{"uuid": "947778e9-5c70-4829-a236-45af2e38cd9e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-0847", "type": "seen", "source": "https://gist.github.com/stillbigjosh/5a58fa426ea1b76221a6ce2ac9a909f6", "content": "#!/usr/bin/env bash\n# ==============================================================================\n# HTB CPTS Tool Installer \u2014 Parrot OS (HTB Edition)\n# Mirrors ~/tools directory structure from Kali box\n# Usage: bash install-tools.sh [target-dir]   (default: ~/tools)\n# ==============================================================================\n\nset -euo pipefail\n\nTOOLS_DIR=\"${1:-$HOME/tools}\"\nLOG_FILE=\"$TOOLS_DIR/install.log\"\n\nRED='\\033[0;31m'; GREEN='\\033[0;32m'; YELLOW='\\033[1;33m'; BLUE='\\033[0;34m'; NC='\\033[0m'\n\nlog()     { echo -e \"${GREEN}[+]${NC} $*\" | tee -a \"$LOG_FILE\"; }\nwarn()    { echo -e \"${YELLOW}[!]${NC} $*\" | tee -a \"$LOG_FILE\"; }\nerr()     { echo -e \"${RED}[-]${NC} $*\" | tee -a \"$LOG_FILE\"; }\nsection() { echo -e \"\\n${BLUE}[*] ===== $* =====${NC}\" | tee -a \"$LOG_FILE\"; }\n\n# ------------------------------------------------------------------------------\n# Helpers\n# ------------------------------------------------------------------------------\n\nclone() {\n    local name=\"$1\" url=\"$2\" dest=\"$3\"\n    if [ -d \"$dest/.git\" ]; then\n        warn \"$name already cloned \u2014 pulling latest\"\n        git -C \"$dest\" pull --quiet 2&gt;/dev/null || true\n    else\n        log \"Cloning $name...\"\n        if git clone --quiet --depth=1 \"$url\" \"$dest\" 2&gt;/dev/null; then\n            log \"$name cloned OK\"\n        else\n            err \"Failed to clone $name ($url)\"\n        fi\n    fi\n}\n\ndownload() {\n    local name=\"$1\" url=\"$2\" dest=\"$3\" exe=\"${4:-true}\"\n    if [ -f \"$dest\" ]; then\n        warn \"$name already exists \u2014 skipping\"\n        return\n    fi\n    log \"Downloading $name...\"\n    if curl -fsSL \"$url\" -o \"$dest\"; then\n        [ \"$exe\" = \"true\" ] &amp;&amp; chmod +x \"$dest\"\n        log \"$name downloaded OK\"\n    else\n        err \"Failed to download $name\"\n    fi\n}\n\ndownload_zip() {\n    local name=\"$1\" url=\"$2\" dest_dir=\"$3\"\n    log \"Downloading $name...\"\n    if curl -fsSL \"$url\" -o /tmp/_dl.zip &amp;&amp; unzip -q /tmp/_dl.zip -d \"$dest_dir\" &amp;&amp; rm -f /tmp/_dl.zip; then\n        log \"$name extracted OK\"\n    else\n        err \"Failed to download/extract $name\"\n        rm -f /tmp/_dl.zip\n    fi\n}\n\ndownload_tar() {\n    local name=\"$1\" url=\"$2\" dest_dir=\"$3\"\n    log \"Downloading $name...\"\n    if curl -fsSL \"$url\" | tar -xz -C \"$dest_dir\" 2&gt;/dev/null; then\n        log \"$name extracted OK\"\n    else\n        err \"Failed to download/extract $name\"\n    fi\n}\n\npip_install() {\n    local tool=\"$1\" path=\"$2\"\n    if [ -f \"$path/requirements.txt\" ]; then\n        log \"pip: installing requirements for $tool...\"\n        pip3 install -r \"$path/requirements.txt\" -q 2&gt;/dev/null || warn \"Some pip requirements failed for $tool\"\n    fi\n    if [ -f \"$path/setup.py\" ]; then\n        log \"pip: setup.py install for $tool...\"\n        pip3 install -e \"$path\" -q 2&gt;/dev/null || warn \"setup.py install failed for $tool\"\n    fi\n}\n\nbuild_make() {\n    local name=\"$1\" path=\"$2\"\n    if [ -f \"$path/Makefile\" ]; then\n        log \"make: building $name...\"\n        (cd \"$path\" &amp;&amp; make -s 2&gt;/dev/null) &amp;&amp; log \"$name built OK\" || warn \"$name make failed\"\n    fi\n}\n\nbuild_go() {\n    local name=\"$1\" path=\"$2\" out=\"${3:-$name}\"\n    if [ -f \"$path/go.mod\" ]; then\n        log \"go: building $name...