fix capabilities module

Update 4_Capabilities.sh: Fix capability decoding to prevent shell breaking output from shell/process capabiltiy checking.

.gitignore

@@ -1,4 +1,5 @@
 .vs/*
+.vscode/*
 winPEAS/winPEASexe/.vs/*
 v16/*
 winPEAS/winPEASexe/.vs/winPEAS/v16/*
@@ -24,6 +25,8 @@ __pycache__
 linPEAS/builder/__pycache__/*
 linPEAS/builder/src/__pycache__/*
 linPEAS/linpeas.sh
+linPEAS/builder/linpeas_base_tmp.sh
+build_lists/regexes.yaml
 sh2bin
 sh2bin/*
 .dccache

README.md

@@ -12,10 +12,10 @@ Here you will find **privilege escalation tools for Windows and Linux/Unix\* and
 
 These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.
 
-- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
+- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
 - **[WinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
 
-- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**
+- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**
 - **[LinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
 
 ## Quick Start

build_lists/sensitive_files.yaml

@@ -1271,6 +1271,8 @@ search:
     value:
         config:
           auto_check: True
+          exec:
+            - '(pwsh -Command "Save-AzContext -Path /tmp/az-context3489ht.json" && cat /tmp/az-context3489ht.json && rm /tmp/az-context3489ht.json) || echo_not_found "pwsh"'
 
         files:
           #- name: "credentials"
@@ -1379,13 +1381,54 @@ search:
                   - common
 
           - name: "AzureRMContext.json"
+            value:
+                bad_regex: "Id.*|Credential.*"
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "clouds.config"
+            value: 
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "service_principal_entries.json"
             value: 
                 bad_regex: ".*"
                 type: f
                 search_in: 
                   - common
           
-          - name: "ErrorRecords" #Azure logs can contain creentials
+          - name: "msal_token_cache.json"
+            value: 
+                bad_regex: ".*"
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "msal_http_cache.bin"
+            value: 
+                just_list_file: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "service_principal_entries.bin"
+            value: 
+                just_list_file: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "msal_token_cache.bin"
+            value: 
+                just_list_file: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "ErrorRecords" #Azure logs can contain crentials
             value: 
                 type: d
                 search_in: 
@@ -1458,7 +1501,7 @@ search:
         config:
           auto_check: True
           exec:
-            - ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting"; fi
+            - ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.wiki/en/linux-hardening/freeipa-pentesting.html"; fi
         
         files:
           - name: "ipa"

linPEAS/README.md

@@ -2,9 +2,9 @@
 
 ![](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png)
 
-**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)**
+**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html)**
 
-Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**.
+Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**.
 
 [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566)
 
@@ -22,7 +22,7 @@ Check how to **select the checks you want to build [in your own linpeas followin
 
 Note that by default, in the releases pages of this repository, you will find a **linpeas with all the checks**.
 
-## Differences between `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:
+## Differences between `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:
 
 - **linpeas_fat.sh**: Contains all checks, even third party applications in base64 embedded.
 - **linpeas.sh**: Contains all checks, but only the third party application `linux exploit suggester` is embedded. This is the default `linpeas.sh`.

linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh

@@ -15,7 +15,7 @@
 
 if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
     print_2title "Searching Signature verification failed in dmesg"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed"
     (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
     echo ""
 fi

linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh

@@ -13,7 +13,7 @@
 # Small linpeas: 1
 
 print_2title "Operative system"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
 (cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
 warn_exec lsb_release -a 2>/dev/null
 if [ "$MACPEAS" ]; then

linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh

@@ -15,7 +15,7 @@
 
 print_2title "Sudo version"
 if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version"
 sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
 else echo_not_found "sudo"
 fi

linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh

@@ -15,7 +15,7 @@
 
 if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
     print_2title "USBCreator"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html"
 
     pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
     if [ -z "$pc_version" ]; then

linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "PATH"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses"
 if ! [ "$IAMROOT" ]; then
     echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
 fi

linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh

@@ -15,7 +15,7 @@
 
 if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
   print_2title "Listing mounted tokens"
-  print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
+  print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
   ALREADY_TOKENS="IinItialVaaluE"
   for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
       TEMP_TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))

linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh

@@ -16,7 +16,7 @@
 if [ "$inContainer" ]; then
     echo ""
     print_2title "Container & breakout enumeration"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html"
     print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
     if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
         print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
@@ -34,7 +34,7 @@ if [ "$inContainer" ]; then
     print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
 
     print_3title "Breakout via mounts"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html"
     
     checkProcSysBreakouts
     print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
@@ -71,7 +71,7 @@ if [ "$inContainer" ]; then
     
     echo ""
     print_3title "Namespaces"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html"
     ls -l /proc/self/ns/
 
     if echo "$containerType" | grep -qi "kubernetes"; then
@@ -80,7 +80,7 @@ if [ "$inContainer" ]; then
         echo ""
         
         print_2title "Kubernetes Information"
-        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
         
         
         print_3title "Kubernetes service account folder"
@@ -92,7 +92,7 @@ if [ "$inContainer" ]; then
         echo ""
 
         print_3title "Current sa user k8s permissions"
-        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.html"
         kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
           "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
             -X 'POST' -H 'Content-Type: application/json' \
@@ -102,7 +102,7 @@ if [ "$inContainer" ]; then
     echo ""
 
     print_2title "Container Capabilities"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#capabilities-abuse-escape"
     if [ "$(command -v capsh || echo -n '')" ]; then 
       capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
     else

linPEAS/builder/linpeas_parts/3_cloud/10_Azure_automation_account.sh

@@ -0,0 +1,46 @@
+# Title: Cloud - Azure Automation Account
+# ID: CL_Azure_automation_account
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Azure Automation Account Service Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_az_automation_acc, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_az_automation_acc,
+# Initial Functions: check_az_automation_acc
+# Generated Global Variables: $API_VERSION, $HEADER, $az_req
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
+
+if [ "$is_az_automation_acc" = "Yes" ]; then
+  print_2title "Azure Automation Account Service Enumeration"
+
+  HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"
+
+  az_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      az_req="curl -s -f -L -H '$HEADER'"
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      az_req="wget -q -O - --header '$HEADER'"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$az_req" ]; then
+    print_3title "Management token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
+    echo
+    print_3title "Graph token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    echo
+    print_3title "Vault token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+    echo
+    print_3title "Storage token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/14_IBM_Cloud.sh

@@ -28,7 +28,7 @@ if [ "$is_ibm_vm" = "Yes" ]; then
     if [ "$(command -v curl || echo -n '')" ]; then
         ibm_req="curl -s -f -L -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
     elif [ "$(command -v wget || echo -n '')" ]; then
-        ibm_req="wget -q -O - -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
+        ibm_req="wget -q -O - --header '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
     else 
         echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
     fi

linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh

@@ -5,15 +5,16 @@
 # Description: Check if the current system is inside a cloud environment
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
-# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
-# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_aliyun_ecs, check_tencent_cvm
+# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_az_automation_acc, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
+# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_automation_acc, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
+# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_az_automation_acc, check_aliyun_ecs, check_tencent_cvm
 # Generated Global Variables:
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
 printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}training.hacktricks.xyz\n"$NC
+echo ""
 
 print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "GCP Cloud Funtion? ................... $is_gcp_function\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
@@ -24,8 +25,9 @@ print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s
 print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-print_list "Azure VM? ............................ $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure VM or Az metadata? ............. $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure APP or IDENTITY_ENDPOINT? ...... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure Automation Account? ............ $is_az_automation_acc\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Tencent CVM? ......................... $is_tencent_cvm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 

linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh

@@ -8,7 +8,7 @@
 # Functions Used: check_aws_ec2, exec_with_jq, print_2title, print_3title
 # Global Variables: $is_aws_ec2
 # Initial Functions: check_aws_ec2
-# Generated Global Variables: $aws_req, $HEADER, $URL, $mac, $role
+# Generated Global Variables: $aws_req, $HEADER, $URL, $mac, $role, $TOKEN, $TOKEN_HEADER, $TOKEN_TTL
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -16,14 +16,20 @@
 if [ "$is_aws_ec2" = "Yes" ]; then
     print_2title "AWS EC2 Enumeration"
     
-    HEADER="X-aws-ec2-metadata-token: "
+    TOKEN=""
+    TOKEN_HEADER="X-aws-ec2-metadata-token"
+    TOKEN_TTL="X-aws-ec2-metadata-token-ttl-seconds: 21600"
     URL="http://169.254.169.254/latest/meta-data"
     
     aws_req=""
     if [ "$(command -v curl || echo -n '')" ]; then
-        aws_req="curl -s -f -L -H '$HEADER'"
+        # Get token for IMDSv2
+        TOKEN=$(curl -s -f -X PUT "http://169.254.169.254/latest/api/token" -H "$TOKEN_TTL" 2>/dev/null)
+        aws_req="curl -s -f -L -H '$TOKEN_HEADER: $TOKEN'"
     elif [ "$(command -v wget || echo -n '')" ]; then
-        aws_req="wget -q -O - -H '$HEADER'"
+        # Get token for IMDSv2
+        TOKEN=$(wget -q -O - --method=PUT --header="$TOKEN_TTL" "http://169.254.169.254/latest/api/token" 2>/dev/null)
+        aws_req="wget -q -O - --header '$TOKEN_HEADER: $TOKEN'"
     else 
         echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
     fi

linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh

@@ -26,7 +26,7 @@ if [ "$is_gcp_function" = "Yes" ]; then
     # GCP Enumeration
     if [ "$gcp_req" ]; then
         print_2title "Google Cloud Platform Enumeration"
-        print_info "https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
 
