f

src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md

@@ -84,6 +84,16 @@ echo "Done! Output:"
 cat ${OUTPUT_PATH}
 ```
 
+## Kernel hardening since 2022 (CVE-2022-0492)
+
+From Linux 5.10.93/5.15.17/5.16.2 onward the kernel **requires `CAP_SYS_ADMIN` in the _initial_ user-namespace to write `release_agent`**. A *privileged* container still has that capability, so this relative-path variant remains exploitable.  *Unprivileged* containers on patched kernels, however, will not bypass the new check.
+
+## Limitations on modern hosts (2025)
+
+* **cgroup-v2** (the default in Fedora 40, Ubuntu 24.10 and most systemd-256+ distros) **removed the whole `release_agent` interface** – the technique simply does not exist there.
+* On hybrid systems (`cgroup_no_v1="memory"` etc.) the memory controller may reside in v1 while others are in v2; if the memory hierarchy is v2 **the exploit must mount some other v1 controller** (e.g. `rdma`) to work.
+* Mandatory Access Control profiles (AppArmor/SELinux) that disallow `mount` or make `/sys/fs/cgroup/**/release_agent` read-only will block the attack even in privileged containers.
+
 {{#include ../../../../banners/hacktricks-training.md}}
 
 

src/windows-hardening/ntlm/README.md

@@ -290,7 +290,7 @@ The PoC can be found in **[https://github.com/eladshamir/Internal-Monologue](htt
 **Read more detailed guide on how to perform those attacks here:**
 
 {{#ref}}
-../../generic-methodologies-and-resources/pentesting-network/`spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md`
+../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
 {{#endref}}
 
 ## Parse NTLM challenges from a network capture