\"\n        (cd \"$path\" &amp;&amp; go build -ldflags=\"-s -w\" -o \"$out\" . 2&gt;/dev/null) &amp;&amp; log \"$name built OK\" || warn \"$name go build failed\"\n    fi\n}\n\n# ==============================================================================\n# PREFLIGHT\n# ==============================================================================\n\npreflight() {\n    section \"Preflight\"\n\n    local missing=()\n    for cmd in git curl wget python3 pip3 go ruby gem make gcc unzip; do\n        command -v \"$cmd\" &amp;&gt;/dev/null || missing+=(\"$cmd\")\n    done\n\n    if [ ${#missing[@]} -gt 0 ]; then\n        warn \"Missing: ${missing[*]} \u2014 installing...\"\n        sudo apt-get update -qq 2&gt;/dev/null\n        sudo apt-get install -y git curl wget python3 python3-pip golang-go ruby ruby-dev \\\n            make gcc g++ libssl-dev libffi-dev python3-dev unzip libpcap-dev 2&gt;/dev/null || true\n    fi\n\n    log \"Creating directory structure...\"\n    mkdir -p \"$TOOLS_DIR\"/{Activedir,Payloads,Pivot}\n    mkdir -p \"$TOOLS_DIR\"/Recon/{Linux,Network,Web,Windows}\n    mkdir -p \"$TOOLS_DIR\"/Privesc/{Windows,Linux,App}\n    &gt; \"$LOG_FILE\"\n}\n\n# ==============================================================================\n# ACTIVE DIRECTORY\n# ==============================================================================\n\ninstall_activedir() {\n    section \"Active Directory Tools\"\n    local D=\"$TOOLS_DIR/Activedir\"\n\n    clone \"adidnsdump\"              \"https://github.com/dirkjanm/adidnsdump.git\"                                    \"$D/adidnsdump\"\n    pip_install \"adidnsdump\"        \"$D/adidnsdump\"\n\n    clone \"Certipy\"                 \"https://github.com/dru1d-foofus/Certipy\"                                       \"$D/Certipy\"\n    pip_install \"Certipy\"           \"$D/Certipy\"\n\n    clone \"CVE-2021-1675\"           \"https://github.com/cube0x0/CVE-2021-1675.git\"                                  \"$D/CVE-2021-1675\"\n\n    clone \"gMSADumper\"              \"https://github.com/micahvandeusen/gMSADumper.git\"                              \"$D/gMSADumper\"\n    pip_install \"gMSADumper\"        \"$D/gMSADumper\"\n\n    clone \"kerbrute\"                \"https://github.com/ropnop/kerbrute.git\"                                        \"$D/kerbrute\"\n    build_go \"kerbrute\"             \"$D/kerbrute\" \"kerbrute\"\n\n    clone \"krbrelayx\"               \"https://github.com/dirkjanm/krbrelayx.git\"                                     \"$D/krbrelayx\"\n    pip_install \"krbrelayx\"         \"$D/krbrelayx\"\n\n    clone \"NetNTLMtoSilverTicket\"   \"https://github.com/NotMedic/NetNTLMtoSilverTicket.git\"                         \"$D/NetNTLMtoSilverTicket\"\n\n    clone \"noPac\"                   \"https://github.com/Ridter/noPac.git\"                                           \"$D/noPac\"\n    pip_install \"noPac\"             \"$D/noPac\"\n\n    clone \"PassTheCert\"             \"https://github.com/AlmondOffSec/PassTheCert.git\"                               \"$D/PassTheCert\"\n\n    clone \"PetitPotam\"              \"https://github.com/topotam/PetitPotam.git\"                                     \"$D/PetitPotam\"\n\n    clone \"PKINITtools\"             \"https://github.com/dirkjanm/PKINITtools.git\"                                   \"$D/PKINITtools\"\n    pip_install \"PKINITtools\"       \"$D/PKINITtools\"\n\n    clone \"pywhisker\"               \"https://github.com/ShutdownRepo/pywhisker.git\"                                 \"$D/pywhisker\"\n    pip_install \"pywhisker\"         \"$D/pywhisker\"\n\n    clone \"Security-Assessment-PS\"  \"https://github.com/itzvenom/Security-Assessment-PS.git\"                        \"$D/Security-Assessment-PS\"\n\n    clone \"targetedKerberoast\"      \"https://github.com/ShutdownRepo/targetedKerberoast.git\"                        \"$D/targetedKerberoast\"\n    pip_install \"targetedKerberoast\" \"$D/targetedKerberoast\"\n\n    clone \"windapsearch\"            \"https://github.com/ropnop/windapsearch.git\"                                    \"$D/windapsearch\"\n    pip_install \"windapsearch\"      \"$D/windapsearch\"\n\n    # BloodHound CLI (precompiled)\n    if [ ! -f \"$D/bloodhound/bloodhound-cli\" ]; then\n        mkdir -p \"$D/bloodhound\"\n        local BH_URL\n        BH_URL=$(curl -fsSL \"https://api.github.com/repos/SpecterOps/BloodHound/releases/latest\" \\\n            | grep -o '\"browser_download_url\": *\"[^\"]*bloodhound-cli-linux-amd64\\.tar\\.gz\"' \\\n            | grep -o 'https://[^\"]*' | head -1)\n        if [ -n \"$BH_URL\" ]; then\n            download_tar \"BloodHound CLI\" \"$BH_URL\" \"$D/bloodhound\"\n            chmod +x \"$D/bloodhound/bloodhound-cli\" 2&gt;/dev/null || true\n        else\n            warn \"BloodHound CLI: could not resolve download URL \u2014 check github.com/SpecterOps/BloodHound/releases\"\n        fi\n    else\n        warn \"BloodHound CLI already present\"\n    fi\n\n    # Rubeus (precompiled \u2014 Ghostpack)\n    if [ ! -f \"$D/Rubeus/Rubeus.exe\" ]; then\n        mkdir -p \"$D/Rubeus\"\n        download \"Rubeus.exe\" \\\n            \"https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe\" \\\n            \"$D/Rubeus/Rubeus.exe\" \"false\"\n    else\n        warn \"Rubeus.exe already present\"\n    fi\n}\n\n# ==============================================================================\n# PAYLOADS\n# ==============================================================================\n\ninstall_payloads() {\n    section \"Payload Tools\"\n    local D=\"$TOOLS_DIR/Payloads\"\n\n    clone \"CVE-2023-36664 Ghostscript\" \"https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection.git\" \"$D/Ghostscript\"\n    clone \"nishang\"                    \"https://github.com/samratashok/nishang.git\"                                     \"$D/nishang\"\n    clone \"ntlm_theft\"                 \"https://github.com/Greenwolf/ntlm_theft.git\"                                    \"$D/ntlm_theft\"\n    clone \"php-reverse-shell\"          \"https://github.com/pentestmonkey/php-reverse-shell.git\"                         \"$D/php-reverse-shell\"\n    clone \"reverse_shell_splunk\"       \"https://github.com/0xjpuff/reverse_shell_splunk.git\"                            \"$D/reverse_shell_splunk\"\n    clone \"wwwolf-php-webshell\"        \"https://github.com/WhiteWinterWolf/wwwolf-php-webshell.git\"                     \"$D/wwwolf-php-webshell\"\n\n    # RunasCs (precompiled)\n    if [ ! -f \"$D/RunasCs/RunasCs.exe\" ]; then\n        mkdir -p \"$D/RunasCs\"\n        download_zip \"RunasCs\" \\\n            \"https://github.com/antonioCoco/RunasCs/releases/latest/download/RunasCs.zip\" \\\n            \"$D/RunasCs\"\n    else\n        warn \"RunasCs (Payloads) already present\"\n    fi\n\n    # ysoserial.net (precompiled)\n    if [ ! -f \"$D/ysoserial/ysoserial.exe\" ]; then\n        mkdir -p \"$D/ysoserial\"\n        local YSOS_URL\n        YSOS_URL=$(curl -fsSL \"https://api.github.com/repos/pwntester/ysoserial.net/releases/latest\" \\\n            | grep -o '\"browser_download_url\": *\"[^\"]*\\.zip\"' \\\n            | grep -o 'https://[^\"]*' | head -1)\n        if [ -n \"$YSOS_URL\" ]; then\n            download_zip \"ysoserial.net\" \"$YSOS_URL\" \"$D/ysoserial\"\n        