         ## GC Project Info
         p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')

linPEAS/builder/linpeas_parts/3_cloud/7_Google_cloud_vm.sh

@@ -26,7 +26,7 @@ if [ "$is_gcp_vm" = "Yes" ]; then
 
     if [ "$gcp_req" ]; then
         print_2title "Google Cloud Platform Enumeration"
-        print_info "https://book.hacktricks.xyz/cloud-security/gcp-security"
+        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
 
         ## GC Project Info
         p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')

linPEAS/builder/linpeas_parts/3_cloud/8_Azure_VM.sh

@@ -24,7 +24,7 @@ if [ "$is_az_vm" = "Yes" ]; then
   if [ "$(command -v curl || echo -n '')" ]; then
       az_req="curl -s -f -L -H '$HEADER'"
   elif [ "$(command -v wget || echo -n '')" ]; then
-      az_req="wget -q -O - -H '$HEADER'"
+      az_req="wget -q -O - --header '$HEADER'"
   else 
       echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
   fi
@@ -32,21 +32,39 @@ if [ "$is_az_vm" = "Yes" ]; then
   if [ "$az_req" ]; then
     print_3title "Instance details"
     exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
+    echo ""
 
     print_3title "Load Balancer details"
     exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
+    echo ""
+
+    print_3title "User Data"
+    exec_with_jq eval $az_req "$URL/instance/compute/userData?api-version=$API_VERSION\&format=text" | base64 -d 2>/dev/null
+    echo ""
+
+    print_3title "Custom Data and other configs (root needed)"
+    (cat /var/lib/waagent/ovf-env.xml || cat /var/lib/waagent/CustomData/ovf-env.xml) 2>/dev/null | sed "s,CustomData.*,${SED_RED},"
+    echo ""
 
     print_3title "Management token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
+    echo ""
 
     print_3title "Graph token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    echo ""
     
     print_3title "Vault token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+    echo ""
 
     print_3title "Storage token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
     exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+    echo ""
   fi
   echo ""
 fi

linPEAS/builder/linpeas_parts/3_cloud/9_Azure_app_service.sh

@@ -13,19 +13,18 @@
 # Small linpeas: 0
 
 
-API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
+API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
 
 if [ "$is_az_app" = "Yes" ]; then
   print_2title "Azure App Service Enumeration"
-  echo "I haven't tested this one, if it doesn't work, please send a PR fixing and adding functionality :)"
 
-  HEADER="secret:$IDENTITY_HEADER"
+  HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"
 
   az_req=""
   if [ "$(command -v curl || echo -n '')" ]; then
       az_req="curl -s -f -L -H '$HEADER'"
   elif [ "$(command -v wget || echo -n '')" ]; then
-      az_req="wget -q -O - -H '$HEADER'"
+      az_req="wget -q -O - --header '$HEADER'"
   else 
       echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
   fi
@@ -33,13 +32,13 @@ if [ "$is_az_app" = "Yes" ]; then
   if [ "$az_req" ]; then
     print_3title "Management token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
-
+    echo
     print_3title "Graph token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
-    
+    echo
     print_3title "Vault token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
-
+    echo
     print_3title "Storage token"
     exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
   fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "System timers"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
   (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
   echo ""
 fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Analyzing .timer files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
 printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
   if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
     echo "$t" | sed -${E} "s,.*,${SED_RED},g"

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh

@@ -15,7 +15,7 @@
 
 #TODO: .service files in MACOS are folders
 print_2title "Analyzing .service files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services"
 printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
   if [ ! -O "" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
     if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh

@@ -16,7 +16,7 @@
 #TODO: .socket files in MACOS are folders
 if ! [ "$IAMROOT" ]; then
   print_2title "Analyzing .socket files"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
   printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
     if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
       echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh

@@ -17,7 +17,7 @@
 if ! [ "$IAMROOT" ]; then
   if ! [ "$SEARCH_IN_FOLDER" ]; then
     print_2title "Unix Sockets Listening"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
     # Search sockets using netstat and ss
     unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
     if ! [ "$unix_scks_list" ];then

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "D-Bus Service Objects list"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
   dbuslist=$(busctl list 2>/dev/null)
   if [ "$dbuslist" ]; then
     busctl list | while read l; do

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh

@@ -13,7 +13,7 @@
 # Small linpeas: 0
 
 print_2title "D-Bus config files"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
 if [ "$PSTORAGE_DBUS" ]; then
   printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
     for f in $d/*; do

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh

@@ -19,7 +19,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$NOUSEPS" ]; then
     printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
   fi
-  print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
+  print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
 
   if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
     echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Processes with credentials in memory (root req)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory"
   if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
   if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
   if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh

@@ -16,7 +16,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$NOUSEPS" ]; then
     print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
     binW="IniTialiZZinnggg"
     ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
       if [ -w "$bpath" ]; then

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh

@@ -28,9 +28,9 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
       continue
     fi
     ppid_user=$(get_user_by_pid "$ppid")
-    if echo "$user" | grep -Eqv "$ppid_user|root$"; then
+    if echo "$ppid_user" | grep -Eqv "$user|root$"; then
       echo "Proc $pid with ppid $ppid is run by user $user but the ppid user is $ppid_user" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
     fi
   done
   echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh

@@ -16,7 +16,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
     print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#frequent-cron-jobs"
     temp_file=$(mktemp)
     if [ "$(ps -e -o user,command 2>/dev/null)" ]; then 
       for i in $(seq 1 1210); do 

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Systemd PATH"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
   systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
   WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
   echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Cron jobs"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
   command -v crontab 2>/dev/null || echo_not_found "crontab"
   crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
   command -v incrontab 2>/dev/null || echo_not_found "incrontab"
@@ -27,7 +27,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   atq 2>/dev/null
 else
   print_2title "Cron jobs"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
   find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
 fi
 echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh

@@ -16,7 +16,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$MACPEAS" ]; then
     print_2title "Third party LaunchAgents & LaunchDemons"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#launchd"
     ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
     echo ""
 
@@ -34,12 +34,12 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
     echo ""
 
     print_2title "StartupItems"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
     ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
     echo ""
 
     print_2title "Login Items"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
     osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
     echo ""
 
@@ -48,7 +48,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
     echo ""
 
     print_2title "Emond scripts"
-    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#emond"
     ls -l /private/var/db/emondClients
     echo ""
   fi

linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh

@@ -14,6 +14,6 @@
 
 
 print_2title "Active Ports"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports"
 ( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
 echo ""

linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh

@@ -16,7 +16,7 @@
 print_2title "Can I sniff with tcpdump?"
 timeout 1 tcpdump >/dev/null 2>&1
 if [ $? -eq 124 ]; then #If 124, then timed out == It worked
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sniffing"
     echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
 else echo_no
 fi

linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh

@@ -14,6 +14,6 @@
 
 
 print_2title "Checking Pkexec policy"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2"
 (cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
 echo ""

linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh

@@ -14,6 +14,6 @@
 
 
 print_2title "My user"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users"
 (id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
 echo ""

linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh

@@ -15,7 +15,7 @@
 
 if [ "$MACPEAS" ];then
   print_2title "Keychains"
-  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker"
+  print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#chainbreaker"
   security list-keychains
   echo ""
 fi

linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 (echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
 if [ "$PASSWORD" ]; then
   (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null  || echo_not_found "sudo"

linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Checking sudo tokens"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens"
 ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
 if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
   echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";

linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh

@@ -17,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   containerd=$(command -v ctr || echo -n '')
   if [ "$containerd" ] || [ "$DEBUG" ]; then
     print_2title "Checking if containerd(ctr) is available"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#containerd-ctr-privilege-escalation"
     if [ "$containerd" ]; then
       echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
       ctr image list 2>&1

linPEAS/builder/linpeas_parts/7_software_information/Docker.sh

@@ -15,7 +15,7 @@
 
 if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
   print_2title "Searching docker files (limit 70)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/index.html#docker-breakout--privilege-escalation"
   printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
     ls -l "$f" 2>/dev/null
     if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then

linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh

@@ -15,7 +15,7 @@
 
 if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then
   print_2title "Analyzing kcpassword files"
-  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
+  print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#kcpassword"
   printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
     echo "$f" | sed -${E} "s,.*,${SED_RED},"
     base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"

linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh

@@ -18,7 +18,7 @@ klist_exists="$(command -v klist || echo -n '')"
 kinit_exists="$(command -v kinit || echo -n '')"
 if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
   print_2title "Searching kerberos conf files and tickets"
-  print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/linux-active-directory.html#linux-active-directory"
 
   if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi
   if [ "$kinit_exists" ]; then echo "kadmin was found on $kinit_exists" | sed "s,$kinit_exists,${SED_RED},"; fi

linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh

@@ -36,7 +36,7 @@ if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then
       for f in $(find $d -name user.MYD 2>/dev/null); do
         if [ -r "$f" ]; then
           echo "We can read the Mysql Hashes from $f" | sed -${E} "s,.*,${SED_RED},"
-          grep -oaE "[-_\.\*a-Z0-9]{3,}" "$f" | grep -v "mysql_native_password"
+          grep -oaE "[-_\.\*a-zA-Z0-9]{3,}" "$f" | grep -v "mysql_native_password"
         fi
       done
       

