Merge pull request #483 from securitytime/patch-1

Update Beaprint.cs
f
2025-07-01 16:23:13 +02:00 · 2025-07-01 12:12:01 +02:00 · 2025-07-01 11:10:21 +02:00 · 2025-06-28 09:12:40 +02:00 · 2025-06-25 01:59:43 +02:00 · 2025-06-25 01:59:03 +02:00
120 changed files with 5489 additions and 1025 deletions
--- a/.github/workflows/CI-master_tests.yml
+++ b/.github/workflows/CI-master_tests.yml
@ -99,6 +99,17 @@ jobs:
            Write-Error "winPEAS.exe not found at $exePath"
          }
      
+      - name: Execute winPEAS networkinfo
+        shell: pwsh
+        run: |
+          $Configuration = "Release"
+          $exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
+          if (Test-Path $exePath) {
+            & $exePath networkinfo
+          } else {
+            Write-Error "winPEAS.exe not found at $exePath"
+          }
+      
      # Copy the built versions
      - name: Copy all versions
        run: |
--- a/linPEAS/builder/linpeas_builder.py
+++ b/linPEAS/builder/linpeas_builder.py
@ -33,7 +33,7 @@ if __name__ == "__main__":
    parser.add_argument('--small', action='store_true', help='Build small version of linpeas.')
    parser.add_argument('--include', type=str, help='Build linpeas only with the modules indicated you can indicate section names or module IDs).')
    parser.add_argument('--exclude', type=str, help='Exclude the given modules (you can indicate section names or module IDs).')
-    parser.add_argument('--output', required=True, type=str, help='Parth to write the final linpeas file to.')
+    parser.add_argument('--output', required=True, type=str, help='Path to write the final linpeas file to.')
    args = parser.parse_args()

    all_modules = args.all
--- a/linPEAS/builder/linpeas_parts/1_system_information/10_Enviroment.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/10_Enviroment.sh
@ -1,19 +0,0 @@
-# Title: System Information - Enviroment
-# ID: SY_Enviroment
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information inside environment variables
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables:
-# Initial Functions:
-# Generated Global Variables:
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-print_2title "Environment"
-print_info "Any private information inside environment variables?"
-(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
-echo ""
--- a/linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh
@ -0,0 +1,39 @@
+# Title: System Information - Environment
+# ID: SY_Environment
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for sensitive information in environment variables that could lead to privilege escalation:
+#   - Credentials in environment variables
+#   - API keys and tokens
+#   - Sensitive configuration data
+#   - Common vulnerable scenarios:
+#     * Hardcoded credentials in environment
+#     * API keys exposed in environment
+#     * Database credentials in environment
+#     * Service account tokens
+#   - Exploitation methods:
+#     * Credential harvesting: Extract sensitive data from environment
+#     * Common attack vectors:
+#       - Password/credential extraction
+#       - API key abuse
+#       - Token theft
+#       - Configuration data leakage
+#     * Exploit techniques:
+#       - Environment variable dumping
+#       - Credential reuse
+#       - Token reuse
+#       - Configuration abuse
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $NoEnvVars, $EnvVarsRed
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Environment"
+print_info "Any private information inside environment variables?"
+(env || printenv || set) 2>/dev/null | grep -Eiv "$NoEnvVars" | sed -${E} "s,$EnvVarsRed,${SED_RED},g" || echo_not_found "env || set"
+echo ""
--- a/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh
@ -1,8 +1,24 @@
 # Title: System Information - Dmesg
 # ID: SY_Dmesg
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Searching Signature verification failed in dmesg
+# Last Update: 07-03-2024
+# Description: Check for kernel signature verification failures that could lead to privilege escalation:
+#   - Failed kernel module signature verifications
+#   - Common vulnerable scenarios:
+#     * Disabled kernel module signing
+#     * Failed signature verifications
+#     * Unsigned kernel modules
+#   - Exploitation methods:
+#     * Kernel module injection: Load malicious kernel modules
+#     * Common attack vectors:
+#       - Kernel module loading
+#       - Kernel module replacement
+#       - Kernel module modification
+#     * Exploit techniques:
+#       - Module signing bypass
+#       - Kernel module injection
+#       - Kernel module modification
+#       - Kernel module replacement
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: echo_not_found, print_2title, print_info
--- a/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh
@ -1,8 +1,29 @@
 # Title: System Information - MacOS OS checks
 # ID: SY_Macos_os_checks
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Macos OS checks
+# Last Update: 07-03-2024
+# Description: Check for MacOS-specific vulnerabilities and misconfigurations that could lead to privilege escalation:
+#   - Unsigned kernel extensions
+#   - Non-Apple kernel extensions
+#   - System Integrity Protection (SIP) status
+#   - Gatekeeper status
+#   - Common vulnerable scenarios:
+#     * Disabled SIP
+#     * Unsigned kernel extensions
+#     * Third-party kernel extensions
+#     * Disabled Gatekeeper
+#   - Exploitation methods:
+#     * Kernel extension injection: Load malicious kernel extensions
+#     * Common attack vectors:
+#       - SIP bypass
+#       - Kernel extension loading
+#       - Gatekeeper bypass
+#       - System modification
+#     * Exploit techniques:
+#       - Kernel extension injection
+#       - SIP bypass
+#       - Gatekeeper bypass
+#       - System modification
 # License: GNU GPL
 # Version: 1.0
 # Functions Used:macosNotSigned, print_2title
--- a/linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh
@ -1,8 +1,25 @@
 # Title: System Information - Linux Exploit Suggester
 # ID: SY_Linux_exploit_suggester
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Linux Exploit Suggester tool execution
+# Last Update: 07-03-2024
+# Description: Execute Linux Exploit Suggester to identify potential kernel exploits:
+#   - Automated kernel vulnerability detection
+#   - Common vulnerable scenarios:
+#     * Known kernel vulnerabilities
+#     * Unpatched kernel versions
+#     * Missing security patches
+#   - Exploitation methods:
+#     * Kernel exploit execution: Use suggested exploits
+#     * Common attack vectors:
+#       - Kernel memory corruption
+#       - Race conditions
+#       - Use-after-free
+#       - Integer overflow
+#     * Exploit techniques:
+#       - Kernel memory manipulation
+#       - Privilege escalation
+#       - Root access acquisition
+#       - System compromise
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info
--- a/linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh
@ -1,8 +1,27 @@
-# Title: System Information - Linux Exploit Suggester 2 
+# Title: System Information - Linux Exploit Suggester 2
 # ID: SY_Linux_exploit_suggester_2
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Linux Exploit Suggester 2 tool execution
+# Last Update: 07-03-2024
+# Description: Execute Linux Exploit Suggester 2 (Perl version) to identify potential kernel exploits:
+#   - Alternative kernel vulnerability detection
+#   - Perl-based exploit suggestions
+#   - Common vulnerable scenarios:
+#     * Known kernel vulnerabilities
+#     * Unpatched kernel versions
+#     * Missing security patches
+#     * Alternative exploit paths
+#   - Exploitation methods:
+#     * Kernel exploit execution: Use suggested exploits
+#     * Common attack vectors:
+#       - Kernel memory corruption
+#       - Race conditions
+#       - Use-after-free
+#       - Integer overflow
+#     * Exploit techniques:
+#       - Kernel memory manipulation
+#       - Privilege escalation
+#       - Root access acquisition
+#       - System compromise
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info
--- a/linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh
@ -1,8 +1,26 @@
 # Title: System Information - CVE_2021_3560
 # ID: SY_CVE_2021_3560
 # Author: Carlos Polop
-# Last Update: 07-10-2024
-# Description: CVE-2021-3560 - paper box from HTB
+# Last Update: 07-03-2024
+# Description: Check for Polkit vulnerability (CVE-2021-3560) that could lead to privilege escalation:
+#   - Vulnerable Polkit versions:
+#     * polkit 0.105-26 (Ubuntu)
+#     * polkit 0.117-2 (RHEL)
+#     * polkit 0.115-6 (RHEL)
+#   - Common vulnerable scenarios:
+#     * Unpatched Polkit versions
+#     * Default Polkit configurations
+#   - Exploitation methods:
+#     * Race condition in Polkit authentication
+#     * Common attack vectors:
+#       - Authentication bypass
+#       - Privilege escalation
+#       - Root access acquisition
+#     * Exploit techniques:
+#       - Race condition exploitation
+#       - Authentication bypass
+#       - Privilege escalation
+#       - System compromise
 # License: GNU GPL
 # Version: 1.0
 # Functions Used:
--- a/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
@ -1,8 +1,30 @@
-# Title: System Information - Kernel Extensions
+# Title: System Information - Protections
 # ID: SY_Protections
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Kernel Extensions
+# Last Update: 07-03-2024
+# Description: Check for system security protections and their bypass possibilities:
+#   - AppArmor/SELinux status and profiles
+#   - ASLR status
+#   - Seccomp filters
+#   - Capabilities
+#   - Common vulnerable scenarios:
+#     * Disabled security modules
+#     * Weak security profiles
+#     * Missing security features
+#     * Misconfigured protections
+#   - Exploitation methods:
+#     * Protection bypass: Circumvent security measures
+#     * Common attack vectors:
+#       - AppArmor/SELinux bypass
+#       - ASLR bypass
+#       - Seccomp filter bypass
+#       - Capability abuse
+#     * Exploit techniques:
+#       - Profile bypass
+#       - Memory randomization bypass
+#       - Filter bypass
+#       - Capability exploitation
+#       - Protection circumvention
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: echo_not_found, print_2title, print_list, warn_exec
@ -112,4 +134,6 @@ if [ "$(command -v systemd-detect-virt 2>/dev/null || echo -n '')" ]; then
    if [ "$hypervisorflag" ]; then printf $RED"Yes ($detectedvirt)"$NC; else printf $GREEN"No"$NC; fi
 else
    if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
-fi
+fi
+
+echo ""
--- a/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh
@ -0,0 +1,62 @@
+# Title: System Information - Kernel Modules
+# ID: SY_Kernel_Modules
+# Author: Carlos Polop
+# Last Update: 07-03-2024
+# Description: Check for kernel module vulnerabilities and misconfigurations that could lead to privilege escalation:
+#   - Loaded kernel modules with known vulnerabilities
+#   - Kernel modules with weak permissions that could be modified
+#   - Ability to load kernel modules as unprivileged user
+#   - Missing kernel module signing requirements
+#   - Exploitation methods:
+#     * Vulnerable modules: Use known exploits for vulnerable kernel modules
+#     * Weak permissions: Modify kernel modules to inject malicious code
+#     * Module loading: Load malicious kernel modules to get root access
+#     * Common vulnerable modules: nf_tables, eBPF, overlayfs, etc.
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title
+# Global Variables: 
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+echo ""
+print_2title "Kernel Modules Information"
+
+# List loaded kernel modules
+if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+    print_3title "Loaded kernel modules"
+    if [ -f "/proc/modules" ]; then
+        lsmod
+    else
+        echo_not_found "/proc/modules"
+    fi
+fi
+
+# Check for kernel modules with weak permissions
+print_3title "Kernel modules with weak perms?"
+if [ -d "/lib/modules" ]; then
+    find /lib/modules -type f -name "*.ko" -ls 2>/dev/null | grep -Ev "root\s+root" | sed -${E} "s,.*,${SED_RED},g"
+    if [ $? -eq 1 ]; then
+        echo "No kernel modules with weak permissions found"
+    fi
+else
+    echo_not_found "/lib/modules"
+fi
+echo ""
+
+# Check for kernel modules that can be loaded by unprivileged users
+print_3title "Kernel modules loadable? "
+if [ -f "/proc/sys/kernel/modules_disabled" ]; then
+    if [ "$(cat /proc/sys/kernel/modules_disabled)" = "0" ]; then
+        echo "Modules can be loaded" | sed -${E} "s,.*,${SED_RED},g"
+    else
+        echo "Modules cannot be loaded" | sed -${E} "s,.*,${SED_GREEN},g"
+    fi
+else
+    echo_not_found "/proc/sys/kernel/modules_disabled"
+fi
+
+
+echo "" 
--- a/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh
@ -1,8 +1,28 @@
 # Title: System Information - Operative System
 # ID: SY_Operative_system
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the Operative system
+# Last Update: 07-03-2024
+# Description: Check for operating system information relevant to privilege escalation:
+#   - OS version and distribution
+#   - Kernel version
+#   - Architecture
+#   - Common vulnerable scenarios:
+#     * Outdated OS versions
+#     * Unpatched systems
+#     * Known vulnerable distributions
+#     * Architecture-specific vulnerabilities
+#   - Exploitation methods:
+#     * Version-specific exploits: Use known exploits for the OS version
+#     * Common attack vectors:
+#       - OS version exploits
+#       - Distribution-specific vulnerabilities
+#       - Architecture-specific exploits
+#       - Kernel version exploits
+#     * Exploit techniques:
+#       - Version-specific payloads
+#       - Distribution-specific attacks
+#       - Architecture-specific techniques
+#       - Kernel exploitation
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info, warn_exec
--- a/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh
@ -1,8 +1,22 @@
 # Title: System Information - Sudo Version
 # ID: SY_Sudo_version
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the Sudo Version
+# Last Update: 07-03-2024
+# Description: Check for sudo vulnerabilities and misconfigurations that could lead to privilege escalation:
+#   - Vulnerable sudo versions with known exploits
+#   - Common vulnerable versions and CVEs:
+#     * CVE-2021-3156 (Baron Samedit): Heap overflow in sudo
+#     * CVE-2021-23239: Potential privilege escalation
+#     * CVE-2021-23240: Potential privilege escalation
+#     * CVE-2021-23241: Potential privilege escalation
+#   - Exploitation methods:
+#     * Version exploits: Use known exploits for vulnerable sudo versions
+#     * Common targets: sudo < 1.9.5p2 (Baron Samedit)
+#     * Exploit techniques:
+#       - Heap overflow exploitation
+#       - Race conditions
+#       - Memory corruption
+#       - Command injection
 # License: GNU GPL
 # Version: 1.0 
 # Functions Used: echo_not_found, print_2title, print_info
--- a/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh
@ -1,8 +1,22 @@
 # Title: System Information - USBCreator
 # ID: SY_USBCreator
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the USBCreator
+# Last Update: 07-03-2024
+# Description: Check for USBCreator vulnerabilities that could lead to privilege escalation:
+#   - Vulnerable policykit-desktop-privileges versions
+#   - Common vulnerable versions:
+#     * policykit-desktop-privileges < 0.21
+#   - Exploitation methods:
+#     * D-Bus command injection through USBCreator
+#     * Abuse of policykit privileges
+#     * Common attack vectors:
+#       - D-Bus method call injection
+#       - PolicyKit authentication bypass
+#       - Command execution through USB creation
+#     * Exploit techniques:
+#       - D-Bus method spoofing
+#       - PolicyKit privilege escalation
+#       - USB device creation abuse
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info
--- a/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh
@ -1,8 +1,25 @@
 # Title: System Information - Path
 # ID: SY_Path
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the Path
+# Last Update: 07-03-2024
+# Description: Check for PATH environment misconfigurations that could lead to privilege escalation:
+#   - Writable directories in PATH
+#   - Current directory (.) in PATH
+#   - Common vulnerable scenarios:
+#     * Writable system directories in PATH
+#     * Current directory in PATH
+#     * Relative paths in PATH
+#   - Exploitation methods:
+#     * PATH hijacking: Place malicious executables in writable PATH directories
+#     * Common attack vectors:
+#       - Replace common binaries (ls, cat, etc.)
+#       - Create malicious executables with common names
+#       - Abuse sudo PATH inheritance
+#     * Exploit techniques:
+#       - Binary replacement
+#       - Symbolic link attacks
+#       - PATH manipulation
+#       - Sudo PATH abuse
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info
--- a/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh
@ -1,8 +1,28 @@
 # Title: System Information - Date
 # ID: SY_Date
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the Date
+# Last Update: 07-03-2024
+# Description: Check for system date and uptime information relevant to privilege escalation:
+#   - System uptime
+#   - Last boot time
+#   - System time
+#   - Common vulnerable scenarios:
+#     * Long uptime (unpatched systems)
+#     * Time-based vulnerabilities
+#     * Scheduled tasks timing
+#     * Cron job timing
+#   - Exploitation methods:
+#     * Timing attacks: Abuse time-based vulnerabilities
+#     * Common attack vectors:
+#       - Race conditions
+#       - Time-of-check to time-of-use (TOCTOU)
+#       - Scheduled task abuse
+#       - Cron job timing
+#     * Exploit techniques:
+#       - Race condition exploitation
+#       - TOCTOU attacks
+#       - Scheduled task manipulation
+#       - Cron job abuse
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, warn_exec
--- a/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh
@ -1,8 +1,28 @@
 # Title: System Information - CPU info
 # ID: SY_CPU_info
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the CPU
+# Last Update: 07-03-2024
+# Description: Check for CPU information relevant to privilege escalation:
+#   - CPU architecture
+#   - CPU features
+#   - CPU vulnerabilities
+#   - Common vulnerable scenarios:
+#     * CPU-specific vulnerabilities (Spectre, Meltdown, etc.)
+#     * Missing CPU mitigations
+#     * Architecture-specific exploits
+#     * CPU feature abuse
+#   - Exploitation methods:
+#     * CPU-based attacks: Abuse CPU vulnerabilities
+#     * Common attack vectors:
+#       - Spectre/Meltdown exploitation
+#       - CPU feature abuse
+#       - Architecture-specific attacks
+#       - CPU timing attacks
+#     * Exploit techniques:
+#       - Side-channel attacks
+#       - CPU feature exploitation
+#       - Architecture-specific techniques
+#       - CPU timing exploitation
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, warn_exec
--- a/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh
@ -1,8 +1,28 @@
 # Title: System Information - Mounts
 # ID: SY_Mounts
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the mounts
+# Last Update: 07-03-2024
+# Description: Check for mount point misconfigurations that could lead to privilege escalation:
+#   - Unmounted filesystems
+#   - Mount point permissions
+#   - Mount options
+#   - Common vulnerable scenarios:
+#     * Writable mount points
+#     * Insecure mount options
+#     * Unmounted sensitive filesystems
+#     * Shared mount points
+#   - Exploitation methods:
+#     * Mount point abuse: Exploit mount misconfigurations
+#     * Common attack vectors:
+#       - Mount point modification
+#       - Filesystem remounting
+#       - Mount option abuse
+#       - Shared mount exploitation
+#     * Exploit techniques:
+#       - Mount point manipulation
+#       - Filesystem remounting
+#       - Mount option exploitation
+#       - Shared mount abuse
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info
--- a/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh
@ -1,8 +1,28 @@
 # Title: System Information - Disks
 # ID: SY_Disks
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the disks
+# Last Update: 07-03-2024
+# Description: Check for disk information and misconfigurations that could lead to privilege escalation:
+#   - Available disks
+#   - Disk permissions
+#   - SMB shares
+#   - Common vulnerable scenarios:
+#     * Writable disks
+#     * Insecure SMB shares
+#     * Exposed disk devices
+#     * Shared storage
+#   - Exploitation methods:
+#     * Disk access abuse: Exploit disk misconfigurations
+#     * Common attack vectors:
+#       - Disk device modification
+#       - SMB share abuse
+#       - Storage device access
+#       - Shared disk exploitation
+#     * Exploit techniques:
+#       - Disk device manipulation
+#       - SMB share exploitation
+#       - Storage device abuse
+#       - Shared disk access
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, warn_exec
--- a/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh
@ -1,8 +1,28 @@
-# Title: System Information - Disks
+# Title: System Information - Disks Extra
 # ID: SY_Disks_extra
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get Information about the disks
+# Last Update: 07-03-2024
+# Description: Check for additional disk information and system resources relevant to privilege escalation:
+#   - Disk utilization
+#   - System resources
+#   - Storage statistics
+#   - Common vulnerable scenarios:
+#     * Low disk space (potential for race conditions)
+#     * Resource exhaustion
+#     * Storage device misconfigurations
+#     * System resource abuse
+#   - Exploitation methods:
+#     * Resource-based attacks: Abuse system resources
+#     * Common attack vectors:
+#       - Disk space exhaustion
+#       - Resource starvation
+#       - Storage device abuse
+#       - System resource manipulation
+#     * Exploit techniques:
+#       - Resource exhaustion
+#       - Storage device exploitation
+#       - System resource abuse
+#       - Resource-based attacks
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, warn_exec
--- a/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh
@ -1,8 +1,25 @@
 # Title: Container - Container Tools
 # ID: CT_Container_tools
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Find container related tools in the PATH of the system
+# Last Update: 07-03-2024
+# Description: Find container related tools in the PATH of the system that could be used for container escape:
+#   - Container runtime tools
+#   - Container management tools
+#   - Container networking tools
+#   - Common vulnerable scenarios:
+#     * Misconfigured container tools
+#     * Privileged container tools
+#     * Container escape tools
+#   - Exploitation methods:
+#     * Tool abuse: Exploit container tool misconfigurations
+#     * Common attack vectors:
+#       - Runtime escape
+#       - Privilege escalation
+#       - Container breakout
+#     * Exploit techniques:
+#       - Tool misconfiguration abuse
+#       - Privileged tool exploitation
+#       - Container escape tool usage
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
@ -12,11 +29,45 @@
 # Fat linpeas: 0
 # Small linpeas: 1

-
 print_2title "Container related tools present (if any):"
-command -v docker || echo -n ''
-command -v lxc || echo -n ''
-command -v rkt || echo -n ''
-command -v kubectl || echo -n ''
-command -v podman || echo -n ''
-command -v runc || echo -n ''
+
+# Container runtimes
+command -v docker
+command -v lxc
+command -v rkt
+command -v podman
+command -v runc
+command -v ctr
+command -v containerd
+command -v crio
+command -v nerdctl
+
+# Container management
+command -v kubectl
+command -v crictl
+command -v docker-compose
+command -v docker-machine
+command -v minikube
+command -v kind
+
+# Container networking
+command -v docker-proxy
+command -v cni
+command -v flanneld
+command -v calicoctl
+
+# Container security
+command -v apparmor_parser
+command -v seccomp
+command -v gvisor
+command -v kata-runtime
+
+# Container debugging
+command -v nsenter
+command -v unshare
+command -v chroot
+command -v capsh
+command -v setcap
+command -v getcap
+
+echo ""
--- a/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh
@ -29,4 +29,5 @@ if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/n
          echo ""
      fi
  done
-fi
+fi
+
--- a/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh
@ -1,21 +1,63 @@
 # Title: Container - Container details
 # ID: CT_Container_details
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Get container details
+# Last Update: 07-03-2024
+# Description: Get detailed container information relevant to privilege escalation:
+#   - Container type and runtime
+#   - Running containers
+#   - Container configuration
+#   - Common vulnerable scenarios:
+#     * Misconfigured containers
+#     * Privileged containers
+#     * Exposed container APIs
+#     * Container networking
+#   - Exploitation methods:
+#     * Container breakout: Exploit container misconfigurations
+#     * Common attack vectors:
+#       - Runtime escape
+#       - Privilege escalation
+#       - Container breakout
+#       - Network escape
+#     * Exploit techniques:
+#       - Container misconfiguration abuse
+#       - Privileged container exploitation
+#       - Container API abuse
+#       - Network escape techniques
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: containerCheck, echo_no, print_2title, print_list
+# Functions Used: containerCheck, echo_no, print_2title, print_list, warn_exec
 # Global Variables: $containerType
 # Initial Functions: containerCheck
 # Generated Global Variables: $dockercontainers, $podmancontainers, $lxccontainers, $rktcontainers, $containerCounts
 # Fat linpeas: 0
 # Small linpeas: 1

-
 print_2title "Container details"
+
 print_list "Is this a container? ...........$NC $containerType"

+# Get container runtime info
+if [ "$(command -v docker || echo -n '')" ]; then
+    print_list "Docker version ...............$NC "
+    warn_exec docker version
+    print_list "Docker info .................$NC "
+    warn_exec docker info
+fi
+
+if [ "$(command -v podman || echo -n '')" ]; then
+    print_list "Podman version ..............$NC "
+    warn_exec podman version
+    print_list "Podman info ................$NC "
+    warn_exec podman info
+fi
+
+if [ "$(command -v lxc || echo -n '')" ]; then
+    print_list "LXC version ................$NC "
+    warn_exec lxc version
+    print_list "LXC info ...................$NC "
+    warn_exec lxc info
+fi
+
 print_list "Any running containers? ........ "$NC
 # Get counts of running containers for each platform
 dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l)
@ -32,9 +74,36 @@ else
    if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi
    echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED},"
    
-    # List any running containers
-    if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi
-    if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi
-    if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi
-    if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi
-fi
+    # List any running containers with more details
+    if [ "$dockercontainers" -ne "0" ]; then 
+        echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"
+        docker ps -a 2>/dev/null
+        #echo "Docker Container Details" | sed -${E} "s,.*,${SED_RED},"
+        #docker inspect $(docker ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" | sed -${E} "s,true|privileged|host,${SED_RED},g"
+        echo ""
+    fi
+    if [ "$podmancontainers" -ne "0" ]; then 
+        echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"
+        podman ps -a 2>/dev/null
+        #echo "Podman Container Details" | sed -${E} "s,.*,${SED_RED},"
+        #podman inspect $(podman ps -q) 2>/dev/null | grep -E "Privileged|CapAdd|CapDrop|SecurityOpt|HostConfig" | sed -${E} "s,true|privileged|host,${SED_RED},g"
+        echo ""
+    fi
+    if [ "$lxccontainers" -ne "0" ]; then 
+        echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"
+        lxc list 2>/dev/null
+        #echo "LXC Container Details" | sed -${E} "s,.*,${SED_RED},"
+        #lxc config show $(lxc list -c n --format csv) 2>/dev/null | grep -E "security.privileged|security.capabilities|security.syscalls" | sed -${E} "s,true|privileged|host,${SED_RED},g"
+        echo ""
+    fi
+    if [ "$rktcontainers" -ne "0" ]; then 
+        echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"
+        rkt list 2>/dev/null
+        #echo "RKT Container Details" | sed -${E} "s,.*,${SED_RED},"
+        #rkt status $(rkt list --format=json 2>/dev/null | jq -r '.[].id') 2>/dev/null | grep -E "privileged|capabilities|security" | sed -${E} "s,true|privileged|host,${SED_RED},g"
+        echo ""
+    fi
+fi
+
+
+echo ""
--- a/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh
+++ b/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh
@ -1,26 +1,62 @@
 # Title: Container - Container & breakout enumeration
 # ID: CT_Container_breakout
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Container breakout enumeration to see if in case we are inside a container we could escape
+# Last Update: 07-03-2024
+# Description: Container breakout enumeration to identify potential escape vectors:
+#   - Container runtime vulnerabilities
+#   - Mount point misconfigurations
+#   - Capability abuse
+#   - Namespace escape
+#   - Common vulnerable scenarios:
+#     * Privileged containers
+#     * Misconfigured mounts
+#     * Excessive capabilities
+#     * Namespace isolation bypass
+#     * Runtime vulnerabilities
+#     * Container escape tools
+#     * Shared kernel exploits
+#     * Container escape CVEs
+#   - Exploitation methods:
+#     * Mount escape: Abuse mount misconfigurations
+#     * Capability abuse: Exploit excessive capabilities
+#     * Namespace escape: Break out of container namespaces
+#     * Runtime escape: Exploit container runtime vulnerabilities
+#     * Common attack vectors:
+#       - Mount point manipulation
+#       - Capability exploitation
+#       - Namespace breakout
+#       - Runtime vulnerability abuse
+#       - Kernel exploit abuse
+#       - Container escape tool usage
+#     * Exploit techniques:
+#       - Mount point abuse
+#       - Capability escalation
+#       - Namespace escape
+#       - Runtime exploitation
+#       - Kernel exploitation
+#       - Container escape tool execution
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, echo_no, echo_not_found, print_2title, print_3title, print_info, print_list
-# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos,  $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
+# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, print_2title, print_3title, print_info, print_list, warn_exec
+# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
 # Initial Functions: containerCheck
-# Generated Global Variables: $defautl_docker_caps
+# Generated Global Variables: $defautl_docker_caps, $containerd_version, $runc_version, $containerd_version
 # Fat linpeas: 0
 # Small linpeas: 0

-
 if [ "$inContainer" ]; then
    echo ""
    print_2title "Container & breakout enumeration"
    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html"
+    
+    # Basic container info
    print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
    if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
        print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
    fi
+    
+    # Security mechanisms
+    print_3title "Security Mechanisms"
    print_list "Seccomp enabled? ............... "$NC
    ([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"

@ -30,9 +66,51 @@ if [ "$inContainer" ]; then
    print_list "User proc namespace? ........... "$NC
    if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi

+    # Known vulnerabilities
+    print_3title "Known Vulnerabilities"
+    
    checkContainerExploits
    print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-
+    
+    # Check for container escape tools
+    print_list "Container escape tools present .. "$NC
+    (command -v nsenter || command -v unshare || command -v chroot || command -v capsh || command -v setcap || command -v getcap || command -v docker || command -v kubectl || command -v ctr || command -v runc || command -v containerd || command -v crio || command -v podman || command -v lxc || command -v rkt || command -v nerdctl || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap|docker|kubectl|ctr|runc|containerd|crio|podman|lxc|rkt|nerdctl,${SED_RED},g"
+    
+    # Runtime vulnerabilities
+    print_3title "Runtime Vulnerabilities"
+    
+    # Check for known runtime vulnerabilities
+    if [ "$(command -v runc || echo -n '')" ]; then
+        print_list "Runc version ................. "$NC
+        warn_exec runc --version
+        # Check for specific runc vulnerabilities
+        runc_version=$(runc --version 2>/dev/null | grep -i "version" | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
+        if [ "$runc_version" ]; then
+            print_list "Runc CVE-2019-5736 ........... "$NC
+            if [ "$(echo $runc_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 0) || ($1 == 1 && $2 == 0 && $3 < 7)) print "Yes"; else print "No"; }')" = "Yes" ]; then
+                echo "Yes - Vulnerable" | sed -${E} "s,Yes,${SED_RED},"
+            else
+                echo "No"
+            fi
+        fi
+    fi
+    
+    if [ "$(command -v containerd || echo -n '')" ]; then
+        print_list "Containerd version ........... "$NC
+        warn_exec containerd --version
+        # Check for specific containerd vulnerabilities
+        containerd_version=$(containerd --version 2>/dev/null | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
+        if [ "$containerd_version" ]; then
+            print_list "Containerd CVE-2020-15257 ..... "$NC
+            if [ "$(echo $containerd_version | awk -F. '{ if ($1 < 1 || ($1 == 1 && $2 < 4) || ($1 == 1 && $2 == 4 && $3 < 3)) print "Yes"; else print "No"; }')" = "Yes" ]; then
+                echo "Yes - Vulnerable" | sed -${E} "s,Yes,${SED_RED},"
+            else
+                echo "No"
+            fi
+        fi
+    fi
+    
+    # Mount escape vectors
    print_3title "Breakout via mounts"
    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html"
    