else\n            warn \"ysoserial.net: could not resolve download URL \u2014 check github.com/pwntester/ysoserial.net/releases\"\n        fi\n    else\n        warn \"ysoserial already present\"\n    fi\n}\n\n# ==============================================================================\n# PIVOT / TUNNELING\n# ==============================================================================\n\ninstall_pivot() {\n    section \"Pivot / Tunneling Tools\"\n    local D=\"$TOOLS_DIR/Pivot\"\n\n    # chisel \u2014 build from source\n    clone \"chisel\" \"https://github.com/jpillora/chisel.git\" \"$D/chisel\"\n    build_go \"chisel\" \"$D/chisel\" \"chisel\"\n\n    # dnscat2 \u2014 Ruby server + C client\n    clone \"dnscat2\" \"https://github.com/iagox86/dnscat2.git\" \"$D/dnscat2\"\n    if [ -f \"$D/dnscat2/server/Gemfile\" ]; then\n        log \"Installing dnscat2 gems...\"\n        (cd \"$D/dnscat2/server\" &amp;&amp; gem install bundler -q 2&gt;/dev/null &amp;&amp; bundle install -q 2&gt;/dev/null) \\\n            || warn \"dnscat2 gem install failed\"\n    fi\n    if [ -f \"$D/dnscat2/client/Makefile\" ]; then\n        log \"Building dnscat2 C client...\"\n        (cd \"$D/dnscat2/client\" &amp;&amp; make -s 2&gt;/dev/null) &amp;&amp; log \"dnscat2 client built OK\" || warn \"dnscat2 client build failed\"\n    fi\n\n    clone \"dnscat2-powershell\" \"https://github.com/lukebaggett/dnscat2-powershell.git\" \"$D/dnscat2-powershell\"\n\n    # ptunnel-ng \u2014 build from source\n    clone \"ptunnel-ng\" \"https://github.com/utoni/ptunnel-ng.git\" \"$D/ptunnel-ng\"\n    if [ -f \"$D/ptunnel-ng/autogen.sh\" ]; then\n        log \"Building ptunnel-ng...\"\n        (cd \"$D/ptunnel-ng\" &amp;&amp; ./autogen.sh 2&gt;/dev/null &amp;&amp; make -s 2&gt;/dev/null) \\\n            &amp;&amp; log \"ptunnel-ng built OK\" || warn \"ptunnel-ng build failed\"\n    else\n        build_make \"ptunnel-ng\" \"$D/ptunnel-ng\"\n    fi\n\n    clone \"rpivot\" \"https://github.com/klsecservices/rpivot.git\" \"$D/rpivot\"\n\n    # ligolo-ng (precompiled \u2014 no public git repo with source in original)\n    local LIGOLO_DIR=\"$D/ligolo-ng\"\n    if [ ! -f \"$LIGOLO_DIR/proxy\" ]; then\n        mkdir -p \"$LIGOLO_DIR\"\n        local LIGOLO_VER\n        LIGOLO_VER=$(curl -fsSL \"https://api.github.com/repos/nicocha30/ligolo-ng/releases/latest\" \\\n            | grep '\"tag_name\"' | grep -o 'v[0-9.]*' | head -1)\n        LIGOLO_VER=\"${LIGOLO_VER:-v0.8.2}\"\n        log \"Downloading ligolo-ng $LIGOLO_VER...\"\n        download_tar \"ligolo-ng proxy (linux)\"  \\\n            \"https://github.com/nicocha30/ligolo-ng/releases/download/$LIGOLO_VER/ligolo-ng_proxy_${LIGOLO_VER#v}_linux_amd64.tar.gz\" \\\n            \"$LIGOLO_DIR\" || \\\n        download_tar \"ligolo-ng proxy (linux, alt URL)\" \\\n            \"https://github.com/nicocha30/ligolo-ng/releases/download/$LIGOLO_VER/ligolo-ng_proxy_linux_amd64.tar.gz\" \\\n            \"$LIGOLO_DIR\"\n        chmod +x \"$LIGOLO_DIR/proxy\" 2&gt;/dev/null || true\n\n        download_tar \"ligolo-ng agent (linux)\" \\\n            \"https://github.com/nicocha30/ligolo-ng/releases/download/$LIGOLO_VER/ligolo-ng_agent_${LIGOLO_VER#v}_linux_amd64.tar.gz\" \\\n            \"$LIGOLO_DIR\" || true\n        chmod +x \"$LIGOLO_DIR/agent\" 2&gt;/dev/null || true\n\n        download_zip \"ligolo-ng agent (windows)\" \\\n            \"https://github.com/nicocha30/ligolo-ng/releases/download/$LIGOLO_VER/ligolo-ng_agent_${LIGOLO_VER#v}_windows_amd64.zip\" \\\n            \"$LIGOLO_DIR\" || true\n    else\n        warn \"ligolo-ng already present\"\n    fi\n}\n\n# ==============================================================================\n# PRIVILEGE