linPEAS/builder/linpeas_parts/7_software_information/Runc.sh

@@ -17,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   runc=$(command -v runc || echo -n '')
   if [ "$runc" ] || [ "$DEBUG" ]; then
     print_2title "Checking if runc is available"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#runc--privilege-escalation"
     if [ "$runc" ]; then
       echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
     fi

linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh

@@ -15,7 +15,7 @@
 
 if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching screen sessions"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
   screensess=$(screen -ls 2>/dev/null)
   screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
   

linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh

@@ -18,7 +18,7 @@ tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
 tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
 if ([ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching tmux sessions"$N
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
   tmux -V
   printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
 

linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$IAMROOT" ]; then
   print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
   #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
   obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
   printf "%s\n" "$obmowbe" | while read l; do

linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$IAMROOT" ]; then
   print_2title "Interesting GROUP writable files (not in Home) (max 200)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
   for g in $(groups); do
     iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
     if [ "$iwfbg" ] || [ "$DEBUG" ]; then

linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "SUID - Check easy privesc, exploits and write perms"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 if ! [ "$STRINGS" ]; then
   echo_not_found "strings"
 fi

linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "SGID"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
 printf "%s\n" "$sgids_files" | while read s; do
   s=$(ls -lahtr "$s")

linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh

@@ -14,7 +14,7 @@
 
 
 print_2title "Files with ACLs (limited to 50)"
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls"
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
 else

linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh

@@ -15,29 +15,57 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Capabilities"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
   if [ "$(command -v capsh || echo -n '')" ]; then
-
     print_3title "Current shell capabilities"
     cat "/proc/$$/status" | grep Cap | while read -r cap_line; do
       cap_name=$(echo "$cap_line" | awk '{print $1}')
       cap_value=$(echo "$cap_line" | awk '{print $2}')
       if [ "$cap_name" = "CapEff:" ]; then
-        echo "$cap_name	 $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED_YELLOW},")"
+        # Add validation check for cap_value
+        # For more POSIX-compliant formatting, the following could be used instead:
+        # if echo "$cap_value" | grep -E '^[0-9a-fA-F]+$' > /dev/null 2>&1; then
+        if [[ "$cap_value" =~ ^[0-9a-fA-F]+$ ]]; then
+          # Memory errors can occur with certain values (e.g., ffffffffffffffff)
+          # so we redirect stderr to prevent error propagation
+          echo "$cap_name	 $(capsh --decode=0x"$cap_value" 2>/dev/null | sed -${E} "s,$capsB,${SED_RED_YELLOW},")"
+        else
+          echo "$cap_name	 [Invalid capability format]"
+        fi
       else
-        echo "$cap_name  $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED},")"
+        # Add validation check for cap_value
+        if [[ "$cap_value" =~ ^[0-9a-fA-F]+$ ]]; then
+          # Memory errors can occur with certain values (e.g., ffffffffffffffff)
+          # so we redirect stderr to prevent error propagation
+          echo "$cap_name  $(capsh --decode=0x"$cap_value" 2>/dev/null | sed -${E} "s,$capsB,${SED_RED},")"
+        else
+          echo "$cap_name  [Invalid capability format]"
+        fi
       fi
     done
     echo ""
-
     print_info "Parent process capabilities"
     cat "/proc/$PPID/status" | grep Cap | while read -r cap_line; do
       cap_name=$(echo "$cap_line" | awk '{print $1}')
       cap_value=$(echo "$cap_line" | awk '{print $2}')
       if [ "$cap_name" = "CapEff:" ]; then
-        echo "$cap_name	 $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED_YELLOW},")"
+        # Add validation check for cap_value
+        if [[ "$cap_value" =~ ^[0-9a-fA-F]+$ ]]; then
+          # Memory errors can occur with certain values (e.g., ffffffffffffffff)
+          # so we redirect stderr to prevent error propagation
+          echo "$cap_name	 $(capsh --decode=0x"$cap_value" 2>/dev/null | sed -${E} "s,$capsB,${SED_RED_YELLOW},")"
+        else
+          echo "$cap_name	 [Invalid capability format]"
+        fi
       else
-        echo "$cap_name	 $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED},")"
+        # Add validation check for cap_value
+        if [[ "$cap_value" =~ ^[0-9a-fA-F]+$ ]]; then
+          # Memory errors can occur with certain values (e.g., ffffffffffffffff)
+          # so we redirect stderr to prevent error propagation
+          echo "$cap_name	 $(capsh --decode=0x"$cap_value" 2>/dev/null | sed -${E} "s,$capsB,${SED_RED},")"
+        else
+          echo "$cap_name	 [Invalid capability format]"
+        fi
       fi
     done
     echo ""
@@ -69,10 +97,9 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
     if ! [ "$capsVB_vuln" ]; then
       echo "$cb" | sed -${E} "s,$capsB,${SED_RED},"
     fi
-
     if ! [ "$IAMROOT" ] && [ -w "$(echo $cb | cut -d" " -f1)" ]; then
       echo "$cb is writable" | sed -${E} "s,.*,${SED_RED},"
     fi
   done
   echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh

@@ -15,7 +15,7 @@
 
 if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
   print_2title "Users with capabilities"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
   if [ -f "/etc/security/capability.conf" ]; then
     grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
   else echo_not_found "/etc/security/capability.conf"

linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
   print_2title "Checking misconfigurations of ld.so"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso"
   if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then 
     echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
     printf $RED$ITALIC"/etc/ld.so.conf\n"$NC;

linPEAS/builder/linpeas_parts/8_interesting_perms_files/7_Files_etc_profile_d.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Files (scripts) in /etc/profile.d/"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files"
   if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
     (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
     check_critial_root_path "/etc/profile"

linPEAS/builder/linpeas_parts/8_interesting_perms_files/8_Files_etc_init_d.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
 print_2title "Permissions in init, init.d, systemd, and rc.d"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd"
   if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
     check_critial_root_path "/etc/init/"
     check_critial_root_path "/etc/init.d/"

linPEAS/builder/linpeas_parts/9_interesting_files/1_Sh_files_in_PATH.sh

@@ -15,7 +15,7 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title ".sh files in path"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path"
   echo $PATH | tr ":" "\n" | while read d; do
     for f in $(find "$d" -name "*.sh" -o -name "*.sh.*" 2>/dev/null); do
       if ! [ "$IAMROOT" ] && [ -O "$f" ]; then

linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh

@@ -15,6 +15,6 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching passwords inside logs (limit 70)"
-  (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|modules-config/config-set-passwords\|config-set-passwords already ran\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
+  (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -R -H -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|modules-config/config-set-passwords\|config-set-passwords already ran\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
   echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/9_interesting_files/28_Files_with_passwords.sh

@@ -19,7 +19,7 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
   print_2title "Searching possible password variables inside key folders (limit 140)"
   if ! [ "$SEARCH_IN_FOLDER" ]; then
     timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
-    timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
+    timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
   else
     timeout 150 find $SEARCH_IN_FOLDER -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
   fi
@@ -29,12 +29,12 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
   ##-- IF) Find possible conf files with passwords
   print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)"
   if ! [ "$SEARCH_IN_FOLDER" ]; then
-    ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
+    ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null)
   else
-    ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
+    ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null)
   fi
   printf "%s\n" "$ppicf" | while read f; do
-    if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' \"$f\" 2>/dev/null; then
+    if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' "$f" 2>/dev/null; then
       echo "$ITALIC $f$NC"
       grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g"
     fi

linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh

@@ -15,7 +15,7 @@
 
 if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below
 print_2title "Writable log files (logrotten) (limit 50)"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation"
   logrotate --version 2>/dev/null || echo_not_found "logrotate"
   lastWlogFolder="ImPOsSiBleeElastWlogFolder"
   logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50)

linPEAS/builder/linpeas_parts/functions/check_aliyun_ecs.sh

@@ -13,8 +13,7 @@
 # Small linpeas: 1
 
 
-
-check_aliyun_ecs () {
+check_aliyun_ecs(){
   is_aliyun_ecs="No"
   if [ -f "/etc/cloud/cloud.cfg.d/aliyun_cloud.cfg" ]; then 
     is_aliyun_ecs="Yes"

linPEAS/builder/linpeas_parts/functions/check_az_app.sh

@@ -16,7 +16,10 @@
 check_az_app(){
   is_az_app="No"
 
-  if [ -d "/opt/microsoft" ] && env | grep -q "IDENTITY_ENDPOINT"; then
+  if [ -d "/opt/microsoft" ] && env | grep -iq "azure"; then
+    is_az_app="Yes"
+  fi
+  if [ -n "$IDENTITY_ENDPOINT" ] && echo "$IDENTITY_ENDPOINT" | grep -q "/token" && [ -n "$IDENTITY_HEADER" ]; then
     is_az_app="Yes"
   fi
 }

linPEAS/builder/linpeas_parts/functions/check_az_automation_acc.sh

@@ -0,0 +1,22 @@
+# Title: Cloud - check_az_automation_acc
+# ID: check_az_automation_acc
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check if the script is running in Azure App Service
+# License: GNU GPL
+# Version: 1.0
+# Functions Used:
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $is_az_automation_acc
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+check_az_automation_acc(){
+  is_az_automation_acc="No"
+
+  if env | grep -iq "azure" && env | grep -iq "AutomationServiceEndpoint"; then
+    is_az_automation_acc="Yes"
+  fi
+}

linPEAS/builder/linpeas_parts/functions/check_az_vm.sh

@@ -8,7 +8,7 @@
 # Functions Used:
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables: $is_az_vm
+# Generated Global Variables: $is_az_vm, $meta_response
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -16,10 +16,28 @@
 check_az_vm(){
   is_az_vm="No"
 