@ -46,89 +124,170 @@ if [ "$inContainer" ]; then
    print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
    print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
    print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    
+    # Additional mount checks
+    print_list "Docker socket mounted? ......... "$NC
+    (mount | grep -E "docker.sock|/var/run/docker.sock" || echo "No") | sed -${E} "s,Yes|docker.sock,${SED_RED},"
+    
+    print_list "Common host filesystem mounted?  "$NC
+    (mount | grep -E "host|/host|/mnt/host" || echo "No") | sed -${E} "s,Yes|host,${SED_RED},"
+    
+    print_list "Interesting mounts ............. "$NC
+    mount | grep -E "docker|container|overlay|kubelet" | grep -v "proc" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
+    
+    # Check for writable mount points
+    print_list "Writable mount points ......... "$NC
+    mount | grep -E "rw," | grep -v "ro," | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
+    
+    # Check for shared mount points
+    print_list "Shared mount points ........... "$NC
+    mount | grep -E "shared|slave" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
+    
+    # Capability checks
+    print_3title "Capability Checks"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/capabilities-abuse-escape.html"
+    
+    print_list "Dangerous capabilities ......... "$NC
+    if [ "$(command -v capsh || echo -n '')" ]; then 
+        capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
+    else
+        defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
+        cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
+        echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
+    fi
+    
+    # Additional capability checks
+    print_list "Dangerous syscalls allowed ... "$NC
+    if [ -f "/proc/sys/kernel/yama/ptrace_scope" ]; then
+        (cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo "Not found") | sed -${E} "s,0,${SED_RED},"
+    else
+        echo "Not found"
+    fi
+    
+    # Namespace checks
+    print_3title "Namespace Checks"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html"
+    
+    print_list "Current namespaces ............. "$NC
+    ls -l /proc/self/ns/
+    
+    print_list "Host network namespace? ........ "$NC
+    if [ "$(ip netns list 2>/dev/null)" ]; then
+        echo "Yes - Host network namespace accessible" | sed -${E} "s,Yes,${SED_RED},"
+    else
+        echo "No"
+    fi
+    
+    # Additional namespace checks
+    print_list "Host IPC namespace? ........... "$NC
+    if [ "$(ls -l /proc/self/ns/ipc 2>/dev/null)" = "$(ls -l /proc/1/ns/ipc 2>/dev/null)" ]; then
+        echo "Yes - Host IPC namespace shared" | sed -${E} "s,Yes,${SED_RED},"
+    else
+        echo "No"
+    fi
+    
+    print_list "Host PID namespace? ........... "$NC
+    if [ "$(ls -l /proc/self/ns/pid 2>/dev/null)" = "$(ls -l /proc/1/ns/pid 2>/dev/null)" ]; then
+        echo "Yes - Host PID namespace shared" | sed -${E} "s,Yes,${SED_RED},"
+    else
+        echo "No"
+    fi
+    
+    print_list "Host UTS namespace? ........... "$NC
+    if [ "$(ls -l /proc/self/ns/uts 2>/dev/null)" = "$(ls -l /proc/1/ns/uts 2>/dev/null)" ]; then
+        echo "Yes - Host UTS namespace shared" | sed -${E} "s,Yes,${SED_RED},"
+    else
+        echo "No"
+    fi
+    
+    # Additional breakout vectors
+    print_3title "Additional Breakout Vectors"
+    
    print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
    print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
    print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"
    print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,Yes,${SED_RED},"
+    
+    # Check for container escape tools in PATH
+    print_list "Container escape tools in PATH . "$NC
+    (which nsenter 2>/dev/null || which unshare 2>/dev/null || which chroot 2>/dev/null || which capsh 2>/dev/null || which setcap 2>/dev/null || which getcap 2>/dev/null || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap,${SED_RED},g"
+
+    print_3title "Extra Breakout Vectors"
    print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED},"
    print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
    print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
    print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,Yes,${SED_RED},"
    print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-    if [ "$EXTRA_CHECKS" ]; then
-      print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-      print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
-    fi
+    print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
    
-    echo ""
-    print_3title "Namespaces"
-    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html"
-    ls -l /proc/self/ns/
-
+    # Additional kernel checks
+    print_list "Kernel version .............. "$NC
+    uname -a | sed -${E} "s,$(uname -r),${SED_RED},"
+    
+    print_list "Kernel modules ............. "$NC
+    lsmod | grep -E "overlay|aufs|btrfs|device_mapper|floppy|loop|squashfs|udf|veth|vbox|vmware|kvm|xen|docker|containerd|runc|crio" | sed -${E} "s,overlay|aufs|btrfs|device_mapper|floppy|loop|squashfs|udf|veth|vbox|vmware|kvm|xen|docker|containerd|runc|crio,${SED_RED},g"
+    
+    # Additional container runtime checks
+    print_list "Container runtime sockets .. "$NC
+    (find /var/run -name "*.sock" 2>/dev/null | grep -E "docker|containerd|crio|podman|lxc|rkt" || echo "No") | sed -${E} "s,docker|containerd|crio|podman|lxc|rkt,${SED_RED},g"
+    
+    print_list "Container runtime configs .. "$NC
+    (find /etc -name "*.conf" -o -name "*.json" 2>/dev/null | grep -E "docker|containerd|crio|podman|lxc|rkt" || echo "No") | sed -${E} "s,docker|containerd|crio|podman|lxc|rkt,${SED_RED},g"
+    
+    # Kubernetes specific checks
    if echo "$containerType" | grep -qi "kubernetes"; then
-        print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
-        print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
-        echo ""
-        
-        print_2title "Kubernetes Information"
+        print_3title "Kubernetes Specific Checks"
        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
        
+        print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
+        print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
        
-        print_3title "Kubernetes service account folder"
+        print_list "Kubernetes service account folder" | sed -${E} "s,.*,${SED_RED},"
        ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
-        echo ""
        
-        print_3title "Kubernetes env vars"
+        print_list "Kubernetes env vars" | sed -${E} "s,.*,${SED_RED},"
        (env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType="
-        echo ""
-
-        print_3title "Current sa user k8s permissions"
-        print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.html"
+        
+        print_list "Current sa user k8s permissions" | sed -${E} "s,.*,${SED_RED},"
        kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
          "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
            -X 'POST' -H 'Content-Type: application/json' \
            --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED},"
-
+        
+        # Additional Kubernetes checks
+        print_list "Kubernetes API server ...... "$NC
+        (curl -s -k https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/version 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
+        
+        print_list "Kubernetes secrets ......... "$NC
+        (kubectl get secrets 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
+        
+        print_list "Kubernetes pods ............ "$NC
+        (kubectl get pods 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
+        
+        print_list "Kubernetes services ........ "$NC
+        (kubectl get services 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
+        
+        print_list "Kubernetes nodes ........... "$NC
+        (kubectl get nodes 2>/dev/null || echo "Not accessible") | sed -${E} "s,Not accessible,${SED_GREEN},"
    fi
-    echo ""
-
-    print_2title "Container Capabilities"
-    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#capabilities-abuse-escape"
-    if [ "$(command -v capsh || echo -n '')" ]; then 
-      capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
-    else
-      defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
-      cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
-      echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
-    fi
-    echo ""
-
-    print_2title "Privilege Mode"
-    if [ -x "$(command -v fdisk || echo -n '')" ]; then
-        if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then
-            echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW},"
-        else
-            echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN},"
-        fi
-    else
-        echo_not_found
-    fi
-    echo ""
-
-    print_2title "Interesting Files Mounted"
+    
+    # Interesting files and mounts
+    print_3title "Interesting Files & Mounts"
+    print_list "Interesting files mounted ........ "$NC
    (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
-    echo ""
-
-    print_2title "Possible Entrypoints"
+    
+    print_list "Possible entrypoints ........... "$NC
    ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
+    
    echo ""
 fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/10_Azure_automation_account.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/10_Azure_automation_account.sh
@ -24,7 +24,7 @@ if [ "$is_az_automation_acc" = "Yes" ]; then
  if [ "$(command -v curl || echo -n '')" ]; then
      az_req="curl -s -f -L -H '$HEADER'"
  elif [ "$(command -v wget || echo -n '')" ]; then
-      az_req="wget -q -O - -H '$HEADER'"
+      az_req="wget -q -O - --header '$HEADER'"
  else 
      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
  fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/14_IBM_Cloud.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/14_IBM_Cloud.sh
@ -28,7 +28,7 @@ if [ "$is_ibm_vm" = "Yes" ]; then
    if [ "$(command -v curl || echo -n '')" ]; then
        ibm_req="curl -s -f -L -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
    elif [ "$(command -v wget || echo -n '')" ]; then
-        ibm_req="wget -q -O - -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
+        ibm_req="wget -q -O - --header '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
    else 
        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
    fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh
@ -13,7 +13,7 @@
 # Small linpeas: 1


-printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}training.hacktricks.wiki\n"$NC
+printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}https://training.hacktricks.xyz\n"$NC
 echo ""

 print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
@ -26,7 +26,7 @@ print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed
 print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Azure VM or Az metadata? ............. $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
-print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure APP or IDENTITY_ENDPOINT? ...... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Azure Automation Account? ............ $is_az_automation_acc\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "Tencent CVM? ......................... $is_tencent_cvm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
--- a/linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh
@ -8,7 +8,7 @@
 # Functions Used: check_aws_ec2, exec_with_jq, print_2title, print_3title
 # Global Variables: $is_aws_ec2
 # Initial Functions: check_aws_ec2
-# Generated Global Variables: $aws_req, $HEADER, $URL, $mac, $role
+# Generated Global Variables: $aws_req, $HEADER, $URL, $mac, $role, $TOKEN, $TOKEN_HEADER, $TOKEN_TTL
 # Fat linpeas: 0
 # Small linpeas: 1

@ -16,14 +16,20 @@
 if [ "$is_aws_ec2" = "Yes" ]; then
    print_2title "AWS EC2 Enumeration"
    
-    HEADER="X-aws-ec2-metadata-token: "
+    TOKEN=""
+    TOKEN_HEADER="X-aws-ec2-metadata-token"
+    TOKEN_TTL="X-aws-ec2-metadata-token-ttl-seconds: 21600"
    URL="http://169.254.169.254/latest/meta-data"
    
