diff --git a/src/linux-hardening/linux-post-exploitation/README.md b/src/linux-hardening/linux-post-exploitation/README.md
index a31efd26f6f..4d6f6e435e7 100644
--- a/src/linux-hardening/linux-post-exploitation/README.md
+++ b/src/linux-hardening/linux-post-exploitation/README.md
@@ -144,6 +144,19 @@ Hardening
 - Enforce **single-instance** execution by binding a fixed loopback port (for example, `127.0.0.1:51125` or `127.0.0.1:52225`) and exiting if `bind()` fails; `ss -lntp | grep -E '51125|52225'` will reveal the mutex listener.
 - Operators may periodically mass-kill any process whose `cmdline` contains the dropper name (e.g., `init_stop`), so reusing those names during analysis can collide; pick unique filenames.
 
+## WSL -> Windows Startup folder persistence
+
+If you already have execution **inside Linux on WSL**, you can persist into Windows by **writing a payload into the Windows user's Startup folder**. Windows executes Startup entries on the next interactive logon, so the persistence **bridges from WSL to Windows** even though the foothold is Linux.
+
+Common path from WSL (user-specific):
+
+```bash
+WIN_STARTUP="/mnt/c/Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
+cp /tmp/payload.exe "$WIN_STARTUP/"
+```
+
+This only works when the WSL instance has access to the Windows user profile path and the user later logs in on Windows.
+
 ## Process masquerading via prctl + argv overwrite
 
 - Set the short process name with `prctl(PR_SET_NAME, "<label>")` (15-byte `comm` limit), commonly to `init`, so `/proc/<pid>/status` and GUIs show a benign label.
@@ -157,5 +170,6 @@ Hardening
 - [0xdf – HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
 - [GnuPG Manual – Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir)
 - [Inside GoBruteforcer: AI-generated server defaults, weak passwords, and crypto-focused campaigns](https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/)
+- [Rapid7 Metasploit Wrap-Up 02/27/2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-02-27-2026/)
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md
index 719bd0a628f..4994209c04b 100644
--- a/src/pentesting-web/file-inclusion/README.md
+++ b/src/pentesting-web/file-inclusion/README.md
@@ -805,6 +805,17 @@ curl --path-as-is -b "session=$SESSION" \
 
 Tune the number of `../` segments until you escape the intended directory, then dump `/etc/passwd`, `/proc/self/cwd/app.py`, or other source/config files.
 
+### Artifact pull/install traversal -> arbitrary file write -> .so load RCE
+
+Some services implement a **"pull/install"** flow for models, packages, or images (often from OCI-style registries). If the artifact **path is attacker-controlled and traversal is not sanitized**, a normal pull becomes an **arbitrary file write** primitive. A common escalation chain:
+
+1. Point the target at a **rogue registry** or artifact source you control.
+2. Use `../` traversal in artifact paths so the pull/write lands outside the intended model/cache directory.
+3. Write a **malicious `.so`** to a location that a subsequent service process will load.
+4. **Trigger a new process spawn** (or another code path that loads shared libraries) so the dynamic loader maps your `.so`, yielding RCE.
+
+This pattern turns **path traversal in artifact installers** into **unauthenticated RCE** by chaining file write and shared library load semantics.
+
 ## References
 
 - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)
@@ -818,10 +829,10 @@ Tune the number of `../` segments until you escape the intended directory, then
 - [When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise](https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/)
 - [Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?](https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/)
 - [HTB: Imagery (admin log download traversal + `/proc/self/environ` read)](https://0xdf.gitlab.io/2026/01/24/htb-imagery.html)
+- [Rapid7 Metasploit Wrap-Up 02/27/2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-02-27-2026/)
 
 {{#file}}
 EN-Local-File-Inclusion-1.pdf
 {{#endfile}}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
index 4d769d374e9..684cf8b0e82 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
@@ -259,6 +259,11 @@ Within these keys, various subkeys exist, each corresponding to a specific compo
 - Modifying or writing to a key where **`IsInstalled`** is set to `"1"` with a specific **`StubPath`** can lead to unauthorized command execution, potentially for privilege escalation.
 - Altering the binary file referenced in any **`StubPath`** value could also achieve privilege escalation, given sufficient permissions.
 
+**Persistence caveats (Active Setup):**
+
+- Execution is **per-user and typically one-time**; after a user runs it, it won't trigger again for that user unless the key is reset/changed.
+- The **payload runs in the user context**, even if an admin planted the key, so plan privilege expectations accordingly.
+
 To inspect the **`StubPath`** configurations across Active Setup components, these commands can be used:
 
 ```bash
@@ -346,9 +351,8 @@ autorunsc.exe -m -nobanner -a * -ct /accepteula
 - [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
 - [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2)
 - [https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell](https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell)
+- [Rapid7 Metasploit Wrap-Up 02/27/2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-02-27-2026/)
 
 
 
 {{#include ../../banners/hacktricks-training.md}}
-
-