+  # 1. Check if the Azure log directory exists
   if [ -d "/var/log/azure/" ]; then
     is_az_vm="Yes"
-  
-  elif cat /etc/resolv.conf 2>/dev/null | grep -q "search reddog.microsoft.com"; then
+
+  # 2. Check if 'reddog.microsoft.com' is found in /etc/resolv.conf
+  elif grep -q "search reddog.microsoft.com" /etc/resolv.conf 2>/dev/null; then
     is_az_vm="Yes"
+
+  else
+    # 3. Try querying the Azure Metadata Service for more wide support (e.g. Azure Container Registry tasks need this)
+    if command -v curl &> /dev/null; then
+      meta_response=$(curl -s --max-time 2 \
+        "http://169.254.169.254/metadata/identity/oauth2/token")
+      if echo "$meta_response" | grep -q "Missing"; then
+        is_az_vm="Yes"
+      fi
+    elif command -v wget &> /dev/null; then
+      meta_response=$(wget -qO- --timeout=2 \
+        "http://169.254.169.254/metadata/identity/oauth2/token")
+      if echo "$meta_response" | grep -q "Missing"; then
+        is_az_vm="Yes"
+      fi
+    fi
   fi
-}
+}

linPEAS/builder/linpeas_parts/functions/check_tencent_cvm.sh

@@ -16,7 +16,7 @@
 
 check_tencent_cvm () {
   is_tencent_cvm="No"
-  if [ -f "/etc/cloud/cloud.cfg.d/05_logging.cfg" ] || grep -qi Tencent /etc/cloud/cloud.cfg; then
+  if grep -qi Tencent /etc/cloud/cloud.cfg 2>/dev/null; then
       is_tencent_cvm="Yes"
   fi
 }

linPEAS/builder/linpeas_parts/functions/execBin.sh

@@ -2,30 +2,53 @@
 # ID: execBin
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Write and exected an embedded binary
+# Description: Write and execute an embedded binary
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_3title, print_info
 # Global Variables: $Wfolder
 # Initial Functions:
-# Generated Global Variables: $TOOL_NAME, $TOOL_LINK, $B64_BIN, $PARAMS
+# Generated Global Variables: $TOOL_NAME, $TOOL_LINK, $B64_BIN, $PARAMS, $TMP_BIN, $cmdpid, $watcher, $rc
 # Fat linpeas: 0
 # Small linpeas: 1
 
 
-execBin(){
-  TOOL_NAME=$1
-  TOOL_LINK=$2
-  B64_BIN=$3
-  PARAMS=$4
-  if [ "$B64_BIN" ]; then
-    echo ""
-    print_3title "Running $TOOL_NAME"
-    print_info "$TOOL_LINK"
-    echo "$B64_BIN" | base64 -d > $Wfolder/bin
-    chmod +x $Wfolder/bin
-    eval "$Wfolder/bin $PARAMS"
-    rm -f $Wfolder/bin
-    echo ""
+execBin() {
+  TOOL_NAME=$1        # Display name
+  TOOL_LINK=$2        # Reference URL
+  B64_BIN=$3          # base64‑encoded executable
+  PARAMS=$4           # Arguments to the tool
+
+  [ -z "$B64_BIN" ] && return 0   # nothing to do
+
+  echo
+  print_3title "Running $TOOL_NAME"
+  print_info  "$TOOL_LINK"
+
+  TMP_BIN=$(mktemp "${Wfolder:-/tmp}/bin.XXXXXX") || { echo "mktemp failed"; return 1; }
+  printf '%s' "$B64_BIN" | base64 -d > "$TMP_BIN" || { echo "decode failed"; rm -f "$TMP_BIN"; return 1; }
+  chmod +x "$TMP_BIN"
+
+  # ---------------- 120‑second wall‑clock timeout ----------------
+  if command -v timeout >/dev/null 2>&1; then                 # GNU/BSD timeout
+      timeout --preserve-status -s 9 120 "$TMP_BIN" $PARAMS
+  elif command -v gtimeout >/dev/null 2>&1; then              # Homebrew coreutils (macOS)
+      gtimeout --preserve-status -s 9 120 "$TMP_BIN" $PARAMS
+  else                                                        # POSIX fall‑back
+      (
+        "$TMP_BIN" $PARAMS &                                  # run in background
+        cmdpid=$!
+        ( sleep 120 && kill -9 "$cmdpid" 2>/dev/null) &
+        watcher=$!
+        wait "$cmdpid"
+        rc=$?
+        kill -9 "$watcher" 2>/dev/null
+        exit $rc
+      )
   fi
+  rc=$?
+
+  rm -f "$TMP_BIN"
+  echo
+  return $rc
 }

linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh

@@ -188,6 +188,9 @@ if [ $? -ne 0 ] ; then
 	fi
 fi
 
+# on macOS the built-in echo does not support -n, use /bin/echo instead
+if [ "$MACPEAS" ] ; then alias echo=/bin/echo ; fi
+
 print_title(){
   if [ "$DEBUG" ]; then
     END_T1_TIME=$(date +%s 2>/dev/null)
@@ -343,7 +346,7 @@ print_support () {
     ${GREEN}/---------------------------------------------------------------------------------\\
     |                             ${BLUE}Do you like PEASS?${GREEN}                                  |
     |---------------------------------------------------------------------------------|
-    |         ${YELLOW}Learn Cloud Hacking${GREEN}       :     ${RED}https://training.hacktricks.xyz${GREEN}         |
+    |         ${YELLOW}Learn Cloud Hacking${GREEN}       :     ${RED}https://training.hacktricks.xyz ${GREEN}        |
     |         ${YELLOW}Follow on Twitter${GREEN}         :     ${RED}@hacktricks_live${GREEN}                        |
     |         ${YELLOW}Respect on HTB${GREEN}            :     ${RED}SirBroccoli            ${GREEN}                 |
     |---------------------------------------------------------------------------------|
@@ -362,7 +365,7 @@ printf ${BLUE}"          $SCRIPTNAME-$VERSION ${YELLOW}by carlospolop\n"$NC;
 echo ""
 printf ${YELLOW}"ADVISORY: ${BLUE}$ADVISORY\n$NC"
 echo ""
-printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist\n"$NC
+printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html\n"$NC
 echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m,"
 echo "  RED/YELLOW: 95% a PE vector" | sed "s,RED/YELLOW,${SED_RED_YELLOW},"
 echo "  RED: You should take a look to it" | sed "s,RED,${SED_RED},"

linPEAS/builder/src/linpeasBaseBuilder.py

@@ -66,7 +66,7 @@ class LinpeasBaseBuilder:
             self.linpeas_base += f"\nif echo $CHECKS | grep -q {section_info['name_check']}; then\n"
             self.linpeas_base += f'print_title "{section_name}"\n'
 
-            # Sort checks alphabetically to get them in the same order of they are in the folder
+            # Sort checks alphabetically to get them in the same order as they are in the folder
             section_info["checks"] = sorted(section_info["checks"], key=lambda x: int(os.path.basename(x.path).split('_')[0]) if os.path.basename(x.path).split('_')[0].isdigit() else 99)
             for check in section_info["checks"]:
                 for func in check.initial_functions:
@@ -193,8 +193,9 @@ class LinpeasBaseBuilder:
     
     def get_funcs_deps(self, module, all_funcs):
         """Given 1 module and the list of modules return the functions recursively it depends on"""
-            
-        for func in module.functions_used:
+        
+        module_funcs = list(set(module.initial_functions + module.functions_used))
+        for func in module_funcs:
             func_module = self.find_func_module(func)
             #print(f"{module.id} has found {func} in {func_module.id}") #To find circular dependencies
             if not func_module.is_function:

linPEAS/builder/src/linpeasBuilder.py

@@ -365,7 +365,7 @@ class LinpeasBuilder:
                     rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=5)
             if "sudo:" in rb.text:
                 if len(b) <= 3:
-                    sudoVB.append("[^a-ZA-Z0-9]"+b+"$") # Less false possitives applied to small names
+                    sudoVB.append("[^a-zA-Z0-9]"+b+"$") # Less false possitives applied to small names
                 else:
                     sudoVB.append(b+"$")
             if "suid:" in rb.text:

metasploit/README.md

@@ -37,9 +37,10 @@ Basic options:
   ----        ---------------                                                           --------  -----------
   PARAMETERS                                                                            no        Parameters to pass to the script
   PASSWORD    um1xipfws17nkw1bi1ma3bh7tzt4mo3e                                          no        Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used
-                                                                                                  .
-  PEASS_URL   https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/wi  yes       Path to the PEASS script. Accepted: http(s):// URL or absolute local path. Linpeas: https://raw.githubusercontent.com/peass-ng/PEASS-ng
-              nPEASexe/binaries/Obfuscated%20Releases/winPEASany.exe                              /master/linPEAS/linpeas.sh
+
+  WINPEASS    true                                                                      yes       Use PEASS for Windows or PEASS for linux. Default is windows change to false for linux.
+  CUSTOM_URL                                                                            no        Path to the PEASS script. Accepted: http(s):// URL or absolute local path.
+                                            
   SESSION                                                                               yes       The session to run this module on.
   SRVHOST                                                                               no        Set your metasploit instance IP if you want to download the PEASS script from here via http(s) instead of uploading it.
   SRVPORT     443                                                                       no        Port to download the PEASS script from using http(s) (only used if SRVHOST)

