diff --git a/README.mdx b/README.mdx index 354a46b..54d5a2b 100644 --- a/README.mdx +++ b/README.mdx @@ -1052,8 +1052,7 @@ sub t { $xx =~ tr/a-z/A-Z/; 🟡 `tr` all lowercase alpha to caps $xx =~ s/\s.*//; 🟡 `sub` all whitespaces w/ nothing - 🔵 Vulnerability -Backtick Injection: - exploits enclosed shell command execution + 🔵 Vulnerability - Backtick Injection @output = `egrep "^$xx" /tmp/xd 2>&1`; foreach $line (@output) { @@ -1077,11 +1076,12 @@ n(t(param("x"), param("y"))); ``` Solution -- Backtick command injection ``` `/*/C` ``` - - gets executed by PERL right away -- But why still fake an ALLCAPS filename? - - bc. program runs fast: `tr` and the `=~` pattern matching run at almost simultaneously - - to avoid asynchronicity , we ___delay___ the script a little +- Create a file: ``` `/*/C` ``` which contains a getflag command +- The setuid `.pl` script executes a backticks-enclosed expression +- Why still fake an ALLCAPS filename? + - bc. the program runs fast + - `tr` and `=~` pattern matching run at almost simultaneously + - to avoid asynchronicit , we ___delay___ the script a little ```b > echo "getflag > /tmp/tmp" > /tmp/C
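Review bot: The first hunk drops the only explanation of the vulnerability class when it collapses "Backtick Injection: - exploits enclosed shell command execution" into the bare label "Backtick Injection", so a reader of the README no longer learns why the line that follows is dangerous. Keep a short explanation on the label, anchored to the visible code: backticks execute the enclosed string as a shell command, and `$xx` is interpolated into that string after only `tr/a-z/A-Z/` and `s/\s.*//`, neither of which strips shell metacharacters. Something like "🔵 Vulnerability - Backtick Injection: `$xx` is interpolated unsanitized into a backtick-executed shell command" preserves the point in one line.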
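Review bot: The second hunk introduces a typo and a stray space in its last bullet, "to avoid asynchronicit , we ___delay___ the script a little"; the removed line had "asynchronicity" spelled correctly, so this should be "to avoid asynchronicity, we ___delay___ the script a little". The rewritten bullet "`tr` and `=~` pattern matching run at almost simultaneously" also carries a grammar slip from the old text; "run almost simultaneously" reads correctly. Finally, the code fence just after the hunk is tagged "```b", which is not a recognised language identifier and will not get shell highlighting; "```bash" (or "```sh") matches the `>` prompt lines it contains.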