >= 3 else ""
+            self.assertIn(
+                file_base,
+                {module_id, module_id_tail},
+                f"Module ID mismatch in {path}: id={module_id} expected suffix={file_base}",
+            )
+
+    def test_module_ids_are_unique(self):
+        ids = []
+        for path in self._iter_module_files():
+            module = self.LinpeasModule(str(path))
+            ids.append(getattr(module, "id", ""))
+
+        duplicates = {x for x in ids if x and ids.count(x) > 1}
+        self.assertEqual(set(), duplicates, f"Duplicate module IDs found: {sorted(duplicates)}")
+
+
+if __name__ == "__main__":
+    unittest.main()

parsers/peas2json.py

@@ -127,7 +127,9 @@ def parse_line(line: str):
 
     elif is_section(line, INFO_PATTERN):
         title = parse_title(line)
-        C_SECTION["infos"].append(title)
+        if C_SECTION == {}:
+            return
+        C_SECTION.setdefault("infos", []).append(title)
     
     #If here, then it's text
     else:

winPEAS/winPEASbat/winPEAS.bat

@@ -71,7 +71,7 @@ CALL :T_Progress 2
 :ListHotFixes
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    wmic qfe get Caption,Description,HotFixID,InstalledOn | more
+    wmic qfe get Caption,Description,HotFixID,InstalledOn
 ) else (
     powershell -command "Get-HotFix | Format-Table -AutoSize"
 )
@@ -204,7 +204,7 @@ CALL :T_Progress 1
 CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)"
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
+    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
 ) else (
     powershell -command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
 ) 
@@ -238,7 +238,7 @@ CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS"
 ECHO.   [i] Maybe you find something interesting
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    wmic logicaldisk get caption | more
+    wmic logicaldisk get caption
 ) else (
     fsutil fsinfo drives
 )
@@ -670,7 +670,7 @@ if "%long%" == "true" (
 	ECHO.
 	where wmic >nul 2>&1
 	if !errorlevel! equ 0 (
-		for /f %%x in ('wmic logicaldisk get name ^| more') do (
+		for /f %%x in ('wmic logicaldisk get name') do (
 			set tdrive=%%x
 			if "!tdrive:~1,2!" == ":" (
 				%%x

winPEAS/winPEASexe/CMakeLists.txt

@@ -0,0 +1,26 @@
+cmake_minimum_required(VERSION 3.16)
+project(winPEAS_dotnet NONE)
+
+set(PROJECT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/winPEAS.csproj")
+
+find_program(DOTNET_EXECUTABLE dotnet)
+find_program(MSBUILD_EXECUTABLE msbuild)
+find_program(XBUILD_EXECUTABLE xbuild)
+
+if(DOTNET_EXECUTABLE)
+  set(BUILD_TOOL "${DOTNET_EXECUTABLE}")
+  set(BUILD_ARGS build "${PROJECT_FILE}" -c Release)
+elseif(MSBUILD_EXECUTABLE)
+  set(BUILD_TOOL "${MSBUILD_EXECUTABLE}")
+  set(BUILD_ARGS "${PROJECT_FILE}" /p:Configuration=Release)
+elseif(XBUILD_EXECUTABLE)
+  set(BUILD_TOOL "${XBUILD_EXECUTABLE}")
+  set(BUILD_ARGS "${PROJECT_FILE}" /p:Configuration=Release)
+else()
+  message(FATAL_ERROR "dotnet, msbuild, or xbuild is required to build winPEAS")
+endif()
+
+add_custom_target(winpeas ALL
+  COMMAND ${BUILD_TOOL} ${BUILD_ARGS}
+  WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+)