metasploit/peass.rb

@@ -1,3 +1,30 @@
+# Copyright (c) 2025, PEASS-ng owners
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#   1. Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#   2. Redistributions in binary form must reproduce the above copyright
+#      notice, this list of conditions and the following disclaimer in the
+#      documentation and/or other materials provided with the distribution.
+#   3. Neither the name of PEASS-ng owners nor the names of its
+#      contributors may be used to endorse or promote products derived from
+#      this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
@@ -37,7 +64,8 @@ class MetasploitModule < Msf::Post
     ))
     register_options(
       [
-        OptString.new('PEASS_URL', [true, 'Path to the PEASS script. Accepted: http(s):// URL or absolute local path. Linpeas: https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh', "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"]),
+        OptString.new('WINPEASS', [true, 'Which PEASS script to use. Use True for WinPeass and false for LinPEASS', true]),
+        OptString.new('CUSTOM_URL', [false, 'URL to download the PEASS script from (if not using the default one). Accepts http(s) or absolute path. Overrides the WINPEASS variable', '']),
         OptString.new('PASSWORD', [false, 'Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used.', rand(36**32).to_s(36)]),
         OptString.new('TEMP_DIR', [false, 'Path to upload the obfuscated PEASS script inside the compromised machine. By default "C:\Windows\System32\spool\drivers\color" is used in Windows and "/tmp" in Unix.', '']),
         OptString.new('PARAMETERS', [false, 'Parameters to pass to the script', nil]),
@@ -237,8 +265,14 @@ class MetasploitModule < Msf::Post
   def load_peass
     # Load the PEASS script from a local file or from Internet
     peass_script = ""
-    url_peass = datastore['PEASS_URL']
-    
+    url_peass = ""
+    # If no URL is set, use the default one
+    if datastore['CUSTOM_URL'] != ""
+      url_peass = datastore['CUSTOM_URL']
+    else
+      url_peass = datastore['WINPEASS'] ? "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" : "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh"
+    end
+    # If URL is set, check if it is a valid URL or local file
     if url_peass.include?("http://") || url_peass.include?("https://")
       target = URI.parse url_peass
       raise 'Invalid URL' unless target.scheme =~ /https?/

parsers/README.md

@@ -38,7 +38,7 @@ There is a **maximun of 3 levels of sections**.
           }
         ],
         "infos": [
-          "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
+          "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
         ]
       },
       "infos": []
@@ -65,7 +65,7 @@ There is a **maximun of 3 levels of sections**.
           }
         ],
         "infos": [
-          "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
+          "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
         ]
       },
       "infos": []

parsers/peas2json.py

@@ -144,7 +144,12 @@ def parse_line(line: str):
         })
 
 
-def main():
+def parse_peass(outputpath: str, jsonpath: str = ""):
+    global OUTPUT_PATH, JSON_PATH
+
+    OUTPUT_PATH = outputpath
+    JSON_PATH = jsonpath
+
     for line in open(OUTPUT_PATH, 'r', encoding="utf8").readlines():
         line = line.strip()
         if not line or not clean_colors(line): #Remove empty lines or lines just with colors hex
@@ -152,17 +157,21 @@ def main():
 
         parse_line(line)
 
-    with open(JSON_PATH, "w") as f:
-        json.dump(FINAL_JSON, f)
+    if JSON_PATH:
+        with open(JSON_PATH, "w") as f:
+            json.dump(FINAL_JSON, f)
+    
+    else:
+        return FINAL_JSON
 
 
 # Start execution
 if __name__ == "__main__":
     try:
-        OUTPUT_PATH = sys.argv[1]
-        JSON_PATH = sys.argv[2]
+        outputpath = sys.argv[1]
+        jsonpath = sys.argv[2]
+        parse_peass(outputpath, jsonpath)
     except IndexError as err:
         print("Error: Please pass the peas.out file and the path to save the json\npeas2json.py <output_file> <json_file.json>")
         sys.exit(1)
     
-    main()

winPEAS/README.md

@@ -2,9 +2,9 @@
 
 ![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
+Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
 
-Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
+Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
 
 ## Quick Start
 Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**.

winPEAS/winPEASbat/README.md

@@ -2,9 +2,9 @@
 
 ![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
+**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
 
-Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)
+Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)
 
 ### WinPEAS.bat is a batch script made for Windows systems which don't support WinPEAS.exe (Net.4 required)
 

winPEAS/winPEASbat/winPEAS.bat

@@ -63,7 +63,7 @@ ECHO.
 CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO"
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
 ECHO.   [i] Check for vulnerabilities for the OS version with the applied patches
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits
 systeminfo
 ECHO.
 CALL :T_Progress 2
@@ -190,7 +190,7 @@ CALL :T_Progress 1
 :UACSettings
 CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
 ECHO.   [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#very-basic-uac-bypass-full-file-system-access
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
 ECHO.
 CALL :T_Progress 1
@@ -241,7 +241,7 @@ CALL :T_Progress 1
 :InstalledSoftware
 CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
 ECHO.   [i] Some weird software? Check for vulnerabilities in unknow software installed
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
 ECHO.
 dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
 reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
@@ -252,7 +252,7 @@ CALL :T_Progress 2
 
 :RemodeDeskCredMgr
 CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager
 IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
 ECHO.
 CALL :T_Progress 1
@@ -260,7 +260,7 @@ CALL :T_Progress 1
 :WSUS
 CALL :ColorLine " %E%33m[+]%E%97m WSUS"
 ECHO.   [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus
 reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
 ECHO.
 CALL :T_Progress 1
@@ -268,7 +268,7 @@ CALL :T_Progress 1
 :RunningProcesses
 CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
 ECHO.   [i] Something unexpected is running? Check for vulnerabilities
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes
 tasklist /SVC
 ECHO.
 CALL :T_Progress 2
@@ -289,7 +289,7 @@ CALL :T_Progress 3
 :RunAtStartup
 CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
 ECHO.   [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#run-at-startup
 ::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
@@ -313,7 +313,7 @@ CALL :T_Progress 2
 :AlwaysInstallElevated
 CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
 ECHO.   [i] If '1' then you can install a .msi file with admin privileges ;)
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated-1
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 ECHO.
@@ -377,7 +377,7 @@ CALL :T_Progress 1
 :BasicUserInfo
 CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
 ECHO.   [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
 net user %username%
@@ -451,7 +451,7 @@ ECHO.
 
 :ServiceBinaryPermissions
 CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
     for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
 )
@@ -460,7 +460,7 @@ CALL :T_Progress 1
 
 :CheckRegistryModificationAbilities
 CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
 ECHO.
 CALL :T_Progress 1
@@ -469,7 +469,7 @@ CALL :T_Progress 1
 CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
 ECHO.   [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
 ECHO.   [i] The permissions are also checked and filtered using icacls
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
 	for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
 		ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
@@ -484,7 +484,7 @@ ECHO.
 CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
 ECHO.   [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
 ECHO.   [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
 for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
 ECHO.
 CALL :T_Progress 1
@@ -493,7 +493,7 @@ CALL :T_Progress 1
 CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
 cmdkey /list
 ECHO.
 CALL :T_Progress 2
@@ -501,14 +501,14 @@ CALL :T_Progress 2
 :DPAPIMasterKeys
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO.   [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
 powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
 powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
 CALL :T_Progress 2
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO.   [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
 ECHO.   [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
 ECHO.
 ECHO.Looking inside %appdata%\Microsoft\Credentials\
 ECHO.
@@ -581,7 +581,7 @@ CALL :T_Progress 2
 
 :AppCMD
 CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe
 IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists. 
 ECHO.
 CALL :T_Progress 2
@@ -589,7 +589,7 @@ CALL :T_Progress 2
 :RegFilesCredentials
 CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
 ECHO.   [i] Searching specific files that may contains credentials.
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
 ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
 reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
 CALL :T_Progress 2

winPEAS/winPEASexe/README.md

@@ -2,9 +2,9 @@
 
 ![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
+**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
 
-Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
+Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
 
 [![youtube](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/screen.png)](https://youtu.be/66gOwXMnxRI)
 
@@ -22,10 +22,15 @@ $url = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany
 # One liner to download and execute winPEASany from memory in a PS shell
 $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
 
-# Before cmd in 3 lines
+# The cprevios cmd in 2 lines
 $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content));
 [winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use
 
+# Download to disk and execute (super noisy)
+$wc = New-Object System.Net.WebClient
+$wc.DownloadFile("https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe", "winPEASany_ofs.exe")
+.\winPEASany_ofs.exe
+
 # Load from disk in memory and execute:
 $wp = [System.Reflection.Assembly]::Load([byte[]]([IO.File]::ReadAllBytes("D:\Users\victim\winPEAS.exe")));
 [winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use

winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs

@@ -56,7 +56,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software", "Check if you can modify installed software");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications", "Check if you can modify installed software");
                 SortedDictionary<string, Dictionary<string, string>> installedAppsPerms = InstalledApps.GetInstalledAppsPerms();
                 string format = "    ==>  {0} ({1})";
 