    aws_req=""
    if [ "$(command -v curl || echo -n '')" ]; then
-        aws_req="curl -s -f -L -H '$HEADER'"
+        # Get token for IMDSv2
+        TOKEN=$(curl -s -f -X PUT "http://169.254.169.254/latest/api/token" -H "$TOKEN_TTL" 2>/dev/null)
+        aws_req="curl -s -f -L -H '$TOKEN_HEADER: $TOKEN'"
    elif [ "$(command -v wget || echo -n '')" ]; then
-        aws_req="wget -q -O - -H '$HEADER'"
+        # Get token for IMDSv2
+        TOKEN=$(wget -q -O - --method=PUT --header="$TOKEN_TTL" "http://169.254.169.254/latest/api/token" 2>/dev/null)
+        aws_req="wget -q -O - --header '$TOKEN_HEADER: $TOKEN'"
    else 
        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
    fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/8_Azure_VM.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/8_Azure_VM.sh
@ -24,7 +24,7 @@ if [ "$is_az_vm" = "Yes" ]; then
  if [ "$(command -v curl || echo -n '')" ]; then
      az_req="curl -s -f -L -H '$HEADER'"
  elif [ "$(command -v wget || echo -n '')" ]; then
-      az_req="wget -q -O - -H '$HEADER'"
+      az_req="wget -q -O - --header '$HEADER'"
  else 
      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
  fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/9_Azure_app_service.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/9_Azure_app_service.sh
@ -24,7 +24,7 @@ if [ "$is_az_app" = "Yes" ]; then
  if [ "$(command -v curl || echo -n '')" ]; then
      az_req="curl -s -f -L -H '$HEADER'"
  elif [ "$(command -v wget || echo -n '')" ]; then
-      az_req="wget -q -O - -H '$HEADER'"
+      az_req="wget -q -O - --header '$HEADER'"
  else 
      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
  fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh
@ -0,0 +1,193 @@
+# Title: Processes & Cron & Services & Timers - Services and Service Files
+# ID: PR_Services
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Services and service files analysis with privilege escalation vectors
+# License: GNU GPL
+# Version: 1.2
+# Functions Used: echo_not_found, print_2title, print_info, print_3title
+# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER, $IAMROOT, $WRITABLESYSTEMDPATH
+# Initial Functions:
+# Generated Global Variables: $service_unit, $service_path, $service_content, $finding, $findings, $service_file, $exec_path, $exec_paths, $service, $line, $target_file, $target_exec, $relpath1, $relpath2
+# Fat linpeas: 0
+# Small linpeas: 0
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Services and Service Files"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services"
+
+  # Function to check service content for privilege escalation vectors
+  check_service_content() {
+    local service="$1"
+    local findings=""
+    
+    # Check if service runs with elevated privileges
+    if systemctl show "$service" -p User 2>/dev/null | grep -q "root"; then
+      findings="${findings}RUNS_AS_ROOT: Service runs as root\n"
+    fi
+
+    # Get the executable path and check it
+    local exec_path=$(systemctl show "$service" -p ExecStart 2>/dev/null | cut -d= -f2 | cut -d' ' -f1)
+    if [ -n "$exec_path" ]; then
+      if [ -w "$exec_path" ]; then
+        findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
+      fi
+      # Check for relative paths
+      #case "$exec_path" in
+      #  /*) : ;; # Absolute path, do nothing
+      #  *) findings="${findings}RELATIVE_PATH: Uses relative path: $exec_path\n" ;;
+      #esac
+      # Check for weak permissions
+      if [ -e "$exec_path" ] && [ "$(stat -c %a "$exec_path" 2>/dev/null)" = "777" ]; then
+        findings="${findings}WEAK_PERMS: Executable has 777 permissions\n"
+      fi
+    fi
+
+    # Check for unsafe configurations
+    if systemctl show "$service" -p ExecStart 2>/dev/null | grep -qE '(chmod|chown|mount|sudo|su)'; then
+      findings="${findings}UNSAFE_CMD: Uses potentially dangerous commands\n"
+    fi
+
+    # Check for environment variables with sensitive data
+    if systemctl show "$service" -p Environment 2>/dev/null | grep -qE '(PASS|SECRET|KEY|TOKEN|CRED)'; then
+      findings="${findings}SENSITIVE_ENV: Contains sensitive environment variables\n"
+    fi
+
+    # Check for capabilities
+    if systemctl show "$service" -p CapabilityBoundingSet 2>/dev/null | grep -qE '(CAP_SYS_ADMIN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH)'; then
+      findings="${findings}DANGEROUS_CAPS: Has dangerous capabilities\n"
+    fi
+
+    # If any findings, print them
+    if [ -n "$findings" ]; then
+      echo "  Potential issue in service: $service"
+      echo "$findings" | while read -r finding; do
+        [ -n "$finding" ] && echo "  └─ $finding"
+      done
+    fi
+  }
+
+  # Function to check service file for privilege escalation vectors
+  check_service_file() {
+    local service_file="$1"
+    local findings=""
+
+    # Check if service file is writable (following symlinks)
+    if [ -L "$service_file" ]; then
+      # If it's a symlink, check the target file
+      local target_file=$(readlink -f "$service_file")
+      if ! [ "$IAMROOT" ] && [ -w "$target_file" ] && [ -f "$target_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+        findings="${findings}WRITABLE_FILE: Service target file is writable: $target_file\n"
+      fi
+    elif ! [ "$IAMROOT" ] && [ -w "$service_file" ] && [ -f "$service_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+      findings="${findings}WRITABLE_FILE: Service file is writable\n"
+    fi
+
+    # Check for weak permissions (following symlinks)
+    if [ "$(stat -L -c %a "$service_file" 2>/dev/null)" = "777" ]; then
+      findings="${findings}WEAK_PERMS: Service file has 777 permissions\n"
+    fi
+
+    # Check for relative paths in Exec directives - Original logic
+    local relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$service_file" 2>/dev/null | grep -Iv "=/")
+    local relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$service_file" 2>/dev/null)
+    if [ "$relpath1" ] || [ "$relpath2" ]; then
+      if [ "$WRITABLESYSTEMDPATH" ]; then
+        findings="${findings}RELATIVE_PATH: Could be executing some relative path (systemd path is writable)\n"
+      else
+        findings="${findings}RELATIVE_PATH: Could be executing some relative path\n"
+      fi
+    fi
+
+    # Check for writable executables (following symlinks)
+    local exec_paths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$service_file" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+    printf "%s\n" "$exec_paths" | while read -r exec_path; do
+      if [ -n "$exec_path" ]; then
+        if [ -L "$exec_path" ]; then
+          local target_exec=$(readlink -f "$exec_path")
+          if [ -w "$target_exec" ]; then
+            findings="${findings}WRITABLE_EXEC: Executable target is writable: $target_exec\n"
+          fi
+        elif [ -w "$exec_path" ]; then
+          findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
+        fi
+      fi
+    done
+
+    # If any findings, print them
+    if [ -n "$findings" ]; then
+      echo "  Potential issue in service file: $service_file"
+      echo "$findings" | while read -r finding; do
+        [ -n "$finding" ] && echo "  └─ $finding"
+      done
+    fi
+  }
+
+  # List all services and check for privilege escalation vectors
+  echo ""
+  print_3title "Active services:"
+  systemctl list-units --type=service --state=active 2>/dev/null | grep -v "UNIT" | while read -r line; do
+    service_unit=$(echo "$line" | awk '{print $1}')
+    if [ -n "$service_unit" ]; then
+      # Print the service line with highlighting
+      echo "$line" | sed -${E} "s,$service_unit,${SED_GREEN},"
+
+      # Get service file path
+      service_path=$(systemctl show "$service_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
+      if [ -n "$service_path" ]; then
+        check_service_file "$service_path"
+      fi
+
+      # Check service content for privilege escalation vectors
+      check_service_content "$service_unit"
+    fi
+  done || echo_not_found
+
+  # Check for disabled but available services
+  echo ""
+  print_3title "Disabled services:"
+  systemctl list-unit-files --type=service --state=disabled 2>/dev/null | grep -v "UNIT FILE" | while read -r line; do
+    service_unit=$(echo "$line" | awk '{print $1}')
+    if [ -n "$service_unit" ]; then
+      # Print the service line with highlighting
+      echo "$line" | sed -${E} "s,$service_unit,${SED_GREEN},"
+
+      # Get service file path
+      service_path=$(systemctl show "$service_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
+      if [ -n "$service_path" ]; then
+        check_service_file "$service_path"
+      fi
+
+      # Check service content for privilege escalation vectors
+      check_service_content "$service_unit"
+    fi
+  done || echo_not_found
+
+  # Check service files from PSTORAGE_SYSTEMD
+  if [ -n "$PSTORAGE_SYSTEMD" ]; then
+    echo ""
+    print_3title "Additional service files:"
+    printf "%s\n" "$PSTORAGE_SYSTEMD" | while read -r service_file; do
+      if [ -n "$service_file" ] && [ -e "$service_file" ]; then
+        check_service_file "$service_file"
+      fi
+    done
+  fi
+
+  # Check for outdated services if EXTRA_CHECKS is enabled
+  if [ "$EXTRA_CHECKS" ]; then
+    echo ""
+    print_3title "Service versions and status:"
+    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+  fi
+
+  # Check systemd path writability
+  if [ ! "$WRITABLESYSTEMDPATH" ]; then 
+    echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"
+  else
+    echo "You can write on systemd PATH" | sed -${E} "s,.*,${SED_RED},"
+    echo "If a relative path is used, it's possible to abuse it."
+  fi
+
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh
@ -1,21 +0,0 @@
-# Title: Processes & Cron & Services & Timers - System Timers
-# ID: PR_System_timers
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: System Timers
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $SEARCH_IN_FOLDER, $timersG
-# Initial Functions:
-# Generated Global Variables:
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  print_2title "System timers"
-  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
-  (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
-  echo ""
-fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh
@ -0,0 +1,156 @@
+# Title: System Information - Systemd
+# ID: SY_Systemd
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Check for systemd vulnerabilities and misconfigurations that could lead to privilege escalation:
+#   - Systemd version vulnerabilities (CVE-2021-4034, CVE-2021-33910, etc.)
+#   - Services running as root that could be exploited
+#   - Services with dangerous capabilities that could be abused
+#   - Services with writable paths that could be used to inject malicious code
+#   - Exploitation methods:
+#     * Version exploits: Use known exploits for vulnerable systemd versions
+#     * Root services: Abuse services running as root to execute commands
+#     * Capabilities: Abuse services with dangerous capabilities (CAP_SYS_ADMIN, etc.)
+#     * Writable paths: Replace executables in writable paths to get code execution
+# License: GNU GPL
+# Version: 1.1
+# Functions Used: print_2title, print_list, echo_not_found
+# Global Variables: $SEARCH_IN_FOLDER, $Wfolders, $SED_RED, $SED_RED_YELLOW, $NC
+# Initial Functions:
+# Generated Global Variables: $WRITABLESYSTEMDPATH, $line, $service, $file, $version, $user, $caps, $path, $path_line, $service_file, $exec_line, $cmd
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+    print_2title "Systemd Information"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
+
+    # Function to check if systemctl is available
+    check_systemctl() {
+        if ! command -v systemctl >/dev/null 2>&1; then
+            echo_not_found "systemctl"
+            return 1
+        fi
+        return 0
+    }
+
+    # Function to get service file path
+    get_service_file() {
+        local service="$1"
+        local file=""
+        for path in "/etc/systemd/system/$service" "/lib/systemd/system/$service"; do
+            if [ -f "$path" ]; then
+                file="$path"
+                break
+            fi
+        done
+        echo "$file"
+    }
+
+    # Function to check dangerous capabilities
+    check_dangerous_caps() {
+        local caps="$1"
+        echo "$caps" | grep -qE '(CAP_SYS_ADMIN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_SETUID|CAP_SETGID|CAP_NET_ADMIN)'
+        return $?
+    }
+
+    # Check systemd version and known vulnerabilities
+    print_list "Systemd version and vulnerabilities? .............. "$NC
+    if check_systemctl; then
+        version=$(systemctl --version | head -n 1 | grep -oE '([0-9]+(\.[0-9]+)+)')
+        if [ -n "$version" ]; then
+            echo "$version" | sed -${E} "s,([0-9]+(\.[0-9]+)+),${SED_RED},g"
+            # Check for known vulnerable versions
+            case "$version" in
+                "2.3"[0-4]|"2.3"[0-4]"."*)
+                    echo "  └─ Vulnerable to CVE-2021-4034 (Polkit)" | sed -${E} "s,.*,${SED_RED},g"
+                    ;;
+                "2.4"[0-9]|"2.4"[0-9]"."*)
+                    echo "  └─ Vulnerable to CVE-2021-33910 (systemd-tmpfiles)" | sed -${E} "s,.*,${SED_RED},g"
+                    ;;
+            esac
+        fi
+    fi
+
+    # Check for systemd services running as root
+    print_list "Services running as root? ..... "$NC
+    if check_systemctl; then
+        systemctl list-units --type=service --state=running 2>/dev/null | 
+        grep -E "root|0:0" | 
+        while read -r line; do
+            service=$(echo "$line" | awk '{print $1}')
+            user=$(systemctl show "$service" -p User 2>/dev/null | cut -d= -f2)
+            echo "$service (User: $user)" | sed -${E} "s,root|0:0,${SED_RED},g"
+        done
+        echo ""
+    else
+        echo ""
+    fi
+
+    # Check for systemd services with dangerous capabilities
+    print_list "Running services with dangerous capabilities? ... "$NC
+    if check_systemctl; then
+        systemctl list-units --type=service --state=running 2>/dev/null | 
+        grep -E "\.service" | 
+        while read -r line; do
+            service=$(echo "$line" | awk '{print $1}')
+            caps=$(systemctl show "$service" -p CapabilityBoundingSet 2>/dev/null | cut -d= -f2)
+            if [ -n "$caps" ] && check_dangerous_caps "$caps"; then
+                echo "$service: $caps" | sed -${E} "s,.*,${SED_RED},g"
+            fi
+        done
+        echo ""
+    else
+        echo ""
+    fi
+
+    # Check for systemd services with writable paths
+    print_list "Services with writable paths? . "$NC
+    if check_systemctl; then
+        systemctl list-units --type=service --state=running 2>/dev/null | 
+        grep -E "\.service" | 
+        while read -r line; do
+            service=$(echo "$line" | awk '{print $1}')
+            service_file=$(get_service_file "$service")
+            if [ -n "$service_file" ]; then
+                # Check ExecStart paths
+                grep -E "ExecStart|ExecStartPre|ExecStartPost" "$service_file" 2>/dev/null | 
+                while read -r exec_line; do
+                    # Extract the first word after ExecStart* as the command
+                    cmd=$(echo "$exec_line" | awk '{print $2}' | tr -d '"')
+                    # Extract the rest as arguments
+                    args=$(echo "$exec_line" | awk '{$1=$2=""; print $0}' | tr -d '"')
+                    
+                    # Only check the command path, not arguments
+                    if [ -n "$cmd" ] && [ -w "$cmd" ]; then
+                        echo "$service: $cmd (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                    fi
+                    # Check for relative paths only in the command, not arguments
+                    if [ -n "$cmd" ] && [ "${cmd#/}" = "$cmd" ] && ! echo "$cmd" | grep -qE '^-|^--'; then
+                        echo "$service: Uses relative path '$cmd' (from $exec_line)" | sed -${E} "s,.*,${SED_RED},g"
+                    fi
+                done
+            fi
+        done
+    else
+        echo ""
+    fi
+
+    echo ""
+
+    print_2title "Systemd PATH"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
+    if check_systemctl; then
+        systemctl show-environment 2>/dev/null | 
+        grep "PATH" | 
+        while read -r path_line; do
+            echo "$path_line" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
+            # Store writable paths for later use
+            if echo "$path_line" | grep -qE "$Wfolders"; then
+                WRITABLESYSTEMDPATH="$path_line"
+            fi
+        done
+    fi
+
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh
@ -1,33 +0,0 @@
-# Title: Processes & Cron & Services & Timers - .timer files
-# ID: PR_Timer_files
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: .timer files
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER
-# Initial Functions:
-# Generated Global Variables: $timerbinpaths, $relpath
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-print_2title "Analyzing .timer files"
-print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
-printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
-  if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-    echo "$t" | sed -${E} "s,.*,${SED_RED},g"
-  fi
-  timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
-  printf "%s\n" "$timerbinpaths" | while read tb; do
-    if [ -w "$tb" ]; then
-      echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${SED_RED},g"
-    fi
-  done
-  #relpath="`grep -Po '^Unit=[^/].*' \"$t\" 2>/dev/null`"
-  #for rp in "$relpath"; do
-  #  echo "$t is calling a relative path: $rp" | sed "s,relative.*,${SED_RED},g"
-  #done
-done
-echo ""
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Services.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Services.sh
@ -1,23 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Services
-# ID: PR_Services
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Services outdated versions
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER
-# Initial Functions:
-# Generated Global Variables:
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  if [ "$EXTRA_CHECKS" ]; then
-    print_2title "Services"
-    print_info "Search for outdated versions"
-    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
-    echo ""
-  fi
-fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Socket_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Socket_files.sh
@ -0,0 +1,146 @@
+# Title: Processes & Cron & Services & Timers - Socket Files Analysis
+# ID: PR_Socket_files
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Analyze .socket files for privilege escalation vectors:
+#   - Writable socket files
+#   - Socket files executing writable binaries
+#   - Socket files with writable listeners
+#   - Socket files with relative paths
+#   - Socket files with unsafe configurations
+# License: GNU GPL
+# Version: 1.2
+# Functions Used: print_2title, print_info, print_list
+# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER, $SED_RED, $SED_RED_YELLOW, $NC
+# Initial Functions:
+# Generated Global Variables: $exec_path, $listen_path, $path, $exec_paths, $finding, $listen_paths, $socket_file, $findings, $target_file, $target_listen, $target_exec, $lpath
+# Fat linpeas: 0
+# Small linpeas: 0
+
+if ! [ "$IAMROOT" ]; then
+    print_2title "Analyzing .socket files"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
+
+    # Function to check if path is relative
+    is_relative_path() {
+        local lpath="$1"
+        case "$lpath" in
+            /*) return 1 ;; # Absolute path
+            *) return 0 ;;  # Relative path
+        esac
+    }
+
+    # Function to check socket file content
+    check_socket_file() {
+        local socket_file="$1"
+        local findings=""
+
+        # Check if socket file is writable (following symlinks)
+        if [ -L "$socket_file" ]; then
+            # If it's a symlink, check the target file
+            local target_file=$(readlink -f "$socket_file")
+            if ! [ "$IAMROOT" ] && [ -w "$target_file" ] && [ -f "$target_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+                findings="${findings}WRITABLE_FILE: Socket target file is writable: $target_file\n"
+            fi
+        elif ! [ "$IAMROOT" ] && [ -w "$socket_file" ] && [ -f "$socket_file" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+            findings="${findings}WRITABLE_FILE: Socket file is writable\n"
+        fi
+
+        # Check for weak permissions (following symlinks)
+        if [ "$(stat -L -c %a "$socket_file" 2>/dev/null)" = "777" ]; then
+            findings="${findings}WEAK_PERMS: Socket file has 777 permissions\n"
+        fi
+
+        # Check for executables (following symlinks)
+        local exec_paths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$socket_file" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+        printf "%s\n" "$exec_paths" | while read -r exec_path; do
+            if [ -n "$exec_path" ]; then
+                # Check if executable is writable (following symlinks)
+                if [ -L "$exec_path" ]; then
+                    local target_exec=$(readlink -f "$exec_path")
+                    if [ -w "$target_exec" ]; then
+                        findings="${findings}WRITABLE_EXEC: Executable target is writable: $target_exec\n"
+                    fi
+                    # Check for weak permissions on target
+                    if [ -e "$target_exec" ] && [ "$(stat -L -c %a "$target_exec" 2>/dev/null)" = "777" ]; then
+                        findings="${findings}WEAK_EXEC_PERMS: Executable target has 777 permissions: $target_exec\n"
+                    fi
+                else
+                    if [ -w "$exec_path" ]; then
+                        findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
+                    fi
+                    # Check for weak permissions
+                    if [ -e "$exec_path" ] && [ "$(stat -L -c %a "$exec_path" 2>/dev/null)" = "777" ]; then
+                        findings="${findings}WEAK_EXEC_PERMS: Executable has 777 permissions: $exec_path\n"
+                    fi
+                fi
+                # Check for relative paths
+                if is_relative_path "$exec_path"; then
+                    findings="${findings}RELATIVE_PATH: Uses relative path: $exec_path\n"
+                fi
+            fi
+        done
+
+        # Check for listeners (following symlinks)
+        local listen_paths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$socket_file" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+        printf "%s\n" "$listen_paths" | while read -r listen_path; do
+            if [ -n "$listen_path" ]; then
+                # Check if listener path is writable (following symlinks)
+                if [ -L "$listen_path" ]; then
+                    local target_listen=$(readlink -f "$listen_path")
+                    if [ -w "$target_listen" ]; then
+                        findings="${findings}WRITABLE_LISTENER: Listener target path is writable: $target_listen\n"
+                    fi
+                    # Check for weak permissions on target
+                    if [ -e "$target_listen" ] && [ "$(stat -L -c %a "$target_listen" 2>/dev/null)" = "777" ]; then
+                        findings="${findings}WEAK_LISTENER_PERMS: Listener target path has 777 permissions: $target_listen\n"
+                    fi
+                else
+                    if [ -w "$listen_path" ]; then
+                        findings="${findings}WRITABLE_LISTENER: Listener path is writable: $listen_path\n"
+                    fi
+                    # Check for weak permissions
+                    if [ -e "$listen_path" ] && [ "$(stat -L -c %a "$listen_path" 2>/dev/null)" = "777" ]; then
+                        findings="${findings}WEAK_LISTENER_PERMS: Listener path has 777 permissions: $listen_path\n"
+                    fi
+                fi
+                # Check for relative paths
+                if is_relative_path "$listen_path"; then
+                    findings="${findings}RELATIVE_LISTENER: Uses relative path: $listen_path\n"
+                fi
+            fi
+        done
+
+        # Check for unsafe configurations
+        if grep -qE '^(User|Group)=root' "$socket_file" 2>/dev/null; then
+            findings="${findings}ROOT_USER: Socket runs as root\n"
+        fi
+        if grep -qE '^(CapabilityBoundingSet).*CAP_SYS_ADMIN' "$socket_file" 2>/dev/null; then
+            findings="${findings}DANGEROUS_CAPS: Has dangerous capabilities\n"
+        fi
+        if grep -qE '^(BindIP|BindIPv6Only)=yes' "$socket_file" 2>/dev/null; then
+            findings="${findings}NETWORK_BIND: Can bind to network interfaces\n"
+        fi
+
+        # If any findings, print them
+        if [ -n "$findings" ]; then
+            echo "Potential privilege escalation in socket file: $socket_file"
+            echo "$findings" | while read -r finding; do
+                [ -n "$finding" ] && echo "  └─ $finding" | sed -${E} "s,WRITABLE.*,${SED_RED},g" | sed -${E} "s,RELATIVE.*,${SED_RED_YELLOW},g"
+            done
+        fi
+    }
+
+    # Process each socket file
+    if [ -n "$PSTORAGE_SOCKET" ]; then
+        printf "%s\n" "$PSTORAGE_SOCKET" | while read -r socket_file; do
+            if [ -n "$socket_file" ] && [ -e "$socket_file" ]; then
+                check_socket_file "$socket_file"
+            fi
+        done
+    else
+        print_list "No socket files found" "$NC"
+    fi
+
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh
@ -1,42 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Analyzing .service files
-# ID: PR_Service_files
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Analyze .service files
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER, $WRITABLESYSTEMDPATH
-# Initial Functions:
-# Generated Global Variables: $relpath1, $relpath2, $servicebinpaths
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-#TODO: .service files in MACOS are folders
-print_2title "Analyzing .service files"
-print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services"
-printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
-  if [ ! -O "" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
-    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-      echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
-    fi
-    servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
-    printf "%s\n" "$servicebinpaths" | while read sp; do
-      if [ -w "$sp" ]; then
-        echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g"
-      fi
-    done
-    relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -Iv "=/")
-    relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$s" 2>/dev/null)
-    if [ "$relpath1" ] || [ "$relpath2" ]; then
-      if [ "$WRITABLESYSTEMDPATH" ]; then
-        echo "$s could be executing some relative path" | sed -${E} "s,.*,${SED_RED},";
-      else
-        echo "$s could be executing some relative path"
-      fi
-    fi
-  fi
-done
-if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
-echo ""
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh
@ -0,0 +1,151 @@
+# Title: Processes & Cron & Services & Timers - Unix Sockets Analysis
+# ID: PR_Unix_sockets_listening
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Analyze Unix sockets for privilege escalation vectors:
+#   - Listening Unix sockets
+#   - Socket file permissions
+#   - Socket ownership
+#   - Socket connectivity
+#   - Socket protocol analysis
+# License: GNU GPL
+# Version: 1.1
+# Functions Used: print_2title, print_info
+# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $NC, $RED
+# Initial Functions:
+# Generated Global Variables: $unix_scks_list, $unix_scks_list2, $perms, $owner, $owner_info, $response, $socket, $cmd, $mode, $group
+# Fat linpeas: 0
+# Small linpeas: 0
+
+if ! [ "$IAMROOT" ]; then
+    if ! [ "$SEARCH_IN_FOLDER" ]; then
+        print_2title "Unix Sockets Analysis"
+        print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
+
+
+        # Function to get socket permissions
+        get_socket_perms() {
+            local socket="$1"
+            local perms=""
+            
+            # Check read permission
+            if [ -r "$socket" ]; then
+                perms="Read "
+            fi
+            
+            # Check write permission
+            if [ -w "$socket" ]; then
+                perms="${perms}Write "
+            fi
+            
+            # Check execute permission
+            if [ -x "$socket" ]; then
+                perms="${perms}Execute "
+            fi
+            
+            # Check socket mode
+            local mode=$(stat -c "%a" "$socket" 2>/dev/null)
+            if [ "$mode" = "777" ] || [ "$mode" = "666" ]; then
+                perms="${perms}(Weak Permissions: $mode) "
+            fi
+            
+            echo "$perms"
+        }
+
+        # Function to check socket connectivity
+        check_socket_connectivity() {
+            local socket="$1"
+            local perms="$2"
+            
+            if [ "$EXTRA_CHECKS" ] && command -v curl >/dev/null 2>&1; then
+                # Try to connect to the socket
+                if curl -v --unix-socket "$socket" --max-time 1 http:/linpeas 2>&1 | grep -iq "Permission denied"; then
+                    perms="${perms} - Cannot Connect"
+                else
+                    perms="${perms} - Can Connect"
+                fi
+            fi
+            
+            echo "$perms"
+        }
+
+        # Function to analyze socket protocol
+        analyze_socket_protocol() {
+            local socket="$1"
+            local owner="$2"
+            local response=""
+            
+            # Try to get HTTP response
+            if command -v curl >/dev/null 2>&1; then
+                response=$(curl --max-time 2 --unix-socket "$socket" http:/index 2>/dev/null)
+                if [ $? -eq 0 ]; then
+                    echo "  └─ HTTP Socket (owned by $owner):" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
+                    echo "     └─ Response to /index (limit 30):"
+                    echo "$response" | head -n 30 | sed 's/^/       /'
+                fi
+            fi
+        }
+
+        # Function to get socket owner and group
+        get_socket_owner() {
+            local socket="$1"
+            local owner=""
+            local group=""
+            
+            if [ -e "$socket" ]; then
+                owner=$(ls -l "$socket" 2>/dev/null | awk '{print $3}')
+                group=$(ls -l "$socket" 2>/dev/null | awk '{print $4}')
+                echo "$owner:$group"
+            fi
+        }
+
+        # Collect listening sockets using multiple methods
+        unix_scks_list=""
+        for cmd in "ss -xlp -H state listening" "ss -l -p -A 'unix'" "netstat -a -p --unix"; do
+            if [ -z "$unix_scks_list" ]; then
+                unix_scks_list=$($cmd 2>/dev/null | grep -Eo "/[a-zA-Z0-9\._/\-]+" | grep -v " " | sort -u)
+            fi
+        done
+
+        # Get additional socket information
+        if [ -z "$unix_scks_list" ]; then
+            unix_scks_list=$(lsof -U 2>/dev/null | awk '{print $9}' | grep "/" | sort -u)
+        fi
+
+        # Find socket files
+        if ! [ "$SEARCH_IN_FOLDER" ]; then
+            unix_scks_list2=$(find / -type s 2>/dev/null)
+        else
+            unix_scks_list2=$(find "$SEARCH_IN_FOLDER" -type s 2>/dev/null)
+        fi
+
+        # Process all found sockets
+        (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort -u | while read -r socket; do
+            if [ -n "$socket" ] && [ -e "$socket" ]; then
+                # Get socket information
+                perms=$(get_socket_perms "$socket")
+                perms=$(check_socket_connectivity "$socket" "$perms")
+                owner_info=$(get_socket_owner "$socket")
+                
+                # Print socket information
+                if [ -z "$perms" ]; then
+                    echo "$socket" | sed -${E} "s,$socket,${SED_GREEN},g"
+                else
+                    echo "$socket" | sed -${E} "s,$socket,${SED_RED},g"
+                    echo "  └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
+                    
+                    # Analyze socket protocol if we can connect
+                    if echo "$perms" | grep -q "Can Connect"; then
+                        analyze_socket_protocol "$socket" "$owner_info"
+                    fi
+                    
+                    # Highlight dangerous ownership
+                    if echo "$owner_info" | grep -q "root"; then
+                        echo "  └─(${RED}Owned by root${NC})"
+                    fi
+                fi
+            fi
+        done
+    fi
+    echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_DBus_analysis.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_DBus_analysis.sh
@ -0,0 +1,253 @@
+# Title: Processes & Cron & Services & Timers - D-Bus Analysis
+# ID: PR_DBus_analysis
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Comprehensive D-Bus analysis for privilege escalation vectors:
+#   - D-Bus Service Objects enumeration
+#   - D-Bus Service Object permissions and ownership
+#   - D-Bus Configuration files analysis
+#   - D-Bus Policy analysis
+#   - D-Bus Method and Interface analysis
+#   - D-Bus Privilege Escalation Vectors
+# License: GNU GPL
+# Version: 1.3
+# Functions Used: print_2title, print_3title, print_info, echo_not_found
+# Global Variables: $IAMROOT, $mygroups, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $dbuslistG, $knw_usrs, $rootcommon, $SED_RED, $SED_GREEN, $SED_BLUE, $SED_LIGHT_CYAN, $SED_LIGHT_MAGENTA, $NC
+# Initial Functions:
+# Generated Global Variables: $dbuslist, $srvc_object, $genpol, $userpol, $grppol, $dangerous_service, $pattern, $dir, $weak_policies, $dangerous_services, $dangerous, $dbussrvc_object, $patterns, $methods, $file, $dbusservice, $session_services, $prop, $dangerous_session_services, $interface, $dangerous_methods, $dbus_file, $dbus_service, $method, $dangerous_patterns, $properties, $interfaces, $dangerous_props, $service, $info, $allow_rules
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+    print_2title "D-Bus Analysis"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
+
+
+    # Function to check for dangerous methods
+    check_dangerous_methods() {
+        service="$1"
+        interface="$2"
+        dangerous=0
+        dangerous_methods=""
+        
+        # Common dangerous method patterns - using space-separated string instead of array
+        patterns="StartUnit StopUnit RestartUnit EnableUnit DisableUnit SetProperty SetUser SetPassword CreateUser DeleteUser ModifyUser Execute Run Spawn Shell Command Exec Authenticate Login Logout Reboot Shutdown PowerOff Suspend Hibernate Update Install Uninstall Configure Modify Change Delete Remove Add Create Write Read Access Grant Revoke Allow Deny"
+        
+        # Get methods for the interface
+        methods=$(busctl introspect "$service" "$interface" 2>/dev/null | grep "method" | awk '{print $2}')
+        
+        # Check each method against dangerous patterns
+        for method in $methods; do
+            for pattern in $patterns; do
+                if echo "$method" | grep -qi "$pattern"; then
+                    dangerous=1
+                    dangerous_methods="${dangerous_methods}${method} "
+                fi
+            done
+        done
+        
+        if [ "$dangerous" -eq 1 ]; then
+            echo "  └─(${RED}Potentially dangerous methods found${NC})"
+            echo "     └─ $dangerous_methods" | sed 's/^/        /'
+        fi
+        
+        return $dangerous
+    }
+
+    # Function to check for dangerous properties
+    check_dangerous_properties() {
+        service="$1"
+        interface="$2"
+        dangerous=0
+        dangerous_props=""
+        
+        # Common dangerous property patterns - using space-separated string instead of array
+        patterns="Executable Command Path User Group Permission Access Auth Password Secret Key Token Credential Config Setting Policy Rule Allow Deny Write Read Execute"
+        
+        # Get properties for the interface
+        properties=$(busctl introspect "$service" "$interface" 2>/dev/null | grep "property" | awk '{print $2}')
+        
+        # Check each property against dangerous patterns
+        for prop in $properties; do
+            for pattern in $patterns; do
+                if echo "$prop" | grep -qi "$pattern"; then
+                    dangerous=1
+                    dangerous_props="${dangerous_props}${prop} "
+                fi
+            done
+        done
+        
+        if [ "$dangerous" -eq 1 ]; then
+            echo "  └─(${RED}Potentially dangerous properties found${NC})"
+            echo "     └─ $dangerous_props" | sed 's/^/        /'
+        fi
+        
+        return $dangerous
+    }
+
+    # Function to analyze service object
+    analyze_service_object() {
+        dbusservice="$1"
+        info=""
+        dangerous=0
+        
+        # Get service status
+        info=$(busctl status "$dbusservice" 2>/dev/null)
+        
+        # Check for root ownership
+        if echo "$info" | grep -qE "^(UID|EUID|OwnerUID)=0"; then
+            echo "  └─(${RED}Running as root${NC})"
+            dangerous=1
+        fi
+        
+        # Get service interfaces
+        interfaces=$(busctl tree "$dbusservice" 2>/dev/null)
+        if [ -n "$interfaces" ]; then
+            echo "  └─ Interfaces:"
+            echo "$interfaces" | sed 's/^/     /'
+            
+            # Check each interface for dangerous methods and properties
+            echo "$interfaces" | while read -r interface; do
+                if [ -n "$interface" ]; then
+                    if check_dangerous_methods "$dbusservice" "$interface"; then
+                        dangerous=1
+                    fi
+                    if check_dangerous_properties "$dbusservice" "$interface"; then
+                        dangerous=1
+                    fi
+                fi
+            done
+        fi
+        
+        # Check for known dangerous services - using space-separated string instead of array
+        dangerous_services="org.freedesktop.systemd1 org.freedesktop.PolicyKit1 org.freedesktop.Accounts org.freedesktop.login1 org.freedesktop.hostname1 org.freedesktop.timedate1 org.freedesktop.locale1 org.freedesktop.machine1 org.freedesktop.portable1 org.freedesktop.resolve1 org.freedesktop.timesync1 org.freedesktop.import1 org.freedesktop.export1 org.gnome.SettingsDaemon org.gnome.Shell org.gnome.SessionManager org.gnome.DisplayManager org.gnome.ScreenSaver"
+        
+        for dangerous_service in $dangerous_services; do
+            if echo "$dbusservice" | grep -qi "$dangerous_service"; then
+                echo "  └─(${RED}Known dangerous service: $dangerous_service${NC})"
+                dangerous=1
+            fi
+        done
+        
+        # If service is dangerous, provide exploitation hints
+        if [ "$dangerous" -eq 1 ]; then
+            echo "  └─(${RED}Potential privilege escalation vector${NC})"
+            echo "     └─ Try: busctl call $dbusservice / [Interface] [Method] [Arguments]"
+            echo "     └─ Or: dbus-send --session --dest=$dbusservice / [Interface] [Method] [Arguments]"
+        fi
+    }
+
+    # Function to analyze policy file
+    analyze_policy_file() {
+        file="$1"
+        weak_policies=0
+        
+        # Check file permissions
+        if ! [ "$IAMROOT" ] && [ -w "$file" ]; then
+            echo "  └─(${RED}Writable policy file${NC})"
+            weak_policies=$((weak_policies + 1))
+        fi
+        
+        # Check general policy
+        genpol=$(grep "<policy>" "$file" 2>/dev/null)
+        if [ -n "$genpol" ]; then
+            echo "  └─(${RED}Weak general policy found${NC})"
+            echo "     └─ $genpol" | sed 's/^/        /'
+            weak_policies=$((weak_policies + 1))
+        fi
+        
+        # Check user policies
+        userpol=$(grep "<policy user=" "$file" 2>/dev/null | grep -v "root")
+        if [ -n "$userpol" ]; then
+            echo "  └─(${RED}Weak user policy found${NC})"
+            echo "     └─ $userpol" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g"
+            weak_policies=$((weak_policies + 1))
+        fi
+        
+        # Check group policies
+        grppol=$(grep "<policy group=" "$file" 2>/dev/null | grep -v "root")
+        if [ -n "$grppol" ]; then
+            echo "  └─(${RED}Weak group policy found${NC})"
+            echo "     └─ $grppol" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"
+            weak_policies=$((weak_policies + 1))
+        fi
+        
+        # Check for allow rules in default context
+        allow_rules=$(grep -A 5 "context=\"default\"" "$file" 2>/dev/null | grep "allow")
+        if [ -n "$allow_rules" ]; then
+            echo "  └─(${RED}Allow rules in default context${NC})"
+            echo "     └─ $allow_rules" | sed 's/^/        /'
+            weak_policies=$((weak_policies + 1))
+        fi
+        
+        # Check for specific dangerous policy patterns - using space-separated string instead of array
+        dangerous_patterns="allow_any allow_all allow_root allow_user allow_group allow_anonymous allow_any_user allow_any_group allow_any_uid allow_any_gid allow_any_pid allow_any_connection allow_any_method allow_any_property allow_any_signal allow_any_interface allow_any_path allow_any_destination allow_any_sender allow_any_receiver"
+        
+        for pattern in $dangerous_patterns; do
+            if grep -qi "$pattern" "$file" 2>/dev/null; then
+                echo "  └─(${RED}Dangerous policy pattern found: $pattern${NC})"
+                weak_policies=$((weak_policies + 1))
+            fi
+        done
+        
+        return $weak_policies
+    }
+
+    # Analyze D-Bus Service Objects
+    dbuslist=$(busctl list 2>/dev/null)
+    if [ -n "$dbuslist" ]; then
+        echo "$dbuslist" | while read -r dbus_service; do
+            # Print service name with highlighting
+            echo "$dbus_service" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+            
+            # Analyze service if it's not in the known list
+            if ! echo "$dbus_service" | grep -qE "$dbuslistG"; then
+                dbussrvc_object=$(echo "$dbus_service" | cut -d " " -f1)
+                analyze_service_object "$dbussrvc_object"
+            fi
+        done
+    else
+        echo_not_found "busctl"
+    fi
+
+    # Analyze D-Bus Configuration Files
+    if [ "$PSTORAGE_DBUS" ]; then
+        echo ""
+        print_2title "D-Bus Configuration Files"
+        echo "$PSTORAGE_DBUS" | while read -r dir; do
+            for dbus_file in "$dir"/*; do
+                if [ -f "$dbus_file" ]; then
+                    echo "Analyzing $dbus_file:"
+                    if analyze_policy_file "$dbus_file"; then
+                        echo "  └─(${RED}Multiple weak policies found${NC})"
+                    fi
+                fi
+            done
+        done
+    fi
+
+    # Check for D-Bus session bus
+    if command -v dbus-send >/dev/null 2>&1; then
+        echo ""
+        print_3title "D-Bus Session Bus Analysis"
+        if dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames 2>/dev/null | grep -q "Error"; then
+            echo "(${RED}No access to session bus${NC})"
+        else
+            echo "(${GREEN}Access to session bus available${NC})"
+            # List available services on session bus
+            session_services=$(dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames 2>/dev/null | grep "string" | sed 's/^/     /')
+            echo "$session_services"
+            
+            # Check for known dangerous session services - using space-separated string instead of array
+            dangerous_session_services="org.gnome.SettingsDaemon org.gnome.Shell org.gnome.SessionManager org.gnome.DisplayManager org.gnome.ScreenSaver org.freedesktop.Notifications org.freedesktop.ScreenSaver org.freedesktop.PowerManagement org.freedesktop.UPower org.freedesktop.NetworkManager org.freedesktop.Avahi org.freedesktop.UDisks2 org.freedesktop.ModemManager1 org.freedesktop.PackageKit org.freedesktop.PolicyKit1 org.freedesktop.systemd1 org.freedesktop.Accounts org.freedesktop.login1"
+            
+            for dangerous_service in $dangerous_session_services; do
+                if echo "$session_services" | grep -qi "$dangerous_service"; then
+                    echo "  └─(${RED}Known dangerous session service: $dangerous_service${NC})"
+                    echo "     └─ Try: dbus-send --session --dest=$dangerous_service / [Interface] [Method] [Arguments]"
+                fi
+            done
+        fi
+    fi
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh
@ -1,38 +0,0 @@
-# Title: Processes & Cron & Services & Timers - .socket files
-# ID: PR_Socket_files
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: .socket files
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER
-# Initial Functions:
-# Generated Global Variables: $socketsbinpaths, $socketslistpaths
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-#TODO: .socket files in MACOS are folders
-if ! [ "$IAMROOT" ]; then
-  print_2title "Analyzing .socket files"
-  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
-  printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
-    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-      echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
-    fi
-    socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
-    printf "%s\n" "$socketsbinpaths" | while read sb; do
-      if [ -w "$sb" ]; then
-        echo "$s is calling this writable executable: $sb" | sed "s,writable.*,${SED_RED},g"
-      fi
-    done
-    socketslistpaths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
-    printf "%s\n" "$socketslistpaths" | while read sl; do
-      if [ -w "$sl" ]; then
-        echo "$s is calling this writable listener: $sl" | sed "s,writable.*,${SED_RED},g";
-      fi
-    done
-  done
-  echo ""
-fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh
@ -1,72 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Unix Sockets Listening
-# ID: PR_Unix_sockets_listening
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Unix Sockets Listening
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
-# Initial Functions:
-# Generated Global Variables: $unix_scks_list, $unix_scks_list2, $unix_scks_list3, $perms, $socketcurl, $owner, $CANNOT_CONNECT_TO_SOCKET
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-#TODO: .socket files in MACOS are folders
-if ! [ "$IAMROOT" ]; then
-  if ! [ "$SEARCH_IN_FOLDER" ]; then
-    print_2title "Unix Sockets Listening"
-    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
-    # Search sockets using netstat and ss
-    unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
-    if ! [ "$unix_scks_list" ];then
-      unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+")
-    fi
-    if ! [ "$unix_scks_list" ];then
-      unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
-    fi
-      unix_scks_list3=$(lsof -U 2>/dev/null | awk '{print $9}' | grep "/") 
-  fi
-  
-  if ! [ "$SEARCH_IN_FOLDER" ]; then
-    # But also search socket files
-    unix_scks_list2=$(find / -type s 2>/dev/null)
-  else
-    unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)
-  fi
-
-  # Detele repeated dockets and check permissions
-  (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2" && printf "%s\n" "$unix_scks_list3") | sort | uniq | while read l; do
-    perms=""
-    if [ -r "$l" ]; then
-      perms="Read "
-    fi
-    if [ -w "$l" ];then
-      perms="${perms}Write"
-    fi
-    
-    if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl || echo -n '')" ]; then
-      CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')"
-      if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then
-        perms="${perms} - Can Connect"
-      else
-        perms="${perms} - Cannot Connect"
-      fi
-    fi
-    
-    if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
-    else 
-      echo "$l" | sed -${E} "s,$l,${SED_RED},g"
-      echo "  └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
-      # Try to contact the socket
-      socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
-      if [ $? -eq 0 ]; then
-        owner=$(ls -l "$s" | cut -d ' ' -f 3)
-        echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
-        echo "$socketcurl" | head -n 30
-      fi
-    fi
-  done
-  echo ""
-fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh
@ -1,33 +0,0 @@
-# Title: Processes & Cron & Services & Timers - D-Bus Service Objects list
-# ID: PR_DBus_service_objects_list
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Enumerate D-Bus Service Objects list
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables:  $dbuslistG, $knw_usrs, $nosh_usrs, $rootcommon, $SEARCH_IN_FOLDER, $USER
-# Initial Functions:
-# Generated Global Variables: $dbuslist, $srvc_object, $srvc_object_info
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  print_2title "D-Bus Service Objects list"
-  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
-  dbuslist=$(busctl list 2>/dev/null)
-  if [ "$dbuslist" ]; then
-    busctl list | while read l; do
-      echo "$l" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},";
-      if ! echo "$l" | grep -qE "$dbuslistG"; then
-        srvc_object=$(echo $l | cut -d " " -f1)
-        srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ')
-        if [ "$srvc_object_info" ]; then
-          echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED},"
-        fi
-      fi
-    done
-  else echo_not_found "busctl"
-  fi
-fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh
@ -1,40 +0,0 @@
-# Title: Processes & Cron & Services & Timers - D-Bus config files
-# ID: PR_DBus_config_files
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Enumerate D-Bus config files
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $IAMROOT, $mygroups, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
-# Initial Functions:
-# Generated Global Variables: $genpol, $userpol, $grppol
-# Fat linpeas: 0
-# Small linpeas: 0
-
-print_2title "D-Bus config files"
-print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
-if [ "$PSTORAGE_DBUS" ]; then
-  printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
-    for f in $d/*; do
-      if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
-        echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
-      fi
-
-      genpol=$(grep "<policy>" "$f" 2>/dev/null)
-      if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
-      #if [ "`grep \"<policy user=\\\"$USER\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f () \n" | sed "s,$USER,${SED_RED},g"; fi
-
-      userpol=$(grep "<policy user=" "$f" 2>/dev/null | grep -v "root")
-      if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
-      #for g in `groups`; do
-      #  if [ "`grep \"<policy group=\\\"$g\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,$g,${SED_RED},g"; fi
-      #done
-      grppol=$(grep "<policy group=" "$f" 2>/dev/null | grep -v "root")
-      if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
-
-      #TODO: identify allows in context="default"
-    done
-  done
-fi
-echo ""
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh
@ -1,37 +1,227 @@
-# Title: Processes & Cron & Services & Timers - List proccesses
+# Title: Processes & Cron & Services & Timers - List processes
 # ID: PR_List_processes
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: List running proccesses removing the ones that aren't interesting
+# Last Update: 2024-03-19
+# Description: List running processes and check for unusual configurations
 # License: GNU GPL
-# Version: 1.0
+# Version: 1.4
 # Functions Used: print_2title, print_info, print_ps
 # Global Variables: $capsB, $knw_usrs, $nosh_usrs, $NOUSEPS, $processesB, $processesDump, $processesVB, $rootcommon, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
 # Initial Functions:
-# Generated Global Variables: $pslist, $cpid, $caphex, $psline
+# Generated Global Variables: $pslist, $cpid, $caphex, $psline, $pid, $selinux_ctx, $current_env_vars, $env_findings, $apparmor_profile, $mount, $mount_findings, $fd_findings, $proc_cmd, $proc_user, $mount_point, $current_mounts, $fd_target, $var, $findings, $sec_findings, $proc_env_vars, $fd_count, $proc_mounts, $$escaped_var
 # Fat linpeas: 0
 # Small linpeas: 1

-
 if ! [ "$SEARCH_IN_FOLDER" ]; then
  print_2title "Running processes (cleaned)"

  if [ "$NOUSEPS" ]; then
    printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
  fi
-  print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
+  print_info "Check weird & unexpected processes run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"

  if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
    echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"
  fi