winPEAS/winPEASexe/Tests/ArgumentParsingTests.cs

@@ -0,0 +1,36 @@
+using System;
+using System.Reflection;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace winPEAS.Tests
+{
+    [TestClass]
+    public class ArgumentParsingTests
+    {
+        private static bool InvokeIsNetworkTypeValid(string arg)
+        {
+            var method = typeof(winPEAS.Checks.Checks).GetMethod("IsNetworkTypeValid", BindingFlags.NonPublic | BindingFlags.Static);
+            Assert.IsNotNull(method, "IsNetworkTypeValid method not found.");
+            return (bool)method.Invoke(null, new object[] { arg });
+        }
+
+        [TestMethod]
+        public void ShouldAcceptValidNetworkTypes()
+        {
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=auto"));
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10"));
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10/24"));
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10,10.10.10.20"));
+        }
+
+        [TestMethod]
+        public void ShouldRejectInvalidNetworkTypes()
+        {
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network="));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=10.10.10.999"));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=10.10.10.10/64"));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=999.999.999.999/24"));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=not-an-ip"));
+        }
+    }
+}

winPEAS/winPEASexe/Tests/ChecksArgumentEdgeCasesTests.cs

@@ -0,0 +1,37 @@
+using System;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace winPEAS.Tests
+{
+    [TestClass]
+    public class ChecksArgumentEdgeCasesTests
+    {
+        [TestMethod]
+        public void ShouldNotThrowOnEmptyLogFileArg()
+        {
+            // Should return early with a user-friendly error, not crash.
+            Program.Main(new[] { "log=" });
+        }
+
+        [TestMethod]
+        public void ShouldNotThrowOnPortsWithoutNetwork()
+        {
+            // Should warn and return early because -network was not provided.
+            Program.Main(new[] { "-ports=80,443" });
+        }
+
+        [TestMethod]
+        public void ShouldNotThrowOnInvalidNetworkArgument()
+        {
+            // Should warn and return early because the IP is invalid.
+            Program.Main(new[] { "-network=10.10.10.999" });
+        }
+
+        [TestMethod]
+        public void ShouldNotThrowOnEmptyNetworkArgument()
+        {
+            // Should warn and return early because the value is empty.
+            Program.Main(new[] { "-network=" });
+        }
+    }
+}

winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj

@@ -61,9 +61,11 @@
     </Reference>
     <Reference Include="Microsoft.VisualStudio.TestPlatform.TestFramework, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\MSTest.TestFramework.2.2.5\lib\net45\Microsoft.VisualStudio.TestPlatform.TestFramework.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\MSTest.TestFramework.2.2.5\lib\net45\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="System" />
     <Reference Include="System.ComponentModel.Composition" />
@@ -95,6 +97,7 @@
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="ArgumentParsingTests.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="SmokeTests.cs" />
   </ItemGroup>
@@ -108,6 +111,40 @@
       <Name>winPEAS</Name>
     </ProjectReference>
   </ItemGroup>
+
+  <Target Name="CopyVSTestFrameworkToMSTestAdapter" AfterTargets="Build">
+    <PropertyGroup>
+      <_PackagesDir>$(MSBuildThisFileDirectory)..\packages\</_PackagesDir>
+      <_MSTestFrameworkDir>$(_PackagesDir)MSTest.TestFramework.2.2.5\lib\net45\</_MSTestFrameworkDir>
+    </PropertyGroup>
+
+    <ItemGroup Condition="Exists('$(_MSTestFrameworkDir)')">
+      <_VSTestFrameworkDlls Include="$(_MSTestFrameworkDir)Microsoft.VisualStudio.TestPlatform.TestFramework*.dll" />
+    </ItemGroup>
+
+    <ItemGroup>
+      <_VSTestCopyDirs Include="$(TargetDir)" Condition="'$(TargetDir)' != '' AND Exists('$(TargetDir)')" />
+      <_MSTestAdapterDirs Include="$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\net45\" Condition="Exists('$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\net45\')" />
+      <_MSTestAdapterDirs Include="$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\_common\" Condition="Exists('$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\_common\')" />
+    </ItemGroup>
+
+    <Message
+      Condition="@(_VSTestFrameworkDlls) != ''"
+      Importance="high"
+      Text="CopyVSTestFrameworkToMSTestAdapter: copying @( _VSTestFrameworkDlls )" />
+
+    <Copy
+      Condition="@(_VSTestFrameworkDlls) != '' AND @(_VSTestCopyDirs) != ''"
+      SourceFiles="@(_VSTestFrameworkDlls)"
+      DestinationFolder="%(_VSTestCopyDirs.Identity)"
+      SkipUnchangedFiles="true" />
+
+    <Copy
+      Condition="@(_VSTestFrameworkDlls) != '' AND @(_MSTestAdapterDirs) != ''"
+      SourceFiles="@(_VSTestFrameworkDlls)"
+      DestinationFolder="%(_MSTestAdapterDirs.Identity)"
+      SkipUnchangedFiles="true" />
+  </Target>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
     <PropertyGroup>
@@ -133,4 +170,4 @@
   <Import Project="..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets" Condition="Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" />
   <Import Project="..\packages\Fody.6.5.5\build\Fody.targets" Condition="Exists('..\packages\Fody.6.5.5\build\Fody.targets')" />
   <Import Project="..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets" Condition="Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets')" />
-</Project>
+</Project>