ESCALATION\n# ==============================================================================\n\ninstall_privesc() {\n    section \"Privilege Escalation Tools\"\n    local GHOSTPACK=\"https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master\"\n\n    # ---- Windows ----\n    local DW=\"$TOOLS_DIR/Privesc/Windows\"\n\n    clone \"Windows-PrivEsc-Cookbook\"  \"https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook.git\" \"$DW/Cookbook\"\n    clone \"EnableAllTokenPrivs\"       \"https://github.com/fashionproof/EnableAllTokenPrivs.git\"                       \"$DW/EnableAllTokenPrivs\"\n    clone \"EoPLoadDriver\"             \"https://github.com/TarlogicSecurity/EoPLoadDriver.git\"                         \"$DW/EoPLoadDriver\"\n    clone \"psgetsystem\"               \"https://github.com/decoder-it/psgetsystem.git\"                                 \"$DW/psgetsystem\"\n    clone \"RoguePlanet\"               \"https://github.com/MSNightmare/RoguePlanet.git\"                                \"$DW/RoguePlanet\"\n    clone \"SeTcbPrivilege_escalation\" \"https://github.com/mSameerMalik/SeTcbPrivilege_escalation.git\"                \"$DW/SeTcbPrivilege_escalation\"\n\n    # GodPotato\n    if [ ! -f \"$DW/GodPotato/GodPotato-NET4.exe\" ]; then\n        mkdir -p \"$DW/GodPotato\"\n        download \"GodPotato-NET4.exe\" \\\n            \"https://github.com/BeichenDream/GodPotato/releases/latest/download/GodPotato-NET4.exe\" \\\n            \"$DW/GodPotato/GodPotato-NET4.exe\" \"false\"\n    else\n        warn \"GodPotato already present\"\n    fi\n\n    # JuicyPotato\n    if [ ! -f \"$DW/JuicyPotato/JuicyPotato.exe\" ]; then\n        mkdir -p \"$DW/JuicyPotato\"\n        download \"JuicyPotato.exe\" \\\n            \"https://github.com/ohpe/juicy-potato/releases/latest/download/JuicyPotato.exe\" \\\n            \"$DW/JuicyPotato/JuicyPotato.exe\" \"false\"\n    else\n        warn \"JuicyPotato already present\"\n    fi\n\n    # PrintSpoofer\n    if [ ! -f \"$DW/PrintSpoofer/PrintSpoofer64.exe\" ]; then\n        mkdir -p \"$DW/PrintSpoofer\"\n        download \"PrintSpoofer64.exe\" \\\n            \"https://github.com/itm4n/PrintSpoofer/releases/latest/download/PrintSpoofer64.exe\" \\\n            \"$DW/PrintSpoofer/PrintSpoofer64.exe\" \"false\"\n        download \"PrintSpoofer32.exe\" \\\n            \"https://github.com/itm4n/PrintSpoofer/releases/latest/download/PrintSpoofer32.exe\" \\\n            \"$DW/PrintSpoofer/PrintSpoofer32.exe\" \"false\"\n    else\n        warn \"PrintSpoofer already present\"\n    fi\n\n    # FullPowers\n    if [ ! -f \"$DW/FullPowers/FullPowers.exe\" ]; then\n        mkdir -p \"$DW/FullPowers\"\n        download \"FullPowers.exe\" \\\n            \"https://github.com/itm4n/FullPowers/releases/latest/download/FullPowers.exe\" \\\n            \"$DW/FullPowers/FullPowers.exe\" \"false\"\n    else\n        warn \"FullPowers already present\"\n    fi\n\n    # RunasCs\n    if [ ! -f \"$DW/RunasCs/RunasCs.exe\" ]; then\n        mkdir -p \"$DW/RunasCs\"\n        download_zip \"RunasCs (Privesc)\" \\\n            \"https://github.com/antonioCoco/RunasCs/releases/latest/download/RunasCs.zip\" \\\n            \"$DW/RunasCs\"\n    else\n        warn \"RunasCs (Privesc) already present\"\n    fi\n\n    # Ghostpack binaries: Seatbelt, SharpUp, SharpChrome\n    for bin in Seatbelt.exe SharpUp.exe SharpChrome.exe; do\n        local bname=\"${bin%%.