@@ -102,7 +102,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Autorun Applications");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
                 List<Dictionary<string, string>> apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs);
 
                 foreach (Dictionary<string, string> app in apps)
@@ -189,7 +189,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Scheduled Applications --Non Microsoft--");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users scheduled binaries");
                 List<Dictionary<string, string>> scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft();
 
                 foreach (Dictionary<string, string> sapp in scheduled_apps)
@@ -239,7 +239,7 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Device Drivers --Non Microsoft--");
                 // this link is not very specific, but its the best on hacktricks
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
 
                 foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
                 {

winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs

@@ -21,6 +21,7 @@ namespace winPEAS.Checks
             {
                new AWSInfo(),
                new AzureInfo(),
+               new AzureTokensInfo(),
                new GCPInfo(),
                new GCPJoinedInfo(),
                new GCDSInfo(),
@@ -57,36 +58,31 @@ namespace winPEAS.Checks
 
                             foreach (var endpointData in endpointDataList)
                             {
-                                var colors = new Dictionary<string, string>
-                                {
-                                    { endpointData.EndpointName, Beaprint.GRAY }
-                                };
+                                string msgcolor = Beaprint.NOCOLOR;
 
                                 string message;
                                 if (!string.IsNullOrEmpty(endpointData.Data))
                                 {
                                     message = endpointData.Data;
                                     // if it is a JSON data, add additional newline so it's displayed on a separate line
-                                    if (message.StartsWith("{"))
+                                    if (message.StartsWith("{") || message.StartsWith("["))
                                     {
                                         message = $"\n{message}\n";
                                     }
 
                                     if (endpointData.IsAttackVector)
                                     {
-                                        colors.Add(message, Beaprint.ansi_color_bad);
-                                    }
-                                    else
-                                    {
-                                        colors.Add(message, Beaprint.ansi_color_gray);
+                                        msgcolor = Beaprint.ansi_color_bad;
                                     }
                                 }
                                 else
                                 {
                                     message = "No data received from the metadata endpoint";
+                                    msgcolor = Beaprint.ansi_color_gray;
                                 }
 
-                                Beaprint.ColorPrint($"{endpointData.EndpointName,-30}{message}", Beaprint.ansi_color_gray);
+                                Beaprint.ColorPrint($"{endpointData.EndpointName,-30}", Beaprint.ansi_users_active);
+                                Beaprint.ColorPrint(message, msgcolor);
                             }
 
                             Beaprint.GrayPrint("");

winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs

@@ -151,7 +151,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Cloud Credentials");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
                 List<Dictionary<string, string>> could_creds = KnownFileCredsInfo.ListCloudCreds();
                 if (could_creds.Count != 0)
                 {
@@ -382,7 +382,7 @@ namespace winPEAS.Checks
                 string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };
 
                 Beaprint.MainPrint("Looking for possible regs with creds");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#inside-the-registry");
 
                 string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
                 if (!string.IsNullOrEmpty(winVnc4.Trim()))
@@ -431,7 +431,7 @@ namespace winPEAS.Checks
                 };
 
                 Beaprint.MainPrint("Looking for possible password files in users homes");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
                 var fileInfos = SearchHelper.SearchUserCredsFiles();
 
                 foreach (var fileInfo in fileInfos)
@@ -470,7 +470,7 @@ namespace winPEAS.Checks
                 };
 
                 Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
                 List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
 
                 foreach (Dictionary<string, string> rec_file in recy_files)
@@ -506,7 +506,7 @@ namespace winPEAS.Checks
                 };
 
                 Beaprint.MainPrint("Searching known files that can contain creds in home");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
 
                 var files = SearchHelper.SearchUsersInterestingFiles();
 

winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs

@@ -24,7 +24,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Interesting Processes -non Microsoft-");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
                 List<Dictionary<string, string>> processesInfo = ProcessesInfo.GetProcInfo();
 
                 foreach (Dictionary<string, string> procInfo in processesInfo)
@@ -93,7 +93,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Vulnerable Leaked Handlers");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#leaked-handlers");
 
                 List<Dictionary<string, string>> vulnHandlers = new List<Dictionary<string, string>>(); 
 

winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs

@@ -42,7 +42,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Interesting Services -non Microsoft-");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
 
                 List<Dictionary<string, string>> services_info = ServicesInfoHelper.GetNonstandardServices();
 
@@ -121,7 +121,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Modifiable Services");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can modify any service");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services", "Check if you can modify any service");
                 if (modifiableServices.Count > 0)
                 {
                     Beaprint.BadPrint("    LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
@@ -158,7 +158,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Looking if you can modify any service registry");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions", "Check if you can modify the registry of a service");
                 List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(Checks.CurrentUserSiDs);
 
                 Dictionary<string, string> colorsWR = new Dictionary<string, string>()
@@ -186,7 +186,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking", "Check for DLL Hijacking in PATH folders");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking", "Check for DLL Hijacking in PATH folders");
                 Dictionary<string, string> path_dllhijacking = ServicesInfoHelper.GetPathDLLHijacking();
                 foreach (KeyValuePair<string, string> entry in path_dllhijacking)
                 {

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -98,7 +98,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Basic System Information");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits", "Check if the Windows versions is vulnerable to some known exploit");
                 Dictionary<string, string> basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo();
                 basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + basicDictSystem["Hotfixes"] + Beaprint.NOCOLOR;
                 Dictionary<string, string> colorsSI = new Dictionary<string, string>
@@ -337,7 +337,7 @@ namespace winPEAS.Checks
         static void PrintWdigest()
         {
             Beaprint.MainPrint("Wdigest");
-            Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");
+            Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest", "If enabled, plain-text crds could be stored in LSASS");
             string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential");
             if (useLogonCredential == "1")
                 Beaprint.BadPrint("    Wdigest is active");
@@ -348,7 +348,7 @@ namespace winPEAS.Checks
         static void PrintLSAProtection()
         {
             Beaprint.MainPrint("LSA Protection");
-            Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
+            Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
             string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL");
             if (useLogonCredential == "1")
                 Beaprint.GoodPrint("    LSA Protection is active");
@@ -359,7 +359,7 @@ namespace winPEAS.Checks
         static void PrintCredentialGuard()
         {
             Beaprint.MainPrint("Credentials Guard");
-            Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
+            Beaprint.LinkPrint("https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard", "If enabled, a driver is needed to read LSASS memory");
             string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags");
 
             if (lsaCfgFlags == "1")
@@ -384,7 +384,7 @@ namespace winPEAS.Checks
         {
             try{
                 Beaprint.MainPrint("Cached Creds");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
                 string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
                 if (!string.IsNullOrEmpty(cachedlogonscount))
                 {
@@ -526,7 +526,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("UAC Status");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss", "If you are in the Administrators group check how to bypass the UAC");
                 Dictionary<string, string> uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies();
 
                 Dictionary<string, string> colorsSI = new Dictionary<string, string>()
@@ -559,7 +559,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking WSUS");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus");
                 string path = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
                 string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
                 string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer");
@@ -594,7 +594,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking KrbRelayUp");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayup");
 
                 if (Checks.CurrentAdDomainName.Length > 0)
                 {
@@ -640,7 +640,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking AlwaysInstallElevated");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated");
                 string path = "Software\\Policies\\Microsoft\\Windows\\Installer";
                 string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated");
                 string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated");

winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs

@@ -78,7 +78,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Users");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups", "Check if you have some admin equivalent privileges");
 
                 List<string> usersGrps = User.GetMachineUsers(false, false, false, false, true);
 
@@ -109,7 +109,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Current Token privileges");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation", "Check if you can escalate privilege using some enabled token");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation", "Check if you can escalate privilege using some enabled token");
                 Dictionary<string, string> tokenPrivs = Token.GetTokenGroupPrivs();
                 Beaprint.DictPrint(tokenPrivs, ColorsU(), false);
             }

winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs

@@ -48,7 +48,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking Windows Vault");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault");
                 var vaultCreds = VaultCli.DumpVault();
 
                 var colorsC = new Dictionary<string, string>()
@@ -68,7 +68,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking Credential manager");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault");
 
                 var colorsC = new Dictionary<string, string>()
                 {
@@ -153,7 +153,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking for DPAPI Master Keys");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi");
                 var masterKeys = KnownFileCredsInfo.ListMasterKeys();
 
                 if (masterKeys.Count != 0)
@@ -181,7 +181,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking for DPAPI Credential Files");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi");
                 var credFiles = KnownFileCredsInfo.GetCredFiles();
                 Beaprint.DictPrint(credFiles, false);
 
@@ -201,7 +201,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking for RDCMan Settings Files");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager",
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager",
                     "Dump credentials from Remote Desktop Connection Manager");
                 var rdcFiles = RemoteDesktop.GetRDCManFiles();
                 Beaprint.DictPrint(rdcFiles, false);
@@ -222,7 +222,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Looking for Kerberos tickets");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html");
                 var kerberosTickets = Kerberos.ListKerberosTickets();
 