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

@@ -356,7 +356,7 @@ namespace winPEAS.Checks
                 {
                     var rangeParts = networkType.Split('/');
 
-                    if (rangeParts.Length == 2 && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0)
+                    if (rangeParts.Length == 2 && IPAddress.TryParse(rangeParts[0], out _) && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0)
                     {
                         return true;
                     }

winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs

@@ -524,7 +524,7 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Looking for documents --limit 100--");
                 List<string> docFiles = InterestingFiles.InterestingFiles.ListUsersDocs();
-                Beaprint.ListPrint(docFiles.GetRange(0, docFiles.Count <= 100 ? docFiles.Count : 100));
+                Beaprint.ListPrint(MyUtils.GetLimitedRange(docFiles, 100));
             }
             catch (Exception ex)
             {
@@ -546,7 +546,7 @@ namespace winPEAS.Checks
 
                 if (recFiles.Count != 0)
                 {
-                    foreach (Dictionary<string, string> recF in recFiles.GetRange(0, recFiles.Count <= 70 ? recFiles.Count : 70))
+                    foreach (Dictionary<string, string> recF in MyUtils.GetLimitedRange(recFiles, 70))
                     {
                         Beaprint.AnsiPrint("    " + recF["Target"] + "(" + recF["Accessed"] + ")", colorF);
                     }

winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs

@@ -348,8 +348,7 @@ namespace winPEAS.Checks
                 Beaprint.MainPrint("DNS cached --limit 70--");
                 Beaprint.GrayPrint(string.Format("    {0,-38}{1,-38}{2}", "Entry", "Name", "Data"));
                 List<Dictionary<string, string>> DNScache = NetworkInfoHelper.GetDNSCache();
-                foreach (Dictionary<string, string> entry in DNScache.GetRange(0,
-                    DNScache.Count <= 70 ? DNScache.Count : 70))
+                foreach (Dictionary<string, string> entry in MyUtils.GetLimitedRange(DNScache, 70))
                 {
                     Console.WriteLine($"    {entry["Entry"],-38}{entry["Name"],-38}{entry["Data"]}");
                 }

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -88,6 +88,7 @@ namespace winPEAS.Checks
                 PrintLocalGroupPolicy,
                 PrintPotentialGPOAbuse,
                 AppLockerHelper.PrintAppLockerPolicy,
+                PrintPrintNightmarePointAndPrint,
                 PrintPrintersWMIInfo,
                 PrintNamedPipes,
                 PrintNamedPipeAbuseCandidates,
@@ -836,6 +837,39 @@ namespace winPEAS.Checks
             }
         }
 