+  # Get current process environment variables
+  if [ -r "/proc/self/environ" ]; then
+    current_env_vars=$(cat /proc/self/environ 2>/dev/null | tr '\0' '\n' | sort)
+  else
+    current_env_vars=$(env 2>/dev/null | sort)
+  fi
+  
+  # Get current process mounts
+  if [ -r "/proc/self/mountinfo" ]; then
+    current_mounts=$(cat /proc/self/mountinfo 2>/dev/null | sort)
+  else
+    current_mounts=$(mount 2>/dev/null | sort)
+  fi
+
+  # Function to check for unusual environment variables
+  check_env_vars() {
+    local pid="$1"
+    local proc_user="$2"
+    local proc_cmd="$3"
+    local findings=""
+    
+    # Skip if we can't read the environment
+    [ ! -r "/proc/$pid/environ" ] && return
+    
+    # Get process environment variables
+    proc_env_vars=$(cat "/proc/$pid/environ" 2>/dev/null | tr '\0' '\n' | sort)
+    [ -z "$proc_env_vars" ] && return
+
+    # Find environment variables that the target process has but we don't
+    if [ -n "$current_env_vars" ]; then
+      echo "$proc_env_vars" | while read -r var; do
+        if [ -n "$var" ]; then
+          # Escape special regex characters in var
+          escaped_var=$(echo "$var" | sed 's/[][^$.*+?(){}|]/\\&/g')
+          if ! echo "$current_env_vars" | grep -q "^$escaped_var$"; then
+            if [ -z "$findings" ]; then
+              findings="Has additional environment variables:"
+            fi
+            findings="$findings\n  └─ $var"
+          fi
+        fi
+      done
+    else
+      # If we can't get current env vars, just show all process env vars
+      findings="Has environment variables:"
+      echo "$proc_env_vars" | while read -r var; do
+        if [ -n "$var" ]; then
+          findings="$findings\n  └─ $var"
+        fi
+      done
+    fi
+
+    # Return findings if any
+    if [ -n "$findings" ]; then
+      echo "$findings"
+    fi
+  }
+
+  # Function to check for unusual security contexts
+  check_security_context() {
+    local pid="$1"
+    local proc_user="$2"
+    local proc_cmd="$3"
+    local findings=""
+    
+    # Check SELinux context
+    if [ -r "/proc/$pid/attr/current" ]; then
+      selinux_ctx=$(cat "/proc/$pid/attr/current" 2>/dev/null)
+      if [ -n "$selinux_ctx" ] && [ "$selinux_ctx" != "unconfined" ]; then
+        findings="SELinux context: $selinux_ctx"
+      fi
+    fi
+    
+    # Check AppArmor profile
+    if [ -r "/proc/$pid/attr/apparmor/current" ]; then
+      apparmor_profile=$(cat "/proc/$pid/attr/apparmor/current" 2>/dev/null)
+      if [ -n "$apparmor_profile" ] && [ "$apparmor_profile" != "unconfined" ]; then
+        if [ -n "$findings" ]; then
+          findings="$findings\n  └─ AppArmor profile: $apparmor_profile"
+        else
+          findings="AppArmor profile: $apparmor_profile"
+        fi
+      fi
+    fi
+
+    # Return findings if any
+    if [ -n "$findings" ]; then
+      echo "$findings"
+    fi
+  }
+
+  # Function to check for unusual mount namespaces
+  check_mount_namespace() {
+    local pid="$1"
+    local proc_user="$2"
+    local proc_cmd="$3"
+    local findings=""
+    
+    # Skip if we can't read the mountinfo
+    [ ! -r "/proc/$pid/mountinfo" ] && return
+    
+    # Get process mounts
+    proc_mounts=$(cat "/proc/$pid/mountinfo" 2>/dev/null | sort)
+    [ -z "$proc_mounts" ] && return
+
+    # Find mounts that the target process has but we don't
+    if [ -n "$current_mounts" ]; then
+      echo "$proc_mounts" | while read -r mount; do
+        if [ -n "$mount" ] && ! echo "$current_mounts" | grep -q "^$mount$"; then
+          mount_point=$(echo "$mount" | sed "s,.* - \(.*\),\1,")
+          if [ -z "$findings" ]; then
+            findings="Has additional mounts:"
+          fi
+          findings="$findings\n  └─ $mount_point"
+        fi
+      done
+    else
+      # If we can't get current mounts, just show all process mounts
+      findings="Has mounts:"
+      echo "$proc_mounts" | while read -r mount; do
+        if [ -n "$mount" ]; then
+          mount_point=$(echo "$mount" | sed "s,.* - \(.*\),\1,")
+          findings="$findings\n  └─ $mount_point"
+        fi
+      done
+    fi
+
+    # Return findings if any
+    if [ -n "$findings" ]; then
+      echo "$findings"
+    fi
+  }
+
+  # Function to check for unusual file descriptors
+  check_file_descriptors() {
+    local pid="$1"
+    local proc_user="$2"
+    local proc_cmd="$3"
+    local findings=""
+    
+    # Skip if we can't read the file descriptors
+    [ ! -r "/proc/$pid/fd" ] && return
+
+    # Check for interesting file descriptors
+    for fd in /proc/$pid/fd/*; do
+      # Skip if fd doesn't exist or we can't access it
+      [ ! -e "$fd" ] && continue
+      
+      # Get fd target
+      fd_target=$(readlink "$fd" 2>/dev/null)
+      [ -z "$fd_target" ] && continue
+
+      # Skip if target doesn't exist
+      [ ! -e "$fd_target" ] && continue
+
+      # Check if we can access the FD but not the target file
+      if [ -r "$fd" ] && [ ! -r "$fd_target" ]; then
+        if [ -z "$findings" ]; then
+          findings="Readable FD to unreadable file: $fd -> $fd_target"
+        else
+          findings="$findings\n  └─ Readable FD to unreadable file: $fd -> $fd_target"
+        fi
+      fi
+      if [ -w "$fd" ] && [ ! -w "$fd_target" ]; then
+        if [ -z "$findings" ]; then
+          findings="Writable FD to unwritable file: $fd -> $fd_target"
+        else
+          findings="$findings\n  └─ Writable FD to unwritable file: $fd -> $fd_target"
+        fi
+      fi
+    done
+
+    # Check for unusual number of file descriptors
+    fd_count=$(ls -1 "/proc/$pid/fd" 2>/dev/null | wc -l)
+    [ -z "$fd_count" ] && return
+
+    # If process has more than 100 file descriptors, it might be interesting
+    if [ "$fd_count" -gt 100 ]; then
+      if [ -z "$findings" ]; then
+        findings="Unusual number of FDs: $fd_count"
+      else
+        findings="$findings\n  └─ Unusual number of FDs: $fd_count"
+      fi
+    fi
+
+    # Return findings if any
+    if [ -n "$findings" ]; then
+      echo "$findings"
+    fi
+  }
+
  if [ "$NOUSEPS" ]; then
    print_ps | grep -v 'sed-Es' | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
    pslist=$(print_ps)
  else
    (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do
      echo "$psline"  | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
-      if [ "$(command -v capsh || echo -n '')" ] && ! echo "$psline" | grep -q root; then
+      if [ "$(command -v capsh || echo -n '')" ] && ! echo "$psline" | grep -q "root"; then
        cpid=$(echo "$psline" | awk '{print $2}')
        caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')"
        if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then
@ -42,5 +232,34 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
    pslist=$(ps auxwww)
    echo ""
  fi
+
+  # Additional checks for each process
+  print_2title "Processes with unusual configurations"
+  for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+    # Skip if process doesn't exist or we can't access it
+    [ ! -d "/proc/$pid" ] && continue
+    
+    # Get process user and command
+    proc_user=$(stat -c '%U' "/proc/$pid" 2>/dev/null)
+    proc_cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
+    [ -z "$proc_user" ] || [ -z "$proc_cmd" ] && continue
+    
+    # Run all checks and collect findings
+    sec_findings=$(check_security_context "$pid" "$proc_user" "$proc_cmd")
+    mount_findings=$(check_mount_namespace "$pid" "$proc_user" "$proc_cmd")
+    fd_findings=$(check_file_descriptors "$pid" "$proc_user" "$proc_cmd")
+    env_findings=$(check_env_vars "$pid" "$proc_user" "$proc_cmd")
+
+    # If any findings exist, print process info and findings
+    if [ -n "$env_findings" ] || [ -n "$sec_findings" ] || [ -n "$mount_findings" ] || [ -n "$fd_findings" ]; then
+      echo "Process $pid ($proc_user) - $proc_cmd"
+      [ -n "$env_findings" ] && echo "$env_findings"
+      [ -n "$sec_findings" ] && echo "$sec_findings"
+      [ -n "$mount_findings" ] && echo "$mount_findings"
+      [ -n "$fd_findings" ] && echo "$fd_findings"
+      echo ""
+    fi
+  done
+
  echo ""
 fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh
@ -1,26 +1,103 @@
 # Title: Processes & Cron & Services & Timers - Processes with credentials inside memory
 # ID: PR_Process_cred_in_memory
 # Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Processes with credentials inside memory
+# Last Update: 2024-03-19
+# Description: Processes with credentials inside memory and memory-mapped files
 # License: GNU GPL
-# Version: 1.0
+# Version: 1.2
 # Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $pslist, $SEARCH_IN_FOLDER
+# Global Variables: $pslist, $SEARCH_IN_FOLDER, $processesDump, $nosh_usrs, $processesB, $knw_usrs, $rootcommon, $sh_usrs, $processesVB
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $line, $cred_files, $filename, $fd_target, $found_cred_files, $proc, $proc_cmd, $pid, $proc_user, $cred_processes, $seen_files
 # Fat linpeas: 0
 # Small linpeas: 1

-
 if ! [ "$SEARCH_IN_FOLDER" ]; then
  print_2title "Processes with credentials in memory (root req)"
  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory"
-  if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
-  if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
-  if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
-  if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi
-  if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
-  if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
+
+  # Common credential-storing processes
+  cred_processes="gdm-password gnome-keyring-daemon lightdm vsftpd apache2 sshd: mysql postgres redis-server mongod memcached elasticsearch jenkins tomcat nginx php-fpm supervisord vncserver xrdp teamviewer"
+
+  # Check for credential-storing processes
+  for proc in $cred_processes; do
+    if echo "$pslist" | grep -q "$proc"; then
+      echo "$proc process found (dump creds from memory as root)" | sed "s,$proc,${SED_RED},"
+    else
+      echo_not_found "$proc"
+    fi
+  done
+
+  # Check for processes with open handles to credential files
+  echo ""
+  print_2title "Opened Files by processes"
+  for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+    # Skip if process doesn't exist or we can't access it
+    [ ! -d "/proc/$pid" ] && continue
+    [ ! -r "/proc/$pid/fd" ] && continue
+
+    # Get process user and command
+    proc_user=$(stat -c '%U' "/proc/$pid" 2>/dev/null)
+    proc_cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
+    [ -z "$proc_user" ] || [ -z "$proc_cmd" ] && continue
+    
+    # Skip processes that start with "sed " or contain "linpeas.sh"
+    echo "$proc_cmd" | grep -q "^sed " && continue
+    echo "$proc_cmd" | grep -q "linpeas.sh" && continue
+
+    # Variable to store unique files for this process
+    seen_files=""
+    found_cred_files=""
+    
+    # Check for open credential files
+    for fd in /proc/$pid/fd/*; do
+      [ ! -e "$fd" ] && continue
+      fd_target=$(readlink "$fd" 2>/dev/null)
+      [ -z "$fd_target" ] && continue
+      [ "$fd_target" = "/dev/null" ] && continue
+      echo "$fd_target" | grep -q "^socket:" && continue
+      echo "$fd_target" | grep -q "^anon_inode:" && continue
+
+      # Only add if not already seen (using case to check)
+      case " $seen_files " in
+        *" $fd_target "*) continue ;;
+        *)
+          seen_files="$seen_files $fd_target"
+          if [ -z "$found_cred_files" ]; then
+            echo "Process $pid ($proc_user) - $proc_cmd"
+            echo "  └─ Has open files:"
+            found_cred_files="yes"
+          fi
+          echo "    └─ $fd_target"
+          ;;
+      esac
+    done
+  done | sed -${E} "s,\.(pem|key|cred|db|sqlite|conf|cnf|ini|env|secret|token|auth|passwd|shadow)$,\1${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
+
+  # Check for processes with memory-mapped files that might contain credentials
+  echo ""
+  print_2title "Processes with memory-mapped credential files"
+  for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+    # Skip if process doesn't exist or we can't access it
+    [ ! -d "/proc/$pid" ] && continue
+    [ ! -r "/proc/$pid/maps" ] && continue
+
+    # Get process user and command
+    proc_user=$(stat -c '%U' "/proc/$pid" 2>/dev/null)
+    proc_cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
+    [ -z "$proc_user" ] || [ -z "$proc_cmd" ] && continue
+
+    # Check for memory-mapped files that might contain credentials
+    cred_files=$(grep -E '\.(pem|key|cred|db|sqlite|conf|cnf|ini|env|secret|token|auth|passwd|shadow)$' "/proc/$pid/maps" 2>/dev/null)
+    if [ -n "$cred_files" ]; then
+      echo "Process $pid ($proc_user) - $proc_cmd"
+      echo "  └─ Has memory-mapped credential files:"
+      echo "$cred_files" | while read -r line; do
+        filename=$(echo "$line" | sed "s,.*/\(.*\),\1,")
+        echo "    └─ $filename"
+      done
+    fi
+  done
+
  echo ""
 fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh
@ -1,29 +1,56 @@
 # Title: Processes & Cron & Services & Timers - Process binaries permissions
 # ID: PR_Process_binaries_perms
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 2024-03-19
 # Description: Check the permissions of the binaries of the running processes
 # License: GNU GPL
-# Version: 1.0
+# Version: 1.2
 # Functions Used: print_2title, print_info
 # Global Variables: $knw_usrs, $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
 # Initial Functions:
-# Generated Global Variables: $binW, $bpath
+# Generated Global Variables: $binW, $bpath, $pid
 # Fat linpeas: 0
 # Small linpeas: 1

-
 if ! [ "$SEARCH_IN_FOLDER" ]; then
  if [ "$NOUSEPS" ]; then
    print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
-    binW="IniTialiZZinnggg"
-    ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
+    
+    # Get list of writable binaries
+    binW=""
+    for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+      # Skip if process doesn't exist or we can't access it
+      [ ! -r "/proc/$pid/exe" ] && continue
+      
+      # Get binary path
+      bpath=$(readlink "/proc/$pid/exe" 2>/dev/null)
+      [ -z "$bpath" ] && continue
+      
+      # Check if binary is writable
      if [ -w "$bpath" ]; then
-        binW="$binW|$bpath"
+        if [ -z "$binW" ]; then
+          binW="$bpath"
+        else
+          binW="$binW|$bpath"
+        fi
      fi
    done
-    ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
+
+    # Get and display binary permissions
+    for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+      # Skip if process doesn't exist or we can't access it
+      [ ! -r "/proc/$pid/exe" ] && continue
+      
+      # Get binary path
+      bpath=$(readlink "/proc/$pid/exe" 2>/dev/null)
+      [ -z "$bpath" ] && continue
+      
+      # Display binary permissions if file exists
+      if [ -e "$bpath" ]; then
+        ls -la "$bpath" 2>/dev/null
+      fi
+    done | grep -Ev "\sroot\s+root" | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
    echo ""
  fi
 fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh
@ -1,34 +1,58 @@
 # Title: Processes & Cron & Services & Timers - Process opened by other users
 # ID: PR_Processes_PPID_different_user
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 2024-03-19
 # Description: Processes whose PPID belongs to a different user (not root)
 # License: GNU GPL
-# Version: 1.0
+# Version: 1.1
 # Functions Used: print_2title, print_info
 # Global Variables: $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables: $ppid_user, $pid, $ppid, $user
+# Generated Global Variables: $ppid_user, $pid, $ppid, $user, $ppid_uid, $user_uid
 # Fat linpeas: 0
 # Small linpeas: 1

-
 if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
  print_2title "Processes whose PPID belongs to a different user (not root)"
  print_info "You will know if a user can somehow spawn processes as a different user"
  
-  # Function to get user by PID
+  # Function to get user by PID using /proc
  get_user_by_pid() {
-    ps -p "$1" -o user | grep -v "USER"
+    if [ -r "/proc/$1/status" ]; then
+      grep "^Uid:" "/proc/$1/status" 2>/dev/null | awk '{print $2}'
+    fi
+  }
+
+  # Function to get username by UID
+  get_username_by_uid() {
+    if [ -r "/etc/passwd" ]; then
+      grep "^[^:]*:[^:]*:$1:" "/etc/passwd" 2>/dev/null | cut -d: -f1
+    fi
  }

  # Find processes with PPID and user info, then filter those where PPID's user is different from the process's user
-  ps -eo pid,ppid,user | grep -v "PPID" | while read -r pid ppid user; do
-    if [ "$ppid" = "0" ]; then
-      continue
-    fi
-    ppid_user=$(get_user_by_pid "$ppid")
-    if echo "$ppid_user" | grep -Eqv "$user|root$"; then
+  for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+    # Skip if process doesn't exist or we can't access it
+    [ ! -r "/proc/$pid/status" ] && continue
+    
+    # Get process user
+    user_uid=$(get_user_by_pid "$pid")
+    [ -z "$user_uid" ] && continue
+    user=$(get_username_by_uid "$user_uid")
+    [ -z "$user" ] && continue
+
+    # Get PPID
+    ppid=$(grep "^PPid:" "/proc/$pid/status" 2>/dev/null | awk '{print $2}')
+    [ -z "$ppid" ] || [ "$ppid" = "0" ] && continue
+
+    # Get PPID user
+    ppid_uid=$(get_user_by_pid "$ppid")
+    [ -z "$ppid_uid" ] && continue
+    ppid_user=$(get_username_by_uid "$ppid_uid")
+    [ -z "$ppid_user" ] && continue
+
+    # Check if users are different and PPID user is not root
+    if [ "$user" != "$ppid_user" ] && [ "$ppid_user" != "root" ]; then
      echo "Proc $pid with ppid $ppid is run by user $user but the ppid user is $ppid_user" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
    fi
  done
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh
@ -1,23 +1,64 @@
 # Title: Processes & Cron & Services & Timers - Files opened by processes belonging to other users
 # ID: PR_Files_open_process_other_user
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 2024-03-19
 # Description: Files opened by processes belonging to other users
 # License: GNU GPL
-# Version: 1.0
+# Version: 1.1
 # Functions Used: print_2title, print_info
 # Global Variables: $IAMROOT, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $user_uid, $pid, $fd_target, $cmd, $user
 # Fat linpeas: 0
 # Small linpeas: 1

-
 if ! [ "$SEARCH_IN_FOLDER" ]; then
  if ! [ "$IAMROOT" ]; then
    print_2title "Files opened by processes belonging to other users"
    print_info "This is usually empty because of the lack of privileges to read other user processes information"
-    lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+
+    # Function to get username by UID
+    get_username_by_uid() {
+      if [ -r "/etc/passwd" ]; then
+        grep "^[^:]*:[^:]*:$1:" "/etc/passwd" 2>/dev/null | cut -d: -f1
+      fi
+    }
+
+    # Check each process
+    for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
+      # Skip if process doesn't exist or we can't access it
+      [ ! -r "/proc/$pid/status" ] && continue
+      [ ! -r "/proc/$pid/fd" ] && continue
+
+      # Get process user
+      user_uid=$(grep "^Uid:" "/proc/$pid/status" 2>/dev/null | awk '{print $2}')
+      [ -z "$user_uid" ] && continue
+      user=$(get_username_by_uid "$user_uid")
+      [ -z "$user" ] && continue
+
+      # Skip if process belongs to current user
+      [ "$user" = "$USER" ] && continue
+
+      # Get process command
+      cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | head -c 100)
+      [ -z "$cmd" ] && continue
+
+      # Check file descriptors
+      for fd in /proc/$pid/fd/*; do
+        [ ! -e "$fd" ] && continue
+        fd_target=$(readlink "$fd" 2>/dev/null)
+        [ -z "$fd_target" ] && continue
+
+        # Skip if target doesn't exist or is a special file
+        [ ! -e "$fd_target" ] && continue
+        case "$fd_target" in
+          /dev/*|/proc/*|/sys/*) continue ;;
+        esac
+
+        echo "Process $pid ($user) - $cmd"
+        echo "  └─ Has open file: $fd_target" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+      done
+    done
    echo ""
  fi
 fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh
@ -0,0 +1,250 @@
+# Title: Processes & Cron & Services & Timers - Cron jobs and Wildcards
+# ID: PR_Cron_jobs
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Enumerate system cron jobs and check for privilege escalation vectors
+# License: GNU GPL
+# Version: 1.2
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $cronjobsG, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders, $cronjobsB, $PATH
+# Initial Functions:
+# Generated Global Variables: $cmd, $VAR, $file, $path, $user_crontab, $username, $job_id, $cron_dir, $crontab, $findings, $line, $finding, $bin
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Check for vulnerable cron jobs"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
+
+  print_3title "Cron jobs list"
+  command -v crontab 2>/dev/null || echo_not_found "crontab"
+  crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+  command -v incrontab 2>/dev/null || echo_not_found "incrontab"
+  incrontab -l 2>/dev/null
+  ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
+  cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
+  crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
+  ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
+  atq 2>/dev/null
+  echo ""
+
+  print_3title "Checking for specific cron jobs vulnerabilities"
+
+
+
+  # Function to check if a binary is writable and executable
+  check_binary_perms() {
+    local bin="$1"
+    [ -z "$bin" ] && return
+    
+    # Skip if binary doesn't exist
+    [ ! -e "$bin" ] && return
+    
+    # Check if it's a regular file
+    [ ! -f "$bin" ] && return
+    
+    # Check if it's writable and executable
+    if [ -w "$bin" ]; then
+      echo "Writable binary: $bin"
+      ls -l "$bin" 2>/dev/null
+    fi
+  }
+
+  # Function to extract binary path from command
+  get_binary_path() {
+    local cmd="$1"
+    local bin=""
+    
+    # Try to get the first word of the command
+    bin=$(echo "$cmd" | awk '{print $1}')
+    [ -z "$bin" ] && return
+    
+    # If it's an absolute path, use it directly
+    if [ "$(echo "$bin" | cut -c1)" = "/" ]; then
+      echo "$bin"
+      return
+    fi
+    
+    # If it's a relative path, try to resolve it
+    if [ -e "$bin" ]; then
+      echo "$(pwd)/$bin"
+      return
+    fi
+    
+    # Try to find it in PATH
+    for path in $(echo "$PATH" | tr ':' ' '); do
+      if [ -x "$path/$bin" ]; then
+        echo "$path/$bin"
+        return
+      fi
+    done
+  }
+
+  # Function to check for privilege escalation vectors in a command
+  check_privesc_vectors() {
+    local cmd="$1"
+    local file="$2"
+    local findings=""
+    local bin=""
+
+    # Skip common false positives (mail commands, shell conditionals, variable assignments)
+    if echo "$cmd" | grep -qE '^(mail|echo|then|else|fi|if|for|while|do|done|case|esac|exit|return|break|continue|:|\[|test|\[\[|\]\]|true|false|source|\.|cd|pwd|export|unset|readonly|local|declare|typeset|alias|unalias|set|unset|shift|wait|trap|umask|ulimit|exec|eval|command|builtin|let|read|printf|^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*[=:])'; then
+      return
+    fi
+
+    # Get the binary path
+    bin=$(get_binary_path "$cmd")
+    if [ -n "$bin" ]; then
+      check_binary_perms "$bin"
+    fi
+
+    # Check for wildcard injection vectors
+    # Attack: Using wildcards in tar/chmod/chown to execute arbitrary commands
+    # Example: tar cf archive.tar * (where * expands to --checkpoint=1 --checkpoint-action=exec=sh)
+    if echo "$cmd" | grep -qE '\*'; then
+      findings="${findings}POTENTIAL_WILDCARD_INJECTION: Command uses wildcards with potentially exploitable command\n"
+    fi
+
+    # Check for path hijacking vectors
+    # Attack: Using relative paths or commands without full path that can be hijacked
+    # Example: script.sh instead of /usr/bin/script.sh
+    if echo "$cmd" | grep -qE '^[[:space:]]*[^/][^[:space:]]*[[:space:]]'; then
+      # Skip common false positives like shell builtins, control structures, and variable assignments
+      # Also skip test commands ([ ]), logical operators (&& ||), and complex shell constructs
+      if ! echo "$cmd" | grep -qE '^[[:space:]]*(cd|\.|source|\./|if|then|else|fi|for|while|do|done|case|esac|exit|return|break|continue|:|\[[[:space:]]|test|\[\[|\]\]|true|false|export|unset|readonly|local|declare|typeset|alias|unalias|set|unset|shift|wait|trap|umask|ulimit|exec|eval|command|builtin|let|read|printf|[A-Za-z0-9_]+[[:space:]]*[=:]|&&|\|\||;|\(|\)|\{|\})'; then
+        findings="${findings}PATH_HIJACKING: Command uses relative path\n"
+      fi
+    fi
+
+    # Check for command injection vectors
+    # Attack: Using unquoted variables or command substitution that can be injected
+    # Example: echo $VAR or echo $(command)
+    if echo "$cmd" | grep -qE '\$\{?[A-Za-z0-9_]|\$\(|`'; then
+      findings="${findings}COMMAND_INJECTION: Command uses unquoted variables or command substitution\n"
+    fi
+
+    # Check for overly permissive commands
+    # Attack: Commands that can be used to escalate privileges
+    # Example: chmod 777, chown root, etc.
+    if echo "$cmd" | grep -qE '\b(chmod\s+[0-7]{3,4}|chown\s+root|chgrp\s+root|sudo|su |pkexec)\b'; then
+      findings="${findings}PERMISSIVE_COMMAND: Command modifies permissions or uses privilege escalation tools\n"
+    fi
+
+    # If any findings, print them
+    if [ -n "$findings" ]; then
+      echo "Potential privilege escalation in cron job:"
+      echo "  └─ File: $file"
+      echo "  └─ Command: $cmd"
+      if [ -n "$bin" ]; then
+        echo "  └─ Binary: $bin"
+      fi
+      echo "  └─ Findings:"
+      echo "$findings" | while read -r finding; do
+        [ -n "$finding" ] && echo "     * $finding"
+      done
+    fi
+  }
+
+  # Check system crontabs
+  #echo "Checking system crontabs..."
+  #for crontab in /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/* /var/spool/cron/crontabs/* /etc/at* /etc/anacrontab /etc/incron.d/* /var/spool/incron/*; do
+  #  [ ! -f "$crontab" ] && continue
+  #  [ ! -r "$crontab" ] && continue
+
+  #  # Check if the file is writable
+  #  if [ -w "$crontab" ]; then
+  #    echo "Writable cron file: $crontab"
+  #  fi
+
+  #  # Check each line for privilege escalation vectors
+  #  while IFS= read -r line || [ -n "$line" ]; do
+  #    # Skip comments and empty lines
+  #    case "$line" in
+  #      \#*|"") continue ;;
+  #    esac
+
+  #    # Extract the command part (everything after the time specification)
+  #    cmd=$(echo "$line" | sed -E 's/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ //')
+  #    [ -z "$cmd" ] && continue
+
+  #    check_privesc_vectors "$cmd" "$crontab"
+  #  done < "$crontab"
+  #done
+
+  # Check user crontabs
+  #echo "Checking user crontabs..."
+  #if command -v crontab >/dev/null 2>&1; then
+  #  # Check current user's crontab
+  #  crontab -l 2>/dev/null | while IFS= read -r line || [ -n "$line" ]; do
+  #    case "$line" in
+  #      \#*|"") continue ;;
+  #    esac
+  #    cmd=$(echo "$line" | sed -E 's/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ //')
+  #    [ -z "$cmd" ] && continue
+  #    check_privesc_vectors "$cmd" "current user crontab"
+  #  done
+
+  #  # Check other users' crontabs if accessible
+  #  for user_crontab in /var/spool/cron/crontabs/*; do
+  #    [ ! -f "$user_crontab" ] && continue
+  #    [ ! -r "$user_crontab" ] && continue
+  #    username=$(basename "$user_crontab")
+  #    [ "$username" = "$USER" ] && continue
+      
+  #    echo "Found crontab for user: $username"
+  #    while IFS= read -r line || [ -n "$line" ]; do
+  #      case "$line" in
+  #        \#*|"") continue ;;
+  #      esac
+  #      cmd=$(echo "$line" | sed -E 's/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ //')
+  #      [ -z "$cmd" ] && continue
+  #      check_privesc_vectors "$cmd" "$user_crontab"
+  #    done < "$user_crontab"
+  #  done
+  #else
+  #  echo_not_found "crontab"
+  #fi
+
+  # Check for writable cron directories
+  echo "Checking cron directories..."
+  for cron_dir in /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron/crontabs /usr/lib/cron/tabs /private/var/at/jobs /var/at/tabs /etc/periodic; do
+    [ ! -d "$cron_dir" ] && continue
+    if [ -w "$cron_dir" ]; then
+      echo "Writable cron directory: $cron_dir"
+    fi
+  done
+
+  # Check for at jobs
+  #if command -v atq >/dev/null 2>&1; then
+  #  echo "Checking at jobs..."
+  #  atq 2>/dev/null | while IFS= read -r line || [ -n "$line" ]; do
+  #    [ -z "$line" ] && continue
+  #    job_id=$(echo "$line" | awk '{print $1}')
+  #    [ -z "$job_id" ] && continue
+  #    at -c "$job_id" 2>/dev/null | while IFS= read -r cmd || [ -n "$cmd" ]; do
+  #      case "$cmd" in
+  #        \#*|"") continue ;;
+  #      esac
+  #      check_privesc_vectors "$cmd" "at job $job_id"
+  #    done
+  #  done
+  #fi
+
+  # Check for incron jobs
+  #if command -v incrontab >/dev/null 2>&1; then
+  #  echo "Checking incron jobs..."
+  #  incrontab -l 2>/dev/null | while IFS= read -r line || [ -n "$line" ]; do
+  #    case "$line" in
+  #      \#*|"") continue ;;
+  #    esac
+  #    cmd=$(echo "$line" | awk '{print $3}')
+  #    [ -z "$cmd" ] && continue
+  #    check_privesc_vectors "$cmd" "incron job"
+  #  done
+  #fi
+else
+  print_2title "Cron jobs"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
+  find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh
@ -1,22 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Systemd PATH
-# ID: PR_Systemd_path
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Systemd PATH
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $SEARCH_IN_FOLDER, $Wfolders
-# Initial Functions:
-# Generated Global Variables: $WRITABLESYSTEMDPATH
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  print_2title "Systemd PATH"
-  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
-  systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
-  WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
-  echo ""
-fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh
@ -1,33 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Cron jobs
-# ID: PR_Cron_jobs
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Enumerate system cron jobs
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $cronjobsG, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders, $cronjobsB
-# Initial Functions:
-# Generated Global Variables:
-# Fat linpeas: 0
-# Small linpeas: 1
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  print_2title "Cron jobs"
-  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
-  command -v crontab 2>/dev/null || echo_not_found "crontab"
-  crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
-  command -v incrontab 2>/dev/null || echo_not_found "incrontab"
-  incrontab -l 2>/dev/null
-  ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
-  cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
-  crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
-  ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
-  atq 2>/dev/null
-else
-  print_2title "Cron jobs"
-  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
-  find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
-fi
-echo ""
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Macos_launch_agents_daemons.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Macos_launch_agents_daemons.sh
@ -0,0 +1,169 @@
+# Title: Processes & Cron & Services & Timers - Third party LaunchAgents & LaunchDemons
+# ID: PR_Macos_launch_agents_daemons
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: Third party LaunchAgents & LaunchDemons and privilege escalation vectors
+# License: GNU GPL
+# Version: 1.1
+# Functions Used: print_2title, print_info
+# Global Variables: $MACPEAS, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables: $program, $plist_content, $binary_path, $periodic_dir, $workdir, $startup_dir, $line, $emond_script, $startup_item, $finding, $location, $findings, $login_item, $plist, $periodic_script, $plist_dir
+# Fat linpeas: 0
+# Small linpeas: 0
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if [ "$MACPEAS" ]; then
+    print_2title "Third party LaunchAgents & LaunchDemons"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#launchd"
+    print_info "Checking for privilege escalation vectors in LaunchAgents & LaunchDaemons:"
+    print_info "1. Writable plist files"
+    print_info "2. Writable program binaries"
+    print_info "3. Environment variables with sensitive data"
+    print_info "4. Unsafe program arguments"
+    print_info "5. RunAtLoad with elevated privileges"
+    print_info "6. KeepAlive with elevated privileges"
+
+    # Function to check plist content for privilege escalation vectors
+    check_plist_content() {
+      local plist="$1"
+      local findings=""
+      
+      # Check for environment variables
+      if defaults read "$plist" EnvironmentVariables 2>/dev/null | grep -qE '(PASS|SECRET|KEY|TOKEN|CRED)'; then
+        findings="${findings}ENV_VARS: Contains sensitive environment variables\n"
+      fi
+
+      # Check for RunAtLoad with elevated privileges
+      if defaults read "$plist" RunAtLoad 2>/dev/null | grep -q "true"; then
+        if [ -w "$plist" ]; then
+          findings="${findings}RUN_AT_LOAD: Runs at load and plist is writable\n"
+        fi
+      fi
+
+      # Check for KeepAlive with elevated privileges
+      if defaults read "$plist" KeepAlive 2>/dev/null | grep -q "true"; then
+        if [ -w "$plist" ]; then
+          findings="${findings}KEEP_ALIVE: Keeps running and plist is writable\n"
+        fi
+      fi
+
+      # Check for unsafe program arguments
+      if defaults read "$plist" ProgramArguments 2>/dev/null | grep -qE '(sudo|su|chmod|chown|chroot|mount)'; then
+        findings="${findings}UNSAFE_ARGS: Uses potentially dangerous program arguments\n"
+      fi
+
+      # Check for writable working directory
+      if defaults read "$plist" WorkingDirectory 2>/dev/null | grep -qE '^/'; then
+        local workdir=$(defaults read "$plist" WorkingDirectory 2>/dev/null)
+        if [ -w "$workdir" ]; then
+          findings="${findings}WRITABLE_WORKDIR: Working directory is writable\n"
+        fi
+      fi
+
+      # If any findings, print them
+      if [ -n "$findings" ]; then
+        echo "Potential privilege escalation in: $plist"
+        echo "$findings" | while read -r finding; do
+          [ -n "$finding" ] && echo "  └─ $finding"
+        done
+      fi
+    }
+
+    # Check system and user LaunchAgents & LaunchDaemons
+    for plist_dir in /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/; do
+      [ ! -d "$plist_dir" ] && continue
+      
+      echo "Checking $plist_dir..."
+      find "$plist_dir" -name "*.plist" 2>/dev/null | while read -r plist; do
+        # Check if plist is writable
+        if [ -w "$plist" ]; then
+          echo "Writable plist: $plist" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+        fi
+
+        # Get program path
+        program=""
+        program=$(defaults read "$plist" Program 2>/dev/null)
+        if ! [ "$program" ]; then
+          program=$(defaults read "$plist" ProgramArguments 2>/dev/null | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
+        fi
+
+        # Check if program is writable
+        if [ -n "$program" ] && [ -w "$program" ]; then
+          echo "Writable program: $program" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$program" 2>/dev/null
+        fi
+
+        # Check plist content for privilege escalation vectors
+        check_plist_content "$plist"
+      done
+    done
+    echo ""
+
+    print_2title "StartupItems"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
+    for startup_dir in /Library/StartupItems/ /System/Library/StartupItems/; do
+      [ ! -d "$startup_dir" ] && continue
+      echo "Checking $startup_dir..."
+      find "$startup_dir" -type f -executable 2>/dev/null | while read -r startup_item; do
+        if [ -w "$startup_item" ]; then
+          echo "Writable startup item: $startup_item" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$startup_item" 2>/dev/null
+        fi
+      done
+    done
+    echo ""
+
+    print_2title "Login Items"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
+    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null | tr ", " "\n" | while read -r login_item; do
+      if [ -n "$login_item" ]; then
+        # Try to find the actual binary
+        binary_path=$(mdfind "kMDItemDisplayName == '$login_item'" 2>/dev/null | head -n 1)
+        if [ -n "$binary_path" ] && [ -w "$binary_path" ]; then
+          echo "Writable login item binary: $binary_path" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$binary_path" 2>/dev/null
+        fi
+      fi
+    done
+    echo ""
+
+    print_2title "SPStartupItemDataType"
+    system_profiler SPStartupItemDataType 2>/dev/null | while read -r line; do
+      if echo "$line" | grep -q "Location:"; then
+        location=$(echo "$line" | cut -d: -f2- | xargs)
+        if [ -w "$location" ]; then
+          echo "Writable startup item location: $location" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$location" 2>/dev/null
+        fi
+      fi
+    done
+    echo ""
+
+    print_2title "Emond scripts"
+    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#emond"
+    if [ -d "/private/var/db/emondClients" ]; then
+      find "/private/var/db/emondClients" -type f 2>/dev/null | while read -r emond_script; do
+        if [ -w "$emond_script" ]; then
+          echo "Writable emond script: $emond_script" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$emond_script" 2>/dev/null
+        fi
+      done
+    fi
+    echo ""
+
+    print_2title "Periodic tasks"
+    print_info "Checking periodic tasks for privilege escalation vectors"
+    for periodic_dir in /etc/periodic/daily /etc/periodic/weekly /etc/periodic/monthly; do
+      [ ! -d "$periodic_dir" ] && continue
+      echo "Checking $periodic_dir..."
+      find "$periodic_dir" -type f -executable 2>/dev/null | while read -r periodic_script; do
+        if [ -w "$periodic_script" ]; then
+          echo "Writable periodic script: $periodic_script" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+          ls -l "$periodic_script" 2>/dev/null
+        fi
+      done
+    done
+    echo ""
+  fi
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh
@ -1,55 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Third party LaunchAgents & LaunchDemons
-# ID: PR_Macos_launch_agents_daemons
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Third party LaunchAgents & LaunchDemons
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $MACPEAS, $SEARCH_IN_FOLDER
-# Initial Functions:
-# Generated Global Variables: $program
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-if ! [ "$SEARCH_IN_FOLDER" ]; then
-  if [ "$MACPEAS" ]; then
-    print_2title "Third party LaunchAgents & LaunchDemons"
-    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#launchd"
-    ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
-    echo ""
-
-    print_2title "Writable System LaunchAgents & LaunchDemons"
-    find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do
-      program=""
-      program=$(defaults read "$f" Program 2>/dev/null)
-      if ! [ "$program" ]; then
-        program=$(defaults read "$f" ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
-      fi
-      if [ -w "$program" ]; then
-        echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},";
-      fi
-    done
-    echo ""
-
-    print_2title "StartupItems"
-    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
-    ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
-    echo ""
-
-    print_2title "Login Items"
-    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
-    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
-    echo ""
-
-    print_2title "SPStartupItemDataType"
-    system_profiler SPStartupItemDataType
-    echo ""
-
-    print_2title "Emond scripts"
-    print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#emond"
-    ls -l /private/var/db/emondClients
-    echo ""
-  fi
-fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_System_timers.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_System_timers.sh
@ -0,0 +1,156 @@
+# Title: Processes & Cron & Services & Timers - System Timers
+# ID: PR_System_timers
+# Author: Carlos Polop
+# Last Update: 2024-03-19
+# Description: System Timers and privilege escalation vectors
+# License: GNU GPL
+# Version: 1.2
+# Functions Used: echo_not_found, print_2title, print_info, print_3title
+# Global Variables: $SEARCH_IN_FOLDER, $timersG
+# Initial Functions:
+# Generated Global Variables: $timer_unit, $timer_path, $timer_content, $exec_path, $timer_file, $line, $findings, $unit_path, $finding, $service_unit, $timer, $target_unit, $target_file
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "System timers"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
+
+  # Function to check timer content for privilege escalation vectors
+  check_timer_content() {
+    local timer="$1"
+    local findings=""
+    
+    # Get the service unit this timer activates
+    local service_unit=$(systemctl show "$timer" -p Unit 2>/dev/null | cut -d= -f2)
+    if [ -n "$service_unit" ]; then
+      # Check if the service runs with elevated privileges
+      if systemctl show "$service_unit" -p User 2>/dev/null | grep -q "root"; then
+        findings="${findings}RUNS_AS_ROOT: Service runs as root\n"
+      fi
+
+      # Get the executable path
+      local exec_path=$(systemctl show "$service_unit" -p ExecStart 2>/dev/null | cut -d= -f2 | cut -d' ' -f1)
+      if [ -n "$exec_path" ]; then
+        if [ -w "$exec_path" ]; then
+          findings="${findings}WRITABLE_EXEC: Executable is writable: $exec_path\n"
+        fi
+        # Check for relative paths
+        case "$exec_path" in
+          /*) : ;; # Absolute path, do nothing
+          *) findings="${findings}RELATIVE_PATH: Uses relative path: $exec_path\n" ;;
+        esac
+      fi
+
+      # Check for unsafe configurations
+      if systemctl show "$service_unit" -p ExecStart 2>/dev/null | grep -qE '(chmod|chown|mount|sudo|su)'; then
+        findings="${findings}UNSAFE_CMD: Uses potentially dangerous commands\n"
+      fi
+
+      # Check for weak permissions
+      if [ -e "$exec_path" ] && [ "$(stat -c %a "$exec_path" 2>/dev/null)" = "777" ]; then
+        findings="${findings}WEAK_PERMS: Executable has 777 permissions\n"
+      fi
+    fi
+
+    # If any findings, print them
+    if [ -n "$findings" ]; then
+      echo "Potential privilege escalation in timer: $timer"
+      echo "$findings" | while read -r finding; do
+        [ -n "$finding" ] && echo "  └─ $finding"
+      done
+    fi
+  }
+
+  # Function to check timer file for privilege escalation vectors
+  check_timer_file() {
+    local timer_file="$1"
+    local findings=""
+
+    # Check if timer file is writable (following symlinks)
+    if [ -L "$timer_file" ]; then
+      # If it's a symlink, check the target file
+      local target_file=$(readlink -f "$timer_file")
+      if [ -w "$target_file" ]; then
+        findings="${findings}WRITABLE_FILE: Timer target file is writable: $target_file\n"
+      fi
+    elif [ -w "$timer_file" ]; then
+      findings="${findings}WRITABLE_FILE: Timer file is writable\n"
+    fi
+
+    # Check for weak permissions (following symlinks)
+    if [ "$(stat -L -c %a "$timer_file" 2>/dev/null)" = "777" ]; then
+      findings="${findings}WEAK_PERMS: Timer file has 777 permissions\n"
+    fi
+
+    # Check for relative paths in Unit directive
+    if grep -q "^Unit=[^/]" "$timer_file" 2>/dev/null; then
+      findings="${findings}RELATIVE_PATH: Uses relative path in Unit directive\n"
+    fi
+
+    # Check for writable executables in Unit directive (following symlinks)
+    local unit_path=$(grep -Po '^Unit=*(.*?$)' "$timer_file" 2>/dev/null | cut -d '=' -f2)
+    if [ -n "$unit_path" ]; then
+      if [ -L "$unit_path" ]; then
+        local target_unit=$(readlink -f "$unit_path")
+        if [ -w "$target_unit" ]; then
+          findings="${findings}WRITABLE_UNIT: Unit target file is writable: $target_unit\n"
+        fi
+      elif [ -w "$unit_path" ]; then
+        findings="${findings}WRITABLE_UNIT: Unit file is writable: $unit_path\n"
+      fi
+    fi
+
+    # If any findings, print them
+    if [ -n "$findings" ]; then
+      echo "Potential privilege escalation in timer file: $timer_file"
+      echo "$findings" | while read -r finding; do
+        [ -n "$finding" ] && echo "  └─ $finding"
+      done
+    fi
+  }
+
+  # List all timers and check for privilege escalation vectors
+  print_3title "Active timers:"
+  systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | while read -r line; do
+    # Extract timer unit name
+    timer_unit=$(echo "$line" | awk '{print $1}')
+    if [ -n "$timer_unit" ]; then
+      # Check if timer file is writable
+      timer_path=$(systemctl show "$timer_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
+      if [ -n "$timer_path" ]; then
+        check_timer_file "$timer_path"
+      fi
+
+      # Check timer content for privilege escalation vectors
+      check_timer_content "$timer_unit"
+
+      # Print the timer line with highlighting
+      echo "$line" | sed -${E} "s,$timersG,${SED_GREEN},"
+    fi
+  done || echo_not_found
+
+  # Check for disabled but available timers
+  print_3title "Disabled timers:"
+  systemctl list-unit-files --type=timer --state=disabled 2>/dev/null | grep -v "UNIT FILE" | while read -r line; do
+    timer_unit=$(echo "$line" | awk '{print $1}')
+    if [ -n "$timer_unit" ]; then
+      timer_path=$(systemctl show "$timer_unit" -p FragmentPath 2>/dev/null | cut -d= -f2)
+      if [ -n "$timer_path" ]; then
+        check_timer_file "$timer_path"
+      fi
+    fi
+  done || echo_not_found
+
+  # Check timer files from PSTORAGE_TIMER
+  if [ -n "$PSTORAGE_TIMER" ]; then
+    print_3title "Additional timer files:"
+    printf "%s\n" "$PSTORAGE_TIMER" | while read -r timer_file; do
+      if [ -n "$timer_file" ] && [ -e "$timer_file" ]; then
+        check_timer_file "$timer_file"
+      fi
+    done
+  fi
+
+  echo ""
+fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh
@ -5,20 +5,48 @@
 # Description: Check for internet access
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_80, print_2title
-# Global Variables: $FAST, $TIMEOUT
+# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, check_external_hostname
+# Global Variables:
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $pid4, $pid2, $pid1, $pid3, $$tcp443_bin_status, $NOT_CHECK_EXTERNAL_HOSTNAME, $TIMEOUT_INTERNET_SECONDS
 # Fat linpeas: 0
 # Small linpeas: 0