                 Beaprint.DictPrint(kerberosTickets, false);
@@ -307,7 +307,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Looking AppCmd.exe");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe");
 
                 var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
 
@@ -368,7 +368,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Looking SSClient.exe");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm");
 
                 if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe")))
                 {

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -81,7 +81,7 @@ namespace winPEAS.Helpers
        /---------------------------------------------------------------------------------\
        |                             {1}Do you like PEASS?{0}                                  |
        |---------------------------------------------------------------------------------| 
-       |         {3}Learn Cloud Hacking{0}       :     {2}training.hacktricks.xyz{0}                 |
+       |         {3}Learn Cloud Hacking{0}       :     {2}training.hacktricks.xyz {0}                 |
        |         {3}Follow on Twitter{0}         :     {2}@hacktricks_live{0}                        |
        |         {3}Respect on HTB{0}            :     {2}SirBroccoli            {0}                 |
        |---------------------------------------------------------------------------------|
@@ -104,7 +104,7 @@ namespace winPEAS.Helpers
 
             PrintLegend();
             Console.WriteLine();
-            Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation");
+            Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html");
         }
 
         static void PrintLegend()

winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs

@@ -184,9 +184,17 @@ namespace winPEAS.Helpers
         //////////////////////
         public static List<string> ListFolder(String path)
         {
-            string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
-            var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
-            return dirs.ToList();
+            try
+            {
+                string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
+                var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
+                return dirs.ToList();
+            }
+            catch(Exception ex)
+            {
+                //Path can't be accessed
+                return new List<string>();
+            }
         }
 
         internal static byte[] CombineArrays(byte[] first, byte[] second)

winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureInfo.cs

@@ -1,20 +1,53 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
 using System.IO;
 using System.Net;
-using System;
+using System.Diagnostics;
 
 namespace winPEAS.Info.CloudInfo
 {
     internal class AzureInfo : CloudInfoBase
     {
-        public override string Name => "Azure VM";
-        public override bool IsCloud => Directory.Exists(WINDOWS_AZURE_FOLDER);
-      
+        // The Name property now differentiates between an Azure VM and an Azure Container.
+        public override string Name
+        {
+            get
+            {
+                if (IsContainer())
+                    return "Azure Container"; // **Container environment detected**
+                return "Azure VM"; // **VM environment detected**
+            }
+        }
+
+        // IsCloud now returns true if either the Azure VM folder exists or container env vars are set.
+        public override bool IsCloud => Directory.Exists(WINDOWS_AZURE_FOLDER) || IsContainer();
+
         private Dictionary<string, List<EndpointData>> _endpointData = null;
 
         const string WINDOWS_AZURE_FOLDER = "c:\\windowsazure";
         const string AZURE_BASE_URL = "http://169.254.169.254/metadata/";
         const string API_VERSION = "2021-12-13";
+        const string CONTAINER_API_VERSION = "2019-08-01";
+
+        public static bool DoesProcessExist(string processName)
+        {
+            // Return false if the process name is null or empty
+            if (string.IsNullOrEmpty(processName))
+            {
+                return false;
+            }
+
+            // Retrieve all processes matching the specified name
+            Process[] processes = Process.GetProcessesByName(processName);
+            return processes.Length > 0;
+        }
+
+        // New helper method to detect if running inside an Azure container
+        private bool IsContainer()
+        {
+            return !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT")) ||
+                   !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("MSI_ENDPOINT"));
+        }
 
         public override Dictionary<string, List<EndpointData>> EndpointDataList()
         {
@@ -25,28 +58,38 @@ namespace winPEAS.Info.CloudInfo
 
                 try
                 {
-                    string result;                   
+                    string result;
+                    List<Tuple<string, string, bool>> endpoints;
 
-                    List<Tuple<string, string, bool>> endpoints = new List<Tuple<string, string, bool>>()
+                    if (IsContainer())
                     {
-                        new Tuple<string, string, bool>("Instance Details", $"instance?api-version={API_VERSION}", false),
-                        new Tuple<string, string, bool>("Load Balancer details",  $"loadbalancer?api-version={API_VERSION}", false),
-                        new Tuple<string, string, bool>("Management token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://management.azure.com/", true),
-                        new Tuple<string, string, bool>("Graph token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://graph.microsoft.com/", true),
-                        new Tuple<string, string, bool>("Vault token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://vault.azure.net/", true),
-                        new Tuple<string, string, bool>("Storage token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://storage.azure.com/", true)
-                    };
-                   
-                    if (IsAvailable)
-                    {
-                        
-        
+                        // **Running in Azure Container: use the container endpoint and add the "Secret" header if available**
+                        string containerBaseUrl = Environment.GetEnvironmentVariable("MSI_ENDPOINT") ??
+                                                  Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
+                        endpoints = new List<Tuple<string, string, bool>>()
+                        {
+                            new Tuple<string, string, bool>("Management token", $"?api-version={CONTAINER_API_VERSION}&resource=https://management.azure.com/", true),
+                            new Tuple<string, string, bool>("Graph token", $"?api-version={CONTAINER_API_VERSION}&resource=https://graph.microsoft.com/", true),
+                            new Tuple<string, string, bool>("Vault token", $"?api-version={CONTAINER_API_VERSION}&resource=https://vault.azure.net/", true),
+                            new Tuple<string, string, bool>("Storage token", $"?api-version={CONTAINER_API_VERSION}&resource=https://storage.azure.com/", true)
+                        };
+
                         foreach (var tuple in endpoints)
                         {
-                            string url = $"{AZURE_BASE_URL}{tuple.Item2}";
-
-                            result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "Metadata", "true" } });
-
+                            // Ensure proper URL formatting.
+                            string url = $"{containerBaseUrl}{(containerBaseUrl.EndsWith("/") ? "" : "/")}{tuple.Item2}";
+                            var headers = new WebHeaderCollection();
+                            string msiSecret = Environment.GetEnvironmentVariable("MSI_SECRET");
+                            if (!string.IsNullOrEmpty(msiSecret))
+                            {
+                                headers.Add("Secret", msiSecret);
+                            }
+                            string identitySecret = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
+                            if (!string.IsNullOrEmpty(identitySecret))
+                            {
+                                headers.Add("X-IDENTITY-HEADER", identitySecret);
+                            }
+                            result = CreateMetadataAPIRequest(url, "GET", headers);
                             _endpointDataList.Add(new EndpointData()
                             {
                                 EndpointName = tuple.Item1,
@@ -54,12 +97,36 @@ namespace winPEAS.Info.CloudInfo
                                 IsAttackVector = tuple.Item3
                             });
                         }
+                    }
+                    else if (Directory.Exists(WINDOWS_AZURE_FOLDER))
+                    {
+                        // **Running in Azure VM: use the standard metadata endpoint with "Metadata: true" header**
+                        endpoints = new List<Tuple<string, string, bool>>()
+                        {
+                            new Tuple<string, string, bool>("Instance Details", $"instance?api-version={API_VERSION}", false),
+                            new Tuple<string, string, bool>("Load Balancer details",  $"loadbalancer?api-version={API_VERSION}", false),
+                            new Tuple<string, string, bool>("Management token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://management.azure.com/", true),
+                            new Tuple<string, string, bool>("Graph token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://graph.microsoft.com/", true),
+                            new Tuple<string, string, bool>("Vault token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://vault.azure.net/", true),
+                            new Tuple<string, string, bool>("Storage token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://storage.azure.com/", true)
+                        };
 
-                        
+                        foreach (var tuple in endpoints)
+                        {
+                            string url = $"{AZURE_BASE_URL}{tuple.Item2}";
+                            result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "Metadata", "true" } });
+                            _endpointDataList.Add(new EndpointData()
+                            {
+                                EndpointName = tuple.Item1,
+                                Data = result,
+                                IsAttackVector = tuple.Item3
+                            });
+                        }
                     }
                     else
                     {
-                        foreach (var endpoint in endpoints)
+                        // If neither container nor VM, endpoints remain unset.
+                        foreach (var endpoint in new List<Tuple<string, string, bool>>())
                         {
                             _endpointDataList.Add(new EndpointData()
                             {
@@ -70,10 +137,27 @@ namespace winPEAS.Info.CloudInfo
                         }
                     }
 
+                    string hwsRun = DoesProcessExist("HybridWorkerService") ? "Yes" : "No";
+                    _endpointDataList.Add(new EndpointData()
+                    {
+                        EndpointName = "HybridWorkerService.exe Running",
+                        Data = hwsRun,
+                        IsAttackVector = true
+                    });
+
+                    string OSRun = DoesProcessExist("Orchestrator.Sandbox") ? "Yes" : "No";
+                    _endpointDataList.Add(new EndpointData()
+                    {
+                        EndpointName = "Orchestrator.Sandbox.exe Running",
+                        Data = OSRun,
+                        IsAttackVector = true
+                    });
+
                     _endpointData.Add("General", _endpointDataList);
                 }
                 catch (Exception ex)
                 {
+                    // **Exception handling (e.g., logging) can be added here**
                 }
             }
 
@@ -82,7 +166,31 @@ namespace winPEAS.Info.CloudInfo
 
         public override bool TestConnection()
         {
-            return CreateMetadataAPIRequest(AZURE_BASE_URL, "GET") != null;
-        }       
+            if (IsContainer())
+            {
+                // **Test connection for Azure Container**
+                string containerBaseUrl = Environment.GetEnvironmentVariable("MSI_ENDPOINT") ??
+                                          Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
+                if (string.IsNullOrEmpty(containerBaseUrl))
+                    return false;
+                var headers = new WebHeaderCollection();
+                string msiSecret = Environment.GetEnvironmentVariable("MSI_SECRET");
+                if (!string.IsNullOrEmpty(msiSecret))
+                {
+                    headers.Add("Secret", msiSecret);
+                }
+                string identitySecret = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
+                if (!string.IsNullOrEmpty(identitySecret))
+                {
+                    headers.Add("X-IDENTITY-HEADER", identitySecret);
+                }
+                return CreateMetadataAPIRequest(containerBaseUrl, "GET", headers) != null;
+            }
+            else
+            {
+                // **Test connection for Azure VM**
+                return CreateMetadataAPIRequest(AZURE_BASE_URL, "GET", new WebHeaderCollection() { { "Metadata", "true" } }) != null;
+            }
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureTokensInfo.cs