+        private static void PrintPrintNightmarePointAndPrint()
+        {
+            Beaprint.MainPrint("PrintNightmare PointAndPrint Policies");
+            Beaprint.LinkPrint("https://itm4n.github.io/printnightmare-exploitation/", "Check PointAndPrint policy hardening");
+
+            try
+            {
+                string key = @"Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint";
+                var restrict = RegistryHelper.GetDwordValue("HKLM", key, "RestrictDriverInstallationToAdministrators");
+                var noWarn = RegistryHelper.GetDwordValue("HKLM", key, "NoWarningNoElevationOnInstall");
+                var updatePrompt = RegistryHelper.GetDwordValue("HKLM", key, "UpdatePromptSettings");
+
+                if (restrict == null && noWarn == null && updatePrompt == null)
+                {
+                    Beaprint.NotFoundPrint();
+                    return;
+                }
+
+                Beaprint.NoColorPrint($"      RestrictDriverInstallationToAdministrators: {restrict}\n" +
+                                      $"      NoWarningNoElevationOnInstall: {noWarn}\n" +
+                                      $"      UpdatePromptSettings: {updatePrompt}");
+
+                if (restrict == 0 && noWarn == 1 && updatePrompt == 2)
+                {
+                    Beaprint.BadPrint("      [!] Potentially vulnerable to PrintNightmare misconfiguration");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
         private static void PrintPrintersWMIInfo()
         {
             Beaprint.MainPrint("Enumerating Printers (WMI)");

winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs

@@ -21,6 +21,11 @@ namespace winPEAS.Helpers
                 ""); //To get the default object you need to use an empty string
         }
 
+        public static List<T> GetLimitedRange<T>(List<T> items, int limit)
+        {
+            return items.GetRange(0, Math.Min(items.Count, limit));
+        }
+
         ////////////////////////////////////
         /////// MISC - Files & Paths ///////
         ////////////////////////////////////

winPEAS/winPEASexe/winPEAS/Info/UserInfo/SAM/Structs.cs

@@ -16,6 +16,10 @@ namespace winPEAS.Info.UserInfo.SAM
         {
             get
             {
+                if (_maxPasswordAge == long.MinValue)
+                {
+                    return TimeSpan.MinValue;
+                }
                 return -new TimeSpan(_maxPasswordAge);
             }
             set
@@ -28,6 +32,10 @@ namespace winPEAS.Info.UserInfo.SAM
         {
             get
             {
+                if (_minPasswordAge == long.MinValue)
+                {
+                    return TimeSpan.MinValue;
+                }
                 return -new TimeSpan(_minPasswordAge);
             }
             set

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs

@@ -88,6 +88,10 @@ namespace winPEAS.KnownFileCreds
                     if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
                     {
                         string[] subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions\\", SID));
+                        if (subKeys.Length == 0)
+                        {
+                            subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions", SID));
+                        }
 
                         foreach (string sessionName in subKeys)
                         {
@@ -129,6 +133,10 @@ namespace winPEAS.KnownFileCreds
             else
             {
                 string[] subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions\\");
+                if (subKeys.Length == 0)
+                {
+                    subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions");
+                }
                 RegistryKey selfKey = Registry.CurrentUser.OpenSubKey(@"Software\\SimonTatham\\PuTTY\\Sessions"); // extract own Sessions registry keys           
 
                 if (selfKey != null)
@@ -198,6 +206,10 @@ namespace winPEAS.KnownFileCreds
                     if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
                     {
                         Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\", SID));
+                        if ((hostKeys == null) || (hostKeys.Count == 0))
+                        {
+                            hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys", SID));
+                        }
                         if ((hostKeys != null) && (hostKeys.Count != 0))
                         {
                             Dictionary<string, string> putty_ssh = new Dictionary<string, string>
@@ -216,6 +228,10 @@ namespace winPEAS.KnownFileCreds
             else
             {
                 Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKCU", "Software\\SimonTatham\\PuTTY\\SshHostKeys\\");
+                if ((hostKeys == null) || (hostKeys.Count == 0))
+                {
+                    hostKeys = RegistryHelper.GetRegValues("HKCU", "Software\\SimonTatham\\PuTTY\\SshHostKeys");
+                }
                 if ((hostKeys != null) && (hostKeys.Count != 0))
                 {
                     Dictionary<string, string> putty_ssh = new Dictionary<string, string>();