-if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
-  print_2title "Internet Access?"
-  check_tcp_80 2>/dev/null &
-  check_tcp_443 2>/dev/null &
-  check_icmp 2>/dev/null &
-  check_dns 2>/dev/null &
-  wait
-  echo ""
+
+print_2title "Internet Access?"
+
+TIMEOUT_INTERNET_SECONDS=5
+
+if [ "$SUPERFAST" ]; then
+  TIMEOUT_INTERNET_SECONDS=2.5
 fi
+
+
+# Run all checks in background
+check_tcp_80 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid1=$!
+check_tcp_443 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid2=$!
+check_icmp "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid3=$!
+check_dns "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid4=$!
+
+# Kill all after 10 seconds
+(sleep $(( $TIMEOUT_INTERNET_SECONDS + 1 )) && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) &
+
+check_tcp_443_bin $TIMEOUT_INTERNET_SECONDS 2>/dev/null
+tcp443_bin_status=$?
+
+wait $pid1 $pid2 $pid3 $pid4 2>/dev/null
+
+
+# Wait for all to finish
+wait 2>/dev/null
+
+if [ "$tcp443_bin_status" -eq 0 ] && \
+   [ -z "$SUPERFAST" ] && [ -z "$NOT_CHECK_EXTERNAL_HOSTNAME" ]; then
+  echo ""
+  print_2title "Is hostname malicious or leaked?"
+  print_info "This will check the public IP and hostname in known malicious lists and leaks to find any relevant information about the host."
+  check_external_hostname 2>/dev/null
+fi
+
+echo ""
--- a/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh
@ -8,12 +8,69 @@
 # Functions Used: print_2title
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $iface, $state, $mac, $ip_file, $line
 # Fat linpeas: 0
 # Small linpeas: 1

+# Function to parse network interfaces from /proc/net/dev and other sources
+parse_network_interfaces() {
+    # Try to get interfaces from /proc/net/dev
+    if [ -f "/proc/net/dev" ]; then
+        echo "Network Interfaces from /proc/net/dev:"
+        echo "----------------------------------------"
+        # Skip header lines and format output
+        grep -v "^Inter\|^ face" /proc/net/dev | while read -r line; do
+            iface=$(echo "$line" | awk -F: '{print $1}' | tr -d ' ')
+            if [ -n "$iface" ]; then
+                echo "Interface: $iface"
+                # Try to get IP address from /sys/class/net
+                if [ -f "/sys/class/net/$iface/address" ]; then
+                    mac=$(cat "/sys/class/net/$iface/address" 2>/dev/null)
+                    echo "  MAC: $mac"
+                fi
+                # Try to get IP from /sys/class/net
+                if [ -d "/sys/class/net/$iface/ipv4" ]; then
+                    for ip_file in /sys/class/net/$iface/ipv4/addr_*; do
+                        if [ -f "$ip_file" ]; then
+                            ip=$(cat "$ip_file" 2>/dev/null)
+                            echo "  IP: $ip"
+                        fi
+                    done
+                fi
+                # Get interface state
+                if [ -f "/sys/class/net/$iface/operstate" ]; then
+                    state=$(cat "/sys/class/net/$iface/operstate" 2>/dev/null)
+                    echo "  State: $state"
+                fi
+                echo ""
+            fi
+        done
+    fi
+
+    # Try to get additional info from /proc/net/fib_trie
+    if [ -f "/proc/net/fib_trie" ]; then
+        echo "Additional IP Information from fib_trie:"
+        echo "----------------------------------------"
+        grep -A1 "Main" /proc/net/fib_trie | grep -v "\-\-" | while read -r line; do
+            if echo "$line" | grep -q "Main"; then
+                echo "Network: $(echo "$line" | awk '{print $2}')"
+            elif echo "$line" | grep -q "/"; then
+                echo "  IP: $(echo "$line" | awk '{print $2}')"
+            fi
+        done
+    fi
+}

 print_2title "Interfaces"
 cat /etc/networks 2>/dev/null
-(ifconfig || ip a || (cat /proc/net/dev; cat /proc/net/fib_trie; cat /proc/net/fib_trie6)) 2>/dev/null
+
+# Try standard tools first, then fall back to our custom function
+if command -v ifconfig >/dev/null 2>&1; then
+    ifconfig 2>/dev/null
+elif command -v ip >/dev/null 2>&1; then
+    ip a 2>/dev/null
+else
+    parse_network_interfaces
+fi
+
 echo ""
--- a/linPEAS/builder/linpeas_parts/5_network_information/2_Hostname_hosts_dns.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/2_Hostname_hosts_dns.sh
@ -8,12 +8,100 @@
 # Functions Used: print_2title, warn_exec
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $conf, $line
 # Fat linpeas: 0
 # Small linpeas: 1

+# Function to get hostname using multiple methods
+get_hostname_info() {
+    print_3title "Hostname Information"
+    # Try multiple methods to get hostname
+    if command -v hostname >/dev/null 2>&1; then
+        echo "System hostname: $(hostname 2>/dev/null)"
+        echo "FQDN: $(hostname -f 2>/dev/null)"
+    else
+        # Fallback methods
+        if [ -f "/proc/sys/kernel/hostname" ]; then
+            echo "System hostname: $(cat /proc/sys/kernel/hostname 2>/dev/null)"
+        fi
+        if [ -f "/etc/hostname" ]; then
+            echo "Hostname from /etc/hostname: $(cat /etc/hostname 2>/dev/null)"
+        fi
+    fi
+    echo ""
+}
+
+# Function to get hosts file information
+get_hosts_info() {
+    print_3title "Hosts File Information"
+    if [ -f "/etc/hosts" ]; then
+        echo "Contents of /etc/hosts:"
+        grep -v "^#" /etc/hosts 2>/dev/null | grep -v "^$" | while read -r line; do
+            echo "  $line"
+        done
+    fi
+    echo ""
+}
+
+# Function to get DNS information
+get_dns_info() {
+    print_3title "DNS Configuration"
+    
+    # Get resolv.conf information
+    if [ -f "/etc/resolv.conf" ]; then
+        echo "DNS Servers (resolv.conf):"
+        grep -v "^#" /etc/resolv.conf 2>/dev/null | grep -v "^$" | while read -r line; do
+            if echo "$line" | grep -q "nameserver"; then
+                echo "  $(echo "$line" | awk '{print $2}')"
+            elif echo "$line" | grep -q "search\|domain"; then
+                echo "  $line"
+            fi
+        done
+    fi
+
+    # Check for systemd-resolved configuration
+    if [ -f "/etc/systemd/resolved.conf" ]; then
+        echo -e "\nSystemd-resolved configuration:"
+        grep -v "^#" /etc/systemd/resolved.conf 2>/dev/null | grep -v "^$" | while read -r line; do
+            echo "  $line"
+        done
+    fi
+
+    # Check for NetworkManager DNS settings
+    if [ -d "/etc/NetworkManager" ]; then
+        echo -e "\nNetworkManager DNS settings:"
+        find /etc/NetworkManager -type f -name "*.conf" 2>/dev/null | while read -r conf; do
+            if grep -q "dns=" "$conf" 2>/dev/null; then
+                echo "  From $conf:"
+                grep "dns=" "$conf" 2>/dev/null | while read -r line; do
+                    echo "    $line"
+                done
+            fi
+        done
+    fi
+
+    # Try to get DNS domain name
+    echo -e "\nDNS Domain Information:"
+    if command -v dnsdomainname >/dev/null 2>&1; then
+        warn_exec dnsdomainname 2>/dev/null
+    fi
+    if command -v domainname >/dev/null 2>&1; then
+        warn_exec domainname 2>/dev/null
+    fi
+
+    # Check for DNS cache status
+    if command -v systemd-resolve >/dev/null 2>&1; then
+        echo -e "\nDNS Cache Status (systemd-resolve):"
+        systemd-resolve --status 2>/dev/null | grep -A5 "DNS Servers" | grep -v "\-\-" | while read -r line; do
+            echo "  $line"
+        done
+    fi
+    echo ""
+}

 print_2title "Hostname, hosts and DNS"
-cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
-warn_exec dnsdomainname 2>/dev/null
-echo ""
+
+# Execute all information gathering functions
+get_hostname_info
+get_hosts_info
+get_dns_info
--- a/linPEAS/builder/linpeas_parts/5_network_information/3_Network_neighbours.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/3_Network_neighbours.sh
@ -5,21 +5,134 @@
 # Description: Networks and neighbours
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title
+# Functions Used: print_2title, print_3title
 # Global Variables: $EXTRA_CHECKS, $MACPEAS
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $hwtype, $flags, $line, $iface, $dest, $ref, $use, $mask, $metric, $device, $hwaddr
 # Fat linpeas: 0
 # Small linpeas: 0

+# Function to parse routing information from /proc/net/route
+parse_proc_route() {
+    print_3title "Routing Table (from /proc/net/route)"
+    echo "Destination         Gateway         Genmask         Flags Metric Ref    Use Iface"
+    echo "--------------------------------------------------------------------------------"
+    # Skip header line and process each route
+    tail -n +2 /proc/net/route 2>/dev/null | while read -r line; do
+        if [ -n "$line" ]; then
+            # Extract fields
+            iface=$(echo "$line" | awk '{print $1}')
+            dest=$(printf "%d.%d.%d.%d" $(echo "$line" | awk '{printf "0x%s 0x%s 0x%s 0x%s", substr($2,7,2), substr($2,5,2), substr($2,3,2), substr($2,1,2)}'))
+            gw=$(printf "%d.%d.%d.%d" $(echo "$line" | awk '{printf "0x%s 0x%s 0x%s 0x%s", substr($3,7,2), substr($3,5,2), substr($3,3,2), substr($3,1,2)}'))
+            mask=$(printf "%d.%d.%d.%d" $(echo "$line" | awk '{printf "0x%s 0x%s 0x%s 0x%s", substr($4,7,2), substr($4,5,2), substr($4,3,2), substr($4,1,2)}'))
+            flags=$(echo "$line" | awk '{print $5}')
+            metric=$(echo "$line" | awk '{print $6}')
+            ref=$(echo "$line" | awk '{print $7}')
+            use=$(echo "$line" | awk '{print $8}')
+            
+            # Print formatted output
+            printf "%-18s %-15s %-15s %-6s %-6s %-6s %-6s %s\n" "$dest" "$gw" "$mask" "$flags" "$metric" "$ref" "$use" "$iface"
+        fi
+    done
+    echo ""
+}
+
+# Function to parse ARP information from /proc/net/arp
+parse_proc_arp() {
+    print_3title "ARP Table (from /proc/net/arp)"
+    echo "IP address       HW type     Flags     HW address           Mask     Device"
+    echo "------------------------------------------------------------------------"
+    # Skip header line and process each ARP entry
+    tail -n +2 /proc/net/arp 2>/dev/null | while read -r line; do
+        if [ -n "$line" ]; then
+            ip=$(echo "$line" | awk '{print $1}')
+            hwtype=$(echo "$line" | awk '{print $2}')
+            flags=$(echo "$line" | awk '{print $3}')
+            hwaddr=$(echo "$line" | awk '{print $4}')
+            mask=$(echo "$line" | awk '{print $5}')
+            device=$(echo "$line" | awk '{print $6}')
+            
+            # Print formatted output
+            printf "%-15s %-11s %-9s %-18s %-8s %s\n" "$ip" "$hwtype" "$flags" "$hwaddr" "$mask" "$device"
+        fi
+    done
+    echo ""
+}
+
+# Function to get network neighbors information
+get_network_neighbors() {
+    print_2title "Networks and neighbours"
+
+    # Get routing information
+    print_3title "Routing Information"
+    if [ "$MACPEAS" ]; then
+        # macOS specific
+        if command -v netstat >/dev/null 2>&1; then
+            netstat -rn 2>/dev/null
+        else
+            echo "No routing information available"
+        fi
+    else
+        # Linux systems
+        if command -v ip >/dev/null 2>&1; then
+            ip route 2>/dev/null
+            echo -e "\nNeighbor table:"
+            ip neigh 2>/dev/null
+        elif command -v route >/dev/null 2>&1; then
+            route -n 2>/dev/null
+        elif [ -f "/proc/net/route" ]; then
+            parse_proc_route
+        else
+            echo "No routing information available"
+        fi
+    fi
+
+    # Get ARP information
+    print_3title "ARP Information"
+    if command -v arp >/dev/null 2>&1; then
+        if [ "$MACPEAS" ]; then
+            arp -a 2>/dev/null
+        else
+            arp -e 2>/dev/null || arp -a 2>/dev/null
+        fi
+    elif [ -f "/proc/net/arp" ]; then
+        parse_proc_arp
+    else
+        echo "No ARP information available"
+    fi
+
+    # Additional neighbor discovery methods
+    print_3title "Additional Neighbor Information"
+    
+    # Check for IPv6 neighbors if available
+    if [ -f "/proc/net/ipv6_neigh" ]; then
+        echo "IPv6 Neighbors:"
+        cat /proc/net/ipv6_neigh 2>/dev/null | grep -v "^IP" | while read -r line; do
+            if [ -n "$line" ]; then
+                echo "  $line"
+            fi
+        done
+    fi
+
+    # Try to get LLDP neighbors if available
+    if command -v lldpctl >/dev/null 2>&1; then
+        echo -e "\nLLDP Neighbors:"
+        lldpctl 2>/dev/null | grep -A2 "Interface:" | while read -r line; do
+            echo "  $line"
+        done
+    fi
+
+    # Try to get CDP neighbors if available
+    if command -v cdp >/dev/null 2>&1; then
+        echo -e "\nCDP Neighbors:"
+        cdp 2>/dev/null | grep -v "^$" | while read -r line; do
+            echo "  $line"
+        done
+    fi
+
+    echo ""
+}

 if [ "$EXTRA_CHECKS" ]; then
-  print_2title "Networks and neighbours"
-  if [ "$MACPEAS" ]; then
-    netstat -rn 2>/dev/null
-  else
-    (route || ip n || cat /proc/net/route) 2>/dev/null
-  fi
-  (arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
-  echo ""
+    get_network_neighbors
 fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh
@ -5,15 +5,173 @@
 # Description: Enumerate open ports
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables:
+# Functions Used: print_2title, print_3title, print_info
+# Global Variables: $E, $SED_RED
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $pid_dir, $tx_queue, $pid, $rem_port, $proc_file, $rem_ip, $local_ip, $rx_queue, $proto, $rem_addr, $program, $state, $header_sep, $proc_info, $inode, $header, $line, $local_addr, $local_port
 # Fat linpeas: 0
 # Small linpeas: 1

+# Function to get process info from inode
+get_process_info() {
+    local inode=$1
+    local pid=""
+    local program=""
+    
+    if [ -n "$inode" ]; then
+        for pid_dir in /proc/[0-9]*/fd; do
+            if [ -d "$pid_dir" ]; then
+                if ls -l "$pid_dir" 2>/dev/null | grep -q "$inode"; then
+                    pid=$(echo "$pid_dir" | awk -F/ '{print $3}')
+                    if [ -f "/proc/$pid/cmdline" ]; then
+                        program=$(tr '\0' ' ' < "/proc/$pid/cmdline" | cut -d' ' -f1)
+                        program=$(basename "$program")
+                    fi
+                    break
+                fi
+            fi
+        done
+    fi
+    echo "$pid/$program"
+}