@@ -0,0 +1,288 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Security.Cryptography;
+using System.Text;
+using winPEAS.Helpers;
+using System.Data.SQLite;
+using Org.BouncyCastle.Crypto;
+using Org.BouncyCastle.Crypto.Parameters;
+using Org.BouncyCastle.Crypto.Modes;
+using System.Linq;
+using Microsoft.Win32;
+using System.Web.Script.Serialization;
+using System;
+using System.IO;
+using System.Text.Json;
+using System.Text.Json.Nodes;
+
+
+namespace winPEAS.Info.CloudInfo
+{
+    internal class AzureTokensInfo : CloudInfoBase
+    {
+        public override string Name => "Azure Tokens";
+
+        public override bool IsCloud => CheckIfAzureTokensInstalled();
+
+        private Dictionary<string, List<EndpointData>> _endpointData = null;
+
+        public static bool CheckIfAzureTokensInstalled()
+        {
+            string homeDirectory = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
+            string AzureFolderPath = Path.Combine(homeDirectory, ".Azure");
+            string azureFolderPath = Path.Combine(homeDirectory, ".azure");
+
+            string identityCachePath = Path.Combine(
+                Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
+                "Microsoft",
+                "IdentityCache"
+            );
+
+            string tokenBrokerPath = Path.Combine(
+                Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
+                "Microsoft",
+                "TokenBroker"
+            );
+
+            return Directory.Exists(AzureFolderPath) || Directory.Exists(azureFolderPath) || Directory.Exists(identityCachePath) || Directory.Exists(tokenBrokerPath);
+        }
+
+        public static string TBRESDecryptedData(string filePath)
+        {
+            var fileJSON = File.ReadAllText(filePath, Encoding.Unicode);
+            fileJSON = fileJSON.Substring(0, fileJSON.Length - 1);
+
+            try
+            {
+                var jsonObject = JsonNode.Parse(fileJSON).AsObject();
+                var encodedData = jsonObject["TBDataStoreObject"]["ObjectData"]["SystemDefinedProperties"]["ResponseBytes"]["Value"].ToString();
+                var encryptedData = Convert.FromBase64String(encodedData);
+                var decryptedData = ProtectedData.Unprotect(encryptedData, null, DataProtectionScope.CurrentUser);
+                string decodedData = Encoding.UTF8.GetString(decryptedData);
+
+                if (decodedData.Contains("No Token"))
+                {
+                    return "";
+                }
+
+                return decodedData;
+
+            }
+            catch (System.Exception)
+            {
+                Beaprint.PrintException($"[!] Error Decrypting File: {filePath}");
+                return "";
+            }
+        }
+
+
+        private List<EndpointData> GetAzureCliValues()
+        {
+            Dictionary<string, string> AzureCliValues = new Dictionary<string, string>();
+            string homeDirectory = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
+            string AzureFolderPath = Path.Combine(homeDirectory, ".Azure");
+            string azureFolderPath = Path.Combine(homeDirectory, ".azure");
+
+            string azureHomePath = azureFolderPath;
+
+            if (Directory.Exists(AzureFolderPath))
+            {
+                azureHomePath = AzureFolderPath;
+            };
+
+            if (Directory.Exists(azureHomePath))
+            {
+
+                // Files that doesn't need decryption
+                string[] fileNames = {
+                @"azureProfile.json",
+                @"clouds.config",
+                @"service_principal_entries.json",
+                @"msal_token_cache.json"
+            };
+
+                foreach (string fileName in fileNames)
+                {
+                    string filePath = Path.Combine(azureHomePath, fileName);
+                    // Check if the file exists
+                    if (File.Exists(filePath))
+                    {
+                        try
+                        {
+                            // Read the file content
+                            string fileContent = File.ReadAllText(filePath);
+
+                            // Add the file path and content to the dictionary
+                            AzureCliValues[filePath] = fileContent;
+                        }
+                        catch (Exception ex)
+                        {
+                            Beaprint.PrintException($"Error reading file '{filePath}': {ex.Message}");
+                        }
+                    }
+                }
+            }
+
+
+
+            // Get the IdentityCache directory path and encrypted files with tokens
+            string identityCachePath = Path.Combine(
+                Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
+                "Microsoft",
+                "IdentityCache"
+            );
+
+            string[] binFiles = { };
+
+            // Check if the directory exists
+            if (!Directory.Exists(identityCachePath))
+            {
+                Beaprint.PrintException($"The directory '{identityCachePath}' does not exist.");
+            }
+
+            try
+            {
+                // Recursively find all *.bin files
+                binFiles = Directory.GetFiles(identityCachePath, "*.bin", SearchOption.AllDirectories);
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException($"An error occurred while scanning the identityCache directory: {ex.Message}");
+            }
+            
+
+            // Files that need decryption
+            string[] fileNamesEncrp = {
+                @"service_principal_entries.bin",
+                @"msal_token_cache.bin"
+            };
+
+            foreach (string fileName in fileNamesEncrp.Concat(binFiles).ToArray())//.Concat(tbFiles).ToArray())
+            {
+                string filePath = fileName;
+
+                if (!fileName.Contains("\\"))
+                {
+                    filePath = Path.Combine(azureHomePath, fileName);
+                }
+
+                try
+                {
+                    if (File.Exists(filePath))
+                    {
+                        // Read encrypted file
+                        byte[] encryptedData = File.ReadAllBytes(filePath);
+
+                        // Decrypt using DPAPI for the current user
+                        byte[] decryptedData = ProtectedData.Unprotect(
+                            encryptedData,
+                            null,
+                            DataProtectionScope.CurrentUser
+                        );
+
+                        // Write decrypted data to output file
+                        AzureCliValues[filePath] = Encoding.UTF8.GetString(decryptedData);
+                    }
+
+                }
+                catch (CryptographicException ex)
+                {
+                    Beaprint.PrintException($"Decrypting {filePath} failed: {ex.Message}");
+                }
+                catch (Exception ex)
+                {
+                    Beaprint.PrintException($"An error occurred: {ex.Message}");
+                }
+            }
+
+
+            //TBRES files
+            string tokenBrokerPath = Path.Combine(
+                Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
+                "Microsoft",
+                "TokenBroker"
+            );
+
+            string[] tbFiles = { };
+
+            // Check if the directory exists
+            if (!Directory.Exists(tokenBrokerPath))
+            {
+                Beaprint.PrintException($"The directory '{tokenBrokerPath}' does not exist.");
+            }
+
+            try
+            {
+                // Recursively find all *.bin files
+                tbFiles = Directory.GetFiles(tokenBrokerPath, "*.tbres", SearchOption.AllDirectories);
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException($"An error occurred while scanning the Token Broker directory: {ex.Message}");
+            }
+
+            foreach (string filePath in tbFiles)
+            {
+                string TBRESContent = TBRESDecryptedData(filePath);
+                if (TBRESContent.Length > 0)
+                    AzureCliValues[filePath] = TBRESContent;
+            }
+
+            // Format the info in expected CloudInfo format
+            List<EndpointData> _endpointDataList = new List<EndpointData>();
+
+            foreach (var kvp in AzureCliValues)
+            {
+                _endpointDataList.Add(new EndpointData()
+                {
+                    EndpointName = kvp.Key,
+                    Data = kvp.Value?.Trim(),
+                    IsAttackVector = false
+                });
+            }
+
+            return _endpointDataList;
+        }
+        
+
+        public override Dictionary<string, List<EndpointData>> EndpointDataList()
+        {
+            if (_endpointData == null)
+            {
+                _endpointData = new Dictionary<string, List<EndpointData>>();
+
+                try
+                {
+                    if (IsAvailable)
+                    {
+                        _endpointData.Add("Local Info", GetAzureCliValues());
+                    }
+                    else
+                    {
+                        _endpointData.Add("General Info", new List<EndpointData>()
+                        {
+                            new EndpointData()
+                            {
+                                EndpointName = "",
+                                Data = null,
+                                IsAttackVector = false
+                            }
+                        });
+                    }
+                }
+                catch (Exception ex)
+                {
+                    Beaprint.PrintException(ex.Message);
+                }
+            }
+
+            return _endpointData;
+        }
+
+        public override bool TestConnection()
+        {
+            return true;
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs

@@ -112,7 +112,7 @@ namespace winPEAS.Info.UserInfo
                { "520", "Group Policy Creator Owners" }, //A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
                { "521", "Read-only Domain Controllers" }, //A global group. Members of this group are read-only domain controllers in the domain.               
                { "522", "Cloneable Domain Controllers" }, //A global group. Members of this group that are domain controllers may be cloned.
-               { "525", "Protected Users" }, //https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#protected-users
+               { "525", "Protected Users" }, //https://book.hacktricks.wiki/en/windows-hardening/stealing-credentials/credentials-protections.html#protected-users
                { "526", "Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
                { "527", "Enterprise Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.                             
                { "553", "RAS and IAS Servers" }, //A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.