diff --git a/.gitbook/assets/image (10) (2) (1).png b/.gitbook/assets/image (10) (2) (1).png new file mode 100644 index 00000000..89ad985c Binary files /dev/null and b/.gitbook/assets/image (10) (2) (1).png differ diff --git a/.gitbook/assets/image (10) (2).png b/.gitbook/assets/image (10) (2).png index 89ad985c..86da9924 100644 Binary files a/.gitbook/assets/image (10) (2).png and b/.gitbook/assets/image (10) (2).png differ diff --git a/.gitbook/assets/image (10).png b/.gitbook/assets/image (10).png index 86da9924..77f2a896 100644 Binary files a/.gitbook/assets/image (10).png and b/.gitbook/assets/image (10).png differ diff --git a/.gitbook/assets/image (13).png b/.gitbook/assets/image (13).png deleted file mode 100644 index c7834192..00000000 Binary files a/.gitbook/assets/image (13).png and /dev/null differ diff --git a/.gitbook/assets/image (14).png b/.gitbook/assets/image (14).png deleted file mode 100644 index a254c23a..00000000 Binary files a/.gitbook/assets/image (14).png and /dev/null differ diff --git a/.gitbook/assets/image (6).png b/.gitbook/assets/image (6).png index 0ef3cc20..c7834192 100644 Binary files a/.gitbook/assets/image (6).png and b/.gitbook/assets/image (6).png differ diff --git a/.gitbook/assets/image (7).png b/.gitbook/assets/image (7).png index 20ead5c0..a254c23a 100644 Binary files a/.gitbook/assets/image (7).png and b/.gitbook/assets/image (7).png differ diff --git a/.gitbook/assets/image (8).png b/.gitbook/assets/image (8).png index 77f2a896..0ef3cc20 100644 Binary files a/.gitbook/assets/image (8).png and b/.gitbook/assets/image (8).png differ diff --git a/.gitbook/assets/image (9) (1) (4).png b/.gitbook/assets/image (9) (1) (4).png new file mode 100644 index 00000000..84884c47 Binary files /dev/null and b/.gitbook/assets/image (9) (1) (4).png differ 
diff --git a/.gitbook/assets/image (9) (1).png b/.gitbook/assets/image (9) (1).png index 84884c47..d8f7dcb7 100644 Binary files a/.gitbook/assets/image (9) (1).png and b/.gitbook/assets/image (9) (1).png differ diff --git a/.gitbook/assets/image (9).png b/.gitbook/assets/image (9).png index d8f7dcb7..20ead5c0 100644 Binary files a/.gitbook/assets/image (9).png and b/.gitbook/assets/image (9).png differ diff --git a/README.md b/README.md index 4404ac63..917a322f 100644 --- a/README.md +++ b/README.md @@ -101,7 +101,7 @@ In addition to the above WebSec is also a **committed supporter of HackTricks.** ### [SYN CUBES](https://www.syncubes.com/) -
+
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions. diff --git a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md index fdcfd6a9..1a4a1350 100644 --- a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md +++ b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md @@ -163,7 +163,7 @@ Script arguments: ~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100 ``` -

Dump of traffic during a neighborhood disruption

+

Dump of traffic during a neighborhood disruption

GW1 router endlessly disconnects and reconnects EIGRP

diff --git a/linux-hardening/privilege-escalation/docker-security/cgroups.md b/linux-hardening/privilege-escalation/docker-security/cgroups.md index a03efe2a..f231a13b 100644 --- a/linux-hardening/privilege-escalation/docker-security/cgroups.md +++ b/linux-hardening/privilege-escalation/docker-security/cgroups.md @@ -53,7 +53,7 @@ Don’t be alarmed if the **output is significantly shorter** on your system; th Cgroups are typically **accessed through the filesystem**. This is in contrast to the traditional Unix system call interface for interacting with the kernel.\ To explore the cgroup setup of a shell, you can look in the `/proc/self/cgroup` file to find the shell's cgroup, and then navigate to the `/sys/fs/cgroup` (or `/sys/fs/cgroup/unified`) directory and look for a **directory with the same name as the cgroup**. Changing to this directory and looking around will allow you to see the various **settings and resource usage information for the cgroup**. -
+
Among the many files that can be here, **the primary cgroup interface files begin with `cgroup`**. Start by looking at `cgroup.procs` (using cat is fine), which lists the processes in the cgroup. A similar file, `cgroup.threads`, also includes threads. diff --git a/macos-hardening/macos-red-teaming/README.md b/macos-hardening/macos-red-teaming/README.md index 3f5fc29a..c5fb0f7d 100644 --- a/macos-hardening/macos-red-teaming/README.md +++ b/macos-hardening/macos-red-teaming/README.md @@ -49,7 +49,7 @@ You could use the script [**JamfSniper.py**](https://github.com/WithSecureLabs/J Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form: -![](<../../.gitbook/assets/image (13).png>) +![](<../../.gitbook/assets/image (6).png>) #### JAMF device Authentication diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md index 23d5baf4..05e8ed1b 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md @@ -56,7 +56,7 @@ The events that the Endpoint Security framework can monitor are categorized into ### Endpoint Security Framework Architecture -
+
**User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller: diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md index 0f25ea4c..dee80ea4 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md @@ -64,9 +64,15 @@ This is a [public function](https://developer.apple.com/documentation/security/1 For more info check this talk: [https://www.youtube.com/watch?v=lTOItyjTTkw](https://www.youtube.com/watch?v=lTOItyjTTkw) +### Execution by mounting + +If an installer writes to `/tmp/fixedname/bla/bla`, it's possible to **create a mount** over `/tmp/fixedname` with noowners so you could **modify any file during the installation** to abuse the installation process. + +An example of this is **CVE-2021-26089** which managed to **overwrite a periodic script** to get execution as root. For more information take a look to the talk: [**OBTS v4.0: "Mount(ain) of Bugs" - Csaba Fitzl**](https://www.youtube.com/watch?v=jSYPazD4VcE) + ## References -* [https://www.youtube.com/watch?v=iASSG0\_zobQ](https://www.youtube.com/watch?v=iASSG0\_zobQ) +* [**DEF CON 27 - Unpacking Pkgs A Look Inside Macos Installer Packages And Common Security Flaws**](https://www.youtube.com/watch?v=iASSG0\_zobQ)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md index 3a92811e..0c3bec3b 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md @@ -387,7 +387,7 @@ The folder **`/var/db/locationd/` wasn't protected from DMG mounting** so it was In several occasions files will store sensitive information like emails, phone numbers, messages... in non protected locations (which count as a vulnerability in Apple). -
+
## Reference diff --git a/network-services-pentesting/pentesting-postgresql.md b/network-services-pentesting/pentesting-postgresql.md index 15e1f2d1..7bf00dd7 100644 --- a/network-services-pentesting/pentesting-postgresql.md +++ b/network-services-pentesting/pentesting-postgresql.md @@ -601,7 +601,7 @@ WITH (create_slot = false); INSERT INTO public.test3(data) VALUES(current_user); And then **execute commands**: -
+
### Pass Burteforce with PL/pgSQL
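Review bot: In the macos-red-teaming/README.md hunk the image reference moves from `image (13).png` to `image (6).png`, which matches the deletion of `.gitbook/assets/image (13).png` at the top of this patch, but `.gitbook/assets/image (14).png` is also deleted and no markdown file in this diff updates a reference to it. Please confirm no other page still links `image (14).png` (a renumbering chain like this one usually leaves at least one dangling reference), or include the corresponding markdown change in the same commit.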
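Review bot: In the new "Execution by mounting" section of macos-installers-abuse.md, the sentence "it's possible to **create a mount** over `/tmp/fixedname` with noowners" does not say what `noowners` is; spell it out as the mount option (`mount -o noowners`, which makes the kernel ignore file ownership on that volume) so a reader understands why ownership checks on the installer's files no longer protect them. It would also help to state the root cause in one line, namely that the installer writes to a fixed, predictable path under the world-writable `/tmp`, since that is the property a package author needs to avoid (write to a `mkdtemp`-style random directory with restrictive permissions instead). Minor: "take a look to the talk" should read "take a look at the talk".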
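Review bot: The unchanged context line `### Pass Burteforce with PL/pgSQL` at the end of the pentesting-postgresql.md hunk carries a typo ("Burteforce" for "Bruteforce"); since this hunk already touches the surrounding lines, consider folding the heading fix into this change so the heading anchor is corrected in one commit.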