-print_2title "Active Ports"
-print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports"
-( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
-echo ""
+# Function to parse /proc/net/tcp and /proc/net/udp files
+parse_proc_net_ports() {
+    local proto=$1
+    local proc_file="/proc/net/$proto"
+    local header="Proto  Recv-Q  Send-Q  Local Address          Foreign Address        State       PID/Program name"
+    local header_sep="--------------------------------------------------------------------------------"
+
+    if [ -f "$proc_file" ]; then
+        print_3title "Active $proto Ports (from /proc/net/$proto)"
+        echo "$header"
+        echo "$header_sep"
+
+        # Process each connection using a pipe
+        tail -n +2 "$proc_file" 2>/dev/null | while IFS= read -r line; do
+            [ -z "$line" ] && continue
+            
+            # Skip header
+            case "$line" in
+                *"sl"*) continue ;;
+                *) : ;;
+            esac
+
+            # Extract fields using awk
+            sl=$(echo "$line" | awk '{print $1}')
+            local_addr=$(echo "$line" | awk '{print $2}')
+            rem_addr=$(echo "$line" | awk '{print $3}')
+            st=$(echo "$line" | awk '{print $4}')
+            tx_queue=$(echo "$line" | awk '{print $5}')
+            rx_queue=$(echo "$line" | awk '{print $6}')
+            uid=$(echo "$line" | awk '{print $7}')
+            inode=$(echo "$line" | awk '{print $10}')
+
+            # Convert hex IP:port to decimal
+            local_ip=$(printf "%d.%d.%d.%d" $(echo "$local_addr" | awk -F: '{printf "0x%s 0x%s 0x%s 0x%s", substr($1,7,2), substr($1,5,2), substr($1,3,2), substr($1,1,2)}'))
+            local_port=$(printf "%d" "0x$(echo "$local_addr" | awk -F: '{print $2}')")
+            rem_ip=$(printf "%d.%d.%d.%d" $(echo "$rem_addr" | awk -F: '{printf "0x%s 0x%s 0x%s 0x%s", substr($1,7,2), substr($1,5,2), substr($1,3,2), substr($1,1,2)}'))
+            rem_port=$(printf "%d" "0x$(echo "$rem_addr" | awk -F: '{print $2}')")
+
+            # Get process information
+            proc_info=$(get_process_info "$inode")
+
+            # Get state name
+            case $st in
+                "01") state="ESTABLISHED" ;;
+                "02") state="SYN_SENT" ;;
+                "03") state="SYN_RECV" ;;
+                "04") state="FIN_WAIT1" ;;
+                "05") state="FIN_WAIT2" ;;
+                "06") state="TIME_WAIT" ;;
+                "07") state="CLOSE" ;;
+                "08") state="CLOSE_WAIT" ;;
+                "09") state="LAST_ACK" ;;
+                "0A") state="LISTEN" ;;
+                "0B") state="CLOSING" ;;
+                "0C") state="NEW_SYN_RECV" ;;
+                *) state="UNKNOWN" ;;
+            esac
+
+            # Only show listening ports
+            if [ "$state" = "LISTEN" ]; then
+                # Format the output
+                printf "%-6s %-8s %-8s %-21s %-21s %-12s %s\n" \
+                    "$proto" "$rx_queue" "$tx_queue" "$local_ip:$local_port" "$rem_ip:$rem_port" "$state" "$proc_info"
+            fi
+        done
+    fi
+    echo ""
+}
+
+# Function to get open ports information
+get_open_ports() {
+    print_2title "Active Ports"
+    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports"
+
+    # Try standard tools first
+    if command -v netstat >/dev/null 2>&1; then
+        print_3title "Active Ports (netstat)"
+        netstat -punta 2>/dev/null | grep -i listen | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
+    elif command -v ss >/dev/null 2>&1; then
+        print_3title "Active Ports (ss)"
+        ss -nltpu 2>/dev/null | grep -i listen | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
+    else
+        # Fallback to parsing /proc/net files
+        parse_proc_net_ports "tcp"
+        parse_proc_net_ports "udp"
+    fi
+
+    # Additional port information
+    if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+        print_3title "Additional Port Information"
+
+        # Check for listening ports in /proc/net/unix
+        if [ -f "/proc/net/unix" ]; then
+            echo "Unix Domain Sockets:"
+            # Use awk to process the file in one go, avoiding duplicates and empty paths
+            awk '$8 != "" && $8 != "@" && $8 != "00000000" {
+                inode=$7
+                socket=$8
+                # Find process using inode
+                cmd="find /proc/[0-9]*/fd -ls 2>/dev/null | grep " inode " | head -n1 | awk \"{print \\$11}\" | xargs -r readlink"
+                pid=""
+                while (cmd | getline pid_dir) {
+                    if (pid_dir != "") {
+                        split(pid_dir, parts, "/")
+                        pid=parts[3]
+                        break
+                    }
+                }
+                close(cmd)
+                if (pid != "") {
+                    cmd="tr \\0 \" \" < /proc/" pid "/cmdline 2>/dev/null | cut -d\" \" -f1 | xargs -r basename"
+                    cmd | getline prog
+                    close(cmd)
+                    if (prog != "") {
+                        print "  " socket " (" pid "/" prog ")"
+                    } else {
+                        print "  " socket " (" pid ")"
+                    }
+                } else {
+                    print "  " socket
+                }
+            }' /proc/net/unix 2>/dev/null | sort -u
+        fi
+
+        # Check for ports in use by systemd
+        if command -v systemctl >/dev/null 2>&1; then
+            echo -e "\nSystemd Socket Units:"
+            systemctl list-sockets 2>/dev/null | while IFS= read -r line; do
+                [ -z "$line" ] && continue
+                if ! echo "$line" | grep -q "UNIT\|listed"; then
+                    echo "  $line"
+                fi
+            done
+        fi
+    fi
+
+    echo ""
+}
+
+get_open_ports
--- a/linPEAS/builder/linpeas_parts/5_network_information/5_Macos_network_capabilities.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/5_Macos_network_capabilities.sh
@ -5,16 +5,84 @@
 # Description: MacOS network Capabilities
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title, warn_exec
-# Global Variables: $MACPEAS
+# Functions Used: print_2title, print_3title, warn_exec
+# Global Variables: $MACPEAS, $EXTRA_CHECKS
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $net_service
 # Fat linpeas: 0
 # Small linpeas: 0

+# Function to get network capabilities information
+get_macos_network_capabilities() {
+    print_2title "Network Capabilities"
+
+    # Basic network information
+    echo ""
+    print_3title "Network Interfaces and Configuration"
+    warn_exec system_profiler SPNetworkDataType
+
+    # Network locations
+    echo ""
+    print_3title "Network Locations"
+    warn_exec system_profiler SPNetworkLocationDataType
+
+    # Network extensions
+    echo ""
+    print_3title "Network Extensions"
+    if [ -d "/Library/SystemExtensions" ]; then
+        warn_exec systemextensionsctl list
+    fi
+
+    # Network security
+    echo ""
+    print_3title "Network Security"
+    if command -v networksetup >/dev/null 2>&1; then
+        echo "Firewall Status:"
+        warn_exec networksetup -getglobalstate
+        echo -e "\nFirewall Rules:"
+        warn_exec networksetup -listallnetworkservices | while read -r net_service; do
+            if [ -n "$net_service" ]; then
+                echo "Service: $net_service"
+                warn_exec networksetup -getwebproxy "$net_service"
+                warn_exec networksetup -getsecurewebproxy "$net_service"
+                warn_exec networksetup -getproxybypassdomains "$net_service"
+            fi
+        done
+    fi
+
+    # Additional network information if EXTRA_CHECKS is enabled
+    if [ "$EXTRA_CHECKS" ]; then
+        # Network preferences
+        echo ""
+        print_3title "Network Preferences"
+        if [ -f "/Library/Preferences/SystemConfiguration/preferences.plist" ]; then
+            warn_exec plutil -p /Library/Preferences/SystemConfiguration/preferences.plist | grep -A 5 "NetworkServices"
+        fi
+        
+        # Network statistics
+        echo ""
+        print_3title "Network Statistics"
+        warn_exec netstat -s
+        
+        # Network routes
+        echo ""
+        print_3title "Network Routes"
+        warn_exec netstat -rn
+        
+        # Network interfaces details
+        echo ""
+        print_3title "Network Interfaces Details"
+        warn_exec ifconfig -a
+        
+        # Network kernel extensions
+        echo ""
+        print_3title "Network Kernel Extensions"
+        warn_exec kextstat | grep -i network
+    fi
+
+    echo ""
+}

 if [ "$MACPEAS" ]; then
-  print_2title "Network Capabilities"
-  warn_exec system_profiler SPNetworkDataType
-  echo ""
+    get_macos_network_capabilities
 fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/6_Macos_network_services.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/6_Macos_network_services.sh
@ -5,42 +5,160 @@
 # Description: Enumerate macos network services
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title, warn_exec
-# Global Variables: $EXTRA_CHECKS, $MACPEAS
+# Functions Used: print_2title, print_3title, warn_exec
+# Global Variables: $EXTRA_CHECKS, $MACPEAS, $E, $SED_RED
 # Initial Functions:
-# Generated Global Variables: $rmMgmt, $scrShrng, $flShrng, $rLgn, $rAE, $bmM
+# Generated Global Variables: $sharing_service, $profile, $port3, $service_count, $port1, $port, $services, $total, $port_list, $count, $ports, $active_ports, $port2
 # Fat linpeas: 0
 # Small linpeas: 0

+# Function to check if a port is listening
+check_listening_port() {
+    local port=$1
+    local service=$2
+    local count=0
+    
+    # Check both IPv4 and IPv6
+    count=$(netstat -na 2>/dev/null | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.${port}" | wc -l)
+    echo "$count"
+}
+
+# Function to get sharing services status
+get_sharing_services_status() {
+    print_2title "MacOS Sharing Services Status"
+    
+    # Define services and their ports using parallel arrays
+    services="Screen Sharing File Sharing Remote Login Remote Management Remote Apple Events Back to My Mac AirPlay Receiver AirDrop Bonjour Printer Sharing Internet Sharing"
+    ports="5900 88,445,548 22 3283 3031 4488 7000 5353 5353 515,631 67,68"
+
+    # Check each service
+    echo "Service Status (0=OFF, >0=ON):"
+    echo "--------------------------------"
+    
+    # Get number of services
+    service_count=$(echo "$services" | wc -w)
+    
+    # Loop through services using index
+    i=1
+    while [ $i -le $service_count ]; do
+        sharing_service=$(echo "$services" | cut -d' ' -f$i)
+        port_list=$(echo "$ports" | cut -d' ' -f$i)
+        total=0
+        active_ports=""
+        
+        # Check each port for the service
+        port1=$(echo "$port_list" | cut -d',' -f1)
+        port2=$(echo "$port_list" | cut -d',' -f2)
+        port3=$(echo "$port_list" | cut -d',' -f3)
+        for port in $port1 $port2 $port3; do
+            if [ -n "$port" ]; then
+                count=$(check_listening_port "$port" "$sharing_service")
+                if [ "$count" -gt 0 ]; then
+                    total=$((total + count))
+                    if [ -n "$active_ports" ]; then
+                        active_ports="${active_ports},"
+                    fi
+                    active_ports="${active_ports}${port}"
+                fi
+            fi
+        done
+        
+        # Print service status
+        if [ "$total" -gt 0 ]; then
+            printf "%-20s: ON  (Ports: %s)\n" "$sharing_service" "$active_ports" | sed -${E} "s,ON.*,${SED_RED},g"
+        else
+            printf "%-20s: OFF\n" "$sharing_service"
+        fi
+        
+        i=$((i + 1))
+    done
+    echo ""
+}
+
+# Function to get VPN information
+get_vpn_info() {
+    print_3title "VPN Information"
+    
+    # Get VPN configurations
+    warn_exec system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password" | sed -${E} "s,Password|Authorization Name.*,${SED_RED},g"
+    
+    # Check for VPN profiles
+    if [ -d "/Library/Preferences/SystemConfiguration" ]; then
+        echo -e "\nVPN Profiles:"
+        find /Library/Preferences/SystemConfiguration -name "*.plist" -exec grep -l "VPN" {} \; 2>/dev/null | while read -r profile; do
+            echo "Profile: $profile"
+            warn_exec plutil -p "$profile" | grep -A 5 "VPN"
+        done
+    fi
+    echo ""
+}
+
+# Function to get firewall information
+get_firewall_info() {
+    print_3title "Firewall Information"
+    
+    # Get firewall status
+    warn_exec system_profiler SPFirewallDataType
+    
+    # Get application firewall rules
+    if command -v /usr/libexec/ApplicationFirewall/socketfilterfw >/dev/null 2>&1; then
+        echo -e "\nApplication Firewall Rules:"
+        warn_exec /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
+    fi
+    
+    # Get pf firewall rules if available
+    if command -v pfctl >/dev/null 2>&1; then
+        echo -e "\nPF Firewall Rules:"
+        warn_exec pfctl -s rules 2>/dev/null
+    fi
+    echo ""
+}
+
+# Function to get additional network information
+get_additional_network_info() {
+    if [ "$EXTRA_CHECKS" ]; then
+        print_3title "Additional Network Information"
+        
+        # Bluetooth information
+        echo "Bluetooth Status:"
+        warn_exec system_profiler SPBluetoothDataType
+        
+        # Ethernet information
+        echo -e "\nEthernet Status:"
+        warn_exec system_profiler SPEthernetDataType
+        
+        # USB network adapters
+        echo -e "\nUSB Network Adapters:"
+        warn_exec system_profiler SPUSBDataType
+        
+        # Network kernel extensions
+        echo -e "\nNetwork Kernel Extensions:"
+        warn_exec kextstat | grep -i "network\|ethernet\|wifi\|bluetooth"
+        
+        # Network daemons
+        echo -e "\nNetwork Daemons:"
+        warn_exec launchctl list | grep -i "network\|vpn\|firewall\|sharing"
+    fi
+    echo ""
+}
+
+# Main function to get all network services information
+get_macos_network_services() {
+    if [ "$MACPEAS" ]; then
+        # Get sharing services status
+        get_sharing_services_status
+        
+        # Get VPN information
+        get_vpn_info
+        
+        # Get firewall information
+        get_firewall_info
+        
+        # Get additional network information if EXTRA_CHECKS is enabled
+        get_additional_network_info
+    fi
+}

 if [ "$MACPEAS" ]; then
-  print_2title "Any MacOS Sharing Service Enabled?"
-  rmMgmt=$(netstat -na | grep LISTEN | grep tcp46 | grep "*.3283" | wc -l);
-  scrShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.5900" | wc -l);
-  flShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep -E "\*.88|\*.445|\*.548" | wc -l);
-  rLgn=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.22" | wc -l);
-  rAE=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.3031" | wc -l);
-  bmM=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.4488" | wc -l);
-  printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharing: %s\nFile Sharing: %s\nRemote Login: %s\nRemote Mgmt: %s\nRemote Apple Events: %s\nBack to My Mac: %s\n\n" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM";
-  echo ""
-  print_2title "VPN Creds"
-  system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password"  | sed -${E} "s,Password|Authorization Name.*,${SED_RED},"
-  echo ""
-  print_2title "Firewall status"
-  warn_exec system_profiler SPFirewallDataType
-  echo ""
-
-  if [ "$EXTRA_CHECKS" ]; then
-    print_2title "Bluetooth Info"
-    warn_exec system_profiler SPBluetoothDataType
-    echo ""
-
-    print_2title "Ethernet Info"
-    warn_exec system_profiler SPEthernetDataType
-    echo ""
-
-    print_2title "USB Info"
-    warn_exec system_profiler SPUSBDataType
-    echo ""
-  fi
+    get_macos_network_services
 fi
--- a/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh
@ -1,23 +1,168 @@
-# Title: Network Information - Tcpdump
+# Title: Network Information - Network Traffic Analysis
 # ID: NT_Tcpdump
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Can I sniff with tcpdump?
+# Description: Check network traffic analysis capabilities and tools
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_no, print_2title, print_info
-# Global Variables:
+# Functions Used: print_2title, print_3title, print_info, warn_exec
+# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $tools_found, $tool, $interfaces, $interfaces_found, $iface, $cmd, $pattern, $patterns
 # Fat linpeas: 0
 # Small linpeas: 1

+# Function to check if a command exists and is executable
+check_command() {
+    local cmd=$1
+    if command -v "$cmd" >/dev/null 2>&1; then
+        if [ -x "$(command -v "$cmd")" ]; then
+            return 0
+        fi
+    fi
+    return 1
+}

-print_2title "Can I sniff with tcpdump?"
-timeout 1 tcpdump >/dev/null 2>&1
-if [ $? -eq 124 ]; then #If 124, then timed out == It worked
-    print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sniffing"
-    echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
-else echo_no
-fi
-echo ""
+# Function to check if we can sniff on an interface
+check_interface_sniffable() {
+    local iface=$1
+    if timeout 1 tcpdump -i "$iface" -c 1 >/dev/null 2>&1; then
+        return 0
+    fi
+    return 1
+}
+
+# Function to check for promiscuous mode
+check_promiscuous_mode() {
+    local iface=$1
+    if ip link show "$iface" 2>/dev/null | grep -q "PROMISC"; then
+        return 0
+    fi
+    return 1
+}
+
+# Main function to check network traffic analysis capabilities
+check_network_traffic_analysis() {
+    print_2title "Network Traffic Analysis Capabilities"
+    
+    # Check for sniffing tools
+    echo ""
+    print_3title "Available Sniffing Tools"
+    tools_found=0
+    
+    if check_command tcpdump; then
+        echo "tcpdump is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+        # Check tcpdump version and capabilities
+        warn_exec tcpdump --version 2>/dev/null | head -n 1
+    fi
+    
+    if check_command tshark; then
+        echo "tshark is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+        # Check tshark version
+        warn_exec tshark --version 2>/dev/null | head -n 1
+    fi
+    
+    if check_command wireshark; then
+        echo "wireshark is available" | sed -${E} "s,.*,${SED_GREEN},g"
+        tools_found=1
+    fi
+    
+    if [ $tools_found -eq 0 ]; then
+        echo "No sniffing tools found" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    
+    # Check network interfaces
+    echo ""
+    print_3title "Network Interfaces Sniffing Capabilities"
+    interfaces_found=0
+    
+    # Get list of network interfaces
+    if command -v ip >/dev/null 2>&1; then
+        interfaces=$(ip -o link show | awk -F': ' '{print $2}')
+    elif command -v ifconfig >/dev/null 2>&1; then
+        interfaces=$(ifconfig -a | grep -o '^[^ ]*:' | tr -d ':')
+    else
+        interfaces=$(ls /sys/class/net/ 2>/dev/null)
+    fi
+    
+    for iface in $interfaces; do
+        if [ "$iface" != "lo" ]; then  # Skip loopback
+            echo -n "Interface $iface: "
+            if check_interface_sniffable "$iface"; then
+                echo "Sniffable" | sed -${E} "s,.*,${SED_GREEN},g"
+                interfaces_found=1
+                
+                # Check promiscuous mode
+                if check_promiscuous_mode "$iface"; then
+                    echo "  - Promiscuous mode enabled" | sed -${E} "s,.*,${SED_RED},g"
+                fi
+                
+                # Get interface details
+                if [ "$EXTRA_CHECKS" ]; then
+                    echo "  - Interface details:"
+                    warn_exec ip addr show "$iface" 2>/dev/null || ifconfig "$iface" 2>/dev/null
+                fi
+            else
+                echo "Not sniffable" | sed -${E} "s,.*,${SED_RED},g"
+            fi
+        fi
+    done
+    
+    if [ $interfaces_found -eq 0 ]; then
+        echo "No sniffable interfaces found" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    
+    # Check for sensitive traffic patterns if we have sniffing capabilities
+    if [ $tools_found -eq 1 ] && [ $interfaces_found -eq 1 ]; then
+        echo ""
+        print_3title "Sensitive Traffic Detection"
+        print_info "Checking for common sensitive traffic patterns..."
+        
+        # List of sensitive traffic patterns to check
+        patterns="
+            - HTTP Basic Auth
+            - FTP credentials
+            - SMTP credentials
+            - MySQL/MariaDB traffic
+            - PostgreSQL traffic
+            - Redis traffic
+            - MongoDB traffic
+            - LDAP traffic
+            - SMB traffic
+            - DNS queries
+            - SNMP traffic
+            - Many more...
+        "
+        
+        echo "$patterns" | while read -r pattern; do
+            if [ -n "$pattern" ]; then
+                echo "$pattern"
+            fi
+        done
+        
+        print_info "To capture sensitive traffic, you can use:"
+        echo "tcpdump -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
+        echo "tshark -i <interface> -w capture.pcap" | sed -${E} "s,.*,${SED_GREEN},g"
+    fi
+    
+    # Additional information
+    if [ "$EXTRA_CHECKS" ]; then
+        echo ""
+        print_3title "Additional Network Analysis Information"
+        
+        # Check for network monitoring tools
+        echo "Checking for network monitoring tools..."
+        for tool in nethogs iftop iotop nload bmon; do
+            if check_command "$tool"; then
+                echo "$tool is available" | sed -${E} "s,.*,${SED_GREEN},g"
+            fi
+        done
+    fi
+    
+    echo ""
+}
+
+# Run the main function
+check_network_traffic_analysis
--- a/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh
@ -1,20 +1,210 @@
-# Title: Network Information - Iptables
+# Title: Network Information - Firewall Rules Analysis
 # ID: NT_Iptables
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Enumerate iptables rules
+# Description: Analyze firewall rules and configurations
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title
-# Global Variables: $EXTRA_CHECKS
+# Functions Used: print_2title, print_3title, warn_exec, echo_not_found
+# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $rules_file, $cmd, $tool, $config_file
 # Fat linpeas: 0
 # Small linpeas: 1

+# Function to check if a command exists and is executable
+check_command() {
+    local cmd=$1
+    if command -v "$cmd" >/dev/null 2>&1; then
+        if [ -x "$(command -v "$cmd")" ]; then
+            return 0
+        fi
+    fi
+    return 1
+}

-if [ "$EXTRA_CHECKS" ]; then
-  print_2title "Iptables rules"
-  (timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
-  echo ""
-fi
+# Function to analyze iptables rules
+analyze_iptables() {
+    echo ""
+    print_3title "Iptables Rules"
+    
+    # Check if iptables is available
+    if ! check_command iptables; then
+        echo_not_found "iptables"
+        return
+    fi
+    
+    # Check if we have permission to list rules
+    if ! timeout 1 iptables -L >/dev/null 2>&1; then
+        echo "No permission to list iptables rules" | sed -${E} "s,.*,${SED_RED},g"
+        return
+    fi
+    
+    # Get iptables version
+    warn_exec iptables --version 2>/dev/null
+    
+    # List all chains and rules
+    echo -e "\nFilter Table Rules:"
+    warn_exec iptables -L -v -n 2>/dev/null
+    
+    echo -e "\nNAT Table Rules:"
+    warn_exec iptables -t nat -L -v -n 2>/dev/null
+    
+    echo -e "\nMangle Table Rules:"
+    warn_exec iptables -t mangle -L -v -n 2>/dev/null
+    
+    # Check for custom chains
+    echo -e "\nCustom Chains:"
+    warn_exec iptables -L -v -n | grep -E "^Chain [A-Za-z]" | grep -v "INPUT\|OUTPUT\|FORWARD\|PREROUTING\|POSTROUTING" 2>/dev/null
+    
+    # Check for saved rules
+    echo -e "\nSaved Rules:"
+    for rules_file in /etc/iptables/* /etc/iptables/rules.v4 /etc/iptables/rules.v6 /etc/iptables-save /etc/iptables.save; do
+        if [ -f "$rules_file" ]; then
+            echo "Found rules in $rules_file:"
+            warn_exec cat "$rules_file" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
+        fi
+    done
+}
+
+# Function to analyze nftables rules
+analyze_nftables() {
+    echo ""
+    print_3title "Nftables Rules"
+    
+    # Check if nft is available
+    if ! check_command nft; then
+        echo_not_found "nftables"
+        return
+    fi
+    
+    # Check if we have permission to list rules
+    if ! timeout 1 nft list ruleset >/dev/null 2>&1; then
+        echo "No permission to list nftables rules" | sed -${E} "s,.*,${SED_RED},g"
+        return
+    fi
+    
+    # Get nftables version
+    warn_exec nft --version 2>/dev/null
+    
+    # List all rules
+    echo -e "\nNftables Ruleset:"
+    warn_exec nft list ruleset 2>/dev/null
+    
+    # Check for saved rules
+    echo -e "\nSaved Rules:"
+    for rules_file in /etc/nftables.conf /etc/sysconfig/nftables.conf; do
+        if [ -f "$rules_file" ]; then
+            echo "Found rules in $rules_file:"
+            warn_exec cat "$rules_file" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
+        fi
+    done
+}
+
+# Function to analyze firewalld rules
+analyze_firewalld() {
+    echo ""
+    print_3title "Firewalld Rules"
+    
+    # Check if firewall-cmd is available
+    if ! check_command firewall-cmd; then
+        echo_not_found "firewalld"
+        return
+    fi
+    
+    # Check if firewalld is running
+    if ! systemctl is-active firewalld >/dev/null 2>&1; then
+        echo "Firewalld is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
+        return
+    fi
+    
+    # Get firewalld version
+    warn_exec firewall-cmd --version 2>/dev/null
+    
+    # List all zones
+    echo -e "\nFirewalld Zones:"
+    warn_exec firewall-cmd --list-all-zones 2>/dev/null
+    
+    # List active zones
+    echo -e "\nActive Zones:"
+    warn_exec firewall-cmd --get-active-zones 2>/dev/null
+    
+    # List services
+    echo -e "\nAvailable Services:"
+    warn_exec firewall-cmd --list-services 2>/dev/null
+    
+    # List ports
+    echo -e "\nOpen Ports:"
+    warn_exec firewall-cmd --list-ports 2>/dev/null
+    
+    # List rich rules
+    echo -e "\nRich Rules:"
+    warn_exec firewall-cmd --list-rich-rules 2>/dev/null
+}
+
+# Function to analyze UFW rules
+analyze_ufw() {
+    echo ""
+    print_3title "UFW Rules"
+    
+    # Check if ufw is available
+    if ! check_command ufw; then
+        echo_not_found "ufw"
+        return
+    fi
+    
+    # Check if UFW is running
+    if ! ufw status >/dev/null 2>&1; then
+        echo "UFW is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
+        return
+    fi
+    
+    # Get UFW version
+    warn_exec ufw version 2>/dev/null
+    
+    # List rules
+    echo -e "\nUFW Rules:"
+    warn_exec ufw status verbose 2>/dev/null
+    
+    # List numbered rules
+    echo -e "\nNumbered Rules:"
+    warn_exec ufw status numbered 2>/dev/null
+}
+
+# Main function to analyze firewall rules
+analyze_firewall_rules() {
+    print_2title "Firewall Rules Analysis"
+    
+    # Analyze different firewall systems
+    analyze_iptables
+    analyze_nftables
+    analyze_firewalld
+    analyze_ufw
+    
+    # Additional checks if EXTRA_CHECKS is enabled
+    if [ "$EXTRA_CHECKS" ]; then
+        echo ""
+        print_3title "Additional Firewall Information"
+        
+        # Check for common firewall configuration files
+        echo "Checking for firewall configuration files..."
+        for config_file in /etc/sysconfig/iptables /etc/sysconfig/ip6tables /etc/iptables/rules.v4 /etc/iptables/rules.v6 /etc/nftables.conf /etc/ufw/user.rules /etc/ufw/user6.rules; do
+            if [ -f "$config_file" ]; then
+                echo "Found configuration file: $config_file" | sed -${E} "s,.*,${SED_GREEN},g"
+            fi
+        done
+        
+        # Check for firewall management tools
+        echo -e "\nChecking for firewall management tools..."
+        for tool in shorewall shorewall6 ferm; do
+            if check_command "$tool"; then
+                echo "$tool is available" | sed -${E} "s,.*,${SED_GREEN},g"
+            fi
+        done
+    fi
+    
+    echo ""
+}
+
+# Run the main function
+analyze_firewall_rules
--- a/linPEAS/builder/linpeas_parts/5_network_information/9_Inetdconf.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/9_Inetdconf.sh
@ -1,20 +1,192 @@
-# Title: Network Information - Inetconf
+# Title: Network Information - Inetd/Xinetd Services Analysis
 # ID: NT_Inetdconf
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Check content of /etc/inetd.conf & /etc/xinetd.conf
+# Description: Analyze inetd and xinetd services and configurations
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title 
-# Global Variables: $EXTRA_CHECKS
+# Functions Used: print_2title, print_3title, warn_exec, echo_not_found
+# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $inetd_service, $log_file, $cmd, $service_name, $conf_file, $service_dir, $service_file, $inetd_file
 # Fat linpeas: 0
 # Small linpeas: 0

+# Function to check if a command exists and is executable
+check_command() {
+    local cmd=$1
+    if command -v "$cmd" >/dev/null 2>&1; then
+        if [ -x "$(command -v "$cmd")" ]; then
+            return 0
+        fi
+    fi
+    return 1
+}