winPEAS/winPEASexe/winPEAS/Program.cs

@@ -11,6 +11,7 @@ namespace winPEAS
         [STAThread]
         public static void Main(string[] args)
         {
+            // TODO: keep Main minimal; this line was an intentional break in test PR.
             Checks.Checks.Run(args);
         }
     }

winPEAS/winPEASexe/winPEAS/winPEAS.csproj

@@ -57,7 +57,7 @@
     <Prefer32Bit>false</Prefer32Bit>
     <LangVersion>8.0</LangVersion>
     <RunCodeAnalysis>false</RunCodeAnalysis>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet Condition="Exists('MinimumRecommendedRules.ruleset')">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
   <PropertyGroup>
@@ -71,7 +71,7 @@
     <PlatformTarget>AnyCPU</PlatformTarget>
     <LangVersion>8.0</LangVersion>
     <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet Condition="Exists('MinimumRecommendedRules.ruleset')">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <Prefer32Bit>false</Prefer32Bit>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <NoWarn>0168 ; 0169; 0414; 0618; 0649</NoWarn>
@@ -84,7 +84,7 @@
     <PlatformTarget>x64</PlatformTarget>
     <LangVersion>8.0</LangVersion>
     <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet Condition="Exists('MinimumRecommendedRules.ruleset')">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <Prefer32Bit>false</Prefer32Bit>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
@@ -96,7 +96,7 @@
     <PlatformTarget>x86</PlatformTarget>
     <LangVersion>8.0</LangVersion>
     <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet Condition="Exists('MinimumRecommendedRules.ruleset')">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <Prefer32Bit>false</Prefer32Bit>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
@@ -108,7 +108,7 @@
     <PlatformTarget>x86</PlatformTarget>
     <LangVersion>8.0</LangVersion>
     <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet Condition="Exists('MinimumRecommendedRules.ruleset')">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <Prefer32Bit>false</Prefer32Bit>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>

winPEAS/winPEASps1/winPEAS.ps1

@@ -821,6 +821,34 @@ $Hotfix = Get-HotFix | Sort-Object -Descending -Property InstalledOn -ErrorActio
 $Hotfix | Format-Table -AutoSize
 
 
+# PrintNightmare PointAndPrint policy checks
+Write-Host ""
+if ($TimeStamp) { TimeElapsed }
+Write-Host -ForegroundColor Blue "=========|| PRINTNIGHTMARE POINTANDPRINT POLICY"
+$pnKey = "HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
+if (Test-Path $pnKey) {
+  $pn = Get-ItemProperty -Path $pnKey -ErrorAction SilentlyContinue
+  $restrict = $pn.RestrictDriverInstallationToAdministrators
+  $noWarn = $pn.NoWarningNoElevationOnInstall
+  $updatePrompt = $pn.UpdatePromptSettings
+
+  Write-Host "RestrictDriverInstallationToAdministrators: $restrict"
+  Write-Host "NoWarningNoElevationOnInstall: $noWarn"
+  Write-Host "UpdatePromptSettings: $updatePrompt"
+
+  $hasAllValues = ($null -ne $restrict) -and ($null -ne $noWarn) -and ($null -ne $updatePrompt)
+  if (-not $hasAllValues) {
+    Write-Host "PointAndPrint policy values are missing or not configured" -ForegroundColor Gray
+  } elseif (($restrict -eq 0) -and ($noWarn -eq 1) -and ($updatePrompt -eq 2)) {
+    Write-Host "Potentially vulnerable to PrintNightmare misconfiguration" -ForegroundColor Red
+  } else {
+    Write-Host "PointAndPrint policy is not in the known risky configuration" -ForegroundColor Green
+  }
+} else {
+  Write-Host "PointAndPrint policy key not found" -ForegroundColor Gray
+}
+
+
 #Show all unique updates installed
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
@@ -1649,7 +1677,7 @@ if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| WHOAMI INFO"
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
-Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#abusing-tokens" -ForegroundColor yellow
+Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#abusing-tokens"
 Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege"
 Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups" -ForegroundColor Yellow
 Start-Process whoami.exe -ArgumentList "/all" -Wait -NoNewWindow