*}\"\n        mkdir -p \"$DW/$bname\"\n        if [ ! -f \"$DW/$bname/$bin\" ]; then\n            download \"$bin\" \"$GHOSTPACK/$bin\" \"$DW/$bname/$bin\" \"false\"\n        else\n        warn \"$bin already present\"\n    fi\n    done\n\n    # SeBackupPrivilege DLLs\n    if [ ! -f \"$DW/SeBackupPrivilege/SeBackupPrivilegeCmdLets.dll\" ]; then\n        mkdir -p \"$DW/SeBackupPrivilege\"\n        local SBP_BASE=\"https://github.com/giuliano108/SeBackupPrivilege/raw/master/SeBackupPrivilegeCmdLets/bin/Debug\"\n        download \"SeBackupPrivilegeCmdLets.dll\" \"$SBP_BASE/SeBackupPrivilegeCmdLets.dll\" \"$DW/SeBackupPrivilege/SeBackupPrivilegeCmdLets.dll\" \"false\"\n        download \"SeBackupPrivilegeUtils.dll\"   \"$SBP_BASE/SeBackupPrivilegeUtils.dll\"   \"$DW/SeBackupPrivilege/SeBackupPrivilegeUtils.dll\"   \"false\"\n    else\n        warn \"SeBackupPrivilege already present\"\n    fi\n\n    # LaZagne.exe (Windows)\n    if [ ! -f \"$DW/LaZagne/LaZagne.exe\" ]; then\n        mkdir -p \"$DW/LaZagne\"\n        download \"LaZagne.exe\" \\\n            \"https://github.com/AlessandroZ/LaZagne/releases/latest/download/LaZagne.exe\" \\\n            \"$DW/LaZagne/LaZagne.exe\" \"false\"\n    else\n        warn \"LaZagne.exe (Privesc/Windows) already present\"\n    fi\n\n    # ---- Linux ----\n    local DL=\"$TOOLS_DIR/Privesc/Linux\"\n\n    clone \"CVE-2021-3156 BaronSamedit\" \"https://github.com/blasty/CVE-2021-3156.git\"                          \"$DL/Baronsamedit\"\n    build_make \"CVE-2021-3156\"         \"$DL/Baronsamedit\"\n\n    clone \"CVE-2022-2588 DirtyCred\"    \"https://github.com/Markakd/CVE-2022-2588.git\"                         \"$DL/DirtyCred\"\n\n    clone \"CVE-2022-0847 DirtyPipe\"    \"https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git\"  \"$DL/DirtyPipe\"\n    build_make \"CVE-2022-0847\"         \"$DL/DirtyPipe\"\n\n    clone \"fail2ban exploit\"           \"https://github.com/rvizx/fail2ban.git\"                                 \"$DL/fail2ban\"\n\n    clone \"CVE-2023-2640 GameOverlay\"  \"https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629.git\"             \"$DL/GameOverlay\"\n\n    clone \"CVE-2021-3493 OverlayFS\"    \"https://github.com/briskets/CVE-2021-3493.git\"                        \"$DL/OverlayFS-CVE-2021-3493\"\n    if [ -f \"$DL/OverlayFS-CVE-2021-3493/exploit.c\" ]; then\n        log \"Compiling CVE-2021-3493...\"\n        gcc \"$DL/OverlayFS-CVE-2021-3493/exploit.c\" -o \"$DL/OverlayFS-CVE-2021-3493/exploit\" 2&gt;/dev/null \\\n            &amp;&amp; log \"CVE-2021-3493 compiled OK\" || warn \"CVE-2021-3493 compile failed\"\n    fi\n\n    clone \"CVE-2023-0386 OverlayFS\"    \"https://github.com/xkaneiki/CVE-2023-0386\"                            \"$DL/OverlayFS-CVE-2023-0386\"\n    build_make \"CVE-2023-0386\"         \"$DL/OverlayFS-CVE-2023-0386\"\n\n    clone \"PwnKit\"                     \"https://github.com/ly4k/PwnKit\"                                        \"$DL/PwnKit\"\n    build_make \"PwnKit\"                \"$DL/PwnKit\"\n\n    clone \"CVE-2024-1086\"              \"https://github.com/Notselwyn/CVE-2024-1086\"                            \"$DL/use_after_free-CVE-2024-1086\"\n\n    # ---- App ----\n    clone \"Nexus-Sonatype-RCE\" \\\n        \"https://github.com/aaryan-11-x/Nexus-Sonatype-Repository-Manager-Groovy-Script-RCE-Authenticated-.git\" \\\n        \"$TOOLS_DIR/Privesc/App/Nexus-Sonatype-Repository-Manager\"\n}\n\n# ==============================================================================\n# RECON\n# ==============================================================================\n\ninstall_recon() {\n    section \"Reconnaissance Tools\"\n\n    # ---- Linux ----\n    local DL=\"$TOOLS_DIR/Recon/Linux\"\n\n    clone \"LaZagne\"          \"https://github.com/AlessandroZ/LaZagne.git\"              \"$DL/LaZagne\"\n    pip_install \"LaZagne\"    \"$DL/LaZagne\"\n\n    clone \"LinEnum\"          \"https://github.com/rebootuser/LinEnum.git\"               \"$DL/LinEnum\"\n    chmod +x \"$DL/LinEnum/LinEnum.sh\" 2&gt;/dev/null || true\n\n    clone \"linuxprivchecker\" \"https://github.com/sleventyeleven/linuxprivchecker.git\"  \"$DL/linuxprivchecker\"\n\n    clone \"mimipenguin\"      \"https://github.com/huntergregal/mimipenguin.git\"         \"$DL/mimipenguin\"\n    build_make \"mimipenguin\" \"$DL/mimipenguin\"\n\n    # linpeas (precompiled)\n    if [ ! -f \"$DL/linpeas/linpeas.sh\" ]; then\n        mkdir -p \"$DL/linpeas\"\n        download \"linpeas.sh\" \\\n            \"https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh\" \\\n            \"$DL/linpeas/linpeas.sh\"\n    else\n        warn \"linpeas already present\"\n    fi\n\n    # pspy (precompiled)\n    if [ ! -f \"$DL/pspy/pspy64\" ]; then\n        mkdir -p \"$DL/pspy\"\n        download \"pspy64\" \"https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64\" \"$DL/pspy/pspy64\"\n        download \"pspy32\" \"https://github.com/DominicBreuker/pspy/releases/latest/download/pspy32\" \"$DL/pspy/pspy32\"\n    else\n        warn \"pspy already present\"\n    fi\n\n    # ---- Network ----\n    local DN=\"$TOOLS_DIR/Recon/Network\"\n\n    clone \"PCredz\"           \"https://github.com/lgandx/PCredz.git\"                   \"$DN/PCredz\"\n    pip_install \"PCredz\"     \"$DN/PCredz\"\n\n    # nmap static binary\n    if [ ! -f \"$DN/nmap-static-binary/nmap\" ]; then\n        mkdir -p \"$DN/nmap-static-binary\"\n        download \"nmap (static linux)\" \\\n            \"https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap\" \\\n            \"$DN/nmap-static-binary/nmap\"\n        download \"nmap.exe (static win)\" \\\n            \"https://github.com/andrew-d/static-binaries/raw/master/binaries/windows/x86/nmap.exe\" \\\n            \"$DN/nmap-static-binary/nmap.exe\" \"false\"\n    else\n        warn \"nmap static binary already present\"\n    fi\n\n    # rustscan\n    if [ ! -f \"$DN/rustscan/rustscan\" ]; then\n        mkdir -p \"$DN/rustscan\"\n        log \"Downloading rustscan...\"\n        local RS_URL\n        RS_URL=$(curl -fsSL \"https://api.github.com/repos/RustScan/RustScan/releases/latest\" \\\n            | grep -o '\"browser_download_url\": *\"[^\"]*amd64\\.deb\"' \\\n            | grep -o 'https://[^\"]*' | head -1)\n        if [ -n \"$RS_URL\" ]; then\n            curl -fsSL \"$RS_URL\" -o /tmp/rustscan.deb \\\n                &amp;&amp; sudo dpkg -i /tmp/rustscan.deb \\\n                &amp;&amp; cp \"$(command -v rustscan)\" \"$DN/rustscan/rustscan\" 2&gt;/dev/null \\\n                &amp;&amp; rm -f /tmp/rustscan.deb \\\n                || warn \"rustscan install failed\"\n        else\n            warn \"rustscan: could not resolve .deb URL \u2014 check github.com/RustScan/RustScan/releases\"\n        fi\n    else\n        warn \"rustscan already present\"\n    fi\n\n    # ---- Web ----\n    local DW=\"$TOOLS_DIR/Recon/Web\"\n\n    clone \"Bashfuscator\"      \"https://github.com/Bashfuscator/Bashfuscator\"           \"$DW/Bashfuscator\"\n    pip_install \"Bashfuscator\" \"$DW/Bashfuscator\"\n\n    clone \"FinalRecon\"        \"https://github.com/thewhiteh4t/FinalRecon.git\"          \"$DW/FinalRecon\"\n    pip_install \"FinalRecon\"  \"$DW/FinalRecon\"\n\n    clone \"liffy\"             \"https://github.com/mzfr/liffy.git\"                      \"$DW/liffy\"\n    pip_install \"liffy\"       \"$DW/liffy\"\n\n    clone \"Security-Wordlist\" \"https://github.com/DragonJAR/Security-Wordlist.git\"     \"$DW/Security-Wordlist\"\n\n    clone \"subbrute\"          \"https://github.com/TheRook/subbrute.git\"                \"$DW/subbrute\"\n\n    clone \"username-anarchy\"  \"https://github.com/urbanadventurer/username-anarchy.git\" \"$DW/username-anarchy\"\n\n    clone \"XSStrike\"          \"https://github.com/s0md3v/XSStrike.git\"                 \"$DW/XSStrike\"\n    pip_install \"XSStrike\"    \"$DW/XSStrike\"\n\n    # Aquatone (precompiled)\n    if [ ! -f \"$DW/Aquatone/aquatone\" ]; then\n        mkdir -p \"$DW/Aquatone\"\n        local AQ_URL\n        AQ_URL=$(curl -fsSL \"https://api.github.com/repos/michenriksen/aquatone/releases/latest\" \\\n            | grep -o '\"browser_download_url\": *\"[^\"]*linux_amd64[^\"]*\\.zip\"' \\\n            | grep -o 'https://[^\"]*' | head -1)\n        if [ -n \"$AQ_URL\" ]; then\n            download_zip \"aquatone\" \"$AQ_URL\" \"$DW/Aquatone\"\n            chmod +x \"$DW/Aquatone/aquatone\" 2&gt;/dev/null || true\n        else\n            warn \"aquatone: could not resolve download URL\"\n        fi\n    else\n        warn \"aquatone already present\"\n    fi\n\n    # ---- Windows ----\n    local DWWIN=\"$TOOLS_DIR/Recon/Windows\"\n    local GHOSTPACK=\"https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master\"\n\n    for bin in Seatbelt.exe SharpChrome.exe SharpUp.exe; do\n        if [ ! -f \"$DWWIN/$bin\" ]; then\n            download \"$bin\" \"$GHOSTPACK/$bin\" \"$DWWIN/$bin\" \"false\"\n        else\n        warn \"$bin (Recon/Windows) already present\"\n    fi\n    done\n\n    # LaZagne.exe (Windows recon copy)\n    if [ ! -f \"$DWWIN/LaZagne.exe\" ]; then\n        download \"LaZagne.exe (Recon/Windows)\" \\\n            \"https://github.com/AlessandroZ/LaZagne/releases/latest/download/LaZagne.exe\" \\\n            \"$DWWIN/LaZagne.exe\" \"false\"\n    else\n        warn \"LaZagne.exe (Recon/Windows) already present\"\n    fi\n}\n\n# ==============================================================================\n# SUMMARY\n# ==============================================================================\n\nprint_summary() {\n    section \"Installation Complete\"\n    log \"Tools installed to: $TOOLS_DIR\"\n    log \"Log file: $LOG_FILE\"\n\n    local warns errors\n    warns=$(grep -c '^\\[!\\]' \"$LOG_FILE\" 2&gt;/dev/null || echo 0)\n    errors=$(grep -c '^\\[-\\]' \"$LOG_FILE\" 2&gt;/dev/null || echo 0)\n\n    echo \"\"\n    echo -e \"${YELLOW}Warnings:${NC} $warns  ${RED}Errors:${NC} $errors\"\n    echo \"\"\n    if [ \"$errors\" -gt 0 ]; then\n        echo -e \"${RED}Failed installs:${NC}\"\n        grep '^\\[-\\]' \"$LOG_FILE\"\n    fi\n    echo \"\"\n    echo -e \"${YELLOW}NOTE:${NC} Windows .exe files are ready to transfer to target hosts.\"\n    echo -e \"${YELLOW}NOTE:${NC} Python tools with venvs may need: python3 -m venv venv &amp;&amp; pip3 install -r requirements.txt\"\n    echo -e \"${YELLOW}NOTE:${NC} Some C exploits may need kernel-version-specific recompilation on target.\"\n}\n\n# ==============================================================================\n# MAIN\n# ==============================================================================\n\nmain() {\n    echo -e \"${BLUE}\"\n    cat &lt;&lt;'BANNER'\n  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n  \u2551   HTB CPTS Tool Installer \u2014 Parrot OS (HTB Edition)  \u2551\n  \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\nBANNER\n    echo -e \"  Tools Dir : $TOOLS_DIR\"\n    echo -e \"  Log File  : $LOG_FILE${NC}\"\n    echo \"\"\n\n    preflight\n    install_activedir\n    install_payloads\n    install_pivot\n    install_privesc\n    install_recon\n    print_summary\n}\n\nmain \"$@\"\n", "creation_timestamp": "2026-07-01T20:11:33.953749Z"}