-if [ "$EXTRA_CHECKS" ]; then
-  print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf"
-  (cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
-  echo ""
-fi
+# Function to analyze inetd services
+analyze_inetd() {
+    echo ""
+    print_3title "Inetd Services"
+    
+    # Check if inetd is installed
+    if ! check_command inetd; then
+        echo_not_found "inetd"
+        return
+    fi
+    
+    # Check if inetd is running
+    if ! pgrep -x inetd >/dev/null 2>&1; then
+        echo "inetd is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
+    fi
+    
+    # Get inetd version
+    warn_exec inetd -v 2>/dev/null
+    
+    # Check main configuration file
+    if [ -f "/etc/inetd.conf" ]; then
+        echo -e "\nInetd Configuration (/etc/inetd.conf):"
+        warn_exec cat /etc/inetd.conf | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
+        
+        # Check for potentially dangerous services
+        echo -e "\nPotentially Dangerous Services:"
+        warn_exec cat /etc/inetd.conf | grep -v "^$" | grep -Ev "\W+\#|^#" | grep -iE "shell|login|exec|rsh|rlogin|rexec|finger|telnet|ftp|tftp" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+    else
+        echo_not_found "/etc/inetd.conf"
+    fi
+    
+    # Check for additional configuration files
+    echo -e "\nAdditional Inetd Configuration Files:"
+    for conf_file in /etc/inetd.d/* /etc/inet/*.conf; do
+        if [ -f "$conf_file" ]; then
+            echo "Found configuration in $conf_file:"
+            warn_exec cat "$conf_file" | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
+        fi
+    done
+}
+
+# Function to analyze xinetd services
+analyze_xinetd() {
+    echo ""
+    print_3title "Xinetd Services"
+    
+    # Check if xinetd is installed
+    if ! check_command xinetd; then
+        echo_not_found "xinetd"
+        return
+    fi
+    
+    # Check if xinetd is running
+    if ! pgrep -x xinetd >/dev/null 2>&1; then
+        echo "xinetd is not running" | sed -${E} "s,.*,${SED_YELLOW},g"
+    fi
+    
+    # Get xinetd version
+    warn_exec xinetd -version 2>/dev/null
+    
+    # Check main configuration file
+    if [ -f "/etc/xinetd.conf" ]; then
+        echo -e "\nXinetd Configuration (/etc/xinetd.conf):"
+        warn_exec cat /etc/xinetd.conf | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
+        
+        # Check for included configurations
+        echo -e "\nIncluded Configurations:"
+        warn_exec grep -r "includedir" /etc/xinetd.conf 2>/dev/null
+    else
+        echo_not_found "/etc/xinetd.conf"
+    fi
+    
+    # Check for service-specific configurations
+    echo -e "\nService Configurations:"
+    for service_dir in /etc/xinetd.d/ /etc/xinetd/; do
+        if [ -d "$service_dir" ]; then
+            echo "Services in $service_dir:"
+            for service_file in "$service_dir"/*; do
+                if [ -f "$service_file" ]; then
+                    service_name=$(basename "$service_file")
+                    echo -e "\nService: $service_name"
+                    # Check if service is enabled
+                    if grep -q "disable.*=.*no" "$service_file" 2>/dev/null; then
+                        echo "Status: Enabled" | sed -${E} "s,.*,${SED_RED},g"
+                    else
+                        echo "Status: Disabled"
+                    fi
+                    # Show service configuration
+                    warn_exec cat "$service_file" | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
+                    
+                    # Check for potentially dangerous configurations
+                    if grep -qiE "server.*=.*/bin/|server.*=.*/sbin/|server.*=.*/usr/bin/|server.*=.*/usr/sbin/" "$service_file" 2>/dev/null; then
+                        echo "Warning: Service uses system binaries" | sed -${E} "s,.*,${SED_RED},g"
+                    fi
+                    if grep -qiE "user.*=.*root|user.*=.*0" "$service_file" 2>/dev/null; then
+                        echo "Warning: Service runs as root" | sed -${E} "s,.*,${SED_RED},g"
+                    fi
+                fi
+            done
+        fi
+    done
+}
+
+# Function to check for running inetd/xinetd services
+check_running_services() {
+    echo ""
+    print_3title "Running Inetd/Xinetd Services"
+    
+    # Check netstat for services
+    if check_command netstat; then
+        echo "Active Services (from netstat):"
+        warn_exec netstat -tulpn 2>/dev/null | grep -E "inetd|xinetd" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    
+    # Check ss for services
+    if check_command ss; then
+        echo -e "\nActive Services (from ss):"
+        warn_exec ss -tulpn 2>/dev/null | grep -E "inetd|xinetd" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    
+    # Check for service processes
+    echo -e "\nRunning Service Processes:"
+    for inetd_service in $(pgrep -l inetd 2>/dev/null; pgrep -l xinetd 2>/dev/null); do
+        echo "$inetd_service" | sed -${E} "s,.*,${SED_RED},g"
+    done
+}
+
+# Main function to analyze inetd/xinetd services
+analyze_inetd_services() {
+    print_2title "Inetd/Xinetd Services Analysis"
+    
+    # Analyze inetd and xinetd services
+    analyze_inetd
+    analyze_xinetd
+    
+    # Check for running services
+    check_running_services
+    
+    # Additional checks if EXTRA_CHECKS is enabled
+    if [ "$EXTRA_CHECKS" ]; then
+        echo ""
+        print_3title "Additional Inetd/Xinetd Information"
+        
+        # Check for inetd/xinetd logs
+        echo "Checking for service logs..."
+        for log_file in /var/log/inetd.log /var/log/xinetd.log /var/log/messages /var/log/syslog; do
+            if [ -f "$log_file" ]; then
+                echo "Found log file: $log_file" | sed -${E} "s,.*,${SED_GREEN},g"
+                warn_exec tail -n 20 "$log_file" | grep -iE "inetd|xinetd" 2>/dev/null
+            fi
+        done
+        
+        # Check for inetd/xinetd related files
+        echo -e "\nChecking for related files..."
+        for file in /etc/init.d/inetd /etc/init.d/xinetd /etc/default/inetd /etc/default/xinetd; do
+            if [ -f "$inetd_file" ]; then
+                echo "Found file: $inetd_file" | sed -${E} "s,.*,${SED_GREEN},g"
+                warn_exec cat "$inetd_file" | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null
+            fi
+        done
+    fi
+    
+    echo ""
+}
+
+# Run the main function
+analyze_inetd_services
--- a/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh
@ -2,18 +2,59 @@
 # ID: UG_Pkexec
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Check Pkexec policy
+# Description: Check Pkexec policy and related files for privilege escalation
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title, print_info
-# Global Variables: $Groups, $groupsB, $groupsVB,$nosh_usrs, $sh_usrs, $USER
+# Functions Used: print_2title, print_info
+# Global Variables: $Groups, $groupsB, $groupsVB, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $pkexec_bin, $policy_dir, $policy_file
 # Fat linpeas: 0
 # Small linpeas: 1


-print_2title "Checking Pkexec policy"
+print_2title "Checking Pkexec and Polkit"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2"
-(cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
+
+echo ""
+print_3title "Polkit Binary"
+# Check pkexec binary
+pkexec_bin=$(command -v pkexec 2>/dev/null)
+if [ -n "$pkexec_bin" ]; then
+  echo "Pkexec binary found at: $pkexec_bin" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  if [ -u "$pkexec_bin" ]; then
+    echo "Pkexec binary has SUID bit set!" | sed -${E} "s,.*,${SED_RED},g"
+  fi
+  ls -l "$pkexec_bin" 2>/dev/null
+  
+  # Check polkit version for known vulnerabilities
+  if command -v pkexec >/dev/null 2>&1; then
+    pkexec --version 2>/dev/null
+  fi
+fi
+
+# Check polkit policies
+echo ""
+print_3title "Polkit Policies"
+for policy_dir in "/etc/polkit-1/localauthority.conf.d/" "/etc/polkit-1/rules.d/" "/usr/share/polkit-1/rules.d/"; do
+  if [ -d "$policy_dir" ]; then
+    echo "Checking $policy_dir:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    if [ -w "$policy_dir" ]; then
+      echo "WARNING: $policy_dir is writable!" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    for policy_file in "$policy_dir"/*; do
+      if [ -f "$policy_file" ]; then
+        if [ -w "$policy_file" ]; then
+          echo "WARNING: $policy_file is writable!" | sed -${E} "s,.*,${SED_RED},g"
+        fi
+        cat "$policy_file" 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$Groups,${SED_RED},g"
+      fi
+    done
+  fi
+done
+
+# Check for polkit authentication agent
+echo ""
+print_3title "Polkit Authentication Agent"
+ps aux 2>/dev/null | grep -i "polkit" | grep -v "grep"
 echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/11_Superusers.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/11_Superusers.sh
@ -2,17 +2,36 @@
 # ID: UG_Superusers
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Superusers
+# Description: Check for superusers and users with UID 0
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title
-# Global Variables:$knw_usrs ,$nosh_usrs,$sh_usrs, $USER
+# Functions Used: print_2title, print_info
+# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $group
 # Fat linpeas: 0
 # Small linpeas: 1


-print_2title "Superusers"
-awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED_YELLOW}," | sed "s,root,${SED_RED},"
+print_2title "Superusers and UID 0 Users"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html"
+
+# Check /etc/passwd for UID 0 users
+echo ""
+print_3title "Users with UID 0 in /etc/passwd"
+awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED_YELLOW},g" | sed "s,root,${SED_RED},g"
+
+if [ command -v getent >/dev/null 2>&1 ]; then
+    for group in sudo wheel adm docker lxd lxc root shadow disk video; do
+        if getent group "$group" >/dev/null 2>&1; then
+            echo "- Users in group '$group':"
+            getent group "$group" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g" | sed "s,root,${SED_RED},g"
+        fi
+    done
+fi
+
+# Check for users with sudo privileges in sudoers
+echo ""
+print_3title "Users with sudo privileges in sudoers"
+grep -v "^#" /etc/sudoers 2>/dev/null | grep -v "^$" | grep -v "^Defaults" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED_YELLOW},g" | sed "s,root,${SED_RED},g"
 echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/14_Login_now.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/14_Login_now.sh
@ -2,7 +2,7 @@
 # ID: UG_Login_now
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Login now
+# Description: Check currently logged in users and their sessions
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
@ -13,6 +13,45 @@
 # Small linpeas: 1


-print_2title "Login now"
-(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+print_2title "Currently Logged in Users"
+
+# Check basic user information
+echo ""
+print_3title "Basic user information"
+(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+
+# Check for active sessions
+echo ""
+print_3title "Active sessions"
+if command -v w >/dev/null 2>&1; then
+  w 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check for logged in users via utmp
+echo ""
+print_3title "Logged in users (utmp)"
+if [ -f "/var/run/utmp" ]; then
+  who -a 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check for SSH sessions
+echo ""
+print_3title "SSH sessions"
+if command -v ss >/dev/null 2>&1; then
+  ss -tnp | grep ":22" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check for screen sessions
+echo ""
+print_3title "Screen sessions"
+if command -v screen >/dev/null 2>&1; then
+  screen -ls 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check for tmux sessions
+echo ""
+print_3title "Tmux sessions"
+if command -v tmux >/dev/null 2>&1; then
+  tmux list-sessions 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
 echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/15_Last_logons.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/15_Last_logons.sh
@ -2,17 +2,54 @@
 # ID: UG_Last_logons
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Last logons
+# Description: Check last logons and login history
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
 # Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $EXISTS_FINGER, $ushell
 # Fat linpeas: 0
-# Small linpeas: 0
+# Small linpeas: 1

+print_2title "Last Logons and Login History"

-print_2title "Last logons"
-(last -Faiw || last) 2>/dev/null | tail | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_RED}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+# Check last logins
 echo ""
+print_3title "Last logins"
+if command -v last >/dev/null 2>&1; then
+  last -n 20 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check failed login attempts
+echo ""
+print_3title "Failed login attempts"
+if command -v lastb >/dev/null 2>&1; then
+  lastb -n 20 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Check auth logs for recent logins
+echo ""
+print_3title "Recent logins from auth.log (limit 20)"
+if [ -f "/var/log/auth.log" ]; then
+  grep -i "login\|authentication\|accepted" /var/log/auth.log 2>/dev/null | tail -n 20 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
+fi
+
+# Last time logon each user
+echo ""
+if command -v lastlog >/dev/null 2>&1; then
+  print_3title "Last time logon each user"
+  lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+fi
+
+EXISTS_FINGER="$(command -v finger 2>/dev/null || echo -n '')"
+if [ "$MACPEAS" ] && [ "$EXISTS_FINGER" ]; then
+  dscl . list /Users | while read un; do
+    ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)
+    if grep -q "$ushell" /etc/shells; then #Shell user
+      finger "$un" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+      echo ""
+    fi
+  done
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/16_Login_info.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/16_Login_info.sh
@ -1,29 +0,0 @@
-# Title: Users Information - Login info
-# ID: UG_Login_info
-# Author: Carlos Polop
-# Last Update: 22-08-2023
-# Description: Last time logon each user
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title
-# Global Variables: $knw_usrs, $MACPEAS, $nosh_usrs, $sh_usrs, $USER
-# Initial Functions:
-# Generated Global Variables: EXISTS_FINGER, ushell
-# Fat linpeas: 0
-# Small linpeas: 0
-
-
-print_2title "Last time logon each user"
-lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
-
-EXISTS_FINGER="$(command -v finger 2>/dev/null || echo -n '')"
-if [ "$MACPEAS" ] && [ "$EXISTS_FINGER" ]; then
-  dscl . list /Users | while read un; do
-    ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)
-    if grep -q "$ushell" /etc/shells; then #Shell user
-      finger "$un" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
-      echo ""
-    fi
-  done
-fi
-echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/2_Macos_user_hooks.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/2_Macos_user_hooks.sh
@ -8,15 +8,18 @@
 # Functions Used: print_2title
 # Global Variables: $MACPEAS 
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $user_home
 # Fat linpeas: 0
 # Small linpeas: 0


 if [ "$MACPEAS" ];then
  print_2title "All Login and Logout hooks"
-  defaults read /Users/*/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
-  defaults read /private/var/root/Library/Preferences/com.apple.loginwindow.plist
+  for user_home in /Users/*/ /private/var/root/; do
+    if [ -f "${user_home}Library/Preferences/com.apple.loginwindow.plist" ]; then
+      echo "User: $(basename "$user_home")" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+      defaults read "${user_home}Library/Preferences/com.apple.loginwindow.plist" 2>/dev/null | grep -e "Hook" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+    fi
+  done
  echo ""
-
 fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh
@ -1,14 +1,14 @@
-# Title: Users Information - Macos systemKey
+# Title: Users Information - MacOS Keychains
 # ID: UG_Macos_keychains
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Get macOS systemKey
+# Description: Get macOS keychains information
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: print_2title
+# Functions Used: print_2title, print_info
 # Global Variables: $MACPEAS
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $user_home
 # Fat linpeas: 0
 # Small linpeas: 0

@ -16,6 +16,14 @@
 if [ "$MACPEAS" ];then
  print_2title "Keychains"
  print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#chainbreaker"
-  security list-keychains
+  echo "System Keychains:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  security list-keychains 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+  echo -e "\nUser Keychains:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  for user_home in /Users/*/; do
+    if [ -d "${user_home}Library/Keychains" ]; then
+      echo "- User: $(basename "$user_home")" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+      ls -la "${user_home}Library/Keychains/" 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+    fi
+  done
  echo ""
 fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/4_Macos_systemkey.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/4_Macos_systemkey.sh
@ -1,8 +1,8 @@
-# Title: Users Information - Macos systemKey
+# Title: Users Information - MacOS SystemKey
 # ID: UG_Macos_systemkey
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Get macOS systemKey
+# Description: Get macOS SystemKey information (used for FileVault encryption)
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
@ -15,10 +15,14 @@

 if [ "$MACPEAS" ];then
  print_2title "SystemKey"
-  ls -l /var/db/SystemKey
+  echo "The SystemKey is used by FileVault to encrypt/decrypt the volume. If you can read it, you might be able to decrypt the disk."
+  echo -e "\nSystemKey file permissions:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  ls -l /var/db/SystemKey 2>/dev/null | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+  
  if [ -r "/var/db/SystemKey" ]; then
-    echo "You can read /var/db/SystemKey" | sed -${E} "s,.*,${SED_RED_YELLOW},";
-    hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},";
+    echo -e "\nWARNING: You can read /var/db/SystemKey!" | sed -${E} "s,.*,${SED_RED},g"
+    echo "SystemKey content (first 24 bytes after header):" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},g"
  fi
  echo ""
 fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/5_Pgp_keys.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/5_Pgp_keys.sh
@ -2,21 +2,48 @@
 # ID: UG_Pgp_keys
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: PGP keys
+# Description: Check for PGP keys and related files that might contain sensitive information
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title
-# Global Variables: 
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $HOME
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $pgp_file
 # Fat linpeas: 0
 # Small linpeas: 1


-print_2title "Do I have PGP keys?"
-command -v gpg 2>/dev/null || echo_not_found "gpg"
-gpg --list-keys 2>/dev/null
-command -v netpgpkeys 2>/dev/null || echo_not_found "netpgpkeys"
-netpgpkeys --list-keys 2>/dev/null
-command -v netpgp 2>/dev/null || echo_not_found "netpgp"
+print_2title "PGP Keys and Related Files"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys"
+
+# Check for GPG
+echo "GPG:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+if command -v gpg >/dev/null 2>&1; then
+  echo "GPG is installed, listing keys:"
+  gpg --list-keys 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+  # Check for private keys
+  gpg --list-secret-keys 2>/dev/null | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+else
+  echo_not_found "gpg"
+fi
+
+# Check for NetPGP
+echo -e "\nNetPGP:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+if command -v netpgpkeys >/dev/null 2>&1; then
+  echo "NetPGP is installed" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+  netpgpkeys --list-keys 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"
+else
+  echo_not_found "netpgpkeys"
+fi
+
+# Check for common PGP files
+echo -e "\nPGP Related Files:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+for pgp_file in "$HOME/.gnupg" "$HOME/.pgp" "$HOME/.openpgp" "$HOME/.ssh/gpg-agent.conf" "$HOME/.config/gpg"; do
+  if [ -e "$pgp_file" ]; then
+    echo "Found: $pgp_file"
+    if [ -d "$pgp_file" ]; then
+      ls -la "$pgp_file" 2>/dev/null
+    fi
+  fi
+done
 echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/6_Clipboard_highlighted_text.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/6_Clipboard_highlighted_text.sh
@ -2,28 +2,52 @@
 # ID: UG_Clipboard_highlighted_text
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Clipboard and highlighted text
+# Description: Check clipboard and highlighted text for sensitive information
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title
+# Functions Used: echo_not_found, print_2title, print_info
 # Global Variables: $DEBUG, $pwd_inside_history
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $content
 # Fat linpeas: 0
 # Small linpeas: 1


-if [ "$(command -v xclip 2>/dev/null || echo -n '')" ] || [ "$(command -v xsel 2>/dev/null || echo -n '')" ] || [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
-  print_2title "Clipboard or highlighted text?"
+if [ "$(command -v xclip 2>/dev/null || echo -n '')" ] || [ "$(command -v xsel 2>/dev/null || echo -n '')" ] || [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ] || [ "$(command -v wl-paste 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+  print_2title "Clipboard and Highlighted Text"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#clipboard"
+
+  # Function to check clipboard content
+  check_clipboard() {
+    local content="$1"
+    if [ -n "$content" ]; then
+      echo "$content" | sed -${E} "s,$pwd_inside_history,${SED_RED},g" | sed -${E} "s,(password|passwd|pwd).*=.*,${SED_RED},g" | sed -${E} "s,(token|key|secret).*=.*,${SED_RED},g"
+    fi
+  }
+
+  # Check different clipboard tools
  if [ "$(command -v xclip 2>/dev/null || echo -n '')" ]; then
-    echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-    echo "Highlighted text: "$(xclip -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+    echo "Using xclip:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(xclip -o -selection clipboard 2>/dev/null)"
+    echo "Highlighted text:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(xclip -o 2>/dev/null)"
  elif [ "$(command -v xsel 2>/dev/null || echo -n '')" ]; then
-    echo "Clipboard: "$(xsel -ob 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-    echo "Highlighted text: "$(xsel -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+    echo "Using xsel:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(xsel -ob 2>/dev/null)"
+    echo "Highlighted text:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(xsel -o 2>/dev/null)"
  elif [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ]; then
-    echo "Clipboard: "$(pbpaste) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
-  else echo_not_found "xsel and xclip"
+    echo "Using pbpaste:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(pbpaste 2>/dev/null)"
+  elif [ "$(command -v wl-paste 2>/dev/null || echo -n '')" ]; then
+    echo "Using wl-paste:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    echo "Clipboard:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    check_clipboard "$(wl-paste 2>/dev/null)"
+  else
+    echo_not_found "clipboard tools (xclip, xsel, pbpaste, wl-paste)"
  fi
  echo ""
 fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/9_Doas.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/9_Doas.sh
@ -2,23 +2,54 @@
 # ID: UG_Doas
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Checking doas.conf
+# Description: Check doas configuration and permissions for privilege escalation
 # License: GNU GPL
 # Version: 1.0
-# Functions Used: echo_not_found, print_2title
-# Global Variables: $DEBUG, $nosh_usrs,  $sh_usrs, $USER
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $DEBUG, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables: $doas_dir_name
+# Generated Global Variables: $doas_dir_name, $doas_bin, $conf_file
 # Fat linpeas: 0
 # Small linpeas: 1


-if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
-  print_2title "Checking doas.conf"
-  doas_dir_name=$(dirname "$(command -v doas || echo -n '')" 2>/dev/null)
-  if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then
-    cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW},"
-  else echo_not_found "doas.conf"
+if [ -f "/etc/doas.conf" ] || [ -f "/usr/local/etc/doas.conf" ] || [ "$DEBUG" ]; then
+  print_2title "Doas Configuration"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#doas"
+
+  # Find doas binary and its config locations
+  doas_bin=$(command -v doas 2>/dev/null)
+  if [ -n "$doas_bin" ]; then
+    doas_dir_name=$(dirname "$doas_bin")
+    echo "Doas binary found at: $doas_bin" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    
+    # Check doas binary permissions
+    if [ -u "$doas_bin" ]; then
+      echo "Doas binary has SUID bit set!" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+    ls -l "$doas_bin" 2>/dev/null | sed -${E} "s,.*,${SED_RED_YELLOW},g"
  fi
-  echo ""
-fi
+
+  # Check all possible doas.conf locations
+  echo -e "\nChecking doas.conf files:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  for conf_file in "/etc/doas.conf" "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" "/usr/local/etc/doas.conf"; do
+    if [ -f "$conf_file" ]; then
+      echo "Found: $conf_file" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+      if [ -w "$conf_file" ]; then
+        echo "WARNING: $conf_file is writable!" | sed -${E} "s,.*,${SED_RED},g"
+      fi
+      cat "$conf_file" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED},g" | sed "s,root,${SED_RED},g" | sed "s,nopass,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed "s,$USER,${SED_RED_YELLOW},g"
+    fi
+  done
+
+  # Check if doas is working
+  if [ -n "$doas_bin" ]; then
+    echo -e "\nTesting doas:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+    if $doas_bin -l 2>/dev/null; then
+      echo "doas -l command works!" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+    fi
+  fi
+else
+  echo_not_found "doas.conf"
+fi
+echo ""
--- a/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh
+++ b/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh
@ -8,7 +8,7 @@
 # Functions Used: print_2title
 # Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $DEBUG, $USER, $STRINGS
 # Initial Functions:
-# Generated Global Variables: $mysqluser, $mysqlexec, $mysqlconnect, $mysqlconnectnopass
+# Generated Global Variables: $mysqluser, $mysqlexec, $mysqlconnect, $mysqlconnectnopass, $mysqluser, $version_output, $major_version, $version, $process_info
 # Fat linpeas: 0
 # Small linpeas: 1

@ -102,4 +102,42 @@ if [ "$(command -v mysql || echo -n '')" ] || [ "$(command -v mysqladmin || echo
  else echo_no
  fi
  echo ""
+fi
+
+### This section checks if MySQL (mysqld) is running as root and if its version is 4.x or 5.x to refer a known local privilege escalation exploit! ###
+
+# Find the mysqld process
+process_info=$(ps aux | grep '[m]ysqld' | head -n1)
+
+if [ -z "$process_info" ]; then
+  echo "MySQL process not found." | sed -${E} "s,.*,${SED_GREEN},"
+else
+
+  # Extract the process user
+  mysqluser=$(echo "$process_info" | awk '{print $1}')
+
+  # Get the MySQL version string
+  version_output=$(mysqld --version 2>&1)
+
+  # Extract the version number (expects format like X.Y.Z)
+  version=$(echo "$version_output" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
+
+  if [ -z "$version" ]; then
+    echo "Unable to determine MySQL version." | sed -${E} "s,.*,${SED_GREEN},"
+  else
+
+    # Extract the major version number (X from X.Y.Z)
+    major_version=$(echo "$version" | cut -d. -f1)
+
+    # Check if MySQL is running as root and if the version is either 4.x or 5.x
+    if [ "$mysqluser" = "root" ] && { [ "$major_version" -eq 4 ] || [ "$major_version" -eq 5 ]; }; then
+      echo "MySQL is running as root with version $version. This is a potential local privilege escalation vulnerability!" | sed -${E} "s,.*,${SED_RED},"
+      echo "\tRefer to: https://www.exploit-db.com/exploits/1518" | sed -${E} "s,.*,${SED_YELLOW},"
+      echo "\tRefer to: https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf" | sed -${E} "s,.*,${SED_YELLOW},"
+    else
+      echo "MySQL is running as user '$mysqluser' with version $version." | sed -${E} "s,.*,${SED_GREEN},"
+    fi
+    ### ------------------------------------------------------------------------------------------------------------------------------------------------ ###
+  
+  fi
 fi
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh
@ -17,27 +17,55 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
  print_2title "Capabilities"
  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
  if [ "$(command -v capsh || echo -n '')" ]; then
-
    print_3title "Current shell capabilities"
    cat "/proc/$$/status" | grep Cap | while read -r cap_line; do
      cap_name=$(echo "$cap_line" | awk '{print $1}')
      cap_value=$(echo "$cap_line" | awk '{print $2}')
      if [ "$cap_name" = "CapEff:" ]; then
-        echo "$cap_name	 $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED_YELLOW},")"
+        # Add validation check for cap_value
+        # For more POSIX-compliant formatting, the following could be used instead:
+        # if echo "$cap_value" | grep -E '^[0-9a-fA-F]+$' > /dev/null 2>&1; then
+        if [[ "$cap_value" =~ ^[0-9a-fA-F]+$ ]]; then
+          # Memory errors can occur with certain values (e.g., ffffffffffffffff)
+          # so we redirect stderr to prevent error propagation
+          echo "$cap_name	 $(capsh --decode=0x"$cap_value" 2>/dev/null | sed -${E} "s,$capsB,${SED_RED_YELLOW},")"
+        else
+          echo "$cap_name	 [Invalid capability format]"
+        fi
      else
-        echo "$cap_name  $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED},")"
+        # Add validation check for cap_value
+        if [[ "$cap_value" =~ ^[0-9a-fA-F]+$ ]]; then
+          # Memory errors can occur with certain values (e.g., ffffffffffffffff)
+          # so we redirect stderr to prevent error propagation
+          echo "$cap_name  $(capsh --decode=0x"$cap_value" 2>/dev/null | sed -${E} "s,$capsB,${SED_RED},")"
+        else
+          echo "$cap_name  [Invalid capability format]"
+        fi
      fi
    done
    echo ""
-
    print_info "Parent process capabilities"
    cat "/proc/$PPID/status" | grep Cap | while read -r cap_line; do
      cap_name=$(echo "$cap_line" | awk '{print $1}')
      cap_value=$(echo "$cap_line" | awk '{print $2}')
      if [ "$cap_name" = "CapEff:" ]; then
-        echo "$cap_name	 $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED_YELLOW},")"
+        # Add validation check for cap_value
+        if [[ "$cap_value" =~ ^[0-9a-fA-F]+$ ]]; then
+          # Memory errors can occur with certain values (e.g., ffffffffffffffff)
+          # so we redirect stderr to prevent error propagation
+          echo "$cap_name	 $(capsh --decode=0x"$cap_value" 2>/dev/null | sed -${E} "s,$capsB,${SED_RED_YELLOW},")"
+        else
+          echo "$cap_name	 [Invalid capability format]"
+        fi
      else
-        echo "$cap_name	 $(capsh --decode=0x"$cap_value" | sed -${E} "s,$capsB,${SED_RED},")"
+        # Add validation check for cap_value
+        if [[ "$cap_value" =~ ^[0-9a-fA-F]+$ ]]; then
+          # Memory errors can occur with certain values (e.g., ffffffffffffffff)
+          # so we redirect stderr to prevent error propagation
+          echo "$cap_name	 $(capsh --decode=0x"$cap_value" 2>/dev/null | sed -${E} "s,$capsB,${SED_RED},")"
+        else
+          echo "$cap_name	 [Invalid capability format]"
+        fi
      fi
    done
    echo ""
@ -69,10 +97,9 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
    if ! [ "$capsVB_vuln" ]; then
      echo "$cb" | sed -${E} "s,$capsB,${SED_RED},"
    fi
-
    if ! [ "$IAMROOT" ] && [ -w "$(echo $cb | cut -d" " -f1)" ]; then
      echo "$cb is writable" | sed -${E} "s,.*,${SED_RED},"
    fi
  done
  echo ""
-fi
+fi
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh
@ -15,6 +15,6 @@

 if ! [ "$SEARCH_IN_FOLDER" ]; then
  print_2title "Searching passwords inside logs (limit 70)"
-  (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|modules-config/config-set-passwords\|config-set-passwords already ran\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
+  (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -R -H -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|modules-config/config-set-passwords\|config-set-passwords already ran\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
  echo ""
-fi
+fi
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/28_Files_with_passwords.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/28_Files_with_passwords.sh
@ -19,7 +19,7 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
  print_2title "Searching possible password variables inside key folders (limit 140)"
  if ! [ "$SEARCH_IN_FOLDER" ]; then
    timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
-    timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
+    timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
  else
    timeout 150 find $SEARCH_IN_FOLDER -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
  fi
@ -29,12 +29,12 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
  ##-- IF) Find possible conf files with passwords
  print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)"
  if ! [ "$SEARCH_IN_FOLDER" ]; then
-    ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
+    ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null)
  else
-    ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
+    ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null)
  fi
  printf "%s\n" "$ppicf" | while read f; do
-    if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' \"$f\" 2>/dev/null; then
+    if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' "$f" 2>/dev/null; then
      echo "$ITALIC $f$NC"
      grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g"
    fi
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/29_Interesting_environment_variables.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/29_Interesting_environment_variables.sh
@ -0,0 +1,22 @@
+# Title: Interesting Files - Interesting Environment Variables
+# ID: IF_Interesting_environment_variables
+# Author: Jack Vaughn
+# Last Update: 25-05-2025
+# Description: Searching possible sensitive environment variables inside of /proc/*/environ
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $MACPEAS, $NoEnvVars, $EnvVarsRed
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if [ -z "$MACPEAS" ]; then
+  print_2title "Checking all env variables in /proc/*/environ removing duplicates and filtering out useless env vars"
+  cat /proc/[0-9]*/environ 2>/dev/null | \
+  tr '\0' '\n' | \
+  grep -Eiv "$NoEnvVars" | \
+  sort -u | \
+  sed -${E} "s,$EnvVarsRed,${SED_RED},g"
+fi
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh
@ -30,4 +30,28 @@ print_2title "Writable log files (logrotten) (limit 50)"
  done
 fi

+# Check syslog configuration
+print_2title "Syslog configuration (limit 50)"
+if [ -f "/etc/rsyslog.conf" ]; then
+    grep -v "^#" /etc/rsyslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50
+elif [ -f "/etc/syslog.conf" ]; then
+    grep -v "^#" /etc/syslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50
+else
+    echo_not_found "syslog configuration"
+fi
+
+
+# Check auditd configuration
+print_2title "Auditd configuration (limit 50)"
+if [ -f "/etc/audit/auditd.conf" ]; then
+    grep -v "^#" /etc/audit/auditd.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50
+else
+    echo_not_found "auditd configuration"
+fi
+
+# Check for log files with weak permissions
+print_2title "Log files with potentially weak perms (limit 50)"
+find /var/log -type f -ls 2>/dev/null | grep -Ev "root\s+root|root\s+systemd-journal|root\s+syslog|root\s+utmp" | sed -${E} "s,.*,${SED_RED},g" | head -n 50
+
+
 echo ""
--- a/linPEAS/builder/linpeas_parts/functions/check_az_app.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_az_app.sh
@ -19,4 +19,7 @@ check_az_app(){
  if [ -d "/opt/microsoft" ] && env | grep -iq "azure"; then
    is_az_app="Yes"
  fi
+  if [ -n "$IDENTITY_ENDPOINT" ] && echo "$IDENTITY_ENDPOINT" | grep -q "/token" && [ -n "$IDENTITY_HEADER" ]; then
+    is_az_app="Yes"
+  fi
 }
--- a/linPEAS/builder/linpeas_parts/functions/check_az_vm.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_az_vm.sh
@ -26,13 +26,13 @@ check_az_vm(){

  else
    # 3. Try querying the Azure Metadata Service for more wide support (e.g. Azure Container Registry tasks need this)
-    if command -v curl &> /dev/null; then
+    if type curl >/dev/null 2>&1; then
      meta_response=$(curl -s --max-time 2 \
        "http://169.254.169.254/metadata/identity/oauth2/token")
      if echo "$meta_response" | grep -q "Missing"; then
        is_az_vm="Yes"
      fi
-    elif command -v wget &> /dev/null; then
+    elif type wget >/dev/null 2>&1; then
      meta_response=$(wget -qO- --timeout=2 \
        "http://169.254.169.254/metadata/identity/oauth2/token")
      if echo "$meta_response" | grep -q "Missing"; then
--- a/linPEAS/builder/linpeas_parts/functions/check_dns.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_dns.sh
@ -8,11 +8,19 @@
 # Functions Used:
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $TIMEOUT_INTERNET_SECONDS_DNS, $local_pid
 # Fat linpeas: 0
 # Small linpeas: 1

