Musyoka Ian
Dec 20, 2020


The script is able to enumerate usernames from any posts available on the site. Because of that, I didn't see a need to add more code just to enumerate usernames from the creds file, but yeah, it isn't hard at all; just adding one extra line of code will do the job perfectly.

For the second question, the script spawns a whole new shell every time you run a command, so to run commands like su or sudo you need to get a real shell. Once before, I've seen IPPSEC show a technique of spawning a shell over HTTP (a forward shell), mostly used for firewall restriction bypass, but it means we have to add about 140 lines of code to the exploit, which wasn't worth it. I think it's better to just get a shell.

Thanks for the review, much appreciated.

Written by Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub (https://github.com/musyoka101), ExploitDB (https://www.exploit-db.com/?author=10517)