-
 check_dns(){
-  (timeout 20 /bin/bash -c '(( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/1.1.1.1/53 && echo "DNS available" || echo "DNS not available") 2>/dev/null | grep "available"' ) 2>/dev/null || echo "DNS not available"
+  local TIMEOUT_INTERNET_SECONDS_DNS=$1
+  if ! [ -f "/bin/bash" ]; then
+    echo "  /bin/bash not found"
+    return
+  fi
+
+  # example.com
+  (bash -c '((( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/1.1.1.1/53 && echo "DNS accessible") | grep "accessible" && exit 0 ) 2>/dev/null || echo "DNS is not accessible"') & local_pid=$!
+
+  sleep $TIMEOUT_INTERNET_SECONDS_DNS && kill -9 $local_pid 2>/dev/null && echo "DNS is not accessible"
 }
--- a/linPEAS/builder/linpeas_parts/functions/check_external_hostname.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_external_hostname.sh
@ -0,0 +1,26 @@
+# Title: LinPeasBase - check_external_hostname
+# ID: check_external_hostname
+# Author: Carlos Polop
+# Last Update: 23-05-2025
+# Description: This will check the public IP and hostname in known malicious lists and leaks to find any relevant information about the host.
+# License: GNU GPL
+# Version: 1.0
+# Functions Used:
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $$INTERNET_SEARCH_TIMEOUT
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+check_external_hostname(){
+  INTERNET_SEARCH_TIMEOUT=15
+  # wget or curl?
+  if command -v curl >/dev/null 2>&1; then
+    curl "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
+  elif command -v wget >/dev/null 2>&1; then
+    wget -q -O - "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
+  else
+    echo "wget or curl not found"
+  fi
+}
--- a/linPEAS/builder/linpeas_parts/functions/check_icmp.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_icmp.sh
@ -1,4 +1,4 @@
-# Title: LinPeasBase - check_tcp_443
+# Title: LinPeasBase - check_icmp
 # ID: check_icmp
 # Author: Carlos Polop
 # Last Update: 22-08-2023
@ -8,11 +8,20 @@
 # Functions Used:
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $TIMEOUT_INTERNET_SECONDS_ICMP, $local_pid
 # Fat linpeas: 0
 # Small linpeas: 1


 check_icmp(){
-  (timeout -s KILL 20 /bin/bash -c '(ping -c 1 1.1.1.1 | grep "1 received" && echo "Ping is available" || echo "Ping is not available") 2>/dev/null | grep "available"') 2>/dev/null || echo "Ping is not available"
+  local TIMEOUT_INTERNET_SECONDS_ICMP=$1
+  if ! [ "$(command -v ping 2>/dev/null || echo -n '')" ]; then
+    echo "  ping not found"
+    return
+  fi
+
+  # example.com
+  ((ping -c 1 1.1.1.1 2>/dev/null | grep -Ei "1 received|1 packets received" && echo "ICMP is accessible" || echo "ICMP is not accessible" 2>/dev/null) | grep "accessible" && exit 0 ) 2>/dev/null || echo "ICMP is not accessible" & local_pid=$!
+
+  sleep $TIMEOUT_INTERNET_SECONDS_ICMP && kill -9 $local_pid 2>/dev/null && echo "ICMP is not accessible"
 }
--- a/linPEAS/builder/linpeas_parts/functions/check_tcp_443.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_tcp_443.sh
@ -8,11 +8,21 @@
 # Functions Used:
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $local_pid, $TIMEOUT_INTERNET_SECONDS_443
 # Fat linpeas: 0
 # Small linpeas: 1


+
 check_tcp_443(){
-  (timeout -s KILL 20 /bin/bash -c '(echo >/dev/tcp/1.1.1.1/443 && echo "Port 443 is accessible" || echo "Port 443 is not accessible") 2>/dev/null | grep "accessible"') 2>/dev/null || echo "Port 443 is not accessible"
-}
+  local TIMEOUT_INTERNET_SECONDS_443=$1
+  if ! [ -f "/bin/bash" ]; then
+    echo "  /bin/bash not found"
+    return
+  fi
+
+  # example.com
+  (bash -c '(echo >/dev/tcp/104.18.74.230/443 2>/dev/null && echo "Port 443 is accessible" && exit 0) 2>/dev/null || echo "Port 443 is not accessible"') & local_pid=$!
+
+  sleep $TIMEOUT_INTERNET_SECONDS_443 && kill -9 $local_pid 2>/dev/null && echo "Port 443 is not accessible"
+}
--- a/linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh
@ -0,0 +1,46 @@
+# Title: LinPeasBase - check_tcp_443_bin
+# ID: check_tcp_443_bin
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check if TCP Internet conns are available (via port 443) using curl or wget
+# License: GNU GPL
+# Version: 1.0
+# Functions Used:
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $url_lambda, $TIMEOUT_INTERNET_SECONDS_443_BIN
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+check_tcp_443_bin () {
+  local TIMEOUT_INTERNET_SECONDS_443_BIN=$1
+  local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/"
+
+  if command -v curl >/dev/null 2>&1; then
+    if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \
+         -H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
+    then
+      echo "Port 443 is accessible with curl"
+      return 0                      # ✅ success
+    else
+      echo "Port 443 is not accessible with curl"
+      return 1
+    fi
+
+  elif command -v wget >/dev/null 2>&1; then
+    if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \
+         --header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
+    then
+      echo "Port 443 is accessible with wget"
+      return 0
+    else
+      echo "Port 443 is not accessible with wget"
+      return 1
+    fi
+
+  else
+    echo "Neither curl nor wget available"
+    return 1
+  fi
+}
--- a/linPEAS/builder/linpeas_parts/functions/check_tcp_80.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_tcp_80.sh
@ -8,11 +8,21 @@
 # Functions Used:
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $local_pid, $TIMEOUT_INTERNET_SECONDS_80
 # Fat linpeas: 0
 # Small linpeas: 1


+
 check_tcp_80(){
-  (timeout -s KILL 20 /bin/bash -c '( echo >/dev/tcp/1.1.1.1/80 && echo "Port 80 is accessible" || echo "Port 80 is not accessible") 2>/dev/null | grep "accessible"') 2>/dev/null || echo "Port 80 is not accessible"
+  local TIMEOUT_INTERNET_SECONDS_80=$1
+  if ! [ -f "/bin/bash" ]; then
+    echo "  /bin/bash not found"
+    return
+  fi
+
+  # example.com
+  (bash -c '(echo >/dev/tcp/104.18.74.230/80 2>/dev/null && echo "Port 80 is accessible" && exit 0) 2>/dev/null || echo "Port 80 is not accessible"') & local_pid=$!
+
+  sleep $TIMEOUT_INTERNET_SECONDS_80 && kill -9 $local_pid 2>/dev/null && echo "Port 80 is not accessible"
 }
--- a/linPEAS/builder/linpeas_parts/functions/execBin.sh
+++ b/linPEAS/builder/linpeas_parts/functions/execBin.sh
@ -2,30 +2,53 @@
 # ID: execBin
 # Author: Carlos Polop
 # Last Update: 22-08-2023
-# Description: Write and exected an embedded binary
+# Description: Write and execute an embedded binary
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_3title, print_info
 # Global Variables: $Wfolder
 # Initial Functions:
-# Generated Global Variables: $TOOL_NAME, $TOOL_LINK, $B64_BIN, $PARAMS
+# Generated Global Variables: $TOOL_NAME, $TOOL_LINK, $B64_BIN, $PARAMS, $TMP_BIN, $cmdpid, $watcher, $rc
 # Fat linpeas: 0
 # Small linpeas: 1


-execBin(){
-  TOOL_NAME=$1
-  TOOL_LINK=$2
-  B64_BIN=$3
-  PARAMS=$4
-  if [ "$B64_BIN" ]; then
-    echo ""
-    print_3title "Running $TOOL_NAME"
-    print_info "$TOOL_LINK"
-    echo "$B64_BIN" | base64 -d > $Wfolder/bin
-    chmod +x $Wfolder/bin
-    eval "$Wfolder/bin $PARAMS"
-    rm -f $Wfolder/bin
-    echo ""
+execBin() {
+  TOOL_NAME=$1        # Display name
+  TOOL_LINK=$2        # Reference URL
+  B64_BIN=$3          # base64‑encoded executable
+  PARAMS=$4           # Arguments to the tool
+
+  [ -z "$B64_BIN" ] && return 0   # nothing to do
+
+  echo
+  print_3title "Running $TOOL_NAME"
+  print_info  "$TOOL_LINK"
+
+  TMP_BIN=$(mktemp "${Wfolder:-/tmp}/bin.XXXXXX") || { echo "mktemp failed"; return 1; }
+  printf '%s' "$B64_BIN" | base64 -d > "$TMP_BIN" || { echo "decode failed"; rm -f "$TMP_BIN"; return 1; }
+  chmod +x "$TMP_BIN"
+
+  # ---------------- 120‑second wall‑clock timeout ----------------
+  if command -v timeout >/dev/null 2>&1; then                 # GNU/BSD timeout
+      timeout --preserve-status -s 9 120 "$TMP_BIN" $PARAMS
+  elif command -v gtimeout >/dev/null 2>&1; then              # Homebrew coreutils (macOS)
+      gtimeout --preserve-status -s 9 120 "$TMP_BIN" $PARAMS
+  else                                                        # POSIX fall‑back
+      (
+        "$TMP_BIN" $PARAMS &                                  # run in background
+        cmdpid=$!
+        ( sleep 120 && kill -9 "$cmdpid" 2>/dev/null) &
+        watcher=$!
+        wait "$cmdpid"
+        rc=$?
+        kill -9 "$watcher" 2>/dev/null
+        exit $rc
+      )
  fi
+  rc=$?
+
+  rm -f "$TMP_BIN"
+  echo
+  return $rc
 }
--- a/linPEAS/builder/linpeas_parts/functions/su_try_pwd.sh
+++ b/linPEAS/builder/linpeas_parts/functions/su_try_pwd.sh
@ -6,9 +6,9 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: 
-# Global Variables:
+# Global Variables: $SED_RED_YELLOW
 # Initial Functions:
-# Generated Global Variables: $BFUSER, $PASSWORDTRY, $trysu, $SED_RED_YELLOW
+# Generated Global Variables: $BFUSER, $PASSWORDTRY, $trysu
 # Fat linpeas: 0
 # Small linpeas: 1

--- a/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh
+++ b/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh
@ -83,6 +83,7 @@ AUTO_NETWORK_SCAN=""
 EXTRA_CHECKS=""
 REGEXES=""
 PORT_FORWARD=""
+NOT_CHECK_EXTERNAL_HOSTNAME=""
 THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")"
 [ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
 [ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2
@ -96,6 +97,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
        ${YELLOW}    -e${BLUE} Perform extra enumeration
        ${YELLOW}    -r${BLUE} Enable Regexes (this can take from some mins to hours)
        ${YELLOW}    -P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
+        ${YELLOW}    -n${BLUE} Do not check hostname & IP in known malicious lists and leaks
 	${YELLOW}    -D${BLUE} Debug mode

      ${GREEN}  Network recon:
@ -128,6 +130,7 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do
    p)  PORTS=$OPTARG;;
    i)  IP=$OPTARG;;
    P)  PASSWORD=$OPTARG;;
+    n)  NOT_CHECK_EXTERNAL_HOSTNAME="1";;
    q)  QUIET=1;;
    o)  CHECKS=$OPTARG;;
    L)  MACPEAS="";;
@ -188,6 +191,9 @@ if [ $? -ne 0 ] ; then
 	fi
 fi

+# on macOS the built-in echo does not support -n, use /bin/echo instead
+if [ "$MACPEAS" ] ; then alias echo=/bin/echo ; fi
+
 print_title(){
  if [ "$DEBUG" ]; then
    END_T1_TIME=$(date +%s 2>/dev/null)
@ -343,7 +349,7 @@ print_support () {
    ${GREEN}/---------------------------------------------------------------------------------\\
    |                             ${BLUE}Do you like PEASS?${GREEN}                                  |
    |---------------------------------------------------------------------------------|
-    |         ${YELLOW}Learn Cloud Hacking${GREEN}       :     ${RED}https://training.hacktricks.wiki${GREEN}         |
+    |         ${YELLOW}Learn Cloud Hacking${GREEN}       :     ${RED}https://training.hacktricks.xyz ${GREEN}        |
    |         ${YELLOW}Follow on Twitter${GREEN}         :     ${RED}@hacktricks_live${GREEN}                        |
    |         ${YELLOW}Respect on HTB${GREEN}            :     ${RED}SirBroccoli            ${GREEN}                 |
    |---------------------------------------------------------------------------------|
--- a/linPEAS/builder/linpeas_parts/linpeas_base/1_check_network_jobs.sh
+++ b/linPEAS/builder/linpeas_parts/linpeas_base/1_check_network_jobs.sh
--- a/linPEAS/builder/linpeas_parts/variables/EnvVarsRed.sh
+++ b/linPEAS/builder/linpeas_parts/variables/EnvVarsRed.sh
@ -0,0 +1,18 @@
+# Title: Variables - EnvVarsRed
+# ID: EnvVarsRed
+# Author: Carlos Polop
+# Last Update: 26-05-2025
+# Description: Useless env vars
+# License: GNU GPL
+# Version: 1.0
+# Functions Used:
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $EnvVarsRed
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+EnvVarsRed="[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME|[aA][pP][iI][_][kK][eE][yY]|[aA][wW][sS]|[aA][zZ][uU][rR][eE]|[gG][cC][pP]|[aA][pP][iI]|[sS][eE][cC][rR][eE][tT]|[sS][qQ][lL]|[dD][aA][tT][aA][bB][aA][sS][eE]|[tT][oO][kK][eE][nN]"
+
+
--- a/linPEAS/builder/linpeas_parts/variables/NoEnvVars.sh
+++ b/linPEAS/builder/linpeas_parts/variables/NoEnvVars.sh
@ -0,0 +1,16 @@
+# Title: Variables - NoEnvVars
+# ID: NoEnvVars
+# Author: Carlos Polop
+# Last Update: 26-05-2025
+# Description: Useless env vars
+# License: GNU GPL
+# Version: 1.0
+# Functions Used:
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $NoEnvVars
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+NoEnvVars="LESS_TERMCAP|JOURNAL_STREAM|XDG_SESSION|DBUS_SESSION|systemd\/sessions|systemd_exec|MEMORY_PRESSURE_WATCH|RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_|^PATH=|^INVOCATION_ID=|^WATCHDOG_PID=|^LISTEN_PID="
--- a/linPEAS/builder/linpeas_parts/variables/processesVB.sh
+++ b/linPEAS/builder/linpeas_parts/variables/processesVB.sh
@ -13,4 +13,4 @@
 # Small linpeas: 1


-processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port'
+processesVB='jdwp|tmux |screen | inspect |--inspect=|--inspect |--inspect$|--inpect-brk|--remote-debugging-port'
--- a/linPEAS/builder/linpeas_parts/variables/timersG.sh
+++ b/linPEAS/builder/linpeas_parts/variables/timersG.sh
@ -13,4 +13,4 @@
 # Small linpeas: 1


-timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|dpkg-db-backup.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|plocate-updatedb.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer"
+timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|dpkg-db-backup.timer|e2scrub_all.timer|exim4-base.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|plocate-updatedb.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer"
--- a/linPEAS/builder/linpeas_parts/variables/usrs_sh.sh
+++ b/linPEAS/builder/linpeas_parts/variables/usrs_sh.sh
@ -21,6 +21,6 @@ if [ "$MACPEAS" ]; then
    if  grep -q \"$ushell\" /etc/shells; then sh_usrs="$sh_usrs|$uname"; else nosh_usrs="$nosh_usrs|$uname"; fi
  done
 else
-  sh_usrs=$(cat /etc/passwd 2>/dev/null | grep -v "^root:" | grep -i "sh$" | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/' | sed 's/|sys|/|sys[\\\s:]|^sys$|/' | sed 's/|daemon|/|daemon[\\\s:]|^daemon$|/')"ImPoSSssSiBlEee" #Modified bin, sys and daemon so they are not colored everywhere
-  nosh_usrs=$(cat /etc/passwd 2>/dev/null | grep -i -v "sh$" | sort | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/')"ImPoSSssSiBlEee"
+  sh_usrs=$(cat /etc/passwd 2>/dev/null | grep -v "^root:" | grep -i "sh$" | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[[:space:]:]|^bin$|/' | sed 's/|sys|/|sys[[:space:]:]|^sys$|/' | sed 's/|daemon|/|daemon[[:space:]:]|^daemon$|/')"ImPoSSssSiBlEee" #Modified bin, sys and daemon so they are not colored everywhere
+  nosh_usrs=$(cat /etc/passwd 2>/dev/null | grep -i -v "sh$" | sort | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[[:space:]:]|^bin$|/')"ImPoSSssSiBlEee"
 fi
--- a/linPEAS/builder/src/linpeasBaseBuilder.py
+++ b/linPEAS/builder/src/linpeasBaseBuilder.py
@ -292,9 +292,12 @@ class LinpeasBaseBuilder:
        all_module_paths += self.enumerate_directory(LINPEAS_PARTS["variables"])
        
        for module in LINPEAS_PARTS["modules"]:
+            exclude = False
            for ex_module in exclude_modules:
                if ex_module in module["folder_path"] or ex_module in [module["name"], module["name_check"]]:
-                    continue
+                    exclude = True
+                    break
+            if exclude: continue
            all_module_paths += self.enumerate_directory(module["folder_path"])
        
        for module in all_module_paths:
--- a/linPEAS/builder/src/linpeasBuilder.py
+++ b/linPEAS/builder/src/linpeasBuilder.py
@ -97,7 +97,7 @@ class LinpeasBuilder:
        for orig_url in urls:
            tar_gz_bin_name = ""
            if ",,," in orig_url:
-                tar_gz_bin_name = url.split(",,,")[1]
+                tar_gz_bin_name = orig_url.split(",,,")[1]
                url = orig_url.split(",,,")[0]
            else:
                url = orig_url
@ -402,13 +402,15 @@ class LinpeasBuilder:


    def __replace_mark(self, mark: str, find_calls: list, join_char: str):
-        """Substitude the markup with the actual code"""
-        
-        self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char is't needed
+        """Substitute the markup with the actual code"""
+
+        self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char isn't needed
    
    def write_linpeas(self, path):
        """Write on disk the final linpeas"""
        
        with open(path, "w") as f:
            f.write(self.linpeas_sh)
+        
+        print(f"[+] Linpeas written on {path}")
    
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
SirBroccoli	41128808a6	Merge pull request #483 from securitytime/patch-1 Update Beaprint.cs	2025-07-01 16:23:13 +02:00
carlospolop	6fd96f4bdb	f	2025-07-01 12:12:01 +02:00
carlospolop	a745f00dd7	fix	2025-07-01 11:10:21 +02:00
securitytime	933e12d7f1	Update Beaprint.cs A space character is missing here: "... educational purposes only.Any misuse of this software ..."	2025-06-28 09:12:40 +02:00
SirBroccoli	4061cef7e8	Merge pull request #476 from peass-ng/codex/fix-url-reference-in-linpeasbuilder.py Fix url variable reference in linpeasBuilder	2025-06-25 01:59:43 +02:00
SirBroccoli	b66ced3c63	Merge pull request #475 from peass-ng/codex/find-and-fix-a-bug Fix parser global state reuse	2025-06-25 01:59:03 +02:00
SirBroccoli	cde725dacc	Merge pull request #477 from peass-ng/codex/update-docstring-and-fix-typo Fix docstring and comment in linpeasBuilder	2025-06-25 01:57:58 +02:00
SirBroccoli	f0f829890c	Merge pull request #479 from peass-ng/codex/replace--parth--with--path--in-argparse Fix typo in linpeas builder arg help	2025-06-25 01:57:11 +02:00
SirBroccoli	99c36b8562	Merge pull request #480 from Signum21/master Fixed multiple bugs in Vulnerable Leaked Handlers	2025-06-25 01:56:58 +02:00
SirBroccoli	a74c6c820f	Merge pull request #482 from Aarav-Juneja/builder-exclude-fix Fix exclude modules on linPEASS	2025-06-25 01:55:48 +02:00
SirBroccoli	53fd4d8dc8	Merge pull request #481 from ertaku12/master Added a privilege escalation vulnerability for MySQL 4.x/5.x versions.	2025-06-25 01:55:25 +02:00
Aarav Juneja	9b37fd4ef4	Fix exclude modules on linPEASS	2025-06-24 13:05:10 -07:00
John Doe	f27b1d4816	Added a privilege escalation vulnerability for MySQL 4.x/5.x versions.	2025-06-23 22:37:44 +03:00
Signum21	d335b9254f	Fixed multiple bugs in Vulnerable Leaked Handlers	2025-06-15 20:59:20 +02:00
SirBroccoli	d5e3c2a885	Fix typo in linpeas builder output argument	2025-06-06 00:38:05 +02:00
SirBroccoli	4af321d138	Fix docstring and comment typo	2025-06-06 00:01:29 +02:00
SirBroccoli	4e556fd594	Fix variable reference when parsing URLs	2025-06-06 00:01:17 +02:00
SirBroccoli	39066f6867	Fix leftover debug code and reset state in parser	2025-06-06 00:00:39 +02:00
SirBroccoli	c3a93a57fe	Merge pull request #473 from Signum21/master Fix IdentityNotMappedException in Vulnerable Leaked Handlers	2025-05-31 22:36:49 +02:00
Signum21	f62d9fc550	Fix System.Security.Principal.IdentityNotMappedException in Vulnerable Leaked Handlers	2025-05-31 04:56:14 +02:00
SirBroccoli	11e9b8dde6	Merge pull request #472 from Jack-Vaughn/NoEnvVars-Update Add 4 noisy environment variables to NoEnvVars.sh	2025-05-26 23:57:40 +02:00
Jack Vaughn	b9a9ad5ddf	Add 4 noisy and useless environment variables to NoEnvVars.sh These variables (^PATH=\|^INVOCATION_ID=\|^WATCHDOG_PID=\|^LISTEN_PID=) frequently appear across processes on busy systems (10+ each on tested system) and produce a large volume of irrelevant output	2025-05-25 21:32:51 -04:00
carlospolop	88f08a405e	l	2025-05-26 02:55:07 +02:00
SirBroccoli	322792c4ec	Merge pull request #471 from Jack-Vaughn/environ-check Add module to check for sensitive environment variables via /proc/*/environ	2025-05-26 02:33:43 +02:00
Jack	c150e63b52	This module scans /proc/*/environ for potentially sensitive environment variables on Linux systems. It targets common keywords like token, password, secret, AWS, API, etc. Uses 'tr' instead of 'strings' to improve compatibility in minimal environments like containers. The check is skipped entirely on MacPEAS.	2025-05-25 12:55:34 -04:00
carlospolop	7b8dcfbe8d	f	2025-05-25 08:17:07 +02:00
carlospolop	aac3667247	f l	2025-05-25 08:15:48 +02:00
carlospolop	64ab193d25	f linpeas	2025-05-25 07:05:48 +02:00
carlospolop	aab8241ede	f	2025-05-25 02:21:39 +02:00
carlospolop	65b98d11ac	only print errors when relevant	2025-05-25 02:10:07 +02:00
carlospolop	1e72dbeb76	impr winpeas networking checks	2025-05-25 01:46:30 +02:00
carlospolop	c9282b4bdb	fix winpeas?	2025-05-25 01:37:03 +02:00
carlospolop	b91334e5b3	fix	2025-05-24 23:37:00 +02:00
carlospolop	b7bc20a027	improvement	2025-05-24 23:31:12 +02:00
carlospolop	4fbe6ffd79	winpeas networkinfo test ci/cd	2025-05-24 23:16:31 +02:00
carlospolop	c288f3a810	fw	2025-05-24 23:05:13 +02:00
carlospolop	f3e29a509f	fix winpeas	2025-05-24 23:02:18 +02:00
carlospolop	c29fc553b5	Merge branch 'master' of github.com:peass-ng/PEASS-ng	2025-05-24 08:30:12 +02:00
carlospolop	1e7a90d29f	cursor rewrite + network checks	2025-05-24 08:29:47 +02:00
SirBroccoli	5a5d44f393	Merge pull request #470 from Signum21/master WinPeas: Differentiate between Allow ACLs and Deny ACLs	2025-05-21 07:06:46 +02:00
Signum21	368f0af794	WinPeas: Differentiate between Allow ACLs and Deny ACLs Works for files, folders, registry keys and named pipes	2025-05-21 03:33:33 +02:00
carlospolop	604580adbd	more	2025-05-19 06:36:39 +02:00
carlospolop	9820c18697	Cursor improvements parts 1 and 2	2025-05-19 06:36:35 +02:00
carlospolop	ea9b930fdb	fix capabilities module	2025-05-18 14:33:02 +02:00
SirBroccoli	dae0f7a533	Merge pull request #468 from ThatTotallyRealMyth/ThatTotallyRealMyth-4_capEdit-1 Update 4_Capabilities.sh: Fix capability decoding to prevent shell breaking output from shell/process capabiltiy checking.	2025-05-18 14:19:28 +02:00
carlospolop	3a317cc5c4	fix ec2	2025-05-18 14:17:15 +02:00
ThatTotallyRealMyth	01bf3a4ef8	Update 4_Capabilities.sh: Fix capability decoding to prevent sequence number output Testing confirmed that certain capability values (specifically ffffffffffffffff) cause memory allocation errors in capsh: "xrealloc: cannot allocate 716488832 bytes (57344 bytes allocated)" These memory errors were being propagated into the output, causing the long sequence of numbers. The fix prevents these errors from affecting the script's output.	2025-05-18 16:05:01 +10:00
carlospolop	ef28ef7a33	fix linpeas not getting EC2 metadata	2025-05-18 04:58:22 +02:00
carlospolop	58c107df40	fix kill?	2025-05-18 04:46:19 +02:00
carlospolop	63c090059b	kill frozen external binaries	2025-05-18 01:20:32 +02:00
carlospolop	4c16f72ae2	fix	2025-05-17 16:09:36 +02:00
carlospolop	85684b39ad	add timeout 120 when executing external binary	2025-05-17 16:06:35 +02:00
SirBroccoli	c0b171a5c1	Update peass.rb	2025-05-16 22:25:10 +02:00
SirBroccoli	ddc2d95cb4	Update peass.rb	2025-05-16 15:53:43 +02:00
Carlos Polop	97ae1d2e3b	Merge branch 'master' of github.com:peass-ng/PEASS-ng	2025-04-24 04:20:22 +02:00
Carlos Polop	3b6f0a5bdc	f	2025-04-24 04:20:19 +02:00
SirBroccoli	7008652029	Merge pull request #462 from jahway603/jahway603-patch-1 Minor URL fix	2025-03-30 19:18:52 +02:00
SirBroccoli	e5239f8c58	Merge pull request #461 from Signum21/master Handle path access denied	2025-03-30 19:18:34 +02:00
SirBroccoli	b2c03246d2	Merge pull request #459 from gildasio/master Set grep to show filename that contains passwords	2025-03-30 19:18:13 +02:00
SirBroccoli	f0686d491b	Merge pull request #464 from spkal01/master Rework PEASS url logic for the metasploit module	2025-03-29 21:56:35 +01:00
spkal01	99e8eb7813	Rework PEASS url logic for the metasploit module	2025-03-29 21:45:58 +02:00
Carlos Polop	46193aa0d5	fix	2025-03-20 05:13:54 +01:00
Carlos Polop	62022abc47	impr winpeas	2025-03-20 05:02:34 +01:00
jahway603	d63e737b63	Minor URL fix	2025-03-18 12:33:50 -04:00
Signum21	0b041ad694	Handle path access denied The program crashes when trying to access a path that is not allowed. An exampe of this can be found on the latest HackTheBox machine (TheFrizz) where the starting user can't access the path C:\Users	2025-03-16 05:43:48 +01:00
Gildasio Junior	8ea67f3cc2	Set grep to show filename that contains passwords This way one can identify which file contains the relevant information, eg: /var/log/responder/Poisoners-Session.log:2025-02-09 21:12:12,701 - [*] Skipping previously captured cleartext password for donald /var/log/responder/Responder-Session.log:11/02/2025 12:33:11 PM - [HTTP] Basic Password : bambam /var/log/responder/Responder-Session.log:11/02/2025 12:36:12 PM - [HTTP] Basic Password : estrella	2025-02-28 19:54:44 -03:00
Carlos Polop	ce5cb1ad9c	fix	2025-02-24 00:21:09 +01:00
Carlos Polop	30586c064f	Merge branch 'master' of github.com:peass-ng/PEASS-ng	2025-02-23 23:58:45 +01:00
Carlos Polop	b82fc9ac39	improve winpeas azure env detection	2025-02-23 23:58:41 +01:00
SirBroccoli	54818756e4	Update README.md	2025-02-23 23:47:47 +01:00
Carlos Polop	516aafff27	fix wget	2025-02-16 17:36:01 +01:00
Carlos Polop	2b64ffc803	a	2025-02-16 16:15:19 +01:00
Carlos Polop	9f8563c751	improve linpeas	2025-02-15 18:14:56 +01:00
Carlos Polop	573acee58c	improve azure linpeas	2025-02-15 17:43:42 +01:00
SirBroccoli	41e00d5618	Merge pull request #458 from DidierA/macos_echo Fix echo -n on macOS	2025-02-02 13:49:16 +01:00
SirBroccoli	536913e7f0	Merge pull request #457 from gcorrall/fix_28_files_with_passwords Fix 28_Files_with_passwords.sh	2025-02-02 13:48:14 +01:00
DidierA	4d771fb1f6	Fix echo -n on macOS	2025-01-31 16:45:24 +01:00
Gary Corrall	4964033d44	Fix 28_Files_with_passwords.sh	2025-01-29 16:33:54 +00:00